Governance in Azure — Almost all you need to know

Get acquainted with all the necessary tools in your governance journey on Azure

Governance in the cloud is essential to ensure compliance and keep administrative control over what is deployed, while making sure that costs don’t get out of hand. Compliance dictates where you are allowed to run your VMs, where you store your data, how authentication and authorization are performed in the cloud, and so on. This article introduces some of the primary services used on Azure to assist you in your governance journey and points out some important features.

Azure Policy


Important: Requests to create or update any resource are evaluated by Azure Policy first. Azure Policy creates a list of all policies that apply to a resource and then evaluates the resource against each definition.

Azure Policy uses a JSON format to express the logic the evaluation uses to determine whether a resource is compliant. It evaluates resources in Azure by comparing the properties of those resources to business rules known as policy definitions. Multiple policy definitions can be grouped into policy initiatives. Policies are assigned at the resource, resource group, subscription, or management group scope using a policy assignment. If a resource does not comply with the policy definitions, you can respond in the following ways.

  • Deny the resource change
  • Log the change to the resource
  • Alter the resource before the change
  • Alter the resource after the change
  • Deploy related compliant resources

These responses can be achieved through the following supported effects — Append, Audit, AuditIfNotExists, Deny, DeployIfNotExists, Disabled, Modify. Audit generates a warning event in the activity log without failing the request, whereas Deny generates an event in the activity log and fails the request. Disabled doesn’t evaluate the resources for compliance at all.

Append vs. Modify — Append is intended for use with non-tag properties. While Append can add tags to a resource during a create or update request, it’s recommended to use the Modify effect for tags instead.

Order of evaluation:

  • Disabled is checked first to determine if the policy rule should be evaluated.
  • Append and Modify are then evaluated. Since either could alter the request, a change made may prevent an audit or deny effect from triggering. These effects are only available with a Resource Manager mode.
  • Deny is then evaluated. By evaluating deny before audit, double logging of an undesired resource is prevented.
  • Audit is evaluated last.

Important: Azure Policy also comes with pre-defined template functions, for example substring. If the result of a template function is an error, policy evaluation fails, and a failed evaluation is an implicit deny.

For example, a policy evaluation that applies such a function to the resource name will fail if the name has fewer than three characters, and the effect will be deny instead of audit.

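To make the evaluation order and the implicit-deny rule concrete, here is a small constructed Python model (added for this article, not Azure's own evaluator) that sorts a set of policies by effect, applies Modify before Deny and Audit, and treats a failing substring() on a two-character name as an implicit deny; the policy names, the tag value and the 'vm-' prefix are assumptions.

```python
# Constructed mini-model of the effect ordering described above, not Azure's own evaluator.

ORDER = {"Disabled": 0, "Append": 1, "Modify": 1, "Deny": 2, "Audit": 3}

class TemplateFunctionError(Exception):
    """A template function such as substring() could not be evaluated."""

def substring(value: str, start: int, length: int) -> str:
    # ARM's substring() errors instead of truncating when the range runs past
    # the end of the string; in a policy rule that error is an implicit deny.
    if start < 0 or length < 0 or start + length > len(value):
        raise TemplateFunctionError(f"substring({value!r}, {start}, {length}) out of range")
    return value[start:start + length]

def evaluate(resource: dict, policies: list) -> dict:
    """Evaluate one create/update request; return altered resource, outcome, log."""
    res, log = {**resource, "tags": dict(resource.get("tags", {}))}, []
    for p in sorted(policies, key=lambda p: ORDER[p["effect"]]):
        effect = p["effect"]
        if effect == "Disabled":
            continue  # checked first: the rule is not evaluated at all
        try:
            triggered = p["condition"](res)
        except TemplateFunctionError as exc:
            log.append(f"{p['name']}: evaluation failed ({exc}) -> implicit deny")
            return {"resource": res, "outcome": "denied", "log": log}
        if not triggered:
            continue
        if effect in ("Append", "Modify"):
            res = p["apply"](res)  # alters the request before Deny/Audit see it
            log.append(f"{p['name']}: {effect} applied")
        elif effect == "Deny":
            log.append(f"{p['name']}: Deny, request fails")
            return {"resource": res, "outcome": "denied", "log": log}
        else:  # Audit: warning event in the activity log, request still succeeds
            log.append(f"{p['name']}: Audit warning")
    return {"resource": res, "outcome": "allowed", "log": log}

# Constructed policy set; the names, tag value and 'vm-' prefix are assumptions.
POLICIES = [
    {"name": "modify-add-env-tag", "effect": "Modify",
     "condition": lambda r: "env" not in r["tags"],
     "apply": lambda r: {**r, "tags": {**r["tags"], "env": "unclassified"}}},
    {"name": "audit-missing-env-tag", "effect": "Audit",
     "condition": lambda r: "env" not in r["tags"]},
    {"name": "audit-vm-name-prefix", "effect": "Audit",
     "condition": lambda r: substring(r["name"], 0, 3) != "vm-"},
    {"name": "deny-outside-westus", "effect": "Deny",
     "condition": lambda r: r["location"] != "westus"},
]
```

Note that the Modify effect adds the missing tag before the Audit rule for the same tag runs, so no audit event is logged for it, exactly the interaction the ordering list above describes.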

Azure Resource Graph

Resource Graph uses several tables for the data it stores about Azure Resource Manager resource types and their properties. For example, a query against the Resources table can return the properties of a virtual machine.


Such queries provide the following features:

  • Ability to query resources with complex filtering, grouping, and joining by resource properties. For example, a query can combine complex filtering and joins to find a key vault.
  • Ability to iteratively explore resources based on governance requirements.
  • Ability to assess the impact of applying policies in a vast cloud environment.
  • Ability to detail changes made to resource properties. It allows you to view the last 14 days of change history made to the resources to see what properties changed and when.

You can also use Resource Graph Explorer, which provides a clean interface for working with multiple queries, evaluating the results, and even converting the results of some queries into a chart that can be pinned to an Azure dashboard.


Azure Cost Management + Billing

  • Set spending thresholds
  • Proactively apply data analysis to your costs
  • Identify opportunities for workload changes that can optimize your spending
  • Download cost and usage data that was used to generate your monthly invoice

Important: Tag your resources! Tags are an effective way to understand costs that span multiple teams and Azure scopes. Tags can record whether a resource is shared by multiple teams, the environment it is deployed in, the project name of the resource, and so on. Such tags help you organize your resources and understand the costs incurred.

You can also use Cost analysis to analyze your organizational costs in-depth by slicing and dicing your costs using standard resource properties. It’s also important to begin setting limits for yourself and your teams.


Azure budgets give you the ability to set either a cost-based or a usage-based budget with multiple thresholds and alerts. You can further use services like Azure Advisor to get recommendations for cost savings. Azure Reservations and Azure Hybrid Benefit can also help with your cost-cutting measures.

Billing accounts — Azure currently supports the following types of billing accounts:

  • Microsoft Online Services Program: Created when you sign up for an Azure Free Account, an account with pay-as-you-go rates, or as a Visual Studio subscriber.
  • Enterprise Agreement: A billing account for an Enterprise Agreement is created when your organization signs an Enterprise Agreement (EA) to use Azure.
  • Microsoft Customer Agreement: A billing account for a Microsoft Customer Agreement is created when your organization works with a Microsoft representative to sign a Microsoft Customer Agreement.

Most of the time, organizations use an Enterprise Agreement or a Microsoft Customer Agreement.

Azure Management Groups

Important: All subscriptions within a single management group must trust the same Azure Active Directory tenant.

You can organize your Azure resources hierarchically into collections that provide a further level of classification above subscriptions. This hierarchy should be tailored to your organization so that you can manage your subscriptions and resources efficiently.

For example, you can create a hierarchy that applies a policy limiting VM locations to the US West region to the management group called “Production”. This policy is inherited by all the Enterprise Agreement (EA) subscriptions that are descendants of that management group and applies to all VMs under those subscriptions. The policy cannot be altered by the resource or subscription owner, which allows for improved governance.


All subscriptions within a management group automatically inherit the conditions applied to the management group. When the first management group is created, a root management group is created in the Azure Active Directory (Azure AD) organization. Unlike other management groups, the root management group can’t be moved or deleted.

Azure Blueprints


A blueprint brings the supported artifact types (role assignments, policy assignments, ARM templates, and resource groups) together, allowing you to compose and version that package, including through a continuous integration and continuous delivery (CI/CD) pipeline. A blueprint has a typical and natural lifecycle. This lifecycle enables versions of a blueprint to be used and actively assigned while a newer version is being developed.


When a version of the blueprint is in the Published state, that version can be assigned to a subscription. Blueprints can pass parameters to either a policy/policy initiative or an ARM template. Each published blueprint version can be assigned to an existing management group or subscription.

It’s typically possible for someone with an appropriate role-based access control (RBAC) role on the subscription, such as ‘Owner’, to alter or delete any resource. That isn’t the case when Azure Blueprints applies locking as part of a deployed assignment. Locking Mode applies to the blueprint assignment and has three options: Don’t Lock, Read Only, or Do Not Delete. If the assignment was set with the Read Only or Do Not Delete option, not even the subscription owner can perform the blocked action on the protected resource. Resources created by artifacts in a blueprint assignment have four states: Not Locked, Read Only, Cannot Edit / Delete, or Cannot Delete.

Other Resources for Azure Governance include a YouTube channel, Governance in the Cloud Adoption Framework, and a learning module.
