Governance in Azure — Almost all you need to know
Get acquainted with all the necessary tools for your governance journey on Azure
Governance in the cloud is essential to ensure compliance and to keep administrative control over what is deployed in the cloud, while making sure that costs don’t get out of hand. Compliance dictates where you are allowed to run your VMs, where you store your data, how authentication and authorization are performed in the cloud, etc. This article introduces some of the primary services used on Azure to assist you in your governance journey and points out some important features.
Azure Policy
Azure Policy helps you to enforce your organizational standards and to assess compliance at-scale. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management.
Important: Requests to create or update any resource are evaluated by Azure Policy first. Azure Policy creates a list of all policies that apply to a resource and then evaluates the resource against each definition.
Azure Policy uses a JSON format to express the logic the evaluation uses to determine whether a resource is compliant or not. It evaluates resources in Azure by comparing the properties of those resources to business rules known as policy definitions. Multiple policy definitions can be grouped into policy initiatives. Policies are assigned at the resource, resource group, subscription, or management group scope using a policy assignment. When a resource does not comply with the policy definitions, you can respond in the following ways.
- Deny the resource change
- Log the change to the resource
- Alter the resource before the change
- Alter the resource after the change
- Deploy related compliant resources
These responses are achieved through the following supported effects — Append, Audit, AuditIfNotExists, Deny, DeployIfNotExists, Disabled, and Modify. Audit generates a warning event in the activity log without failing the request, whereas Deny generates an event in the activity log and fails the request. Disabled doesn’t evaluate the resource for compliance at all.
Append vs. Modify — Append is intended for use with non-tag properties. While Append can add tags to a resource during a create or update request, it’s recommended to use the Modify effect for tags instead.
Order of evaluation:
- Disabled is checked first to determine if the policy rule should be evaluated.
- Append and Modify are then evaluated. Since either could alter the request, a change made may prevent an audit or deny effect from triggering. These effects are only available with a Resource Manager mode.
- Deny is then evaluated. By evaluating deny before audit, double logging of an undesired resource is prevented.
- Audit is evaluated last.
Important: Azure Policy also comes with pre-defined template functions, for example substring(). If the result of a template function is an error, policy evaluation fails. A failed evaluation is an implicit deny.
For example, the following policy evaluation will fail if the name has fewer than three characters, and the effect will be deny instead of audit.
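The following is an added example (not code from the article): two Azure Policy rules with the same intent, one relying on the substring() template function and one on the native notLike string condition, together with a deliberately small local simulation of the documented rule that a template-function error fails evaluation and a failed evaluation is an implicit deny. The policy JSON is the real Azure Policy rule shape; the simulation is a stand-in written for this example, not Azure's engine, and only models the conditions these two rules use.

```python
"""Added example, not code from the article: a substring()-based policy rule,
a safer equivalent using the native 'notLike' condition, and a small local
simulation of "template function error => failed evaluation => implicit deny".
The simulation is an assumption of this example, not Azure's evaluation engine."""
import json

# Rule with a template function: substring() errors on names shorter than
# three characters, the evaluation fails, and the request is denied although
# the declared effect is only "audit".
RISKY_RULE = {
    "if": {"value": "[substring(field('name'), 0, 3)]", "notEquals": "vm-"},
    "then": {"effect": "audit"},
}

# Same intent with a native string condition, which cannot error.
SAFE_RULE = {
    "if": {"field": "name", "notLike": "vm-*"},
    "then": {"effect": "audit"},
}


def policy_rule_json(rule):
    """Serialize a rule in the form `az policy definition create --rules` consumes."""
    return json.dumps(rule, indent=2)


def arm_substring(value, start, length):
    """Model ARM substring(): it errors when the requested range exceeds the string."""
    if start < 0 or length < 0 or start + length > len(value):
        raise ValueError("substring range exceeds string length")
    return value[start:start + length]


# The only template expression this simulation understands (an assumption of
# the example, not a general expression parser).
TEMPLATE_EXPRESSIONS = {
    "[substring(field('name'), 0, 3)]": lambda resource: arm_substring(resource["name"], 0, 3),
}


def policy_like(value, pattern):
    """Azure Policy 'like' semantics: one '*' wildcard matching any run of characters."""
    if "*" not in pattern:
        return value == pattern
    prefix, suffix = pattern.split("*", 1)
    return (len(value) >= len(prefix) + len(suffix)
            and value.startswith(prefix) and value.endswith(suffix))


def condition_holds(condition, resource):
    """Evaluate one policy condition against a resource (field-based or value-based)."""
    if "field" in condition:
        lhs = resource.get(condition["field"])
    else:
        lhs = TEMPLATE_EXPRESSIONS[condition["value"]](resource)
    if "equals" in condition:
        return lhs == condition["equals"]
    if "notEquals" in condition:
        return lhs != condition["notEquals"]
    if "like" in condition:
        return policy_like(lhs, condition["like"])
    if "notLike" in condition:
        return not policy_like(lhs, condition["notLike"])
    raise NotImplementedError(f"unsupported condition: {sorted(condition)}")


def evaluate(rule, resource):
    """Outcome of a create/update request under the documented rules: a template
    function error fails evaluation, and a failed evaluation is an implicit deny
    regardless of the effect the rule declares."""
    try:
        matched = condition_holds(rule["if"], resource)
    except ValueError as err:
        return f"deny (implicit: {err})"
    return rule["then"]["effect"] if matched else "compliant"


if __name__ == "__main__":
    for name in ("ab", "web01", "vm-web01"):
        resource = {"name": name}
        print(f"{name:>9}: risky -> {evaluate(RISKY_RULE, resource)}; "
              f"safe -> {evaluate(SAFE_RULE, resource)}")
```

The practical takeaway is the second rule: where a native string condition (like, notLike, match) expresses the check, prefer it over a template function, because a condition cannot throw and so cannot turn an audit policy into an unintended deny.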
Azure Resource Graph
Azure Resource Graph provides the ability to explore and discover your Azure resources quickly and at scale. It is designed to extend Azure Resource Management by providing efficient and performant resource exploration with the ability to query at scale across a given set of subscriptions so that you can effectively govern your environment. The query language for the Azure Resource Graph supports a number of operators and functions based on Kusto Query Language (KQL).
Resource Graph uses several tables for the data it stores about Azure Resource Manager resource types and their properties. For example, the following query uses the Resources table to get properties of a virtual machine.
Such queries provide the following features:
- Ability to query resources with complex filtering, grouping, and joining by resource properties. For example, the following query uses complex filtering and joins to find a key vault.
- Ability to iteratively explore resources based on governance requirements.
- Ability to assess the impact of applying policies in a vast cloud environment.
- Ability to detail changes made to resource properties. It allows you to view the last 14 days of change history made to the resources to see what properties changed and when.
You can also use Resource Graph Explorer, which provides a clean interface for working with multiple queries, evaluating the results, and even converting the results of some queries into a chart that can be pinned to an Azure dashboard.
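As an added example (not the article's own code), here are the two Resource Graph queries the text refers to, written in KQL: properties of virtual machines from the Resources table, and a filtered join that finds key vaults (here, vaults without purge protection, joined to the subscription display name from the ResourceContainers table). A small pager follows the skip token Resource Graph returns when a result set exceeds one page, so large environments are not silently truncated. The SDK path assumes the azure-identity and azure-mgmt-resourcegraph packages and a signed-in DefaultAzureCredential; the subscription id is a placeholder.

```python
"""Added example, not code from the article: two Resource Graph queries and a
skip-token pager.  Assumes azure-identity and azure-mgmt-resourcegraph are
installed when the SDK sender is used; the subscription id is a placeholder."""

# Query 1: a few properties of every virtual machine.
VM_QUERY = """
Resources
| where type =~ 'microsoft.compute/virtualmachines'
| project name, location, resourceGroup,
          vmSize = tostring(properties.hardwareProfile.vmSize),
          osType = tostring(properties.storageProfile.osDisk.osType)
| order by name asc
"""

# Query 2: key vaults without purge protection, joined to the subscription's
# display name from the ResourceContainers table so the report reads well.
KEYVAULT_QUERY = """
Resources
| where type =~ 'microsoft.keyvault/vaults'
| where coalesce(tobool(properties.enablePurgeProtection), false) == false
| project name, location, resourceGroup, subscriptionId
| join kind=inner (
    ResourceContainers
    | where type =~ 'microsoft.resources/subscriptions'
    | project subscriptionId, subscriptionName = name
  ) on subscriptionId
| project subscriptionName, resourceGroup, name, location
| order by subscriptionName asc, name asc
"""


def query_all_pages(send, query, page_size=1000):
    """Collect every row of a query by following the skip token.

    `send(query, skip_token, page_size)` performs one request and returns
    (rows, next_skip_token); next_skip_token is falsy on the last page.
    """
    rows, skip_token = [], None
    while True:
        page, skip_token = send(query, skip_token, page_size)
        rows.extend(page)
        if not skip_token:
            return rows


def make_sdk_sender(subscriptions):
    """Return a `send` callable backed by the real SDK; imports are deferred so
    the pager above can be exercised without the SDK installed."""
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.resourcegraph import ResourceGraphClient
    from azure.mgmt.resourcegraph.models import QueryRequest, QueryRequestOptions

    client = ResourceGraphClient(DefaultAzureCredential())

    def send(query, skip_token, page_size):
        options = QueryRequestOptions(top=page_size, skip_token=skip_token)
        response = client.resources(
            QueryRequest(subscriptions=subscriptions, query=query, options=options))
        return response.data, response.skip_token

    return send


if __name__ == "__main__":
    send = make_sdk_sender(["00000000-0000-0000-0000-000000000000"])  # placeholder id
    for vault in query_all_pages(send, KEYVAULT_QUERY):
        print(vault["subscriptionName"], vault["resourceGroup"], vault["name"], vault["location"])
```

The same query text can be pasted into Resource Graph Explorer as-is; the pager only matters when you automate the query, because a single request returns one page of results and the rest is reachable only through the skip token.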
Azure Cost Management + Billing
While the cloud can reduce your costs and the overhead required to manage organizational assets, there is potential for waste and inefficiency unless you are careful with your cloud deployments. Azure Cost Management + Billing is a suite of tools that help you analyze, manage, and optimize the costs of your workloads. Some of the features include:
- Set spending thresholds
- Proactively apply data analysis to your costs
- Identify opportunities for workload changes that can optimize your spending
- Download cost and usage data that was used to generate your monthly invoice
Important: Tag your resources! Tags are an effective way to understand costs that span multiple teams and Azure scopes. Tags can record whether a resource is shared by multiple teams, the environment it is deployed in, the project the resource belongs to, etc. Such tags help you organize your resources and understand the costs incurred.
You can also use Cost analysis to analyze your organizational costs in-depth by slicing and dicing your costs using standard resource properties. It’s also important to begin setting limits for yourself and your teams.
Azure budgets give you the ability to set either a cost-based or a usage-based budget with multiple thresholds and alerts. You can further use services like Azure Advisor to get recommendations for cost savings. Azure Reservations and Azure Hybrid Benefit can also help with your cost-cutting measures.
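As an added example (not the article's own code), the script below takes cost-and-usage export rows like the ones the text says you can download and allocates spend to teams by tag, surfaces the resources that carry no team tag, and checks the allocated totals against per-team budgets. The CSV is constructed sample data in a simplified export shape (ResourceId, Cost, Tags as a JSON object); real exports carry many more columns and encode tags differently, so the parser is the part you would adapt.

```python
"""Added example, not code from the article: allocate exported cost rows to
teams by tag and flag untagged resources.  SAMPLE_EXPORT is constructed sample
data in a simplified export shape; the subscription id is a placeholder."""
import csv
import io
import json
from collections import defaultdict
from decimal import Decimal

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id

# Constructed sample export: two tagged teams, one resource with no tags and one
# with tags but no 'team' key.
SAMPLE_EXPORT = f"""ResourceId,Cost,Tags
{SUB}/resourceGroups/rg-pay/providers/Microsoft.Compute/virtualMachines/vm-pay-01,12.50,"{{""team"": ""payments"", ""env"": ""prod""}}"
{SUB}/resourceGroups/rg-pay/providers/Microsoft.Sql/servers/sql-pay/databases/db-pay,30.00,"{{""team"": ""payments"", ""env"": ""prod""}}"
{SUB}/resourceGroups/rg-ml/providers/Microsoft.Compute/virtualMachines/vm-ml-01,40.25,"{{""team"": ""ml"", ""env"": ""dev""}}"
{SUB}/resourceGroups/rg-legacy/providers/Microsoft.Storage/storageAccounts/stlegacy01,7.75,
{SUB}/resourceGroups/rg-shared/providers/Microsoft.KeyVault/vaults/kv-shared,2.00,"{{""env"": ""prod""}}"
"""

UNTAGGED = "(untagged)"


def parse_export(text):
    """Parse export rows into dicts with a Decimal cost and a tags dict."""
    rows = []
    for record in csv.DictReader(io.StringIO(text)):
        tags = json.loads(record["Tags"]) if record["Tags"] else {}
        rows.append({"resource_id": record["ResourceId"],
                     "cost": Decimal(record["Cost"]), "tags": tags})
    return rows


def allocate(rows, tag_key):
    """Sum cost per value of `tag_key`; resources lacking the tag land in one
    visible bucket rather than disappearing into another team's total."""
    totals = defaultdict(Decimal)
    for row in rows:
        totals[row["tags"].get(tag_key, UNTAGGED)] += row["cost"]
    return dict(totals)


def untagged_resources(rows, tag_key):
    """Resource ids that carry no `tag_key`: the list to hand back to owners."""
    return [row["resource_id"] for row in rows if tag_key not in row["tags"]]


def over_budget(totals, budgets):
    """Teams whose allocated cost exceeds their budget (no budget means no limit)."""
    return sorted(team for team, cost in totals.items()
                  if team in budgets and cost > budgets[team])


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    totals = allocate(rows, "team")
    for team, cost in sorted(totals.items()):
        print(f"{team:<12} {cost:>8}")
    print("needs a 'team' tag:", *untagged_resources(rows, "team"), sep="\n  ")
    print("over budget:", over_budget(totals, {"payments": Decimal("40"), "ml": Decimal("50")}))
```

Keeping the untagged bucket separate is the point: if untagged spend is dropped or folded into "other", the budget alerts you configure per team never fire for it, and the tagging gap stays invisible.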
Billing accounts — Azure currently supports the following types of billing accounts:
- Microsoft Online Services Program: Created when you sign up for an Azure Free Account, an account with pay-as-you-go rates, or as a Visual Studio subscriber.
- Enterprise Agreement: A billing account for an Enterprise Agreement is created when your organization signs an Enterprise Agreement (EA) to use Azure.
- Microsoft Customer Agreement: A billing account for a Microsoft Customer Agreement is created when your organization works with a Microsoft representative to sign a Microsoft Customer Agreement.
Most of the time, organizations use an EA or a Microsoft Customer Agreement.
Azure Management Groups
Management groups are logical containers for managing access, policies, and compliance across multiple Azure subscriptions. They allow you to easily manage your Azure subscriptions by grouping them together and taking actions in bulk, providing a level of scope above subscriptions.
Important: All subscriptions within a single management group must trust the same Azure Active Directory tenant.
You can order your Azure resources hierarchically into collections, which provide a further level of classification that is above the level of subscriptions. This hierarchy should be tailored to your organization to efficiently manage your subscriptions and resources.
For example, you can create a hierarchy that applies a policy which limits VM locations to the US West region in the group called “Production”. This policy is inherited by all the Enterprise Agreement (EA) subscriptions that are descendants of that management group and applies to all VMs under those subscriptions. This security policy cannot be altered by the resource or subscription owner, allowing for improved governance.
All subscriptions within a management group automatically inherit the conditions applied to the management group. For the first management group, a root management group is created in the Azure Active Directory (Azure AD) organization. The root management group can’t be moved or deleted, unlike other management groups.
Azure Blueprints
Azure Blueprints enables you to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements. It simplifies deployments by packaging artifacts, such as Azure Resource Manager templates, role assignments, resource groups and policy assignments, in a single blueprint definition.
A blueprint brings each of these artifact types together, allowing you to compose and version that package, including through a continuous integration and continuous delivery (CI/CD) pipeline. A blueprint has a typical and natural lifecycle. This lifecycle enables versions of a blueprint to be used and actively assigned while a newer version is being developed.
When the mode of a version of the blueprint is Published, that version can be assigned to a subscription. Blueprints can pass parameters to either a policy/policy initiative or an ARM template. Each blueprint (a published version) can be assigned to an existing management group or subscription.
It’s typically possible for someone with an appropriate role-based access control (RBAC) role on the subscription, such as Owner, to alter or delete any resource. That isn’t the case when Azure Blueprints applies locking as part of a deployed assignment. Locking Mode applies to the blueprint assignment and has three options: Don’t Lock, Read Only, or Do Not Delete. If the assignment was set with the Read Only or Do Not Delete option, not even the subscription owner can perform the blocked action on the protected resource. Resources created by artifacts in a blueprint assignment have four states: Not Locked, Read Only, Cannot Edit / Delete, or Cannot Delete.