The adoption of cloud computing is becoming more widespread, but managing and controlling cloud resources can be a daunting challenge for organizations. In this context, Microsoft's Azure Policies represent a fundamental tool for cloud governance, able to help companies define, apply and enforce security and compliance policies in a consistent and automated manner. This article will explore the importance of Azure Policies in managing cloud services, illustrating the benefits of using this solution and some more common use cases. Furthermore, some useful tips for defining effective policies and for integrating Azure Policies into the overall cloud governance strategy will be presented.
The common need and possible approaches
The common requirement is to standardize, and in some cases impose, how resources are configured in the cloud environment. All this is done to obtain specific environments that meet compliance regulations, monitor security, resource costs and standardize the design of the different architectures.
Getting this result is not easy, especially in complex environments where you can find different Azure subscriptions on which different groups of operators develop and operate.
These goals can be achieved with a traditional approach, which provides for a block of operators in direct access to cloud resources (through the portal, API or cli):
Figure 1 – Traditional approach
However, this type of traditional approach is not very flexible, because it involves a loss of agility in controlling the deployment of resources.
In this regard, it is instead recommended to use a mechanism that is provided natively by the Azure platform, which allows you to pilot governance processes to achieve the desired control, but without impacting the speed, fundamental element in operations in modern IT with resources in the cloud:
Figure 2 – Modern approach with Azure Policy
What can be achieved thanks to Azure Policies
By activating the Azure Policy it is possible:
- activate and carry out real-time evaluation of the criteria present in the policies;
- evaluate policy compliance periodically or upon request;
- activate operations for real-time remediation, also for existing resources.
All this translates into the ability to apply and enforce policy compliance on a large scale and its remediation actions.
How the Azure Policy mechanism works
The working mechanism of the Azure Policy is simple and integrated into the platform. When a request is made for an Azure resource configuration using ARM, this is intercepted by the layer containing the engine that performs the evaluation of policy. This engine makes an assessment based on active Azure policies and establishes the legitimacy of the request.
Figure 3 – Working principle of Azure Policy in creating resources
The same mechanism is then repeated periodically or upon specific request to evaluate the compliance status of existing resources.
Figure 4 – Working principle of Azure Policy in resource control
Azure already has many built-in policies ready to apply, or you can configure them to suit your needs. The definition of the Azure Policy is made in JSON and follows a well defined structure, described inthis Microsoft's document. You also have the possibility of creatingInitiatives, they are a collection of multiple policies.
When you have the desired policy definition, you can assign it to a Management Group, to a subscription and possibly in a more limited way to a specific Resource Group. The same goes for Initiatives. You also have the ability to exclude certain resources from applying the policy if necessary.
Following the assignment, you can evaluate the State of compliance in detail and if it is necessary apply remediation actions.
Use cases for Azure policies
The main areas that can be governed by appropriately adopting the Azure Policies are reported:
- financial: resources deployed in Azure for which a consistent metadata strategy needs to be applied to achieve effective cost mapping;
- data location: sovereignty requirements that require data to reside in certain geographic locations;
- unnecessary expenses: resources that are no longer used or that have not been properly disposed of resulting in unnecessary expenses for the company;
- management inefficiencies: an inconsistent resource naming and tagging strategy can make troubleshooting and routine maintenance demands of existing architectures difficult;
- business interruption: SLAs are required to ensure that systems are built in accordance with business requirements. Therefore, architectures must be designed according to SLAs and must be investigated if they do not meet them.
Conclusions
In the context of Cloud Technical Governance it is essential to define and apply rules that make it possible to ensure that Azure resources always comply with the defined company standards. Thanks to the use of Azure Policies, also increasing the complexity and quantity of services, you can always ensure advanced control of your Azure environment.
