Azure Fundamentals (AZ-900)

Last Updated: 1/24/2023

Azure Policy

  • Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources.
  • These policies enforce different rules across your resource configurations so that those configurations stay compliant with corporate standards.
  • Azure Policy enables you to define both individual policies and groups of related policies known as initiatives.
  • Azure Policy evaluates your resources and highlights resources that aren't compliant with the policies you've created.
  • Azure Policy can also prevent noncompliant resources from being created.
  • Azure policies can be assigned at each scope level, enabling you to set policies on a specific resource, resource group, subscription, and so on.
  • Azure policies are inherited. For example, if you set an Azure Policy on a resource group, all resources created within that resource group will automatically receive the same policy.
  • Azure Policy comes with built-in policy and initiative definitions for Storage, Networking, Compute, Security Center, and Monitoring. For example, you can define a policy that allows only certain sizes of virtual machines (VMs) to be used in your environment.
  • Azure Policy can automatically remediate noncompliant resources and configurations to keep resources in the state you have defined. For example, if all resources in a resource group should carry an AppName tag with the value "SpecialOrders", Azure Policy will automatically apply that tag wherever it is missing.
  • Azure Policy also integrates with Azure DevOps by applying any continuous integration and delivery pipeline policies that pertain to the pre-deployment and post-deployment phases of your applications.

Azure Policy initiatives

  • An Azure Policy initiative is a way of grouping related policies together.
  • The initiative definition helps to track your compliance state for a larger goal.
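The two policy examples from the notes above (allowed VM sizes with a deny effect, and a missing AppName tag that is remediated with a modify effect) and the idea of grouping them into an initiative can be made concrete by writing them in the Azure Policy definition format and running them against sample resource requests. The following is an added example, not code from the original notes or from Microsoft: the policy and initiative definitions are constructed, the resource descriptions are constructed, and the evaluator is a simplified illustrative model of Azure's engine (it supports only the `allOf`, `equals`, `notIn` and `exists` conditions used here, models field aliases as dotted paths under `properties`, and reads parameter default values). The one behaviour it deliberately reproduces from Azure is the effect ordering: modify runs before deny is checked, which is why even a request that ends up denied has already had its tag added.

```python
import json
import re

# Constructed example definitions (not Azure's built-ins) written in the Azure
# Policy definition format: a policyRule holds an "if" condition and a "then"
# effect. The evaluator below is a simplified illustrative model, not Azure's engine.
ALLOWED_VM_SIZES_POLICY = {"name": "allowed-vm-sizes", "properties": {
    "mode": "Indexed",
    "parameters": {"listOfAllowedSKUs": {
        "type": "Array", "defaultValue": ["Standard_B2s", "Standard_D2s_v3"]}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "Microsoft.Compute/virtualMachines/sku.name",
             "notIn": "[parameters('listOfAllowedSKUs')]"}]},
        "then": {"effect": "deny"}}}}

REQUIRE_APPNAME_TAG_POLICY = {"name": "require-appname-tag", "properties": {
    "mode": "Indexed",
    "parameters": {"tagValue": {"type": "String", "defaultValue": "SpecialOrders"}},
    "policyRule": {
        "if": {"field": "tags['AppName']", "exists": "false"},
        "then": {"effect": "modify", "details": {"operations": [
            {"operation": "addOrReplace", "field": "tags['AppName']",
             "value": "[parameters('tagValue')]"}]}}}}}

# An initiative (policy set) just references the policy definitions it groups.
INITIATIVE = {"name": "corporate-baseline", "properties": {"policyDefinitions": [
    {"policyDefinitionId": "allowed-vm-sizes"},
    {"policyDefinitionId": "require-appname-tag"}]}}
DEFINITIONS = {p["name"]: p for p in (ALLOWED_VM_SIZES_POLICY, REQUIRE_APPNAME_TAG_POLICY)}

# Constructed resource descriptions standing in for incoming create requests.
OVERSIZED_VM = {"name": "vm-big", "type": "Microsoft.Compute/virtualMachines",
                "properties": {"sku": {"name": "Standard_E64s_v3"}}}
UNTAGGED_VM = {"name": "vm-ok", "type": "Microsoft.Compute/virtualMachines",
               "properties": {"sku": {"name": "Standard_B2s"}}}

TAG_FIELD = re.compile(r"tags\['(.+)'\]")

def _resolve(value, params):
    """Replace a "[parameters('x')]" reference with that parameter's default value."""
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value) if isinstance(value, str) else None
    return params[m.group(1)]["defaultValue"] if m else value

def _field(resource, field):
    """Read a field; aliases are modelled here as dotted paths under 'properties'."""
    if field == "type":
        return resource.get("type")
    if tag := TAG_FIELD.fullmatch(field):
        return resource.get("tags", {}).get(tag.group(1))
    node = resource.get("properties", {})
    for part in field.rsplit("/", 1)[-1].split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def _matches(cond, resource, params):
    """Evaluate the subset of policy conditions used by the definitions above."""
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    actual = _field(resource, cond["field"])
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params)
    if "notIn" in cond:
        return actual not in _resolve(cond["notIn"], params)
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate_policy(policy, resource):
    """Return (effect, resource); effect is None when the rule does not fire."""
    props = policy["properties"]
    params, rule = props.get("parameters", {}), props["policyRule"]
    if not _matches(rule["if"], resource, params):
        return None, resource
    effect = rule["then"]["effect"].lower()
    if effect == "modify":
        patched = json.loads(json.dumps(resource))  # never mutate the caller's object
        for op in rule["then"]["details"]["operations"]:
            tag = TAG_FIELD.fullmatch(op["field"])
            if tag and op["operation"] in ("add", "addOrReplace"):
                patched.setdefault("tags", {})[tag.group(1)] = _resolve(op["value"], params)
        return "modify", patched
    return effect, resource

# Azure applies modify/append before deny, and deny before audit effects.
_EFFECT_ORDER = {"modify": 0, "append": 0, "deny": 1, "audit": 2}

def evaluate_initiative(initiative, definitions, resource):
    """Run every policy in the initiative against one resource request."""
    policies = sorted((definitions[r["policyDefinitionId"]]
                       for r in initiative["properties"]["policyDefinitions"]),
                      key=lambda p: _EFFECT_ORDER.get(
                          p["properties"]["policyRule"]["then"]["effect"].lower(), 9))
    outcomes, allowed = [], True
    for policy in policies:
        effect, resource = evaluate_policy(policy, resource)
        outcomes.append((policy["name"], effect or "compliant"))
        allowed = allowed and effect != "deny"
    return {"allowed": allowed, "outcomes": outcomes, "resource": resource}
```

Calling `evaluate_initiative(INITIATIVE, DEFINITIONS, OVERSIZED_VM)` reports the request as not allowed because the deny policy fires on the SKU, while `UNTAGGED_VM` is allowed and comes back with the AppName tag added by the modify policy. Tracking outcomes per policy name is what lets an initiative report compliance against the larger goal rather than as one flat pass/fail.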

Azure Policy initiative - Enable Monitoring

  • Azure Policy includes an initiative named Enable Monitoring in Azure Security Center.
  • Its goal is to monitor all available security recommendations for all Azure resource types in Azure Security Center.
  • The Enable Monitoring in Azure Security Center initiative contains over 100 separate policy definitions.
  • Under this initiative, the following policy definitions are included:
    • Monitor unencrypted SQL Database in Security Center: This policy monitors for unencrypted SQL databases and servers.
    • Monitor OS vulnerabilities in Security Center: This policy monitors servers that don't satisfy the configured OS vulnerability baseline.
    • Monitor missing Endpoint Protection in Security Center: This policy monitors for servers that don't have an installed endpoint protection agent.