Building a secure environment is one of the most important aspects of the public cloud. Azure Policy is a service you can use to create, assign and manage policy definitions while keeping control of your Azure environment.

These policy definitions can be used to enforce a desired state for newly created resources or to audit existing infrastructure. You can use the built-in policies or write new ones in JSON syntax to match your own requirements.

Azure Policy supports the following effects:

  • Audit
  • Deny
  • Append
  • AuditIfNotExists
  • DeployIfNotExists

Example policy: enforce a specific NSG (Network Security Group) on every new network interface.

{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkInterfaces"
        },
        {
          "not": {
            "field": "Microsoft.Network/networkInterfaces/networkSecurityGroup.id",
            "equals": "[parameters('nsgId')]"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "nsgId": {
      "type": "String",
      "metadata": {
        "displayName": "Network Security Group Id",
        "description": "Resource Id of the Network Security Group",
        "strongType": "networksecuritygroup"
      }
    }
  },
  "metadata": {
    "category": "LabCategorySecurity"
  }
}

The above example protects the environment up front: any request to create a network interface whose networkSecurityGroup.id does not equal the NSG passed in the nsgId parameter (including a network interface with no NSG at all) is denied before the resource exists.
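To see how the allOf / not / field / equals logic of that rule actually behaves, here is an added Python simulation written for this post (it is not Azure's own evaluation engine or SDK) that runs the NIC policy against constructed request bodies; the alias table, the sample NSG id and the nic() helper are assumptions made for the example.

```python
# Constructed example: the post's policy (colons restored) as Python data.
POLICY = {
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Network/networkInterfaces"},
            {"not": {"field": "Microsoft.Network/networkInterfaces/networkSecurityGroup.id",
                     "equals": "[parameters('nsgId')]"}},
        ]},
        "then": {"effect": "deny"},
    },
}
# Hypothetical alias table (alias -> path in the request body); Azure resolves aliases server-side.
ALIASES = {
    "type": ("type",),
    "Microsoft.Network/networkInterfaces/networkSecurityGroup.id":
        ("properties", "networkSecurityGroup", "id"),
}

def _lookup(resource, alias):
    node = resource
    for key in ALIASES[alias]:
        if not isinstance(node, dict) or key not in node:
            return None  # absent field, e.g. a NIC created without any NSG
        node = node[key]
    return node

def _resolve(value, params):
    # Substitute "[parameters('x')]" with the value supplied at assignment time.
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def _condition(cond, resource, params):
    if "allOf" in cond:
        return all(_condition(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not _condition(cond["not"], resource, params)
    actual, expected = _lookup(resource, cond["field"]), _resolve(cond["equals"], params)
    if isinstance(actual, str) and isinstance(expected, str):
        return actual.lower() == expected.lower()  # resource ids compare case-insensitively
    return actual == expected

def evaluate(policy, resource, params):
    """Return the rule's effect when its 'if' block matches, else 'notApplicable'."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if _condition(rule["if"], resource, params) else "notApplicable"

# Constructed sample NSG id and a helper building NIC request bodies with or without an NSG.
NSG_ID = "/subscriptions/0000/resourceGroups/lab/providers/Microsoft.Network/networkSecurityGroups/lab-nsg"
def nic(nsg_id=None):
    props = {"networkSecurityGroup": {"id": nsg_id}} if nsg_id else {}
    return {"type": "Microsoft.Network/networkInterfaces", "properties": props}
```

Running evaluate(POLICY, nic(), {"nsgId": NSG_ID}) returns "deny", while a NIC carrying NSG_ID (in any letter case) or a non-NIC resource returns "notApplicable".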

To create a policy definition you can use:

  • Azure portal
  • PowerShell
  • Azure CLI
  • REST API

Sample PowerShell assignment (the AzureRm module, as used in the original post; replace the angle-bracket placeholders with your own values):

# Resource group that will be the scope of the assignment
$rg = Get-AzureRmResourceGroup -Name "<RG name>"

# Look up the policy definition by its full resource id
$definition = Get-AzureRmPolicyDefinition -Id "/providers/Microsoft.Authorization/policyDefinitions/<definition id>"

# Assign the definition to the resource group
New-AzureRmPolicyAssignment -Name "<policy name> Assignment" -Scope $rg.ResourceId -PolicyDefinition $definition

Azure Policy also lets you deploy community-contributed policies, for example from GitHub.

GitHub: https://github.com/Azure/azure-policy/tree/master/samples

You can assign a policy at any scope from a management group down to a resource group. You can also exclude scopes, which lets you assign a policy at a high level and then exclude specific scopes beneath it.

To group several policies, you can create an initiative that collects multiple policy definitions so they are assigned and evaluated together.

[Screenshot: Azure policy]

[Screenshot: Initiative Compliance]

Compliance evaluation requires the Standard pricing tier.

The Azure Policy service is currently in preview. It will most likely keep evolving, but it could become one of the key services for ensuring security in a public cloud environment, which makes it well worth some attention.