Azure Policy

  • Author: Ronald Fung

  • Creation Date: 30 May 2023

  • Next Modified Date: 30 May 2024


A. Introduction

Azure Policy helps enforce organizational standards and assess compliance at scale. Its compliance dashboard gives an aggregated view of the overall state of the environment, with the ability to drill down to per-resource, per-policy granularity. It also helps bring resources into compliance: bulk remediation for existing resources and automatic remediation for new resources.

For more information on remediation, see Remediate non-compliant resources with Azure Policy.

Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. Policy definitions for these common use cases are already available in your Azure environment as built-ins to help you get started.

Specifically, some useful governance actions you can enforce with Azure Policy include:

  • Ensuring your team deploys Azure resources only to allowed regions

  • Enforcing the consistent application of taxonomic tags

  • Requiring resources to send diagnostic logs to a Log Analytics workspace

With Azure Arc, the same policy-based governance extends to Arc-enabled servers and Kubernetes clusters running in other clouds or in on-premises datacenters.

All Azure Policy data and objects are encrypted at rest. For more information, see Azure data encryption at rest.

Overview

Azure Policy evaluates resources and actions in Azure by comparing the properties of those resources to business rules. These business rules, described in JSON, are known as policy definitions. To simplify management, several definitions can be grouped into a policy initiative (sometimes called a policySet). A definition or initiative is then assigned to a scope: a management group, subscription, resource group, or individual resource. The assignment applies to every resource under that Resource Manager scope, so an assignment at a management group covers all subscriptions beneath it; child scopes can be excluded from the assignment (notScopes) where necessary. For more information, see Scope in Azure Policy.

A definition's JSON carries metadata (display name, description, category), the evaluation mode, any parameters, and the policy rule. The rule's if block combines functions, parameters, logical operators (allOf, anyOf, not), conditions (equals, in, notIn, exists, like, and so on) and property aliases to select exactly the resources that should be flagged; the then block names the effect applied to a match. Deny blocks the create or update request, Append and Modify alter it, Audit and AuditIfNotExists only record non-compliance, DeployIfNotExists deploys the missing configuration (after creation, or for existing resources through a remediation task), and Disabled turns the rule off. Deny acts only on Resource Manager (control-plane) operations; it does not govern data-plane actions such as writes into an existing storage account.
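The following is an added illustration, not code from Microsoft or from this page: a small Python evaluator that applies the if/then logic of a definition to sample resources, so the structure described above can be seen working. The two definitions are constructed here and modelled on the built-in Allowed locations and Require a tag on resources policies, the resource objects are constructed samples, and the evaluator supports only the operators those definitions use; it is a teaching aid, not the Azure Policy engine.

```python
"""Offline evaluator for the policyRule block of an Azure Policy definition.
Added illustration, not the Azure Policy engine: it supports only the operators
used by the two constructed definitions below (field equals/notEquals/in/notIn/
exists, allOf/anyOf/not and [parameters('x')] references), not count(), value(),
or the existence checks of AuditIfNotExists/DeployIfNotExists."""
import re
from typing import Any, Optional

PARAM_REF = re.compile(r"^\[parameters\('(\w+)'\)\]$")
TAG_FIELD = re.compile(r"^tags\['([^']+)'\]$")

def _resolve(value: Any, params: dict) -> Any:
    """Replace a [parameters('name')] expression with the assigned value."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def _lookup_field(resource: dict, field: str) -> Any:
    """name/type/location are top level, tags['x'] reads a tag, anything else is
    treated as an alias (e.g. Microsoft.Storage/storageAccounts/networkAcls.defaultAction)
    mapped onto resource['properties'] by the dotted path after the type (simplified)."""
    m = TAG_FIELD.match(field)
    if m:
        return (resource.get("tags") or {}).get(m.group(1))
    if field in ("name", "type", "location"):
        return resource.get(field)
    node: Any = resource.get("properties", {})
    for part in field.split("/")[-1].split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def _norm(value: Any) -> Any:
    """Azure Policy compares values as case-insensitive strings (booleans included)."""
    if isinstance(value, bool):
        return str(value).lower()
    return value.lower() if isinstance(value, str) else value

def _matches(cond: dict, resource: dict, params: dict) -> bool:
    """True when the resource satisfies the condition, i.e. the 'if' block fires."""
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource, params)
    actual = _norm(_lookup_field(resource, cond["field"]))
    [(op, raw)] = [(k, v) for k, v in cond.items() if k != "field"]
    expected = _resolve(raw, params)
    if op in ("equals", "notEquals"):
        return (actual == _norm(expected)) == (op == "equals")
    if op in ("in", "notIn"):
        return (actual in {_norm(x) for x in expected}) == (op == "in")
    if op == "exists":
        return (actual is not None) == (str(expected).lower() == "true")
    raise ValueError(f"operator not supported by this toy evaluator: {op}")

def evaluate(definition: dict, resource: dict, params: Optional[dict] = None) -> str:
    """Lower-cased effect the rule applies to the resource, or 'compliant' when the
    'if' block does not match. params (assignment-time values) override defaultValue."""
    props = definition["properties"]
    merged = {n: p.get("defaultValue") for n, p in props.get("parameters", {}).items()}
    merged.update(params or {})
    rule = props["policyRule"]
    if _matches(rule["if"], resource, merged):
        return str(_resolve(rule["then"]["effect"], merged)).lower()
    return "compliant"

# Constructed definition modelled on the built-in "Allowed locations" policy.
ALLOWED_LOCATIONS = {"properties": {
    "displayName": "Allowed locations",
    "mode": "Indexed",  # Indexed: only resource types that support tags and location
    "parameters": {"listOfAllowedLocations": {"type": "Array", "defaultValue": ["eastus", "westus2"]}},
    "policyRule": {"if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"}]},
        "then": {"effect": "deny"}}}}

# Constructed definition modelled on "Require a tag on resources". The built-in builds
# the field with concat() and parameters('tagName'), which this evaluator does not
# parse, so the tag name is fixed here and only the effect is parameterised.
REQUIRE_OWNER_TAG = {"properties": {
    "displayName": "Require an owner tag",
    "mode": "Indexed",
    "parameters": {"effect": {"type": "String", "defaultValue": "Audit"}},
    "policyRule": {"if": {"field": "tags['owner']", "exists": "false"},
                   "then": {"effect": "[parameters('effect')]"}}}}

# Constructed sample resources in the shape the engine evaluates.
SAMPLE_RESOURCES = {
    "vm-research-01": {"type": "Microsoft.Compute/virtualMachines", "location": "EastUS",
                       "tags": {"owner": "research-platform"}},
    "stexport": {"type": "Microsoft.Storage/storageAccounts", "location": "northeurope",
                 "tags": {}, "properties": {"supportsHttpsTrafficOnly": False}},
    "dns-seagen": {"type": "Microsoft.Network/dnsZones", "location": "global", "tags": {"owner": "netops"}},
}

if __name__ == "__main__":
    for name, res in SAMPLE_RESOURCES.items():
        for d in (ALLOWED_LOCATIONS, REQUIRE_OWNER_TAG):
            print(f"{name:16} {d['properties']['displayName']:22} {evaluate(d, res)}")
```

Running it shows the storage account in northeurope denied by the location rule and audited for its missing owner tag, the VM compliant with both (the location match is case-insensitive), and the DNS zone passing because location global is carved out. Passing {"effect": "Deny"} as an assignment parameter turns the tag audit into a deny without touching the definition, which is how the same definition serves a test assignment in audit mode and a production assignment in deny mode.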


B. How is it used at Seagen

As a biopharma research company using Microsoft Azure, Seagen could use Azure Policy to enforce compliance and governance policies across its cloud resources. Here are some ways Seagen could use Azure Policy:

  1. Enforce compliance: Azure Policy can enforce compliance rules across Seagen’s cloud resources, such as ensuring that only approved virtual machine images are used, or that storage accounts and databases meet encryption requirements (for example HTTPS-only traffic or customer-managed keys).

  2. Governance: Azure Policy can be used to enforce governance policies across Seagen’s cloud resources, such as ensuring that all virtual machines are tagged correctly, or that all resources are located in approved regions.

  3. Automate remediation: with the DeployIfNotExists and Modify effects, Azure Policy can add missing configuration to new resources automatically, for example deploying diagnostic settings or adding a required tag, and remediation tasks apply the same change to existing non-compliant resources. Azure Policy does not delete unused resources or scale workloads; those tasks need other tooling.

  4. Monitor and audit: Azure Policy can be used to monitor and audit Seagen’s cloud resources, providing visibility into compliance and governance policies and identifying potential issues or risks.

  5. Integration with other Azure services: Azure Policy underpins Microsoft Defender for Cloud (formerly Azure Security Center), whose regulatory compliance view is built on policy initiatives; its compliance data can be queried from Azure Resource Graph, and audit and deny events appear in the Activity log, where Azure Monitor can alert on them.

Overall, Azure Policy gives Seagen a single place to enforce compliance and governance rules across its cloud resources. Its ability to deny or remediate non-compliant configurations, report on compliance, and integrate with Defender for Cloud and Azure Monitor makes it a valuable control for an organization with regulatory obligations around its enterprise applications and workloads.


C. Features

Azure Policy is a service in Microsoft Azure that is used to enforce compliance and governance policies across Azure resources. Some of the key features of Azure Policy include:

  1. Policy definition: a flexible, JSON-based definition framework lets users write custom definitions that meet specific compliance and governance requirements, or use the built-in definitions that Microsoft maintains.

  2. Policy enforcement: Azure Policy evaluates resources against assigned definitions on every create or update request and during periodic compliance scans. Depending on the effect, a non-compliant request is denied outright, the resource is marked non-compliant (Audit), or the missing configuration is added (Modify, DeployIfNotExists); existing non-compliant resources can be corrected with a remediation task.

  3. Customizable policy initiatives: Azure Policy allows users to define custom policy initiatives that can be used to group policies together based on a specific compliance or governance objective.

  4. Integration with Azure services: Azure Policy is built into Azure Resource Manager, so evaluation happens in the request path, and it integrates with Microsoft Defender for Cloud (formerly Azure Security Center), Azure Resource Graph and Azure Monitor for reporting and alerting.

  5. Compliance reporting: the compliance dashboard in the portal, the Policy Insights API and Azure Resource Graph let users monitor and report on the compliance state of their resources per policy, per assignment and per resource.

  6. Built-in policy definitions and initiatives: Azure Policy ships with a library of built-in definitions and initiatives (including regulatory compliance initiatives) that cover common compliance and governance controls across Azure resources.

  7. Role-based access control: access is governed by Azure RBAC. Writing definitions and assignments requires the Microsoft.Authorization/policy* permissions bundled in the built-in Resource Policy Contributor role, while reading compliance data needs read access to the scope. Assignments that use DeployIfNotExists or Modify also need a managed identity holding the roles listed in the definition's roleDefinitionIds, otherwise remediation fails.

Overall, Azure Policy provides a powerful tool for enforcing compliance and governance policies across Azure resources. Its ability to define and enforce policies, group them into initiatives, integrate with other Azure services, and report on compliance makes it a valuable tool for organizations that require robust compliance and governance controls for their cloud-based applications and workloads.


D. Where Implemented

LeanIX


E. How it is tested

Testing Azure Policy means testing the definitions and assignments Seagen writes, not the service itself. The steps include:

  1. Creating a test environment: use a dedicated subscription or resource group separate from production, ideally under a test management group, so that a badly written Deny policy blocks only test deployments. Assigning with enforcement mode DoNotEnforce produces compliance results without blocking anything, which is a safe first pass for any new Deny policy.

  2. Defining policies: write each definition together with a test plan that lists resources expected to match (non-compliant) and resources expected not to match (compliant), including edge cases such as resources in location global, resource types that do not support tags, and parameter values at their boundaries.

  3. Assigning policies: assign the definition or initiative at the scope it will eventually use (management group, subscription or resource group), with the same parameters and notScopes, so the test exercises inheritance and exclusions as well as the rule itself.

  4. Testing compliance: trigger an on-demand evaluation (az policy state trigger-scan) and read the policy states to verify that the expected resources are flagged and nothing else is. Deny policies are tested separately by attempting the disallowed deployment and checking that Resource Manager rejects it with RequestDisallowedByPolicy; remediation policies (Modify, DeployIfNotExists) are tested by running a remediation task and verifying the resulting configuration.

  5. Debugging and fixing issues: any definition that matches the wrong resources, or none at all, is corrected (scope, mode, alias or condition) before testing continues.

  6. Repeat testing: after a fix, the full test plan is run again to confirm the fix and to catch regressions in other expectations.

  7. Integration testing: confirm that the deployment pipelines and infrastructure-as-code templates used by application teams still deploy successfully under the new assignments, and that compliance results flow through to Defender for Cloud and any reporting built on Azure Resource Graph.

  8. User acceptance testing: finally, the application and platform teams affected by the policies confirm that the controls meet their requirements and that the deny messages and remediation behaviour are understandable.

Overall, testing Azure Policy is a comprehensive exercise that covers each definition's positive and negative cases, its assignment scope, and its integration with the deployment pipelines and reporting around it. Every new or changed policy should be proven in the test environment, in audit or DoNotEnforce mode first, before it is assigned in production, to minimize the risk of blocking legitimate deployments.
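As an added example, not part of the original page or of Azure's own tooling, the following Python checks step 4 offline: it compares a test plan of expected compliance states against policy-state records and sorts each expectation into passed, failed, missing (never evaluated) or stale (evaluated before the assignment existed). The records, subscription ID, resource and assignment names and timestamps are all constructed in the shape of az policy state list output, reduced to the fields used; the assignment creation time is an assumed input.

```python
"""Check Azure Policy compliance results against a test plan.
Added illustration: the records below are constructed in the shape of the
Microsoft.PolicyInsights policy-state output (what `az policy state list`
returns), reduced to the fields used here. Nothing here calls Azure."""
from datetime import datetime
from typing import Optional

SUB = "00000000-0000-0000-0000-000000000000"  # constructed subscription id
RG = f"/subscriptions/{SUB}/resourceGroups/rg-policy-test/providers"

# Constructed policy-state records for the test resource group.
POLICY_STATES = [
    {"resourceId": f"{RG}/Microsoft.Storage/storageAccounts/stexport",
     "policyAssignmentName": "deny-disallowed-locations", "policyDefinitionAction": "deny",
     "complianceState": "NonCompliant", "timestamp": "2023-05-30T10:15:00Z"},
    {"resourceId": f"{RG}/Microsoft.Compute/virtualMachines/vm-research-01",
     "policyAssignmentName": "deny-disallowed-locations", "policyDefinitionAction": "deny",
     "complianceState": "Compliant", "timestamp": "2023-05-30T10:15:00Z"},
    {"resourceId": f"{RG}/Microsoft.Storage/storageAccounts/stexport",
     "policyAssignmentName": "require-owner-tag", "policyDefinitionAction": "audit",
     "complianceState": "Compliant", "timestamp": "2023-05-29T22:40:00Z"},  # predates the assignment
    {"resourceId": f"{RG}/Microsoft.Compute/virtualMachines/vm-research-01",
     "policyAssignmentName": "require-owner-tag", "policyDefinitionAction": "audit",
     "complianceState": "Compliant", "timestamp": "2023-05-30T10:15:00Z"},
]

# Test plan: (resource name, assignment name, expected complianceState).
TEST_PLAN = [
    ("stexport", "deny-disallowed-locations", "NonCompliant"),
    ("vm-research-01", "deny-disallowed-locations", "Compliant"),
    ("stexport", "require-owner-tag", "NonCompliant"),
    ("vm-research-01", "require-owner-tag", "Compliant"),
    ("kv-research", "require-owner-tag", "NonCompliant"),  # no record at all
]

# Assumed input: when the require-owner-tag assignment was (re)created.
ASSIGNED_AT = {"require-owner-tag": "2023-05-30T08:00:00Z"}


def _ts(s: str) -> datetime:
    """Parse the UTC timestamps policy states use ('...Z')."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def index_states(states: list) -> dict:
    """Key records by (resource name, assignment); the name is the last ID segment."""
    return {(s["resourceId"].rsplit("/", 1)[-1].lower(), s["policyAssignmentName"]): s
            for s in states}


def verify(states: list, plan: list, assigned_at: Optional[dict] = None) -> dict:
    """Sort each expectation into passed / failed / missing / stale.
    missing: no record, so the resource was never evaluated (wrong scope, a notScopes
    exclusion, Indexed mode skipping the type, or the scan has not run yet).
    stale: the record predates the assignment, so it reflects an older evaluation
    and must not be read as a pass or a fail."""
    by_key = index_states(states)
    out = {"passed": [], "failed": [], "missing": [], "stale": []}
    for name, assignment, expected in plan:
        rec = by_key.get((name.lower(), assignment))
        if rec is None:
            out["missing"].append((name, assignment))
        elif assignment in (assigned_at or {}) and _ts(rec["timestamp"]) < _ts(assigned_at[assignment]):
            out["stale"].append((name, assignment))
        elif rec["complianceState"] == expected:
            out["passed"].append((name, assignment))
        else:
            out["failed"].append((name, assignment, expected, rec["complianceState"]))
    return out


def all_green(result: dict) -> bool:
    """The compliance step passes only when every expectation was evaluated and met."""
    return not (result["failed"] or result["missing"] or result["stale"])


if __name__ == "__main__":
    r = verify(POLICY_STATES, TEST_PLAN, ASSIGNED_AT)
    for bucket, items in r.items():
        print(bucket, items)
    print("all green:", all_green(r))
```

The stale bucket matters because the compliance dashboard keeps the last evaluation result: without the assignment timestamp the old Compliant record for stexport would be reported as a failed test rather than as "not yet evaluated". In practice the records come from az policy state list --resource-group rg-policy-test after az policy state trigger-scan has completed; a Deny policy needs its own check, since a request it blocks never becomes a resource and so never produces a policy state.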


F. 2023 Roadmap

????


G. 2024 Roadmap

????


H. Known Issues

Like all software products, Azure Policy has known issues and limitations. The ones most likely to affect Seagen are:

  1. Policy evaluation delays: evaluation runs when an assignment is created or updated, when a resource in scope is created or updated, and in a periodic full compliance scan (roughly every 24 hours), so compliance data for a new assignment can take time to appear and the dashboard always lags the latest change. Use an on-demand scan (az policy state trigger-scan) rather than waiting when testing.

  2. Policy assignment issues: a policy that appears not to apply, or to apply to the wrong resources, usually comes down to scope (assigned at the wrong level or excluded through notScopes), mode (Indexed mode skips resource types that do not support tags and location), or permissions (DeployIfNotExists and Modify assignments need a managed identity holding the roles in roleDefinitionIds). Check these before suspecting the rule itself.

  3. Policy compliance issues: compliance data reflects the last evaluation, not the current state, and Deny policies produce no compliance record for the requests they block because the resource is never created. Treat the dashboard as eventually consistent and use the Activity log to see deny events.

  4. Policy definition issues: conditions on resource properties require an alias; a property without one cannot be evaluated. List the aliases a provider exposes (for example az provider show --namespace Microsoft.Storage --expand "resourceTypes/aliases") before writing a rule, and remember that equals and in are case-insensitive but exact, so wildcard matching needs like or match.

  5. Integration issues: policies that deny or modify requests can break infrastructure-as-code pipelines and third-party deployment tools that were written before the policy existed, and DeployIfNotExists remediation can conflict with configuration those tools manage. New assignments should be rolled out in audit or DoNotEnforce mode first so these conflicts surface as compliance findings rather than failed deployments.

Overall, while Azure Policy is a powerful solution for enforcing compliance and governance policies across Azure resources, users must be aware of these issues and plan around them: allow for evaluation delay, verify scope, mode and managed-identity permissions on every assignment, read compliance data as eventually consistent, check aliases before writing conditions, and test each policy against the deployment tooling it will affect before enforcing it in production.


[x] Reviewed by Enterprise Architecture

[x] Reviewed by Application Development

[x] Reviewed by Data Architecture