If you don’t have standards in IT, things can get out of control and there’s no change in cloud. In fact, there’s more of a need for governance than ever, if you don’t have it in cloud it could cause allot of issues, excessive costs, issues supporting and a bad cloud experience to name a few. Azure Policy is essentially designed to help set those standards on Azure use (using policies), making sure it’s used in the right way highlighting issues (using compliance) and help fix those issues (using remediation).
You can manually create policies (to check Azure resources are configured in a certain way) or you can use the growing number of pre-built policies.
We have labs for ARM templates, for Terraform configurations and for Azure Policies and Policy Initiatives. All of these will come together in a set of upcoming labs around initial customer governance in line with the Cloud Adoption Framework, plus the deployment of default shared services, policy assignments and role based access control (RBAC) assignments.
These will be achieved using a variety of tools, including Azure Blueprints, Terraform, subscription level ARM templates and Azure DevOps Pieplines, and will be aligned with common definition and deployment stages and organisational structures that we see in both partners and end customers.
Make sure you subscribe to the Azure Citadel Atom (RSS) feed to get notified of the new content as it becomes available.
Set up your machine for these labs using the automation prereqs page.
Read through the Azure Policy documentation area for your foundational knowledge.
|Policy basics in the portal
|Use a simple policy to stipulate the permitted regions
|Creating Policies via CLI
|Specify the allowed VM SKU sizes using the Azure CLI
|Custom Policies and Aliases
|Use the vscode policy extension to determine aliases and create a custom policy
|Using a policy initiative with the DeployIfNotExist effect for automatic agent deployment and remediation
|Management Groups and Initiatives
|Step up a level using Management Groups and assigning a custom Deny initiative
|Tagging and Auditing
|Enable default resource tagging without compromising innovation using the append and audit effects