1.3 Manage access to subscriptions and governance Flashcards
What is Azure Policy?
1. Enables you to create, assign, and manage policies to enforce compliance within your Azure environment.
- Runs evaluations and scans on your resources to make sure they are compliant
2. It provides a way to ensure that your resources in Azure adhere to organizational standards and meet regulatory requirements.
- Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management.
Things to know about Azure Policy:
1. Enforce rules and compliance
2. Apply policies at scale
3. Perform remediation
4. Exercise governance
Know the difference between a policy definition and an initiative definition
A policy definition is a single policy
An initiative definition is a grouping of policy definitions
Implement and manage Azure Policy - Create Azure policies
Step 1 - Create Policy definition
- A policy definition is a set of rules and conditions that define the properties and behaviors of resources in the Azure environment
Step 2 - Create Policy Initiative definition
- An Initiative definition is a collection of policy definitions which allows you to group related policies together for a common goal.
Step 3 - Scope the initiative definition
You can set the scope of an initiative definition to a specific management group, subscription or resource group.
Step 4 - Determine compliance
After you assign an initiative definition you can then evaluate the state of compliance for all your resources. Individual resources, resource groups, management groups and subscriptions can be excluded so that the policy rules do not affect them.
Implement and manage Azure Policy - Create policy definitions
!!A policy definition is a set of rules and conditions that define the properties and behaviors of resources in an Azure environment!!
Azure Policy offers built-in policy definitions; you can also create your own definitions or import definitions from other sources.
- Built-in policies can be sorted by category
Examples of built-in policy definitions are:
1. Allowed VM size SKUs:
Specify a set of VM SKUs that your organization can deploy. This policy is under the Compute category
2. Allowed locations:
Restrict the locations users can specify when deploying resources.
Use this policy to enforce geo-compliance requirements.
Located under the General category
- You can add or create a new definition. Policy definitions can be imported into Azure Policy from GitHub
Example use case
A policy definition might specify that all VMs must have encryption enabled.
Implement and manage Azure Policy - Create an initiative definition
!!A policy initiative definition is a set or grouping of policy definitions. This allows you to group related policies together under a common goal, making it easier to manage and assign multiple policies!!
After policy definitions have been selected, the next step is to create an initiative definition.
The initiative definition contains one or more policy definitions.
This is to ensure your resources are compliant with security regulations
Examples of built-in initiative definitions:
1. Audit machines with insecure password security settings
2. Configure Windows machines to run Azure Monitor Agent and associate them with a data collection rule
3. Configure Azure Defender to be enabled on SQL servers
Example use case
Initiatives can be created for security best practices, for encryption, NSGs, and identity and access management
Implement and manage Azure Policy - Scope the initiative definition
After you create an initiative definition, the next step is to assign the initiative to establish the scope for the policies. The scope determines which resource or grouping of resources is affected by the conditions of the policies.
Implement and manage Azure Policy - Determine compliance
Once the policies are defined, your initiative definition created and your policies assigned to the affected resources, you can then evaluate the state of compliance for your scoped resources.
Policy conditions are evaluated against your existing scoped resources
Configure resource locks
Resource locks prevent accidental deletion of resources in Azure.
*A resource lock can be enforced at the subscription, resource group and resource level.
*Locks are inherited by child resources.
Lock types:
1. Read-only locks
Prevent any changes being made to the resource
2. Delete locks
Prevent deletion
Note: To delete a locked VM, an Owner or User Access Administrator needs to be contacted to do so.
Apply and manage tags on resources
Tags are used for sorting, searching, managing and doing analysis on your resources.
A tag consists of a name and a value
Things to know about resource tags:
1. Each resource tag has a name and a value
2. The tag name remains constant
3. There is a defined set of values that can be set for the tag value
4. A resource or resource group can have a maximum of 50 tag name/value pairs
5. Tags set on a resource group are not inherited by its resources.
Things to consider when using resource tags:
Manage resource groups
Resource groups are containers that hold related resources.
*Resource groups cannot be nested
*Resources can only belong to one resource group at a time
*All resources must be part of a resource group
*Many resources can be moved between resource groups, with some having limitations.
*Can contain resources that are from different regions
*Resource groups cannot be renamed
Resources can be moved between resource groups, subscriptions and regions.
What is an Azure subscription?
It is a logical unit of Azure services that is linked to an Azure account.
An Azure account is an identity in Microsoft Entra ID that is trusted by Microsoft Entra ID, such as a work or school account.
Helps organize access to Azure cloud service resources
Helps control how resource usage is reported, billed and paid.
Manage subscriptions
Things to know about subscriptions:
1. Every cloud service belongs to a subscription
2. Each subscription can have a separate billing and payment setup
3. Multiple subscriptions can be linked to the same Azure account
4. Billing is done on a subscription basis
Subscriptions can be obtained in 4 different ways:
1. Enterprise agreement
- Make an upfront agreement with Azure
2. Microsoft reseller
- Buy Azure through the Open Licensing program
3. Microsoft partner
- Use a Microsoft partner who can design and implement your Azure cloud solution
4. Personal account
- Sign up for a free trial
There are 4 different types of subscriptions:
1. Free
2. Pay-as-you-go
- Charges you monthly for the services that you used in the billing period
3. Enterprise agreement
4. Student
Manage costs by using alerts , budgets , and Azure recommendations.
Cost Management is a tool used to monitor and control Azure spending; it also helps optimize resource usage
Azure has several tools to help with cost saving:
1. Reservations
2. Azure Hybrid Benefit
3. Azure credits
4. Azure regions
5. Budgets
6. Pricing calculator
Configure management groups
Often used if there are multiple subscriptions. Provides a level of scope and control over subscriptions
- Management groups can be used as containers where you can manage access, policy and compliance across your subscriptions
Things to know about management groups:
- By default, all new subscriptions are placed under the top-level management group called the root
- There can be up to 6 layers of depth
- All subscriptions inherit the conditions applied to the management group they belong to
- Azure RBAC authorization for management groups is not enabled by default.