Apply and monitor infrastructure standards with Azure Policy Flashcards
(36 cards)
True/False
You have a policy that allows virtual machines of only a certain size in your environment. After this policy is implemented, new and existing resources are evaluated for compliance.
True
Which actions can you perform with Azure Policy
Create, Assign and Manage policies
What are SKUs?
Stock keeping units (Pricing tier) for a resource
True/False
Azure Policy will audit all the existing VMs in our organization to ensure our policy is enforced.
True
True/False
You can integrate Azure Policy with Azure DevOps
True
True/False
You can even integrate Azure Policy with Azure DevOps, by applying any continuous integration and delivery pipeline policies that affect the pre-deployment and post-deployment of your applications.
True
True/False
Azure Policy is a default-allow-and-explicit-deny system.
True
True/False
RBAC is a default-allow-and-explicit-deny system.
False
What are the steps to apply an Azure Policy?
- Create a policy definition
- Assign a definition to a scope of resources
- View policy evaluation results
What is a policy definition?
A policy definition expresses what to evaluate and what action to take
True/False
You can use one of the pre-defined policy definitions in Azure Policy or create your own.
True
What is the Microsoft.PolicyInsights extension used for?
To apply an Azure Policy.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'
How can you identify non-compliant Azure Policy resources?
- Compliance tab in Azure Policy
- Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName -PolicyAssignmentName 'audit-vm-manageddisks' -Filter 'IsCompliant eq false'
True/False
Policy assignments are not inherited by all child resources
False
This inheritance means that if a policy is applied to a resource group, it is applied to all the resources within that resource group. However, you can exclude a subscope from the policy assignment.
Describe Azure Policy effects.
Requests to create or update a resource through Azure Resource Manager are evaluated by Azure Policy first. Policy creates a list of all assignments that apply to the resource and then evaluates the resource against each definition. Policy processes several of the effects before handing the request to the appropriate Resource Provider to avoid any unnecessary processing if the resource violates policy.
Azure Policy will take a specific action based on the assigned effect.
- Deny
The resource creation/update fails due to policy.
- Disabled
The policy rule is ignored (disabled). Often used for testing.
- Append
Adds additional parameters/fields to the requested resource during creation or update. A common example is adding tags on resources such as Cost Center or specifying allowed IPs for a storage resource.
- Audit, AuditIfNotExists
Creates a warning event in the activity log when evaluating a non-compliant resource, but it doesn’t stop the request.
- DeployIfNotExists
Executes a template deployment when a specific condition is met. For example, if SQL encryption is enabled on a database, then it can run a template after the DB is created to set it up a specific way.
True/False
Azure Policy can allow a resource to be created even if it doesn’t pass validation.
True
In these cases, you can have it trigger an audit event that can be viewed in the Azure Policy portal, or through command-line tools.
How can you remove a policy assignment with PowerShell?
Remove-AzPolicyAssignment -Name 'audit-vm-manageddisks' -Scope '/subscriptions//resourceGroups/'
What are Azure Policy Initiatives?
Managing a few policy definitions is easy, but once you have more than a few, you will want to organize them. That’s where initiatives come in.
An initiative definition is a set or group of policy definitions to help track your compliance state for a larger goal. Even if you have a single policy, we recommend using initiatives if you anticipate increasing the number of policies over time.
What are Azure Management Groups?
Azure Management Groups are containers for managing access, policies, and compliance across multiple Azure subscriptions.
Management groups give you enterprise-grade management at a large scale no matter what type of subscriptions you might have.
Suppose you have a management group “Geo Region 1” within the Root Management Group, which contains two EA subscriptions. When you apply a policy to “Geo Region 1”, would the EA subscription owners be able to alter the policy?
No.
True/False
The resources and subscriptions you assign to a management group automatically inherit the conditions that you apply to that management group.
True
Which Azure resource can you use to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements?
Azure Blueprints is a declarative way to orchestrate the deployment of various resource templates and other artifacts, such as:
Role assignments
Policy assignments
Azure Resource Manager templates
Resource groups
What are the steps to implement an Azure Blueprint?
The process of implementing an Azure Blueprint consists of the following high-level steps:
Create an Azure Blueprint
Assign the blueprint
Track the blueprint assignments
True/False
Azure Blueprints are stored in an Azure Blob Storage Account.
False.
The Azure Blueprints service is backed by the globally distributed Azure Cosmos database. Blueprint objects are replicated to multiple Azure regions. This replication provides low latency, high availability, and consistent access to your blueprint objects, regardless of which region Blueprints deploys your resources to.