Understanding Azure Policy

Azure Policy

A short, easy-to-understand explanation of Azure Policy:

What is Azure policy?

Azure Policy allows you to define rules and guidelines for how your resources should be configured and used within your Azure environment.

We may come across a lot of policy effects, which can leave us wondering which one to use; below is a definition for each.

There are several policy effects that help make your resources compliant, and I have listed them below.

  1. Deny
  2. Audit
  3. Append
  4. Modify
  5. Deployifnotexists
  6. Disabled

Policy - "Deny"

In Azure Policy, the deny effect is used to block or prevent resources from being created or modified if they violate the policy rule defined in the policy definition. When a policy with a deny effect is assigned, any resource that violates the policy rule will be prevented from being created or updated.

For example, suppose you have a policy that prohibits the creation of virtual machines with less than four CPU cores. If a user attempts to create a virtual machine with only two CPU cores, the deny effect will prevent the virtual machine from being created.

The deny effect can be used to enforce compliance and ensure that resources adhere to organizational policies and standards. It can also help prevent security vulnerabilities and ensure that resources are configured correctly.

It's worth noting that the deny effect is more restrictive than the audit effect. While the audit effect only logs policy violations without taking any action, the deny effect prevents the resource from being created or modified.

Policy - "Audit"

In Azure Policy, the effect determines what happens when a resource violates a policy. When the effect is set to "audit", the policy evaluation will only log the non-compliant resources but will not prevent them from being created or modified. This means that the resource can still be deployed or modified, but a log entry will be generated indicating that the resource is non-compliant with the policy.

The "audit" effect is useful for monitoring compliance with policies without enforcing them. It allows organizations to gradually enforce policies, as they can first audit the resources that would be impacted by a policy before applying it with a more restrictive effect like "deny" or "deployIfNotExists".

On the other hand, if the effect is set to "deny" instead of "audit", resources that violate the policy will be prevented from being created or modified. This effect is useful for enforcing compliance with policies immediately and preventing non-compliant resources from being created.

Overall, the audit effect in Azure Policy provides a way for organizations to monitor and enforce compliance with policies, depending on their specific needs and requirements.

Policy - "Append"

In Azure Policy, the append effect is used to add or modify properties on a resource if they do not already exist or if they are not already set to a specific value. This effect is typically used to ensure that a specific configuration setting or tag is present on a resource.

For example, suppose you have a policy that requires all virtual machines to have a specific tag set with a particular value. If a virtual machine is created without the required tag, the append effect can be used to automatically add the missing tag to the virtual machine.

The append effect can be used to enforce configuration consistency and ensure that resources are properly tagged. It can also be used to automate certain tasks, such as setting default configuration values or updating resource properties across multiple resources.

It's worth noting that the append effect only adds or modifies properties on a resource if they do not already exist or if they are not already set to a specific value. If a property already exists with a different value, the append effect will not modify it.

Policy - "Modify"

In Azure Policy, the modify effect is used to modify the properties of a resource that is non-compliant with the policy rule defined in the policy definition. When a policy with a modify effect is assigned, the policy engine will attempt to bring the non-compliant resource into compliance by modifying its properties.

For example, suppose you have a policy that requires all storage accounts to have Soft Delete enabled. If a user creates a storage account without Soft Delete enabled, the modify effect can be used to automatically enable Soft Delete on the storage account.

The modify effect can be used to automate the remediation of non-compliant resources, reducing the need for manual intervention. It can also help ensure that resources are configured correctly and in compliance with organizational policies and standards.

It's worth noting that the modify effect should be used with caution, as it can potentially modify resources in unexpected ways. It's important to thoroughly test policies with modify effects before assigning them to production environments, and to ensure that the modifications made by the policy are in line with organizational policies and requirements.

Policy - "Deploy if not exists"

The "deployIfNotExists" effect in Azure Policy is used to create a resource if it does not already exist in the specified resource group. When this effect is applied to a policy assignment, Azure Policy checks for the existence of the specified resource and creates it if it does not exist.

This effect is often used to ensure that certain resources are provisioned in the correct configuration or with the correct settings. For example, an organization might use the "deployIfNotExists" effect to create a storage account with specific configurations, such as a certain encryption type or access policies.

It is important to note that the "deployIfNotExists" effect only applies to the creation of a resource. If a resource already exists, this effect will not modify or update it in any way. If you want to update or modify an existing resource, you can use the "append" effect to add new settings or the "modify" effect to update existing ones.

Policy - "Disabled"

In Azure Policy, the disabled effect is used to temporarily disable a policy definition or a policy assignment. When a policy definition or assignment is disabled, it has no effect on resources in your Azure subscription or resource group.

This can be useful in scenarios where you want to temporarily suspend a policy without deleting it, such as during a maintenance or testing period. Disabling a policy can also be helpful when you want to exclude certain resources from policy enforcement without deleting the resources themselves.

To disable a policy definition or assignment, you can set the effect parameter to disabled in the policy definition or assignment. This will ensure that the policy is not enforced on any resources that match the policy rule.

It's important to note that disabling a policy definition or assignment does not delete the policy or its associated resources. To permanently remove a policy, you need to delete the policy definition or assignment.
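To make the differences between the six effects described above concrete, here is a small Python model of how a create request is evaluated against them. This is an added example, not Azure's policy engine or any code from this blog: the resources, policies and inventory are plain dictionaries constructed inline, field paths are simple dotted keys such as "tags.env" rather than real Azure Policy aliases, and the evaluation order (disabled, then append/modify, then deny, then audit at request time, with deployIfNotExists running after the resource exists) follows the order Azure documents. The append behaviour on an already-set value follows the post's description: it is left alone.

```python
"""Toy model of the Azure Policy effects described in this post (added
example, not Azure's code). Everything here is constructed for illustration."""
import copy
from dataclasses import dataclass, field
from typing import Optional


def get_field(resource, path):
    """Read a dotted path such as 'tags.env'; None when any segment is missing."""
    cur = resource
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_field(resource, path, value):
    """Write a dotted path, creating intermediate dicts as needed."""
    parts = path.split(".")
    cur = resource
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def matches(resource, cond):
    """The policy 'if' clause: a field plus one operator, or a list meaning allOf."""
    if isinstance(cond, list):
        return all(matches(resource, c) for c in cond)
    actual = get_field(resource, cond["field"])
    if "equals" in cond:
        return actual == cond["equals"]
    if "notEquals" in cond:
        return actual != cond["notEquals"]
    if "less" in cond:
        return actual is not None and actual < cond["less"]
    if "exists" in cond:
        return (actual is not None) == cond["exists"]
    raise ValueError(f"unsupported operator in {cond}")


@dataclass
class Policy:
    name: str
    condition: object                     # effect applies when this matches
    effect: str                           # deny|audit|append|modify|deployIfNotExists|disabled
    details: dict = field(default_factory=dict)


@dataclass
class Outcome:
    allowed: bool
    resource: Optional[dict]
    audit_log: list = field(default_factory=list)
    deployed: list = field(default_factory=list)


# Request-time order as documented by Azure; deployIfNotExists runs afterwards.
ORDER = {"disabled": 0, "append": 1, "modify": 1, "deny": 2, "audit": 3}


def evaluate_create(request, policies, inventory):
    """Simulate a PUT of `request`; `inventory` receives the created resource
    and anything deployIfNotExists provisions."""
    resource = copy.deepcopy(request)
    out = Outcome(allowed=True, resource=None)
    request_time = sorted((p for p in policies if p.effect != "deployIfNotExists"),
                          key=lambda p: ORDER[p.effect])
    for p in request_time:
        if p.effect == "disabled" or not matches(resource, p.condition):
            continue                      # disabled: no effect at all
        if p.effect == "append":          # adds only what is missing
            for f, v in p.details["fields"].items():
                if get_field(resource, f) is None:
                    set_field(resource, f, v)
        elif p.effect == "modify":        # addOrReplace: overwrites
            for f, v in p.details["fields"].items():
                set_field(resource, f, v)
        elif p.effect == "deny":          # request blocked, nothing created
            out.allowed = False
            return out
        elif p.effect == "audit":         # logged, but still created
            out.audit_log.append(f"{p.name}: {resource['name']} is non-compliant")
    inventory.append(resource)
    out.resource = resource
    for p in (p for p in policies if p.effect == "deployIfNotExists"):
        if not matches(resource, p.condition):
            continue
        want = p.details["existence"]     # create only if the related resource is absent
        if any(r["type"] == want["type"] and r["name"] == want["name"] for r in inventory):
            continue
        created = copy.deepcopy(p.details["template"])
        inventory.append(created)
        out.deployed.append(created["name"])
    return out


# Constructed policies mirroring the post's examples (names and values are made up).
POLICIES = [
    Policy("deny-small-vms", {"field": "cores", "less": 4}, "deny"),
    Policy("audit-public-ip", {"field": "publicIp", "equals": True}, "audit"),
    Policy("append-env-tag", {"field": "type", "equals": "vm"}, "append",
           {"fields": {"tags.env": "prod"}}),
    Policy("modify-owner-tag", {"field": "tags.owner", "notEquals": "platform-team"},
           "modify", {"fields": {"tags.owner": "platform-team"}}),
    Policy("dine-diag-storage", {"field": "type", "equals": "vm"}, "deployIfNotExists",
           {"existence": {"type": "storage", "name": "diaglogs"},
            "template": {"type": "storage", "name": "diaglogs", "softDelete": True}}),
    Policy("old-rule", {"field": "type", "equals": "vm"}, "disabled"),
]


def demo():
    """Three constructed requests: one denied, one audited and remediated, one reusing
    the storage account that deployIfNotExists already created."""
    inventory = []
    small = {"type": "vm", "name": "vm-small", "cores": 2, "publicIp": False, "tags": {}}
    big = {"type": "vm", "name": "vm-big", "cores": 8, "publicIp": True,
           "tags": {"env": "dev", "owner": "someone"}}
    first = evaluate_create(small, POLICIES, inventory)
    second = evaluate_create(big, POLICIES, inventory)
    third = evaluate_create({**big, "name": "vm-big-2"}, POLICIES, inventory)
    return first, second, third, inventory


if __name__ == "__main__":
    for o in demo()[:3]:
        print(o)
```

Run it and compare the three outcomes: the two-core VM is rejected by deny before anything is written, the eight-core VM is created with its public IP merely logged, its existing env tag untouched by append and its owner tag overwritten by modify, and the diagnostics storage account is deployed only on the first VM because deployIfNotExists finds it already present on the second.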

Overall, Azure Policy helps ensure that your Azure environment is compliant, secure, and well-governed.

Hope this is helpful for your daily tasks when enforcing this kind of policy, and useful for everyone reading this blog!!