![Policies – Rules & Parameters
{
"if": {
"allOf": [
{
"field": "type",
"in": [
"Microsoft.Compute/virtualMachines"
]
},
{
"not": {
"field": "name",
"match": "[parameters('namePattern')]"
}
}
]
},
"then": {
"effect": "deny"
}
}
{
"namePattern": {
"type": "String",
"metadata": {
"description": "Pattern to us
e for names. Can include ? for letters an
d # for numbers."
}
}
}
$definition = New-AzPolicyDefinition -Name "Virtual-Machine-Name-pattern" -
DisplayName "Virtual Machine Name pattern" -
description "Virtual Machine Name pattern" -Policy 'matchPattern.rules.json' -
Parameter 'matchPattern.parameters.json' -Mode All
$definition
#$assignment = New-AzPolicyAssignment -Name <assignmentname> -Scope <scope> -
PolicyDefinition $definition
#$assignment](https://image.slidesharecdn.com/azuregovernance-200722063447/75/azure-governance-13-2048.jpg?cb=1669382736)
Azure governance
•0 gostou•300 visualizações
Denunciar
Compartilhar
Baixar para ler offline
Azure governance provides controls over people, processes, actions, and resources. Azure governance composed of the management group, role-based access control, policies, blueprints, monitor, and cost centers.
Mais conteúdo relacionado
Mais procurados
![[Azure Governance] Lesson 4 : Azure Policy](https://cdn.slidesharecdn.com/ss_thumbnails/azuregovernance-lesson4-azurepolicy-190519183014-thumbnail.jpg?width=384&fit=bounds)
![[Azure Governance] Lesson 2 : Azure Locks](https://cdn.slidesharecdn.com/ss_thumbnails/azuregovernance-lesson2-azurelocks-190120120003-thumbnail.jpg?width=384&fit=bounds)
Mais procurados(20)
![[Azure Governance] Lesson 4 : Azure Policy](https://cdn.slidesharecdn.com/ss_thumbnails/azuregovernance-lesson4-azurepolicy-190519183014-thumbnail.jpg?width=768&fit=bounds)
![[Azure Governance] Lesson 2 : Azure Locks](https://cdn.slidesharecdn.com/ss_thumbnails/azuregovernance-lesson2-azurelocks-190120120003-thumbnail.jpg?width=768&fit=bounds)
![[Azure Governance] Lesson 1 : Azure Naming Convention](https://cdn.slidesharecdn.com/ss_thumbnails/azuregovernance-lesson1-azurenamingconvention-181027154955-thumbnail.jpg?width=768&fit=bounds)
Similar a Azure governance
Similar a Azure governance(20)
Mais de Udaiappa Ramachandran
Mais de Udaiappa Ramachandran(20)
Último
Último(20)
Azure governance
- 1. Azure Governance Udaiappa Ramachandran ( Udai ) https://udai.io
- 2. Who am I? • Udaiappa Ramachandran ( Udai ) • CTO, Akumina, Inc., • Consultant • Focus on Cloud Computing • Microsoft Azure, Amazon Web Services and Google • New Hampshire Cloud User Group (http://www.meetup.com/nashuaug ) • https://udai.io
- 3. Agenda • Azure Governance • Management Group • RBAC (role-based access control) • Policies • Blueprints
- 5. Management Groups • Subscriptions: • Logical boundaries between account and workload • Subscription Resource Group(s)Resources(s) • Level of Scope above Subscriptions • 10,000 management groups can be supported in a single directory. • A management group tree can support up to six levels of depth. • This limit doesn't include the Root level or the subscription level. • Each management group and subscription can only support one parent. • Each management group can have many children. • All subscriptions and management groups are within a single hierarchy in each directory
- 8. RBAC • RBAC Security Principal (Assign access to) • Users • Groups • Service Principal • Managed Identity • RBAC Scope (Assign Levels) • Management Groups • Subscriptions • Resource Groups • Resources
- 9. RBAC –Role Definitions • Built-In Roles • Custom Roles
- 10. RBAC – Custom Role Sample #Connect-AzAccount #New-AzRoleDefinition - inputfile contributor_restricted.json #Set-AzRoleDefinition - inputfile contributor_restricted.json #Get-AzRoleDefinition - Name "Contributor - ReadOnly" - Scope "/providers/Microsoft.Management/ma nagementGroups/<MANAGEMENTGROUPID>“ #Remove-AzRoleDefinition -Id "d4377770- c5e9-4bf9-ad93-fe783406cba0" - Scope "/providers/Microsoft.Management/ma nagementGroups/<MANAGEMENTGROUPID>"
- 11. Policies • Declarative • Composed of 3 components; Policy definition, assignment and parameters • Turn on Built-in or Custom policies • Realtime policy evaluation and enforcement • Always On- Periodic and On-demand compliance evaluation • Apply policies to Management Group or Subscriptions or resource • Exclusion scope • Policy Initiative • Remediation
- 12. Policies – Effects and Evaluation • Supported Effects • Append • Audit • AuditIfNotExists • Deny • DeployIfNotExists • Disabled • Modify • Order of Evaluation • Disabled • Append and Modify • Deny • Audit
- 13. Policies – Rules & Parameters { "if": { "allOf": [ { "field": "type", "in": [ "Microsoft.Compute/virtualMachines" ] }, { "not": { "field": "name", "match": "[parameters('namePattern')]" } } ] }, "then": { "effect": "deny" } } { "namePattern": { "type": "String", "metadata": { "description": "Pattern to us e for names. Can include ? for letters an d # for numbers." } } } $definition = New-AzPolicyDefinition -Name "Virtual-Machine-Name-pattern" - DisplayName "Virtual Machine Name pattern" - description "Virtual Machine Name pattern" -Policy 'matchPattern.rules.json' - Parameter 'matchPattern.parameters.json' -Mode All $definition #$assignment = New-AzPolicyAssignment -Name <assignmentname> -Scope <scope> - PolicyDefinition $definition #$assignment
- 14. Blueprints • Declarative way to orchestrate the deployment • Resource as artifacts of • Resource Groups • ARM template • Policy Assignment • Role Assignment • Stored in Management Group or Subscription • Can pass parameters to policy/initiative or ARM template • Publishing support – ability to store and assign multiple version of the blueprints • Static and Dynamic Parameters • Sequencing Order using dependsOn • Resource Locking
- 16. Blueprints #Install-Module -Name Az.Blueprint #Import-Module -Name Az.Blueprint #Get-Command -Module 'Az.Blueprint' -CommandType 'Cmdlet' #Get-Help Import-AzBlueprintWithArtifact #Import-AzBlueprintWithArtifact -Name "MyBlueprint" - InputPath "." # Get the blueprint we just created #$myBluePrint = Get-AzBlueprint -Name "MyBlueprint" # Publish version 1.0 #Publish-AzBlueprint -Blueprint $myBluePrint -Version 1.0
- 17. References • https://docs.microsoft.com/en-us/azure/cloud-adoption- framework/govern/guides/ • https://docs.microsoft.com/en-us/azure/governance/management-groups/ • https://docs.microsoft.com/en-us/azure/role-based-access-control • https://docs.microsoft.com/en-us/azure/governance/policy/ • https://github.com/Azure/azure-policy • https://docs.microsoft.com/en-us/azure/governance/blueprints/ • https://docs.microsoft.com/en-us/rest/api/blueprints/ • https://github.com/Azure/azure-blueprints • https://docs.microsoft.com/en-us/cli/azure/ext/blueprint/blueprint?view=azure- cli-latest • https://docs.microsoft.com/en-us/powershell/module/az.blueprint/?view=azps- 4.3.0
Notas do Editor
- Central IT controls the goveernance users have direct access to cloud cost management serious of controls people, process, actions resources so that we can better craft how our env. look as well as setup a rule everone else play by resource provider Tags
- Monitor Monitoring is the act of collecting and analyzing data to audit the performance, health, and availability of your resources. An effective monitoring strategy helps you understand the operation of components and to increase your uptime with notifications. Read an overview of Monitoring that covers the different services used at Monitoring Azure applications and resources. Configure Configure refers to the initial deployment and configuration of resources and ongoing maintenance. Automation of these tasks allows you to eliminate redundancy, minimizing your time and effort and increasing your accuracy and efficiency. Azure Automation provides the bulk of services for automating configuration tasks. While runbooks handle process automation, configuration and update management assist in managing configuration. Govern Governance provides mechanisms and processes to maintain control over your applications and resources in Azure. It involves planning your initiatives and setting strategic priorities. Governance in Azure is primarily implemented with two services. Azure Policy allows you to create, assign, and manage policy definitions to enforce rules for your resources. This feature keeps those resources in compliance with your corporate standards. Azure Cost Management allows you to track cloud usage and expenditures for your Azure resources and other cloud providers. Secure Manage the security of your resources and data. A security program involves assessing threats, collecting and analyzing data, and compliance of your applications and resources. Security monitoring and threat analysis are provided by Azure Security Center, which includes unified security management and advanced threat protection across hybrid cloud workloads. See Introduction to Azure Security for comprehensive information and guidance on securing Azure resources. Protect Protection refers to keeping your applications and data available, even with outages that are beyond your control. Protection in Azure is provided by two services. Azure Backup provides backup and recovery of your data, either in the cloud or on-premises. Azure Site Recovery provides business continuity and immediate recovery during a disaster. Migrate Migration refers to transitioning workloads currently running on-premises to the Azure cloud. Azure Migrate is a service that helps you assess the migration suitability of on-premises virtual machines to Azure. Azure Site Recovery migrates virtual machines from on-premises or from Amazon Web Services. Azure Database Migration assists you in migrating database sources to Azure Data platforms.
- Azure subscriptions are logical boundaries from accounting and Azure workloads, hence increase in number subscription causes subscription sprawl (duplicates the repetitive resources, e.g. Network). This is logical grouping of all the Subscriptions for better management of access control and policy assignments. This Group will also be useful in terms of Cost Management on Azure portal.
- Define a management group for each business unit with a detailed hierarchy that reflects geography first, then environment type (for example, production or nonproduction environments). Create a production subscription and a nonproduction subscription for each unique combination of discrete business unit or geography. Creating multiple subscriptions requires careful consideration. For more information, see the subscription decision guide. Apply consistent nomenclature at each level of this grouping hierarchy. Resource groups should be deployed in a manner that considers its contents lifecycle. Resources that are developed together, managed together, and retired together belong in the same resource group. For more information about best practices for using resource groups, see here. Region selection is incredibly important and must be considered so that networking, monitoring, auditing can be in place for failover/failback as well as confirmation that needed SKUs are available in the preferred regions.
- User - An individual who has a profile in Azure Active Directory. You can also assign roles to users in other tenants. For information about users in other organizations, see Azure Active Directory B2B. Group - A set of users created in Azure Active Directory. When you assign a role to a group, all users within that group have that role. Service principal - A security identity used by applications or services to access specific Azure resources. You can think of it as a user identity (username and password or certificate) for an application. Managed identity - An identity in Azure Active Directory that is automatically managed by Azure. You typically use managed identities when developing cloud applications to manage the credentials for authenticating to Azure services.
- https://resources.azure.com/ https://github.com/Azure/azure-policy An Azure initiative is a collection of Azure policy definitions that are grouped together towards a specific goal or purpose in mind. Azure initiatives simplify management of your policies by grouping a set of policies together as one single item. For example, you could use the PCI-DSS built-in initiative which has all the policy definitions that are centered around meeting PCI-DSS compliance. Similar to Azure Policy, initiatives have definitions ( a bunch of policies ) , assignments and parameters. Once you determine the definitions that you want, you would assign the initiative to a scope so that it can be applied.
- Append is used to add additional fields to the requested resource during creation or update. A common example is specifying allowed IPs for a storage resource. Important Append is intended for use with non-tag properties. While Append can add tags to a resource during a create or update request, it's recommended to use the Modify effect for tags instead. AuditIfNotExists: Example: Evaluates Virtual Machines to determine if the Antimalware extension exists then audits when missing. DeployIfNotExists: Example: Evaluates SQL Server databases to determine if transparentDataEncryption is enabled. If not, then a deployment to enable is executed. Disabled is checked first to determine if the policy rule should be evaluated. Append and Modify are then evaluated. Since either could alter the request, a change made may prevent an audit or deny effect from triggering. These effects are only available with a Resource Manager mode. Deny is then evaluated. By evaluating deny before audit, double logging of an undesired resource is prevented. Audit is evaluated last.
- https://resources.azure.com/ https://github.com/Azure/azure-policy An Azure initiative is a collection of Azure policy definitions that are grouped together towards a specific goal or purpose in mind. Azure initiatives simplify management of your policies by grouping a set of policies together as one single item. For example, you could use the PCI-DSS built-in initiative which has all the policy definitions that are centered around meeting PCI-DSS compliance. Similar to Azure Policy, initiatives have definitions ( a bunch of policies ) , assignments and parameters. Once you determine the definitions that you want, you would assign the initiative to a scope so that it can be applied. Loading providers: az provider show –namespace Microsoft.sql –expand “resourceTypes/aliases” –query “resourceTypes[].aliases[].name”
- https://docs.microsoft.com/en-us/azure/governance/blueprints/overview The Azure Blueprints AppId is f71766dc-90d9-4b7d-bd9d-4499c4331c3f
- https://docs.microsoft.com/en-us/azure/governance/blueprints/overview The Azure Blueprints AppId is f71766dc-90d9-4b7d-bd9d-4499c4331c3f
- https://docs.microsoft.com/en-us/azure/governance/blueprints/overview The Azure Blueprints AppId is f71766dc-90d9-4b7d-bd9d-4499c4331c3f