Welcome back to Microsoft Azure Fundamentals. This is Module 10, Azure compliance and resource monitoring.
In this module we will first introduce Azure policies and initiatives. Then we'll discuss how Azure enables you to do enterprise governance.
After that, we'll have a walkthrough of Azure's tools for security, trust and compliance.
At the end, we'll discuss how you can monitor the cloud infrastructure and your workloads.
Let's see how we can create standards for cloud usage in your organization.
A policy is a set of rules and standards that you define.
Policies can be of any kind.
An example could be a policy that developers can only use B1s virtual machines for development purposes,
or that production machines must have endpoint protection installed on them, or that resources must follow certain naming conventions and have a standard set of tags applied.
Having well-developed policies allows you to standardize how your employees use cloud resources, and helps you to stay compliant, reduce costs and provide a consistent service to your customers.
Azure Policy is a service that allows you to define, assign and manage those standards for your workloads.
Using Azure Policy, you can prevent the creation of disallowed resources, ensure resources have certain configurations and settings, and run evaluations for policy compliance.
The steps to follow when creating a policy are
create a policy definition,
assign this definition to a scope of resources
and view the results of the policy evaluation.
A policy definition describes what needs to be evaluated and what corrective actions to take.
One example is a policy that checks which VM SKU is selected during creation.
If that SKU is not in the allowed list, the creation is denied.
Policy definitions are written as JSON files and can be imported into and exported out of Azure, so they are easy to automate.
Azure comes with built-in policies that you can use out of the box.
Those policies are available in the Definitions section of the Azure Policy blade.
You can also download many sample policies from GitHub.
Once you create a policy definition, you need to assign it to a scope.
The scope can be at the subscription level, which means that it is applied to everything within the subscription.
The scope could also be at the resource group level, which means that it applies to every resource in the resource group.
You can also exclude a sub-scope from the assignment.
Here's how it's done in the Azure portal.
In the Azure portal, you need to load the Policy blade.
If it's not available in your favorites, you can go to All services and search for Policy.
Once you load the blade, you'll see the Definitions section on the left side.
If you go there, you'll see all of the available policies in Azure.
Those are the out-of-the-box policies.
You can search here.
I'll search for something like "require tags".
I'll select the policy that requires a tag and its value on resource groups.
Clicking on the policy shows you the policy definition, so you can review the policy before you assign it.
If you click on Assign, it brings up a new blade where you do the actual assignment of the policy.
The first thing you choose is the scope.
I will select a subscription scope.
You can also optionally select a resource group if you have one available.
Because this is a policy for resource groups, the subscription level is the most appropriate scope.
I can also add exclusions.
If I want to exclude specific resource groups from this policy, I can exclude them here.
The next thing I need to add is the parameters, and specifically for this policy, which tag name I would like it to require, and its value.
I'll choose "owner" as the tag name and enter my own name as the tag value.
Then I assign the policy.
Once the policy is assigned, it will be evaluated. However, the first compliance scan of the existing resources takes some time, so the results do not appear immediately.
If you go back to Compliance, you'll see all the assignments and their policies.
As you can see, the new assignment is already listed here.
It says "Not started", so it may take some time before this policy is evaluated and the results show up.
Every request to create or update resources through Azure Resource Manager is evaluated by Azure Policy.
Each policy definition has a single effect.
The effect is what happens if the policy rule matches. Here's the list of possible effects.
At the time of this module there are six effects:
append, deny, audit, auditIfNotExists, deployIfNotExists and EnforceRegoPolicy.
An example of append is adding tags, such as owner or cost center, to resources as they are created.
An example of a deny policy is rejecting a deployment if expensive VM sizes are chosen for it.
An example of an audit policy is raising awareness when transparent data encryption is not turned on for a SQL database; the resource is still created, but it is reported as non-compliant.
An example of auditIfNotExists is checking whether an anti-malware extension is installed on a VM and reporting the VM as non-compliant if it isn't.
An example of deployIfNotExists is deploying the anti-malware extension when it is missing.
EnforceRegoPolicy is a preview effect specific to Azure Kubernetes Service; it has since been deprecated in favour of the Azure Policy add-on for AKS.
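As an added example (not part of the original module and not Microsoft's code), here is a small Python evaluator for the policy definition JSON and the assignment process described above. It takes a definition written in the real policyRule grammar (field, equals, notEquals, in, notIn, exists, allOf, anyOf, not, and [parameters()] / [concat()] expressions), resolves definition defaults and assignment parameters, checks the assignment scope and its exclusions, and returns the effect for a constructed create request, so it ties together the define, assign and evaluate steps and the effects list. The two definitions are modelled on the built-ins named in this module but are not copied from Azure; the subscription id, resource group names, alias table, assignment objects and request payloads are all constructed for illustration. The real service compares strings case-insensitively (mirrored here), also scans existing resources on a schedule, and supports far more aliases, operators and effects than this toy.

```python
"""Toy evaluator for Azure Policy rule JSON (added example, not Azure's engine)."""
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed subscription id

# Definition 1: modelled on the built-in "Allowed virtual machine size SKUs".
ALLOWED_VM_SIZES = {
    "displayName": "Allowed virtual machine size SKUs",
    "parameters": {"listOfAllowedSKUs": {"type": "Array", "defaultValue": ["Standard_B1s"]}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                     "in": "[parameters('listOfAllowedSKUs')]"}},
        ]},
        "then": {"effect": "deny"},
    },
}

# Definition 2: modelled on "Require a tag and its value on resource groups", with the
# effect made a parameter (a common built-in pattern) so one definition serves audit or deny.
REQUIRE_TAG = {
    "displayName": "Require a tag and its value on resource groups",
    "parameters": {
        "tagName": {"type": "String"},
        "tagValue": {"type": "String"},
        "effect": {"type": "String", "allowedValues": ["Audit", "Deny"], "defaultValue": "Audit"},
    },
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
            {"field": "[concat('tags[', parameters('tagName'), ']')]",
             "notEquals": "[parameters('tagValue')]"},
        ]},
        "then": {"effect": "[parameters('effect')]"},
    },
}

# Constructed alias table; the real one is served by Resource Manager per provider.
ALIASES = {"Microsoft.Compute/virtualMachines/sku.name": ("properties", "hardwareProfile", "vmSize")}
_PARAM = re.compile(r"parameters\('([^']+)'\)")
_CONCAT_ARG = re.compile(r"'([^']*)'|parameters\('([^']+)'\)")


def resolve(value, params):
    """Resolve "[parameters('p')]" and "[concat(literal|parameters(), ...)]"; other values pass through."""
    if not (isinstance(value, str) and value.startswith("[") and value.endswith("]")):
        return value
    expr = value[1:-1]
    if m := _PARAM.fullmatch(expr):
        return params[m.group(1)]
    if expr.startswith("concat(") and expr.endswith(")"):
        return "".join(lit if p == "" else str(params[p]) for lit, p in _CONCAT_ARG.findall(expr[7:-1]))
    raise ValueError(f"unsupported expression: {value}")


def _norm(v):
    """Azure Policy compares strings case-insensitively."""
    return v.lower() if isinstance(v, str) else v


def field_value(resource, field):
    """Look up a field on the request payload: tags[name], an alias, or a top-level key."""
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1].strip("'"))
    node = resource
    for key in ALIASES.get(field, (field,)):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches(cond, resource, params):
    """Recursively evaluate a policyRule 'if' condition."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = _norm(field_value(resource, resolve(cond["field"], params)))
    if "equals" in cond:
        return actual == _norm(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != _norm(resolve(cond["notEquals"], params))
    if "in" in cond:
        return actual in [_norm(v) for v in resolve(cond["in"], params)]
    if "notIn" in cond:
        return actual not in [_norm(v) for v in resolve(cond["notIn"], params)]
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def in_scope(resource_id, scope):
    """Exact match or a child of the scope; '.../resourceGroups/dev' must not match '.../dev-old'."""
    rid, s = resource_id.lower(), scope.lower().rstrip("/")
    return rid == s or rid.startswith(s + "/")


def evaluate(assignment, resource):
    """Lower-cased effect for one create/update request, or None if the assignment is out of
    scope, the resource is under an exclusion (notScopes), or the rule does not match.
    Parameters come from definition defaults, overridden by the assignment's values."""
    rid = resource["id"]
    if not in_scope(rid, assignment["scope"]) or any(in_scope(rid, x) for x in assignment.get("notScopes", [])):
        return None
    defn = assignment["policyDefinition"]
    params = {n: p.get("defaultValue") for n, p in defn.get("parameters", {}).items()}
    params.update(assignment.get("parameters", {}))
    rule = defn["policyRule"]
    return str(resolve(rule["then"]["effect"], params)).lower() if matches(rule["if"], resource, params) else None


# Constructed assignments and requests mirroring the walkthrough: VM sizes scoped to one resource
# group, the owner tag scoped to the whole subscription with one resource group excluded.
DEV_VM_ASSIGNMENT = {"policyDefinition": ALLOWED_VM_SIZES, "scope": f"{SUB}/resourceGroups/dev",
                     "parameters": {"listOfAllowedSKUs": ["Standard_B1s", "Standard_B2s"]}}
OWNER_TAG_ASSIGNMENT = {"policyDefinition": REQUIRE_TAG, "scope": SUB,
                        "notScopes": [f"{SUB}/resourceGroups/legacy"],
                        "parameters": {"tagName": "owner", "tagValue": "platform-team", "effect": "Deny"}}


def vm_request(rg, size):
    return {"id": f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/vm1",
            "type": "Microsoft.Compute/virtualMachines", "properties": {"hardwareProfile": {"vmSize": size}}}


def rg_request(rg, tags):
    return {"id": f"{SUB}/resourceGroups/{rg}", "type": "Microsoft.Resources/subscriptions/resourceGroups", "tags": tags}


if __name__ == "__main__":
    print(evaluate(DEV_VM_ASSIGNMENT, vm_request("dev", "Standard_D8s_v3")))   # deny
    print(evaluate(DEV_VM_ASSIGNMENT, vm_request("prod", "Standard_D8s_v3")))  # None: out of scope
    print(evaluate(OWNER_TAG_ASSIGNMENT, rg_request("dev", {})))               # deny
    print(evaluate(OWNER_TAG_ASSIGNMENT, rg_request("legacy", {})))            # None: excluded
```

The scope check is the detail most worth copying: a plain prefix test would let an assignment on `.../resourceGroups/dev` silently cover `.../resourceGroups/dev-old`, which is exactly the kind of over-broad match that makes a deny policy block the wrong team's deployments.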
Now you know how to define, assign and review the results of a policy.
Enterprises may have hundreds of policies defined.
Assigning those one by one can be cumbersome and error prone.
It would also be useful to group the policies by some criteria.
For example, you may want to group them by environment: development, test or production.
You can do this in azure with the help of initiatives.
Initiatives follow the same process as policies.
You create an initiative definition that groups several policy definitions, and then you assign the initiative to a scope.
The scope for initiative assignments can range from a management group down to a resource group.
In the next video, we'll discuss what management groups are.