AZ-304 Microsoft Azure Architect Design – *NEW* Design Governance

1. *NEW* Azure Policy

So we’ve seen with Role Based Access Control or RBAC, you’re able to restrict the permissions to granted to certain roles and those users who are assigned to those roles. And in this way you’re able to enforce your company policy on who does or does not have access to resources onto Azure. Now that’s RBAC. Now there are other more sophisticated ways of implementing governance upon Azure. One is called Azure Policy and we can see it on screen. We can also search for the word Policy and you’ll be given the Policy Service. Now, the concept of Azure policy is that you can either choose from hundreds of predefined policies or even create your own. And we’ll do that in a second. But we can see here we go under definitions that you can scroll down. You’ll be able to scroll down for days. There are literally hundreds of predefined policies.

Now, what are these policies? You can see policies relating to almost all of the Azure Services. So let’s say we want to restrict who has access to SQL Server. I’m going to pull out this, say we can read it. So I just entered SQL Server in search and we can see that one of the policies says deploy Threat Detection on SQL Servers. Deploy advanced data security on SQL servers. So this is a policy that you could implement that basically says all SQL Servers on this subscription must have threat detection enabled. So if I click on it, I can see that it is a JSON definition and similar to an Arm template. This is predefined format and kind of readable. We can see if the type equals Microsoft Sqlservers deploy, if not exists, Security Alert policy and make sure it’s enabled. And that the rule definition is here. We can see the deployment template.

The Arm template is embedded as well in terms of deploying a Security Alert policy. So it’s an Arm template wrapped within almost like an if then statement as we can see here. So you can basically have a rule that says all SQL Servers must have this, and not only make that a rule, but you can enforce that rule if your interests are in virtual machines. For instance, you can type in Virtual Machine and you can say enable Azure Monitor for VM scale sets, azure backup should be enabled for virtual machines. And so these are just built in policies that you can choose from and you can either enforce it or you can just audit it. Auditing it would just make it show up on a report and then you can take manual action to determine if in this case, a virtual machine is even qualified to have encryption and what you’re going to do about it.

So sometimes you just want to audit a policy and not enforce it. But that’s not all. You can create your own policy. So if this is not quite right, let’s say any one of these built in policies is just a little bit off of what you want, you can create a policy definition of your own. So Azure policy basically is pretty cool. That allowing you to enforce these very creative, complex rules upon your Azure account.

2. *NEW* Assign a Policy

So in this video we’re going to take one of these many predefined policies and we’re going to assign it into our account. So I’m first the policy I’m going to choose is called the Allowed Virtual Machine size screws. I type the letters SKU into the search and I can see there’s three options and one of them is the one that I want. Now, I’m going to scroll into the JSON here and we can see that the policy rule is here. We’re going to try to read it. It says if all of the resource type is equal to Microsoft computevirtualmachines and the virtualmachinescu name is not in the predefined list of allowed SKUs, then deny. So this policy is basically going to stop deployment of any arm deployment, even through the portal or any API if the list of SKUs is not matching. So I’m going to say assign up here on the top. Now luckily there is a wizard type interface so we can drag and drop point and click our way through this. First question we have is the scope. Now there are several scopes, right. This subscription that I’m in is part of what’s called a management group.

And so I could do a management group scope, but I could also assign the scope to the specific subscription. So I could at this point say select. And this policy would then apply to across the entire subscription. I can also be more granular and pick a specific resource group called AZ Test Group that I created previously. And so now this policy would only apply to the AZ Test Group. I can also specifically exclude resources from this assignment so I can apply it to the entire subscription except for a particular resource group.

So we’re going to leave this all policies enabled. This is me that’s creating this. Now we do have to go to what are called parameters. Remember, the policy is going to look up a list of acceptable SKUs, loud SKUs from A list and this is the list. So if I pick on the drop down, I will see all of the instance sizes that are available. And so let’s say I don’t want any basic SKUs. I will allow a one, a two, a three, a four and then the DS. I won’t allow the BS D. Now of course this is going to be very restricting. The whole purpose of this is to restrict the people who are going to be affected by this policy into only selecting SKUs that I allow because some of these SKUs are quite expensive. I don’t know how much a D 48 server is, but if you told me it’s $10 an hour, I wouldn’t be surprised, right? So some of these servers can be quite expensive.

So I chose 31, which are the A series one to four and the D series one to four. I can say review. Now, you can see on the remediation screen it says this assignment will only take effect on newly created resources. So existing resources are not going to be affected unless I run this policy as a remediation task. So basically, we’d have to go back to this and then audit and check my existing VMs that don’t. So let’s say review and create. And we’ll say create. So the creating of the policy assignments succeeded. If I go under policies again and go under assignments, I can see that the allowed virtual machine skews is a policy. There’s only one policy associated with it, and it’s in the compute category. Now, to show you the effectiveness, if we were to then so this policy is active, right? If we were to go into create a resource virtual machine, we’re going to choose the test group that we put the policy against, give it a name, and the image doesn’t matter. This doesn’t matter.

What does matter is the list of sizes. So I’m going to say see all sizes. Now, we did not allow the B series virtual machines. So if I select B two S or B four Ms, then we know that that is not on the allowed list of SKUs. So I’m going to just skip through here, disable boot diagnostics, and if I get to the review screen, the validation is going to pass because we selected all of the correct requirements. When I click Create, when it does go to deploy the virtual machine, we would expect an error. We expect that it has a policy violation and I’m going to create that and test that. All right, so we got a pop up saying that the resource was disallowed by policy. And it tells me the policy assignment is the allowed virtual machine skew. So even the error message tells me that this is not allowed. And we can see it listed as forbidden in the deployment details. So this is working exactly as expected.

Azure policy has basically forbidden me from choosing the size because it’s not allowed by my company policy. But you can see that you can be quite creative with Azure policy. You can create your own custom policies, modify the existing ones, or use some of the hundreds and hundreds of predefined ones that can enforce your company’s governance policies on your subscription or even on specific resource group.

3. *NEW* Azure Blueprint

Now it’s quite easy to imagine that over time you come up with a standard list of company policies. You have custom ones or the ones that are built in that you want to be enforced. You’re also going to have a standard set of roles within our back. You’re also going to have arm templates within the template directory. All of these things can be packaged together into to what’s called an Azure Blueprint. So Azure Blueprints help with the setup of new environments, new subscriptions. So if you’re working in a multi subscription environment where each major team, each major business unit has its own subscription, you can set up a standard company subscription that you spend a lot of time and effort creating. All of those things that are required in terms of roles, policies, templates groups. And then it’s just a matter of copy and paste to get to each new subscription you need to create.

So these are called blueprints. Now if we go into the Azure portal and we search for blueprints, I even search for the word Blue and Blueprints comes up, we can see that Azure Blueprints is a service. So again, Blueprints are a collection of, what are they calling, artifacts that allow you to quickly create subscriptions that follow the company policy. So you start off with creating a blueprint. So this is where you can upload your Arm templates, you can upload your custom policies, you can assign your policies, do your custom role stuff and all these resource groups, let’s say you have development, staging, production, resource groups, all set up and ready to go.

And of course then once you’ve got that template, you can apply the blueprint to one or more subscriptions, you get them up to the company standard and then you can see which subscriptions are using which blueprints. So let’s create a blueprint. I click the create button. Now we can start with a blank blueprint and that would be probably most appropriate for a lot of companies, or there’s some sample blueprints. So we can see that Azure has a security benchmark. There’s Australian government, Canada federal blueprint, US government, FedRAMP, HIPAA for health, industry compliance, some of the ISO ones. So if any of these apply to you, you can sort of peruse this and see if these PCI, anytime you’re handling credit cards, the financial industry, then you can peruse those and see the policies and role definitions that might be appropriate for you.

So for instance, we can go into the United Kingdom official, give it a test name, we have to choose where the blueprint is deployed. Again, Blueprints would be deployed at the topmost level if you want the management group or you can deploy it to a single subscription. But this limits from where you can deploy it further. So management group is going to be where you’re likely going to want to put that. But if we look at the artifacts of the UK policy the UK Blueprint, we can see the interesting one are the locations. So there are predefined UK South and UK West as the only two locations allowed for both resources and resource groups. So quite clearly, for a UK official Blueprint, this is going to be one policy that is going to be enforced, which is the resources have to be within the geographical boundaries of the United Kingdom. You can see parent data encryption, threat detection, antimalware extension, et cetera. I’m going to discard this, go back into create. Probably most companies will start with a blank blueprint. So I’m going to call this first Blueprint. And this can be sort of some policies. We said that this has to be there’s a scope to a blueprint.

And so we’ll put this in the measure group level and now we have sort of the blank slate where we can go and add again, roles, groups, policies, arm, templates, so I can say add artifact, choose from the list. So a policy assignment that I want, I’m going to want the SKU one. I can choose, just as we just did, the allowed virtual machine SKUs, and then we can prepopulate it or we can say when the person is assigning the blueprint, they can choose which SKUs are to be populated. I’ll just add a resource group as an example here. So display name. So let’s call this production group, resource group name. This can be prod and location specified at time of assignment. And we can even have resource tags in here. So you can see it’s very easy to sort of set up your template and at that point then enforce your company defaults on your subscriptions that you’re going to be trading for other parts of your organization.

• Category: Uncategorized