Azure Policy is an Azure service that can be used to create, assign, and manage policies that enforce governance in your Azure environment. This includes the application of rules that allow or deny a given resource type, apply tags automatically, and even enforce data sovereignty. Azure RBAC and Azure Policy are often used in combination. Where Azure RBAC controls individual user access, group access, and rights to your Azure environments at a specific scope, Azure Policy provides a mechanism to express how the environment is governed for all users at a specified scope regardless of any RBAC assignments. Another way to state this is that Azure RBAC is a default deny mechanism with an explicit allow mechanism, whereas Policy is a default allow mechanism with an explicit deny system.
To implement Policy, a policy definition must first be authored. That policy definition is then assigned to a specific scope using a policy assignment. Recall that scope refers to what your policy is assigned to; the valid scopes are a management group, a subscription, a resource group, or a resource.
Policy definitions can also be packaged using initiative definitions and applied to a scope using initiative assignments. Policy and initiative definitions both support parameter sets, which help simplify the reuse of a policy at multiple scopes.
A policy definition describes your desired behavior for Azure resources at the time resources are created or updated. Through a policy definition, you declare what resources and resource features are considered compliant within your Azure environment and what should happen when a resource is noncompliant. For example, you can create a policy that states that resources can only be created in the East US and West US regions for an entire subscription. If a user attempts to create a resource in East US 2, Azure Policy can deny the creation of the resource because it does not meet the stated compliance goal for allowed regions. In this example, Policy is used to deny the creation of a resource and to enforce organizational standards. As you further explore Policy, you will learn that Policy can be used not just as a deny mechanism but also as an auditing and creation mechanism.
Policy definitions are authored in JSON. The schema for Azure Policy can be downloaded from https://schema.management.azure.com/schemas/2020-10-01/policyDefinition.json. A policy definition contains these elements:
NOTE POLICY DEFINITION
While you do not need to memorize the schema, it is worthwhile to understand the elements of a policy definition and how to build your own policies from a blank template when necessary. Microsoft offers a number of built-in policy definitions and maintains a repository of samples at https://learn.microsoft.com/en-us/azure/governance/policy/samples/ and https://github.com/Azure/azure-policy/tree/master/samples.
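As an added example (not from the book or Microsoft's sample repository), here is the East US / West US scenario described above written as a complete custom policy definition in the JSON schema referenced earlier; the allowed regions are exposed as a parameter so the same definition can be reused at different scopes, and the display name and parameter name are my own choices:

```json
{
  "properties": {
    "displayName": "Allowed locations (custom)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Deny creation of resources outside the approved Azure regions.",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "Regions in which resources may be deployed.",
          "strongType": "location"
        },
        "defaultValue": [ "eastus", "westus" ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('allowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Assigned at a subscription with the default parameter value, this denies the East US 2 deployment from the example above, while the `notEquals: global` clause prevents region-less (global) resources from being blocked by the same rule.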
Policy definitions can be created through the Azure portal by browsing to the Policy service at All Services and then choosing Policy, Definitions. From this blade, you can manage both built-in policies and any custom policies that you create. Figure 1-32 shows a list of the built-in policies for the selected subscription.
FIGURE 1-32 Azure built-in policies