How To Enforce Compliance Using Azure Policy

Overview

In this guide, we will explore how to create Azure Policies to enforce compliance at scale.

What is Azure Policy?

Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.

Objectives

By the end of this guide, you will have accomplished the following objectives:

  • Create a resource group
  • Create a Policy Assignment
  • Test the assigned policy

Prerequisites

  • Azure account with an active subscription. You can create a Free Azure Account if not available.

Task 1 - Creating a resource group

  1. Sign in to the Azure Portal.
  2. Click on the Cloud Shell in the Azure Portal top bar.
  3. If prompted, select PowerShell and Create Storage.
  4. Run the following commands to create the resource group:

    $rgName = "enforce-policy-rg"
    $rgLocation = "East US"
    New-AzResourceGroup -Name $rgName -Location $rgLocation

  5. Once successful, close the Cloud Shell.

Task 2 - Create a Policy Assignment

You will use a built-in policy, Allowed locations, to restrict where resources can be created.

  1. In the search bar on Azure Portal, look for Policy.
  2. In the Authoring section, open Definitions.
  3. In the search box, look for Allowed locations.
  4. Choose the definition Allowed locations.
  5. Go through the policy to understand what will happen post assignment.
  6. Click Assign.
  7. On the Basics tab, click the ellipsis (...) icon.
  8. In the Scope blade, fill in the details:

    Setting          Value
    Subscription     the name of your Azure subscription
    Resource group   the name of the created resource group

  9. Keep the rest of the settings as default. Click Next.
  10. In the Allowed Locations dropdown, select the West US 2 region and click Review + Create. Finally, click Create.

Task 3 - Test the assigned policy

  1. In the search bar on Azure Portal, look for Virtual Networks.
  2. Select + New to create a virtual network.
  3. Fill in the details:

    Setting          Value
    Resource group   enforce-policy-rg
    Name             my-vnet
    Region           East US

  4. Click on Review + Create.

If the validation doesn't fail, wait a few more minutes and try again; it takes some time for the policy to take effect.

  5. Click on the Validation failed message and check the detailed message, which states that the resource was disallowed by the policy.
  6. Go back to the Basics tab and change the location to West US 2.
  7. Click on Review + Create; this time the validation will pass. Click on Create to create the virtual network.
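
Tasks 2 and 3 can also be run from the Cloud Shell instead of the portal. The script below is an added example, not part of the original guide. The assignment name `allowed-locations-rg`, the helper `Test-LocationDenied`, the VNet address prefix and the error-text pattern it matches are assumptions made for illustration.

```powershell
# Added example: scripted equivalent of Tasks 2 and 3 (Cloud Shell, PowerShell).
$rgName = "enforce-policy-rg"
$rg     = Get-AzResourceGroup -Name $rgName

# Find the built-in definition by display name. Older Az.Resources versions expose
# it as .Properties.DisplayName, newer ones as .DisplayName, so check both.
$definition = Get-AzPolicyDefinition -Builtin | Where-Object {
    $_.DisplayName -eq "Allowed locations" -or
    $_.Properties.DisplayName -eq "Allowed locations"
} | Select-Object -First 1

# Assign at resource-group scope, allowing only West US 2.
# "allowed-locations-rg" is a hypothetical assignment name.
New-AzPolicyAssignment `
    -Name "allowed-locations-rg" `
    -DisplayName "Allowed locations (enforce-policy-rg)" `
    -Scope $rg.ResourceId `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ listOfAllowedLocations = @("westus2") } | Out-Null

# Hypothetical helper: $true if creating a VNet in $Location is blocked by policy.
function Test-LocationDenied {
    param([string]$Location, [string]$VnetName)
    try {
        New-AzVirtualNetwork -Name $VnetName -ResourceGroupName $rgName `
            -Location $Location -AddressPrefix "10.0.0.0/16" `
            -ErrorAction Stop | Out-Null
        return $false
    }
    catch {
        # Assumed error text for a policy denial; anything else is re-thrown.
        if ($_.Exception.Message -match "RequestDisallowedByPolicy|disallowed by policy") {
            return $true
        }
        throw
    }
}

if (Test-LocationDenied -Location "eastus" -VnetName "my-vnet") {
    Write-Output "East US was denied by the policy."
    # The allowed region should now be accepted.
    $deniedInWest = Test-LocationDenied -Location "westus2" -VnetName "my-vnet"
    Write-Output "West US 2 denied: $deniedInWest"
} else {
    # Assignment not enforced yet: remove the stray VNet and retry later.
    Remove-AzVirtualNetwork -Name "my-vnet" -ResourceGroupName $rgName -Force
    Write-Warning "Policy not yet in effect; retry in a few minutes."
}
```

The `else` branch handles the propagation delay noted in Task 3: a VNet created before the assignment takes effect is removed so that no non-compliant resource is left behind.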

Clean Up

Remove resources you no longer need so that you are not billed for unexpected usage.

  1. Open the Cloud Shell and choose PowerShell. Run the commands:

    $rgName = "enforce-policy-rg"
    Remove-AzResourceGroup -Name $rgName -Force -AsJob

Conclusion

You learned how to assign a built-in policy definition to the resource group. The policy allows resources to be created only in the specified region; selecting any other region while creating a resource results in failed validation. This helps the organization enforce compliance and maintain standards across the Azure account.