Created by Natalia Skowronek
almost 4 years ago
Question | Answer |
--- | --- |
What is Azure Policy | an Azure service where you can create, update and manage policies. |
What is a policy (in general)? | Policies are rules that can be defined against resources in order to stay compliant with your company rules (corporate standards). |
Example of a policy (in the case of Azure Policy) | e.g. with VMs: you might have a policy that limits their size (in order to limit costs). After applying this policy, new and existing resources are evaluated for compliance. This forces you to create a VM whose size is less than or equal to the one defined in the policy. The same applies when updating an existing one. |
When does Azure Policy audit our resources? | During creation of a new resource, during an update, and against all existing ones. |
What is the result of a policy audit? | It can audit non-compliant resources, alter the resource properties, or stop the resource from being created. |
RBAC vs Azure Policy | RBAC focuses on user actions at different scopes. Azure Policy focuses on resource properties during deployment and against existing ones. |
How to create a policy (in general) | To create a policy you need to prepare a policy definition (the conditions under which it is enforced). |
What is a policy definition? | Expresses what to evaluate and what action to take. Defined in JSON. e.g. allow only a specific SKU for VMs; if the SKU does not match, deny creation of the VM. |
How to apply Azure Policy (PS) | - register the Microsoft.PolicyInsights resource provider - define a policy or take an existing one - apply it using the New-AzPolicyAssignment cmdlet |
How to register the resource provider (PS) | Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights' |
What do you need to create a policy assignment with PS? | New-AzPolicyAssignment -Name 'audit-vm-manageddisks' -DisplayName 'Audit VMs without managed disks Assignment' -Scope $resourcegroup.ResourceId -PolicyDefinition $definition. So you need: a name for the assignment, a scope (subscription or resource group ID), and a policy definition. |
How to check non-compliant resources (Azure Portal) | In the Azure Portal, within your tenant and subscription, open the Policy section -> Compliance and look for your specific policy in the table. |
How to check non-compliant resources (PS) | Get-AzPolicyState -ResourceGroupName <ResGrpName> -PolicyAssignmentName <PolicyAssgnName> -Filter 'IsCompliant eq false' |
What is a policy assignment? | A policy definition that has been assigned to take effect within a specific scope. |
Range of scope for a policy | - It can vary from a subscription down to a resource group - assignments are inherited by all child resources - you can exclude a subscope. Example of a scope: '/subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>' |
What is a policy effect? | Determines what happens when a policy rule is matched. An Azure Policy definition has a single effect, which can be: Deny, Disabled, Append, Audit/AuditIfNotExists, DeployIfNotExists. |
Policy Effect: Deny - What happens? | The resource creation/update fails due to policy. |
Policy Effect: Disabled - What happens? | The policy rule is ignored |
Policy Effect: Append - What happens? | Adds additional parameters/fields to the requested resource during creation or update. |
Policy Effect: Audit/AuditIfNotExists - What happens? | Does not stop the request, but creates a warning in the activity log. |
Policy Effect: DeployIfNotExists - What happens? | Executes a template deployment when a specific condition is met. For example, if SQL encryption is enabled on a database, it can run a template after the DB is created to set it up in a specific way. |
How to remove policy assignment (PS) | Remove-AzPolicyAssignment -Name <PolicyAssgnName> -Scope <scope> |