Azure Policy
Azure Policy is a set of rules for resource creation and management that apply across multiple subscriptions; it defines what actions are allowed within a subscription and assesses resources to ensure that compliance standards are met or enforce organization mandates drift, or that non-compliance can be remediated through automation.
Some typical example use cases of Azure Policy could limit what regions can be accessed for resources to be created so that data sovereignty can be complied with. You can even limit VM types or storage types so that expensive or operationally inefficient resources are not created.
The following are the key differences to understand between Azure Policy and Azure RBAC:
- Azure Policy:
- Controls what can be done (regardless of the user)
- Focuses on resource properties
- Applied to resources
An example of Azure Policy would be that you are the contributor of a resource group, but a policy blocks you from deploying a VM in WestUS or you cannot deploy a DS12v2 but can deploy a DS4_v2.
We will look at this in a hands-on exercise in this chapter.
- Azure RBAC:
- Controls who can do what (specific to each user)
- Focuses on user actions
- Applied to each action
- Create, read, update, and delete
- Built-in and custom roles
- Default Deny, explicit Allow
An example of Azure RBAC would be having contributor rights on a resource group in a dev/test subscription but only VM admin rights in a production subscription.
Policies are described in JavaScript Object Notation (JSON) format via policy definitions, which are the business rules to be applied to the policy; these rules (policy definitions) can be grouped to form a policy initiative (or policy set). The policy definition is assigned to a resource-level scope and applied by policy assignments; the policy will evaluate all resources in the level assigned.
The following diagram shows that policies are scoped at the subscription, resource group, and resource levels:
Figure 9.4 – Azure Policy scope level
In this section, we looked at Azure Policy and its differences from RBAC. The following section looks at Azure Blueprints.