1. Governance and compliance tools
Welcome back! In this video, we'll discuss governance and compliance tools in Azure.
2. Governance and compliance tools overview
There are two specific tools in Azure you'll be using a lot for governance and compliance: Azure Policy and Azure Blueprints.
Azure Policy is used to enforce standards and best practices by defining and applying rules and policies to resources.
Azure Blueprints is used to standardize deployments and replicate configurations from existing environments.
We'll discuss both in more detail.
3. Azure Policy
Azure Policy, as the name implies, is used to set policies, specific sets of rules, and standards for resources.
This is done to enforce compliance with applicable standards and regulations.
The rules set by Azure Policy can be set at any level and automatically inherited by sub-levels.
For example, a policy could be applied to a specific resource or to a resource group, whereby new resources created in this group would automatically take on the same policy.
Azure Policy not only allows you to set these rules but also allows for automatic remediation. For example, if required resource tags are missing, they can be applied automatically.
4. Azure Policy: Initiatives
Typically, there are a multitude of related sets of rules that need to be set to comply with regulations.
To assist with this, Azure Policies can be grouped into so-called Initiatives: these are groups of policies related to a larger goal.
These Initiatives can be user-defined, or users can make use of built-in Initiatives designed for common scenarios or regulations.
For example, Azure Policy has a built-in Initiative for compliance with HIPAA/HITRUST, the main US regulation protecting data and privacy in healthcare.
This Initiative contains, among others, the following policies: multi-factor authentication should be enabled, there should be more than one owner assigned to a subscription, and there should be an automatic check for missing members in the Administrators group.
5. Azure Blueprints
The second tool you will encounter a lot in the context of governance and compliance is Azure Blueprints.
This tool allows you to standardize new cloud subscriptions or deployment of resource environments.
In doing so, Azure preserves the link between the original blueprint and the deployed resources. In other words, it allows us to track whether what was deployed conforms to what should have been deployed.
In addition, Azure Blueprints supports versioning, which means that updates can be easily tracked or reversed, ensuring transparency and supporting recovery in case of problems.
6. Azure Blueprints: Artifacts
Azure Blueprints consists of components, which are called Artifacts in Azure.
These contain specific parameters that can be defined. They can be configured directly in the Blueprint for standardization, or at deployment time if some flexibility is required.
Examples of possible Artifacts are role assignments, policy assignments, configuration of resource groups, or predefined resource templates.
7. Example use case: network security policy
Suppose you are responsible for implementing best practices for network security, such as disabling public Internet access based on specific rules, for example whether or not the resource is sensitive.
With Azure Policy, you can implement a set of rules that block or restrict public Internet access.
To do this, you can search the built-in policy definitions to start from and customize the policy as you wish.
Additionally, you can include the above policy as an Artifact in an Azure Blueprint so that new deployments automatically implement the network security rules without having to configure them from scratch.
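The following Python is an added example, not part of this course transcript and not Azure's own policy engine. It ties together the use case above with the Azure Policy features described earlier: a `deny` policy that blocks public network access on resources tagged as sensitive, a `modify` policy that remediates a missing tag automatically, and an Initiative that groups the two. The policy documents follow the shape of a real Azure Policy definition (`policyRule` with `if`/`then`, `field` conditions such as `equals`, `notEquals` and `exists`, and the `deny`/`modify` effects). The evaluator, the alias-to-property mapping, the resource records and the policy names are simplified constructions for illustration and are not how Azure implements evaluation internally.

```python
"""Simplified evaluator for Azure Policy-style definitions (added example).

The policy documents mirror the structure of real Azure Policy definitions,
but the evaluator below is a small stand-in written for this example, not
Azure's policy engine. Resource records are constructed sample data.
"""
import copy

# Constructed policy: deny public network access on storage accounts tagged as sensitive.
DENY_PUBLIC_ACCESS = {
    "name": "deny-public-network-access-on-sensitive",  # hypothetical name
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"field": "tags['sensitivity']", "equals": "high"},
                {"field": "Microsoft.Storage/storageAccounts/publicNetworkAccess",
                 "notEquals": "Disabled"},
            ]
        },
        "then": {"effect": "deny"},
    },
}

# Constructed policy: automatic remediation, add an 'owner' tag when it is missing.
REQUIRE_OWNER_TAG = {
    "name": "add-owner-tag-if-missing",  # hypothetical name
    "policyRule": {
        "if": {"field": "tags['owner']", "exists": "false"},
        "then": {
            "effect": "modify",
            "details": {"operations": [
                {"operation": "addOrReplace", "field": "tags['owner']", "value": "unassigned"}
            ]},
        },
    },
}

# An Initiative groups related policies behind one larger goal.
INITIATIVE = {"name": "network-security-baseline",
              "policyDefinitions": [DENY_PUBLIC_ACCESS, REQUIRE_OWNER_TAG]}

# Constructed sample resources (not real deployments).
SAMPLE_RESOURCES = [
    {"name": "stfinance01", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"sensitivity": "high"},
     "properties": {"publicNetworkAccess": "Enabled"}},
    {"name": "stpublicweb", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"sensitivity": "low", "owner": "web-team"},
     "properties": {"publicNetworkAccess": "Enabled"}},
    {"name": "stfinance02", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"sensitivity": "high", "owner": "finance"},
     "properties": {"publicNetworkAccess": "Disabled"}},
]


def resolve_field(resource, field):
    """Map a policy 'field' to a value on the resource (simplified alias handling)."""
    if field in ("type", "name", "location"):
        return resource.get(field)
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    # Treat anything else as "<resourceType>/<dotted.property.path>" into 'properties'.
    prefix = resource.get("type", "") + "/"
    if not field.startswith(prefix):
        return None
    value = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def matches(condition, resource):
    """Evaluate an 'if' block: logical operators and the common field conditions."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = resolve_field(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    if "exists" in condition:
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    if "in" in condition:
        return value in condition["in"]
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(initiative, resource):
    """Return (decision, remediated_copy, findings) for one resource under an initiative."""
    resource = copy.deepcopy(resource)  # remediation must not mutate the caller's record
    findings, decision = [], "allow"
    for policy in initiative["policyDefinitions"]:
        rule = policy["policyRule"]
        if not matches(rule["if"], resource):
            continue
        effect = rule["then"]["effect"]
        findings.append((policy["name"], effect))
        if effect == "deny":
            decision = "deny"
        elif effect == "modify":  # apply tag remediation operations
            for op in rule["then"]["details"]["operations"]:
                if op["operation"] == "addOrReplace" and op["field"].startswith("tags['"):
                    resource.setdefault("tags", {})[op["field"][6:-2]] = op["value"]
    return decision, resource, findings


def compliance_report(initiative, resources):
    """Summarize the decision per resource name, as a governance dashboard would."""
    return {r["name"]: evaluate(initiative, r)[0] for r in resources}


if __name__ == "__main__":
    for name, decision in compliance_report(INITIATIVE, SAMPLE_RESOURCES).items():
        print(f"{name}: {decision}")
```

Running the block shows the sensitive account with public access enabled being denied while also receiving the missing `owner` tag, the non-sensitive account passing, and the sensitive account with `publicNetworkAccess` set to `Disabled` passing. The inheritance described earlier (a policy applied at a resource group flows down to new resources) is what makes evaluating every resource under one initiative like this meaningful.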
8. Let's practice!
Let's consolidate what you've learned!