In layman's terms, governance is generally described as the structures and processes that are designed to ensure accountability, transparency, rule of law and so on. This shows that where the rule of law applies, governing policies are formulated.
And these policies guide the behaviours and actions of the subjects being governed.
Bringing this line of thought to the discussion in this blog, governance in cloud computing defines, implements, and monitors a framework of policies that guides an organisation's cloud operations. In Azure, this framework of policies is referred to as Azure Policy, which helps to enforce organisational standards and to assess compliance at scale. Azure Policy is a valuable tool for organisations in achieving resource consistency, ensuring regulatory compliance, enhancing security measures, optimizing costs, and facilitating efficient management practices.
Basically, Azure Policy is used to implement the following actions:
1) Deployment of Azure resources only to allowed regions
2) Ensuring consistent application of tags
3) Requiring resources to send diagnostic logs to a Log Analytics workspace
Organisations set basic rules and standards for their operations. These rules serve as guidance for the policy definitions that will be assigned to the organisation's resources on Azure. When a policy is assigned, it applies to all resources within the Resource Manager scope of that assignment.
Each Azure Policy definition is written in JSON (JavaScript Object Notation) and is used to determine whether a resource is compliant or not.
Now, let's see for ourselves how Azure Policy works on the Azure Portal. Let's do this together in the following logical steps.
Step 1 - Assign Policy to a Resource Group
Log in to Azure portal and search for Policy
Click on it
Then proceed to click on Definitions
Search for Allowed Locations by typing it in the Search box
Click on the box with three dots in front of Scope and select the Subscription and Resource Group. My subscription is Azure Pass Subscription and Resource group is MayWorkload1
Click on Parameters and select the three allowed locations where you want to deploy your resources. If any region other than these three locations is selected for a resource, this policy will not allow the creation of the resource.
Here, I am selecting three locations in Japan: Japan, Japan East and Japan West
Click on Review and Create
Check through if everything is in order, then create
The Policy has been assigned to the Resource group MayWorkload1
Step 2 - Test the Allowed Locations' Policy by creating a Resource in the Resource Group
You can choose to create any resource. I am going to create a key vault
Go back to Home page of Azure portal and search for Key vaults
Click on Create
Complete the Project Details. Azure Pass Sponsorship is my Subscription while I will choose my Resource group as MayWorkload1
Complete the Instance details
I will name the key vault dovault1 and select the Region as East US
Click on Review and Create
The image above shows that the key vault dovault1 cannot be created. The validation failed. The reason is indicated on the top left hand side of the image. The parent, Resource group MayWorkload1, has an Allowed locations policy assignment which allows its resources to be created only in these three regions: Japan, Japan West and Japan East. A key vault in this Resource group cannot be located in East US.
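The evaluation behind this denial, sketched as an added example (not code from the original post or from Azure): a simplified allowed-locations rule in the JSON form mentioned earlier, with a small Python evaluator run over two constructed key vault requests. The rule text, the `listOfAllowedLocations` parameter name, the lower-case region names and all function names are assumptions made for illustration.

```python
import json
# Simplified deny rule in the shape of an allowed-locations policy (illustrative).
POLICY_RULE = json.loads("""
{
  "if": {"allOf": [
    {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
    {"field": "location", "notEquals": "global"}
  ]},
  "then": {"effect": "deny"}
}
""")
# Assignment parameters: the three locations picked in Step 1 (constructed values).
PARAMS = {"listOfAllowedLocations": ["japan", "japaneast", "japanwest"]}
OPS = {"equals": lambda a, e: a == e, "notEquals": lambda a, e: a != e,
       "in": lambda a, e: a in e, "notIn": lambda a, e: a not in e}

def resolve(value, params):
    """Expand a "[parameters('name')]" reference; return other values unchanged."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value

def norm(value):
    """Lower-case strings (and lists of them) so comparisons ignore case."""
    if isinstance(value, list):
        return [norm(v) for v in value]
    return value.lower() if isinstance(value, str) else value

def matches(cond, resource, params):
    """Return True when the resource satisfies the rule's 'if' condition."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = norm(resource.get(cond["field"]))
    for op, test in OPS.items():
        if op in cond:
            return test(actual, norm(resolve(cond[op], params)))
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, rule=POLICY_RULE, params=PARAMS):
    """Return the rule's effect ('deny') if it matches, else 'compliant'."""
    return rule["then"]["effect"] if matches(rule["if"], resource, params) else "compliant"
# Constructed requests modelled on the walkthrough: dovault1 in East US, then Japan East.
EAST_US = {"name": "dovault1", "type": "Microsoft.KeyVault/vaults", "location": "eastus"}
JAPAN_EAST = {**EAST_US, "location": "JapanEast"}
print(evaluate(EAST_US), evaluate(JAPAN_EAST))
```

The East US request matches every condition under `allOf`, so the `deny` effect applies; the Japan East request fails the `notIn` test and is left alone.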
Step 3 - Delete Policy Assignment
Go back to Azure portal homepage and click on Policy
Then click on Allowed locations
Then click on Delete Assignment
The Allowed locations' policy assignment has been deleted
Now we will go back to Azure portal home page and try to create the key vault again
Take the Steps in Step 2 above
Hola! The deployment is complete. Key vault dovault1 has been created. This is because the policy assignment has been deleted.
Simply amazing.
You find this helpful? Don't hesitate to leave a comment