- Enforce Naming Conventions:
- Policy: All virtual machines should start with "VM-".
- Example: If someone tries to create a VM named "DatabaseServer", the policy will block it. However, "VM-DatabaseServer" will be allowed.
- Limit Resource Locations:
- Policy: Only allow resources to be created in the "East US" region.
- Example: If a user tries to deploy a storage account in "West Europe", it will be denied.
- Ensure Tagging:
- Policy: Every resource must have a "CostCenter" tag.
- Example: A virtual network created without the "CostCenter" tag will be flagged as non-compliant.
- Restrict VM Sizes:
- Policy: Only allow the creation of "Standard_D2_v3" VMs.
- Example: If someone tries to deploy a "Standard_E2_v3" VM, the action will be blocked.
- Ensure Specific Extensions are Installed:
- Policy: All VMs must have the "MicrosoftMonitoringAgent" extension installed.
- Example: A VM without the monitoring agent will be marked non-compliant and can be audited.
- Enforce Network Configurations:
- Policy: All virtual networks must have an associated Network Security Group (NSG).
- Example: A virtual network created without an NSG will be flagged.
- Regulate Storage Account Types:
- Policy: Only allow the creation of "Standard_GRS" storage accounts.
- Example: If someone attempts to create a "Standard_LRS" storage account, it will be denied.
- Ensure Compliance with Industry Standards:
- Policy: Audit storage accounts to ensure they have "Secure transfer required" enabled (a common regulatory requirement).
- Example: A storage account with secure transfer disabled will be marked as non-compliant.
- Avoid Drift in Configuration:
- Policy: Ensure that all web apps have "HTTPS Only" enabled.
- Example: If an Azure web app is modified to disable HTTPS, the policy will flag it.
- Custom Policy Definitions:
- Policy: Custom policy to ensure all resources have a "CreatedBy" tag.
- Example: Any resource deployed without this custom tag will be flagged.
- Integrate with Azure DevOps:
- Example: During a CI/CD pipeline run, a VM is being deployed. Azure Policy checks the VM against policies and flags an error in the pipeline if the VM is named "TestServer" (violating the naming convention policy).
- Audit and Reporting:
- Example: Monthly compliance reports are generated. The report for October shows 5 resources non-compliant with the "CostCenter" tagging policy, prompting a review and rectification.
- Restrict Public IP Addresses:
- Policy: Prohibit the creation of public IP addresses.
- Example: If someone tries to create a VM or other resource with a public IP, it's automatically denied.
- Restrict Allowed Resource Types:
- Policy: Only allow VMs, Storage Accounts, and Virtual Networks in the subscription.
- Example: If a user attempts to deploy a Cosmos DB instance, it gets blocked.
- Apply Resource Locks:
- Policy: Every resource should have a 'Read-Only' resource lock after creation.
- Example: After deploying a storage account, a 'Read-Only' lock is automatically applied, preventing accidental deletion.
- Enforce Use of Managed Disks:
- Policy: Only allow VMs with managed disks.
- Example: A deployment that tries to create a VM with unmanaged disks will be denied.
- Restrict Storage Account Access:
- Policy: Storage accounts must deny public blob access.
- Example: If someone configures a storage account to allow public access to its blobs, the action will be blocked.
- SQL Server Configuration:
- Policy: SQL servers should have 'Transparent Data Encryption' enabled.
- Example: A SQL server deployed without this encryption setting will be marked as non-compliant.
- Enforce Minimum TLS Version:
- Policy: App services should use a minimum TLS version of 1.2.
- Example: If an App Service is configured with TLS version 1.1, it will be flagged.
- Kubernetes Cluster Configuration:
- Policy: Azure Kubernetes Service (AKS) clusters must have Azure Active Directory integration.
- Example: An AKS deployment without Azure AD integration will be denied.
- Ensure VM Backup:
- Policy: Every VM should be associated with a backup policy.
- Example: A VM deployed without a backup policy association will be flagged as non-compliant.
- Enforce Specific Azure SKU:
- Policy: Only allow specific SKUs for resources. For instance, only allow "P2" SKU for Azure Key Vaults.
- Example: If someone tries to deploy a Key Vault with a "P1" SKU, it will be blocked.
- Ensure Diagnostic Settings:
- Policy: All resources should have diagnostics enabled and should send their diagnostic logs to a central Log Analytics workspace.
- Example: A virtual machine without diagnostics directed to the designated Log Analytics workspace will be flagged.
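The list above describes policies in prose; in Azure they are JSON documents whose `if` block is a condition over resource fields and whose `then` block names an effect. The following added example (not code from the original page, and not Microsoft's policy engine) writes four of the rules above (naming convention, allowed location, required "CostCenter" tag, allowed VM size) in the real `policyRule` schema and runs them through a small evaluator that supports a subset of the rule language (`field`, `equals`, `like`, `in`, `exists`, `not`, `allOf`, `anyOf`) with the `deny` and `audit` effects. The resource records are constructed inputs, and the alias lookup (stripping the resource-type prefix and walking the remaining dotted path) is a simplification of how Azure resolves aliases; the policy rule names and the sample resource names are assumptions for illustration.

```python
"""Simplified Azure Policy evaluator (added example, not the page's own code
and not Microsoft's policy engine). It implements a subset of the policy rule
language (field, equals, like, in, exists, not, allOf, anyOf) with the deny and
audit effects, so the rules above can be tried against constructed resources."""
import fnmatch
import json

# Four of the policies described on the page, written as real Azure Policy
# "policyRule" documents. The VM size alias is the one Azure exposes for
# virtual machines; the other field names are built-in properties.
POLICY_JSON = """{
  "enforce-vm-naming": {
    "if": {"allOf": [
      {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
      {"not": {"field": "name", "like": "VM-*"}}]},
    "then": {"effect": "deny"}},
  "limit-locations": {
    "if": {"not": {"field": "location", "in": ["eastus"]}},
    "then": {"effect": "deny"}},
  "require-costcenter-tag": {
    "if": {"field": "tags['CostCenter']", "exists": "false"},
    "then": {"effect": "audit"}},
  "restrict-vm-sizes": {
    "if": {"allOf": [
      {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
      {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
               "in": ["Standard_D2_v3"]}}]},
    "then": {"effect": "deny"}}
}"""
POLICIES = json.loads(POLICY_JSON)


def _field(resource, name):
    """Resolve a policy 'field' reference against a constructed resource record."""
    if name in ("name", "type", "location"):
        return resource.get(name)
    if name.startswith("tags['") and name.endswith("']"):
        return resource.get("tags", {}).get(name[6:-2])
    # Alias (simplified): strip the "<type>/" prefix, walk the dotted path.
    prefix = resource.get("type", "") + "/"
    if name.startswith(prefix):
        value = resource
        for part in name[len(prefix):].split("."):
            if not isinstance(value, dict):
                return None
            value = value.get(part)
        return value
    return None


def _condition(cond, resource):
    """Evaluate one condition: a logical operator or a single field test.
    String comparisons are case-insensitive, as in Azure Policy."""
    if "not" in cond:
        return not _condition(cond["not"], resource)
    if "allOf" in cond:
        return all(_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_condition(c, resource) for c in cond["anyOf"])
    value = _field(resource, cond["field"])
    norm = lambda v: v.lower() if isinstance(v, str) else v
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return norm(value) == norm(cond["equals"])
    if "in" in cond:
        return norm(value) in [norm(v) for v in cond["in"]]
    if "like" in cond:  # Azure 'like' uses only '*'; fnmatch is a superset
        return isinstance(value, str) and fnmatch.fnmatchcase(
            value.lower(), cond["like"].lower())
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, policies=POLICIES):
    """Return {policy_name: effect} for every policy whose 'if' block matches.
    'deny' means the request is rejected at deployment time; 'audit' means the
    resource is created but reported as non-compliant."""
    return {name: d["then"]["effect"] for name, d in policies.items()
            if _condition(d["if"], resource)}


def is_deployable(resource, policies=POLICIES):
    """True unless some matching policy carries the deny effect."""
    return "deny" not in evaluate(resource, policies).values()


def resource(name, rtype, location, tags, **body):
    """Build a constructed resource record in the shape the evaluator reads."""
    return {"name": name, "type": rtype, "location": location, "tags": tags, **body}


VM = "Microsoft.Compute/virtualMachines"
CC = {"CostCenter": "CC-100"}
SAMPLES = {  # constructed inputs, not real deployments
    "good-vm": resource("VM-DatabaseServer", VM, "eastus", CC, sku={"name": "Standard_D2_v3"}),
    "bad-name-vm": resource("DatabaseServer", VM, "eastus", CC, sku={"name": "Standard_D2_v3"}),
    "west-europe-storage": resource("stdata01", "Microsoft.Storage/storageAccounts",
                                    "westeurope", CC),
    "untagged-vnet": resource("vnet-hub", "Microsoft.Network/virtualNetworks", "eastus", {}),
    "oversized-vm": resource("VM-App01", VM, "eastus", CC, sku={"name": "Standard_E2_v3"}),
}


def compliance_report(samples=SAMPLES, policies=POLICIES):
    """Map each resource name to (deployable?, {policy: effect}), as a scan would."""
    return {n: (is_deployable(r, policies), evaluate(r, policies)) for n, r in samples.items()}


if __name__ == "__main__":
    for name, (ok, hits) in compliance_report().items():
        print(f"{name:22} {'allowed' if ok else 'DENIED':8} {hits}")
```

Running the module shows the distinction the list keeps drawing: the mis-named VM, the "West Europe" storage account and the "Standard_E2_v3" VM are denied outright, while the untagged virtual network is still created and only surfaces in the compliance report, because the tag rule uses `audit` rather than `deny`.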