Azure Landing Zones Part 4 - Rule the Cloud! Mastering Governance and Compliance with Azure Policies

Introduction

Welcome back to the Azure Landing Zones series! You’ve built your Connectivity and Management Subscriptions—the backbone and brain of your Azure environment. Now, it’s time to turn on the guardrails with Azure Policies and governance.

Think of governance as the rules of the road. It’s not just about controlling what happens in Azure—it’s about enabling your teams to work smarter, stay compliant, and avoid costly mistakes. And Azure Policies are your secret weapon.

In this post, we’ll cover:

  1. What Azure Policies are and why they’re crucial.
  2. The key policies to implement for a solid Landing Zone setup.
  3. How to stay compliant with regulatory standards (including NIS2) and monitor your environment effectively.

Let’s dive in and start ruling the cloud with confidence!


What Are Azure Policies?

Azure Policies are rules and standards that you define to govern resources in your Azure environment. They allow you to enforce compliance by auditing, allowing, or denying specific actions based on criteria you set.

Why Are Azure Policies Essential?

  • Enforce Standards: Ensure consistent naming conventions, tags, and configurations.
  • Boost Security: Deny public IPs, enforce encryption, or secure data at rest.
  • Simplify Compliance: Automate adherence to frameworks like ISO, SOC, GDPR, or NIS2.
  • Control Costs: Restrict resource types or sizes to avoid surprise bills.

Azure Policies give you the power to keep your environment secure, compliant, and cost-effective—automatically.


Step 1: Organize with Management Groups

Before deploying policies, you need to structure your Management Groups and Subscriptions. Why? Because a solid hierarchy lets you enforce policies consistently and at scale.

In our first blog post, we broke down how to structure Management Groups and Subscriptions. Here’s a quick recap:

Recommended Hierarchy:

  1. Root Management Group: The parent group for all subscriptions.
  2. Platform Management Group:
    • Connectivity Subscription: Centralized networking resources.
    • Management Subscription: Logging, monitoring, and governance tools.
  3. Workload Management Group:
    • Production Workload Subscriptions
    • Development Workload Subscriptions
    • Sandbox Subscriptions

This structure enables:

  • Separation of Duties: Keep shared services isolated from workload subscriptions.
  • Governance at Scale: Apply policies at the Management Group level, cascading them to child subscriptions.

For a deeper dive, check out Azure Landing Zones Part 1: Structuring for Success.

Once your Management Groups are ready, you’re all set to define and assign policies.


Step 2: Deploying Must-Have Policies

Let’s talk policies! Here are the essential policies you should enforce in your Landing Zones:

1. Naming Conventions

  • Policy Example: Enforce resource naming patterns like {env}-{service}-{region}-{number}.
  • Why? Consistency helps with discovery, automation, and management.
  • Policy Type: Audit or Deny

2. Tagging Rules

  • Policy Example: Require tags like CostCenter, Environment, and Owner on all resources.
  • Why? Tags enable cost tracking, ownership assignment, and better reporting.
  • Policy Type: Audit or Deny

3. Region Restrictions

  • Policy Example: Restrict deployments to approved regions like East US or West Europe.
  • Why? Comply with data residency requirements and optimize performance.
  • Policy Type: Deny

4. Security Policies

  • Deny Public IPs: Prevent resources from being exposed to the internet.
  • Require Encryption: Ensure all data is encrypted at rest.
  • Mandatory NSGs: Enforce Network Security Groups on all subnets.

5. Resource SKUs

  • Policy Example: Restrict VM sizes to approved SKUs like B-Series for Dev/Test or D-Series for Production.
  • Why? Control costs and optimize resources.
  • Policy Type: Deny

6. Logging and Monitoring

  • Enable Diagnostic Logs: Ensure all resources send logs to Log Analytics.
  • Monitor Critical Metrics: Enforce monitoring for critical Azure resources (e.g., VMs, databases).

7. Identity and Access Policies

  • Policy Example: Enforce MFA for all accounts and require just-in-time (JIT) access for VMs.
  • Why? Strengthen access controls and minimize attack surfaces.

8. Backups and Disaster Recovery

  • Policy Example: Ensure VMs, databases, and storage accounts have backup policies enabled.
  • Why? Protect critical data and meet compliance requirements.
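Every policy above is, under the hood, an if/then rule written in the Azure Policy rule language. To make the semantics concrete, here is an added Python example (not from this post and not Microsoft's evaluation engine): a small evaluator for a subset of the rule language (field, equals, in/notIn, exists, like, match, allOf/anyOf/not, and the Audit/Deny effects) run over a few constructed resource records. The policy definitions, the three sample resources and the single alias entry are constructed for the example and only illustrate the naming, tagging, region, public-IP and SKU policies listed in this step; they are not Azure's built-in definitions.

```python
"""Mini evaluator for a subset of the Azure Policy rule language (added example)."""
import fnmatch
import re

# Illustrative custom definitions for the Step 2 policies, written as the
# policyRule object (if/then) Azure expects.  Constructed for this example.
POLICIES = {
    "deny-public-ips": {
        "if": {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
        "then": {"effect": "Deny"},
    },
    "allowed-locations": {
        "if": {"field": "location", "notIn": ["eastus", "westeurope"]},
        "then": {"effect": "Deny"},
    },
    "require-tags": {  # Audit first; switch to Deny once teams have caught up
        "if": {"anyOf": [
            {"field": "tags['CostCenter']", "exists": "false"},
            {"field": "tags['Environment']", "exists": "false"},
            {"field": "tags['Owner']", "exists": "false"},
        ]},
        "then": {"effect": "Audit"},
    },
    "naming-convention": {
        # {env}-{service}-{region}-{number}, e.g. prd-web-weu-01.
        # Azure 'match' wildcards: '#' = digit, '?' = letter, '.' = any character.
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "name", "notMatch": "???-???-???-##"},
        ]},
        "then": {"effect": "Deny"},
    },
    "prod-vm-skus": {  # for Production workload subscriptions: D-series only
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                     "like": "Standard_D*"}},
        ]},
        "then": {"effect": "Deny"},
    },
}

# Minimal alias table: Azure resolves aliases to JSON paths in the resource body.
ALIASES = {"Microsoft.Compute/virtualMachines/sku.name": ("properties", "hardwareProfile", "vmSize")}


def _norm(v):
    """String comparisons in Azure Policy are case-insensitive (except 'match')."""
    return v.lower() if isinstance(v, str) else v


def _match(value, pattern):
    """Azure 'match': '#' digit, '?' letter, '.' any character; case-sensitive."""
    regex = "".join({"#": "[0-9]", "?": "[A-Za-z]", ".": "."}.get(ch, re.escape(ch)) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def _like(value, pattern):
    """Azure 'like': single '*' wildcard, case-insensitive."""
    return isinstance(value, str) and fnmatch.fnmatchcase(value.lower(), pattern.lower())


OPERATORS = {
    "equals": lambda v, a: _norm(v) == _norm(a),
    "notEquals": lambda v, a: _norm(v) != _norm(a),
    "in": lambda v, a: _norm(v) in [_norm(x) for x in a],
    "notIn": lambda v, a: _norm(v) not in [_norm(x) for x in a],
    "exists": lambda v, a: (v is not None) == (str(a).lower() == "true"),
    "like": _like,
    "notLike": lambda v, a: not _like(v, a),
    "match": lambda v, a: isinstance(v, str) and _match(v, a),
    "notMatch": lambda v, a: not (isinstance(v, str) and _match(v, a)),
}


def resolve_field(field, resource):
    """Look up a field: top-level property, tags['Key'] / tags.Key, or an alias."""
    tag = re.fullmatch(r"tags\['([^']+)'\]|tags\.(\w+)", field)
    if tag:
        key = (tag.group(1) or tag.group(2)).lower()  # tag names are case-insensitive
        return next((v for k, v in resource.get("tags", {}).items() if k.lower() == key), None)
    node = resource
    for part in ALIASES.get(field, (field,)):
        node = node.get(part) if isinstance(node, dict) else None
    return node


def condition_holds(cond, resource):
    """Recursively evaluate an Azure Policy condition object against one resource."""
    if "allOf" in cond:
        return all(condition_holds(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource)
    op, arg = next((k, v) for k, v in cond.items() if k != "field")
    return OPERATORS[op](resolve_field(cond["field"], resource), arg)


def evaluate(resource, policies=POLICIES):
    """Return {policy: effect} for every policy whose 'if' matches the resource.
    An empty dict means the resource is compliant with all of them."""
    return {name: p["then"]["effect"] for name, p in policies.items()
            if condition_holds(p["if"], resource)}


# Constructed sample resources (trimmed ARM-style JSON bodies).
RESOURCES = [
    {"name": "prd-web-weu-01", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope",
     "tags": {"CostCenter": "CC100", "Environment": "prod", "Owner": "platform@example.com"},
     "properties": {"hardwareProfile": {"vmSize": "Standard_D4s_v5"}}},
    {"name": "vm-test", "type": "Microsoft.Compute/virtualMachines", "location": "brazilsouth",
     "tags": {"Environment": "dev"},
     "properties": {"hardwareProfile": {"vmSize": "Standard_B2s"}}},
    {"name": "pip-web", "type": "Microsoft.Network/publicIPAddresses", "location": "westeurope",
     "tags": {"CostCenter": "CC100", "Environment": "prod", "Owner": "platform@example.com"}},
]

if __name__ == "__main__":
    for r in RESOURCES:
        print(r["name"], evaluate(r) or "compliant")
```

Running it shows the first VM passing every rule, the second VM hitting four of them (three Deny, one Audit) and the public IP caught by the Deny rule alone. A Deny effect blocks the create or update request at deployment time; an Audit effect lets it through and only flags the resource, which is why tagging starts as Audit above.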

Step 3: Automating Policy Deployment

Manually creating policies can get tedious. Let’s automate it using a Bicep template.

// Deployed at subscription scope, so both the definition and the assignment live in the target subscription.
targetScope = 'subscription'

param policyName string = 'DenyPublicIPs'
param displayName string = 'Deny Public IPs'
param policyDescription string = 'This policy ensures no public IP addresses are created on any resource.'

// Start with Audit to measure the impact, then switch to Deny.
@allowed([
  'Audit'
  'Deny'
  'Disabled'
])
param policyEffect string = 'Deny'

// Custom definition: match every public IP address resource and apply the chosen effect.
resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: policyName
  properties: {
    displayName: displayName
    description: policyDescription
    mode: 'All'
    policyRule: {
      if: {
        field: 'type'
        equals: 'Microsoft.Network/publicIPAddresses'
      }
      then: {
        effect: policyEffect
      }
    }
  }
}

// Assign the definition to the subscription this template is deployed into.
resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
  name: '${policyName}-assignment'
  properties: {
    displayName: displayName
    policyDefinitionId: policyDefinition.id
    scope: subscription().id
  }
}

Deploy this template at subscription scope and any attempt to create a public IP address in that subscription is denied. Assign it to workload subscriptions only: the VPN gateways and Azure Firewall in your Connectivity subscription need public IPs, so denying them there would break your hub.


Step 4: Enable Compliance Initiatives

Azure provides pre-built Policy Initiatives to simplify compliance with industry standards. Assign these initiatives to your Management Groups for comprehensive coverage:

  • Azure Security Benchmark Initiative
  • ISO 27001
  • SOC 2
  • NIST 800-53
  • NIS2 Directive: Address the European Union’s Network and Information Systems Directive 2 for critical infrastructure.

Step 5: Monitor and Remediate Compliance

Governance isn’t set-it-and-forget-it. Use the Azure Policy Compliance Dashboard to:

  1. Track compliance at the resource, subscription, or Management Group level.
  2. Identify non-compliant resources and fix them with remediation tasks.
  3. Set up alerts to stay ahead of critical compliance violations.
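The dashboard's three levels (resource, subscription, Management Group) are a roll-up over the hierarchy from Step 1, and a policy assigned at a Management Group counts against every subscription beneath it. The following added Python example (mine, not the post's and not Azure's compliance service) makes that roll-up explicit: it takes a constructed hierarchy, constructed assignments and constructed per-resource evaluation results, works out which policies are in force for each subscription by inheritance, and produces per-scope counts plus the list of non-compliant resources a remediation task would target. Scope names, policy names and results are all constructed for the example; a resource with no result for an assigned policy is treated as compliant here, which is a simplification of Azure's "not started" state.

```python
"""Roll compliance up the Management Group hierarchy (added example)."""

# Constructed hierarchy from Step 1: child scope -> parent scope.
HIERARCHY = {
    "mg-platform": "mg-root",
    "mg-workloads": "mg-root",
    "sub-connectivity": "mg-platform",
    "sub-management": "mg-platform",
    "sub-prod": "mg-workloads",
    "sub-dev": "mg-workloads",
}

# Constructed assignments: scope -> policies assigned there.  An assignment at a
# Management Group cascades to every subscription beneath it.
ASSIGNMENTS = {
    "mg-root": {"allowed-locations", "require-tags"},
    "mg-workloads": {"deny-public-ips"},  # deliberately not assigned to the platform subscriptions
}

# Constructed per-policy evaluation results: (subscription, resource name, {policy: compliant}).
# In Azure these come from the compliance data behind the Policy dashboard.
RESULTS = [
    ("sub-connectivity", "pip-vpngw-weu-01", {"allowed-locations": True, "require-tags": True, "deny-public-ips": False}),
    ("sub-management", "law-mgmt-weu-01", {"allowed-locations": True, "require-tags": True, "deny-public-ips": True}),
    ("sub-prod", "prd-web-weu-01", {"allowed-locations": True, "require-tags": True, "deny-public-ips": True}),
    ("sub-prod", "pip-web-weu-01", {"allowed-locations": True, "require-tags": True, "deny-public-ips": False}),
    ("sub-dev", "dev-sql-brs-01", {"allowed-locations": False, "require-tags": False, "deny-public-ips": True}),
]


def scope_chain(scope):
    """The scope itself followed by its ancestors up to the root Management Group."""
    chain = [scope]
    while chain[-1] in HIERARCHY:
        chain.append(HIERARCHY[chain[-1]])
    return chain


def applicable_policies(subscription):
    """Policies in force for a subscription: its own assignments plus inherited ones."""
    return set().union(*(ASSIGNMENTS.get(s, set()) for s in scope_chain(subscription)))


def failing_policies(subscription, results):
    """Assigned policies the resource violates; results for unassigned policies are ignored.
    A missing result is treated as compliant (simplification of Azure's 'not started')."""
    return sorted(p for p in applicable_policies(subscription) if not results.get(p, True))


def rollup(results=RESULTS):
    """Per-scope compliance: counts plus the remediation list of non-compliant resources."""
    report = {s: {"total": 0, "compliant": 0, "noncompliant": []}
              for s in set(HIERARCHY) | set(HIERARCHY.values())}
    for subscription, name, per_policy in results:
        failing = failing_policies(subscription, per_policy)
        for scope in scope_chain(subscription):  # count the resource once at every level above it
            entry = report[scope]
            entry["total"] += 1
            if failing:
                entry["noncompliant"].append((subscription, name, failing))
            else:
                entry["compliant"] += 1
    return report


def compliance_pct(entry):
    """Percentage shown on the dashboard for one scope."""
    return round(100 * entry["compliant"] / entry["total"], 1) if entry["total"] else 100.0


if __name__ == "__main__":
    for scope, entry in sorted(rollup().items()):
        print(f"{scope:17} {compliance_pct(entry):5.1f}%  remediate: {entry['noncompliant']}")
```

Note how the VPN gateway's public IP in sub-connectivity is not a violation, because the deny-public-ips assignment sits at mg-workloads and never reaches the platform subscriptions, while the same kind of resource in sub-prod lands on the remediation list. Alerting on critical violations (point 3 above) is then a matter of watching the non-compliant list for the policies you consider critical.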

What’s Next?

You’ve now established robust governance and compliance for your Azure Landing Zones. Next up: Deploying a New Landing Zone.