All the examples and scenarios you have seen so far were relatively small. Most covered a single application or were deployed to one or two subscriptions. At that scale, it is straightforward to keep track of which resources you have running in Azure and to make sure that your solution is secure, compliant, and cost-effective. As your cloud workload grows, that becomes much harder. Luckily, Azure has a built-in feature called Azure Policy that can help you govern your Azure resources. You can use Azure Policy with Infrastructure as Code, a combination that is often called Policy as Code. In this chapter, you will learn how to use Azure Policy to govern Azure architectures.
Imagine you work at an enterprise organization that wants to move to the Azure cloud. Currently, all the teams run their applications and infrastructure in one or more on-premises data centers. A common approach in such a situation is to build what is called a landing zone in Azure and use a hub-and-spoke architecture.