12 Governing your subscriptions using Azure Policy

 

This chapter covers

  • The benefits of using Azure Policy
  • Using the built-in policies
  • Writing, testing and deploying custom policies
  • Reviewing the current compliance status and improving it

All the examples and scenarios you have seen so far were relatively small. They mostly covered one application or were deployed to one or two subscriptions. When that is the case, it is straightforward to keep track of what resources you have running in Azure and to make sure that your solution is secure, compliant, and cost-effective. When your cloud workload gets bigger, that is much harder to do. Luckily, Azure has a built-in feature called Azure Policy that can help you govern your Azure resources, and you can use Azure Policy through Infrastructure as Code or, as it is then often called, Policy as Code. In this chapter, you will learn how to use Azure Policy to govern Azure architectures.

Imagine you work at an enterprise organization that wants to make the move to the Azure cloud. Currently, all the teams run their applications and infrastructure in one or more on-premises datacenters. What is often done in such a situation is to build what is called a Landing Zone in Azure and use a Hub and Spoke architecture.

12.1 Azure Policy

 

12.1.1 Policy definitions

 
 
 
 

12.1.2 Initiative / policySet

 

12.1.3 Assignment

 
 
 
 

12.2 Examining the built-in policies and initiatives

 
 

12.3 Using custom policies

 

12.3.1 Create a custom policy

 

12.3.2 Testing the policy

 
 

12.4 Using the different effects

 
 

12.4.1 Append

 
 
 
 

12.4.2 Audit

 
 

12.4.3 AuditIfNotExists

 
 

12.4.4 DeployIfNotExists

 
 
 

12.4.5 Disabled

 
 

12.4.6 Modify

 
 
 

12.5 Creating your own initiative

 
 
 
 

12.6 Assigning a policy or initiative

 
 
 
 

12.7 Reviewing compliance status

 

12.7.1 Remediate non-compliant resources

 
 

12.7.2 Create an exemption

 
 
 
 

12.8 Summary

 
 
 
 