Azure governance
Azure governance refers to the processes and mechanisms used to maintain control over your applications and resources in Azure; it encompasses the strategic priorities involved in planning initiatives within your organization. Azure governance is delivered through two services: Azure Policy and, as we will discuss in Chapter 7, Offers, support, resources, and tips to optimize cost in Azure, Azure Cost Management.
The purpose of Azure Policy is to codify your operational standards and to assess your compliance against them. Azure Policy enforces requirements for compliance, security, cost, and management while applying governance consistently across your resources. Everything you see in Azure is governed by these policies, which express business rules as JSON policy definitions. The schema for these policy definitions can be found at https://schema.management.azure.com/schemas/2019-09-01/policyDefinition.json.
What are the benefits?
Azure governance and Azure Policy help with building and scaling your applications while maintaining a level of control. This helps create guardrails and assists with deploying entirely governed environments throughout your organization's subscription using Azure Blueprints. As we will discuss in Chapter 7, Offers, support, resources, and tips to optimize cost in Azure, it also assists in managing costs by providing insights into your spending to maximize your cloud investment. In addition, Azure governance offers the following benefits:
- Helps with audit and enforcement of your policies for any Azure service
- Helps encourage accountability throughout the organization while monitoring spending
- Creates compliant environments, including resources, policies, and access control
- Helps ensure compliance with external regulations via built-in compliance controls
In the following sections, we'll look in detail at some of the features and services available via Azure governance, namely Azure management groups, Azure Policy, Azure Blueprints, Azure Resource Graph, and Azure Cost Management and Billing.
Azure management groups
Azure management groups help manage your Azure subscriptions by grouping them and taking actions against those groups. They allow you to define security, policies, and typical deployments via blueprints. They help create a hierarchical view of your organization so that you can efficiently manage your subscriptions and resources:
Figure 2.5: Azure management groups
As you can see in Figure 2.5, there is a simple separation between production and non-production. The illustration shows that every management group hierarchy starts from a root (parent) group whose settings the groups beneath it inherit. You can create a global structure at the root, or you can create a production or non-production policy in either one of the branches.
Azure Policy
Azure Policy was put in place to help enforce asset compliance with organizational standards within Azure. Common uses of Azure Policy are implementing governance for resource consistency, security, cost, and management. Like everything in Azure, Azure policies are in JSON format, and you add business rules as policy definitions to simplify the management of these rules.
Azure policies can be applied to Azure resources at different points in their life cycle or during an ongoing compliance evaluation. They can be used as a control mechanism to deny changes or to log them. The difference between Azure Policy and Azure role-based access control (RBAC) is that a policy does not restrict the actions a user can take; RBAC governs who can do what, while Azure Policy evaluates the resources themselves. This means that a combination of Azure RBAC and Azure Policy provides the full scope of security in Azure.
The following best practices are recommended by Microsoft:
- When you use Azure policies, it's always good to start with an audit policy rather than a denial policy, as setting a denial policy may hinder automation tasks when creating the resources.
- When creating your definitions, consider your organizational hierarchies. Creating higher-level definitions such as at the management group or subscription level is recommended.
- Create and assign initiative definitions (policy sets) even when they contain only a single policy definition.
- It is good to remember that once an initiative assignment is evaluated, all policies within that initiative are evaluated as well.
- You should think about using policies to help control your infrastructure, such as requiring antivirus to be installed on all virtual machines or not allowing specific sizes of virtual machines to be created in a non-production environment. To gain a better understanding of the Azure Policy definition structure, you can learn more at https://docs.microsoft.com/azure/governance/policy/concepts/definition-structure.
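The following is an added example, not code from the book or from Microsoft: a policy definition in the documented JSON structure that restricts virtual machine sizes, with the effect exposed as a parameter so the same definition can be assigned as Audit first and switched to Deny later, as the best practices above recommend. The small evaluator beneath it is a simplified, local stand-in for the Azure Policy engine (it supports only the `allOf`/`anyOf`/`not`, `equals`, `in`, and `notIn` constructs and treats a resource as a flat dictionary keyed by field or alias name); the policy name, parameter names, and the sample resources are constructed for illustration.

```python
"""Azure Policy definition with a parameterized effect, plus a local evaluator.

This is illustrative code, not the Azure Policy engine: it applies a subset of
the policy rule language to resources represented as flat dictionaries.
"""
import json
import re

# Constructed policy definition: only the listed VM sizes are permitted.
# "effect" is a parameter so the assignment decides between Audit and Deny.
ALLOWED_VM_SIZES_POLICY = {
    "properties": {
        "displayName": "Allowed VM sizes in non-production (example)",
        "mode": "Indexed",
        "parameters": {
            "allowedSizes": {
                "type": "Array",
                "metadata": {"description": "VM SKUs permitted in non-production"},
                "defaultValue": ["Standard_B2s", "Standard_D2s_v3"],
            },
            "effect": {
                "type": "String",
                "allowedValues": ["Audit", "Deny"],
                "defaultValue": "Audit",
            },
        },
        "policyRule": {
            "if": {
                "allOf": [
                    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                    {
                        "field": "Microsoft.Compute/virtualMachines/sku.name",
                        "notIn": "[parameters('allowedSizes')]",
                    },
                ]
            },
            "then": {"effect": "[parameters('effect')]"},
        },
    }
}

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value, params):
    """Resolve a "[parameters('name')]" reference; any other value passes through."""
    if isinstance(value, str):
        match = PARAM_RE.match(value)
        if match:
            return params[match.group(1)]
    return value


def matches(cond, resource, params):
    """Evaluate one condition (logical operator or field comparison) against a resource."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = resource.get(cond["field"])  # simplified: aliases are plain keys here
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    if "notIn" in cond:
        return actual not in resolve(cond["notIn"], params)
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition, resource, assignment_params=None):
    """Return 'Audit' or 'Deny' when the rule matches (non-compliant), else 'Compliant'.

    Parameters default to the definition's defaultValue and are overridden by the
    values supplied on the assignment, mirroring how assignments work in Azure.
    """
    props = definition["properties"]
    params = {name: spec.get("defaultValue") for name, spec in props["parameters"].items()}
    params.update(assignment_params or {})
    rule = props["policyRule"]
    if matches(rule["if"], resource, params):
        return resolve(rule["then"]["effect"], params)
    return "Compliant"


# Constructed sample resources: two VMs and one storage account.
SAMPLE_RESOURCES = [
    {"name": "vm-dev-01", "type": "Microsoft.Compute/virtualMachines",
     "Microsoft.Compute/virtualMachines/sku.name": "Standard_B2s"},
    {"name": "vm-dev-02", "type": "Microsoft.Compute/virtualMachines",
     "Microsoft.Compute/virtualMachines/sku.name": "Standard_D64s_v3"},
    {"name": "st-dev-01", "type": "Microsoft.Storage/storageAccounts"},
]


def compliance_report(definition, resources, assignment_params=None):
    """Map each resource name to the effect the policy would produce for it."""
    return {r["name"]: evaluate(definition, r, assignment_params) for r in resources}


if __name__ == "__main__":
    print(json.dumps(ALLOWED_VM_SIZES_POLICY, indent=2))  # the JSON you would submit to Azure
    print("Audit assignment:", compliance_report(ALLOWED_VM_SIZES_POLICY, SAMPLE_RESOURCES))
    print("Deny assignment: ", compliance_report(ALLOWED_VM_SIZES_POLICY, SAMPLE_RESOURCES,
                                                 {"effect": "Deny"}))
```

Running the script prints the definition and two reports: with the default Audit effect the oversized VM is only flagged, while the same definition assigned with `effect` set to Deny would block it, which is exactly why an audit-first rollout lets you see what automation would break before enforcement is switched on.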
Azure Blueprints
Azure Blueprints enables technology groups to develop a repeatable set of Azure resources that support an organization's patterns, requirements, and standards. Blueprints are a great way to orchestrate the deployment of various resources, such as role assignments, policies, ARM templates, and resource groups. Azure Blueprints is an extension of ARM templates, which are designed to help with environment setup, and Azure Blueprints uses templates to accomplish this goal.
Azure Resource Graph
Azure Resource Graph was created to extend ARM templates' capabilities to help explore resources even across subscriptions. Azure Resource Graph queries allow you to search for complex results from resources that have been deployed in Azure. Azure Resource Graph is the query system that supports the search in Azure. The query language is based on the Kusto Query Language, which is also used by Azure Data Explorer, so it may be new to you and take a little bit of getting used to.
You need the appropriate rights in Azure RBAC to see the resources—this is the read permission. If you don't get any results returned in Azure when you use Azure Resource Graph, check your read permission first.
Azure Resource Graph is free to use, but it's throttled to ensure the best experience for everyone.
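As an added example (not code from the book or from Microsoft), the block below shows a Kusto query of the kind Azure Resource Graph answers across subscriptions, together with the two practical points made above: results arrive in pages that must be followed via a continuation token, and an empty result should prompt a check of the caller's read permission before the query is suspected. The query text, the page format, and the sample pages are constructed for illustration; the SDK adapter assumes the `azure-mgmt-resourcegraph` and `azure-identity` packages and is not exercised offline.

```python
"""Azure Resource Graph: a KQL query, skipToken paging, and the empty-result caveat.

Illustrative code only. The paging loop is driven by a callable so it can run
offline against constructed pages or, via azure_query_fn, against the real service.
"""
from typing import Callable, Dict, List, Optional

# Constructed KQL query: VM count per subscription and size, the kind of
# cross-subscription question Resource Graph answers in a single call.
VM_SIZE_QUERY = """
Resources
| where type =~ 'microsoft.compute/virtualmachines'
| summarize vmCount = count() by subscriptionId, sku = tostring(properties.hardwareProfile.vmSize)
| order by vmCount desc
"""

# One page of results as modelled here: rows plus an optional continuation token.
Page = Dict[str, object]            # {"data": [...], "skipToken": Optional[str]}
QueryFn = Callable[[str, Optional[str]], Page]


def fetch_all(query_fn: QueryFn, query: str) -> List[dict]:
    """Follow the continuation token until the service reports the last page."""
    rows: List[dict] = []
    token: Optional[str] = None
    while True:
        page = query_fn(query, token)
        rows.extend(page.get("data", []))
        token = page.get("skipToken")
        if not token:
            return rows


def explain_result(rows: List[dict]) -> str:
    """Turn a result set into an operator-facing message; empty means check RBAC first."""
    if not rows:
        return ("no rows: verify the caller has read permission on the subscriptions "
                "in scope before suspecting the query")
    return f"{len(rows)} rows returned"


# Constructed pages, shaped like a paged Resource Graph response.
SAMPLE_PAGES: List[Page] = [
    {"data": [{"subscriptionId": "sub-a", "sku": "Standard_D2s_v3", "vmCount": 12}],
     "skipToken": "page-2"},
    {"data": [{"subscriptionId": "sub-b", "sku": "Standard_B2s", "vmCount": 3}],
     "skipToken": None},
]


def paged_stub(pages: List[Page]) -> QueryFn:
    """Serve constructed pages by continuation token (offline stand-in for the service)."""
    by_token: Dict[Optional[str], Page] = {None: pages[0]}
    for previous, page in zip(pages, pages[1:]):
        by_token[previous["skipToken"]] = page

    def run(query: str, skip_token: Optional[str]) -> Page:
        return by_token[skip_token]
    return run


def azure_query_fn(subscriptions: List[str]) -> QueryFn:
    """Adapter over the azure-mgmt-resourcegraph SDK (assumed installed; not run offline)."""
    from azure.identity import DefaultAzureCredential            # assumption: package present
    from azure.mgmt.resourcegraph import ResourceGraphClient
    from azure.mgmt.resourcegraph.models import QueryRequest, QueryRequestOptions

    client = ResourceGraphClient(DefaultAzureCredential())

    def run(query: str, skip_token: Optional[str]) -> Page:
        request = QueryRequest(
            subscriptions=subscriptions,
            query=query,
            options=QueryRequestOptions(top=100, skip_token=skip_token,
                                        result_format="objectArray"),
        )
        response = client.resources(request)
        return {"data": response.data, "skipToken": response.skip_token}
    return run


if __name__ == "__main__":
    rows = fetch_all(paged_stub(SAMPLE_PAGES), VM_SIZE_QUERY)
    print(explain_result(rows))
    for row in rows:
        print(row)
```

Because Resource Graph is throttled, keeping `top` modest and walking pages in a loop is the polite way to pull a large inventory; the same `fetch_all` works unchanged whether it is fed the offline stub or the SDK adapter.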
Azure Cost Management and Billing
Azure Cost Management and Billing was created to help analyze, manage, and optimize the costs of your workloads in Azure. It was introduced to help businesses reduce their risk of potential waste and inefficiencies as they migrate to the cloud. Azure Cost Management and Billing does the following:
- Assists in paying your bills
- Generates monthly invoices containing cost and usage data that can be downloaded
- Sets spending thresholds
- Analyzes your costs proactively
- Identifies opportunities to optimize spending for your workloads in Azure
We will cover this in more depth in Chapter 7, Offers, support, resources, and tips to optimize cost in Azure, since individuals and organizations manage cost streams differently in Azure.