Designing, building, and deploying an enterprise-ready Azure infrastructure requires the creation of a secure, reliable, and scalable environment that meets the company's needs. However, many organizations overlook the importance of Azure governance best practices and the need for continuous compliance control to ensure the Azure infrastructure meets the highest security and compliance standards.Â
Efficient Azure governance is critical to maintaining infrastructure compliance using tools that provide continuous posture control and compliance. An efficient Azure governance strategy provides a framework for controlling and managing Azure resources, policies and access control and will help an organization achieve cost efficiency and compliance.
This article will explain the key components of Azure governance, including important native services, configuration, and limitations organizations should consider.Â
Summary of key Azure governance conceptsÂ
The table below summarizes the Azure governance concepts that this article will explain in more detail.Â
| Azure Governance Concept | Description |
|---|---|
| Azure governance services | The three essential services for effective governance are Azure Policy, Defender for Cloud, and Azure Cost Management. They enable organizations to manage security, compliance, and cost in Azure environments. |
| What is Azure Policy? | With Azure Policy, organizations can define rules and regulations that apply to their Azure governance and cover all resource types, regions and tags. |
| How to configure Azure Policy | An example of how administrators can configure Azure Policy using Azure PowerShell and configuration files. |
| What is Azure Defender for Cloud? | Defender for Cloud is a security and compliance solution available in Microsoft Azure. It provides security and threat protection for Azure resources by using machine learning and analytics to detect noncompliant resources and vulnerabilities in Azure. |
| What is Azure Cost Management? | With Azure Cost Management, organizations can manage, analyze and optimize their Azure spending and pinpoint cost-saving opportunities using a range of tools and components like budgeting, cost tracking, email alerts and forecasting. |
Â
Azure governance services overview
With more than 20% market share of the global cloud computing market, the range of services and tools provided by Azure's cloud services have exceeded 200 offerings, providing organizations with an extensive selection to achieve effective governance.
In this article, we focus on three core services — Azure Policy, Defender for Cloud, and Azure Cost Management — that can help ensure security, compliance, and cost optimization controls are in place and provide a good foundation and capabilities in governing their Azure environment more efficiently.
With the above three Azure native core services and CoreStack offerings, organizations can gain comprehensive governance solutions for their Azure infrastructure, delivering continuous compliance and posture control while reducing unnecessary costs related to resource usage across the tenant. These services can help govern their Azure environment more efficiently.
Azure governance services: What is Azure Policy?
The Azure Policy cloud service allows organizations to create, enforce and manage policies for their Azure resources. Azure Policy not only comes with predefined rules and policies but also allows organizations to define their own rules and regulations and apply them to their Azure environment. An Azure Policy can be applied across multiple subscriptions and can be managed using source control.
Key features of Azure Policy
Azure Policy delivers a number of key features that enable us to create, manage and enforce compliance and security policies in our Azure environment. Some of its key features include:
- Policy definition – An organization can use built-in policies based on best practices and real use cases. Microsoft maintains these definitions, and they are available in any subscription.
- Policy enforcement – A policy provides us with the ability to enforce policies across the entire Azure environment and gives us a centralized view of the current compliance state of all resources and the entire infrastructure as a whole.
- Compliance reporting – Once our policies are defined and enforced across the environment, we can generate compliance reports regarding the state of our Azure Infrastructure.Â
Benefits of using Azure Policy
Azure Policy's primary benefits come from the capabilities the service has with enabling the creation and enforcement of policies for the entire Azure environment, including multiple subscriptions. It also helps ensure regulatory compliance and security state are consistent and optimized.Â
Additionally, Azure Policy reduces the risk of running noncompliant or misconfigured resources for too long and can help remediate them before they threaten the organization.
How to configure Azure PolicyÂ
In this section, we configure an Azure Policy that will prevent the creation of resources in non-approved Azure regions. This policy is handy when there are compliance reasons to run and maintain data and workloads in specific Azure regions.
Install Azure PowerShellÂ
We need to install the Azure Az PowerShell module to connect to Microsoft Azure. This module has all the cmdlets that help manage Microsoft Azure using PowerShell.
To install the Az module, open PowerShell as an administrator and run the following command.Â
Install-Module -Name Az -AllowClobber -Scope CurrentUser
Login to AzureÂ
To connect and authenticate to Microsoft Azure, we will use the following cmdlet to connect and deploy a policy. This article assumes that you have admin-level permissions in Azure to manage resources.
Once the Az PowerShell module is installed, run the following cmdlet to connect to Azure.
connect-AzAccount
Configuration filesÂ
We will use the following three configuration files to create our Azure Policy for restricted regions. You must save the files below to the directory from which you will run the PowerShell script.
| File Name | Purpose |
|---|---|
| DeployAzPolicy.ps1 | PowerShell script that creates the policy |
| Locations.json | Lists of allowed locations. Once the policy is enforced, resources can be created in the allowed locations (regions) only |
| RegionPolicy.json | This file contains the Azure Policy configuration. |
Deploy policy
Before deploying the policy, copy the three configuration files above to a directory on your local computer and open PowerShell.Â
Set allowed location
To set the list of allowed Microsoft Azure regions, the policy will allow users to create resources, open the Locations.json file, and add regions on which users can deploy and create resources. The configuration file lists three permitted regions.
{
"listOfAllowedLocations": {
"value": [
"southeastasia",
"westeurope",
"japanwest"
]
}
}
PowerShell script
The PowerShell script below will do the following:
- Set the Azure Subscription ID (Add your Azure Subscription ID)
- Create a policy definition named Allowed locations with a Display name and use policy definition file RegionPolicy.json to configure the policy.
- After the policy definition is set, we save it to a variable called $policy
The last line in the PowerShell script creates an Azure Policy Assignment for the Policy Definition and uses the Location.json file to set the allowed Azure regions.
$Subscription = Get-AzSubscription -SubscriptionId "azure-subscription-id" New-AzPolicyDefinition -Name 'Allowed locations' -DisplayName 'This policy enables you to restrict the locations your organization can specify when deploying resources.' -Policy ./RegionPolicy.json $Policy = Get-AzPolicyDefinition -Name 'Allowed locations' New-AzPolicyAssignment -Name 'Allowed Locations' -PolicyDefinition $Policy -Scope "/subscriptions/$($Subscription.Id)" -PolicyParameter ./Locations.json
To apply the policy, run the script and check the Azure Policy portal to confirm that it was created.
Test Policy
If a user or an automated process tries to create a resource in an unallowed region, they will receive the following error message:
Resource 'storageaccounttest000111' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Allowed Locations
Limitation and shortcomings
Azure Policy is a powerful tool that helps organizations keep their compliance requirements under control. However, it also has a number of limitations that users should be aware of.
Below are some of the limitations of Azure Policy:
- Limited reporting – Azure Policy doesn’t offer a unified reporting view of the current security and compliance state.Â
- Multi-cloud support – Azure Policy has a limited scope which means it doesn’t support multiple cloud providers and can only manage Azure.
- Limited remediation policies – Azure Policy’s remediation policy definition set is limited which can create challenges when custom policies are required.
- Resource provider dependency – Azure Policy can only support resources with providers that support compliance checks.
- Delayed policy enforcement – Azure Policy enforcement has a delay of several minutes or more. This can be challenging for applications that require immediate enforcement.Â
The above limitations can be addressed by a third-party cloud governance tool like CoreStack, one that is designed to embrace, enhance, and extend cloud-native tooling.
Azure governance services: What is Azure Defender for Cloud?Â
Azure Defender for Cloud is a security and compliance solution that provides threat protection and compliance tools that can help organizations detect and respond to threats.Â
Key features of Defender for Cloud
- Compliance monitoring – Defender for Cloud’s compliance monitoring helps organizations monitor and maintain regulatory compliance standards like GDPR, HIPAA, PCI-DSS, and CIS.Â
- Integration – Defender for Cloud is fully integrated with other Azure services and tools like Microsoft Intune and Azure Sentinel.Â
- Security Posture Management – With centralized posture management, organizations can detect and prioritize security risks before they become severe. Â
OfferingÂ
With the wide range of Azure resources that Defender for Cloud can protect, any organization can detect and respond to security threats in almost real-time and prevent security breaches and exposures.
The screenshot below shows the Azure resources Defender for Cloud can secure and the respective cost of each service. Note that the cost can become substantial for large enterprises with many virtual machines, web apps, and databases.Â
An example of the resources Azure Defender for Cloud can secure and their associated costs.Â
How to get started with Defender for CloudÂ
Now that we know about which resources organizations can protect with Defender for Cloud, it is time to enable some of these services using Terraform infrastructure as code.Â
The following Terraform configuration files will configure Defender for Cloud on a subscription level and enable the protection of the resources below:
- Virtual Machines
- KeyVault
- Azure Resource Manager (ARM)
Terraform configurationÂ
To use Terraform to deploy Defender for Cloud into an Azure Tenant, we will use the following three files:
| File Name | Details |
|---|---|
| defender_for_cloud.tf | Defender for cloud configuration |
| variables.tf | Holds variables needed for the deployment |
| provider.tf | Contain information about the Azure and Terraform provider details |
To deploy Defender for Cloud using Terraform, you will need the following:
- Azure CLI – Needed for Azure authenticationÂ
- Terraform – Latest Terraform version
Configure Terraform configuration filesÂ
Before deploying the Terraform configuration files, open the defender_for_cloud.tf file and update the Contact details section under the azurerm_security_center_contact resource similar to the one below:
data "azurerm_subscription" "current" {}
resource "azurerm_resource_group" "rg" {
name = var.rg_name
location = var.location
}
resource "azurerm_log_analytics_workspace" "sentinellog" {
name = "sentinel"
location = var.location
resource_group_name = var.rg_name
sku = "PerGB2018"
retention_in_days = 30
}
resource "azurerm_log_analytics_workspace" "la_workspace" {
name = var.log_analytics_name
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
sku = "PerGB2018"
retention_in_days = 30
}
resource "azurerm_security_center_workspace" "defender" {
scope = data.azurerm_subscription.current.id
workspace_id = azurerm_log_analytics_workspace.la_workspace.id
}
resource "azurerm_security_center_subscription_pricing" "pricing" {
tier = "Standard"
resource_type = "VirtualMachines"
}
resource "azurerm_security_center_subscription_pricing" "pricing2" {
tier = "Standard"
resource_type = "Arm"
}
resource "azurerm_security_center_subscription_pricing" "pricing3" {
tier = "Standard"
resource_type = "KeyVaults"
}
resource "azurerm_security_center_contact" "contact" {
name = "Enter your name"
email = "Enter you email address"
phone = "enter phone number"
alert_notifications = true
alerts_to_admins = true
}
resource "azurerm_security_center_auto_provisioning" "autoprovision" {
auto_provision = "On"
}
resource "azurerm_subscription_policy_assignment" "va-auto-provisioning" {
name = "mdc-autoprovisioning"
display_name = "Configure machines to receive a vulnerability assessment provider"
policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b"
subscription_id = data.azurerm_subscription.current.id
identity {
type = "SystemAssigned"
}
location = "East US"
parameters = <
Review the variables.tf configuration file and set the name of the resource group, location, and log analytics name as shown below:
variable "rg_name" {
type = string
default = "rgdevenv"
description = "The prefix used for all resources in this example"
}
variable "location" {
type = string
default = "eastus"
description = "The Azure location where all resources in this example should be created"
}
variable "log_analytics_name" {
type = string
default = "defenderloganalytics"
}
To install the provider save the Provider.tf configuration file below and modify the AzureRM version if needed.
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.35.0"
}
}
}
provider "azurerm" {
features {
key_vault {
purge_soft_delete_on_destroy = true
}
}
}
Once you have the above done, copy the files to a directory and open a terminal inside the directory.Â
Login to Azure using Azure CLI and the command below
az login --use-device-code
If you have multiple subscriptions in your tenant, set the subscription using the following command.
az account set --subscription pay-as-you-go
Initiate Terraform using the following command:
terraform init
Run Terraform plan to review the deployment before applying it.
terraform plan
And finally, deploy Defender for Cloud using the apply command below.
terraform apply
To destroy and disable Defender for Cloud, run this command:Â
terraform destroy
Limitations and shortcomings
Defender for Cloud offers organizations security and compliance solutions that can help them protect their workloads and resources with multiple security tools.Â
Defender for Cloud also has several limitations you should be aware of.
- Limited integrations – Integration with third-party tools and services is limited.
- Limited remediations – When remediating noncompliant resources, most remediation actions are specific to the policy's built-in actions and do not offer a range of automation and customization capabilities.
- Limited customizations – While Defender for Cloud offers a wide range of security tools and features, its customization capabilities for security controls are limited.
CoreStack can address these limitations with its self-healing and automation capabilities across multiple cloud providers and API extensibility that allows organizations to extend its capabilities.Â
Azure governance services: What is Azure Cost Management?
Azure Cost Management provides several key components that can help us manage and govern our environment from a cost utilization perspective. The key components that can help organizations include:
- Cost Analysis – Cost Analysis provides a dashboard view for an Azure environment. Data is available for current and historical cost spending and allows us to monitor and analyze cost usage per resource, resource group, and subscription.
- Budgets – With Budgets, we can set spending limits per subscription and receive alerts when spending exceeds a set threshold. This feature is overlooked by many organizations and should be used as it allows organizations to take immediate action before costs become too high.
How to configure a budget alert with Azure Cost Management
The process below describes how to configure a budget alert with Azure Cost Management from within the Azure Portal.
- Access the Azure Portal and click on Subscriptions.
- Then, select the subscription you would like to set a budget alert on and click Budgets.
- Click on Add to add a budget alert.
- Fill in the required information to set up a budget, including threshold, and save. We set a $500 budget alert in the example budget alert below.
- In the Alert conditions, I’m setting the Alert to send notifications based on the amount of the spending budget.
Tagging and Resource Groups
Resource Tagging and Grouping are two more features that help enable Azure governance.
Resource tagging allows organizations to label our resources with metadata, like a cost center, owner, or environment. Once resources are tagged, tracking cost and ownership becomes more effective and efficient.
Tagging can be done per resource from the portal or using tools like PowerShell, Azure CLI or Terraform.
The following Terraform code will add a tag called development to every Terraform resource the below code is added.
tags = {
environment = "development"
}
Adding a tag to any resource and categorizing its usage is recommended.
Once a resource is deployed with a tag, the tag will show up in the resource details panel as shown below.
Once tagging is added, it is also recommended to organize resources logically, for example, by grouping resources based on:
- Environment (Development, UAT, PROD)
- Business unit
- ApplicationsÂ
By logically organizing resources, management becomes easier, and controlling costs becomes more straightforward as resource usage can be better understood.
Limitations and shortcomingsÂ
Azure Cost Management generally provides a wide range of solutions to keep Azure resources optimized for cost spending and forecasting. The main shortcoming is the limited integration capabilities of external services. Azure offers limited support for non-Azure resources and lacks advanced reporting capabilities.
|
Platform
|
Provisioning Automation |
Security Management |
Cost Management |
Regulatory Compliance |
Powered by Artificial Intelligence |
Native Hybrid Cloud Support
|
|---|---|---|---|---|---|---|
|
Azure Native Tools |
âś”
|
âś”
|
âś”
|
Â
|
Â
|
Â
|
|
CoreStack
|
âś”
|
âś”
|
âś”
|
âś”
|
âś”
|
âś”
|
Conclusion
Efficient governance of Microsoft Azure is not limited to deploying resources only. Developing an Azure environment with high compliance levels requires an organization to use tools and services that maintain continuous compliance, security, and cost management across all subscriptions. CoreStack’s NextGen Cloud Governance platform can help organizations complement Azure’s native services and build advanced capabilities across compliance and security that meet the highest cloud governance standards.Â
As a Microsoft partner with a Gold Cloud Platform competency, CoreStack is uniquely equipped to help enterprises address Azure governance challenges. CoreStack’s tools also help to complement native tools in AWS, GCP, and other cloud platforms by adding advanced capabilities.
