By default, network policies are disabled for a subnet in a virtual network and you need to enable it manually, from the Azure Portal after the VNET creation, or you need to specify it in your script if you are deploying with PowerShell, Cli, Bicep or any other IaC.

To ensure that Network security policies are enabled, and force enable it, we can use an Azure Policy. The below Azure Policy checks if the Network security policies are enabled, and if not it automatically enables it. The result of this policy is:

• for new Virtual Networks, it automatically enables Network security policies to all subnets, even if you forgot to select it upon the creation
• for existing virtual Network subnets, it uses a remediation plan to evaluate and enable the Network security policies.

The Policy:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "Microsoft.Network/virtualNetworks/subnets[*].privateEndpointNetworkPolicies",
      "notEquals": "Enabled"
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
        ],
        "operations": [
          {
            "operation": "addOrReplace",
            "field": "Microsoft.Network/virtualNetworks/subnets[*].privateEndpointNetworkPolicies",
            "value": "Enabled"
          }
        ]
      }
    }
  },
  "parameters": {}
}

To add the Policy to your Azure environment:

• Go to the Azure Policy Definitions blade (shortcut: Policy – Microsoft Azure )
• Add Policy Definition

• Provide a location (subscription) to save the policy object, and give a name and a category. Use the existing Network category.

• Paste the policy Json

• Select a Role Assignment. You need a role that will have editor access to the subnet. For my demo, I used the Network Contributor build-in role (4d97b98b-1d4f-4787-a291-c67834d212e7) for the action.
• Once the Policy is created, open it and you need to assign it to a scope (MG, Subscription, Resource Group)

• Assign the policy to the scope you want, like Management Group, Subscription, or Resource Group and one thing that needs attention is to create a remediation task and a Managed Identity.
• The remediation task is needed to remediate the existing resources and the Managed Identity for the modification action.

The Policy is in Audit only mode, in case you just need to audit if there are any subnets that don’t have privateEndpointNetworkPolicies enabled.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/virtualNetworks/subnets"
        },
        {
          "field": "Microsoft.Network/virtualNetworks/subnets[*].privateEndpointNetworkPolicies",
          "notEquals": "Enabled"
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  },
  "parameters": {}
}

You can get the Policy Json files at my Github repo: https://github.com/proximagr/automation#policy-audit—enable-network-policy-for-private-endpoints-blog-post

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Azure Policy to enable network policies for private endpoints appeared first on Apostolidis Cloud Corner.

Azure Governance

After the previous post about how to use Azure Policy to limit the Azure VM sizes, I continue the series of posts about Azure Governance with a video guide on how to enforce tags for resource creation. The idea is to explain through examples and how-to-guides, the tools that Microsoft Azure provides to help the administrators to enforce rules to all subscriptions. Some examples of those rules are, to help the organizations to stay compliant with their corporate standards, to standardize the resources creation and management, to manage the permissions and access controls, etc.

Azure Policy

Azure Policy is a powerful tool for Azure Governance. We can define rules for all Azure Subscriptions the we manage. We can use this rules for simple limitation actions, like permitting only specific VM Series and Sizes that can be created and also more complex rule sets that helps you standardize the whole Azure deployment.

Enforce tags for resource creation

So, why tags? Why we need to add tags to all Azure resources? The Microsoft Azure environments are getting bigger and bigger and managed by multiple people and teams. That makes it difficult to understand who created a resource and what is the purpose of that resource. Another critical matter that we need tags is Cost Management. At the Azure Cost Management Portal, we can sort and arrange the resource cost using the Tags. This way we can provide an expense dashboard with the actual cost of the resources per department, project or whatever tags we have added to the Resource.

Guide: Video

View my video guide on how to use Azure Policy to enforce tags for resource creation

You can find more at Microsoft Docs: https://docs.microsoft.com/en-us/azure/governance/policy/

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Azure Policy | Enforce tags for resource creation appeared first on Apostolidis Cloud Corner.

Azure Governance

This post, Azure Policy, is the first of a series of posts about Azure Governance. The idea is to explain through examples and how-to-guides, the tools that Microsoft Azure provides to help the administrators to enforce rules to all subscriptions. Some examples of those rules are, to help the organizations to stay compliant with their corporate standards, to standardize the resources creation and management, to manage the permissions and access controls, etc.

Azure Policy

Azure Policy is a powerful tool for Azure Governance. With Azure Policy we can define rules for all Azure Subscriptions the we manage. We can use this rules for simple limitation actions, like permitting only specific VM Series and Sizes that can be created and also more complex rule sets that helps you standardize the whole Azure deployment.

Limit the Azure VM Sizes

In this fist post we will go through a simple policy, the “Allowed virtual machine SKUs”. With this policy  you can control what Azure VM series and sizes are permitted for deployment. You can apply this policy  to a whole Management group, to a Subscription or to a single Resource Group.

Step by Step Guide

Open the Azure portal, https://portal.azure.com, and login with your account. At the top search box write “policy”. From the search results select the “policy”.

At the Policy screen, select the “Definitions”. To create and apply a policy we need to start from a Policy Definition.

At the Policy Definition screen, we can filter the definitions by scope, definition type, type and category. The “Allowed virtual machine SKUs” definition is under the “Compute” category. At the Category drop down menu, deselect everything and select only the “Compute”. Press the “Allowed virtual machine SKUs” definition.

The “Allowed virtual machine SKUs” definition will open. Here we can see the code beneath the definition. It is written in json format. If we want to make changes at the definition we must first press “Duplicate definition”. This will create a copy of the definition. Then we can open the definition duplicatie and press “Edit definition. We will cover this at a future post.

To select the VM sizes, the scope and apply the definition, press “Assign”

Set the scope

At the Assign policy screen, first we need to select the scope. The scope is where the policy definition will apply. To set the scope press the little blue box with the three dots.

For scope, we can select a whole Management group, a whole subscription or a single Resource Group.

Select the Azure VM SKUs

After the scope, we need to select the allowed Azure VM SKUs. Open the drop down menu and select the SKUs that you will allow.

At this test policy, I selected all Standard F1-4 series, the Standard F2s – 4s and the Standard F2s_v2 – 4s_v2.

We can change the “Assignment Name” to easily find the specific assignment at the Assigned Policies list. I changed the name to “Allowed only F1-4 virtual machine SKUs”

The next step is the “Managed Identity”. Managed identity creates an Azure AD Identity, like a service account, that is used for resource creation. We need this only for some specific policies that must create a resource if it is doesn’t exists.

We don’t need a Managed Identity to limit the Azure VM SKU sizes. So now we can press “Assign”.

A notification will inform you that the Policy will take effect after about 30 minutes. The policy needs this time to apply the rules to the selected scope.

Back to the policy Assignments screen, hit refresh and you will see the new Policy Assignment’s name and the Scope.

Test the policy

To test the policy, I waited 30 minutes and tried to create a Standard DS1 v2 VM at the devrg Resource Group. Although I am the Subscription Owner, the Service admin, the one that created the policy assignment, the Azure Resource Manager doesn’t allow me to create this VM.

And the error details: “disallowed by policy”

You can find more about Azure Policy at Microsoft Docs: https://docs.microsoft.com/en-us/azure/governance/policy/

You can also check my webinar: [embedyt] https://www.youtube.com/watch?v=QHk3XhnomaE[/embedyt]

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Azure Policy | Limit the Azure VM Sizes appeared first on Apostolidis Cloud Corner.