In this blog we explain the difference between Azure RBAC, Azure Policy and Azure Blueprints, three services that fall under Azure Governance.
Before going into each service in depth, let's get an overview of Azure governance. What comes to mind when you see the word "governance"? A rule, a policy? Whatever it is, a company needs governance to run effectively and efficiently, and the same holds for a cloud estate. In general terms, governance is the way a group of people, such as a country, decides how things are to be done and how those decisions affect the people concerned. In Azure, governance can be described simply as the mechanisms and processes used to maintain control over your applications and resources: who can do what (Azure RBAC), what shape resources are allowed to take (Azure Policy), and how whole environments are stamped out consistently (Azure Blueprints). These are the three topics discussed below.
Azure RBAC (Role-Based Access Control)

Azure RBAC (Role-Based Access Control) is the system that controls who has access to which Azure resources and what they can do with those resources. A role is a collection of permissions: a list of allowed operations (Actions) and, optionally, operations subtracted from that list (NotActions). Azure RBAC has many built-in roles, for example Owner, Contributor, Reader and User Access Administrator, and you can create custom roles. A role assignment ties together a security principal (user, group, service principal or managed identity), a role definition and a scope.
Scope of Azure RBAC

Scope is the set of resources that an access grant applies to. When you assign a role, understand the scope so that you grant a security principal only the access it really needs. Scopes are structured in a parent-child hierarchy with four levels: management group, subscription, resource group and individual resource. Each level makes the scope more specific, and you can assign roles at any of them; the level you pick determines how widely the role applies, because an assignment at a parent scope is inherited by every child scope below it. A Reader assignment on a resource group is therefore visible on every resource in that group, while an Owner assignment on a management group reaches every subscription beneath it. Azure RBAC is additive: if a principal holds several assignments, the effective permissions are the union of them, and nothing is taken away except through the NotActions of a role or an explicit deny assignment.
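The inheritance rule above, modelled offline as an added example (this is not Microsoft code and calls no Azure API). The management group, subscription, resource group, resource, principals and assignments are constructed for illustration; the Reader and Contributor definitions mirror the built-in roles, using the real Actions/NotActions shape, where NotActions only subtract from what Actions granted and are not deny rules.

```python
"""Scope inheritance in Azure RBAC, modelled offline.

Added example; not Microsoft code and no Azure API is called. Scopes, principals
and assignments are constructed. Role definitions use the real Azure shape:
'Actions' grant operations, 'NotActions' subtract from what 'Actions' granted.
"""
from fnmatch import fnmatch

# Constructed scope hierarchy: management group -> subscription -> resource group -> resource.
MG = "/providers/Microsoft.Management/managementGroups/corp"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_FIN = SUB + "/resourceGroups/finance-rg"
RG_DEV = SUB + "/resourceGroups/dev-rg"
VM_FIN = RG_FIN + "/providers/Microsoft.Compute/virtualMachines/fin-vm-01"
PARENT = {SUB: MG, RG_FIN: SUB, RG_DEV: SUB, VM_FIN: RG_FIN}

# Two role definitions mirroring the built-in Reader and Contributor roles.
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        # Contributor manages resources but cannot hand out access to them.
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
}

# Constructed role assignments: (principal, role, scope).
ASSIGNMENTS = [
    ("sec-auditor", "Reader", MG),         # inherited by every subscription under the MG
    ("platform-ops", "Contributor", SUB),  # inherited by every RG and resource in the sub
    ("fin-analyst", "Reader", RG_FIN),     # least privilege: one resource group only
]


def scope_chain(scope):
    """Yield the scope itself, then each ancestor up to the root management group."""
    while scope is not None:
        yield scope
        scope = PARENT.get(scope)


def role_permits(role_name, action):
    """Operation names are case-insensitive and role patterns are wildcards."""
    role = ROLES[role_name]
    act = action.lower()
    granted = any(fnmatch(act, p.lower()) for p in role["Actions"])
    excluded = any(fnmatch(act, p.lower()) for p in role["NotActions"])
    return granted and not excluded


def is_authorized(principal, action, target, assignments=ASSIGNMENTS):
    """Azure RBAC is additive: allow if any assignment held by the principal at the
    target scope or one of its ancestors grants the action; otherwise deny."""
    ancestors = set(scope_chain(target))
    return any(
        p == principal and scope in ancestors and role_permits(role, action)
        for p, role, scope in assignments
    )


if __name__ == "__main__":
    checks = [
        ("fin-analyst", "Microsoft.Compute/virtualMachines/read", VM_FIN),
        ("fin-analyst", "Microsoft.Compute/virtualMachines/start/action", VM_FIN),
        ("fin-analyst", "Microsoft.Resources/subscriptions/resourceGroups/read", RG_DEV),
        ("sec-auditor", "Microsoft.Compute/virtualMachines/read", VM_FIN),
        ("platform-ops", "Microsoft.Compute/virtualMachines/start/action", VM_FIN),
        ("platform-ops", "Microsoft.Authorization/roleAssignments/write", RG_DEV),
    ]
    for principal, action, scope in checks:
        print(f"{principal:13} {action:55} {is_authorized(principal, action, scope)}")
```

The last check is the one worth remembering: platform-ops is Contributor on the whole subscription yet cannot write a role assignment anywhere in it, because the Contributor NotActions carve Microsoft.Authorization writes out. Conversely, the auditor's single Reader assignment at the management group reaches a VM three levels down without any assignment on the VM itself.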
Azure Active Directory Roles

Azure Active Directory (now Microsoft Entra ID) has its own set of roles, which apply mostly to users, passwords and domains rather than to Azure resources. Three examples:

Global Administrator: Can manage access to administrative features in Azure AD. A person in this role can grant administrator roles to other users and reset the password of any user or administrator.

User Administrator: Can manage all aspects of users and groups, including support tickets, monitoring service health and resetting passwords for certain types of users.

Billing Administrator: Can make purchases, manage subscriptions and support tickets, and monitor service health. Azure has detailed billing permissions in addition to Azure RBAC permissions.

Azure AD roles and Azure RBAC roles are separate systems. A Global Administrator does not automatically get access to subscriptions and resources; that requires an explicit Azure RBAC assignment, or the Global Administrator deliberately elevating their access to the root scope, which is an action worth alerting on.

Azure Policy

Azure Policy is a free Azure service that lets you create policies, assign them to scopes, and report on or act against non-compliance with those policies. It lets you define both individual policies and groups of related policies, known as initiatives. The basic elements are policy definitions, initiatives, and policy or initiative assignments.

Policy definition: Describes the condition under which a resource is compliant and what effect to take when it is not (for example Audit, Deny or DeployIfNotExists). Example: Restrict the list of locations where users can deploy resources.

Initiative: A collection of policy definitions grouped together towards a specific goal. Example: All policies that relate to billing can be grouped in one initiative.

Policy or initiative assignment: Describes where the policy is applied; the scope can be a management group, a subscription or a resource group, and the assignment is inherited by everything below that scope. Example: The policy limiting deployment locations is applied only to the finance team's resource group, not to the Dev team's resource group.
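The three elements above, worked through as an added example (this is not Azure's policy engine). The "Allowed locations" rule copies the shape of the built-in definition (a field condition, a notIn operator and a parameters expression); the cost-centre tag rule, the "Finance baseline" initiative, the scopes and the sample resources are constructed, and the initiative inlines its definitions instead of referencing them by policyDefinitionId. Only the subset of the policyRule language these rules need is implemented. The assignment is scoped to the finance resource group, exactly as in the text's example, so the same non-compliant VM in the Dev resource group is left alone.

```python
"""Offline evaluation of Azure Policy definitions, initiatives and assignments.
Added example, not Azure's policy engine. 'Allowed locations' copies the shape of
the built-in definition; the tag rule, initiative, scopes and resources are
constructed. Only the policyRule subset these rules need is implemented."""
import json

ALLOWED_LOCATIONS = json.loads("""{
  "properties": {
    "displayName": "Allowed locations", "mode": "Indexed",
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {
      "if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"}]},
      "then": {"effect": "deny"}}}}""")

# Constructed definition: deny any resource that carries no costCenter tag.
REQUIRE_COST_CENTRE = {"properties": {
    "displayName": "Require costCenter tag", "mode": "Indexed",
    "policyRule": {"if": {"field": "tags['costCenter']", "exists": "false"},
                   "then": {"effect": "deny"}}}}

# Initiative; definitions are inlined instead of referenced by policyDefinitionId.
FINANCE_BASELINE = {"properties": {"displayName": "Finance baseline", "policyDefinitions": [
    {"policyDefinition": ALLOWED_LOCATIONS,
     "parameters": {"listOfAllowedLocations": {"value": ["westeurope", "northeurope"]}}},
    {"policyDefinition": REQUIRE_COST_CENTRE, "parameters": {}},
]}}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_FIN = SUB + "/resourceGroups/finance-rg"
RG_DEV = SUB + "/resourceGroups/dev-rg"
# Assigned to the finance resource group only, as in the text's example.
ASSIGNMENTS = [{"initiative": FINANCE_BASELINE, "scope": RG_FIN}]


def resolve(value, params):
    """Resolve a "[parameters('name')]" expression; anything else is a literal."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-3]]
    return value


def field_value(resource, field):
    """Read a policy field; tags use the tags['name'] alias form."""
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    return resource.get(field)


def condition_holds(cond, resource, params):
    """Evaluate an 'if' block; comparisons are case-insensitive, as in Azure."""
    if "allOf" in cond:
        return all(condition_holds(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource, params)
    actual = field_value(resource, cond["field"])
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    norm = str(actual).lower()
    if "equals" in cond:
        return norm == str(resolve(cond["equals"], params)).lower()
    if "notEquals" in cond:
        return norm != str(resolve(cond["notEquals"], params)).lower()
    if "in" in cond:
        return norm in [str(v).lower() for v in resolve(cond["in"], params)]
    if "notIn" in cond:
        return norm not in [str(v).lower() for v in resolve(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, assignments=ASSIGNMENTS):
    """(displayName, effect) for every policy whose 'if' matches; [] means compliant.
    No principal is involved: policy judges resource properties, not the caller."""
    findings = []
    for a in assignments:
        if not resource["id"].startswith(a["scope"] + "/"):
            continue  # an assignment covers its scope and every child scope below it
        for entry in a["initiative"]["properties"]["policyDefinitions"]:
            props = entry["policyDefinition"]["properties"]
            params = {k: v["value"] for k, v in entry["parameters"].items()}
            if condition_holds(props["policyRule"]["if"], resource, params):
                findings.append((props["displayName"], props["policyRule"]["then"]["effect"]))
    return findings


def resource(rg, rtype, name, location, tags=None):
    """Constructed sample resource in the minimal shape the evaluator reads."""
    return {"id": f"{rg}/providers/{rtype}/{name}", "type": rtype,
            "location": location, "tags": tags or {}}


FIN_VM = resource(RG_FIN, "Microsoft.Compute/virtualMachines", "fin-vm-01", "eastus")
FIN_STORE = resource(RG_FIN, "Microsoft.Storage/storageAccounts", "finstore01", "westeurope",
                     {"costCenter": "FIN-100"})
DEV_VM = resource(RG_DEV, "Microsoft.Compute/virtualMachines", "dev-vm-01", "eastus")

if __name__ == "__main__":
    for r in (FIN_VM, FIN_STORE, DEV_VM):
        print(r["id"].rsplit("/", 1)[-1], evaluate(r) or "compliant")
```

Two things the run makes visible. The finance VM in eastus gets two deny findings from a single initiative assignment, while the identical VM in dev-rg gets none, purely because of the assignment's scope. And evaluate() never asks who is deploying: a principal with Owner on finance-rg is blocked by the same Deny as everyone else, which is the division of labour between Policy and RBAC. In a real tenant the initiative would reference the definitions by ID, parameter values are supplied at assignment time, and the compliance state is read back with the policy insights API or the portal rather than computed locally.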
An Azure Policy can be assigned at various levels: management group, subscription or resource group. Azure Policy and RBAC work hand-in-hand to provide governance around your environment, and both follow the way scope works in Azure Resource Manager. The difference is what each one constrains. RBAC answers who can perform which operations on which resources; it is evaluated against the caller's identity. Azure Policy answers what properties a resource may have (location, SKU, tags, network settings) regardless of who creates it; a Contributor with full rights on a resource group is still blocked by a Deny policy when deploying to a disallowed region. Neither replaces the other, and a least-privilege design needs both.

Azure Blueprints

Cloud blueprints are much like the blueprints used in the construction industry. They contain the key information and bill of materials needed to build and deploy applications in the cloud, including server, software, storage, network, image and firewall details and, most importantly, how they all relate to each other, so that environments can be produced efficiently, with consistent quality and at lower cost.

In Azure Blueprints, a blueprint is a package or container for composing focus-specific sets of standards, patterns and requirements related to the implementation of Azure cloud services, security and design, which can be reused to maintain consistency and compliance. Azure Blueprints also lets you release new environments quickly, adopting integrated components and accelerating development and delivery. A blueprint consists of artifacts: role assignments, policy assignments, Azure Resource Manager templates and resource groups. After creation a blueprint is in the draft state; you must publish it with a version before it can be assigned, and an assignment can lock the deployed resources so that they cannot be modified or deleted even by subscription owners. Azure Blueprints suits companies that use the infrastructure-as-code model, since versioned blueprints fit naturally into continuous integration and continuous deployment pipelines. Note that Microsoft has announced the deprecation of Azure Blueprints in favour of template specs and deployment stacks, so new work should prefer those.
For example: in an enterprise there are always teams responsible for defining what is deployed in your environment and how (on-prem, in the cloud, or both). Your networking team defines the network design, the IP addressing, the routing. Your security team defines which services are allowed and who has access. Your legal department may have compliance requirements such as where you may deploy your resources. You get the picture. Without a tool to tie all these requirements together you end up with a deployment process that takes a long time, because every team wants and needs to sign off on each deployment, and that is hard to replicate because it is usually held together by custom scripting. Azure Blueprints lets you package all these components together and "stamp" the blueprint onto any environment: dev, test, prod or other.
What is an initiative in Azure Policy?
An initiative definition is a collection of policy definitions grouped towards a single overarching goal. Initiative definitions simplify managing and assigning policy definitions by grouping them into one assignable object.
What term describes a group of policies across different resource groups, management groups and subscriptions?
The term scope refers to all the resources, resource groups, subscriptions or management groups that a definition is assigned to. Assignments are inherited by all child resources.
What is the difference between an Azure policy and an initiative?
A policy definition is a single rule with an effect. An initiative is a collection of policy definitions grouped towards a specific goal, for example all policies that relate to billing. Either one is put into force through an assignment, which describes where it applies: a management group, a subscription or a resource group.
What can you use to deploy Azure resources across multiple subscriptions?
To simplify resource management you can use an Azure Resource Manager template (ARM template) to deploy resources at the level of your Azure subscription, for example policies and Azure role-based access control (Azure RBAC) assignments, which then apply across that subscription. To repeat the same setup across many subscriptions, assign a blueprint or a management-group-scoped policy rather than deploying to each subscription by hand.