Azure Policy: Compliance

The world of DevOps is continuously changing with constant idea of only one thing “Business Value”. An organisation has the expectation to continual delivery of new value, new capability for business and DevOps enables this.

And the most important is : In this new world of DevOps (Continuous Delivery/Continuous Deployment), we still need to ensure compliance and security are enforced.

Compliance Manager

Compliance Manager: It has a number of templates built in related to a number of different requirements that we might want to adhere to, like for example : Infrastructure and virtualisation security.

Enforcing the Policy

Azure Policy:

  • Enforcement and Compliance
  • Policy at scale
  • Remediation

We have a particular setting a policy. Now commonly, there’s more than one setting that’s going to meet our requirements. We don’t want to every time have to remember to assign different policies to this subscription or this resource group. Instead, we collect them into initiatives. So when we group them into an initiative, we not only can assign them based on the initiative, we can see the compliance based on the initiative. So we’ll see that rolled-up compliance state. We then have all the different scopes we can assign to any management group, multiple management groups, subscriptions, even resource groups.

Azure Policy Structure:

Azure Policy is a realtime and violation-based engine. As we deploy things, it’s going to get checked as part of the Azure Resource Manager fabric. No matter what we do, if we are deploying via a devops-release pipeline, it’s still going to go through the policy, it’s still going to get checked for compliance.

Azure Policy As Code:

In a more decentralised environment, the IT team might maintain policies as code, but then they just give us a subscription and then let run with it. The dev team would be responsible to pull the policy from the repository and then include it as part of the release pipeline, so it gets deployed at the start of each stage.

DevOps Pipeline Controls

Including this Check Azure Policy compliance. Now if by passing it a subscription, optionally a resource group, optionally a resource name, and adding a deployment gate, we also now have evaluation options because these checks may not pass the first time. So rather than just giving up, there’s a time it’s going to wait between reevaluation of the gates. If we have multiple gates, they all have to pass at the same time before it’s allowed to continue.



An Azurer, Web developer, Technologist, Writer, Poet, Runner. Opinions are my own.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Milind Chavan

An Azurer, Web developer, Technologist, Writer, Poet, Runner. Opinions are my own.