
Compliance Report using Azure Policy


Azure Policy is a powerful tool for Azure governance. With Azure Policy we can define rules for all the Azure subscriptions that we manage. We can use these rules for simple restrictions, such as permitting only specific VM series and sizes to be created, as well as for more complex rule sets that help you standardize the whole Azure deployment. In my previous posts we learned How to limit the Azure VM Sizes and How to enforce tags for resource creation.

In this post we will learn how to use Azure Policy to produce a compliance report for our deployment, by working through an example. We will create two Virtual Networks and attach a Network Security Group (NSG) only to the first one. Then we will use a policy with the "audit" effect to report whether each subnet has the NSG assigned or not. Note that "audit" only reports: the non-compliant subnet is still deployed and still reachable, so a compliance report is a detection control, not an enforcement one.

First we need two Virtual Networks. You can create them using the Azure Portal or with an ARM template, like the one from my GitHub account: https://github.com/proximagr/ARMTemplates/blob/master/2vnets.json

After deploying the template you will have two VNETs.

Then we will add a Network Security Group (NSG) only to the MyVNET01 Virtual Network, again using the Azure Portal, PowerShell, or my ARM template for an NSG.

Assign the NSG to the subnet of the MyVNET01 Virtual Network. MyVNET02 stays without an NSG, so we expect it to show up as non-compliant later.

Add the Policy

Go to Azure Policy -> Definitions and click the “+ Policy definition” to create a new policy definition.


On the New Policy definition page, select the definition location (the subscription or management group in which the policy definition will be stored), then add a name. In this case we will use the sample policy from the Microsoft docs, so I will use the same name, "Audit NSG on Subnet".

Copy the policy JSON from https://docs.microsoft.com/en-us/azure/governance/policy/samples/nsg-on-subnet and paste it into the POLICY RULE box. The rule matches every resource of type Microsoft.Network/virtualNetworks/subnets whose networkSecurityGroup.id is not equal to the nsgId parameter, so a subnet that uses a different NSG than the one you pass in is also reported as non-compliant, not only a subnet with no NSG at all.

Before saving, in the "then" block of the JSON change the "effect" from "deny" to "audit". With "deny", Azure Resource Manager would reject any subnet creation or update that does not reference the NSG; with "audit", the deployment succeeds and the subnet is only flagged as non-compliant, which is what we want for a report. Then Save.

If you search for "NSG" in the definitions list you will see our new policy definition, ready to be assigned.

Click on the definition's name to open it and press Assign.

For the scope I will target only the "ComplianceReport" Resource Group, so the policy evaluates just the two VNETs we created.

In the parameters, I added the Resource ID of the NSG, "MyNSG01", as the value of nsgId.
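The same definition and assignment can be created from PowerShell, which is handy when you want to repeat the report in several subscriptions. The block below is an added example, not code from the original post or from the Microsoft sample page; it assumes the Az.Resources and Az.Network modules are installed, that Connect-AzAccount has been run, and that the resource group and NSG names (ComplianceReport, MyNSG01) and the definition name (audit-nsg-on-subnet) match your deployment. The policy rule is written in the shape of the Microsoft sample with the effect already set to audit.

```powershell
# Added example: create the "Audit NSG on Subnet" definition and assign it to one
# resource group. Assumed names: ComplianceReport, MyNSG01, audit-nsg-on-subnet.
$rgName  = 'ComplianceReport'
$nsgName = 'MyNSG01'

# Policy rule: flag every subnet whose networkSecurityGroup.id is not the NSG passed
# in the nsgId parameter. "audit" only reports; "deny" would block the deployment.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Network/virtualNetworks/subnets" },
      {
        "not": {
          "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
          "equals": "[parameters('nsgId')]"
        }
      }
    ]
  },
  "then": { "effect": "audit" }
}
'@

# Parameter definition: the NSG resource ID supplied at assignment time.
$policyParams = @'
{
  "nsgId": {
    "type": "String",
    "metadata": {
      "displayName": "NSG resource ID",
      "description": "Resource ID of the NSG that every subnet must reference"
    }
  }
}
'@

# The definition is stored in the current subscription (the "definition location"
# chosen in the portal). Mode All makes sure child resources such as subnets are
# evaluated, not only top-level resources that support tags and location.
$definition = New-AzPolicyDefinition -Name 'audit-nsg-on-subnet' `
    -DisplayName 'Audit NSG on Subnet' `
    -Policy $policyRule `
    -Parameter $policyParams `
    -Mode All

# Assign it only to the ComplianceReport resource group and pass the NSG resource ID.
$rg  = Get-AzResourceGroup -Name $rgName
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName

New-AzPolicyAssignment -Name 'audit-nsg-on-subnet' `
    -DisplayName 'Audit NSG on Subnet' `
    -Scope $rg.ResourceId `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ nsgId = $nsg.Id }
```

Assigning at resource group scope keeps the blast radius of the report small while you test the rule; once it reports what you expect, re-run the assignment step against a subscription or management group scope. Creating definitions and assignments requires Resource Policy Contributor (or Owner) rights on the scope.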

Evaluate the results

To check the compliance, go to the Policy - Compliance page and search for "nsg". A new assignment is not evaluated immediately; you have to wait for about 15 minutes for the compliance evaluation to run against the resources (or trigger it on demand, as described at the end of this post).

In the results you will see that the "Audit NSG on Subnet" policy is 50% compliant: one of the two subnets references MyNSG01 and the other does not. Click on the policy's name to view more details.

The assignment details page opens, where we can see which resources are not compliant.

Click on the three dots (...) next to the non-compliant subnet and select "View compliance details" to check why this resource is not compliant.

The compliance details report that the current value of Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id is null, that is, no NSG is attached to the subnet, and what the required (target) value must be: the resource ID of MyNSG01 that we passed as the nsgId parameter.

If you want to trigger an on-demand compliance evaluation instead of waiting for the scheduled one, you need to make a POST request to the Policy Insights API. You can follow my post Validate Azure Resource Move with Postman to obtain an access token, then use it as a Bearer token to make a POST request against the Resource Group using this URL:

https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{YourRG}/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2018-07-01-preview

The request returns 202 Accepted; the evaluation runs asynchronously and the Location header of the response can be polled for completion.
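The trigger and the compliance query can also be scripted, which avoids handling the access token by hand. The block below is an added example, not part of the original post; it assumes the Az.Accounts, Az.Resources and Az.PolicyInsights modules, an existing Connect-AzAccount session, the resource group name ComplianceReport, and that the assignment was created with the definition name audit-nsg-on-subnet (if you created it in the portal, the definition name is a GUID, so adjust the filter).

```powershell
# Added example: trigger an on-demand evaluation of one resource group and list the
# subnets that are non-compliant with the NSG policy. Assumed names: ComplianceReport,
# audit-nsg-on-subnet.
$rgName = 'ComplianceReport'
$subId  = (Get-AzContext).Subscription.Id

# The same POST the post sends from Postman. Invoke-AzRestMethod attaches the bearer
# token of the current login, so no manual token handling is needed.
$path = "/subscriptions/$subId/resourceGroups/$rgName" +
        "/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation" +
        "?api-version=2018-07-01-preview"
$resp = Invoke-AzRestMethod -Path $path -Method POST
"triggerEvaluation returned HTTP $($resp.StatusCode)"   # expect 202 Accepted

# Equivalent cmdlet; it blocks until the scan has finished, so the query below
# sees fresh results instead of the last scheduled evaluation.
Start-AzPolicyComplianceScan -ResourceGroupName $rgName

# Latest policy states for the resource group, restricted to non-compliant
# records produced by our definition.
$states = Get-AzPolicyState -ResourceGroupName $rgName `
    -Filter "ComplianceState eq 'NonCompliant' and PolicyDefinitionName eq 'audit-nsg-on-subnet'"

# For each non-compliant subnet, read the property the policy evaluated. The "null"
# the portal shows in the compliance details is this value.
foreach ($s in $states) {
    $subnet = Get-AzResource -ResourceId $s.ResourceId
    [pscustomobject]@{
        Subnet       = $s.ResourceId
        CurrentNsgId = $subnet.Properties.networkSecurityGroup.id
        Evaluated    = $s.Timestamp
    }
}
```

Run this on a schedule and the output is the compliance report the post is after; an empty result set means every subnet in the scope references the NSG. Since the effect is audit, a non-empty result is a finding that still needs someone to attach the NSG (or switch the assignment to deny once you are confident in the rule).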

Source:

https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects
https://docs.microsoft.com/en-us/azure/governance/policy/samples/nsg-on-subnet
https://docs.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data#evaluation-triggers
