{"id":21664,"date":"2019-11-05T19:33:17","date_gmt":"2019-11-05T19:33:17","guid":{"rendered":"https:\/\/aidanfinn.com\/?p=21664"},"modified":"2019-11-05T19:33:17","modified_gmt":"2019-11-05T19:33:17","slug":"microsoft-ignite-2019-deep-dive-on-azure-governance","status":"publish","type":"post","link":"https:\/\/aidanfinn.com\/?p=21664","title":{"rendered":"Microsoft Ignite 2019 \u2013 Deep Dive on Azure Governance"},"content":{"rendered":"<h2>Observe and Identify Gaps<\/h2>\n<ul>\n<li>Regulatory compliance requirements<\/li>\n<li>News, blogs, industry expectations<\/li>\n<li>Best practice guidelines<\/li>\n<li>Internal teams\u2019 recommendations<\/li>\n<li>Built-in policies and GitHub policies<\/li>\n<li>And so on<\/li>\n<\/ul>\n<h2>Authoring Custom Policy<\/h2>\n<p>Can I use policy for this?<\/p>\n<ul>\n<li>Resource configurations<\/li>\n<li>Azure resources and (selectively) objects within the resource<\/li>\n<li>Auto-generation of aliases &#8211; Aliases abstract API versions.<\/li>\n<li>Resource type for compliance state<\/li>\n<\/ul>\n<h2>Resource Property Alias<\/h2>\n<ul>\n<li>95% coverage for all resource properties.<\/li>\n<li>If there is a Swagger API then there should be an alias<\/li>\n<li>If not \u2013 open a support case<\/li>\n<\/ul>\n<h2>Authoring a Custom Policy<\/h2>\n<p>4 basic steps:<\/p>\n<ul>\n<li>Determine resource properties<\/li>\n<li>Find alias\n<ul>\n<li>These first two are done in the VS Code extension<\/li>\n<\/ul>\n<\/li>\n<li>And 3 other steps \ud83d\ude0a<\/li>\n<\/ul>\n<p>Browse resources in VS Code. Find the property alias. 
Copy\/paste into new policy definition.<\/p>\n<h2>Test The Policy<\/h2>\n<p>Enforcement:<\/p>\n<ul>\n<li>PUT &amp; PATCH<\/li>\n<\/ul>\n<p>Compliance Assessment<\/p>\n<ul>\n<li>Property is compliant, is non-compliant, or doesn\u2019t exist<\/li>\n<\/ul>\n<p>Enforcement mode setting (recently introduced):<\/p>\n<ul>\n<li>Quick what-if testing (coming, January I think) lets you test the result before you roll out the remediation.<\/li>\n<\/ul>\n<h2>Policy-as-code Demo<\/h2>\n<p>Shows a DevOps release pipeline.<\/p>\n<ol>\n<li>Create Initiative<\/li>\n<li>Create Initiative<\/li>\n<li>Test Assignment<\/li>\n<li>Deploy (Enforcement Mode set to enabled)<\/li>\n<\/ol>\n<p><a href=\"https:\/\/aka.ms\/policyscripts\" rel=\"nofollow\">https:\/\/aka.ms\/policyscripts<\/a><\/p>\n<h2>Assess Compliance<\/h2>\n<ul>\n<li>Azure Portal compliance experience<\/li>\n<li>Policy Insights API for summary and raw data<\/li>\n<li>Export compliance data (coming), e.g. Power BI \u2013 they are doing usability studies at Ignite this week.<\/li>\n<\/ul>\n<h2>Road Ahead For Azure Policy<\/h2>\n<ul>\n<li>Regulatory compliance<\/li>\n<li>Multi-tenancy support with Azure Lighthouse<\/li>\n<li>Authoring and language improvements<\/li>\n<li>And more<\/li>\n<\/ul>\n<h2>Policy for Objects within a Resource<\/h2>\n<p>Announcing Key Vault preview. Demo shows ability to control child objects in the Key Vault resource.<\/p>\n<p>And something for AKS engine \u2013 slide moved too quickly. Demo shows assessment of pods inside an AKS cluster. Enables control of source images. Trying to deploy an unauthorised image to a pod fails because of the policy.<\/p>\n<h2>Organizing Resources with Resource Graph<\/h2>\n<p>At scale:<\/p>\n<ul>\n<li>Management Group: hierarchy. Define hierarchical organization<\/li>\n<li>Tag: Metadata. Apply tags as metadata to logically organize resources into a taxonomy<\/li>\n<li>Resource graph: Visibility. 
Query, explore, and analyse cloud resources at scale<\/li>\n<\/ul>\n<h2>Why Resource Graph<\/h2>\n<p>Scale. A query over a large number of resources would require a complex query via ARM. That query fans out to resource providers and it just doesn\u2019t scale because of performance \u2013 available capacity and quota limits.<\/p>\n<p>Resource Graph sends the query to ARM which then makes ONE call to the ARG. ARG is like a big cache of all your resources. Any time that there is a change, that change is notified to ARG very quickly.<\/p>\n<h2>ARG \u2013 What\u2019s New<\/h2>\n<h3>Resource Group\/Subscription Support<\/h3>\n<ul>\n<li>Stored in ResourceContainers table\n<ul>\n<li>Resources\/subscriptions<\/li>\n<li>Resources\/subscriptions\/resourcegroups<\/li>\n<\/ul>\n<\/li>\n<li>Resources is the default table for all existing resources<\/li>\n<\/ul>\n<h3>Join Support<\/h3>\n<p>Supported flavours:<\/p>\n<ul>\n<li>Leftouter<\/li>\n<li>Inner<\/li>\n<li>Innerunique<\/li>\n<\/ul>\n<p>New operators:<\/p>\n<ul>\n<li>Union<\/li>\n<li>mvexpand \u2013 expand an array\/collection property<\/li>\n<\/ul>\n<h2>Support For Shared Queries<\/h2>\n<p>Save the queries into Graph Explorer.<\/p>\n<p>Save query:<\/p>\n<ul>\n<li>Private query<\/li>\n<li>Shared (Microsoft.resourcegraph\/queries ARM resource)\n<ul>\n<li>Saved to RG<\/li>\n<li>Subject to RBAC<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Road Ahead For ARG<\/h3>\n<ul>\n<li>Support for management groups<\/li>\n<li>Support for more dimensions<\/li>\n<li>Support for more resource properties, e.g. VM power state<\/li>\n<\/ul>\n<h2>Visibility To Resource Changes<\/h2>\n<p>Change History went into public preview earlier this year. Built on Resource Graph \u2013 already constantly informed about changes to resources. They take snapshots, identify the differences, and report on those changes. 
This is available in all regions and is free because it\u2019s built on already existing functionality in ARG.<\/p>\n<h3>What\u2019s New<\/h3>\n<ul>\n<li>Support for create\/delete changes<\/li>\n<li>Support for change types<\/li>\n<li>Support for property breakdown<\/li>\n<li>Support for change category<\/li>\n<\/ul>\n<h3>Road Ahead<\/h3>\n<ul>\n<li>At scale \u2013 ability to query across resource containers<\/li>\n<li>Notifications \u2013 subscribe to notifications on resources<\/li>\n<li>Correlating \u201cwho\u201d \u2013 Ability to correlate a change with the user or ID that performed the call<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Observe and Identify Gaps Regulatory compliance requirements News, blogs, industry expectations Best practice guidelines Internal teams\u2019 recommendations Built-in policies and GitHub policies And so on Authoring Custom Policy Can I use policy for this? Resource configurations Azure resources and (selectively) objects within the resource Auto-generation of aliases &#8211; Aliases abstract API versions. 
Resource type for &hellip; <a href=\"https:\/\/aidanfinn.com\/?p=21664\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Microsoft Ignite 2019 \u2013 Deep Dive on Azure Governance&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":20478,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[5],"tags":[170,271,399,273],"class_list":["post-21664","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","tag-azure","tag-azure-policy","tag-azure-resource-graph","tag-governance"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/aidanfinn.com\/wp-content\/uploads\/2017\/09\/Ignite.jpg","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/21664","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=21664"}],"version-history":[{"count":2,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/21664\/revisions"}],"predecessor-version":[{"id":21666,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/21664\/revisions\/21666"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/media\/20478"}],"wp:attachment":[{"href":"https:\/\/aidanfinn.com\/index
.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=21664"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=21664"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=21664"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}