Azure Policy use case
Azure Policy use case

Azure Policy use case

  1. Enforce Naming Conventions:Policy: All virtual machines should start with "VM-".Example: If someone tries to create a VM named "DatabaseServer", the policy will block it. However, "VM-DatabaseServer" will be allowed.
  2. Limit Resource Locations:Policy: Only allow resources to be created in the "East US" region.Example: If a user tries to deploy a storage account in "West Europe", it will be denied.
  3. Ensure Tagging:Policy: Every resource must have a "CostCenter" tag.Example: A virtual network created without the "CostCenter" tag will be flagged as non-compliant.
  4. Restrict VM Sizes:Policy: Only allow the creation of "Standard_D2_v3" VMs.Example: If someone tries to deploy a "Standard_E2_v3" VM, the action will be blocked.
  5. Ensure Specific Extensions are Installed:Policy: All VMs must have the "MicrosoftMonitoringAgent" extension installed.Example: A VM without the monitoring agent will be marked non-compliant and can be audited.
  6. Enforce Network Configurations:Policy: All virtual networks must have an associated Network Security Group (NSG).Example: A virtual network created without an NSG will be flagged.
  7. Regulate Storage Account Types:Policy: Only allow the creation of "Standard_GRS" storage accounts.Example: If someone attempts to create a "Standard_LRS" storage account, it will be denied.
  8. Ensure Compliance with Industry Standards:Policy: Audit storage accounts to ensure they have Secure transfer required enabled (a common regulatory requirement).Example: A storage account with secure transfer disabled will be marked as non-compliant.
  9. Avoid Drift in Configuration:Policy: Ensure that all web apps have "HTTPS Only" enabled.Example: If an Azure web app is modified to disable HTTPS, the policy will flag it.
  10. Custom Policy Definitions:Policy: Custom policy to ensure all resources have a "CreatedBy" tag.Example: Any resource deployed without this custom tag will be flagged.
  11. Integrate with Azure DevOpsExample: During a CI/CD pipeline run, a VM is being deployed. Azure Policy checks the VM against policies and flags an error in the pipeline if the VM is named "TestServer" (violating the naming convention policy).
  12. Audit and Reporting:Example: Monthly compliance reports are generated. The report for October shows 5 resources non-compliant with the "CostCenter" tagging policy, prompting a review and rectification.
  13. Restrict Public IP Addresses:

  • Policy: Prohibit the creation of public IP addresses.
  • Example: If someone tries to create a VM or other resource with a public IP, it's automatically denied.

  1. Limit Resource Types:

  • Policy: Only allow VMs, Storage Accounts, and Virtual Networks in the subscription.
  • Example: If a user attempts to deploy a Cosmos DB instance, it gets blocked.

  1. Ensure Resource Lock:

  • Policy: Every resource should have a 'Read-Only' resource lock after creation.
  • Example: After deploying a storage account, a 'Read-Only' lock is automatically applied, preventing accidental deletion.

  1. Enforce Use of Managed Disks:

  • Policy: Only allow VMs with managed disks.
  • Example: A deployment that tries to create a VM with unmanaged disks will be denied.

  1. Restrict Storage Account Access:

  • Policy: Storage accounts must deny public blob access.
  • Example: If someone configures a storage account to allow public access to its blobs, the action will be blocked.

  1. SQL Server Configuration:

  • Policy: SQL servers should have 'Transparent Data Encryption' enabled.
  • Example: A SQL server deployed without this encryption setting will be marked as non-compliant.

  1. Enforce Minimum TLS Version:

  • Policy: App services should use a minimum TLS version of 1.2.
  • Example: If an App Service is configured with TLS version 1.1, it will be flagged.

  1. Kubernetes Cluster Configuration:

  • Policy: Azure Kubernetes Service (AKS) clusters must have Azure Active Directory integration.
  • Example: An AKS deployment without Azure AD integration will be denied.

  1. Backup Requirements:

  • Policy: Every VM should be associated with a backup policy.
  • Example: A VM deployed without a backup policy association will be flagged as non-compliant.

  1. Enforce Specific Azure SKU:

  • Policy: Only allow specific SKUs for resources. For instance, only allow "P2" SKU for Azure Key Vaults.
  • Example: If someone tries to deploy a Key Vault with a "P1" SKU, it will be blocked.

  1. Ensure Diagnostic Settings:

  • Policy: All resources should have diagnostics enabled and should send their diagnostic logs to a central Log Analytics workspace.
  • Example: A virtual machine without diagnostics directed to the designated Log Analytics workspace will be flagged.


