Category: Azure Policy

Azure Policy Little Secrets

Azure Policy checks Azure resources and operations by matching their properties against defined business rules. It helps to enforce organizational standards and to assess compliance at-scale. Azure Policy is commonly used to enforce governance across Azure, ensuring consistency, regulatory compliance, security controls, cost management, and operational standards. Unfortunately, Azure Policy has its secrets; it has some limitations that are either not documented or the documentation is not so easy to find. With this blog post, I am not trying to bash on Azure Policy as I love the service and I think its architecture is very good, but due to the way some Azure APIs are written it can limit what Azure Policy can do.

Continue reading “Azure Policy Little Secrets”

Do not use tags for filtering security related Azure Policies

I spend a lot of time on Microsoft Q&A trying to help people by not just providing with answers but also educating them and pushing them to learn more. Recently I was asked to help with Azure Policy rule and I did.

Continue reading “Do not use tags for filtering security related Azure Policies”

Enable Defender for Cloud Auto provisioning agents via Bicep

Often I see questions around how I can the auto provisioning agents capabilities (now renamed to Settings & monitoring) in Defender for Cloud via API.

Defender for Cloud Settings and Monitoring
Continue reading “Enable Defender for Cloud Auto provisioning agents via Bicep”

Tips on creating Azure policies for Azure SQL Databases

Azure SQL Databases is quite a big service and it is also one of the oldest. Because of these two there are a few architectural designs that you should be aware. Some of these are:

  • with every SQL logical server there is a master database resource that is created. This resource is not directly managed but for example when you configure diagnostic settings on server level you need to configure those against the master database resource rather the SQL logical server
  • The SKUs of Azure SQL Databases are mostly divided into DTU and vCore based. Among the vCore based we also have Hyperscale and Serverless variants. You can also have elastic pools for some SKUs and than the databases under those elastic pools inherit their SKUs. Not all Azure SQL SKUs support all of the features of the service. Some of the features that may not be available or have some limitations across different SKUs are:
    • Zone redundancy
    • Hybrid benefit
    • Read replicas
    • Failover Group support – for example not supported on Hyperscale SKUs and supported on Serverless SKUs only auto pause delay is disabled
    • Geo replication
    • Short term backup
    • Long term backup

Among these we also have Datawarehouses (now known as Azure Synapse Analytics) which underneath are the same resource as Azure SQL databases but have completely different options.

Continue reading “Tips on creating Azure policies for Azure SQL Databases”

Controlling Azure SQL Firewall Rules

Recently on Microsoft Q&A there was question on how you can control Azure SQL Firewall rule in a way that only certain IP addresses are allowed to be configured. Naturally I gave general answer that you can do that via Azure Policy. Initially I didn’t give the person an actual policy as I haven’t done such before. Of course creating Azure Policy definition can be challenging so the person asked him if I can provide him with example.

Continue reading “Controlling Azure SQL Firewall Rules”