Operational compliance in Azure

Operational compliance is the second discipline in any cloud management baseline.

Diagram that shows a cloud management baseline.

Improving operational compliance reduces the likelihood of an outage related to configuration drift or vulnerabilities related to systems being improperly patched.

For any enterprise-grade environment, this table outlines the suggested minimum for a management baseline.

Process Tool Purpose
Patch management Azure Automation Update Management Management and scheduling of updates
Policy enforcement Azure Policy Automated policy enforcement to ensure environment and guest compliance
Environment configuration Infrastructure as code (IaC) Automated environment creation, configuration, and to avoid configuration drift
Resource configuration Desired State Configuration (DSC) Automated configuration on guest OS and some aspects of the environment

Update Management

Computers that are managed by the Update Management solution for Azure Automation use the following configurations to do assessment and update deployments:

  • Log Analytics agent for Windows or Linux.
  • PowerShell DSC for Linux.
  • Azure Automation Hybrid Runbook Worker.
  • Microsoft Update or Windows Server Update Services (WSUS) for Windows computers.

For more information, see Update Management solution for Azure Automation.

Warning

Before using Update Management, you must onboard virtual machines or an entire subscription into Log Analytics and Azure Automation.

There are two approaches to onboarding:

You should follow one before proceeding with Update Management.

Manage updates

To apply a policy to a resource group:

  1. Go to Azure Automation.
  2. Select Automation accounts, and choose one of the listed accounts.
  3. Go to Configuration Management.
  4. Use Inventory, Change Management, and State Configuration to control the state and operational compliance of the managed VMs.

Azure Policy

Azure Policy is used throughout governance processes. It's also highly valuable within cloud management processes. Azure Policy can audit and remediate Azure resources and can also audit and configure settings inside a machine. The validation is performed by the machine configuration extension and client. The extension, through the client, validates settings like:

  • Operating system configuration.
  • Application configuration or presence.
  • Environment settings.

An important part of this process is maintaining and updating Azure Policy assignments as your governance process requires. Using IaC can help you update and maintain your policy infrastructure. For more information, see Use IaC to update Azure landing zones.

Action

Assign a built-in policy to a management group, subscription, or resource group.

Apply a policy

To apply a policy to a resource group:

  1. Go to Azure Policy.
  2. Select Assign a policy.

Learn more

To learn more, see: