How to identify Azure Data Lake Gen 2 inside Azure Policy

Christophe Humbert 126 Reputation points
2024-01-03T09:43:39.1033333+00:00

Hello

I need to scope an Azure Policy on Azure Data Lake Gen2 to prevent HTTP and the disabling of secure transfer.

Thanks in advance


  1. Azar 29,520 Reputation points MVP Volunteer Moderator
    2024-01-03T13:55:48.1+00:00

    Hi Christophe Humbert,

    Sure, let me help you on this. First, open your Azure portal and go to the "Policy" service.

    Click on "Definitions", then click on "+ Policy definition".

    Provide a name, description and category for your policy.

    In the "Policy rule" section, use the JSON policy definition below:

    {
       "mode": "All",
       "policyRule": {
          "if": {
             "allOf": [
                {
                   "field": "type",
                   "equals": "Microsoft.Storage/storageAccounts"
                },
                {
                   "not": {
                      "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                      "equals": true
                   }
                }
             ]
          },
          "then": {
             "effect": "deny"
          }
       }
    }

    The above policy denies the creation or modification of storage accounts that do not have HTTPS enabled.

    Finally, in the "Policy" service, click on "Assignments", then click on "+ Assign policy".

    Choose the policy definition you created earlier.

    Set the "Parameters" as needed (if your policy has any).

    Configure "Assignment name" and "Assignment description".

    Click "Review + create" and then "Create" to assign the policy.

    If this helps, kindly accept the answer. Thanks much.

    1 person found this answer helpful.

  2. shirivo 160 Reputation points Microsoft Employee
    2024-01-04T03:59:16.55+00:00

    Hello @Christophe Humbert

    Azure Data Lake Storage Gen2 is a set of capabilities dedicated to big data analytics, built on Azure Blob Storage. It’s not a dedicated service or account type. Therefore, to identify Azure Data Lake Gen2 inside Azure Policy, you need to look for Azure Storage accounts with the hierarchical namespace enabled.

    To scope an Azure Policy on Azure Data Lake Gen2 to prevent HTTP and the disabling of secure transfer, you can create a custom policy definition that targets Azure Storage accounts with the hierarchical namespace enabled. The policy should enforce the use of HTTPS and enable secure transfer.

    Here’s a high-level overview of the steps:

    Identify Azure Data Lake Gen2: Use the Get-AzStorageAccount command with the EnableHierarchicalNamespace property to identify if Data Lake Gen2 is enabled.

    Create a Custom Policy Definition: Create a custom policy definition in Azure Policy that targets Azure Storage accounts. The policy definition should include conditions to check if the hierarchical namespace is enabled (which indicates it’s a Data Lake Gen2 account).

    Enforce HTTPS and Secure Transfer: In the policy definition, include effects to enforce the use of HTTPS and enable secure transfer. This can be done by setting the supportsHttpsTrafficOnly property to true.

    Assign the Policy: Once the policy definition is created, assign it to the scope where your Data Lake Gen2 accounts are located.

    Important: Note that this is a high-level overview, so the exact steps can vary based on your specific requirements and Azure environment.

    Wishing you well,

    @shirivo

    1 person found this answer helpful.
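The four steps in the answer above carried through as one script: an added example, not code from either answer or from Microsoft. It assumes the Az.Accounts, Az.Resources and Az.Storage modules with an active Connect-AzAccount session; the policy name, display name and the subscription id in $scope are placeholders.

```powershell
# Added example: identify ADLS Gen2 accounts, then create and assign a custom policy that
# denies hierarchical-namespace storage accounts which allow HTTP.
# Assumptions: Az.Accounts, Az.Resources and Az.Storage are installed and Connect-AzAccount
# has been run; the policy name, display name and $scope below are placeholders.

# Step 1: list existing Gen2 accounts (EnableHierarchicalNamespace) that would already be
# non-compliant, so the deny assignment does not surprise anyone.
Get-AzStorageAccount |
    Where-Object { $_.EnableHierarchicalNamespace -and -not $_.EnableHttpsTrafficOnly } |
    Select-Object StorageAccountName, ResourceGroupName, EnableHttpsTrafficOnly

# Step 2: the policy rule. The isHnsEnabled alias restricts the rule to Gen2 accounts.
# A missing supportsHttpsTrafficOnly is treated as non-compliant because storage API
# versions before 2019-04-01 default that property to false.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "field": "Microsoft.Storage/storageAccounts/isHnsEnabled", "equals": "true" },
      {
        "anyOf": [
          { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false" },
          { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false" }
        ]
      }
    ]
  },
  "then": { "effect": "deny" }
}
'@

# Step 3: create the custom definition (mode All evaluates resource properties).
$definition = New-AzPolicyDefinition -Name 'deny-adls-gen2-http' `
    -DisplayName 'ADLS Gen2 accounts must require secure transfer (HTTPS only)' `
    -Description 'Denies hierarchical-namespace storage accounts that do not enforce HTTPS-only traffic.' `
    -Mode 'All' -Policy $policyRule

# Step 4: assign at the scope that holds the Gen2 accounts (subscription id is a placeholder).
$scope = '/subscriptions/00000000-0000-0000-0000-000000000000'
New-AzPolicyAssignment -Name 'deny-adls-gen2-http' -Scope $scope -PolicyDefinition $definition
```

Accounts without the hierarchical namespace are untouched by this definition, so it can sit alongside a broader audit policy for ordinary Blob storage.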
