Operational compliance in Azure

Operational compliance is the second discipline in any cloud management baseline.

Diagram showing a cloud management baseline.

Improving operational compliance reduces the likelihood of an outage related to configuration drift or vulnerabilities related to systems being improperly patched.

For any enterprise-grade environment, this table outlines the suggested minimum for a management baseline.

Process                    Tool                                 Purpose
-------------------------  -----------------------------------  ----------------------------------------------------------------------
Patch management           Azure Automation Update Management   Management and scheduling of updates
Policy enforcement         Azure Policy                         Policy enforcement to ensure environment and guest compliance
Environment configuration  Azure Blueprints                     Automated compliance for core services
Resource configuration     Desired State Configuration          Automated configuration on guest OS and some aspects of the environment

Update Management

Computers that are managed by the Update Management solution for Azure Automation use the following configurations to perform assessments and update deployments:

  • Log Analytics agent for Windows or Linux.
  • PowerShell Desired State Configuration (DSC) for Linux.
  • Azure Automation Hybrid Runbook Worker.
  • Microsoft Update or Windows Server Update Services (WSUS) for Windows computers.

For more information, see Update Management solution for Azure Automation.

Warning

Before using Update Management, you must onboard virtual machines or an entire subscription into Log Analytics and Azure Automation.

There are two approaches to onboarding:

You should follow one before proceeding with Update Management.

Manage updates

To manage updates and configuration state for the VMs attached to an Automation account:

  1. Go to Azure Automation.
  2. Select Automation accounts, and choose one of the listed accounts.
  3. Go to Configuration Management.
  4. Use Inventory, Change Management, and State Configuration to control the state and operational compliance of the managed VMs.
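The "Resource configuration" row of the baseline table and the State Configuration blade above both rely on Desired State Configuration. As an added example, not code from the original page, the following Az PowerShell script publishes a small guest-OS baseline to Azure Automation State Configuration, onboards a VM in auto-correct mode, and reports nodes that have drifted. The resource group, Automation account and VM names are placeholders.

```powershell
# Added example: publish a DSC guest baseline through Azure Automation State Configuration.
# rg-mgmt-baseline, aa-mgmt-baseline and vm-web-01 are placeholder names.
$rg = 'rg-mgmt-baseline'
$aa = 'aa-mgmt-baseline'
$vm = 'vm-web-01'
# Import-AzAutomationDscConfiguration needs a .ps1 whose file name matches the Configuration name.
$configText = @'
Configuration GuestBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node 'localhost' {
        # The legacy SMBv1 server feature must not be present on the guest.
        WindowsFeature Smb1Server {
            Name   = 'FS-SMB1'
            Ensure = 'Absent'
        }
        # Keep the Windows Update agent running so Update Management can assess the machine.
        Service WindowsUpdateAgent {
            Name        = 'wuauserv'
            StartupType = 'Automatic'
            State       = 'Running'
        }
    }
}
'@
$path = Join-Path $env:TEMP 'GuestBaseline.ps1'
Set-Content -Path $path -Value $configText
# 1. Upload and publish the configuration to the Automation account.
Import-AzAutomationDscConfiguration -ResourceGroupName $rg -AutomationAccountName $aa `
    -SourcePath $path -Published -Force | Out-Null
# 2. Compile it into the node configuration GuestBaseline.localhost and wait for the job.
$job = Start-AzAutomationDscCompilationJob -ResourceGroupName $rg -AutomationAccountName $aa `
    -ConfigurationName 'GuestBaseline'
do {
    Start-Sleep -Seconds 15
    $job = Get-AzAutomationDscCompilationJob -ResourceGroupName $rg -AutomationAccountName $aa -Id $job.Id
} while ($job.Status -notin 'Completed', 'Failed', 'Suspended')
if ($job.Status -ne 'Completed') { throw "Compilation ended with status $($job.Status)" }
# 3. Onboard the VM in ApplyAndAutocorrect mode so drift is reverted, not only reported.
Register-AzAutomationDscNode -ResourceGroupName $rg -AutomationAccountName $aa `
    -AzureVMName $vm -NodeConfigurationName 'GuestBaseline.localhost' `
    -ConfigurationMode 'ApplyAndAutocorrect' -RebootNodeIfNeeded $true
# 4. Operational-compliance check: any node not reporting Compliant needs attention.
Get-AzAutomationDscNode -ResourceGroupName $rg -AutomationAccountName $aa |
    Where-Object { $_.Status -ne 'Compliant' } |
    Select-Object Name, Status, NodeConfigurationName
```

Run it in a session already signed in with Connect-AzAccount; the node's first consistency check runs after the DSC extension is installed, so the final query is empty until then.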

Azure Policy

Azure Policy is used throughout governance processes. It's also highly valuable within cloud management processes. Azure Policy can audit and remediate Azure resources and can also audit settings inside a machine. The validation is performed by the guest configuration extension and client. The extension, through the client, validates settings like:

  • Operating system configuration.
  • Application configuration or presence.
  • Environment settings.

Azure Policy guest configuration currently only audits settings inside the machine. It doesn't apply configurations.

An important part of this process is maintaining and updating Azure Policy assignments and updating them as your governance process requires. Using Infrastructure as Code can help you update and maintain your policy infrastructure. To learn more, see Use infrastructure as code to update Azure landing zones.

Action

Assign a built-in policy to a management group, subscription, or resource group.

Apply a policy

To apply a policy to a resource group:

  1. Go to Azure Policy.
  2. Select Assign a policy.
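The same assignment done from Az PowerShell, as an added example that is not part of the original page: it assigns one built-in audit policy at resource-group scope, forces an evaluation, and lists the non-compliant resources. The resource group name is a placeholder, and the display name in $policyDisplayName is one built-in audit policy to swap for whichever your baseline requires.

```powershell
# Added example: assign a built-in audit policy and read back its findings.
# rg-mgmt-baseline is a placeholder resource group.
$rg = Get-AzResourceGroup -Name 'rg-mgmt-baseline'
$policyDisplayName = 'Audit VMs that do not use managed disks'
# 1. Find the built-in definition. Older Az.Resources nests fields under .Properties,
#    newer versions flatten them, so accept either shape.
$definition = Get-AzPolicyDefinition -Builtin | Where-Object {
    $_.Properties.DisplayName -eq $policyDisplayName -or $_.DisplayName -eq $policyDisplayName
} | Select-Object -First 1
if (-not $definition) { throw "Built-in policy '$policyDisplayName' not found" }
# 2. Assign it at resource-group scope. An Audit or AuditIfNotExists effect only records
#    compliance state; nothing in the resource or the guest OS is changed.
$assignment = New-AzPolicyAssignment -Name 'baseline-audit' `
    -DisplayName "Baseline: $policyDisplayName" `
    -Scope $rg.ResourceId -PolicyDefinition $definition
# 3. Evaluation normally runs on a schedule; trigger one now instead of waiting.
Start-AzPolicyComplianceScan -ResourceGroupName $rg.ResourceGroupName
# 4. The flagged resources are what the operations team works through.
Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName `
    -PolicyAssignmentName $assignment.Name `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionAction, ComplianceState
```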

Learn more

To learn more, see:

Azure Blueprints

With Azure Blueprints, cloud architects and central information-technology groups can define a repeatable set of Azure resources. These resources implement and adhere to an organization's standards, patterns, and requirements.

With Azure Blueprints, development teams can rapidly build and stand up new environments. Teams can also trust they're building within organizational compliance. They do so by using a set of built-in components like networking to speed up development and delivery.

Blueprints are a declarative way to orchestrate the deployment of different resource templates and other artifacts like:

  • Role assignments.
  • Policy assignments.
  • Azure Resource Manager templates.
  • Resource groups.

Applying a blueprint can enforce operational compliance in an environment if this enforcement isn't done by the cloud governance team.

Create a blueprint

To create a blueprint:

  1. Go to Blueprints: Getting started.
  2. On the Create a Blueprint pane, select Create.
  3. Filter the list of blueprints to select the appropriate blueprint.
  4. In the Blueprint name box, enter the blueprint name.
  5. Select Definition location, and choose the appropriate location.
  6. Select Next : Artifacts, and review the artifacts included in the blueprint.
  7. Select Save draft.

Publish a blueprint

To publish blueprint artifacts to your subscription:

  1. Go to Blueprints > Blueprint definitions.
  2. Select the blueprint you created in the previous steps.
  3. Review the blueprint definition, then select Publish blueprint.
  4. In the Version box, enter a version like "1.0".
  5. In the Change notes box, enter your notes.
  6. Select Publish.

Learn more

To learn more, see: