Operational compliance in Azure

Operational compliance is the second discipline in any cloud management baseline.

Diagram showing a cloud management baseline.

Improving operational compliance reduces the likelihood of an outage related to configuration drift or vulnerabilities related to systems being improperly patched.

For any enterprise-grade environment, this table outlines the suggested minimum for a management baseline.

Process Tool Purpose
Patch management Azure Automation Update Management Management and scheduling of updates
Policy enforcement Azure Policy Policy enforcement to ensure environment and guest compliance
Environment configuration Azure Blueprints Automated compliance for core services
Resource configuration Desired State Configuration Automated configuration on guest OS and some aspects of the environment

Update Management

Computers that are managed by the Update Management solution for Azure Automation use the following configurations to do assessment and update deployments:

  • Log Analytics agent for Windows or Linux.
  • PowerShell Desired State Configuration (DSC) for Linux.
  • Azure Automation Hybrid Runbook Worker.
  • Microsoft Update or Windows Server Update Services (WSUS) for Windows computers.

For more information, see Update Management solution for Azure Automation.

Warning

Before using Update Management, you must onboard virtual machines or an entire subscription into Log Analytics and Azure Automation.

There are two approaches to onboarding:

You should follow one before proceeding with Update Management.

Manage updates

To apply a policy to a resource group:

  1. Go to Azure Automation.
  2. Select Automation accounts, and choose one of the listed accounts.
  3. Go to Configuration Management.
  4. Use Inventory, Change Management, and State Configuration to control the state and operational compliance of the managed VMs.

Azure Policy

Azure Policy is used throughout governance processes. It's also highly valuable within cloud management processes. Azure Policy can audit and remediate Azure resources and can also audit settings inside a machine. The validation is performed by the guest configuration extension and client. The extension, through the client, validates settings like:

  • Operating system configuration.
  • Application configuration or presence.
  • Environment settings.

Azure Policy guest configuration currently only audits settings inside the machine. It doesn't apply configurations.

Action

Assign a built-in policy to a management group, subscription, or resource group.

Apply a policy

To apply a policy to a resource group:

  1. Go to Azure Policy.
  2. Select Assign a policy.

Learn more

To learn more, see:

Azure Blueprints

With Azure Blueprints, cloud architects and central information-technology groups can define a repeatable set of Azure resources. These resources implement and adhere to an organization's standards, patterns, and requirements.

With Azure Blueprints, development teams can rapidly build and stand up new environments. Teams can also trust they're building within organizational compliance. They do so by using a set of built-in components like networking to speed up development and delivery.

Blueprints are a declarative way to orchestrate the deployment of different resource templates and other artifacts like:

  • Role assignments.
  • Policy assignments.
  • Azure Resource Manager templates.
  • Resource groups.

Applying a blueprint can enforce operational compliance in an environment if this enforcement isn't done by the cloud governance team.

Create a blueprint

To create a blueprint:

  1. Go to Blueprints: Getting started.
  2. On the Create a Blueprint pane, select Create.
  3. Filter the list of blueprints to select the appropriate blueprint.
  4. In the Blueprint name box, enter the blueprint name.
  5. Select Definition location, and choose the appropriate location.
  6. Select Next : Artifacts, and review the artifacts included in the blueprint.
  7. Select Save draft.
  1. Go to Blueprints: Getting started.
  2. On the Create a Blueprint pane, select Create.
  3. Filter the list of blueprints to select the appropriate blueprint.
  4. In the Blueprint name box, enter the blueprint name.
  5. Select Definition location, and choose the appropriate location.
  6. Select Next : Artifacts, and review the artifacts included in the blueprint.
  7. Select Save draft.

Publish a blueprint

To publish blueprint artifacts to your subscription:

  1. Go to Blueprints > Blueprint definitions.
  2. Select the blueprint you created in the previous steps.
  3. Review the blueprint definition, then select Publish blueprint.
  4. In the Version box, enter a version like "1.0".
  5. In the Change notes box, enter your notes.
  6. Select Publish.
  1. In the Azure portal, go to Blueprints: Blueprint definitions.
  2. Select the blueprint you created in the previous steps.
  3. Review the blueprint definition, then select Publish blueprint.
  4. In the Version box, enter a version like "1.0".
  5. In the Change notes box, enter your notes.
  6. Select Publish.

Learn more

To learn more, see: