
Think before using "deny" in your Azure policy

Azure Policy is a great way to provide governance for your Azure subscription and to make sure you stay compliant with the standards you have set for your organisation. The reason I titled this post "Think before using deny in your Azure policy" is that it is very important to understand the evaluation process Azure Policy uses. The order of evaluation is as follows (extract from Microsoft's documentation):

  • Disabled is checked first to determine if the policy rule should be evaluated.
  • Append and Modify are then evaluated. Since either could alter the request, a change made may prevent an audit or deny effect from triggering.
  • Deny is then evaluated. By evaluating deny before audit, double logging of an undesired resource is prevented.
  • Audit is then evaluated before the request going to the Resource Provider.

You can see that "Deny" sits above "Audit", so if you are applying policies retrospectively to a subscription you need to make sure your existing resources are compliant before you switch to Deny.

Example,

You have deployed an IaaS virtual machine and you have a policy in place that restricts where you can deploy a resource, i.e. you are only allowed to deploy to UK South and North Europe, and any other location is set to deny. If you try to deploy a "new" resource in another region, the policy kicks in and denies the deployment. Any resource that was already deployed before the policy was assigned is only reported as non-compliant: Azure Policy does not explicitly deny resources that already existed before the policy was applied, otherwise it would break a lot of deployed workloads.

The problem arises when you want to make a change to an existing resource that was deployed before you enforced the policy. For example, you had already deployed a VM in West Europe; based on the policy above it is non-compliant, but the policy does not stop the VM from running. If you stop, start or restart the VM, the policy does not kick in either, because those are actions (POST operations against the VM) that only change its state and do not update any of its settings. If you now try to change the VM size, the policy is triggered, because resizing updates the resource (a PUT/PATCH on the VM) and create/update requests are exactly what Azure Policy evaluates; with the effect set to Deny the resize is refused.

As you can see, a "deny" policy can end up preventing you from making changes to your existing resources, so remember to assign the policy in Audit mode first, check the compliance report, and get all your resources compliant before switching to "deny". Otherwise you never know: it could be a policy that stops your scripts or your continuous deployment pipeline from working overnight!
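The evaluation order listed above and the West Europe VM example are easier to reason about when you can replay them. What follows is an added example written for this post, not Azure's policy engine and not code from Microsoft: a small Python model of the order Disabled, then Append, then Deny, then Audit (Modify is left out), applied to a location policy modelled on the built-in "Allowed locations" definition with its effect exposed as a parameter, plus two hypothetical tagging policies (append-costcentre and deny-missing-costcentre) that show why an Append running first can stop a Deny from ever triggering. The VM, tag values, assignment names and region list are constructed for the example.

```python
"""Toy model of Azure Policy effect ordering and of what a Deny assignment blocks.
Added example, not Azure's engine: it follows the documented order
(Disabled -> Append -> Deny -> Audit; Modify is left out), evaluates only PUT/PATCH
requests as Azure Policy does, and understands a subset of the rule language
(allOf, notEquals/notIn/exists, [parameters('...')] references, tags['key'])."""
import copy

def resolve(value, params):
    """Resolve a [parameters('name')] reference; anything else passes through."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[13:-3]]
    return value

def read_field(resource, name):
    if name.startswith("tags['"):  # tags['key'] alias -> resource["tags"]["key"]
        return resource.get("tags", {}).get(name[6:-2])
    return resource.get(name)

def matches(cond, resource, params):
    """Evaluate a policy 'if' block against a request body or an existing resource."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    value = read_field(resource, cond["field"])
    if "notEquals" in cond:
        return value != resolve(cond["notEquals"], params)
    if "notIn" in cond:
        return value not in resolve(cond["notIn"], params)
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def effective(assignment):
    """(effect, parameters, rule, name) for an assignment, with definition defaults applied."""
    policy, rule = assignment["policy"], assignment["policy"]["policyRule"]
    params = {k: v.get("defaultValue") for k, v in policy.get("parameters", {}).items()}
    params.update(assignment.get("parameters", {}))
    return resolve(rule["then"]["effect"], params).lower(), params, rule, assignment["name"]

def evaluate_request(operation, body, assignments):
    """Return (allowed, body_after_append, findings) for one ARM request. Only PUT/PATCH
    is evaluated: POST actions (start, restart, deallocate) never reach Azure Policy."""
    body, findings = copy.deepcopy(body), []
    if operation not in ("PUT", "PATCH"):
        return True, body, findings
    active = [x for x in map(effective, assignments) if x[0] != "disabled"]  # 1. Disabled
    for effect, params, rule, _ in active:                                   # 2. Append alters the request
        if effect == "append" and matches(rule["if"], body, params):
            for d in rule["then"]["details"]:
                body.setdefault("tags", {})[d["field"][6:-2]] = d["value"]
    for effect, params, rule, name in active:                                # 3. Deny, before Audit
        if effect == "deny" and matches(rule["if"], body, params):
            return False, body, [f"denied by {name}"]
    for effect, params, rule, name in active:                                # 4. Audit: log only
        if effect == "audit" and matches(rule["if"], body, params):
            findings.append(f"non-compliant with {name}")
    return True, body, findings

def compliance_scan(resources, assignments):
    """Compliance view of existing resources: Audit and Deny both only flag them."""
    return {res_name: [name for effect, params, rule, name in map(effective, assignments)
                       if effect in ("audit", "deny") and matches(rule["if"], res, params)]
            for res_name, res in resources.items()}

# Modelled on the built-in "Allowed locations" definition, with the effect exposed
# as a parameter so one definition can be assigned as Audit first and Deny later.
ALLOWED_LOCATIONS = {
    "parameters": {"listOfAllowedLocations": {"type": "Array"},
                   "effect": {"type": "String", "defaultValue": "Audit"}},
    "policyRule": {"if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"}]},
        "then": {"effect": "[parameters('effect')]"}}}
# Two hypothetical tagging policies showing why Append runs before Deny: on a PUT
# the deny never fires because the tag has already been appended.
APPEND_COST_CENTRE = {"policyRule": {"if": {"field": "tags['costCentre']", "exists": "false"},
    "then": {"effect": "append", "details": [{"field": "tags['costCentre']", "value": "unassigned"}]}}}
DENY_MISSING_COST_CENTRE = {"policyRule": {"if": {"field": "tags['costCentre']", "exists": "false"},
    "then": {"effect": "deny"}}}

def scenario(location_effect):
    """Replay the post's example with the location policy assigned as Audit or as Deny.
    Constructed input: a tagged VM already running in West Europe; UK South and North Europe allowed."""
    assignments = [
        {"name": "allowed-locations", "policy": ALLOWED_LOCATIONS,
         "parameters": {"listOfAllowedLocations": ["uksouth", "northeurope"], "effect": location_effect}},
        {"name": "append-costcentre", "policy": APPEND_COST_CENTRE},
        {"name": "deny-missing-costcentre", "policy": DENY_MISSING_COST_CENTRE}]
    vm = {"type": "Microsoft.Compute/virtualMachines", "location": "westeurope",
          "tags": {"costCentre": "ops"}, "properties": {"hardwareProfile": {"vmSize": "Standard_D2s_v3"}}}
    resized = copy.deepcopy(vm)
    resized["properties"]["hardwareProfile"]["vmSize"] = "Standard_D4s_v3"
    new_vm = {"type": "Microsoft.Compute/virtualMachines", "location": "uksouth"}  # untagged
    return {"compliance": compliance_scan({"vm-weu": vm}, assignments),
            "restart_allowed": evaluate_request("POST", vm, assignments)[0],     # state change only
            "resize_allowed": evaluate_request("PUT", resized, assignments)[0],  # update is evaluated
            "new_uksouth_allowed": evaluate_request("PUT", new_vm, assignments)[0]}

if __name__ == "__main__":
    for mode in ("Audit", "Deny"):
        print(mode, scenario(mode))
```

Running it replays the scenario twice: with the effect set to Audit the resize of the West Europe VM goes through with a finding, with Deny it is refused, while the restart (a POST action) is never evaluated in either mode and the compliance view reports the VM as non-compliant in both. The untagged new VM in UK South is allowed in both modes because the append policy adds the tag before the deny policy looks for it. In real Azure the same staged rollout can also be done without editing the definition, by creating the assignment with enforcementMode set to DoNotEnforce and switching it to Default once the compliance report is clean.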

