Azure Policy helps to enforce organizational standards and to assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to per-resource, per-policy granularity.
In the previous challenges, you connected resources to Azure using Azure Arc. Azure Arc virtual machines can be governed by Azure Policy to gain insight into the current compliance state of resources as well as to perform tasks at scale, such as onboarding the virtual machines into Azure Monitor or triggering your own custom scripts using extensions.
In this challenge you will explore using Azure Policy to set up your resource group ready for the next challenge, where we’ll onboard multiple on-prem servers.
- Add the following tags to the `arc-hack` resource group:

| Tag | Value |
|---|---|
| platform | private cloud |
| datacentre | citadel |

- Don’t apply any policies to the `arc-hack-resources` resource group. In fact, try to pretend it doesn’t exist!
Policy - Tags
Tagging on resources is useful for filtering resources, and that is even more important when working at scale.
Let’s use tagging policies to auto-tag the Azure Arc VMs as we onboard multiple VMs in the next challenge.
- Assign an Azure Policy to inherit the `datacentre` tag from the resource group
No need to remediate the tagging on the existing resources. We’ll remediate in the next challenge.
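To make concrete what the tag-inheritance assignment will do to the resources in scope, here is a small local model of the built-in Modify-effect policy. This is an added example written for this page, not Azure's evaluation engine and not Azure Citadel's code: the resource IDs, resource-group tags and tag values are constructed to match the challenge, and the `add` / `addOrReplace` operations are the Modify effect's operation names. It shows why an assignment scoped to `arc-hack` never touches `arc-hack-resources`, and what a later remediation task would change.

```python
"""Local model of Azure Policy's 'Inherit a tag from the resource group' logic.

Added example: not Azure's evaluation engine and not the challenge's own code.
A resource in the assignment scope that lacks the named tag (or carries a value
different from its resource group's) is non-compliant; the remediation step
copies the value from the resource group using a Modify operation.
"""
from dataclasses import dataclass, field

# Constructed sample: the resource-group tags from the challenge. The second
# group deliberately has no tags and sits outside the assignment scope.
RESOURCE_GROUP_TAGS = {
    "arc-hack": {"platform": "private cloud", "datacentre": "citadel"},
    "arc-hack-resources": {},
}

@dataclass
class Resource:
    resource_id: str
    resource_group: str
    tags: dict = field(default_factory=dict)

# Constructed resources (IDs are placeholders, not real Azure resource IDs).
RESOURCES = [
    Resource("/rg/arc-hack/workspaces/arc-hack-law", "arc-hack"),
    Resource("/rg/arc-hack/machines/win-01", "arc-hack", {"datacentre": "citadel"}),
    Resource("/rg/arc-hack/machines/lin-01", "arc-hack", {"datacentre": "elsewhere"}),
    Resource("/rg/arc-hack-resources/machines/ignored-01", "arc-hack-resources"),
]

def evaluate(resource: Resource, tag_name: str, if_missing_only: bool) -> dict:
    """Return {'compliant': bool, 'operation': None | 'add' | 'addOrReplace'}.

    if_missing_only=True models the '... if missing' variant of the built-in,
    which only adds an absent tag; False models the variant that also replaces
    a value that differs from the resource group's.
    """
    rg_value = RESOURCE_GROUP_TAGS.get(resource.resource_group, {}).get(tag_name)
    current = resource.tags.get(tag_name)
    if not rg_value:
        # Nothing to inherit: the policy condition is not met, so no finding.
        return {"compliant": True, "operation": None}
    if current is None:
        return {"compliant": False, "operation": "add"}
    if current != rg_value and not if_missing_only:
        return {"compliant": False, "operation": "addOrReplace"}
    return {"compliant": True, "operation": None}

def remediation_plan(resources, tag_name, scope_rg="arc-hack", if_missing_only=False):
    """List (resource_id, operation, value) for every non-compliant resource
    inside the assignment scope. Resources outside the scope are never visited."""
    plan = []
    for r in resources:
        if r.resource_group != scope_rg:
            continue
        verdict = evaluate(r, tag_name, if_missing_only)
        if not verdict["compliant"]:
            value = RESOURCE_GROUP_TAGS[r.resource_group][tag_name]
            plan.append((r.resource_id, verdict["operation"], value))
    return plan

def apply_plan(resources, plan):
    """Apply the planned tag changes in place; returns the number of edits made."""
    by_id = {r.resource_id: r for r in resources}
    for resource_id, _operation, value in plan:
        by_id[resource_id].tags[plan_tag_name(plan, resource_id)] = value
    return len(plan)

def plan_tag_name(plan, resource_id):
    # The plan does not carry the tag name, so callers pass it through this
    # helper's closure-free form: all entries of one plan share one tag name.
    return PLAN_TAG_NAME

PLAN_TAG_NAME = "datacentre"

if __name__ == "__main__":
    for tag in ("platform", "datacentre"):
        print(tag, remediation_plan(RESOURCES, tag))
```

Running the module prints one plan per tag. Note that the `platform` plan contains every in-scope resource (none carries that tag yet), while the `datacentre` plan contains only the workspace and `lin-01`, and the "if missing" variant would leave `lin-01`'s differing value alone; this is the difference you choose between when picking the built-in definition to assign.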
We’ll set up a workspace for Azure Policy to use and configure it to be ready for the scale onboarding.
- Create a Log Analytics workspace in the arc-hack resource group
- Configure to collect event and performance data from virtual machines
- You can configure before you’ve connected VMs
- System events from the Windows Event Log and syslog from linux
- Recommended performance counters
- Ignore events unless they are warning or higher severity level
Policy - Monitor Extensions
Azure Policy is very useful for automatically deploying agents and extensions using the Deploy If Not Exists effect. We’ll configure an assignment, linked to the workspace you’ve just created, so that newly created Azure Arc VMs will get their Log Analytics and Dependency agents automatically installed.
Assign policy at the arc-hack resource group scope to:
- Deploy the Log Analytics agent to the Azure Arc virtual machines
- Deploy the Dependency agent to the Azure Arc virtual machines
- Using the Log Analytics workspace you’ve just created
- In the remediation tab, specify the region for the identity to be UK South
Hint: Check the initiatives in the Monitor category.
Assigning a Deploy If Not Exists policy creates an identity for the deployment. Check the policy assignment and you’ll see the managed identity tab and the identity’s role assignments.
Policy evaluations are usually triggered within 30 minutes of policy assignment. There are other triggers for an evaluation, as per the links at the bottom of the page. You can also trigger one manually. We’ll do that now so that your Azure Arc VMs, the ones you manually onboarded, are evaluated against your new policies.
Trigger a policy evaluation manually
az policy state trigger-scan --resource-group arc-hack
It can take a while for the VMs to show as non-compliant so feel free to move to the success criteria and onto the next challenge. (We’ll remediate in the next challenge.)
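Once the scan has run, the compliance state records can be pulled with `az policy state list --resource-group arc-hack -o json` and summarised, which is quicker than waiting for the portal dashboard to refresh. The script below is an added example for this page, not part of the Azure Citadel challenge: the records are constructed to match the shape of Azure Policy compliance state records (`complianceState`, `resourceId`, `policyAssignmentName`, `policyDefinitionName`, `policyDefinitionAction`, `timestamp`), and every name and ID in them is made up. It keeps only the latest record per resource and definition, groups the non-compliant ones by policy, and separates findings a remediation task can fix (DeployIfNotExists and Modify) from audit-only findings.

```python
"""Summarise Azure Policy compliance state records for the arc-hack scope.

Added example, not the challenge's own code. SAMPLE_OUTPUT is a constructed
stand-in for `az policy state list --resource-group arc-hack -o json`; the
assignment and definition names, resource IDs and timestamps are invented.
"""
import json
from collections import defaultdict

SAMPLE_OUTPUT = json.dumps([
    # win-01 was non-compliant, then a later record shows the agent installed
    {"resourceId": "/rg/arc-hack/machines/win-01", "complianceState": "NonCompliant",
     "policyAssignmentName": "Enable Azure Monitor for VMs", "policyDefinitionName": "deploy-la-agent-windows",
     "policyDefinitionAction": "deployifnotexists", "timestamp": "2021-03-01T10:00:00Z"},
    {"resourceId": "/rg/arc-hack/machines/win-01", "complianceState": "Compliant",
     "policyAssignmentName": "Enable Azure Monitor for VMs", "policyDefinitionName": "deploy-la-agent-windows",
     "policyDefinitionAction": "deployifnotexists", "timestamp": "2021-03-01T11:30:00Z"},
    # lin-01 still lacks the Dependency agent
    {"resourceId": "/rg/arc-hack/machines/lin-01", "complianceState": "NonCompliant",
     "policyAssignmentName": "Enable Azure Monitor for VMs", "policyDefinitionName": "deploy-dependency-agent-linux",
     "policyDefinitionAction": "deployifnotexists", "timestamp": "2021-03-01T10:00:00Z"},
    # the workspace has not inherited its tag yet
    {"resourceId": "/rg/arc-hack/workspaces/arc-hack-law", "complianceState": "NonCompliant",
     "policyAssignmentName": "Inherit datacentre tag", "policyDefinitionName": "inherit-tag-from-rg",
     "policyDefinitionAction": "modify", "timestamp": "2021-03-01T10:00:00Z"},
    # an audit-only finding: nothing a remediation task can do about it
    {"resourceId": "/rg/arc-hack/machines/lin-01", "complianceState": "NonCompliant",
     "policyAssignmentName": "Audit guest configuration", "policyDefinitionName": "audit-guest-config",
     "policyDefinitionAction": "audit", "timestamp": "2021-03-01T10:00:00Z"},
])

REMEDIABLE_ACTIONS = {"deployifnotexists", "modify"}

def load_states(raw: str) -> list:
    return json.loads(raw)

def latest_per_resource(states: list) -> list:
    """Keep only the newest record for each (resourceId, policyDefinitionName).
    ISO 8601 timestamps with the same layout sort correctly as strings."""
    newest = {}
    for rec in states:
        key = (rec["resourceId"], rec["policyDefinitionName"])
        if key not in newest or rec["timestamp"] > newest[key]["timestamp"]:
            newest[key] = rec
    return list(newest.values())

def short_name(resource_id: str) -> str:
    return resource_id.rsplit("/", 1)[-1]

def non_compliant_by_policy(states: list) -> dict:
    """Map (assignment, definition, action) -> sorted list of resource names."""
    groups = defaultdict(list)
    for rec in latest_per_resource(states):
        if rec["complianceState"] != "NonCompliant":
            continue
        key = (rec["policyAssignmentName"], rec["policyDefinitionName"],
               rec["policyDefinitionAction"].lower())
        groups[key].append(short_name(rec["resourceId"]))
    return {k: sorted(v) for k, v in groups.items()}

def remediable_findings(states: list) -> list:
    """Findings a remediation task can fix, as (resource, definition) pairs."""
    out = []
    for (assignment, definition, action), names in non_compliant_by_policy(states).items():
        if action in REMEDIABLE_ACTIONS:
            out.extend((n, definition) for n in names)
    return sorted(out)

if __name__ == "__main__":
    states = load_states(SAMPLE_OUTPUT)
    for key, names in non_compliant_by_policy(states).items():
        print(key, names)
    print("remediable:", remediable_findings(states))
```

Swap `SAMPLE_OUTPUT` for the real command's output (for example `json.loads(subprocess.check_output([...]))`) and the same functions give you the list that the next challenge's remediation tasks will work through; the audit-only findings stay visible but are correctly left out of the remediable set.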
Screen share with your proctor to show that you achieved:
- The Log Analytics workspace exists and is configured
- The workspace is automatically tagged with the resource group’s tags
- The Monitor for VMs policy initiative is assigned and linked to the workspace
- The additional RBAC assignment is in place for the policy’s identity
- Azure Policy documentation
- Get compliance data of Azure resources
- Overview of Log Analytics in Azure Monitor
- Overview of Azure Monitor agents