Before considering a deployment, it's important for your organization to put guardrails in place. By using Azure policies, you can implement governance for resource consistency, regulatory compliance, security, cost, and management.
Background
A core principle of cloud-scale analytics is to make it easy to create, read, update, and delete resources as needed. However, while giving unrestricted resource access to developers can make them agile, it can also lead to unintended cost consequences. The solution to this problem is resource access governance. This governance is the ongoing process of managing, monitoring, and auditing the use of Azure resources to meet the goals and requirements of your organization.
Azure Policy is important when ensuring security and compliance within cloud-scale analytics. It helps to enforce standards and to assess compliance at scale. Policies can be used to evaluate resources in Azure and compare them to the wanted properties. Several policies, or business rules, can be grouped into an initiative. Individual policies or initiatives can be assigned to different scopes in Azure. These scopes might be management groups, subscriptions, resource groups, or individual resources. The assignment applies to all resources within the scope, and subscopes can be excluded with exceptions if necessary.
Design considerations
Azure policies in cloud-scale analytics were developed with the following design considerations in mind:
Use Azure policies to implement governance and enforce rules for resource consistency, regulatory compliance, security, cost, and management.
Use available prebuilt policies to save time.
Assign policies to the highest level possible in the management group tree to simplify policy management.
Limit Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes.
Only use policy exceptions if necessary, and they require approval.
Azure policies for cloud-scale analytics
Implementing custom policies allows you to do more with Azure Policy. Cloud-scale analytics comes with a set of precreated policies to help you implement any required guardrails in your environment.
Azure Policy should be the core instrument of the Azure (Data) Platform team to ensure compliance of resources within the Data management landing zone, data landing zones, and other landing zones within the organization's tenant. This platform feature should be used to introduce guardrails and enforce adherence to the overall approved service configuration within the respective management group scope. The platform teams can use Azure Policy to, for example, enforce private endpoints for any storage accounts that are being hosted within the data platform environment or enforce TLS 1.2 encryption in transit for any connections being made to the storage accounts. When done right, this policy prohibits any data application teams from hosting services in an incompliant state within the respective tenant scope.
The responsible IT teams should use this platform feature to address their security and compliance concerns and open up for a self-service approach within (Data) Landing Zones.
Cloud-scale analytics contains custom policies related to resource and cost management, authentication, encryption, network isolation, logging, resilience, and more.
The policies should be viewed as guidance-only and can be applied depending on business requirements. Policies should always be applied to the highest level possible and in most cases this will be a management group.
Deny private endpoints to resources outside of the Microsoft Entra tenant and subscription.
Deploy-DNSZoneGroup-{Service}-PrivateEndpoint
Network Isolation
Deploys the configurations of a Private DNS Zone Group by a parameter for service's private endpoint. Used to enforce the configuration to a single Private DNS Zone.
DiagnosticSettings-{Service}-LogAnalytics
Logging
Send diagnostic settings for Azure Cosmos DB to log analytics workspace.
Storage
Policy name
Policy area
Description
Append-Storage-Encryption
Encryption
Enforce encryption for storage accounts.
Deny-Storage-AllowBlobPublicAccess
Network Isolation
Enforces no public access to all blobs or containers in the storage account.
Deny-Storage-ContainerDeleteRetentionPolicy
Resilience
Enforce container delete retention policies larger than seven days for storage account.
Deny-Storage-CorsRules
Network Isolation
Deny cors rules for storage account.
Deny-Storage-InfrastructureEncryption
Encryption
Enforce infrastructure (double) encryption for storage accounts.
Deny-Storage-MinimumTlsVersion
Encryption
Enforces minimum TLS version 1.2 for storage account.
Deny-Storage-NetworkAclsBypass
Network Isolation
Enforces network bypass to none for storage account.
Deny-Storage-NetworkAclsIpRules
Network Isolation
Enforces network ip rules for storage account.
Deny-Storage-NetworkAclsVirtualNetworkRules
Network Isolation
Denies virtual network rules for storage account.
Deny-Storage-Sku
Resource Management
Enforces storage account SKUs.
Deny-Storage-SupportsHttpsTrafficOnly
Encryption
Enforces https traffic for storage account.
Deploy-Storage-BlobServices
Resource Management
Deploy blob services default settings for storage account.
Deny-Storage-RoutingPreference
Network Isolation
Deny-Storage-Kind
Resource Management
Deny-Storage-NetworkAclsDefaultAction
Network Isolation
Key Vault
Policy name
Policy area
Description
Audit-KeyVault-PrivateEndpointId
Network Isolation
Audit public endpoints that are created in other subscriptions for key vault.
Deny-KeyVault-NetworkAclsBypass
Network Isolation
Enforces bypass network level rules for key vault.
Deny-KeyVault-NetworkAclsDefaultAction
Network Isolation
Enforces default network acl level action for key vault.
Deny-KeyVault-NetworkAclsIpRules
Network Isolation
Enforces network ip rules for key vault.
Deny-KeyVault-NetworkAclsVirtualNetworkRules
Network Isolation
Denies virtual network rules for key vault.
Deny-KeyVault-PurgeProtection
Resilience
Enforces purge protection for key vault.
Deny-KeyVault-SoftDelete
Resilience
Enforces soft delete with minimum number of retention days for key vault.
Deny-KeyVault-TenantId
Resource Management
Enforce tenant ID for key vault.
Azure Data Factory
Policy name
Policy area
Description
Append-DataFactory-IdentityType
Authentication
Enforces use of system assigned identity for data factory.