Azure Policy Best Practices for Virtual Machines

Understand Azure Policy

Azure Policy helps you control, restrict, and audit Azure resources. It enforces rules on resource configurations so that they stay compliant with corporate standards.

In Azure, you can assign a policy at a specific scope: a management group, a single subscription, a resource group, or a single resource.

When a policy is assigned at a management group, a subscription, or a resource group, the assignment is inherited by all child resources within that scope.

You can assign individual policies, or group several of them together into a single policy initiative definition and assign the initiative as one unit.

Manage and Secure Azure VMs by Assigning Policies

You can protect and secure Azure Virtual Machines by assigning the required Azure policies. The policies below can be assigned at the chosen scope to secure private Azure Virtual Machines and restrict network access to them.

Policy Name: Resource Groups should have "CanNotDelete" resource lock

This policy ensures that every resource group has a resource lock of type "CanNotDelete".

  • Category: Azure Security
  • Azure Policy Type: Built-in

Policy Name: RDP access from the Internet should be blocked

Any network security rule that allows RDP access from the Internet should be blocked.

  • Category: Azure Security
  • Azure Policy Type: Built-in

Policy Name: SSH access from the Internet should be blocked

Any network security rule that allows SSH access from the Internet should be blocked.

  • Category: Azure Security
  • Azure Policy Type: Built-in
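The two built-in policies above audit existing NSG rules. To show what the same check looks like as an enforced rule, here is an added example of a custom Azure Policy definition (written for this page, not the built-in definition) that denies creation of any standalone NSG security rule allowing inbound RDP or SSH from a public source. The `blockedPorts` parameter, its default values, and the display name are assumptions made for the example; the resource type, aliases, and `count` expressions are standard Azure Policy syntax.

```json
{
  "properties": {
    "displayName": "Deny inbound NSG rules that expose RDP or SSH to the Internet",
    "policyType": "Custom",
    "mode": "All",
    "description": "Example custom policy: denies NSG security rules that allow inbound traffic to management ports from any public source.",
    "parameters": {
      "blockedPorts": {
        "type": "Array",
        "metadata": {
          "displayName": "Ports that must not be reachable from the Internet",
          "description": "Destination ports checked against the rule's destinationPortRange(s)."
        },
        "defaultValue": [ "22", "3389" ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups/securityRules" },
          { "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", "equals": "Allow" },
          { "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", "equals": "Inbound" },
          {
            "anyOf": [
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", "equals": "*" },
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", "in": "[parameters('blockedPorts')]" },
              {
                "count": {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                  "where": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                    "in": "[parameters('blockedPorts')]"
                  }
                },
                "greater": 0
              }
            ]
          },
          {
            "anyOf": [
              { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "in": [ "*", "Internet", "0.0.0.0/0" ] },
              {
                "count": {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                  "where": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                    "in": [ "*", "Internet", "0.0.0.0/0" ]
                  }
                },
                "greater": 0
              }
            ]
          }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Two caveats when using a definition like this: a `deny` effect only blocks new or updated rules, so rules that already exist are reported as non-compliant rather than removed, and this definition evaluates the child `securityRules` resource type only. Rules submitted inline in a `Microsoft.Network/networkSecurityGroups` PUT need a second condition on the parent type using the `securityRules[*]` aliases, which is why the built-in policies cover both paths. Port ranges such as "3380-3390" are also not matched by a simple `in` comparison.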

Policy Name: Subnets should be associated with a Network Security Group

This policy protects the subnet from potential threats by restricting access to it with a Network Security Group (NSG).

  • Category: Azure Security
  • Azure Policy Type: Built-in

Policy Name: The Log Analytics agent should be installed on virtual machines

This policy audits any virtual machine on which the Log Analytics agent is not installed.

  • Category: Azure Security
  • Azure Policy Type: Built-in

Policy Name: Network Watcher should be enabled

This policy audits any resource for which Network Watcher is not enabled.

  • Category: Azure Security
  • Azure Policy Type: Built-in

Policy Name: Azure Backup should be enabled for Virtual Machines

Ensure protection of your Azure Virtual Machines by verifying that Azure Backup is enabled.

  • Category: Azure Security
  • Azure Policy Type: Built-in

Policy Name: Mandatory tags to be created while provisioning resources

  • Category: Azure Security and Azure Cost Management
  • Azure Policy Type: Custom
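Because this one is a custom policy, the page does not carry its definition. As an added example (written for this page, not the author's own definition), here is a custom Azure Policy that denies provisioning of any taggable resource that is missing one or more mandatory tags. The `requiredTags` parameter and its default tag names are assumptions for the example; the value-count expression with `current()` and the `tags[...]` field syntax are standard Azure Policy constructs.

```json
{
  "properties": {
    "displayName": "Require mandatory tags when provisioning resources",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Example custom policy: denies creation of resources that lack any of the mandatory tags.",
    "parameters": {
      "requiredTags": {
        "type": "Array",
        "metadata": {
          "displayName": "Mandatory tag names",
          "description": "Every tag name in this list must be present on the resource."
        },
        "defaultValue": [ "owner", "costCenter", "environment" ]
      }
    },
    "policyRule": {
      "if": {
        "count": {
          "value": "[parameters('requiredTags')]",
          "name": "tag",
          "where": {
            "field": "[concat('tags[', current('tag'), ']')]",
            "exists": "false"
          }
        },
        "greater": 0
      },
      "then": { "effect": "deny" }
    }
  }
}
```

The `count` expression iterates over the parameter array and counts the tag names that do not exist on the resource; any count above zero triggers the deny. Mode `Indexed` limits evaluation to resource types that support tags and location, so resource groups are not covered; to require tags on resource groups as well, use mode `All` with an explicit `type` condition for `Microsoft.Resources/subscriptions/resourceGroups`.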