Resource governance capabilities in Azure

https://docs.microsoft.com/en-us/learn/modules/describe-resource-governance-capabilities-azure/

Use of Azure Resource Manager (ARM) locks

https://docs.microsoft.com/en-us/learn/modules/describe-resource-governance-capabilities-azure/2-describe-use-azure-resource-locks

  • ARM is a management layer that enables administrators to create, update, and delete resources in Azure
  • Locks secure resources after deployment
  • Even users with full control cannot delete a resource while it is locked

Use of Azure Blueprints

https://docs.microsoft.com/en-us/learn/modules/describe-resource-governance-capabilities-azure/3-describe-use-azure-blueprints

  • Define a repeatable set of Azure resources
  • Rapidly provision and run new environments in line with the organization's compliance requirements
  • Provision resources across several subscriptions simultaneously
  • Declarative way to orchestrate the deployment of:
    • Role assignments
    • Policy assignments
    • ARM templates
    • Resource groups
  • Replicated to multiple Azure regions

Azure Policy

https://docs.microsoft.com/en-us/learn/modules/describe-resource-governance-capabilities-azure/4-describe-azure-policy

  • Enforce standards and assess compliance
  • Compliance dashboard
  • Aggregated view of the whole environment
  • Drill down per resource
  • Automatic remediation for new resources
  • Evaluates whether properties of resources match with business rules
  • Rules are described in JSON
  • Referred to as policy definitions
  • Grouping policy definitions together creates a policy initiative
  • Either can be assigned at any scope, from management groups all the way down to individual resources
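
The points above (rules written in JSON, evaluated against resource properties, assigned at a scope) are illustrated by the following added example, which is not part of the Microsoft Learn module. It is a simplified model and not Azure's evaluation engine: the names `POLICY`, `RESOURCES`, `matches` and `evaluate` and all resource IDs are constructed. Scope is modelled as a resource-ID prefix, so management-group scopes are not covered.

```python
import json

# Constructed policy definition using Azure Policy's if/then rule shape.
POLICY = json.loads("""{
  "policyRule": {
    "if": {"allOf": [
      {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
      {"not": {"field": "location", "in": ["westeurope", "northeurope"]}}
    ]},
    "then": {"effect": "deny"}
  }
}""")

RG = "/subscriptions/sub-a/resourceGroups/"  # constructed IDs below
STORAGE = "Microsoft.Storage/storageAccounts"
RESOURCES = [
    {"id": RG + "rg-prod/providers/" + STORAGE + "/logs1", "type": STORAGE, "location": "westeurope"},
    {"id": RG + "rg-prod/providers/" + STORAGE + "/logs2", "type": STORAGE, "location": "eastus"},
    {"id": RG + "rg-prod/providers/Microsoft.Compute/virtualMachines/vm1", "type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
    {"id": RG + "rg-dev/providers/" + STORAGE + "/scratch", "type": STORAGE, "location": "eastus"},
]

def matches(cond, res):
    """Evaluate a subset of rule conditions: allOf, anyOf, not, equals, in."""
    if "allOf" in cond:
        return all(matches(c, res) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, res) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], res)
    value = str(res.get(cond["field"], "")).lower()  # this model compares case-insensitively
    if "equals" in cond:
        return value == cond["equals"].lower()
    if "in" in cond:
        return value in [v.lower() for v in cond["in"]]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, scope, resources):
    """Map each resource id to Compliant, NonCompliant or OutOfScope."""
    scope, states = scope.lower().rstrip("/"), {}
    for res in resources:
        rid = res["id"].lower()
        if rid != scope and not rid.startswith(scope + "/"):
            states[res["id"]] = "OutOfScope"  # assignment does not reach it
        elif matches(policy["policyRule"]["if"], res):
            states[res["id"]] = "NonCompliant"  # the "then" effect applies
        else:
            states[res["id"]] = "Compliant"
    return states
```

Calling `evaluate(POLICY, RG + "rg-prod", RESOURCES)` flags only `logs2` as non-compliant: the virtual machine does not match the rule's resource type, and the storage account in `rg-dev` sits outside the assignment scope.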

Evaluation outcomes

  • Evaluation occurs at specific times during the resource lifecycle
    • A resource is created, deleted, or updated
    • Policy is newly assigned to a scope
    • Policy already assigned to a scope is updated
    • Standard compliance evaluation occurs every 24 hours

Difference between Azure Policy and Azure RBAC

  • Policy controls the compliance state of the resource
  • RBAC manages user actions

Last modified July 21, 2024: update (e2ae86c)