This article is contributed. See the original author and article here.

Policy-driven Governance is a cornerstone in Enterprise-scale Landing Zone (ESLZ!).  It’s possible to codify corporate, industry or country specific governance requirements declaratively using Azure Policy. ESLZ provides 90+ custom policies which help in meeting most common corporate governance requirements with a single click.


 


Benefits of these 90+ custom policies is documented in detail.


 


Following table lists these policies and the governance requirements they help in enforcing.  


 

















































































































Custom Policy in ESLZ Benefit

Deny-PublicIP


Deny-Public-Endpoints-for-PaaS-Services*


Prevent Public IP based services 




Deploy-Diag-LogAnalytics**




Enforce audit and log information collection






Deploy-Sql-Security






Provide comprehensive security for SQL Databases 








Deploy-Sql-Tde








Encrypt SQL data at rest 










Deploy-Sql-SecurityAlertPolicies










Enforce alerts for suspicious activity 












Deploy-Sql-AuditingSettings












Enforce audit trail of operations 














Deploy-Sql-vulnerabilityAssessments














Enforce evaluation against proven best practices 
















Append-KV-SoftDelete
















Protect against intentional/unintentional secret deletion 


















Deny-AppGW-Without-WAF


















Enforce Web Application Firewall (WAF)




















Deny-IP-forwarding




















Prevent IP forwarding on VMs 






















Deny-Private-DNS-Zones






















Enforce centralized DNS record management 
























Deny-Subnet-Without-Nsg
























Enforce network traffic control 


























Deploy-ASC-Standard


























Detect and protect against security threats by using Azure Security Center 




























Deploy-AzureBackup-on-VM




























Protect against ransomware attacks and other data-loss related issues






























Deploy-DDoSProtection






























Protect against DDoS attacks 
































Deploy-DNSZoneGroup-For-*-PrivateEndpoint***
































Auto-provision Private Link/Endpoint with Private DNS Zone 


































Deploy-FirewallPolicy


































Centrally manage firewall rules 




































Deploy-HUB

Deny-VNetPeering




































Provision Hub and Spoke Network topology 








































Deploy-LA-Config








































Provision default configuration for Azure Monitor 










































Deploy-Log-Analytics










































Enable Log Storage and Querying 












































Deploy-*-Arc-Monitoring












































Provision logging for Azure-Arc enabled servers 














































Deploy-Nsg-FlowLogs














































Enforce Network Traffic Log collection 
















































Deploy-vWAN



Deploy-vHUB


















































Provision at-scale network connectivity solution 


















































Deploy-VM-Backup


















































Provision backup for Azure VMs 




















































Deploy-vNet




















































Provision connectivity between Virtual Networks (VNets) 






















































Deploy-Windows-DomainJoin






















































Enforce Windows VMs to join AD Domain 

 



Deny-Public-Endpoints-for-PaaS-Services Policy Initiative includes following policies which apply on specific Azure services.

 




  1.     Deny-PublicEndpoint-CosmosDB

  2.     Deny-PublicEndpoint-MariaDB

  3.     Deny-PublicEndpoint-MySQL

  4.     Deny-PublicEndpoint-PostgreSql

  5.     Deny-PublicEndpoint-KeyVault

  6.     Deny-PublicEndpoint-Sql

  7.     Deny-PublicEndpoint-Storage

  8.     Deny-PublicEndpoint-Aks



  

Deploy-Diag-LogAnalytics PolicySet helps capturing Logs and Metrics as shown below.

 









































































































































































































































































Policy Name Log Categories Metrics
Deploy-Diagnostics-AA JobLogs JobStreams DscNodeStatus AllMetrics
Deploy-Diagnostics-ACI   AllMetrics
Deploy-Diagnostics-ACR   AllMetrics
Deploy-Diagnostics-ActivityLog Administrative Security ServiceHealth Alert Recommendation Policy Autoscale ResourceHealth  
Deploy-Diagnostics-AKS kube-audit kube-apiserver kube-controller-manager kube-scheduler cluster-autoscaler AllMetrics
Deploy-Diagnostics-AnalysisService Engine Service AllMetrics
Deploy-Diagnostics-APIMgmt GatewayLogs Gateway Requests Capacity EventHub Events
Deploy-Diagnostics-ApplicationGateway ApplicationGatewayAccessLog ApplicationGatewayPerformanceLog ApplicationGatewayFirewallLog AllMetrics
Deploy-Diagnostics-Batch ServiceLog AllMetrics
Deploy-Diagnostics-CDNEndpoints CoreAnalytics  
Deploy-Diagnostics-CognitiveServices Audit RequestResponse AllMetrics
Deploy-Diagnostics-CosmosDB DataPlaneRequests MongoRequests QueryRuntimeStatistics Requests”
Deploy-Diagnostics-DataFactory ActivityRuns PipelineRuns TriggerRuns AllMetrics
Deploy-Diagnostics-DataLakeStore Audit Requests AllMetrics
Deploy-Diagnostics-DLAnalytics Audit Requests AllMetrics
Deploy-Diagnostics-EventGridSub   AllMetrics
Deploy-Diagnostics-EventGridTopic   AllMetrics
Deploy-Diagnostics-EventHub ArchiveLogs OperationalLogs AutoScaleLogs AllMetrics
Deploy-Diagnostics-ExpressRoute PeeringRouteLog AllMetrics
Deploy-Diagnostics-Firewall AzureFirewallApplicationRule AzureFirewallNetworkRule AzureFirewallDnsProxy AllMetrics
Deploy-Diagnostics-HDInsight   AllMetrics
Deploy-Diagnostics-iotHub Connections DeviceTelemetry C2DCommands DeviceIdentityOperations FileUploadOperations Routes D2CTwinOperations C2DTwinOperations TwinQueries JobsOperations DirectMethods E2EDiagnostics Configurations AllMetrics
Deploy-Diagnostics-KeyVault AuditEvent AllMetrics
Deploy-Diagnostics-LoadBalancer LoadBalancerAlertEvent LoadBalancerProbeHealthStatus AllMetrics
Deploy-Diagnostics-LogicAppsISE IntegrationAccountTrackingEvents  
Deploy-Diagnostics-LogicAppsWF WorkflowRuntime AllMetrics
Deploy-Diagnostics-MlWorkspace AmlComputeClusterEvent AmlComputeClusterNodeEvent AmlComputeJobEvent AmlComputeCpuGpuUtilization AmlRunStatusChangedEvent Run Model Quota Resource
Deploy-Diagnostics-MySQL MySqlSlowLogs AllMetrics
Deploy-Diagnostics-NetworkSecurityGroups NetworkSecurityGroupEvent NetworkSecurityGroupRuleCounter  
Deploy-Diagnostics-NIC   AllMetrics
Deploy-Diagnostics-PostgreSQL PostgreSQLLogs AllMetrics
Deploy-Diagnostics-PowerBIEmbedded Engine AllMetrics
Deploy-Diagnostics-PublicIP DDoSProtectionNotifications DDoSMitigationFlowLogs DDoSMitigationReports AllMetrics
Deploy-Diagnostics-RecoveryVault CoreAzureBackup AddonAzureBackupAlerts AddonAzureBackupJobs AddonAzureBackupPolicy AddonAzureBackupProtectedInstance AddonAzureBackupStorage  
Deploy-Diagnostics-RedisCache   AllMetrics
Deploy-Diagnostics-Relay   AllMetrics
Deploy-Diagnostics-SearchServices OperationLogs AllMetrics
Deploy-Diagnostics-ServiceBus OperationalLogs AllMetrics
Deploy-Diagnostics-SignalR   AllMetrics
Deploy-Diagnostics-SQLDBs SQLInsights AutomaticTuning QueryStoreRuntimeStatistics QueryStoreWaitStatistics Errors DatabaseWaitStatistics Timeouts Blocks Deadlocks SQLSecurityAuditEvents AllMetrics
Deploy-Diagnostics-SQLElasticPools   AllMetrics
Deploy-Diagnostics-SQLMI ResourceUsageStats SQLSecurityAuditEvents  
Deploy-Diagnostics-StreamAnalytics Execution Authoring AllMetrics
Deploy-Diagnostics-TimeSeriesInsights   AllMetrics
Deploy-Diagnostics-TrafficManager ProbeHealthStatusEvents AllMetrics
Deploy-Diagnostics-VirtualNetwork VMProtectionAlerts AllMetrics
Deploy-Diagnostics-VM   AllMetrics
Deploy-Diagnostics-VMSS   AllMetrics
Deploy-Diagnostics-VNetGW GatewayDiagnosticLog IKEDiagnosticLog P2SDiagnosticLog RouteDiagnosticLog RouteDiagnosticLog TunnelDiagnosticLog AllMetrics
Deploy-Diagnostics-WebServerFarm   AllMetrics
Deploy-Diagnostics-Website   AllMetrics


 

PolicySet Deploy-DNSZoneGroup-For-*-PrivateEndpoint targets Azure services as shown below.

 

































Policy Name Azure Service
Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint Azure Storage Blob
Deploy-DNSZoneGroup-For-File-PrivateEndpoint
Azure Storage File
Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint
Azure Storage Queue
Deploy-DNSZoneGroup-For-Table-PrivateEndpoint
Azure Storage Table
Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint
Azure KeyVault
Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint
Azure SQL Database

 

 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

%d bloggers like this: