This article is contributed. See the original author and article here.
Policy-driven Governance is a cornerstone in Enterprise-scale Landing Zone (ESLZ!). It’s possible to codify corporate, industry or country specific governance requirements declaratively using Azure Policy. ESLZ provides 90+ custom policies which help in meeting most common corporate governance requirements with a single click.
Benefits of these 90+ custom policies is documented in detail.
Following table lists these policies and the governance requirements they help in enforcing.
Deny-Public-Endpoints-for-PaaS-Services Policy Initiative includes following policies which apply on specific Azure services.
- Deny-PublicEndpoint-CosmosDB
- Deny-PublicEndpoint-MariaDB
- Deny-PublicEndpoint-MySQL
- Deny-PublicEndpoint-PostgreSql
- Deny-PublicEndpoint-KeyVault
- Deny-PublicEndpoint-Sql
- Deny-PublicEndpoint-Storage
- Deny-PublicEndpoint-Aks
Deploy-Diag-LogAnalytics PolicySet helps capturing Logs and Metrics as shown below.
| Policy Name | Log Categories | Metrics |
| Deploy-Diagnostics-AA | JobLogs JobStreams DscNodeStatus | AllMetrics |
| Deploy-Diagnostics-ACI | AllMetrics | |
| Deploy-Diagnostics-ACR | AllMetrics | |
| Deploy-Diagnostics-ActivityLog | Administrative Security ServiceHealth Alert Recommendation Policy Autoscale ResourceHealth | |
| Deploy-Diagnostics-AKS | kube-audit kube-apiserver kube-controller-manager kube-scheduler cluster-autoscaler | AllMetrics |
| Deploy-Diagnostics-AnalysisService | Engine Service | AllMetrics |
| Deploy-Diagnostics-APIMgmt | GatewayLogs | Gateway Requests Capacity EventHub Events |
| Deploy-Diagnostics-ApplicationGateway | ApplicationGatewayAccessLog ApplicationGatewayPerformanceLog ApplicationGatewayFirewallLog | AllMetrics |
| Deploy-Diagnostics-Batch | ServiceLog | AllMetrics |
| Deploy-Diagnostics-CDNEndpoints | CoreAnalytics | |
| Deploy-Diagnostics-CognitiveServices | Audit RequestResponse | AllMetrics |
| Deploy-Diagnostics-CosmosDB | DataPlaneRequests MongoRequests QueryRuntimeStatistics | Requests” |
| Deploy-Diagnostics-DataFactory | ActivityRuns PipelineRuns TriggerRuns | AllMetrics |
| Deploy-Diagnostics-DataLakeStore | Audit Requests | AllMetrics |
| Deploy-Diagnostics-DLAnalytics | Audit Requests | AllMetrics |
| Deploy-Diagnostics-EventGridSub | AllMetrics | |
| Deploy-Diagnostics-EventGridTopic | AllMetrics | |
| Deploy-Diagnostics-EventHub | ArchiveLogs OperationalLogs AutoScaleLogs | AllMetrics |
| Deploy-Diagnostics-ExpressRoute | PeeringRouteLog | AllMetrics |
| Deploy-Diagnostics-Firewall | AzureFirewallApplicationRule AzureFirewallNetworkRule AzureFirewallDnsProxy | AllMetrics |
| Deploy-Diagnostics-HDInsight | AllMetrics | |
| Deploy-Diagnostics-iotHub | Connections DeviceTelemetry C2DCommands DeviceIdentityOperations FileUploadOperations Routes D2CTwinOperations C2DTwinOperations TwinQueries JobsOperations DirectMethods E2EDiagnostics Configurations | AllMetrics |
| Deploy-Diagnostics-KeyVault | AuditEvent | AllMetrics |
| Deploy-Diagnostics-LoadBalancer | LoadBalancerAlertEvent LoadBalancerProbeHealthStatus | AllMetrics |
| Deploy-Diagnostics-LogicAppsISE | IntegrationAccountTrackingEvents | |
| Deploy-Diagnostics-LogicAppsWF | WorkflowRuntime | AllMetrics |
| Deploy-Diagnostics-MlWorkspace | AmlComputeClusterEvent AmlComputeClusterNodeEvent AmlComputeJobEvent AmlComputeCpuGpuUtilization AmlRunStatusChangedEvent | Run Model Quota Resource |
| Deploy-Diagnostics-MySQL | MySqlSlowLogs | AllMetrics |
| Deploy-Diagnostics-NetworkSecurityGroups | NetworkSecurityGroupEvent NetworkSecurityGroupRuleCounter | |
| Deploy-Diagnostics-NIC | AllMetrics | |
| Deploy-Diagnostics-PostgreSQL | PostgreSQLLogs | AllMetrics |
| Deploy-Diagnostics-PowerBIEmbedded | Engine | AllMetrics |
| Deploy-Diagnostics-PublicIP | DDoSProtectionNotifications DDoSMitigationFlowLogs DDoSMitigationReports | AllMetrics |
| Deploy-Diagnostics-RecoveryVault | CoreAzureBackup AddonAzureBackupAlerts AddonAzureBackupJobs AddonAzureBackupPolicy AddonAzureBackupProtectedInstance AddonAzureBackupStorage | |
| Deploy-Diagnostics-RedisCache | AllMetrics | |
| Deploy-Diagnostics-Relay | AllMetrics | |
| Deploy-Diagnostics-SearchServices | OperationLogs | AllMetrics |
| Deploy-Diagnostics-ServiceBus | OperationalLogs | AllMetrics |
| Deploy-Diagnostics-SignalR | AllMetrics | |
| Deploy-Diagnostics-SQLDBs | SQLInsights AutomaticTuning QueryStoreRuntimeStatistics QueryStoreWaitStatistics Errors DatabaseWaitStatistics Timeouts Blocks Deadlocks SQLSecurityAuditEvents | AllMetrics |
| Deploy-Diagnostics-SQLElasticPools | AllMetrics | |
| Deploy-Diagnostics-SQLMI | ResourceUsageStats SQLSecurityAuditEvents | |
| Deploy-Diagnostics-StreamAnalytics | Execution Authoring | AllMetrics |
| Deploy-Diagnostics-TimeSeriesInsights | AllMetrics | |
| Deploy-Diagnostics-TrafficManager | ProbeHealthStatusEvents | AllMetrics |
| Deploy-Diagnostics-VirtualNetwork | VMProtectionAlerts | AllMetrics |
| Deploy-Diagnostics-VM | AllMetrics | |
| Deploy-Diagnostics-VMSS | AllMetrics | |
| Deploy-Diagnostics-VNetGW | GatewayDiagnosticLog IKEDiagnosticLog P2SDiagnosticLog RouteDiagnosticLog RouteDiagnosticLog TunnelDiagnosticLog | AllMetrics |
| Deploy-Diagnostics-WebServerFarm | AllMetrics | |
| Deploy-Diagnostics-Website | AllMetrics |
PolicySet Deploy-DNSZoneGroup-For-*-PrivateEndpoint targets Azure services as shown below.
| Policy Name | Azure Service |
| Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint | Azure Storage Blob |
| Deploy-DNSZoneGroup-For-File-PrivateEndpoint | Azure Storage File |
| Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint | Azure Storage Queue |
| Deploy-DNSZoneGroup-For-Table-PrivateEndpoint | Azure Storage Table |
| Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint | Azure KeyVault |
| Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint | Azure SQL Database |
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.
Recent Comments