Operational compliance in Azure
Operational compliance is the second discipline in any cloud management baseline.
Improving operational compliance reduces the likelihood of an outage related to configuration drift or vulnerabilities related to systems being improperly patched.
For any enterprise-grade environment, this table outlines the suggested minimum for a management baseline.
Process | Tool | Purpose |
---|---|---|
Patch management | Azure Automation Update Management | Management and scheduling of updates |
Policy enforcement | Azure Policy | Automated policy enforcement to ensure environment and guest compliance |
Environment configuration | Infrastructure as code (IaC) | Automated environment creation, configuration, and to avoid configuration drift |
Resource configuration | Desired State Configuration (DSC) | Automated configuration on guest OS and some aspects of the environment |
Update Management
Computers that are managed by the Update Management solution for Azure Automation use the following configurations to do assessment and update deployments:
- Log Analytics agent for Windows or Linux.
- PowerShell DSC for Linux.
- Azure Automation Hybrid Runbook Worker.
- Microsoft Update or Windows Server Update Services (WSUS) for Windows computers.
For more information, see Update Management solution for Azure Automation.
Warning
Before using Update Management, you must onboard virtual machines or an entire subscription into Log Analytics and Azure Automation.
There are two approaches to onboarding:
You should follow one before proceeding with Update Management.
Manage updates
To apply a policy to a resource group:
- Go to Azure Automation.
- Select Automation accounts, and choose one of the listed accounts.
- Go to Configuration Management.
- Use State Configuration (DSC) to control the state and operational compliance of the managed VMs.
Azure Policy
Azure Policy is used throughout governance processes. It's also highly valuable within cloud management processes. Azure Policy can audit and remediate Azure resources and can also audit and configure settings inside a machine. The validation is performed by the machine configuration extension and client. The extension, through the client, validates settings like:
- Operating system configuration.
- Application configuration or presence.
- Environment settings.
An important part of this process is maintaining and updating Azure Policy assignments as your governance process requires. Using IaC can help you update and maintain your policy infrastructure. For more information, see Use IaC to update Azure landing zones.
Action
Assign a built-in policy to a management group, subscription, or resource group.
Apply a policy
To apply a policy to a resource group:
- Go to Azure Policy.
- Select Assign a policy.
Learn more
To learn more, see: