
January 8, 2025 • 27 mins

This week, we're taking a real-life look at Azure Policies. We've talked about the capability a bit before. Let's see what insights we've gathered over the previous months working with Azure Policy. Also, Jussi asks Tobi an unexpected question.

(00:00) - Intro and catching up.
(02:50) - Show content starts.

Show links
- Sample KQL queries from Microsoft
- AzAdvertizer
- Azure Resource Inventory




Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Tobias Zimmergren (00:12):
Hey there, and welcome to another episode of Control Alt Azure. I'm Tobias, and I'm back with Jussi. What's up?

Jussi Roine (00:18):
Hey, Tobias. It's 2025 now. I took some time off, worked a little bit here and there. But there was plenty of time to do fun stuff with the family. We mostly stayed at home. Lots of snow, lots of nice dinners, really slow mornings. That was fun. On a personal note, I did hit a new personal

(00:43):
record at the gym with bench press. And perhaps it's a vanity goal, but that was something I realized after hitting that record. That was something that I set out to achieve 5 years ago when I got started at the gym. And now that that is done, I'm planning for new goals at the

(01:07):
gym, obviously, but also throughout the year as well to do new exciting stuff and achieve a little bit more again than last year. What's up with you?

Tobias Zimmergren (01:20):
So on my end, I just came back from a ski trip with a family. I think I mentioned that in a previous episode. We had a really great time in the slopes. And personally, I'm proud that I, myself, who's not a skier and did not grow up skiing, I can now master all the open slopes in the system. The black slope was closed, so therefore it was

(01:41):
easy to master the, like, semi-advanced red ones. I'm a pretty quick learner. It was amazingly fun. I mostly use Snowblades, like the shorter type of ski that enables me to really have a lot more fun. I could go jumping. I could do some one-eighties. I fell down a little bit, but do some fun tricks along the way as

(02:02):
well. That was really fun. But more importantly, the 7-year-old made some really good progress. She's also never been skiing in her life. She went 3 days last year, same as me, and now for a week. And she's now sliding down the slopes herself. And we got some training to do with the 4-year-old, but we'll definitely plan on another ski trip again. So this was a lot of fun for the

(02:23):
family, a lot of good memories built up. And I can feel I'm recharged. I'm mentally recharged. I'm physically recharged. Except maybe for today after doing a lot of laundry and, you know, unpacking the car, getting back from the trip and all that stuff, 10 hour driving. But, yeah, it feels great.

Jussi Roine (02:42):
That sounds awesome. Skiing, especially with the family, that's always nice. Today, we will be talking about lessons learned with Azure Policy. You might recall that we did an episode on Azure Policy at the general level during episode 25, which feels like it was 4 years ago, and I think

(03:06):
it was 4 years ago. And then we had Jesse Loudon as a guest to talk more in-depth on Azure Policies in Episode 109. And all of the guidance from there is still very valid. And while the actual capability of Azure policies is very mature,

(03:28):
I've always felt that Azure policy is a little bit gray and boring, but it still is the cornerstone of any Azure architecture. So today, we'll talk about a couple of lessons learned in recent months on Azure Policy. But before we get to the lessons, Toby, how would you define what is Azure Policy,

(03:51):
just in case somebody's listening and is not intimately familiar with Azure Policy?

Tobias Zimmergren (03:57):
So without, like, diving into the details, because we can probably do a new episode fully on Azure Policy and what it is and do the sales pitch, it's really a way for you to bring governance to, you know, the resources and the technical platform you have. You know, up from the management group level and tenant level, you can say, in this subscription, in this tenant, we will only allow a specific type

(04:20):
of resource to be deployed. It should be deployed this way. Here's the kind of patterns. Here's the rules. Here's the kind of governance policies we want to apply to specific types of resources. For example, if you wanna deploy things in a specific region only, if you wanna avoid certain regions, if you wanna disallow something, if you wanna limit the SKUs, you can choose. You know, Azure Policy can help you

(04:42):
do things like that. And there's a bunch of built-in ones, and then you can customize and build your own and define your own kind of rules. So it's really a versatile tool to bring governance to your fingertips. That's how I would describe it if you did a napkin presentation or if we're in an elevator for 5 floors. That's pretty much, you know, how I would box it in.

Jussi Roine (05:02):
That's a nice description. When I got working more on Azure Policy way back when, I always initially felt that Azure Policy is like a GPO for the cloud, GPO, the group policy objects you would have in Active Directory. And, well, it sort of is, but it does a lot of other things as well. So you can

(05:25):
sort of deny and allow stuff that can or shouldn't happen, but you can also do compliance reporting based on what you defined in your Azure policies. So with this out of the way, let's go through a couple of lessons with Azure policy. And I've got one here. Let's debate a little bit on this.

(05:48):
Let me just set the scene here. The lesson for me was recently, what policies do we have? That was the question. And there was a scenario where we inherited a new environment. Or perhaps somebody did some work on policies, but you don't

(06:09):
really have proper documentation on that one. So you need to figure out what policies do we have, how are they deployed, where, when, by whom, and how. And then you also need to figure out if there's any custom policies and how those are managed. And maybe 1 or more of those custom policies are

(06:33):
bypassing your built-in policies. And is there a reason for that? What if we enable a built-in policy now? Would it break something else from custom policies or from your real services? So this was sort of the first big question I was asked. Jussi, can you have a look? What policies do we have? And I thought, well, this will take me

(06:56):
2 and a half minutes. I'm done before lunch, and I can do a long lunch and a long coffee break and then do something else. But it was surprisingly tricky. I've got a couple of insights that I got from this. We're gonna go through those in a little bit. But what sort of ideas are you getting from this if somebody were to ask you,

(07:18):
hey, Toby. What policy do we have? How would you start approaching this problem?

Tobias Zimmergren (07:25):
Yeah. I think this is a great question. Right? Because this is something I used to do a little bit, and this is something I see customers doing as well. And like building an inventory is not always easy, especially if you have multiple tenants, or if you have multiple subscriptions. This can be a tricky thing. I've used something like

(07:48):
AzAdvertizer, which you can get from azadvertizer.net. It's a third-party tool built by a Microsoft employee, but it's not kind of officially supported by Microsoft. I just want to mention that as a disclaimer. That's a pretty good tool to understand Azure policies and policy definitions and what exists and what does that look like.

(08:09):
So that's been a good starting point for me. I've used in the past a little bit of KQL. You could query and say, hey, what do we have here? Use the Azure portal. But as soon as you kind of go beyond a certain boundary, if you have a single subscription or a couple of few smaller subscriptions, using the Azure portal is pretty easy. Right? But if you have a huge enterprise with multiple tenants

(08:32):
or multiple, you know, hundreds or thousands of subscriptions spread out, this becomes a little bit more tricky. So for me, like, my personal experience has been more with AzAdvertizer. I've done some PowerShell scripts to do inventory and stuff like that, but that's kind of the extent. I never did this for the, like, large enterprises with, you

(08:53):
know, thousands of subscriptions.

Jussi Roine (08:56):
Yeah. I fully agree on that one, especially if it's a smaller environment. Typically, if you go to Azure portal, then you select policy. You get the Azure policy compliance view. And from there, you can view all the policies. It's relatively easy to get the big picture from there. But as you said, if you have 300 subscriptions, it's relatively

(09:19):
hard now to get the grasp of the big picture. With maybe hundreds or thousands of policies, the UI in Azure policy view becomes quite slow. So it starts paging the stuff for you at least, maybe 50 policies at a time. Then you click next. There's no page numbers. Then you get 50 more. And it's really

(09:42):
hard to sort of try to build this mental image that, okay, I have 300 policies. How are they applied? At what level? Are we applying them through management groups or to subscriptions or someplace else? And there's no line numbers in any of the views. So maybe you're seeing a list of policies

(10:02):
that these policies are applied. Well, is it 25 policies? Is it 30 policies? You have to count the rows visually on the screen or do some sort of scripting in there. The other sort of lesson as part of this what policies do we have is that you cannot assume that

(10:23):
you're a global admin. So, obviously, in your home environment, you're always the global admin. You can do whatever. But perhaps you are a global reader or just reader, and you have to request for elevation of permissions to do stuff, and that might be time-bombed.

(10:44):
So it adds this friction in trying to do stuff that you feel takes 2 minutes or 5 minutes. And if you cannot deploy 3rd party tools like AzAdvertizer, which is super handy, if you cannot deploy that one, then you relatively quickly start thinking about building your custom tools or using something

(11:06):
outside the environment, if you can connect to that remotely. Just a quick side note on this one, though. If you inherit an existing Azure environment, the Azure Resource Inventory, which is an open source tool, it's super handy, and it's

(11:26):
available as a PowerShell module now. So when you install ARI, Azure Resource Inventory, you can just type Invoke-ARI, and it goes through the whole environment and produces a really nice looking report. What goes where? What subscriptions do you have? What VNets do you have? What VMs, what are the total resources. It

(11:49):
doesn't really give you that much in policies, but at least, it is giving you the big picture, which you can then mentally apply to your policy views to try to understand what's where and how and why. So that was the first lesson. The next one, you mentioned KQL already. And we've talked about KQL a couple of times in the

(12:11):
past. What's your 2025 take on KQL as a query language today?

Tobias Zimmergren (12:21):
That's a really good question. And, you know, couple years back, I loved KQL. And then a few years after that, I disliked it. And then I loved it again. So it kind of depends on what you're doing. Right? It's a specific query language specifically for, you know, pulling out resources on Azure and figuring out what

(12:44):
your Azure estate looks like. And, you know, it's connected to Azure Data Explorer, and you can use that, and you can run the kind of heavy queries and do heavy computational stuff with it. So what's my take on this as a query language? Well, you kind of learn it and get used to it, and then it kind of works. But I don't have any opinion on the actual language itself. The

(13:09):
question I usually ask myself is will this get the job done? Like what is the purpose, what am I trying to achieve here? And what's the purpose of me trying to achieve this? Does it fulfill a business need? Is this where the business needs the time invested? Is this what I need to be focusing on? And if so, great. We figure it out.

(13:29):
This is a goal we have. This is a mission we have. This is something we need to work towards. How do I get there? And if KQL is that way, great. If it's something else, cool. I'll go with that. So I don't have a strong opinion, just like if you would ask what's my favorite web browser? I don't care. Like, what's my favorite laptop? Same thing. I don't care. What's the goal that we need to achieve and

(13:51):
what's the best way to get there? So my own opinions aside, let's go with the best option for the problem that we have. So that's my kind of political answer to that.

Jussi Roine (14:04):
I admire your political approach in here. Because my opinion here is that KQL is horrible. It's painful to type. It's impossible to memorize. It's hard to quickly glance at a lengthy query to try to figure out what is this doing.

(14:25):
It's a little bit like with SQL, simple SQL statements, not a problem. But then you have a 2 pager, and you're like, this is almost like a functional program. Why aren't you using SQL for this? So for Azure policies, when I couldn't really grasp the big picture with hundreds of policies and

(14:47):
hundreds of custom policies, I figured, let's use KQL. And what I had forgotten, and this might be obvious to somebody listening on this one, but what I had forgotten was that KQL comes in a couple of different variants.

Tobias Zimmergren (15:04):
Mhmm. Yep.

Jussi Roine (15:04):
There's the one variant that you can run in Resource Graph Explorer in Azure portal. And then there's the other one, the more beefy one that requires or dictates that you should use Data Explorer and spin up the compute clusters and really dive deep into that one. And those type of queries

(15:25):
typically are quite lengthy to execute. So if you're just wanting to do some ad hoc stuff, you typically gravitate for Resource Graph Explorer. And what bit me here is that I used some of the sample queries from Microsoft on figuring out what Azure policies do I have, and none of them worked.

(15:48):
So Resource Graph Explorer was complaining about the syntax, but I was literally copying them from Microsoft Learn. And I was like, I'm not doing a typo in here. There's no IntelliSense. And then it hit me. Oh, maybe this environment I'm executing this in doesn't have the full language capabilities that I'm expecting it to have.

(16:10):
I went to Data Explorer, oh, they work in here. So again, you have KQL, but it's a different type of KQL depending on what your interface is. And that's what I actively dislike about KQL. Any thoughts on this?

Tobias Zimmergren (16:26):
No. You know, a couple years back when I was operating, like, distributed, globally deployed subscriptions and tenants, this is something I stumbled upon as well. So it's a familiar problem. I have not worked a lot with KQL in detail since, so I would have expected

(16:47):
that to become a bit more clear, but I hear the story remains kind of the same. It's a very powerful query language, but you have to know where to apply which query. Otherwise, you'll probably waste a little bit of time on what you just did. Like, trying to execute queries here, but it's actually over here you should run the query, but it's the same language or the same type of query that you're trying to

(17:08):
execute.

Jussi Roine (17:09):
Yeah. And then when the queries fail or the interface is giving you red text but not really telling you why it's failing, then you spend a lot of time trying to troubleshoot the syntax. And once you get it running, you cannot really be sure, am I still getting the stuff that I wanted? And you sort of have to redo the query again with this

(17:32):
mindset. So once you've found the queries, typically, what you want to find is list all custom policies, all the metadata on those. List all built-in policies, all the metadata on those. List all initiatives, meaning the sort of envelopes that pack together

(17:53):
policies and apply them someplace. And also, list the compliance status. And obviously, you can see the compliance status in the policy view. But what's useful in here is to try to understand, do I have one policy affecting 15,000 resources and failing?

(18:13):
Or do I have 500 policies affecting a single resource and failing? Either way, the compliance status will be red. But it's important for you to understand, is it a big or a small problem for me to try to fix the compliance status to become green again? So once you have these queries, you export

(18:35):
to Excel using the best format known to man, CSV files. And once you have them in Excel, then it becomes easier. What I did try, GitHub Copilot now has the o1 language model support. So what I did use was with o1, I could quite

(18:56):
rapidly craft nice looking KQL queries that have mostly worked. I needed to tweak them a little bit in the Resource Graph Explorer. But before o1, everything I got from GitHub Copilot or from my local LLMs were broken queries, and they wouldn't work at all in me trying to figure out what's

(19:17):
happening with the policies. So there's a little bit of a disconnect here with the graphical interface and figuring out the queries to get the same information, but get that to Excel so that I can really dive deep into the source data. So this was lesson number 2. I think we have one more lesson. What did you have in mind?

Tobias Zimmergren (19:39):
So for me, one of the things that I've, you know, I've stepped on that mine a couple of times in production or in systems where we wanted to kind of enforce specific policies, but we didn't test them out, or we didn't have a chance to test them out, or we thought we tested them out. The lesson number 3 for me would be start with audit mode. Always

(20:02):
try to start with audit mode. So audit mode in Azure Policy, that's like a non-enforcing evaluation mode, if you will. And this kind of allows you to assess and monitor the compliance without really making any changes to your resources. So when a policy is set to audit mode, then Azure Policy will evaluate resources against that condition, and it will identify

(20:25):
non-compliant resources. But it will not block the creation of the non-compliant resources, and it will not modify the existing ones. And I think that's the key point. You will discover them. You will identify them. You will kind of build visibility. So, it doesn't hinder you or enforce anything, but it monitors and brings visibility to, kind of, the estate you have. And also says:

(20:49):
hey, if you were to apply this policy, you know, here's a bunch of things breaking compliance. That's good for you to know because then you can start working on that before you start breaking your production environments. So for me, that's, you know, that was the number one thing. Whenever we deployed and developed, you know, bigger sets

(21:10):
of policies, always go with audit mode. Right? And don't just assume you can start enforcing things because there's a lot of things and a lot of kind of divisions in large enterprises as well that will likely be impacted in one or another way. So why is this important? Well, obviously, enforcing a policy immediately can disrupt your

(21:33):
operations. And it can conflict with existing configurations. So kind of have to be mindful how and when you start enforcing versus just auditing. So the lesson learned here for me over the years is use audit mode for new policies to evaluate compliance without enforcing them. And then this will allow you to better understand the impact first. Then you can refine your

(21:56):
policies as necessary if you see that, well, this is not gonna work. Or if we do this, our production is gonna stop. Or if we do this, we're gonna hinder the entire business from doing x, y, or zed. Then you can kind of assess and understand that impact. Then you can refine the policy, and then you can gradually start enforcing it. So you don't, maybe you don't need to start at the

(22:16):
top and say, hey, for the entire tenant or the, you know, root management group, let's enforce this entire thing. You might wanna do it for specific divisions that might be more mature or in areas where you see a lot of problems, but you don't wanna cause disruptions for the rest of the business. So that's my, probably, lesson number 3, that's my best

(22:36):
tip. Start with audit mode to build an understanding of the impact of applying the policies and get some monitoring on this. You know, and kind of assess is this the right policy? Is it configured the right way? Is it gonna help us configure our Azure estate the best way and the right way in a compliant way that we want? And then build

(22:57):
your understanding of that audit mode. When you've done that, you can switch that and say, okay, now we know here's what's gonna happen. Here's the impact. This is, you know, we're doing an assessment now and we can see this is what the landscape will look like if we deploy these things. And then you can switch. So that's my number 3. Always go

(23:17):
with audit mode first. Because I did do, like, this is a lesson I learned in production where we had a globally distributed system operated across the globe. And one of the things we needed to do was enforce specific regions or rather disallow certain regions, disallow certain SKUs to be

(23:40):
deployed while still enabling kind of the DevOps mindset, like developers and dev divisions. And, you know, folks should still be able to deploy certain types of things and run their CI/CD pipelines and stuff like that, but we still had to restrict a bunch of things. And in doing so, we also realized that we kind of just started

(24:02):
enforcing something, and then we didn't realize what the full impact of that was until a couple of days later when we had a bunch of problems deploying other things we did not expect. So that's my lesson learned. Start with audit mode, you know, assess the landscape, understand the impact, and then take it from there.

Jussi Roine (24:22):
I like this. And what I'm recalling now is that as part of the cloud adoption framework, there's some additional capabilities beyond audit mode, stuff like deploy if not exists and modify. So regardless of which mode you're planning on deploying your policies, start with audit mode.

(24:45):
Otherwise, if somebody's deploying custom policies over a pipeline, for example, it might take several minutes to deploy. And if you now have deny or deploy if not exists or modify or something similar, then Azure will trap those deployments and go, hold on. I'm seeing a policy that doesn't do x, but the policy is still

(25:10):
being deployed and evaluated. But now you have Azure picking it up in the middle of that process, starting to modify stuff for you, and everything will break. So audit mode definitely is going to be your friend. So the tools that we mentioned, AzAdvertizer, Azure Resource Inventory, and a

(25:32):
couple of sample KQL queries, they will be in the show notes. Have a look at those. This was fun with Azure policies. I'm happy I got this done. I don't have to spend that many hours with Azure policies any longer in the next couple of weeks. Perhaps I will get to enjoy them later as well. And the last bit is the unexpected

(25:55):
question. It is 2025. Toby, I have a question for you. Are you ready?

Tobias Zimmergren (26:00):
Let's go.

Jussi Roine (26:01):
If your life were a sitcom, what would it be called,
and what's the theme song?

Tobias Zimmergren (26:10):
Okay. Well, based on my recent experience and coming back from the ski trip, this would probably be something like The Chronicles of Laundry, which is probably a comedy drama about the never-ending laundry battles, probably playing something like Eye of the Tiger in the background because that's what I had on my Spotify today as well,

(26:31):
yesterday, as I did 6 baskets of laundry, or 6 machines. So at least right now, after getting back from the ski trip, that's my life. So The Chronicles of Laundry, with Tobias.

Jussi Roine (26:45):
Yeah. I can feel it as well. We do laundry quite often at home as well, and that's not the tricky bits. But then somebody needs to hang them to dry at 9 o'clock, and somebody needs to collect the dry clothes the next day and fold them neatly and divide them between the kids' bedrooms and

(27:06):
wardrobes. And it seems like it's never-ending. So, yeah, I would definitely join on that sitcom as well. Alrighty. Thanks for tuning in. See you next week.

Tobias Zimmergren (27:17):
Alright. See you then.