This blog has been co-authored by Andreas Schauber (Microsoft), Verron Martina (NetApp) and Rutger Kosters (NetApp).
Introduction
Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.
Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. Policy definitions for these common use cases are already available in your Azure environment as built-ins to help you get started.
Azure Policy & ANF
As Azure Policy integration for Azure NetApp Files is relatively new, there are no built-in ANF definitions available as of yet, so customers need to create their own.
How to create a custom policy definition is extensively covered in the following article: https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-custom-policy-definition
The policy aliases for the ANF namespace are important, because they are used in the policyRule section. You can retrieve these aliases by running the following PowerShell command.
Get-AzPolicyAlias -NamespaceMatch Microsoft.NetApp | Select-Object -ExpandProperty Aliases | Select-Object Name

Examples
Below are some examples of custom policy definitions that can be assigned to ANF resources.
The following example denies the creation of a capacity pool equal to or greater than 5TiB.
{
  "properties": {
    "displayName": "ANF capacity pool custom policy definition",
    "description": "Denies ANF capacity pool creation equal to or greater than 5TiB (defined in bytes).",
    "mode": "all",
    "policyRule": {
      "if": {
        "field": "Microsoft.NetApp/netAppAccounts/capacityPools/size",
        "greaterOrEquals": 5497558138880
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
After assigning the policy definition, creation of a 5TiB capacity pool is denied.

The following example denies the creation of an NFS volume that contains the default export policy (0.0.0.0/0), which allows access to all clients.
{
  "properties": {
    "displayName": "ANF volume deny NFS export policy allow all",
    "description": "Denies the default allow all clients on NFS volume export policy.",
    "mode": "all",
    "policyRule": {
      "if": {
        "field": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/exportPolicy.rules[*].allowedClients",
        "equals": "0.0.0.0/0"
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
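A field condition on a [*] alias is true only when every array member matches, so the definition above does not deny a volume whose export policy combines an allow-all rule with a more restrictive one. The following added example (not part of the original post) uses a count expression to deny the volume when any rule allows 0.0.0.0/0; it assumes the parent array alias ending in exportPolicy.rules[*] appears in the Get-AzPolicyAlias output for Microsoft.NetApp.

```json
{
  "properties": {
    "displayName": "ANF volume deny any NFS export rule that allows all clients",
    "description": "Denies an NFS volume when at least one export policy rule has allowedClients set to 0.0.0.0/0.",
    "metadata": {
      "note": "Added example. The exportPolicy.rules[*] array alias is an assumption; confirm it with Get-AzPolicyAlias before assigning."
    },
    "mode": "all",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes"
          },
          {
            "count": {
              "field": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/exportPolicy.rules[*]",
              "where": {
                "field": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/exportPolicy.rules[*].allowedClients",
                "equals": "0.0.0.0/0"
              }
            },
            "greater": 0
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Assigning this definition with the audit effect first shows which existing volumes would be flagged before deny is enforced.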
More information on the policy definition structure and the parameters can be found in this article: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure
Closing thoughts
With the ability to leverage Azure Policy for Azure NetApp Files, customers get more granular control over resource allocation and over the enforcement of standards that are relevant to meeting compliance regulations. Keep an eye out for upcoming Microsoft-provided built-in policy definitions, as well as community-provided definitions in the GitHub repository listed below.
References
https://docs.microsoft.com/en-us/azure/governance/policy/overview
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure
https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-custom-policy-definition
https://github.com/Azure/Community-Policy