
Azure Policy now available for Azure NetApp Files

This blog has been co-authored by Andreas Schauber (Microsoft), Verron Martina (NetApp) and Rutger Kosters (NetApp). 

Introduction
Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources. 

Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. Policy definitions for these common use cases are already available in your Azure environment as built-ins to help you get started. 

Azure Policy & ANF
Azure Policy support for Azure NetApp Files is relatively new, so at the time of writing there are no built-in ANF policy definitions; customers need to create their own custom definitions.
 
How to create a custom policy definition is extensively covered in the following article: https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-custom-policy-definition 

The key elements are the policy aliases for the Microsoft.NetApp namespace, which are referenced in the policyRule section of a definition. You can list these aliases with the following PowerShell command (Az.Resources module).

Get-AzPolicyAlias -NamespaceMatch Microsoft.NetApp | Select-Object -ExpandProperty Aliases | Select-Object Name

[Screenshot: Azure Policy ANF aliases]
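As an added example (not code from the original post), the following script lists the ANF aliases that relate to pool size and export policies and checks up front that the two aliases referenced by the definitions on this page exist in the subscription. A misspelled alias only surfaces as an error when the definition is created, so this check saves a round trip. It assumes Az.Resources is installed and Connect-AzAccount has been run.

```powershell
# Added example: discover Microsoft.NetApp policy aliases and verify the ones a
# definition will reference. Assumes Az.Resources and an authenticated Az session.
$anfAliases = Get-AzPolicyAlias -NamespaceMatch 'Microsoft.NetApp'

# Flatten to alias names, as the original one-liner does, then show only the
# properties the examples on this page care about (pool size and export policy).
$known = $anfAliases |
    Select-Object -ExpandProperty Aliases |
    Select-Object -ExpandProperty Name

$known | Where-Object { $_ -match 'capacityPools/size$|exportPolicy' } | Sort-Object

# Aliases referenced by the policyRule sections on this page. If one of them is
# missing (typo, or not yet exposed by the resource provider), stop here.
$required = @(
    'Microsoft.NetApp/netAppAccounts/capacityPools/size',
    'Microsoft.NetApp/netAppAccounts/capacityPools/volumes/exportPolicy.rules[*].allowedClients'
)
$missing = $required | Where-Object { $_ -notin $known }
if ($missing) {
    throw "Unknown policy alias(es): $($missing -join ', ')"
}
'All required aliases are present.'
```

Run this before New-AzPolicyDefinition; the same $known list can be searched for any other ANF property you want to govern.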

Examples
Below are some examples of custom policy definitions that can be assigned to ANF resources.
 
The following example denies the creation of a capacity pool with a size of 5 TiB or more. The size alias is expressed in bytes, so 5 TiB is written as 5497558138880 (5 × 1024^4).

{
    "properties": {
        "displayName": "ANF capacity pool custom policy definition",
        "description": "Denies ANF capacity pool creation equal to or greater than 5TiB (defined in bytes).",
        "mode": "All",
        "parameters": {},
        "policyRule": {
            "if": {
                "field": "Microsoft.NetApp/netAppAccounts/capacityPools/size",
                "greaterOrEquals": 5497558138880
            },
            "then": {
                "effect": "deny"
            }
        }
    }
}

After assigning the policy definition, creation of a 5 TiB capacity pool is denied with a RequestDisallowedByPolicy error from Azure Resource Manager.

[Screenshot: capacity pool policy error]
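The following script is an added example and not code from the original post. It takes the capacity pool rule above, makes the size threshold and the effect parameters (so the same definition can be rolled out as Audit and later switched to Deny), creates and assigns it with Az PowerShell, and then checks that a 5 TiB pool is denied while a 4 TiB pool still succeeds. It assumes the Az.Resources, Az.NetAppFiles and Az.PolicyInsights modules are installed, Connect-AzAccount has been run, and that the resource group, NetApp account and location names are placeholders for an existing environment.

```powershell
# Added example: parameterized capacity pool policy, created, assigned and tested.
# Assumes Az.Resources, Az.NetAppFiles, Az.PolicyInsights and an authenticated session.
$rgName      = 'rg-anf-demo'        # placeholder resource group
$accountName = 'anf-demo-account'   # placeholder NetApp account, must exist in $rgName
$location    = 'westeurope'         # placeholder region

# Same alias as the original definition, but the threshold and the effect are
# parameters. The type check limits evaluation to capacity pool resources.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.NetApp/netAppAccounts/capacityPools" },
      {
        "field": "Microsoft.NetApp/netAppAccounts/capacityPools/size",
        "greaterOrEquals": "[parameters('maxPoolSizeBytes')]"
      }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

$policyParams = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Audit",
    "metadata": { "displayName": "Effect" }
  },
  "maxPoolSizeBytes": {
    "type": "Integer",
    "defaultValue": 5497558138880,
    "metadata": { "displayName": "Pool size in bytes at or above which the effect applies (default 5 TiB)" }
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'anf-capacity-pool-max-size' `
    -DisplayName 'ANF capacity pool custom policy definition' `
    -Description 'Audits or denies ANF capacity pools whose size is greater than or equal to maxPoolSizeBytes.' `
    -Mode All -Policy $policyRule -Parameter $policyParams

# Assign at resource group scope with Deny. PowerShell's TB suffix is binary, so 5TB is
# exactly 5 TiB = 5497558138880 bytes, the value the original definition hard-codes.
$scope = (Get-AzResourceGroup -Name $rgName).ResourceId
$assignment = New-AzPolicyAssignment -Name 'anf-pool-max-size-deny' -Scope $scope `
    -PolicyDefinition $definition -PolicyParameterObject @{ effect = 'Deny'; maxPoolSizeBytes = 5TB }

# A new assignment is not enforced instantly; allow a few minutes before this check.
try {
    New-AzNetAppFilesPool -ResourceGroupName $rgName -AccountName $accountName -Location $location `
        -Name 'pool-too-large' -PoolSize 5TB -ServiceLevel Premium -ErrorAction Stop | Out-Null
    Write-Warning 'A 5 TiB pool was created: the assignment is not enforced yet or the pool is out of scope.'
}
catch {
    # Resource Manager reports a policy deny with error code RequestDisallowedByPolicy;
    # depending on the cmdlet it appears in the exception message or in ErrorDetails.
    $text = "$($_.Exception.Message) $($_.ErrorDetails.Message)"
    if ($text -match 'RequestDisallowedByPolicy') {
        Write-Host "Creation denied as expected by assignment '$($assignment.Name)'."
    } else { throw }
}

# Below the threshold the request must still succeed.
New-AzNetAppFilesPool -ResourceGroupName $rgName -AccountName $accountName -Location $location `
    -Name 'pool-within-limit' -PoolSize 4TB -ServiceLevel Premium | Select-Object Name, Size

# Deny does not touch pools that already existed; they show up as NonCompliant instead.
Get-AzPolicyState -ResourceGroupName $rgName -PolicyAssignmentName $assignment.Name `
    -Filter "ComplianceState eq 'NonCompliant'" | Select-Object ResourceId, ComplianceState
```

Assigning with effect = 'Audit' first is the usual rollout path: existing oversized pools become visible in the compliance dashboard without blocking anyone, and the assignment parameter is flipped to Deny once the findings have been handled.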

The following example denies the creation of an NFS volume whose export policy contains the default rule (allowed clients 0.0.0.0/0), which grants access to all clients. Note that allowedClients is a comma-separated string of IP addresses or CIDR ranges, which is why the contains operator is used rather than equals.

{
    "properties": {
        "displayName": "ANF NFS export policy custom policy definition",
        "description": "Denies allow all clients on NFS volume export policy.",
        "mode": "All",
        "parameters": {},
        "policyRule": {
            "if": {
                "anyOf": [
                    {
                        "field": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/exportPolicy.rules[*].allowedClients",
                        "contains": "0.0.0.0/0"
                    }
                ]
            },
            "then": {
                "effect": "deny"
            }
        }
    }
}
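The export policy definition above is written as a plain field condition on the rules[*] alias, which fits the single default rule the text describes. As an added example (not from the original post), the variant below expresses the same intent with a count expression, so that the effect fires as soon as at least one rule of the volume grants 0.0.0.0/0, however many other rules the export policy has, and it scopes the rule to the volume resource type. It is assigned in Audit mode first and an on-demand compliance scan is triggered to surface existing volumes. It assumes Az.Resources and Az.PolicyInsights are installed, Connect-AzAccount has been run, the resource group name is a placeholder, and that the array alias Microsoft.NetApp/netAppAccounts/capacityPools/volumes/exportPolicy.rules[*] is exposed by the provider (verify it with Get-AzPolicyAlias).

```powershell
# Added example: count-based export policy rule, assigned as Audit, then scanned.
# Assumes Az.Resources, Az.PolicyInsights and an authenticated Az session.
$rgName = 'rg-anf-demo'   # placeholder resource group

# count/where evaluates each export rule and counts the ones whose comma-separated
# allowedClients string contains 0.0.0.0/0; "greater": 0 means "any rule matches".
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes" },
      {
        "count": {
          "field": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/exportPolicy.rules[*]",
          "where": {
            "field": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/exportPolicy.rules[*].allowedClients",
            "contains": "0.0.0.0/0"
          }
        },
        "greater": 0
      }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

$policyParams = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Audit",
    "metadata": { "displayName": "Effect" }
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'anf-nfs-export-no-allow-all' `
    -DisplayName 'ANF NFS export policy custom policy definition' `
    -Description 'Audits or denies ANF volumes with an export policy rule that allows all clients (0.0.0.0/0).' `
    -Mode All -Policy $policyRule -Parameter $policyParams

# Audit first: existing volumes are reported, nothing is blocked yet.
$scope = (Get-AzResourceGroup -Name $rgName).ResourceId
$assignment = New-AzPolicyAssignment -Name 'anf-export-allow-all-audit' -Scope $scope `
    -PolicyDefinition $definition -PolicyParameterObject @{ effect = 'Audit' }

# Trigger an evaluation instead of waiting for the next scheduled scan, then list findings.
Start-AzPolicyComplianceScan -ResourceGroupName $rgName
Get-AzPolicyState -ResourceGroupName $rgName -PolicyAssignmentName $assignment.Name `
    -Filter "ComplianceState eq 'NonCompliant'" | Select-Object ResourceId, ComplianceState
```

Once the audited volumes have had their export rules tightened, re-create the assignment (or update it) with effect = 'Deny' to block new volumes that open access to all clients.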

More information on the policy definition structure and the parameters can be found in this article: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure 

Closing thoughts
With the ability to leverage Azure Policy for Azure NetApp Files, customers get more granular control over resource allocation and can enforce the standards relevant to their compliance obligations. Keep an eye out for upcoming Microsoft-provided built-in policy definitions, as well as community-provided definitions in the GitHub repository listed below.

References
https://docs.microsoft.com/en-us/azure/governance/policy/overview 
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure 
https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-custom-policy-definition 
https://github.com/Azure/Community-Policy
