Integration with Azure Policy

Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules over your resources, to ensure those resources remain compliant with your corporate standards and service level agreements. Azure Policy evaluates your resources for non-compliance with the policies you assign.

Azure Batch has two built-in extensions to help you manage policy compliance.

| Name | Description | Effect(s) | Version | Source |
|---|---|---|---|---|
| Diagnostic logs in Batch accounts should be enabled | Audit enabling of diagnostic logs. This enables you to recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised. | AuditIfNotExists, Disabled | 2.0.0 | GitHub |
| Metric alert rules should be configured on Batch accounts | Audit configuration of metric alert rules on Batch accounts to enable the required metric. | AuditIfNotExists, Disabled | 1.0.0 | GitHub |

Policy definitions describe the conditions that need to be met. A condition compares a resource property to a required value. Resource property fields are accessed using pre-defined aliases. You use property aliases to access specific properties of a resource type. Aliases enable you to restrict what values or conditions are allowed for a property on a resource. Each alias maps to paths in different API versions for a given resource type. During policy evaluation, the policy engine gets the property path for that API version.

The resources required by Batch include: account, compute node, pool, job, and task. So, you would use property aliases to access specific properties of these resources. Learn more about aliases.
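To make the evaluation model concrete, here is an added example (it is not code from this page or from Azure Policy itself): a small Python evaluator that resolves aliases to property paths, evaluates a definition's `if` conditions, and applies the Audit and AuditIfNotExists effects named in the table above. The alias table, the resource and policy documents, the `Microsoft.Batch/batchAccounts/publicNetworkAccess` and `Microsoft.Insights/diagnosticSettings/workspaceId` alias names, and the workspace id placeholder are all constructed for this example; real aliases must be looked up per resource type and API version as the page describes.

```python
"""Added example: a toy evaluator for Azure Policy-style definitions.

Not Azure's policy engine. It shows how a definition's `if` block compares
resource properties (addressed through aliases) with required values, and
how an auditIfNotExists effect looks for a related resource. The alias
table, resources and policies below are constructed for the example.
"""
from typing import Any, Iterable

# Constructed alias table: alias -> property path inside the resource JSON.
# Real aliases are published per resource type and API version; these names
# are assumptions made so that the example runs offline.
ALIASES: dict[str, list[str]] = {
    "type": ["type"],
    "location": ["location"],
    "Microsoft.Batch/batchAccounts/publicNetworkAccess": ["properties", "publicNetworkAccess"],
    "Microsoft.Insights/diagnosticSettings/workspaceId": ["properties", "workspaceId"],
}


def resolve_alias(resource: dict, alias: str) -> Any:
    """Walk the property path an alias maps to; None means 'property absent'."""
    try:
        path = ALIASES[alias]
    except KeyError:
        raise KeyError(f"unknown alias: {alias}") from None
    value: Any = resource
    for key in path:
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value


def evaluate(condition: dict, resource: dict) -> bool:
    """Evaluate one condition: a logical operator or a single field comparison."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    actual = resolve_alias(resource, condition["field"])
    if "equals" in condition:
        return actual == condition["equals"]
    if "notEquals" in condition:
        return actual != condition["notEquals"]
    if "in" in condition:
        return actual in condition["in"]
    if "exists" in condition:
        wanted = str(condition["exists"]).lower() == "true"
        return (actual is not None) == wanted
    raise ValueError(f"unsupported condition: {condition}")


def assess(policy: dict, resource: dict, related: Iterable[dict] = ()) -> str:
    """Return 'Compliant' or 'NonCompliant' for one resource under one policy.

    The `if` block selects the resources the effect applies to. For audit and
    deny, a match is a finding. For auditIfNotExists, a match triggers a search
    of `related` (e.g. the account's child resources) for one of the required
    type that also satisfies `existenceCondition`; only if none is found is the
    resource reported as non-compliant.
    """
    if not evaluate(policy["if"], resource):
        return "Compliant"  # the rule does not apply to this resource
    then = policy["then"]
    effect = then["effect"].lower()
    if effect == "disabled":
        return "Compliant"
    if effect in ("audit", "deny"):
        return "NonCompliant"
    if effect == "auditifnotexists":
        details = then["details"]
        for candidate in related:
            if candidate.get("type", "").lower() != details["type"].lower():
                continue
            cond = details.get("existenceCondition")
            if cond is None or evaluate(cond, candidate):
                return "Compliant"
        return "NonCompliant"
    raise ValueError(f"unsupported effect: {effect}")


# Constructed resources: a Batch account with public access left on, and a
# diagnostic setting that would be a child resource of that account.
BATCH_ACCOUNT = {
    "type": "Microsoft.Batch/batchAccounts",
    "name": "example-batch",
    "location": "westeurope",
    "properties": {"publicNetworkAccess": "Enabled"},
}
DIAGNOSTIC_SETTING = {
    "type": "Microsoft.Insights/diagnosticSettings",
    "name": "send-to-workspace",
    "properties": {"workspaceId": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/example"},
}

# Constructed policies in the shape of the table's AuditIfNotExists rule and a plain Audit rule.
DIAGNOSTIC_LOGS_POLICY = {
    "if": {"field": "type", "equals": "Microsoft.Batch/batchAccounts"},
    "then": {"effect": "AuditIfNotExists", "details": {
        "type": "Microsoft.Insights/diagnosticSettings",
        "existenceCondition": {"field": "Microsoft.Insights/diagnosticSettings/workspaceId", "exists": "true"},
    }},
}
PUBLIC_ACCESS_POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Batch/batchAccounts"},
        {"field": "Microsoft.Batch/batchAccounts/publicNetworkAccess", "notEquals": "Disabled"},
    ]},
    "then": {"effect": "Audit"},
}

if __name__ == "__main__":
    print("diagnostics, with setting:", assess(DIAGNOSTIC_LOGS_POLICY, BATCH_ACCOUNT, [DIAGNOSTIC_SETTING]))
    print("diagnostics, no setting:  ", assess(DIAGNOSTIC_LOGS_POLICY, BATCH_ACCOUNT))
    print("public network access:    ", assess(PUBLIC_ACCESS_POLICY, BATCH_ACCOUNT))
```

The point of the two `assess` calls for the diagnostics policy is the difference between an Audit and an AuditIfNotExists effect: the first reports the account itself when its own properties match, while the second reports it only when no qualifying related resource (here, a diagnostic setting) exists alongside it.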

To make sure you know the current aliases and can review your resources and policies, use the Azure Policy extension for Visual Studio Code. It can be installed on all platforms supported by Visual Studio Code, which includes Windows, Linux, and macOS. See the installation guidelines.