Evaluate the impact of a new Azure Policy definition

Azure Policy is a powerful tool for managing your Azure resources to business standards and to meet compliance needs. When people, processes, or pipelines create or update resources, Azure Policy reviews the request. When the policy definition effect is Append or DeployIfNotExists, Policy alters the request or adds to it. When the policy definition effect is Audit or AuditIfNotExists, Policy causes an Activity log entry to be created. And when the policy definition effect is Deny, Policy stops the creation or alteration of the request.

These outcomes are exactly as desired when you know the policy is defined correctly. However, it's important to validate that a new policy works as intended before allowing it to change or block work. The validation must ensure that only the intended resources are determined to be non-compliant and that no compliant resources are incorrectly included in the results (known as a false positive).

The recommended approach to validating a new policy definition is to follow these steps:

  • Tightly define your policy
  • Audit your existing resources
  • Audit new or updated resource requests
  • Deploy your policy to resources
  • Continuous monitoring

Tightly define your policy

It's important to understand how the business policy is implemented as a policy definition and the relationship of Azure resources with other Azure services. This step is accomplished by identifying the requirements and determining the resource properties. But it's also important to see beyond the narrow definition of your business policy. Does your policy state, for example, "All Virtual Machines must..."? What about other Azure services that make use of VMs, such as HDInsight or AKS? When defining a policy, we must consider how this policy impacts resources that are used by other services.

For this reason, your policy definitions should be as tightly defined as possible and focused on the resources and the properties you need to evaluate for compliance.

Audit existing resources

Before looking to manage new or updated resources with your new policy definition, it's best to see how it evaluates a limited subset of existing resources, such as a test resource group. Use the enforcement mode Disabled (DoNotEnforce) on your policy assignment to prevent the effect from triggering or Activity log entries from being created.

This step gives you a chance to evaluate the compliance results of the new policy on existing resources without impacting workflow. Check that no compliant resources are marked as non-compliant (false positive) and that all the resources you expect to be non-compliant are marked correctly. After the initial subset of resources validates as expected, slowly expand the evaluation to all existing resources.

Evaluating existing resources in this way also provides an opportunity to remediate non-compliant resources before full implementation of the new policy. This cleanup can be done manually or through a remediation task if the policy definition effect is DeployIfNotExists.

Audit new or updated resources

Once you've validated that your new policy definition is reporting correctly on existing resources, it's time to look at the impact of the policy when resources get created or updated. If the policy definition supports effect parameterization, use Audit. This configuration allows you to monitor the creation and updating of resources to see whether the new policy definition triggers an entry in the Azure Activity log for a resource that is non-compliant, without impacting existing work or requests.

It's recommended to both update and create new resources that match your policy definition to see that the Audit effect is correctly being triggered when expected. Be on the lookout for resource requests that shouldn't be impacted by the new policy definition but that trigger the Audit effect. These impacted resources are another example of false positives and must be fixed in the policy definition before full implementation.

In the event the policy definition is changed at this stage of testing, it's recommended to begin the validation process over with the auditing of existing resources. A change to the policy definition for a false positive on new or updated resources is likely to also have an impact on existing resources.
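The three validation steps above (a tightly scoped rule, an assignment in DoNotEnforce mode over a test resource group, then the parameterized Audit effect) can be rehearsed offline. The following is an added example, not code from the Azure documentation: a small evaluator for a subset of the policy rule language, run over constructed sample resources, that reports which resources a rule flags and which of those are false positives. The rule, tag name and resource names are assumptions for illustration.

```python
# Added example (not from the Azure docs): an offline dry run of a policy rule over
# constructed sample resources, to catch false positives before any assignment.
TIGHT_RULE = {"allOf": [  # scoped to VMs only, as the "tightly define" step advises
    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    {"field": "tags['costCenter']", "exists": "false"}]}
LOOSE_RULE = {"field": "tags['costCenter']", "exists": "false"}  # matches any resource type

def definition(rule, default_effect="Audit"):
    """Policy definition with a parameterized effect so Audit can be used during testing."""
    return {"mode": "Indexed", "policyRule": {"if": rule, "then": {"effect": "[parameters('effect')]"}},
            "parameters": {"effect": {"type": "String", "defaultValue": default_effect,
                                      "allowedValues": ["Audit", "Deny", "Disabled"]}}}

def get_field(resource, field):
    """Resolve the 'type' field and the tags['x'] alias on a flat resource dict."""
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    return resource.get(field)

def matches(cond, resource):
    """Evaluate allOf plus the field conditions equals and exists (string compares are case-insensitive)."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    value = get_field(resource, cond["field"])
    if "equals" in cond:
        return str(value).lower() == str(cond["equals"]).lower()
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resources, enforcement_mode="DoNotEnforce", effect=None):
    """Map resource name -> (compliance state, action). Non-compliant when the 'if' block
    matches; with enforcement mode DoNotEnforce the state is recorded but no effect fires."""
    effect = effect or policy["parameters"]["effect"]["defaultValue"]
    out = {}
    for r in resources:
        bad = matches(policy["policyRule"]["if"], r)
        fires = bad and enforcement_mode == "Default" and effect != "Disabled"
        out[r["name"]] = ("NonCompliant" if bad else "Compliant", effect if fires else "None")
    return out

def false_positives(results, expected_noncompliant):
    """Names flagged non-compliant that the policy owner did not intend to flag."""
    return sorted(n for n, (state, _) in results.items()
                  if state == "NonCompliant" and n not in expected_noncompliant)

SAMPLE = [  # constructed contents of a test resource group
    {"name": "vm-untagged", "type": "Microsoft.Compute/virtualMachines", "tags": {}},
    {"name": "vm-tagged", "type": "Microsoft.Compute/virtualMachines", "tags": {"costCenter": "42"}},
    {"name": "hdi-cluster", "type": "Microsoft.HDInsight/clusters", "tags": {}},
    {"name": "stg-untagged", "type": "Microsoft.Storage/storageAccounts", "tags": {}}]
```

Running the loose rule against the same sample flags the HDInsight cluster and the storage account as well as the untagged VM, which is exactly the kind of false positive the audit step is meant to surface before the assignment is switched to Default enforcement.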

Deploy your policy to resources

After completing validation of your new policy definition with both existing resources and new or updated resource requests, you begin the process of implementing the policy. It's recommended to create the policy assignment for the new policy definition on a subset of all resources first, such as a resource group. After validating the initial deployment, extend the scope of the policy to broader and broader levels, such as subscriptions and management groups. This expansion is achieved by removing the assignment and creating a new one at the target scopes until it's assigned to the full scope of resources intended to be covered by your new policy definition.

During rollout, if resources are located that should be exempt from your new policy definition, address them in one of the following ways:

  • Update the policy definition to be more explicit to reduce unintended impact
  • Change the scope of the policy assignment (by removing and creating a new assignment)
  • Add the group of resources to the exclusion list for the policy assignment

Any changes to the scope (level or exclusions) should be fully validated and communicated to your security and compliance organizations to ensure there are no gaps in coverage.

Monitor your policy and compliance

Implementing and assigning your policy definition isn't the final step. Continuously monitor the compliance level of resources against your new policy definition, and set up appropriate Azure Monitor alerts and notifications for when non-compliant devices are identified. It's also recommended to evaluate the policy definition and related assignments on a scheduled basis to validate that the policy definition is meeting business policy and compliance needs. Policies should be removed if no longer needed. Policies also need updating from time to time as the underlying Azure resources evolve and add new properties and capabilities.

Next steps