What is Azure Policy?

Azure Policy helps to enforce organizational standards and to assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.

Common use cases for Azure Policy include implementing governance for resource consistency, security, cost, and management. Policy definitions for these common use cases are already available in your Azure environment as built-ins to help you get started.

Overview

Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules. These business rules, described in JSON format, are known as policy definitions. To simplify management, several business rules can be grouped together to form a policy initiative (sometimes called a policySet). Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources. The assignment applies to all resources within the scope of that assignment. Subscopes can be excluded, if necessary.

Azure Policy uses a JSON format to form the logic the evaluation uses to determine whether a resource is compliant. Definitions include metadata and the policy rule. The defined rule can use functions, parameters, logical operators, conditions, and property aliases to match exactly the scenario you want. The policy rule determines which resources in the scope of the assignment get evaluated.

Understand evaluation outcomes

Resources are evaluated at specific times during the resource lifecycle, the policy assignment lifecycle, and for regular ongoing compliance evaluation. The following are the times or events that cause a resource to be evaluated:

  • A resource is created, updated, or deleted in a scope with a policy assignment.
  • A policy or initiative is newly assigned to a scope.
  • A policy or initiative already assigned to a scope is updated.
  • During the standard compliance evaluation cycle, which occurs once every 24 hours.

For detailed information about when and how policy evaluation happens, see Evaluation triggers.

Control the response to an evaluation

Business rules for handling non-compliant resources vary widely between organizations. Examples of how an organization might want the platform to respond to a non-compliant resource include:

  • Deny the resource change
  • Log the change to the resource
  • Alter the resource before the change
  • Alter the resource after the change
  • Deploy related compliant resources

Azure Policy makes each of these business responses possible through the application of effects. Effects are set in the policy rule portion of the policy definition.

Remediate non-compliant resources

While these effects primarily affect a resource when the resource is created or updated, Azure Policy also supports dealing with existing non-compliant resources without needing to alter that resource. For more information about making existing resources compliant, see Remediating resources.

Getting started

Azure Policy and RBAC

There are a few key differences between Azure Policy and role-based access control (RBAC). Azure Policy evaluates state by examining properties on resources that are represented in Resource Manager and properties of some Resource Providers. Azure Policy doesn't restrict actions (also called operations). Azure Policy ensures that resource state is compliant with your business rules without concern for who made the change or who has permission to make a change.

RBAC focuses on managing user actions at different scopes. If control of an action is required, then RBAC is the correct tool to use. Even if an individual has access to perform an action, if the result is a non-compliant resource, Azure Policy still blocks the create or update.

The combination of RBAC and Azure Policy provides full scope control in Azure.

RBAC permissions in Azure Policy

Azure Policy has several permissions, known as operations, in two Resource Providers:

Many built-in roles grant permission to Azure Policy resources. The Resource Policy Contributor role includes most Azure Policy operations. Owner has full rights. Both Contributor and Reader have access to all read Azure Policy operations. Contributor may trigger resource remediation, but can't create definitions or assignments.

If none of the built-in roles have the permissions required, create a custom role.

Note

The managed identity of a deployIfNotExists policy assignment needs enough permissions to create or update the resources included in the template. For more information, see Configure policy definitions for remediation.

Resources covered by Azure Policy

Azure Policy evaluates all resources in Azure. For certain resource providers such as Guest Configuration, Azure Kubernetes Service, and Azure Key Vault, there's a deeper integration for managing settings and objects. To find out more, see Resource Provider modes.

Recommendations for managing policies

Here are a few pointers and tips to keep in mind:

  • Start with an audit effect instead of a deny effect to track the impact of your policy definition on the resources in your environment. If you already have scripts in place to autoscale your applications, setting a deny effect may hinder such automation tasks.

  • Consider organizational hierarchies when creating definitions and assignments. We recommend creating definitions at higher levels such as the management group or subscription level. Then, create the assignment at the next child level. If you create a definition at a management group, the assignment can be scoped down to a subscription or resource group within that management group.

  • We recommend creating and assigning initiative definitions even for a single policy definition. For example, you have policy definition policyDefA and create it under initiative definition initiativeDefC. If you later create another policy definition, policyDefB, with goals similar to policyDefA, you can add it under initiativeDefC and track them together.

  • Once you've created an initiative assignment, policy definitions added to the initiative also become part of that initiative's assignments.

  • When an initiative assignment is evaluated, all policies within the initiative are also evaluated. If you need to evaluate a policy individually, it's better not to include it in an initiative.

Azure Policy objects

Policy definition

The journey of creating and implementing a policy in Azure Policy begins with creating a policy definition. Every policy definition has conditions under which it's enforced, and a defined effect that takes place if the conditions are met.

In Azure Policy, we offer several built-in policies that are available by default. For example:

  • Allowed Storage Account SKUs (Deny): Determines whether a storage account being deployed is within a set of SKU sizes. Its effect is to deny all storage accounts that don't adhere to the set of defined SKU sizes.
  • Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list.
  • Allowed Locations (Deny): Restricts the available locations for new resources. Its effect is used to enforce your geo-compliance requirements.
  • Allowed Virtual Machine SKUs (Deny): Specifies a set of virtual machine SKUs that you can deploy.
  • Add a tag to resources (Modify): Applies a required tag and its default value if it's not specified by the deploy request.
  • Append tag and its default value (Append): Enforces a required tag and its value on a resource.
  • Not allowed resource types (Deny): Prevents a list of resource types from being deployed.

To implement these policy definitions (both built-in and custom definitions), you'll need to assign them. You can assign any of these policies through the Azure portal, PowerShell, or Azure CLI.

Policy evaluation happens with several different actions, such as policy assignment or policy updates. For a complete list, see Policy evaluation triggers.

To learn more about the structure of policy definitions, review Policy Definition Structure.

Policy parameters help simplify your policy management by reducing the number of policy definitions you must create. You can define parameters when creating a policy definition to make it more generic. Then you can reuse that policy definition for different scenarios. You do so by passing in different values when assigning the policy definition. For example, specifying one set of locations for a subscription.

Parameters are defined when creating a policy definition. When a parameter is defined, it's given a name and optionally given a value. For example, you could define a parameter for a policy titled location. Then you can give it different values such as chinanorth2 or chinaeast2 when assigning a policy.

For more information about policy parameters, see Definition structure - Parameters.
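As an added worked example (not code from this page or from Microsoft), the following Python script models the pieces described above: a parameterised policy definition in the documented JSON shape, resolution of `[parameters('…')]` references from the values given at assignment time, enforcement of `allowedValues`, and the audit and deny effects. It implements only the small subset of the rule language it uses (allOf, not, equals, in and notIn on the `type` and `location` fields); the definition, the two assignments and the resource records are constructed for illustration. The same definition is assigned twice, once with the default `audit` effect and once with `deny`, which is the rollout order this page recommends.

```python
import json
import re

# Constructed custom definition in the documented shape: metadata plus a
# policyRule whose "if" selects resources and whose "then" names the effect.
# "effect" is itself a parameter, so the same definition can be assigned as
# audit first and switched to deny later, as this page recommends.
POLICY_DEFINITION = json.loads("""
{
  "properties": {
    "displayName": "Allowed locations (constructed example)",
    "mode": "All",
    "parameters": {
      "allowedLocations": {"type": "Array"},
      "effect": {"type": "String", "allowedValues": ["audit", "deny"], "defaultValue": "audit"}
    },
    "policyRule": {
      "if": {
        "allOf": [
          {"field": "type", "notIn": ["Microsoft.Resources/resourceGroups"]},
          {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}}
        ]
      },
      "then": {"effect": "[parameters('effect')]"}
    }
  }
}
""")

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value, params):
    """Replace a "[parameters('name')]" reference with the assigned value."""
    if isinstance(value, str):
        m = PARAM_REF.match(value)
        if m:
            return params[m.group(1)]
    return value


def matches(condition, resource, params):
    """True when the rule's 'if' selects the resource (subset of the rule language)."""
    if "allOf" in condition:
        return all(matches(c, resource, params) for c in condition["allOf"])
    if "not" in condition:
        return not matches(condition["not"], resource, params)
    actual = resource.get(condition["field"])  # leaf: one field, one operator
    if "equals" in condition:
        return actual == resolve(condition["equals"], params)
    if "in" in condition:
        return actual in resolve(condition["in"], params)
    if "notIn" in condition:
        return actual not in resolve(condition["notIn"], params)
    raise ValueError(f"unsupported condition: {condition}")


def assignment_parameters(definition, assigned):
    """Merge assigned values over the definition's defaults and enforce
    allowedValues, which decides whether an assignment is valid at all."""
    params = {}
    for name, spec in definition["properties"]["parameters"].items():
        if name in assigned:
            value = assigned[name]
        elif "defaultValue" in spec:
            value = spec["defaultValue"]
        else:
            raise ValueError(f"parameter {name!r} has no value")
        if "allowedValues" in spec and value not in spec["allowedValues"]:
            raise ValueError(f"{value!r} is not an allowed value for {name!r}")
        params[name] = value
    return params


def evaluate(definition, assigned, resource):
    """Outcome for one resource under one assignment: 'compliant' when the
    'if' does not match, otherwise the effect ('audit' records the finding
    and lets the request through; 'deny' blocks the create or update)."""
    params = assignment_parameters(definition, assigned)
    rule = definition["properties"]["policyRule"]
    if not matches(rule["if"], resource, params):
        return "compliant"
    return resolve(rule["then"]["effect"], params)


# Constructed resources; the same definition assigned twice with different values.
RESOURCES = [
    {"name": "stor1", "type": "Microsoft.Storage/storageAccounts", "location": "chinanorth2"},
    {"name": "vm1", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope"},
    {"name": "rg1", "type": "Microsoft.Resources/resourceGroups", "location": "westeurope"},
]
AUDIT_ASSIGNMENT = {"allowedLocations": ["chinanorth2", "chinaeast2"]}
DENY_ASSIGNMENT = {"allowedLocations": ["chinanorth2", "chinaeast2"], "effect": "deny"}

if __name__ == "__main__":
    for res in RESOURCES:
        print(res["name"], evaluate(POLICY_DEFINITION, AUDIT_ASSIGNMENT, res),
              evaluate(POLICY_DEFINITION, DENY_ASSIGNMENT, res))
```

Running it shows `vm1` reported as `audit` under the first assignment and `deny` under the second, while `stor1` is compliant under both and `rg1` is never selected because the rule excludes resource groups. The effect lives in the assignment's parameter values, so moving from audit to deny changes no definition, only the assignment.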

Initiative definition

An initiative definition is a collection of policy definitions that are tailored towards achieving a singular overarching goal. Initiative definitions simplify managing and assigning policy definitions. They simplify by grouping a set of policies as one single item. For example, you could create an initiative titled Enable Monitoring in Azure Security Center, with a goal to monitor all the available security recommendations in your Azure Security Center.

Note

The SDKs, such as Azure CLI and Azure PowerShell, use properties and parameters named PolicySet to refer to initiatives.

Under this initiative, you would have policy definitions such as:

  • Monitor unencrypted SQL Database in Security Center – For monitoring unencrypted SQL databases and servers.
  • Monitor OS vulnerabilities in Security Center – For monitoring servers that don't satisfy the configured baseline.
  • Monitor missing Endpoint Protection in Security Center – For monitoring servers without an installed endpoint protection agent.

Like policy parameters, initiative parameters help simplify initiative management by reducing redundancy. Initiative parameters are parameters being used by the policy definitions within the initiative.

For example, take a scenario where you have an initiative definition, initiativeC, with policy definitions policyA and policyB, each expecting a different type of parameter:

| Policy  | Name of parameter     | Type of parameter | Note |
|---------|-----------------------|-------------------|------|
| policyA | allowedLocations      | array             | This parameter expects a list of strings for a value since the parameter type has been defined as an array |
| policyB | allowedSingleLocation | string            | This parameter expects one word for a value since the parameter type has been defined as a string |

In this scenario, when defining the initiative parameters for initiativeC, you have three options:

  • Use the parameters of the policy definitions within this initiative: In this example, allowedLocations and allowedSingleLocation become initiative parameters for initiativeC.
  • Provide values to the parameters of the policy definitions within this initiative definition: In this example, you can provide a list of locations to policyA's parameter allowedLocations and to policyB's parameter allowedSingleLocation. You can also provide values when assigning this initiative.
  • Provide a list of value options that can be used when assigning this initiative: When you assign this initiative, the parameters inherited from the policy definitions within the initiative can only have values from this provided list.

When creating value options in an initiative definition, you're unable to input a different value during the initiative assignment because it's not part of the list.

To learn more about the structure of initiative definitions, review Initiative Definition Structure.
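The three options above, as an added example that is not Microsoft's code: a constructed initiativeC in the documented policySetDefinition shape wires policyA's `allowedLocations` to an initiative parameter of the same name that carries `allowedValues` (options 1 and 3), and gives policyB's `allowedSingleLocation` a fixed value inside the definition (option 2). The `policyDefinitionId` values use a placeholder subscription, and checking every element of an array value against `allowedValues` is how this example models the "only values from this provided list" rule.

```python
import json
import re

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
PYTHON_TYPE = {"Array": list, "String": str}  # the two parameter types in the table

# Parameter declarations of the two member policies (constructed; only the
# declarations matter for wiring the initiative to them).
POLICY_PARAMETERS = {
    "policyA": {"allowedLocations": {"type": "Array"}},
    "policyB": {"allowedSingleLocation": {"type": "String"}},
}

# Constructed initiative definition in the documented shape. Definition IDs use
# a placeholder subscription. policyA's parameter is wired to an initiative
# parameter restricted by allowedValues (options 1 and 3); policyB's parameter
# is given a fixed value in the definition itself (option 2).
INITIATIVE_C = json.loads("""
{
  "properties": {
    "displayName": "initiativeC (constructed example)",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "allowedValues": ["chinanorth2", "chinaeast2"]
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "policyA",
        "policyDefinitionId": "/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/policyDefinitions/policyA",
        "parameters": {"allowedLocations": {"value": "[parameters('allowedLocations')]"}}
      },
      {
        "policyDefinitionReferenceId": "policyB",
        "policyDefinitionId": "/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/policyDefinitions/policyB",
        "parameters": {"allowedSingleLocation": {"value": "chinanorth2"}}
      }
    ]
  }
}
""")


def check_value(name, spec, value):
    """Reject a value of the wrong type or outside allowedValues. For an Array
    parameter this example checks every element against the allowed list."""
    if not isinstance(value, PYTHON_TYPE[spec["type"]]):
        raise ValueError(f"{name}: expected {spec['type']}, got {type(value).__name__}")
    allowed = spec.get("allowedValues")
    if allowed is not None:
        bad = [v for v in (value if isinstance(value, list) else [value]) if v not in allowed]
        if bad:
            raise ValueError(f"{name}: {bad} not in allowedValues {allowed}")


def resolve_initiative_parameters(initiative, assigned):
    """Turn the values supplied at assignment time into the concrete parameter
    values each member policy is evaluated with."""
    props = initiative["properties"]
    init_values = {}
    for name, spec in props["parameters"].items():
        if name in assigned:
            value = assigned[name]
        elif "defaultValue" in spec:
            value = spec["defaultValue"]
        else:
            raise ValueError(f"initiative parameter {name!r} has no value")
        check_value(name, spec, value)
        init_values[name] = value

    per_policy = {}
    for member in props["policyDefinitions"]:
        ref = member["policyDefinitionReferenceId"]
        values = {}
        for pname, entry in member.get("parameters", {}).items():
            raw = entry["value"]
            m = PARAM_REF.match(raw) if isinstance(raw, str) else None
            value = init_values[m.group(1)] if m else raw  # reference or fixed value
            check_value(f"{ref}.{pname}", POLICY_PARAMETERS[ref][pname], value)
            values[pname] = value
        per_policy[ref] = values
    return per_policy


if __name__ == "__main__":
    print(resolve_initiative_parameters(INITIATIVE_C, {"allowedLocations": ["chinanorth2"]}))
```

Assigning with `{"allowedLocations": ["chinanorth2"]}` yields `["chinanorth2"]` for policyA and the fixed `"chinanorth2"` for policyB; a value such as `["westeurope"]`, a plain string where an array is declared, or a missing value without a default is rejected before any evaluation happens.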

Assignments

An assignment is a policy definition or initiative that has been assigned to take effect within a specific scope. This scope could range from a management group to an individual resource. The term scope refers to all the resources, resource groups, subscriptions, or management groups that the definition is assigned to. Assignments are inherited by all child resources. This design means that a definition applied to a resource group is also applied to resources in that resource group. However, you can exclude a subscope from the assignment.

For example, at the subscription scope, you can assign a definition that prevents the creation of networking resources. You could exclude a resource group in that subscription that is intended for networking infrastructure. You then grant access to this networking resource group to users that you trust with creating networking resources.

In another example, you might want to assign a resource type allow list definition at the management group level, and then assign a more permissive policy (allowing more resource types) on a child management group or even directly on subscriptions. However, this wouldn't work because Azure Policy is an explicit deny system. Instead, you need to exclude the child management group or subscription from the management group-level assignment, and then assign the more permissive definition on the child management group or subscription level. If any assignment results in a resource getting denied, then the only way to allow the resource is to modify the denying assignment.

For more information on setting assignments through the portal, see Create a policy assignment to identify non-compliant resources in your Azure environment. Steps for PowerShell and Azure CLI are also available. For information on the assignment structure, see Assignments Structure.
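Scope inheritance, notScopes exclusions and the explicit-deny behaviour described in the two examples above, as an added toy model in Python (not Azure's implementation). The scope IDs are constructed with a placeholder subscription, management-group membership is declared explicitly because resource IDs do not carry it, and each assignment's rule is reduced to an allow list of resource types so the focus stays on which assignments apply to a resource and why a more permissive child assignment cannot loosen a parent deny.

```python
import re

# Constructed scope hierarchy (placeholder subscription). Management-group
# membership is not encoded in resource IDs, so the parent links are declared.
ROOT_MG = "/providers/Microsoft.Management/managementGroups/contoso"
DEV_MG = "/providers/Microsoft.Management/managementGroups/contoso-dev"
SUB = "/subscriptions/<SUBSCRIPTION_ID>"
NET_RG = SUB + "/resourceGroups/network-rg"
APP_RG = SUB + "/resourceGroups/app-rg"
PARENT = {DEV_MG: ROOT_MG, SUB: DEV_MG}

_SCOPE_RE = re.compile(r"^(/subscriptions/[^/]+)(/resourceGroups/[^/]+)?")


def scope_chain(resource_id):
    """Every scope containing the resource, innermost first; an assignment at
    any of them is inherited by the resource."""
    m = _SCOPE_RE.match(resource_id)
    if not m:
        raise ValueError(f"not a subscription-level resource ID: {resource_id}")
    chain = [m.group(1) + m.group(2)] if m.group(2) else []
    scope = m.group(1)
    chain.append(scope)
    while scope in PARENT:
        scope = PARENT[scope]
        chain.append(scope)
    return chain


def applies(assignment, resource_id):
    """An assignment applies when its scope is on the chain and none of its
    notScopes (an excluded subscope, or the resource itself) is."""
    chain = scope_chain(resource_id)
    if assignment["scope"] not in chain:
        return False
    excluded = set(assignment.get("notScopes", []))
    return resource_id not in excluded and not excluded.intersection(chain)


def decide(assignments, resource):
    """Explicit deny: the resource is blocked if any applicable deny assignment
    finds it non-compliant; a permissive assignment elsewhere never cancels
    that. Returns ('allowed', []) or ('denied', [assignment names])."""
    denied_by = [
        a["name"] for a in assignments
        if a["effect"] == "deny"
        and applies(a, resource["id"])
        and resource["type"] not in a["allowedTypes"]
    ]
    return ("denied", denied_by) if denied_by else ("allowed", [])


def with_exclusion(assignment, scope):
    """Copy of the assignment with one more notScope: the way to let a subscope
    through without rewriting the denying assignment's rule."""
    return {**assignment, "notScopes": assignment.get("notScopes", []) + [scope]}


# Constructed assignments and resource.
MG_STORAGE_ONLY = {
    "name": "mg-allowed-types", "scope": ROOT_MG, "effect": "deny",
    "allowedTypes": ["Microsoft.Storage/storageAccounts"],
}
DEV_PERMISSIVE = {
    "name": "dev-allowed-types", "scope": DEV_MG, "effect": "deny",
    "allowedTypes": ["Microsoft.Storage/storageAccounts", "Microsoft.Network/virtualNetworks"],
}
VNET = {"id": NET_RG + "/providers/Microsoft.Network/virtualNetworks/hub",
        "type": "Microsoft.Network/virtualNetworks"}
STORAGE = {"id": APP_RG + "/providers/Microsoft.Storage/storageAccounts/appstor",
           "type": "Microsoft.Storage/storageAccounts"}

NAIVE = [MG_STORAGE_ONLY, DEV_PERMISSIVE]  # child assignment cannot loosen the parent
EXCLUDE_DEV_MG = [with_exclusion(MG_STORAGE_ONLY, DEV_MG), DEV_PERMISSIVE]
EXCLUDE_NET_RG = [with_exclusion(MG_STORAGE_ONLY, NET_RG), DEV_PERMISSIVE]

if __name__ == "__main__":
    for label, assignments in (("naive", NAIVE), ("exclude dev MG", EXCLUDE_DEV_MG),
                               ("exclude network RG", EXCLUDE_NET_RG)):
        print(label, decide(assignments, VNET), decide(assignments, STORAGE))
```

With the naive pair of assignments the virtual network is denied by the management-group assignment even though the child assignment permits it. Excluding either the child management group or just the networking resource group from the parent assignment lets it through, and the storage account is allowed throughout because both allow lists contain its type.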

Maximum count of Azure Policy objects

There's a maximum count for each object type for Azure Policy. An entry of Scope means either the subscription or the management group.

| Where                           | What                             | Maximum count |
|---------------------------------|----------------------------------|---------------|
| Scope                           | Policy definitions               | 500           |
| Scope                           | Initiative definitions           | 100           |
| Tenant                          | Initiative definitions           | 1,000         |
| Scope                           | Policy or initiative assignments | 100           |
| Policy definition               | Parameters                       | 20            |
| Initiative definition           | Policies                         | 100           |
| Initiative definition           | Parameters                       | 100           |
| Policy or initiative assignments | Exclusions (notScopes)          | 400           |
| Policy rule                     | Nested conditionals              | 512           |
| Remediation task                | Resources                        | 500           |

Next steps

Now that you have an overview of Azure Policy and some of the key concepts, here are the suggested next steps: