Hey everyone! I'm looking to craft a new strategy for implementing Azure Policy in my organization and would love to hear your experiences. Previously, we've applied the default Defender for Cloud initiative on each individual subscription. Do you think it would be better to apply this at the management group level instead? Also, are there any custom policies you've found particularly useful that I should consider adopting? Thanks in advance for your insights!
1 Answer
It's generally best to implement policies at the management group level. This way, the policies can be cascaded down, ensuring a consistent approach across subscriptions. Check out the policies from the Azure Enterprise Scale reference implementation for a solid starting point.
We utilize several policies including:
- No public IPs except for firewalls
- Limited traffic forwarding
- Allowed regions
- Auditing NSGs and user-defined routes
- Mandatory tagging
Plus, consider policies for public access, HTTPS/TLS requirements, diagnostic settings, and alert creation. It really depends on your Infrastructure as Code maturity!
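The first policy in the list above ("no public IPs except for firewalls") as a custom Azure Policy definition, added here as an example rather than taken from the answer or from the Enterprise Scale repository; it assumes firewall public IPs carry a `purpose` tag with the value `firewall`, and both the tag name and value are assumptions you would adapt to your own tagging standard:

```json
{
  "properties": {
    "displayName": "Deny public IP addresses except for firewall use",
    "description": "Denies Microsoft.Network/publicIPAddresses unless the resource carries the tag that marks it as a firewall public IP (tag name and value are assumed for this example).",
    "mode": "Indexed",
    "policyType": "Custom",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Deny",
        "metadata": { "description": "Audit first to measure impact, then switch to Deny" }
      },
      "exemptTagValue": {
        "type": "String",
        "defaultValue": "firewall",
        "metadata": { "description": "Value of the 'purpose' tag that exempts a public IP (assumed tag name)" }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Network/publicIPAddresses" },
          { "field": "tags['purpose']", "notEquals": "[parameters('exemptTagValue')]" }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

Create it at the management group rather than per subscription (`az policy definition create --name deny-public-ip-except-fw --rules <file> --management-group <mg-name>`) and assign it with `az policy assignment create --policy deny-public-ip-except-fw --scope /providers/Microsoft.Management/managementGroups/<mg-name> --params '{"effect":{"value":"Audit"}}'` so it cascades to every child subscription; `<mg-name>` is a placeholder for your own management group. Review the compliance results in Audit mode before changing the effect to Deny, and exempt the connectivity subscription if your firewalls are not tagged.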