
What is Azure Policy?

IT governance creates clarity between business goals and IT projects. Good IT governance involves planning your initiatives and setting priorities on a strategic level. Does your company experience a significant number of IT issues that never seem to get resolved? Implementing policies helps you better manage and prevent them, and implementing policies is where Azure Policy comes in.

Azure Policy is a service in Azure that you use to create, assign, and manage policy definitions. Policy definitions enforce rules and actions over your resources so that those resources stay compliant with your corporate standards and service level agreements. Azure Policy evaluates your resources and flags those that are not compliant with the policy definitions you have. For example, one policy can allow only certain types of virtual machines; another can require that all resources carry a particular tag. Policies are evaluated when resources are created or updated, and existing resources are also scanned for compliance.

How is it different from RBAC?

There are a few key differences between policy and role-based access control (RBAC). RBAC focuses on user actions at different scopes. For example, you might be added to the Contributor role for a resource group, which allows you to make changes to that resource group. Policy focuses on resource properties, both during deployment and for already existing resources. For example, through policies you can control the types of resources that can be provisioned, or restrict the locations in which resources can be provisioned. Unlike RBAC, policy is a default-allow, explicit-deny system: a request is blocked only when a policy with a deny effect matches it.

To use policies, you must be authenticated through RBAC. Specifically, your account needs the following permissions:

  • Microsoft.Authorization/policydefinitions/write to define a policy.
  • Microsoft.Authorization/policyassignments/write to assign a policy.
  • Microsoft.Authorization/policySetDefinitions/write to define an initiative.
  • Microsoft.Authorization/policyassignments/write to assign an initiative (initiative assignments use the same resource type as policy assignments).

These permissions are not included in the Contributor role, whose NotActions exclude all Microsoft.Authorization/* write operations; the Owner role includes them.

Policy definition

Every policy definition has conditions under which it is enforced, and an accompanying action (its effect) that takes place if the conditions are met.

Azure Policy offers some built-in policies that are available to you by default. For example:

  • Require SQL Server 12.0: This policy definition has conditions/rules to ensure that all SQL servers use version 12.0. Its action is to deny any server that does not meet these criteria.
  • Allowed Storage Account SKUs: This policy definition has a set of conditions/rules that determine whether a storage account being deployed uses one of a set of SKU sizes. Its action is to deny any storage account whose SKU is not in the defined set.
  • Allowed Resource Type: This policy definition has a set of conditions/rules that specify the resource types your organization can deploy. Its action is to deny any resource whose type is not in the defined list.
  • Allowed Locations: This policy restricts the locations your organization can specify when deploying resources. Its action is used to enforce your geo-compliance requirements.
  • Allowed Virtual Machine SKUs: This policy specifies the set of virtual machine SKUs your organization can deploy.
  • Apply tag and its default value: This policy applies a required tag and its default value if the user does not specify it.
  • Enforce tag and its value: This policy enforces a required tag and its value on a resource.
  • Not allowed resource types: This policy specifies the resource types your organization cannot deploy.

You can assign any of these policies through the Azure portal, PowerShell, or Azure CLI.

To learn more about the structure of policy definitions, see Policy Definition Structure.

Policy assignment

A policy assignment is a policy definition that has been assigned to take effect within a specific scope. This scope could range from a management group to a resource group. The term scope refers to all the resource groups, subscriptions, or management groups that the policy definition is assigned to. Policy assignments are inherited by all child resources, so a policy applied to a resource group applies to all the resources in that resource group. However, you can exclude a subscope from the assignment. For example, at the subscription scope you can assign a policy that prevents the creation of networking resources, but exclude the one resource group within the subscription that is intended for networking infrastructure. Access to that networking resource group is then granted, through RBAC, only to users you trust to create networking resources.

For more information on setting policy definitions and assignments, see Create a policy assignment to identify non-compliant resources in your Azure environment.
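The inheritance and exclusion behaviour described above, as an added example that is not Azure's own code: it decides which resource IDs an assignment reaches from the assignment's scope and its notScopes exclusion list. The assignment JSON shape (properties.scope, properties.notScopes) is Azure's; the subscription ID, resource group names, resource IDs and the policy definition ID are constructed for this example. Only ID-based inheritance (subscription to resource group to resource) is modeled; management-group inheritance depends on the management-group hierarchy, which is not encoded in resource IDs.

```python
"""Added example, not Azure's own code: which resource IDs an assignment
reaches, given properties.scope and the properties.notScopes exclusion list.
The IDs below are constructed; management-group inheritance is not modeled."""

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed

ASSIGNMENT = {
    "properties": {
        "displayName": "deny-networking-outside-netops",
        # Hypothetical custom definition living at subscription scope.
        "policyDefinitionId": SUB + "/providers/Microsoft.Authorization/policyDefinitions/deny-networking",
        "scope": SUB,
        # The one resource group trusted to hold networking infrastructure.
        "notScopes": [SUB + "/resourceGroups/rg-net"],
    }
}


def _segments(resource_id):
    # Azure resource IDs are case-insensitive, so compare lower-cased segments.
    return [s.lower() for s in resource_id.strip("/").split("/")]


def is_within(resource_id, scope):
    """True when resource_id is the scope itself or lies beneath it.

    Whole path segments are compared, so an exclusion of .../rg-net does not
    also exclude .../rg-network, which a plain string-prefix test would allow.
    """
    r, s = _segments(resource_id), _segments(scope)
    return r[: len(s)] == s


def assignment_applies(assignment, resource_id):
    """True when the assignment's policy is evaluated for this resource."""
    props = assignment["properties"]
    if not is_within(resource_id, props["scope"]):
        return False
    return not any(is_within(resource_id, ns) for ns in props.get("notScopes", []))


if __name__ == "__main__":
    for rid in [
        SUB + "/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/hub",
        SUB + "/resourceGroups/rg-network/providers/Microsoft.Network/virtualNetworks/shadow",
        SUB + "/resourceGroups/rg-app/providers/Microsoft.Network/virtualNetworks/rogue",
    ]:
        print(assignment_applies(ASSIGNMENT, rid), rid)
```

The segment-wise comparison is the part worth copying: an exclusion list is a security boundary in the other direction (everything in it escapes the policy), so an exclusion that accidentally matches a longer resource group name widens the hole.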

Policy parameters

Policy parameters help simplify your policy management by reducing the number of policy definitions you must create. You can define parameters when creating a policy definition to make it more generic, then reuse that policy definition for different scenarios by passing in different values when assigning it. For example, you might specify one set of locations for one subscription and a different set for another.

Parameters are defined when creating a policy definition. A parameter is given a name and, optionally, a default value. For example, you could define a parameter named location for a policy, then give it different values such as EastUS or WestUS when assigning the policy.

For more information about policy parameters, see Resource Policy Overview - Parameters.
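The definition, condition and parameter concepts from the last two sections, as an added example that is not Azure's own code or documentation: one custom policy definition written in the Azure Policy JSON shape (properties.parameters plus properties.policyRule), evaluated against constructed sample resources by a small evaluator. The evaluator is a deliberately reduced model of the Azure engine: it understands only the condition keywords this rule uses (allOf, not, and field with equals/notEquals/in) and the audit/deny effects, and it compares strings case-insensitively as Azure Policy does. The definition itself, its parameter names and the sample resources are assumptions for this example. Making the effect a parameter with a default of Audit is how the audit-first recommendation later on this page is usually put into practice: assign once with the default, review the results, then re-assign with Deny.

```python
"""Added example, not code from Azure Policy or its documentation. One custom
policy definition in Azure's JSON shape (parameters + policyRule) is evaluated
against constructed sample resources by a reduced model of the Azure engine:
only the keywords this rule uses (allOf, not, field with equals/notEquals/in)
and the audit/deny effects are modeled; strings compare case-insensitively."""
import json
import re

# Assumed custom definition. The effect is itself a parameter, so the same
# definition can be assigned as Audit first and flipped to Deny later.
POLICY_DEFINITION = json.loads("""
{
  "properties": {
    "displayName": "Allowed locations (custom)",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "listOfAllowedLocations": {"type": "Array",
                                 "metadata": {"displayName": "Allowed locations", "strongType": "location"}},
      "effect": {"type": "String", "allowedValues": ["Audit", "Deny"], "defaultValue": "Audit"}
    },
    "policyRule": {
      "if": {
        "allOf": [
          {"field": "location", "notEquals": "global"},
          {"not": {"field": "location", "in": "[parameters('listOfAllowedLocations')]"}}
        ]
      },
      "then": {"effect": "[parameters('effect')]"}
    }
  }
}
""")

# Constructed sample resources; only the fields the rule reads are present.
SAMPLE_RESOURCES = [
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
    {"name": "vm-lab-01", "type": "Microsoft.Compute/virtualMachines", "location": "southeastasia"},
    {"name": "dns-zone", "type": "Microsoft.Network/dnszones", "location": "global"},
]

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def effective_parameters(definition, assignment_params):
    """Merge assignment-time values with defaults, enforcing allowedValues."""
    merged = {}
    for name, spec in definition["properties"]["parameters"].items():
        if name in assignment_params:
            value = assignment_params[name]
            if "allowedValues" in spec and value not in spec["allowedValues"]:
                raise ValueError(f"{name}: {value!r} not in {spec['allowedValues']}")
            merged[name] = value
        elif "defaultValue" in spec:
            merged[name] = spec["defaultValue"]
        else:
            raise ValueError(f"{name}: no value supplied and no defaultValue")
    return merged

def resolve(value, params):
    """Replace a "[parameters('x')]" reference with the assigned value."""
    match = PARAM_REF.match(value) if isinstance(value, str) else None
    return params[match.group(1)] if match else value

def _norm(value):
    return value.lower() if isinstance(value, str) else value

def evaluate_condition(cond, resource, params):
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, params)
    actual = _norm(resource.get(cond["field"]))
    if "equals" in cond:
        return actual == _norm(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != _norm(resolve(cond["notEquals"], params))
    if "in" in cond:
        return actual in [_norm(v) for v in resolve(cond["in"], params)]
    raise ValueError(f"condition keyword not modeled: {cond}")

def evaluate(definition, assignment_params, resource):
    """Effect applied to one resource ("audit" or "deny"), or "compliant"."""
    params = effective_parameters(definition, assignment_params)
    rule = definition["properties"]["policyRule"]
    if evaluate_condition(rule["if"], resource, params):
        return resolve(rule["then"]["effect"], params).lower()
    return "compliant"

def evaluate_all(definition, assignment_params, resources):
    return {r["name"]: evaluate(definition, assignment_params, r) for r in resources}


if __name__ == "__main__":
    allowed = {"listOfAllowedLocations": ["EastUS", "WestUS"]}
    print("audit:", evaluate_all(POLICY_DEFINITION, allowed, SAMPLE_RESOURCES))
    print("deny: ", evaluate_all(POLICY_DEFINITION, {**allowed, "effect": "Deny"}, SAMPLE_RESOURCES))
```

Two details carry over to real definitions: the "notEquals": "global" guard keeps resources that only exist in the global location (DNS zones here) from being flagged, and supplying an effect outside allowedValues is rejected at assignment time, which is what stops a typo from silently turning an Audit assignment into Deny.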

Initiative definition

An initiative definition is a collection of policy definitions tailored towards achieving a single overarching goal. Initiative definitions simplify managing and assigning policy definitions by grouping a set of policies as one item. For example, you could create an initiative titled Enable Monitoring in Azure Security Center, with the goal of monitoring all the security recommendations available in Azure Security Center.

Under this initiative, you would have policy definitions such as:

  1. Monitor unencrypted SQL Database in Security Center – for monitoring unencrypted SQL databases and servers.
  2. Monitor OS vulnerabilities in Security Center – for monitoring servers that do not satisfy the configured baseline.
  3. Monitor missing Endpoint Protection in Security Center – for monitoring servers without an installed endpoint protection agent.

Initiative assignment

Like a policy assignment, an initiative assignment is an initiative definition assigned to a specific scope. Initiative assignments reduce the need to create several initiative definitions for each scope. This scope can also range from a management group to a resource group.

From the preceding example, the Enable Monitoring in Azure Security Center initiative can be assigned to different scopes: one assignment to subscriptionA, another to subscriptionB.

Initiative parameters

Like policy parameters, initiative parameters help simplify initiative management by reducing redundancy. Initiative parameters are essentially the list of parameters used by the policy definitions within the initiative.

For example, take a scenario where you have an initiative definition, initiativeC, with two policy definitions, each of which has one defined parameter:

Policy    Parameter name         Parameter type   Note
policyA   allowedLocations       array            Expects a list of strings as its value, since the parameter type is array
policyB   allowedSingleLocation  string           Expects a single string as its value, since the parameter type is string

In this scenario, when defining the initiative parameters for initiativeC, you have three options:

  1. Use the parameters of the policy definitions within the initiative: in this example, allowedLocations and allowedSingleLocation become initiative parameters for initiativeC.
  2. Provide values to the parameters of the policy definitions within the initiative definition: in this example, you can provide a list of locations to policyA's parameter allowedLocations and a single location to policyB's parameter allowedSingleLocation. You can also provide values when assigning the initiative.
  3. Provide a list of value options that can be used when assigning the initiative: when you assign it, the parameters inherited from the policy definitions within the initiative can only take values from this provided list.

For example, you might create a list of value options in an initiative definition containing EastUS, WestUS, CentralUS, and WestEurope. If so, you cannot enter a different value such as Southeast Asia during the initiative assignment, because it is not part of the list.
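The initiativeC scenario and its three options, as an added example that is not Azure's own code: an initiative (policy set) definition in the Azure JSON shape (properties.parameters plus properties.policyDefinitions, each member carrying a policyDefinitionId and a parameters map), with policyA fed from an initiative parameter restricted by allowedValues (options 1 and 3) and policyB's parameter fixed inside the initiative (option 2). It also checks for the situation the recommendations below warn about: a member policy that references a parameter the initiative never declared. The policy definition IDs and the subscription ID are hypothetical. Checking allowedValues per element for an Array parameter is this example's reading of the multi-select the portal presents; it is not a documented guarantee of the service.

```python
"""Added example, not Azure's own code: an initiative definition for the
initiativeC scenario, validation of assignment-time values against
allowedValues, and detection of parameters referenced but never declared.
Definition IDs and the subscription ID are hypothetical."""
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

INITIATIVE_DEFINITION = {
    "properties": {
        "displayName": "initiativeC",
        # Option 3: the assignment may only choose values from this list.
        "parameters": {
            "allowedLocations": {
                "type": "Array",
                "allowedValues": ["EastUS", "WestUS", "CentralUS", "WestEurope"],
            }
        },
        "policyDefinitions": [
            {   # Option 1: policyA's parameter is fed from the initiative parameter.
                "policyDefinitionReferenceId": "policyA",
                "policyDefinitionId": SUB + "/providers/Microsoft.Authorization/policyDefinitions/policyA",
                "parameters": {"allowedLocations": {"value": "[parameters('allowedLocations')]"}},
            },
            {   # Option 2: policyB's parameter is fixed inside the initiative.
                "policyDefinitionReferenceId": "policyB",
                "policyDefinitionId": SUB + "/providers/Microsoft.Authorization/policyDefinitions/policyB",
                "parameters": {"allowedSingleLocation": {"value": "EastUS"}},
            },
        ],
    }
}


def _reference(value):
    """Parameter name a "[parameters('x')]" value points at, else None."""
    match = PARAM_REF.match(value) if isinstance(value, str) else None
    return match.group(1) if match else None


def undeclared_parameter_references(initiative):
    """Parameter names used by member policies but missing from the initiative.

    A member added later with a fresh parameter lands here, and the initiative
    definition and its assignments must be edited before it can take effect."""
    declared = set(initiative["properties"]["parameters"])
    missing = []
    for member in initiative["properties"]["policyDefinitions"]:
        for pv in member.get("parameters", {}).values():
            name = _reference(pv["value"])
            if name and name not in declared:
                missing.append(name)
    return missing


def validate_assignment_parameters(initiative, assignment_params):
    """Return merged initiative parameter values, or raise listing every problem."""
    spec = initiative["properties"]["parameters"]
    errors, merged = [], {}
    errors += [f"{n}: not an initiative parameter" for n in assignment_params if n not in spec]
    for name, p in spec.items():
        if name in assignment_params:
            value = assignment_params[name]
        elif "defaultValue" in p:
            value = p["defaultValue"]
        else:
            errors.append(f"{name}: no value supplied and no defaultValue")
            continue
        if p["type"] == "Array" and not isinstance(value, list):
            errors.append(f"{name}: expected a list, got {value!r}")
            continue
        elements = value if p["type"] == "Array" else [value]
        allowed = p.get("allowedValues")
        bad = [v for v in elements if allowed is not None and v not in allowed]
        if bad:
            errors.append(f"{name}: {bad} not in allowedValues {allowed}")
            continue
        merged[name] = value
    if errors:
        raise ValueError("; ".join(errors))
    return merged


def member_parameters(initiative, merged):
    """Values each member policy definition receives once references resolve."""
    out = {}
    for member in initiative["properties"]["policyDefinitions"]:
        ref = member["policyDefinitionReferenceId"]
        out[ref] = {}
        for pname, pv in member.get("parameters", {}).items():
            name = _reference(pv["value"])
            out[ref][pname] = merged[name] if name else pv["value"]
    return out


if __name__ == "__main__":
    values = validate_assignment_parameters(INITIATIVE_DEFINITION, {"allowedLocations": ["EastUS", "WestEurope"]})
    print(member_parameters(INITIATIVE_DEFINITION, values))
    print(undeclared_parameter_references(INITIATIVE_DEFINITION))
```

Run undeclared_parameter_references before every initiative update in a pipeline: the service accepts the definition, but an assignment that lacks a value for the new parameter is the failure mode the recommendations below describe.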

Recommendations for managing policies

While creating and managing policy definitions and assignments, here are a few pointers we advise you to follow:

  • If you are creating policy definitions in your environment, start with an audit effect rather than a deny effect, so you can track the impact of the policy definition on the resources in your environment before enforcing it. If you have scripts in place to autoscale your applications, a deny effect may break those automation tasks.
  • Keep organizational hierarchies in mind when creating definitions and assignments. We recommend creating definitions at a higher level, for example at the management group or subscription level, and assigning at the next child level. For example, if you create a policy definition at the management group level, a policy assignment of that definition can be scoped down to a subscription within that management group.
  • We encourage using the standard pricing tier, to better understand the compliance state of your environment. For more information about the pricing models and what each of them offers, see Pricing.
  • Use initiative definitions rather than standalone policy definitions, even if you only have one policy in mind. For example, if you create a policy definition policyDefA under the initiative definition initiativeDefC and later decide to create another policy definition policyDefB with goals similar to policyDefA's, you can add it under initiativeDefC and track them together.

    Keep in mind that once you have created an initiative assignment from an initiative definition, any new policy definition added to the initiative definition automatically rolls under the initiative assignment(s) of that definition. However, if the new policy definition introduces a new parameter, you need to update the initiative definition and its assignments by editing them.

Next steps

Now that you have an overview of Azure Policy and some of the key concepts it introduces, here are the suggested next steps: