Before Lab 5.2 — Policy Guardrails
Before Lab 5.2 — Policy Guardrails
In Lab 5.1, you discovered compliance violations manually — without fixing them yet. Now you will learn how to prevent those violations from happening again — using Azure Policy.
What is Azure Policy?
Azure Policy lets you define rules for your environment and automatically enforce them. Think of it as a continuous compliance check that runs against every resource — automatically.
For a full overview of policy effects (Deny, Audit, DeployIfNotExists, Modify) and assignment scopes, see the Azure Policy theory page.
Quick reference — Policy effects
| Effect | When it runs | What it does |
|---|---|---|
Deny | At write time | Blocks the action if the resource violates the policy |
Audit | At write time | Allows the action, marks resource as non-compliant |
DeployIfNotExists | Periodically | Deploys a required resource if missing |
Modify | At write time | Adds or changes properties on the resource being created |
Quick reference — Policy scopes
| Scope | What it affects |
|---|---|
| Subscription | All resource groups in the subscription |
| Resource group | Only resources in this group |
| Resource | Only this specific resource |
Best practice: Assign policies at the subscription level for broad enforcement. Use resource group scope for environment-specific rules (e.g., dev vs prod).
What you will do in this lab
You will assign two built-in Azure Policies to your Day 5 environment (which was deployed via Terraform in Lab 5.1). You'll need the resource group name from Lab 5.1 — if you don't have it handy, retrieve it again with:
terraform output -raw resource_group_name- Deny public blob access — prevents storage accounts from being created with public blob access
- Require tags — enforces required tags on resources at creation time
What to look for in Lab 5.2
Lab 5.2 checklist
Lab focus
In Lab 5.2, you are preventing violations — not fixing them. The goal is to stop non-compliant resources from being created in the first place.
Check before starting
You should be able to answer these questions before starting the lab:
- What is the difference between Deny and Audit policy effects?
- Why does policy evaluation take time (15-30 minutes)?
- When should you use Deny vs Audit vs DeployIfMissing?