Azure Landing Zones - Policy Refresh Q1 FY25
ALZ - Policy Refresh Q1 FY25 is here!
As you may be aware, the ALZ team release cadence is now on quarterly basis to help customers and partners manage change in their environments. Additionally, based on feedback from our community, partners and customers that we will only introduce breaking changes every half-year, this release, being 3 months since the last breaking change (FY24 H2), therefore does not contain any breaking changes.
With the generally "quiet" time over the summer (in the northern hemisphere), the ALZ team have taken advantage and worked on enhancing security, quality and reliability of ALZ's Policies.
Security
As a core priority for Microsoft, security comes first.
We've updated all our custom minimum TLS version policies to support TLS version 1.2 AND 1.3 as more Azure services roll out supporting TLS 1.3 (we are aware of built-in policies owned by other product teams that require updating and will be working with them in the months ahead).
Most significantly we've introduced the option to audit (for now but over time will increase to deny) the use of virtual network private subnets, via the built-in policy "Subnets should be private". This is a key security feature that ensures resources in a subnet cannot access the internet directly but must either go through a firewall or NAT gateway to egress, reducing exfiltration options for potentially compromised resources. We encourage our partners and customers to review this in their environments, more information can be found here on this topic "Default outbound access in Azure - MS Learn".
We're also addressing other items like disabling local authentication for automation accounts, which is a best practice.
Quality
This involved a lot of backend work and scripting to improve testing of contributions to meet the high standards our consumers expect, including enhancements to testing of custom policy contributions but most notably a complete overhaul of deployment testing using the ARM reference implementation (driven through the portal experience). We can now do full deployments depending on the nature of changes from policy only to selected networking topologies, significantly reducing the many hours needed to do end to end testing with every release.
Whilst this doesnt directly benefit our consumers, it does mean we can complete more work as an ALZ team as testing is enhanced and more efficient which in turn means ALZ can add more in each release for our consumers to benefit from.
AI Ready
Microsoft is heavily invested in the AI space, and ALZ plays a part in driving it's adoption at scale.
We're working with internal teams preparing to provide prescriptive guidance for customers leveraging Azure AI Services in their tenants. To support these teams and ensuring customers are following best practices securing the Azure AI Services in their tenants, we are releasing significant updates to our recommended policies and initiatives for:
- Azure OpenAI
- Cognitive Services/Search -> AI Services
- Machine Learning
- Bot Service (new) -> AI Bot Services
| Note: some services are changing names (as indicated above)
For those using the portal accelerator, the options to configure this are under "Workload Specific Compliance", which has been enhanced to provide a more friendly user experience journey and as before allows you to define the scope to apply:
For those just looking to benefit from our awesome policy work in the AI space, head to our wiki page that contains details and links to all of the policies mentioned above.
General
We have also made a number of small changes to policies and initiatives to update to the latest and greatest, or added much asked for features like adding the option to select either ALL or AUDIT only diagnostic settings logs to be sent to Log Analytics.
We updated initiatives to use a newer built-in policy versions, added additional configuration options - all driven by feedback from the field (please keep it coming!)
Closing
Do note that the ALZ Policy Refresh is released first to the portal experience (as this is where we currently host policy definitions & initiatives as a source of truth), and it takes a short time before these updates are incorporated in the other reference implementations like Terraform, Bicep, etc. Please do check the release notes on those repositories if you are using those implementations.
If you have suggestions for ALZ, please do submit a GitHub Issue over at https://aka.ms/alz/repo.
Please do also regularly review our What's New (https://aka.ms/alz/whatsnew), as this includes all the details of what has changed, including any updates needed between major releases.
And finally make sure to attend our community call https://aka.ms/alz/communitycall which we host every 3 months and discuss releases and also catch-up on the recordings of the previous ones at the same link!
Published on:
Learn moreRelated posts
Code AI apps on Azure - Python, Prompty & Visual Studio
Build your own custom applications with Azure AI right from your code. With Azure AI, leverage over 1,700 models, seamlessly integrating them ...
Network Connectivity for RISE with SAP S/4HANA Cloud Private Edition on Azure
In this article, we will explore different ways to connect to RISE with SAP S/4HANA Cloud Private Edition deployment on Azure, guiding yo...
Debug Queries More Efficiently with the Improved Error Messaging in Azure Cosmos DB Data Explorer
Azure Cosmos DB Data Explorer is a web-based tool available in the Azure Portal that allows you to manage data, as well as track and fix issue...
Meet the Winners | Microsoft Developers Azure AI & Azure Cosmos DB Learning Hackathon
Azure Cosmos DB powers some of the world’s most popular intelligent apps like ChatGPT. In a recent hackathon, Over 9,500 developers engaged wi...
Introducing RBAC Authentication and more for the Azure Cosmos DB Integrated Cache
We’re excited to announce new features for the Azure Cosmos DB! The integrated cache is built into the dedicated gateway, and now there’s new ...
Microsoft DiskANN in Azure Cosmos DB Whitepaper
We are excited to publish a new whitepaper titled, Microsoft DiskANN in Azure Cosmos DB, where we examine the impressive capabilities of Micro...
Announcing Private Preview: VS Code Extension of vCore-based Azure Cosmos DB for MongoDB
Overview We’re excited to introduce a new VS Code extension for vCore-based Azure Cosmos DB for MongoDB ! This tool allows users to conn...
Azure Communication Services September 2024 Feature Updates
The Azure Communication Services team is excited to share several new product and feature updates released in August 2024. (You can view previ...