Announcing the Policy Refresh Q2 FY25 for Azure Landing Zones
As before, we release updates to Azure Landing Zones policies (and the portal accelerator) on a quarterly basis to reduce the burden of managing frequent change. The policy updates that are part of this release are consumed by all the reference implementations (Portal, Terraform, Bicep), but the portal changes apply only to the portal accelerator. Note that the ALZ portal accelerator and all Azure Policy content provided by Azure Landing Zones are maintained in the same GitHub repository, which is why policy and portal accelerator changes are grouped together.
This release has been slightly delayed by the festive season and by new security patches deployed by resource providers that impacted Azure Landing Zones deployments. These are the highlights of this release:
Policy
With the announcement and preview release of policy versioning back in May 2024, we've been tracking its potential impact on Azure Landing Zones. As part of this release we've implemented support for policy versioning in all ALZ initiatives, and in all initiative and policy assignments that refer to a built-in policy or initiative. This means that all the ALZ initiatives and assignments are now pinned to the currently validated major version of the built-in definition (expressed as `1.*.*`, or whatever the current major version is): minor and patch updates within that major version are picked up automatically, while a new major version is not adopted until we have validated it.
A policy's major version is incremented whenever there is a breaking change to the definition or behaviour of the policy. Pinning to the current major version gives us control over which version we have validated, tested and confirmed to work with ALZ. As new major versions are published we'll review the changes we need to make, test and validate the new version, and then publish it as part of our regular quarterly policy release cadence.
This change also required us to update the policy definition and policy set definition (Policy(Set)) API version to the latest version that supports policy versioning.
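As an added example (this is not ALZ's own tooling), the following Python script applies the pinning scheme described above to exported policy set definition and policy assignment documents: every reference to a built-in definition must carry a `definitionVersion` of the form `<major>.*.*`, while custom definitions scoped to a management group are left alone. The documents, names and GUIDs below are constructed for illustration; the `definitionVersion` property names are those of the Microsoft.Authorization policy REST API (assumed here to be API version 2023-04-01 or later).

```python
"""Lint initiative and assignment documents for built-in version pinning.

Added example, not part of the ALZ repository. Constructed sample input
follows; the GUIDs are placeholders, not real built-in definitions.
"""
import re
from typing import List, Optional

# Built-in definitions live directly under the tenant-wide provider path.
# Custom definitions sit under a management group or subscription and are
# skipped, because versioning applies to built-ins only.
BUILTIN_PREFIX = "/providers/microsoft.authorization/policy"
# ALZ pins the major version and lets minor/patch float, e.g. "1.*.*".
PIN_RE = re.compile(r"^\d+\.\*\.\*$")


def is_builtin(definition_id: str) -> bool:
    return definition_id.lower().startswith(BUILTIN_PREFIX)


def check_pin(definition_id: str, version: Optional[str]) -> Optional[str]:
    """Return a finding for a built-in reference, or None when acceptable."""
    if not is_builtin(definition_id):
        return None
    if version is None:
        return f"{definition_id}: no definitionVersion, reference floats to the latest major"
    if not PIN_RE.match(version):
        return f"{definition_id}: definitionVersion {version!r} is not a major pin such as '1.*.*'"
    return None


def lint_policy_set(policy_set: dict) -> List[str]:
    """Check every policyDefinitions[] reference inside an initiative."""
    findings = []
    for ref in policy_set["properties"]["policyDefinitions"]:
        finding = check_pin(ref["policyDefinitionId"], ref.get("definitionVersion"))
        if finding:
            findings.append(finding)
    return findings


def lint_assignment(assignment: dict) -> List[str]:
    """Check the single definition an assignment points at."""
    props = assignment["properties"]
    finding = check_pin(props["policyDefinitionId"], props.get("definitionVersion"))
    return [finding] if finding else []


# Constructed sample: a custom ALZ-style initiative referencing two
# built-ins (one pinned, one not) and one custom definition.
INITIATIVE = {
    "name": "Deploy-Example-Initiative",
    "properties": {
        "policyDefinitions": [
            {"policyDefinitionReferenceId": "PinnedBuiltIn",
             "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000001",
             "definitionVersion": "1.*.*"},
            {"policyDefinitionReferenceId": "UnpinnedBuiltIn",
             "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000002"},
            {"policyDefinitionReferenceId": "CustomAlz",
             "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/alz/providers/Microsoft.Authorization/policyDefinitions/Deny-Example"},
        ]
    },
}

# Constructed sample assignments of a built-in initiative.
ASSIGNMENT_OK = {
    "name": "Deploy-Example-Assignment",
    "properties": {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/00000000-0000-0000-0000-0000000000aa",
        "definitionVersion": "1.*.*",
    },
}
ASSIGNMENT_EXACT = {
    "name": "Deploy-Example-Assignment-Exact",
    "properties": {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/00000000-0000-0000-0000-0000000000aa",
        "definitionVersion": "1.2.0",  # exact pin: never receives fixes within major 1
    },
}


if __name__ == "__main__":
    for doc, linter in ((INITIATIVE, lint_policy_set),
                        (ASSIGNMENT_OK, lint_assignment),
                        (ASSIGNMENT_EXACT, lint_assignment)):
        for finding in linter(doc):
            print(f"{doc['name']}: {finding}")
```

An exact version such as `1.2.0` is flagged as well as a missing one, because it silently opts out of the minor and patch fixes that the `1.*.*` scheme is designed to receive.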
We've also included a number of fixes and updates requested by the community. A community request for better tag auditing based on an array of required tags has resulted in two new custom policies:
Policy updates are available today in the portal accelerator, and will be included in the Terraform and Bicep accelerators in the coming weeks.
Portal Accelerator
With this release we've added support for deploying Azure Virtual Network Manager (AVNM) for Hub & Spoke and NVA network topologies. You will now have the option to deploy it as part of the network configuration:
Option to enable deployment of Azure Virtual Network Manager
Today, we only support the Security Admin rules feature of AVNM. We deploy AVNM to manage the Intermediate Root management group scope, include Network Groups for all scopes under the Intermediate Root management group, and deploy policies that automatically add virtual networks under those scopes to the relevant Network Group. To illustrate, this is an example of the Network Groups for a multi-region (Sweden Central and UK South) deployment:
As part of the deployment, we've included a Security Admin rule collection that blocks high-risk ports from the internet (Protect High-Risk Ports) that we apply to the "all virtual networks" network group.
We've had feedback that some of the controls in the Workload Specific Compliance section are very restrictive out of the box, and the ask was to include an "Audit Only" option for each of the guardrails. We've updated the portal accelerator to support this: when "Audit Only" is selected, the initiative assignment is created with its enforcement mode set to "DoNotEnforce", so the policies are still evaluated and compliance is reported, but their effects (such as Deny) are not enforced on resource requests. Once the reported non-compliance has been remediated, you can update the assignment's enforcement mode to "Default" to activate the guardrails.
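To make the audit-then-enforce workflow concrete, here is an added example (not part of the portal accelerator) that inspects assignment bodies in the Microsoft.Authorization/policyAssignments shape, identifies the "Audit Only" ones, and decides which can be promoted to enforcement. The assignments and the non-compliant resource counts are constructed for illustration; in practice the counts would come from Policy Insights compliance data keyed by assignment name, which is an assumption of this script.

```python
"""Plan promotion of 'Audit Only' assignments to enforced mode.

Added example, not ALZ code. Sample assignments and compliance counts
below are constructed; the assignment-name keying is an assumption.
"""
import copy
from typing import Dict, List, Tuple

AUDIT_ONLY = "DoNotEnforce"   # effects evaluated and reported, not enforced
ENFORCED = "Default"          # effects enforced; also the value when omitted


def is_audit_only(assignment: dict) -> bool:
    """An assignment without enforcementMode behaves as 'Default'."""
    return assignment["properties"].get("enforcementMode", ENFORCED) == AUDIT_ONLY


def enable_enforcement(assignment: dict) -> dict:
    """Return a copy with the guardrails activated; the input is not mutated."""
    updated = copy.deepcopy(assignment)
    updated["properties"]["enforcementMode"] = ENFORCED
    return updated


def promotion_plan(assignments: List[dict],
                   non_compliant: Dict[str, int]) -> Tuple[List[str], List[Tuple[str, int]]]:
    """Split audit-only assignments into those safe to enforce now
    (zero non-compliant resources) and those still being remediated."""
    ready: List[str] = []
    pending: List[Tuple[str, int]] = []
    for assignment in assignments:
        if not is_audit_only(assignment):
            continue
        name = assignment["name"]
        # Missing count is treated as unknown, not as zero, to avoid
        # enforcing a Deny on a scope that was never evaluated.
        count = non_compliant.get(name)
        if count == 0:
            ready.append(name)
        else:
            pending.append((name, -1 if count is None else count))
    return ready, pending


# Constructed sample assignments in the Workload Specific Compliance style.
SAMPLE_ASSIGNMENTS = [
    {"name": "Enforce-Guardrails-KeyVault",
     "properties": {"policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/sample-kv",
                    "enforcementMode": AUDIT_ONLY}},
    {"name": "Enforce-Guardrails-Storage",
     "properties": {"policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/sample-storage",
                    "enforcementMode": AUDIT_ONLY}},
    {"name": "Enforce-Guardrails-Network",
     "properties": {"policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/sample-net",
                    "enforcementMode": AUDIT_ONLY}},
    {"name": "Deny-Public-IP",
     "properties": {"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/sample-pip"}},
]

# Constructed compliance summary: non-compliant resources per assignment.
SAMPLE_NON_COMPLIANT = {
    "Enforce-Guardrails-KeyVault": 0,
    "Enforce-Guardrails-Storage": 3,
    # Enforce-Guardrails-Network deliberately absent: never evaluated
}


if __name__ == "__main__":
    ready, pending = promotion_plan(SAMPLE_ASSIGNMENTS, SAMPLE_NON_COMPLIANT)
    for name in ready:
        promoted = next(a for a in SAMPLE_ASSIGNMENTS if a["name"] == name)
        print("enforce:", enable_enforcement(promoted)["properties"]["enforcementMode"], name)
    for name, count in pending:
        print("keep audit-only:", name, "non-compliant:", count)
```

The promoted body is what you would submit as the updated assignment; the script returns a copy rather than editing in place so the "before" state remains available for comparison or rollback.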
Under the hood we've also made significant quality of life changes:
- We now register all required resource providers on every subscription included in the ALZ deployment, which avoids provider-not-registered failures in new tenants (greenfield environments).
- We've also changed how we wait for management groups to be created before deploying into them, which has significantly improved the reliability and consistency of ALZ deployments using the portal accelerator.
Important Links
Quick link to the portal accelerator:
And as always, to get all the details, please review:
Updated Jan 29, 2025
Version 1.0
Springstone, Microsoft
Azure Governance and Management Blog