Stay tuned today where I'm talking to Liz Kim about Azure Policy, the route that the product has taken over the last few years since its launch, and also she's sharing some customer stories about how they are using Azure Policy.

Hey everybody, my name is Sarah Lean, and on today's episode of Azure Unblogged I'm joined by Liz Kim, who is the product owner of Azure Policy. Welcome to the show, Liz.

Thank you, Sarah. I appreciate the opportunity.

It's great. Now, I remember using Azure Policy back in 2018 with a customer, but we were just talking before the recording, and you reminded me that we actually went with the preview and it was announced in 2017, which seems like a long time ago, and the product has certainly evolved since I first used it and first got involved in implementing it for customers, Liz. Could you tell us a bit about what Azure Policy does nowadays and where that journey has taken you guys over the last few years?

Yeah, absolutely, and it has been a long while indeed. I'm amazed seeing the growth of the capabilities and the usage that we've seen over the years. The focus of Policy is still very much the same: being able to do control and compliance assessment at scale, and so whatever features we build are still very much focused on that whole mission. In terms of the capabilities, I would say that our investments are really in two main pillars. One is on kind of making the policy expressions more powerful, right? So when you author your policy definitions, being able to do things that you previously wanted to be possible. An example would be, for example, we introduced a new modify effect, which is a new way of doing remediation where it's a real-time remediation before the resource even gets deployed, like we will catch the request, remediate it, and then let the resource request go through, and that essentially is done by introducing a new effect on the policy side.

I think another kind of investment that we do is around the lifecycle of policy, right? And so, for example, the exemption management that we have, where it will make it easier for you to exempt resources, set an expiration date on an exemption, set metadata on these exemptions, that sort of investment, as well as kind of the lifecycle of how you deploy your policies and group them into initiatives. And so I think the secondary investments that we do are really around the lifecycle, but at the end of the day, it's still very much about doing the control of your resource configurations and doing the compliance assessment of all your resources across the whole enterprise.

I've definitely loved the evolution of the product, so big applause from me to your team on that. I know a lot of customers are looking towards the hybrid story, where they maybe have some workloads still in their own data center and then have some in the cloud. Where does Azure Policy fit in that hybrid story? Because I know there's some integration with Azure Arc currently. Are we gonna see more of Azure Policy for those non-Azure resources? Where does it fit in for that story?

Yeah, so we absolutely do have integration with Azure Arc. We have the integration with Azure Arc for virtual machines today, as well as Azure Arc Kubernetes. And essentially what we'll do is we will audit the settings that you have within the virtual machine as if it were on Azure. So there's no difference in terms of what kind of things we are able to audit within your virtual machine. And so it could be things like password complexity, the set of applications installed, and that sort of thing. On the Kubernetes side, it's similar, but we also support enforcement on Kubernetes as well. And so we will be essentially monitoring the pods, namespaces and ingresses within your Kubernetes clusters to make sure that they're compliant, and block the deployment of these objects if they're disallowed by policy as well. And so that's kind of how we've extended Policy beyond some of the Azure objects today.

Awesome. Talking about integration, I know there's some integration with Azure Policy and things like GitHub and Azure DevOps. Could you tell us a bit about how that helps our customers use Azure Policy?

Yeah, absolutely. I think it's a part of the whole policy-as-code approach that we've been recommending to customers. We're just trying to make it easier by having some buttons out there, easy buttons and build tasks and whatnot. There are essentially two things that we have out there right now. One is that from the portal experience of Azure Policy, you have a button to download to GitHub, which will download all of your policy definitions into your GitHub repository. And you will also have GitHub Actions to deploy your policies upon changes. And so when you make changes to your repo, it will automatically trigger deployment to your Azure environment. And then we also have some tasks on the Azure DevOps pipelines as well for you to deploy policy definitions and also make the assignment, although I think that one actually might need a bit of an update. You know, technology changes so quickly. So that's essentially what we have right now. But really, those are just the piecemeals of what we have. It's nowhere near kind of where we wanted to see end to end. And so there are still more investments going in really in this whole policy-as-code investment, where we see the whole end-to-end process taking place from the VS Code extension for authoring. So we released a VS Code extension for Azure Policy, and that allows you to author some of the policy definitions a little bit more easily with some intelligence, syntax highlighting. We also released a what-if testing capability in that VS Code extension as well, so that you can quickly get back a response on whether it's compliant, non-compliant, reasons, that sort of stuff. And so the way we see it happen is you would author within the VS Code extension, which obviously has integration with GitHub. And then with GitHub, you would get all the history of the changes that you made to the policy definitions, and then you would do the deployment through your, you know, whether that be GitHub, Azure DevOps or your CI/CD chain of choice, and do a deployment there and really do it in a safe deployment rollout method. And so that's kind of where also a lot of our thinking is currently going, on how we help customers to roll this out in a granular fashion and also have some kind of a version management story built in there so that, you know, you can roll back if necessary. And so that's kind of where we see the vision end to end. I think right now it's just a piecemeal here and there, and I hope that with additional investments coming in, customers would really be able to kind of experience the whole story that we wanted to tell here.

Awesome. I'll be honest, Liz, I didn't realize there was a Visual Studio Code extension for Azure Policy. I've been using Code to author the policies, but I didn't realize there was an extension. So once I'm finished here, I'm gonna fire up Visual Studio Code and put that extension in, because that definitely sounds like something I could use. So I've learned something today. In terms of our customers, are there any areas that they're focusing on at the moment? Do you see any trends with Azure Policy in terms of implementing it within their environment?

Yeah, absolutely. I think first of all, in terms of kind of the, I'll say, investments on the types of policies that they're implementing, I think network policies are a hot topic right now. I see a lot of customer requests coming in on how to make, you know, deploying all these firewall rules and private links and all these network objects easier and managed at that scale. I think that's partly because, you know, it's a tough area, and so obviously those questions are funneling more to the product group side right now. You know, it's network right now because it's difficult; last year tags were the hot topic, but, you know, we made an investment last year on tags that made it much easier to manage your tags. And so now I no longer get questions on it. But I think that's only one hot topic area right now. I think for one, we are also investing into some of the language expressions. We just released a new count expression to make it easier for you to have an array of the firewall rule IP ranges specified in the policy definition. And then we have a number more expression investments coming in throughout this calendar year on kind of making the network management easier. There are also a lot more built-in definitions coming in as well. And so some of them already got released on kind of managing your public access, you know, in relation to the private link feature that was released. And there's a lot more about to come out for kind of, you know, built-in definitions to deploy your private link, the DNS zones, configure all that when using policy as well. And so we are putting in a number of investments, as I think it is a challenging area today. And so there are a lot of customer requests and questions coming in on that area.

Sorry. Talking about the customer requests, what's the best way for a customer to put a request in for Azure Policy? Is it through UserVoice?

Yeah, so we do have a number of channels. We have UserVoice, and I'm a little bit ashamed to say UserVoice because we haven't been able to solve the number one request that we have on UserVoice, which is Resource Graph, and I completely hear you, like we are definitely planning on implementing it, but UserVoice is definitely one channel route that we have. We also have other mechanisms as well, right? So for example, we have a quarterly governance call that we host with customers, and we kind of go through all of the updates that are happening to governance services. So that would be Policy, Azure Blueprints, Azure Resource Graph and tags, like all those areas are a part of the Azure governance quarterly call. And then lastly, a lot of times these customers will reach out to their counterparts, their Microsoft counterparts, whether that be a CAA, CSA or customer engineer, and then we route them through that feedback channel as well.

Awesome. One last question for you, Liz. Who do you see inside a customer environment using Azure Policy? Is it the ops team? Is it the developers? Or should it really be a team sport as such, and everybody should be involved in helping to make sure Azure Policy is applied where appropriate?

Well, there are definitely teams that are around and heavily using Policy, right? I think it could be the cloud architect team. It's also called the cloud center of excellence team. I think there are various names for it, but there are a lot of the cloud architects, the team that the cloud architects are a part of, that end up using Policy heavily. And there's also a lot of interest from the security angle as well. What we've seen in the past is that the security team doesn't have permission to actually apply these policies, but they will come up with what needs to be applied in the environment and what are some of the controls that should be in place. And then the cloud center of excellence team will actually apply these policies. I do see that sometimes changing here and there. So I've seen some customers shifting that around, moving to the security team directly applying. I think that just depends on each organization. And then in terms of the background, I think in the beginning when we first started out, everything was new, where most enterprises didn't have the governance team or the cloud center of excellence team at that point. And we used to see a lot of developer backgrounds. And so I remember when we did an extensive study on kind of how to help policy definition authoring because, you know, if it's a pain, it's hard, and I get it. And originally we were thinking maybe we'll have a better, you know, user experience. Like we got some ideas from the customers where, hey, maybe I just wanna have, you know, drop-down experiences, like a toggle, a drop-down here and there. And we ran an extensive customer study on it, and the feedback that we got loud and clear is like, I don't care about the UX. Like I want a VS Code extension, give me better intelligence. Like it was loud and clear. And so I think it reflects the very dev-centric customers that we had. And that's kind of how we started. But I think over the years, I'm seeing more and more of the operations people joining the cloud center of excellence team. I'm seeing a huge shift of those people starting to leverage Policy as well. We actually recently did an extensive customer study on testing out some of the new languages that we wanna introduce for Policy, 'cause as much as we love JSON, it's not everyone's favorite language to author. And we had a number of languages in there, scripting policy, and we tried to target also the different kinds of personas and what they would be geared towards: we had C#, we had Python and a language that looks a little bit more like PowerShell and whatnot. And you can really see the mixture of customers that we are starting to have. I think really, I'm seeing, you know, almost more of the operations-people background nowadays of people authoring policies and stuff like that.

Yeah. Awesome. That sounds amazing. Thank you for sharing some of those stories there. They're quite good. And again, thank you for your time today, Liz. It's been fun talking to you about Azure Policy, and I've definitely learned about that extension. So that's one good thing. Well, we're posting some links in our description box. So please head there for more information about Azure Policy and how you can use it, and make sure you stay tuned for future episodes of Azure Unblogged.
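The modify effect Liz describes, where the request is caught, remediated and then allowed through, is easiest to see as a policy definition. The following is an added example, not code from the episode or from the Azure Policy team: a definition that adds a required tag to any indexed resource that is created without it. The tag name and value are parameters supplied at assignment time. The `roleDefinitionIds` entry is assumed to be the Contributor built-in role id; modify needs a role the assignment's managed identity can hold so that remediation tasks can also fix resources that already exist, and it should be checked against your own tenant before use.

```json
{
  "properties": {
    "displayName": "Add a required tag when a resource is created without it (added example)",
    "description": "Modify-effect example: a missing tag is added to the request before the resource is deployed.",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag name",
          "description": "Name of the tag that every indexed resource must carry (assumed example parameter)."
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag value",
          "description": "Value written when the tag is missing (assumed example parameter)."
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false"
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "add",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[parameters('tagValue')]"
            }
          ]
        }
      }
    }
  }
}
```

Two things worth checking when assigning a definition like this: the assignment must be created with a managed identity that holds the role listed in `roleDefinitionIds` at the assignment scope, otherwise existing non-compliant resources cannot be remediated; and the `if` condition should be as narrow as the operation, since modify rewrites the request rather than rejecting it, and a too-broad condition silently changes more resources than intended.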