Azure Policy for Deploy Anti-malware VM Extension for SQL VMs
I have just finished a very lengthy engagement, where I had been working exclusively on Terraform. The customer uses only Terraform to deploy resources to Azure, and the use of Azure Policy was very limited in that environment. They do not use the Microsoft Antimalware VM extension, but instead, all the AV settings were pushed to Azure VMs via SCCM. During my engagement, we had few instances that the Azure SQL VMs that we have deployed did not get appropriate AV exclusion settings applied. At that time, I thought wouldn’t it be so easy if Azure Policy is used, and we can automatically deploy MS Antimalware VM extension with a default list of folders, files and processes to be excluded for SQL.
To validate my thoughts, I have developed a Policy definition to do just that. The definition is located HERE in my AzurePolicy GitHub repo.
This policy uses the DeployIfNotExists effect and deploys the MS Antimalware extension with exclusions pre-configured for SQL when a marketplace SQL VM on Windows server image is deployed. the exclusion setting is taken from THIS article. Obviously, the exclusions I have configured may not cover all the exclusions your environment requires. You can always modify the default settings when creating the policy assignments.
P.S. Few years ago, I have created a policy definition that deploys the MS Antimalware VM extension that supports passing custom configuration via Policy assignment inputs. I have also updated it to exclude all marketplace SQL VM images.
Leave a comment