Common sense in the world of Azure Governance
Tom Janetscheck
Lead Consultant | Microsoft Azure MVP

About me
Tom Janetscheck
Lead Consultant – Business Line Enterprise
Focussed on Azure Infrastructure, Governance, Security
Microsoft Azure MVP & P-CSA
Twitter: @azureandbeyond
Blog: https://blog.azureandbeyond.com
Governance – a definition
"Establishment of policies, and continuous monitoring of their proper implementation, by the members of the governing body of an organization [...]" [1]
[1] Source: BusinessDictionary
Azure Governance Scaffold
Source: https://docs.microsoft.com/en-us/azure/architecture/cloud-adoption/appendix/azure-scaffold
Azure Account Owner vs. Azure AD Global Admin
Define your hierarchy
Azure Enterprise Enrollment → 1 to many Departments → 1 to many Accounts → 1 to many Subscriptions
Plan first, act second!
Functional Pattern (Enterprise → Departments → Accounts → Subscriptions):
  Enterprise: Contoso Inc.
  Department IT (Account Owner): subscriptions Project 1 Dev, Project 1 Test
  Department Finance (Account Owner): subscriptions Production, Web Sites
Business Unit Pattern (Enterprise → Departments → Accounts → Subscriptions):
  Enterprise: Contoso Inc.
  Department Auto (Account Owner): subscription Application 1
  Department Aerospace (Account Owner): subscriptions Application 2, Application 3
Plan first, act second!
Geographic Pattern (Enterprise → Departments → Accounts → Subscriptions):
  Enterprise: Contoso Inc.
  Department EU (Account Owner): subscriptions Project 1, Project 2
  Department USA (Account Owner): subscription Project 3
Naming conventions
• It is difficult to change a name later.
• Names must meet the requirements of their specific resource type.
• Consistent naming conventions make resources easier to locate. They can also indicate the role of a resource in a solution.
Naming conventions - subscription
Company | Department   | Product Line or Service | Environment | Full Name
Contoso | SocialGaming | AwesomeService          | Production  | Contoso SocialGaming AwesomeService Production
Contoso | SocialGaming | AwesomeService          | Dev         | Contoso SocialGaming AwesomeService Dev
Contoso | IT           | InternalApps            | Production  | Contoso IT InternalApps Production
Contoso | IT           | InternalApps            | Dev         | Contoso IT InternalApps Dev
Naming conventions
• Use affixes to avoid ambiguity
  • SvcCalculationEngine (prefix)
  • CalculationEngineSvc (suffix)
• Naming rules and restrictions
  • https://docs.microsoft.com/en-us/azure/architecture/best-practices/naming-conventions
Automation
https://github.com/azureandbeyond/AzurePS/tree/master/KeyVault
Azure governance features and capabilities
Common Sense, Resource Locks, Resource Groups, Management Groups, Resource Tags, Resource Policies, RBAC
"Common sense… is not so common." - Voltaire
Resource Locks
• Locks protect resources
  • Delete locks
  • ReadOnly locks
• Define locks in advance
• Use them in combination with common sense (e.g. read only means read only!)
Resource Groups
• Management containers for Azure resources
• RGs contain resources with the same deployment lifecycle
• RGs stick to one region but can contain resources that reside in different regions
• Every resource can only exist in one RG
• Resources can be moved between RGs
Management Groups
• Efficiently manage access, policies, and compliance
• A level of scope above subscriptions
Resource Tags
• Name:Value, e.g. CostCenter:ProdIT, ResourceOwner:Tom
• Help to define responsibility and view consolidated billing
• Always tag RGs
  • Owner
  • Dept
  • CostCenter
  • […]
• Tag resources as needed
• Define tags in advance
Resource Tags
• Billing: grouping resources and associating them with billing or charge-back codes.
• Service context identification: identifying groups of resources across Resource Groups for common operations and grouping.
• Access control and security context: administrative role identification based on portfolio, system, service, app, instance, etc.
Resource Policies
• Rule enforcements on MG, subscription or RG level
• Initiative definitions vs. Policy definitions
• Effect types:
  • Append
  • Deny
  • Audit
Resource Policies
• Create initiatives on MG level
• Assign initiatives on MG or subscription level
• Resource ownership
• Geo-compliance
• Cost management
• Assign RG initiatives if needed
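To make the rule enforcement and effect types above concrete, here is an added example in Python (not code from the deck or from Microsoft): a small evaluator for the subset of Azure Policy's policyRule syntax used by tag-enforcement, allowed-location and audit policies, covering the deck's three initiative concerns (cost management, geo-compliance, resource ownership). The rules and the resource documents are constructed samples.

```python
import re
# Added example (not from the deck): evaluator for a policyRule subset
# (field + equals/exists/in, allOf/not); sample data is constructed.

def _field(resource, name):
    """Resolve a policyRule field: type, location, or tags['Name']."""
    m = re.fullmatch(r"tags\['([^']+)'\]", name)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(name)

def matches(cond, resource):
    """True when the condition block holds for the resource."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = _field(resource, cond["field"])
    if "exists" in cond:  # Azure writes the operand as the string "true"/"false"
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy_rule, resource):
    """Effect the rule yields ('deny', 'audit', ...) or 'none' if it does not fire."""
    if matches(policy_rule["if"], resource):
        return policy_rule["then"]["effect"].lower()
    return "none"

# Constructed rules: cost management (tags on RGs), geo-compliance, resource ownership.
RULES = {
    "require-costcenter-on-rg": {
        "if": {"allOf": [{"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
                         {"field": "tags['CostCenter']", "exists": "false"}]},
        "then": {"effect": "deny"}},
    "allowed-locations-eu": {
        "if": {"not": {"field": "location", "in": ["westeurope", "northeurope"]}},
        "then": {"effect": "deny"}},
    "audit-missing-owner": {
        "if": {"field": "tags['Owner']", "exists": "false"},
        "then": {"effect": "audit"}},
}

def evaluate_all(resource):
    """Map each rule name to the effect it produces for the resource."""
    return {name: evaluate(rule, resource) for name, rule in RULES.items()}
```

A resource group created without a CostCenter tag is denied, a resource outside the allowed regions is denied, and a missing Owner tag is only reported, which is the difference between Deny and Audit in practice.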
Role-based access control
1. Security principal = user, group, service principal
2. Role definition = set of management rights
3. Scope = MG, subscription, RG, resource
Role definitions
  Built in: Owner, Contributor, Reader, … Backup Operator, Security Reader, User Access Administrator, Virtual Machine Contributor
  Custom: Reader Support Tickets, Virtual Machine Operator
Contributor (built-in role definition; the slide abbreviates the action names, the full resource provider namespace is Microsoft.Authorization):
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [
        "Authorization/*/Delete",
        "Authorization/*/Write",
        "Authorization/elevateAccess/Action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
Scopes: Management Group > Azure subscription > Resource group
Role-based access control – Role assignment
Example: security principal "DevOps Group" + role definition "Contributor" + scope "DevOps Resource Group" = Role Assignment
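An added example in Python (not the deck's or Microsoft's code) that applies the three RBAC elements above: it decides whether a principal may perform an operation on a resource, given role definitions with actions/notActions and assignments at a scope, using the deck's DevOps Group / Contributor / DevOps resource group assignment. The subscription id, the Virtual Machine Operator role contents and the Ops Group assignment are constructed.

```python
from fnmatch import fnmatchcase
# Added example (not from the deck): how a role's actions/notActions and an
# assignment's scope combine into an effective permission. Sample data is constructed.

def role_allows(role, operation):
    """Azure semantics: the operation must match an 'actions' entry and no
    'notActions' entry; notActions subtracts, it is not an explicit deny."""
    op = operation.lower()
    granted = any(fnmatchcase(op, a.lower()) for a in role["actions"])
    excluded = any(fnmatchcase(op, n.lower()) for n in role["notActions"])
    return granted and not excluded

def scope_covers(assignment_scope, resource_id):
    """An assignment applies to its scope and everything below it."""
    scope = assignment_scope.lower().rstrip("/")
    target = resource_id.lower()
    return target == scope or target.startswith(scope + "/")

def is_permitted(assignments, roles, principals, operation, resource_id):
    """True if any assignment for the principal or one of its groups, at a
    scope covering the resource, grants the operation (assignments are additive)."""
    return any(a["principal"] in principals
               and scope_covers(a["scope"], resource_id)
               and role_allows(roles[a["role"]], operation)
               for a in assignments)

# Contributor as in the deck, with the full Microsoft.Authorization namespace;
# Virtual Machine Operator is a constructed custom role.
ROLES = {
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"]},
    "Virtual Machine Operator": {
        "actions": ["Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/restart/action",
                    "Microsoft.Compute/*/read"],
        "notActions": []},
}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
ASSIGNMENTS = [  # the deck's example plus a constructed subscription-level one
    {"principal": "DevOps Group", "role": "Contributor", "scope": SUB + "/resourceGroups/DevOps"},
    {"principal": "Ops Group", "role": "Virtual Machine Operator", "scope": SUB},
]

def check(principals, operation, resource_id):
    """Evaluate against the sample roles and assignments above."""
    return is_permitted(ASSIGNMENTS, ROLES, principals, operation, resource_id)
```

The Contributor on the DevOps resource group can manage its VMs but cannot write role assignments there, and the subscription-level Virtual Machine Operator assignment is inherited by every resource group below it.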
Just announced: Azure Blueprints & Quickstart Center public previews
Azure Blueprints
Deployment orchestration of
• ARM templates
• Role assignments
• Policy assignments
• Resource groups
• Resource Locks
Azure Portal Quickstart Center
Key take-aways
1. Plan first, act second
2. Use templates (ARM, PowerShell, …) to automatically deploy Azure resources
3. Use NoDelete Resource Locks to prevent accidental deletion of key resources
4. Always use Resource Tags
5. Leverage Resource Policies to enforce Resource Tag usage and compliance rules
6. Adhere to the Principle of least privilege (POLP)
Further information
• Azure Management - Governance
  • https://docs.microsoft.com/en-us/azure/governance/
• Azure Quickstart Center
  • https://azure.microsoft.com/en-us/blog/azure-portal-october-update
• Naming rules and restrictions
  • https://docs.microsoft.com/en-us/azure/architecture/best-practices/naming-conventions
Thank you!
@azureandbeyond
https://slideshare.net/ThomasJanetscheck

CloudBrew 2018 - Azure Governance