
Azure Scaffolding and Foundations for Enterprises

Presented by Aaron Saikovski at the Global Azure Bootcamp 2019 in Sydney.

Best practices and recommendations for deploying Azure in large-scale and complex environments. The session covers the foundational elements of a successful Azure deployment in your enterprise.

Azure Sydney User Group

April 27, 2019



  1. Aaron.Saikovski@microsoft.com

  3. Drivers
     • Pressure to digitally transform and innovate
     • Need for agility to reduce time to market
     • Shift to DevOps
     • Cloud sprawl -> increased complexity in managing standards, accountability, compliance, consistent architecture and cost -> at scale
  4. Sacrifice Speed for Control
     • Developers
     • Operations: Cloud Custodian / Engineers responsible for the cloud environment
  5. Speed and Control
     • Developers: built-in controls through policy instead of workflow
     • Operations: Cloud Custodian Team
  6. Native platform capabilities to ensure compliant use of cloud resources
     • Control – Policy (NEW): real-time enforcement, compliance assessment and remediation
     • Visibility – Resource Graph (NEW): query, explore and analyze cloud resources at scale
     • Environment – Blueprints (NEW): deploy and update cloud environments in a repeatable manner using composable artifacts
     • Consumption – Cost: monitor cloud spend and optimize resources
     • Hierarchy – Management Group: define organizational hierarchy
  8. What is the ? Overview of the

  9. The Foundation: Enterprise Enrollment
     Hierarchy diagram: Enterprise Enrollment -> Departments (Department A, Department B) -> Accounts (Account A, Account B, Account C) -> Subscriptions (Subscription 1–4). One of the arrangements shown is marked "DON’T!".
  10. EA/Account/Subscription examples (diagram of alternative layouts)

  11. The Pillars: Naming Standards
      • Allow easier identification of resources in the Portal, in logs, etc.
      • Allow easier breakout of data in dashboards and billing
      https://azure.microsoft.com/en-gb/documentation/articles/guidance-naming-conventions/
  12. Connectivity diagram: SaaS, Public Cloud, VPN, ExpressRoute, NSP, internet

  17. The problem
      • Up to 9 months to review, define and deploy an app into a subscription
      • Large surface area to secure, govern and audit
      • Knowing and updating core infra was extremely tedious
  18. Azure Blueprints
      • Idempotent definition to safely and efficiently provision and manage infra at scale
      • Define all your artifacts (policies, RBAC and templates) that go into an environment in a simple experience
      • Lock down foundational infra that is shared across subscriptions
  19. Contoso Blueprint (diagram)
      • Artifacts: Role-based access controls, Policy Definitions, ARM Templates, Custom Scripts (* coming in June)
      • Roles: Cloud Engineer, Cloud Architect
      • Compliance frameworks: ISO 27001, FedRAMP, NIST, …
  20. Blueprints: deploy and update cloud environments in a repeatable manner using composable artifacts (Role-based access controls, Policy Definitions, ARM Templates)
  21. Blueprint workflow (Cloud Engineer, Contoso Blueprint)
      1. Create a Blueprint
      2. Add artifacts (Azure resources) to be used: Custom Scripts*, Policies, Resource Groups, ARM Templates, Role-based access
      3. Lock foundational resources and sequence deployments
      4. Create subscriptions and/or apply the Blueprint to a scope (MG, Sub, RG) – Provision Subscription: deployed and locked foundational artifacts (Sub A, Sub B, …)
      5. Version and update Blueprints
      6. Built-in compliance Blueprints (ISO, HITRUST, PCI, etc.)
  22. What is an Azure Blueprint?
      • A configured, secure, scalable Azure environment based on best practices
      • A starting point for new development and experimentation
      • A starting point for customers’ application migration journey
      • An environment that allows for iteration while maintaining control and consistency
  23. Foundation blueprint contents
      • Deploys foundation infrastructure based on the Virtual Datacentre (VDC) approach
      • Configures roles – NetOps, SecOps, SysOps
      • Deploys:
        • RBAC
        • Log Analytics
        • VNet with on-premises support, NSGs and ASGs (microsegmentation)
        • Bastion host, ADDS and DNS VMs
        • Key Vault
        • Network Watcher with DDoS support
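The blueprint workflow of slides 18–23 (define artifacts, publish a version, assign with a lock) as an added PowerShell example using the Az.Blueprint module; this is not code from the talk. The management group `contoso-mg`, blueprint name `Contoso-Foundation`, the SecOps group object id, the target subscription id and the template file `./artifacts/vnet.json` are assumed placeholders; the policy and role GUIDs are the built-in "Allowed locations" definition and the Reader role.

```powershell
# Added example (not from the talk). Assumes the Az.Blueprint module and placeholder names.
Connect-AzAccount | Out-Null

$mgId        = 'contoso-mg'                              # placeholder management group
$bpName      = 'Contoso-Foundation'                      # placeholder blueprint name
$secOpsGroup = '00000000-0000-0000-0000-000000000000'    # placeholder: SecOps AAD group object id
$targetSub   = '11111111-1111-1111-1111-111111111111'    # placeholder: subscription to assign to

# Step 1: the blueprint definition. It targets a subscription and declares a resource group
# placeholder ('network-rg') that template artifacts deploy into.
$definition = @{
    properties = @{
        targetScope    = 'subscription'
        resourceGroups = @{ 'network-rg' = @{ location = 'australiaeast' } }
    }
    type = 'Microsoft.Blueprint/blueprints'
} | ConvertTo-Json -Depth 5
Set-Content -Path './blueprint.json' -Value $definition
$bp = New-AzBlueprint -Name $bpName -ManagementGroupId $mgId -BlueprintFile './blueprint.json'

# Step 2: artifacts. A policy assignment (built-in 'Allowed locations') keeps every
# subscription this blueprint is applied to inside the approved regions ...
New-AzBlueprintArtifact -Blueprint $bp -Type PolicyAssignment -Name 'allowed-locations' `
    -PolicyDefinitionId '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c' `
    -PolicyDefinitionParameter @{ listOfAllowedLocations = @('australiaeast', 'australiasoutheast') }
# ... RBAC: Reader (built-in role id) for the SecOps group, so SecOps sees every subscription ...
New-AzBlueprintArtifact -Blueprint $bp -Type RoleAssignment -Name 'secops-reader' `
    -RoleDefinitionId 'acdd72a7-3385-48ef-bd42-f606fba81ae7' -RoleDefinitionPrincipalId $secOpsGroup
# ... and the shared hub VNet from an ARM template, deployed into the placeholder resource group.
New-AzBlueprintArtifact -Blueprint $bp -Type TemplateArtifact -Name 'hub-vnet' `
    -ResourceGroupName 'network-rg' -TemplateFile './artifacts/vnet.json'

# Step 5 (versioning): publish an immutable version; only published versions can be assigned.
Publish-AzBlueprint -Blueprint $bp -Version '1.0'
$published = Get-AzBlueprint -ManagementGroupId $mgId -Name $bpName -LatestPublished

# Steps 3-4: assign to a subscription. The lock keeps the foundational resources from being
# deleted even by subscription Owners; AllResourcesReadOnly is the stricter alternative.
New-AzBlueprintAssignment -Name "$bpName-assignment" -Blueprint $published `
    -SubscriptionId $targetSub -Location 'australiaeast' `
    -Lock AllResourcesDoNotDelete -SystemAssignedIdentity
```

The same definition can be re-assigned at a higher version to update every subscription in place (step 5). Azure Blueprints has since been announced for retirement in favour of Template Specs and Deployment Stacks, so new foundations should be planned on those.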