GABC2019: Azure Blueprints - The next level in Cloud Governance by Michael Rueefli

Transcript

1. Azure Blueprints Cloud Governance at Scale Michael Rueefli Microsoft MVP

   [email protected] miru.ch @drmiru

2. About Me • Partner @ make it noble • Microsoft

   MVP • Cloud Solutions Architect • Public Speaker • Cloud Enthusiast • Automation geek • Skydiver & Skier • Contact Info • twitter: @drmiru • blog: www.miru.ch • email: [email protected] About me

3. ▪ Governance – what & why ▪ Azure Blueprints Essentials

   ▪ Management Groups ▪ Policy ▪ ARM Templates ▪ Azure Blueprints Intro ▪ Blueprints as Code Agenda

4. Audience Check my manager has no clue, but I’m gonna

   fix this All takes way too long and costs a fortune Head of something Natural born IT work horse

5. Cloud governance is a set of rules you create, monitor,

   and amend as necessary in order to control costs, improve efficiency, and eliminate security risks Governance | what?

6. This can’t happen in the cloud

7. Governance | why? User request Managed approval IT Review IT

   Approval IT Provisioning Access User request Validation against Policies and Budget Access User request Access Traditional Agile Agile with Governance Agility Control IT Provisioning

8. ▪ Block Dev/Ops from directly accessing the cloud (portal/API/cli) to

   attain control Traditional Approach Developers Operations Cloud Custodian / Engineers responsible for Cloud environment © Microsoft Corporation Azure

9. Cloud Custodian Team ▪ Cloud-native governance -> removing barriers to

   compliance and enabling velocity Cloud Speed and Control Developers Operations Management Groups Templates RBAC Blueprints Policies Policy © Microsoft Corporation Azure

10. Governance for the Azure cloud Management Group Define organizational hierarchy

    Hierarchy Policy Real-time enforcement, compliance assessment and remediation Control Cost Management Monitor cloud spend and optimize resources Consumption NEW NEW Blueprints Deploy and update cloud environments in a repeatable manner using composable artifacts Environment NEW Resource Graph Query, explore & analyze cloud resources at scale Visibility

11. Azure Governance Architecture © Microsoft Corporation Resource Provider Network Virtual

    Machine Storage Azure Portal CLI 3rd party CRUD Azure Resource Manager (ARM) Policy Engine Azure Resource Graph Query Role-based Access Policy Definitions ARM Templates Subscriptions Azure Blueprints Providing control over the cloud environment, without sacrificing developer agility

12. Azure Blueprints Essentials Mgmt Groups ▪RBAC ▪Policy Definitions ▪Policy Assignments

    Policy ▪Control ▪Audit ▪Compliance ARM Templates ▪Code based deployment of artifacts ▪Declarative ▪JSON

13. Management Groups

14. ▪ Hierarchy resources that exist above the subscription level within

    Azure ▪ Independent from customer EA Hierarchy ▪ Can be created, moved, updated, and deleted by admins to build a hierarchy for their needs ▪ A management group tree can support up to six levels of depth ▪ Each management group and subscription can only support one parent ▪ All subscriptions and management groups are within a single hierarchy in each directory (Azure AD Tenant) Azure Management Group Facts

15. ▪ The name is always "Tenant root group“, the ID

    will be the Azure Active Directory ID ▪ can't be moved or deleted, unlike other management groups ▪ New subscriptions are automatically defaulted to the root management group when created ▪ No one is given default access to the root management group. ▪ Azure AD Global Administrators can elevate themselves! The Root management group

16. ▪ Policies created on Org Group ▪ RBAC top <

    down ▪ Separate BUs ▪ Subscription / Env ▪ Resource Group / App Recommended Hierarchy Subscription Management Group

17. Azure Policy

18. ▪ Real time Policy enforcement​ and at- scale compliance assessment

    ▪ Policy evaluates all Azure resources & in-guest VM​ ▪ Policy generates compliance events that can be used for alerting​ ▪ Aggregated and raw compliance data are available through API, PowerShell & CLI​ ▪ Can be used to automatically remediate problems in your environment​ Policy key information

19. 1. Append 2. Deny 3. Audit 4. DeployIfNotExists 5. AuditIfNotExists

    Policy Modes and Evaluation Order realtime realtime

20. ▪ On change ▪ ~15 min after resource change ▪

    On periodic cadence ▪ Every 24 hours ▪ On demand ▪ New/ updated assignment ▪ Trigger scan API Compliance evaluation frequency POST https://management.azure.com /subscriptions/subID/resourceGroups/rgName/providers/Microsoft.PolicyInsights/polic yStates/latest/triggerEvaluation?api-version=2018-07-01-preview

21. ▪ Fully customizable – consider cloning built-in policies ▪ Policies

    can be organized in policy sets (initiatives) to overcome object limits per scope ▪ Create objects on a top level management group (naahh.. doesn’t work with ARM Templates? -> use REST API or Terraform) ▪ In existing environment don’t screw all up with “deny” effect – start with “audit” first ☺ Policy Hints

22. Demo: Azure Policy

23. Blueprints

24. Introducing Blueprints • Ensure foundational resources cannot be changed by

    subscription owners • Manage locks through a centralize location • Update locked resource through blueprint definition updates Lock foundational resources • Centralize environment creation through templates • Add resources, policies and role access controls • Track blueprint updates through versioning Streamline environment creation • Empower developers to create fully governed environments through self- service • Create multiple dev-ready environments and subscriptions from a centralize location • Leverage the integration with Azure Policy on the DevOps lifecycle Enable compliant development

25. ▪ Standardized / Governed Subscriptions ▪ Policy Enforcement ▪ Protected

    Core Resources ▪ Networking (central control) Common Blueprint Scenarios

26. Blueprints under the hood ARM Templates Policy Definitions Role-based access

    controls Contoso Blueprint Cloud Engineer Cloud Architect + ISO 27001 …

27. Blueprints CRUD Workflow Create BP Definition Save as Draft Publish

    BP V1.0 Assign BP Edit BP

28. ▪ Prevent deletion / modification of important elements ▪ Deployed

    resources can't be modified or deleted - even by subscription owners ▪ Locking Modes ▪ Don’t lock | Do not delete | Read only ▪ Uses System or User MSI Resource Locking with Blueprints

29. Demo: Blueprints

30. ▪ ARM Template(s) ▪ PowerShell & REST API ▪ CI/CD

    Compatible Blueprints as Code https://github.com/Azure/azure-blueprints

31. Demo: Blueprints as Code

32. ▪ Blueprints = compliance & governance at scale ▪ BPs

    are based on Azure Policy, Management Groups and ARM Templates ▪ BPs to enforce corporate standards across subscriptions ▪ ISO27xxx and more as templates available ▪ Watch upcoming months for new stuff! Summing up

33. ▪ Blueprint docs: http://aka.ms/whatareblueprints ▪ GitHub repo: https://github.com/Azure/azure- blueprints ▪

    Azure Blueprints & Policy to get DevOps right: https://www.youtube.com/watch?v=OiOXlgFNgDo Resources

34. Thanks to our sponsors!

35. Thanks FYA! Michael Rueefli Microsoft MVP [email protected] miru.ch @drmiru