Upgrade to Pro — share decks privately, control downloads, hide ads and more …

GABC2019: Azure Blueprints - The next level in Cloud Governance by Michael Rueefli

GABC2019: Azure Blueprints - The next level in Cloud Governance by Michael Rueefli

Learn how to leverage Azure Blueprints to:
-Streamline your Cloud Deployments
-Ensure compliance and governance
-Lock down foundational resources

Azure Zurich User Group

April 27, 2019

More Decks by Azure Zurich User Group

Other Decks in Programming


  1. About Me • Partner @ make it noble • Microsoft

    MVP • Cloud Solutions Architect • Public Speaker • Cloud Enthusiast • Automation geek • Skydiver & Skier • Contact Info • twitter: @drmiru • blog: www.miru.ch • email: [email protected] About me
  2. ▪ Governance – what & why ▪ Azure Blueprints Essentials

    ▪ Management Groups ▪ Policy ▪ ARM Templates ▪ Azure Blueprints Intro ▪ Blueprints as Code Agenda
  3. Audience Check my manager has no clue, but I’m gonna

    fix this All takes way too long and costs a fortune Head of something Natural born IT work horse
  4. Cloud governance is a set of rules you create, monitor,

    and amend as necessary in order to control costs, improve efficiency, and eliminate security risks Governance | what?
  5. Governance | why? User request Managed approval IT Review IT

    Approval IT Provisioning Access User request Validation against Policies and Budget Access User request Access Traditional Agile Agile with Governance Agility Control IT Provisioning
  6. ▪ Block Dev/Ops from directly accessing the cloud (portal/API/cli) to

    attain control Traditional Approach Developers Operations Cloud Custodian / Engineers responsible for Cloud environment © Microsoft Corporation Azure
  7. Cloud Custodian Team ▪ Cloud-native governance -> removing barriers to

    compliance and enabling velocity Cloud Speed and Control Developers Operations Management Groups Templates RBAC Blueprints Policies Policy © Microsoft Corporation Azure
  8. Governance for the Azure cloud Management Group Define organizational hierarchy

    Hierarchy Policy Real-time enforcement, compliance assessment and remediation Control Cost Management Monitor cloud spend and optimize resources Consumption NEW NEW Blueprints Deploy and update cloud environments in a repeatable manner using composable artifacts Environment NEW Resource Graph Query, explore & analyze cloud resources at scale Visibility
  9. Azure Governance Architecture © Microsoft Corporation Resource Provider Network Virtual

    Machine Storage Azure Portal CLI 3rd party CRUD Azure Resource Manager (ARM) Policy Engine Azure Resource Graph Query Role-based Access Policy Definitions ARM Templates Subscriptions Azure Blueprints Providing control over the cloud environment, without sacrificing developer agility
  10. Azure Blueprints Essentials Mgmt Groups ▪RBAC ▪Policy Definitions ▪Policy Assignments

    Policy ▪Control ▪Audit ▪Compliance ARM Templates ▪Code based deployment of artifacts ▪Declarative ▪JSON
  11. ▪ Hierarchy resources that exist above the subscription level within

    Azure ▪ Independent from customer EA Hierarchy ▪ Can be created, moved, updated, and deleted by admins to build a hierarchy for their needs ▪ A management group tree can support up to six levels of depth ▪ Each management group and subscription can only support one parent ▪ All subscriptions and management groups are within a single hierarchy in each directory (Azure AD Tenant) Azure Management Group Facts
  12. ▪ The name is always "Tenant root group“, the ID

    will be the Azure Active Directory ID ▪ can't be moved or deleted, unlike other management groups ▪ New subscriptions are automatically defaulted to the root management group when created ▪ No one is given default access to the root management group. ▪ Azure AD Global Administrators can elevate themselves! The Root management group
  13. ▪ Policies created on Org Group ▪ RBAC top <

    down ▪ Separate BUs ▪ Subscription / Env ▪ Resource Group / App Recommended Hierarchy Subscription Management Group
  14. ▪ Real time Policy enforcement​ and at- scale compliance assessment

    ▪ Policy evaluates all Azure resources & in-guest VM​ ▪ Policy generates compliance events that can be used for alerting​ ▪ Aggregated and raw compliance data are available through API, PowerShell & CLI​ ▪ Can be used to automatically remediate problems in your environment​ Policy key information
  15. 1. Append 2. Deny 3. Audit 4. DeployIfNotExists 5. AuditIfNotExists

    Policy Modes and Evaluation Order realtime realtime
  16. ▪ On change ▪ ~15 min after resource change ▪

    On periodic cadence ▪ Every 24 hours ▪ On demand ▪ New/ updated assignment ▪ Trigger scan API Compliance evaluation frequency POST https://management.azure.com /subscriptions/subID/resourceGroups/rgName/providers/Microsoft.PolicyInsights/polic yStates/latest/triggerEvaluation?api-version=2018-07-01-preview
  17. ▪ Fully customizable – consider cloning built-in policies ▪ Policies

    can be organized in policy sets (initiatives) to overcome object limits per scope ▪ Create objects on a top level management group (naahh.. doesn’t work with ARM Templates? -> use REST API or Terraform) ▪ In existing environment don’t screw all up with “deny” effect – start with “audit” first ☺ Policy Hints
  18. Introducing Blueprints • Ensure foundational resources cannot be changed by

    subscription owners • Manage locks through a centralize location • Update locked resource through blueprint definition updates Lock foundational resources • Centralize environment creation through templates • Add resources, policies and role access controls • Track blueprint updates through versioning Streamline environment creation • Empower developers to create fully governed environments through self- service • Create multiple dev-ready environments and subscriptions from a centralize location • Leverage the integration with Azure Policy on the DevOps lifecycle Enable compliant development
  19. ▪ Standardized / Governed Subscriptions ▪ Policy Enforcement ▪ Protected

    Core Resources ▪ Networking (central control) Common Blueprint Scenarios
  20. Blueprints under the hood ARM Templates Policy Definitions Role-based access

    controls Contoso Blueprint Cloud Engineer Cloud Architect + ISO 27001 …
  21. ▪ Prevent deletion / modification of important elements ▪ Deployed

    resources can't be modified or deleted - even by subscription owners ▪ Locking Modes ▪ Don’t lock | Do not delete | Read only ▪ Uses System or User MSI Resource Locking with Blueprints
  22. ▪ ARM Template(s) ▪ PowerShell & REST API ▪ CI/CD

    Compatible Blueprints as Code https://github.com/Azure/azure-blueprints
  23. ▪ Blueprints = compliance & governance at scale ▪ BPs

    are based on Azure Policy, Management Groups and ARM Templates ▪ BPs to enforce corporate standards across subscriptions ▪ ISO27xxx and more as templates available ▪ Watch upcoming months for new stuff! Summing up
  24. ▪ Blueprint docs: http://aka.ms/whatareblueprints ▪ GitHub repo: https://github.com/Azure/azure- blueprints ▪

    Azure Blueprints & Policy to get DevOps right: https://www.youtube.com/watch?v=OiOXlgFNgDo Resources