
Bootstrapping cloud environments with Azure Blueprints


David Pazdera

April 06, 2021


Transcript

  1. "Blueprints are designed to deploy and update cloud environments in a repeatable manner using composable artifacts." — Alex Frankel, PM for Azure Blueprints
  2. Blueprints vs. Blueprint
     • Azure Blueprints as a Governance service: https://aka.ms/whatareblueprints
     • Azure Blueprint as a package with reference architecture, code and data: these blueprints include resources such as example code, test data, security and compliance support targeting industry compliance scenarios like HIPAA, PCI-DSS etc. They are packages that include reference architectures, guidance, how-to guides and other documentation, as well as executable code and sample test data.
       https://aka.ms/azureblueprints
       https://github.com/Azure/Health-Data-and-AI-Blueprint
       https://azure.microsoft.com/en-us/blog/customizing-azure-blueprints-to-accelerate-ai-in-healthcare/
  3. What is Azure Blueprints
     • Quick creation of governed subscriptions – allowing Cloud Engineers to construct and govern enterprise cloud environments for multiple application teams
     • Allows cloud engineers to define and orchestrate the automatic roll-out of a cloud environment for multiple app teams in an enterprise
     • Lays down and locks foundational infrastructure that can be shared across subscriptions by multiple applications or dedicated to a specific application, while providing flexibility in resource selection and app design
     • Application teams can operate within a governed subscription in a self-service manner, but must abide by the organizational standards defined in the blueprint
  4. Purpose and key facts
     • Rapidly provision fully governed environments in a repeatable manner
     • Design environments that comply with organizational standards, patterns and requirements and contain the required components; protect those components by applying assignment locks
     • Orchestrate the deployment of multiple resource templates and other artifacts such as Resource Groups, Role assignments and Policy/Initiative assignments
     • Share Blueprints across the organization – define and publish Blueprints at Management Group level
     • Apply/Assign a Blueprint to multiple subscriptions – a blueprint can upgrade several subscriptions at once when they are governed by the same blueprint
     • Update, track and audit assignments; use versioning
     • Blueprint definition = what should be deployed vs. Blueprint assignment = what was deployed
  5. Artifact types
     • Policy Assignments – lets you add an Azure Policy. This can be a built-in or custom policy.
     • Role Assignments – lets you add a user, app, or group and set the role. Only built-in roles are currently supported.
     • Azure Resource Manager templates – lets you add an ARM template. This does not let you import a parameters file; it does let you pre-set the parameters or set them during assignment of the Blueprint.
     • Resource Groups – lets you add a Resource Group to be created as part of this Blueprint.
  6. Lifecycle of a Blueprint
     • Develop a blueprint and artifacts
       o Blueprint definition
       o Draft state
     • Publish a blueprint
       o Published state
       o Read-only
       o Can be assigned
     • Assign a blueprint*
       o Assigned state
       o Assign to a subscription
     • De-assign a blueprint
       o Required before deleting a blueprint (version)
       o Does not delete resources
     • Delete a version or the core blueprint
       o Core BP: deletes all versions
       o Version: deletes only this version
     • Develop a new version of a blueprint
       o Edit existing version
       o Unpublished changes → Draft
     * or update an existing assignment
  7. Prerequisites
     • Management Group structure – Blueprints can only be defined and published at MG level
     • Subscriptions – Blueprints can only be assigned to existing subscriptions
     • Custom policy / initiative definitions
     • (vNext: Custom role definition)
     • User (or SP) with rights to Blueprint lifecycle management
       o Create a blueprint – rights at MG (assigned or inherited)
         ▪ Microsoft.Blueprint/blueprints/write
         ▪ Microsoft.Blueprint/blueprints/artifacts/write
         ▪ Microsoft.Blueprint/blueprints/versions/write
       o Assign a blueprint – rights on a subscription or parent MG
         ▪ Microsoft.Blueprint/blueprintAssignments/write
         ▪ Microsoft.Blueprint/blueprintAssignments/delete
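The two permission sets on the slide are the basis for a least-privilege split between the people who author blueprints (rights at the MG) and the people who assign them (rights on the subscription). The script below is an added example, not code from the deck: it takes a role definition's Actions/NotActions lists, applies the wildcard semantics Azure RBAC uses for action strings, and reports which of the slide's Microsoft.Blueprint/* actions are missing. The two role definitions are constructed for the demonstration, not real built-in roles.

```python
"""Least-privilege check for the Blueprint lifecycle: does a role definition
cover the Microsoft.Blueprint/* actions a principal needs? Added example,
not code from the deck; the role definitions below are constructed."""
from fnmatch import fnmatchcase

# Actions listed on the "Prerequisites" slide.
CREATE_BLUEPRINT_ACTIONS = (
    "Microsoft.Blueprint/blueprints/write",
    "Microsoft.Blueprint/blueprints/artifacts/write",
    "Microsoft.Blueprint/blueprints/versions/write",
)
ASSIGN_BLUEPRINT_ACTIONS = (
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete",
)


def action_matches(pattern, action):
    """Azure RBAC action strings are case-insensitive and allow '*' wildcards
    (e.g. 'Microsoft.Blueprint/blueprints/*'); fnmatchcase's '*' also spans '/'."""
    return fnmatchcase(action.lower(), pattern.lower())


def is_permitted(role, action):
    """Permitted when some Actions entry matches and no NotActions entry does
    (NotActions subtracts from Actions; it is not an explicit deny)."""
    allowed = any(action_matches(p, action) for p in role.get("actions", ()))
    excluded = any(action_matches(p, action) for p in role.get("notActions", ()))
    return allowed and not excluded


def missing_actions(role, required):
    """Return the required actions the role does not grant, in order."""
    return [a for a in required if not is_permitted(role, a)]


def lifecycle_report(role):
    """Summarise what a role can and cannot do across the two lifecycle steps."""
    return {
        "can_create": not missing_actions(role, CREATE_BLUEPRINT_ACTIONS),
        "can_assign": not missing_actions(role, ASSIGN_BLUEPRINT_ACTIONS),
        "missing_for_create": missing_actions(role, CREATE_BLUEPRINT_ACTIONS),
        "missing_for_assign": missing_actions(role, ASSIGN_BLUEPRINT_ACTIONS),
    }


# Constructed role definitions (not real built-in roles).
# A narrowly scoped author role, meant to be granted at the management group.
BLUEPRINT_AUTHOR = {
    "name": "Blueprint Author (constructed)",
    "actions": ["Microsoft.Blueprint/blueprints/*",
                "Microsoft.Resources/subscriptions/resourceGroups/read"],
    "notActions": [],
}
# A broad role with the delete action carved out: it can assign but never de-assign,
# which also blocks deleting the blueprint version later (see the lifecycle slide).
OPERATOR_NO_DEASSIGN = {
    "name": "Operator without de-assign (constructed)",
    "actions": ["*"],
    "notActions": ["Microsoft.Blueprint/blueprintAssignments/delete"],
}

if __name__ == "__main__":
    for role in (BLUEPRINT_AUTHOR, OPERATOR_NO_DEASSIGN):
        print(role["name"], lifecycle_report(role))
```

Run against an exported custom role definition (the `actions`/`notActions` keys mirror the fields of an Azure role definition JSON) to confirm an author cannot assign and an operator cannot author before the role is granted.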
  8. Management Groups
     Build a hierarchy in your cloud environment
     • 10,000 MGs in a single directory.
     • An MG tree supports up to six levels of depth.
     • Each management group and subscription can only support one parent.
     • Each management group can have multiple children.
     • All subscriptions and management groups are contained within a single hierarchy in each directory.
  9. Blueprint definition
     • Basic properties
       o Name – mandatory, cannot be changed, 48 chars max, no spaces or special chars
       o Description
       o Definition location – must be a MG
     • Operations: View | Publish | Edit | Delete
     • Artifacts
       o Display Name
       o Description
       o Type: Policy assignment | Role Assignment | Resource Group | Resource template
       o Details: RG – name and location; Resource template – template + parameters
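For the "Blueprints as Code" route later in the deck, the definition and its artifacts are plain JSON bodies sent to the REST API. The script below is an added example (not the deck's or Microsoft's code) that builds those bodies while enforcing what the "Artifact types" and "Blueprint definition" slides state: the name limit, the management-group location, and the built-in-roles-only rule for role assignment artifacts. The URL and body shapes are written from memory of the Blueprints REST API, the `api-version`, the allowed name character set and the built-in-role heuristic are assumptions, and the sample values are constructed; check the shapes against the REST reference before using them.

```python
"""Build REST request bodies for an Azure Blueprint definition and its artifacts,
enforcing the rules from the "Artifact types" and "Blueprint definition" slides.
Added example, not code from the deck or from Microsoft; URL and body shapes are
written from memory of the Blueprints REST API and the api-version is assumed."""
import re

ARM = "https://management.azure.com"
API_VERSION = "2018-11-01-preview"   # assumed

# Name: mandatory, 48 chars max, no spaces or special characters.
# The allowed set (letters, digits, '-' and '_') is an assumption.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,48}")

# Built-in roles are defined at tenant scope; custom roles carry a subscription
# or management-group prefix. Heuristic used to enforce "only built-in roles".
BUILTIN_ROLE_PREFIX = "/providers/microsoft.authorization/roledefinitions/"


def is_valid_blueprint_name(name):
    return NAME_RE.fullmatch(name) is not None


def management_group_scope(mg):
    """Definition location must be a management group."""
    return f"/providers/Microsoft.Management/managementGroups/{mg}"


def blueprint_definition(name, mg, description, resource_groups, parameters=None):
    """URL and PUT body for the definition. Resource group artifacts are declared
    here as placeholders (key -> name/location) that other artifacts refer to by key."""
    if not is_valid_blueprint_name(name):
        raise ValueError(f"invalid blueprint name {name!r}: 1-48 chars, letters/digits/-/_ only")
    url = (f"{ARM}{management_group_scope(mg)}/providers/Microsoft.Blueprint/"
           f"blueprints/{name}?api-version={API_VERSION}")
    body = {"properties": {
        "description": description,
        "targetScope": "subscription",
        "parameters": parameters or {},
        "resourceGroups": {key: dict(rg) for key, rg in resource_groups.items()},
    }}
    return url, body


def artifact_url(mg, blueprint_name, artifact_name):
    return (f"{ARM}{management_group_scope(mg)}/providers/Microsoft.Blueprint/"
            f"blueprints/{blueprint_name}/artifacts/{artifact_name}?api-version={API_VERSION}")


def is_builtin_role(role_definition_id):
    return role_definition_id.lower().startswith(BUILTIN_ROLE_PREFIX)


def role_assignment_artifact(role_definition_id, principal_ids, resource_group=None):
    """Grant a built-in role to users/apps/groups, optionally scoped to an RG placeholder."""
    if not is_builtin_role(role_definition_id):
        raise ValueError("role assignment artifacts support built-in roles only")
    props = {"roleDefinitionId": role_definition_id, "principalIds": list(principal_ids)}
    if resource_group:
        props["resourceGroup"] = resource_group
    return {"kind": "roleAssignment", "properties": props}


def policy_assignment_artifact(policy_definition_id, parameters=None, resource_group=None):
    """Built-in or custom policy/initiative; parameter values may come from blueprint parameters."""
    props = {"policyDefinitionId": policy_definition_id, "parameters": parameters or {}}
    if resource_group:
        props["resourceGroup"] = resource_group
    return {"kind": "policyAssignment", "properties": props}


def template_artifact(template, parameters, resource_group):
    """ARM template artifact. There is no parameters file: values are pre-set here or
    wired to blueprint parameters with "[parameters('name')]" expressions."""
    return {"kind": "template", "properties": {
        "template": template, "parameters": parameters, "resourceGroup": resource_group}}


if __name__ == "__main__":
    # Constructed sample: one RG placeholder and one built-in role assignment.
    placeholder_guid = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real role id
    url, body = blueprint_definition(
        "corp-baseline", "mg-platform", "Corporate baseline",
        {"rgNetwork": {"name": "rg-network", "location": "westeurope"}},
        parameters={"ownerObjectId": {"type": "string"}})
    print(url, body, sep="\n")
    print(role_assignment_artifact(
        f"/providers/Microsoft.Authorization/roleDefinitions/{placeholder_guid}",
        ["[parameters('ownerObjectId')]"], resource_group="rgNetwork"))
```

Each artifact body is PUT to its own `artifact_url` after the definition exists; keeping the builders pure (no HTTP inside) makes them easy to drop into a pipeline step that diffs the generated JSON against what is checked into source control.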
  10. Blueprint publishing
     • Specify version (mandatory)
     • Specify change notes (optional)
     • A single blueprint can have multiple Published versions, each of which can be assigned to subscriptions
  11. Blueprint assignment
     • Specification
       o Assignment scope: subscription (child of the MG where the Blueprint is defined)
       o Assignment name
       o Location
       o Blueprint definition version
       o Blueprint parameters or artifact parameters – a Blueprint can pass parameters to a policy/initiative or resource template. It can also have its own parameters
       o Lock assignment (aka Blueprint lock): None or All Resources
     • Resources created by artifacts in a blueprint assignment have three states: Not Locked, Read Only, or Cannot Edit / Delete.
     • Non-resource-group artifacts have the Read Only state
     • Resource groups have the Cannot Edit / Delete state. The resource group object is read only, but it's possible to make changes to non-locked resources within the resource group.
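Two rules on the "Management Groups" and "Blueprint assignment" slides are easy to get wrong in automation: the target must be a subscription somewhere below the MG where the blueprint is defined, and the lock mode determines a different end state for resource groups than for everything else. The script below is an added example, not code from the deck or from Microsoft: it models the single-parent MG tree with its depth limit, checks assignment scope against it, builds the assignment request, and looks up the resulting lock state per artifact kind. The hierarchy is constructed; the assignment body shape, `api-version`, the lock-mode wire strings and the assumption that the root does not count toward the six levels should be verified against the REST reference.

```python
"""MG hierarchy model, assignment-scope check and lock-state lookup, following the
"Management Groups" and "Blueprint assignment" slides. Added example, not the deck's
or Microsoft's code; hierarchy constructed, wire values and api-version assumed."""

ROOT = "root"             # constructed id for the tenant root management group
MAX_MG_DEPTH = 6          # up to six levels of depth below the root (root not counted: assumed)
LOCK_MODES = {"None", "AllResources"}   # the two options on the slide; wire values assumed
ARM = "https://management.azure.com"
API_VERSION = "2018-11-01-preview"      # assumed


class Hierarchy:
    """One tree per directory: every MG or subscription has exactly one parent."""

    def __init__(self):
        self.parent = {}
        self.kind = {ROOT: "managementGroup"}

    def add(self, node, parent, kind="managementGroup"):
        if node in self.parent or node == ROOT:
            raise ValueError(f"{node!r} already has a parent; only one parent is allowed")
        if self.kind.get(parent) != "managementGroup":
            raise ValueError(f"parent {parent!r} is not a known management group")
        self.parent[node] = parent
        self.kind[node] = kind
        if kind == "managementGroup" and self.depth(node) > MAX_MG_DEPTH:
            del self.parent[node], self.kind[node]
            raise ValueError(f"{node!r} would exceed {MAX_MG_DEPTH} levels of depth")
        return self

    def depth(self, node):
        """Number of edges from the node up to the root."""
        edges = 0
        while node != ROOT:
            node = self.parent[node]
            edges += 1
        return edges

    def ancestors(self, node):
        """Parent chain from the node's direct parent up to and including the root."""
        chain = []
        while node != ROOT:
            node = self.parent[node]
            chain.append(node)
        return chain

    def can_assign(self, definition_mg, target):
        """A blueprint published at an MG may be assigned to an existing subscription
        anywhere below that MG (directly, or through child MGs by inheritance)."""
        return self.kind.get(target) == "subscription" and definition_mg in self.ancestors(target)


def resource_lock_state(lock_mode, artifact_kind):
    """State of a resource deployed by an artifact under the assignment's lock mode.
    With 'All Resources', resource groups become Cannot Edit / Delete (the RG object is
    read only, non-locked resources inside it can still change); every other artifact
    becomes Read Only. With 'None' nothing is locked."""
    if lock_mode not in LOCK_MODES:
        raise ValueError(f"unknown lock mode {lock_mode!r}")
    if lock_mode == "None":
        return "Not Locked"
    return "Cannot Edit / Delete" if artifact_kind == "resourceGroup" else "Read Only"


def assignment_request(h, definition_mg, blueprint_name, version, subscription,
                       location, lock_mode, parameters=None, resource_groups=None):
    """URL and PUT body for assigning a published version to a subscription."""
    if not h.can_assign(definition_mg, subscription):
        raise ValueError(f"{subscription!r} is not a subscription under {definition_mg!r}")
    resource_lock_state(lock_mode, "resourceGroup")   # validates the lock mode
    blueprint_id = (f"/providers/Microsoft.Management/managementGroups/{definition_mg}"
                    f"/providers/Microsoft.Blueprint/blueprints/{blueprint_name}/versions/{version}")
    url = (f"{ARM}/subscriptions/{subscription}/providers/Microsoft.Blueprint/"
           f"blueprintAssignments/assign-{blueprint_name}?api-version={API_VERSION}")
    body = {
        "identity": {"type": "SystemAssigned"},   # managed identity that deploys the artifacts
        "location": location,
        "properties": {"blueprintId": blueprint_id, "locks": {"mode": lock_mode},
                       "parameters": parameters or {}, "resourceGroups": resource_groups or {}},
    }
    return url, body


def build_sample_hierarchy():
    # Constructed tree: root -> mg-platform -> mg-landing -> sub-app1; root -> sub-sandbox
    return (Hierarchy()
            .add("mg-platform", ROOT)
            .add("mg-landing", "mg-platform")
            .add("sub-app1", "mg-landing", kind="subscription")
            .add("sub-sandbox", ROOT, kind="subscription"))


if __name__ == "__main__":
    h = build_sample_hierarchy()
    print(h.can_assign("mg-platform", "sub-app1"), h.can_assign("mg-platform", "sub-sandbox"))
    print(assignment_request(h, "mg-platform", "corp-baseline", "v1", "sub-app1",
                             "westeurope", "AllResources")[1])
```

The scope check fails closed: a subscription parked directly under the root (the constructed `sub-sandbox`) is rejected for a blueprint defined at `mg-platform`, which is the same error the service would return, caught before any request is sent.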
  12. Resources – PowerShell (community)
     • Manage-AzureRMBlueprint (Import | Export | Report mode): https://www.powershellgallery.com/packages/Manage-AzureRMBlueprint/2.0
     • AxAzureBlueprint (Connect-AzureBlueprint | Get-AzureBlueprint | Get-AzureBlueprintArtifact | Import-AzureBlueprintArtifact | Remove-AzureBlueprint | Set-AzureBlueprint): https://www.powershellgallery.com/packages/AxAzureBlueprint/1.0.0, https://github.com/Agazoth/AzureBlueprint
     • Export and import Azure Blueprint definitions (Jonas Feller): https://www.jfe.cloud/export-import-azure-blueprints/
  13. Blueprints as Code
     • Benefits
       o Sharing blueprints
       o Keeping blueprints in source control
       o Putting blueprints in a CI/CD or release pipeline
     • Guide (Alex Frankel): https://github.com/ajf214/personal-arm-templates/blob/master/Boilerplate/managing-blueprints-as-code.md
     • Blueprints REST API reference: https://docs.microsoft.com/en-us/rest/api/blueprints/blueprints/createorupdate#blueprint
  14. How to get involved
     • Feedback and questions in Azure Docs: https://docs.microsoft.com/en-us/azure/governance/blueprints/
     • Feature requests in UserVoice: https://feedback.azure.com/forums/915958-azure-governance
     • Azure Advisors (Governance Advisors) in Yammer: https://www.yammer.com/azureadvisors/#/threads/inGroup?type=in_group&feedId=14984785
  15. Resources
     • Microsoft Docs: https://aka.ms/whatareblueprints
     • Ignite session recordings
       o BRK3062 – Architecting Security and Governance Across your Azure Subscriptions
       o BRK3085 – Deep dive into Implementing governance at scale through Azure Policy
     • Alex Frankel’s GitHub repo: https://github.com/ajf214/personal-arm-templates
  16. Resources
     • Architect your Cloud with Azure Blueprints whitepaper: https://gallery.technet.microsoft.com/Architect-your-Cloud-with-9ea95039
     • Azure Blueprints GitHub repo (currently empty): https://github.com/Azure/azure-blueprints
     • Azure Blueprint – The easy way: https://agazoth.github.io/blogpost/2018/11/11/Azure-Blueprint.html
     • YouTube video: https://youtu.be/grt6uB9XxvU?t=1543