Slide 1

Slide 1 text

The steps to Effective Azure Governance

Slide 2

Slide 2 text

About me
Sjoukje Zaal
Managing Consultant / Azure MVP
@SjoukjeZaal
https://www.sjoukjezaal.com

Slide 3

Slide 3 text

© 2019 Sjoukje Zaal
Agenda
• Step 01: Azure Governance
• Step 02: Management Groups Demo
• Step 03: Resource Graph Demo
• Step 04: Policy demo
• Step 05: Blueprints Demo

Slide 4

Slide 4 text

Governance in Azure is one aspect of Azure Management.

Slide 5

Slide 5 text

Azure Governance
A collection of concepts and services
• Step 01: Management Groups
• Step 02: Policy
• Step 03: Blueprints
• Step 04: Resource Graph

Slide 6

Slide 6 text

Management Groups capabilities
• Organizes subscriptions into containers
• Unified policy and access management
• Apply governance conditions
• Automatically inherit the conditions

Slide 7

Slide 7 text

Management Groups
Azure management groups provide a level of scope above subscriptions.

Slide 8

Slide 8 text

Demo: Management Groups

Slide 9

Slide 9 text

Demo summary (Steps 1-3)
• Looked at the available Management Groups
• Added a subscription to the group
• Added the Marketing Management Group

Slide 10

Slide 10 text

Resource Graph (Preview)
Provides resource exploration with the ability to query at scale across a given set of subscriptions
• Queries with complex filtering, grouping, and sorting
• Explore resources based on governance requirements
• Assess the impact of applying policies
• Detail changes made to resource properties

Slide 11

Slide 11 text

Resource Graph
Working
• Regular full scan
• Updates database when resource is updated
• Throttling
Supports
• PowerShell, CLI and Azure SDK for .NET
• Kusto query language

Slide 12

Slide 12 text

Demo: Resource Graph

Slide 13

Slide 13 text

Demo summary (Steps 1-3)
• Installed the Az.ResourceGraph module
• Executed various queries on the subscriptions
• Set the Resource Graph to query all subscriptions

Slide 14

Slide 14 text

Azure Policy
Azure policy Service
• Create, assign, and manage policies
• Azure portal, PowerShell, CLI and ARM templates
• Built-in & custom policies
Stay Compliant by
• Enforcing rules and effects
• Evaluating your resources
Assigned to
• Management Groups
• Subscriptions
• Resource Groups

Slide 15

Slide 15 text

Policy Effects
Each policy definition in Azure Policy has a single effect. That effect determines what happens when the policy rule is evaluated to match.
• Append: Adds the defined set of fields to the request
• Audit: Generates a warning event in activity log but doesn’t fail the request
• Deny: Generates an event in the activity log and fails the request
• Disabled: Doesn’t evaluate resources for compliance to the policy rule
• DeployIfNotExists: Deploys a resource if it doesn’t already exist
• AuditIfNotExists: Enables auditing if a resource doesn’t exist

Slide 16

Slide 16 text

Policy artifacts
Policy
• Definition
• Assignment
• Parameters
Initiative
• Definition
• Assignment
• Parameters

Slide 17

Slide 17 text

Azure Policy flow
• Create definition
• Assign definition
• Evaluation
• Compliant / non-compliant
• User check
• Create remediation task

Slide 18

Slide 18 text

Policy best practices
• Start with an audit effect instead of a deny effect
• Consider organizational hierarchies
• Create and assign initiative definitions
• Validating individual policies? Don't include them in an initiative
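
The effects and the audit-first practice from the policy slides, as an added example that is not part of the original deck: a custom policy definition whose effect is a parameter defaulting to Audit, so it can be assigned in audit mode first and switched to Deny once the compliance results are understood. The display name, parameter names, location values and the location rule itself are assumptions chosen for illustration.

```json
{
  "properties": {
    "displayName": "Example: allowed locations (audit first)",
    "description": "Illustrative definition, not from the original deck. Assign with effect=Audit, review compliance, then reassign with effect=Deny.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit logs a warning event; Deny fails the request; Disabled skips evaluation."
        },
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Audit"
      },
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations (sample values)",
          "strongType": "location"
        },
        "defaultValue": ["westeurope", "northeurope"]
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "location",
          "in": "[parameters('allowedLocations')]"
        }
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Because the effect is supplied per assignment, moving from Audit to Deny is a parameter change on the assignment rather than a new definition.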

Slide 19

Slide 19 text

Demo: Assign Policies

Slide 20

Slide 20 text


Slide 21

Slide 21 text

Demo summary (Steps 1-5)
• Assigned a built-in policy
• Created a VM
• Assigned the custom policy
• Created a custom policy
• Performed Remediation

Slide 22

Slide 22 text

Azure Blueprints (preview)
Deploy and update cloud environments in a repeatable manner using composable artifacts
• Backed by Azure Cosmos DB
• Relationship definition / assignment
• Offers versioning
• Exists natively in Azure

Slide 23

Slide 23 text

Blueprint artifacts
• Resource Groups
• Policy definitions
• ARM templates
• RBAC assignments

Slide 24

Slide 24 text

Blueprint permissions
01 Create
• Microsoft.Blueprint/blueprints/write
• Microsoft.Blueprint/blueprints/artifacts/write
• Microsoft.Blueprint/blueprints/versions/write
02 Publish
• Microsoft.Blueprint/blueprints/delete
• Microsoft.Blueprint/blueprints/artifacts/delete
• Microsoft.Blueprint/blueprints/versions/delete
03 (Un)assign
• Microsoft.Blueprint/blueprintAssignments/write
• Microsoft.Blueprint/blueprintAssignments/delete
The blueprint definition permissions must be granted or inherited on the management group or subscription scope where it is saved.

Slide 25

Slide 25 text

Create Blueprints using PowerShell, ARM & API
• Install AZ.Blueprint Module
• Blueprint parameters
• Import / export Blueprints
• CI/CD pipelines

Slide 26

Slide 26 text

Demo: Assign Blueprints

Slide 27

Slide 27 text


Slide 28

Slide 28 text

Demo summary (Steps 1-5)
• Set the required permissions
• Imported the Blueprint using PowerShell
• Created a Network Blueprint using ARM templates
• Assigned the VNet Blueprint
• Created VNet Blueprint in the portal

Slide 29

Slide 29 text

Useful links
Management Groups
• Azure policy samples: https://bit.ly/2ZpnSVj
Blueprints
• Azure Blueprints samples (including CI/CD pipelines): https://bit.ly/2MLQNwc
Resource Graph
• Starter Resource Graph queries: https://bit.ly/30Q8Owy
• Advanced Resource Graph queries: https://bit.ly/30Ogf7D

Slide 30

Slide 30 text

Wrap up
• Validating individual policies? Don't include them in an initiative
• Blueprints in PowerShell can only be added to the subscription level
• Consider organizational hierarchies
• Can’t use ARM templates to create Management Groups

Slide 31

Slide 31 text

Are there any questions?