


Many companies fail to understand and implement Azure governance. This can lead to unwanted outcomes such as accidentally deleting resources in your Azure environment, non-compliance with external regulations, deploying costly resources, or deploying resources in the wrong Azure regions. The solution is Azure governance: the ongoing process of managing, monitoring and auditing the use of Azure resources to meet the goals and requirements of your organization.

In this session we are going to look at Azure Blueprints, Azure Policy, Management Groups and the Resource Graph to effectively manage your Azure environment.

Sjoukje Zaal

October 16, 2019



  1. © 2019 Sjoukje Zaal. Agenda
    • Step 01: Azure Governance
    • Step 02: Management Groups (demo)
    • Step 03: Resource Graph (demo)
    • Step 04: Azure Policy (demo)
    • Step 05: Azure Blueprints (demo)
  2. Azure Governance: a collection of concepts and services
    • Management Groups
    • Azure Policy
    • Azure Blueprints
    • Resource Graph
  3. Management Groups capabilities
    • Organize subscriptions into containers
    • Apply governance conditions at the group
    • Subscriptions in the group automatically inherit the conditions
    • Unified policy and access management
  4. Demo summary (Management Groups)
    • Step 1: Looked at the available Management Groups
    • Step 2: Added the Marketing Management Group
    • Step 3: Added a subscription to the group
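The three demo steps above in Az.Resources, as an added example that is not part of the deck. It creates the Marketing group under the tenant root group, moves a subscription into it and then lists the policy assignments that apply to that subscription, which is where inherited conditions become visible. The subscription id and the group name are placeholders; the cmdlets and parameters are the documented ones (`-GroupName` was later renamed `-GroupId` in Az.Resources, with the old name kept as an alias).

```powershell
# Added example, not code from the deck: the Management Groups demo (look, create, add a
# subscription) with Az.Resources, plus a check that conditions assigned at the group reach
# the subscription. Assumptions: Az.Accounts/Az.Resources are installed, Connect-AzAccount
# has run, and the subscription id and group name below are placeholders.
Import-Module Az.Accounts, Az.Resources

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$groupName      = 'marketing'                              # group id; the display name can differ

# Step 1: the management groups the caller can see
Get-AzManagementGroup | Select-Object Name, DisplayName, Id

# Step 2: create the Marketing group directly under the tenant root group.
# The root group's name is the tenant id, so it can be looked up from the current context.
$tenantRoot = Get-AzManagementGroup -GroupName (Get-AzContext).Tenant.Id
$marketing  = New-AzManagementGroup -GroupName $groupName -DisplayName 'Marketing' -ParentId $tenantRoot.Id

# Step 3: move the subscription into the group. A subscription has exactly one parent group,
# so this also removes it from wherever it sat before (by default the tenant root group).
New-AzManagementGroupSubscription -GroupName $groupName -SubscriptionId $subscriptionId

# Verify the hierarchy: -Expand lists direct children, -Recurse walks the whole subtree
$tree = Get-AzManagementGroup -GroupName $groupName -Expand -Recurse
$tree.Children | Select-Object Type, Name, DisplayName

# Inheritance check: assignments listed for the subscription scope include those made at
# ancestor management groups, so anything assigned to 'marketing' shows up here. The id in
# the output contains the scope the assignment was actually made at.
Get-AzPolicyAssignment -Scope "/subscriptions/$subscriptionId" | Format-List Name, *Id
```

Run it once per group; `New-AzManagementGroup` fails if the group id already exists, and moving a subscription requires write access on both the old and the new parent group.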
  5. Resource Graph (Preview)
    • Provides resource exploration with the ability to query at scale across a given set of subscriptions
    • Queries with complex filtering, grouping and sorting
    • Explore resources based on governance requirements
    • Assess the impact of applying policies
    • Detail changes made to resource properties
  6. Resource Graph: how it works and what it supports
    Working:
    • Regular full scan of all resources
    • The database is updated when a resource is updated
    • Throttling applies to query requests
    Supports:
    • PowerShell, CLI and the Azure SDK for .NET
    • Kusto query language
  7. Demo summary (Resource Graph)
    • Step 1: Installed the Az.ResourceGraph module
    • Step 2: Set the Resource Graph to query all subscriptions
    • Step 3: Executed various queries on the subscriptions
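The Resource Graph demo steps as an added example, not code from the deck: install the module, point it at every subscription the caller can see, and run three Kusto queries that map to the slide's use cases (inventory, impact assessment of an "allowed locations" policy before it is assigned, and a mandatory-tag check). `Search-AllPages` is my own helper around `Search-AzGraph` that pages with `-First`/`-Skip` and pauses between calls so a large tenant does not run into the throttling the deck mentions. The region list and the `costcenter` tag name are placeholders for your own standards.

```powershell
# Added example, not code from the deck: Resource Graph queries from PowerShell with
# Az.ResourceGraph, run against every subscription the caller can see and paged so that large
# tenants stay under the request quota (throttling). Assumptions: Connect-AzAccount has run;
# the region list and the 'costcenter' tag are placeholders; Search-AllPages is my own helper.
Install-Module Az.ResourceGraph -Scope CurrentUser -Force
Import-Module Az.ResourceGraph

# Demo step 2: query all subscriptions, not just the one in the current context
$subscriptions = Get-AzSubscription | Select-Object -ExpandProperty Id

function Search-AllPages {
    # A single Search-AzGraph call returns at most 1000 rows; walk the full result set with
    # -First/-Skip and pause briefly between calls so a big tenant does not trip throttling.
    param([string]$Query, [string[]]$Subscription, [int]$PageSize = 1000)
    $results = @()
    $skip = 0
    do {
        $page = @(Search-AzGraph -Query $Query -Subscription $Subscription -First $PageSize -Skip $skip)
        $results += $page
        $skip += $PageSize
        Start-Sleep -Milliseconds 250
    } while ($page.Count -eq $PageSize)
    return $results
}

# 1. Inventory: resource counts per type, largest first
$inventory = Search-AllPages -Subscription $subscriptions -Query @'
Resources
| summarize count() by type
| order by count_ desc
'@
$inventory | Format-Table type, count_

# 2. Impact assessment before assigning an 'allowed locations' deny policy: which existing
#    resources are already outside the allowed regions? 'global' resources (DNS zones,
#    Traffic Manager, ...) are excluded because a region policy should not flag them.
$allowed     = @('westeurope', 'northeurope', 'global')
$allowedList = ($allowed | ForEach-Object { "'$_'" }) -join ', '
$outOfRegion = Search-AllPages -Subscription $subscriptions -Query @"
Resources
| where location !in~ ($allowedList)
| project name, type, location, resourceGroup, subscriptionId
| order by subscriptionId asc, resourceGroup asc
"@

# 3. Governance requirement: a mandatory tag. Tag keys are case-sensitive in the query,
#    so use the exact key your tagging standard defines.
$untagged = Search-AllPages -Subscription $subscriptions -Query @'
Resources
| where isempty(tostring(tags['costcenter']))
| project name, type, resourceGroup, subscriptionId
'@

"{0} resources outside the allowed regions, {1} without a 'costcenter' tag" -f $outOfRegion.Count, $untagged.Count
$outOfRegion | Format-Table name, type, location, resourceGroup
```

The second query is the cheap way to do the "assess the impact of applying policies" item on slide 5: run it before assigning the deny policy and you know exactly which existing resources will show up as non-compliant, instead of discovering that after the fact.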
  8. Azure Policy
    • A service to create, assign and manage policies
    • Managed through the Azure portal, PowerShell, CLI and ARM templates
    • Built-in and custom policies
    • Stay compliant by enforcing rules and effects and by evaluating your resources
    • Assigned to Management Groups, Subscriptions or Resource Groups
  9. Policy effects. Each policy definition in Azure Policy has a single effect. That effect determines what happens when the policy rule is evaluated to match.
    • Append: adds the defined set of fields to the request
    • Audit: generates a warning event in the activity log but doesn't fail the request
    • Deny: generates an event in the activity log and fails the request
    • Disabled: doesn't evaluate resources for compliance to the policy rule
    • DeployIfNotExists: deploys a related resource if it doesn't already exist
    • AuditIfNotExists: audits the resource if a related resource doesn't exist
  10. Azure Policy flow: Create definition → Assign definition → Evaluation → Compliant / non-compliant → User check → Create remediation task
  11. Policy best practices
    • Start with an audit effect instead of a deny effect
    • Consider organizational hierarchies
    • Create and assign initiative definitions
    • Validating individual policies? Don't include them in an initiative
  12. Demo summary (Azure Policy)
    • Step 1: Assigned a built-in policy
    • Step 2: Created a VM
    • Step 3: Created a custom policy
    • Step 4: Assigned the custom policy
    • Step 5: Performed remediation
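The policy flow of slide 10, the effects of slide 9 and the "audit before deny" advice of slide 11 in one added example, not code from the deck. The custom definition is my own "allowed locations" rule with its effect exposed as a parameter, so one assignment can start as Audit, be checked through the compliance data, and then be switched to Deny without a second definition. The management group name, the definition name and the parameter names are placeholders; the cmdlets come from Az.Resources and Az.PolicyInsights.

```powershell
# Added example, not code from the deck: the Azure Policy flow in Az.Resources and
# Az.PolicyInsights. A custom 'allowed locations' definition carries its effect as a
# parameter, so the same assignment can start as Audit and be switched to Deny once the
# compliance results are understood. Assumptions: Connect-AzAccount has run, the management
# group 'marketing' exists, and the definition, assignment and parameter names are my own.
Import-Module Az.Resources, Az.PolicyInsights

$managementGroup = 'marketing'                                               # placeholder
$scope           = "/providers/Microsoft.Management/managementGroups/$managementGroup"
$allowed         = @('westeurope', 'northeurope')

# Policy rule: match any resource whose location is outside the allowed list. Resources with
# location 'global' (DNS zones, Traffic Manager, ...) are excluded, otherwise Deny blocks them.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('allowedLocations')]" },
      { "field": "location", "notEquals": "global" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Parameters: the effect is restricted to the three values that make sense for this rule
$parameters = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": { "displayName": "Allowed locations", "strongType": "location" }
  },
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny", "Disabled" ],
    "defaultValue": "Audit",
    "metadata": { "displayName": "Effect" }
  }
}
'@

# Create definition: saved at the management group so every subscription below can use it
$definition = New-AzPolicyDefinition -Name 'allowed-locations-custom' `
    -DisplayName 'Allowed locations (custom, parameterised effect)' `
    -Policy $rule -Parameter $parameters -Mode All -ManagementGroupName $managementGroup

# Assign definition with Audit first: nothing is blocked, non-compliant resources are logged
$assignment = New-AzPolicyAssignment -Name 'allowed-locations' -Scope $scope `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ allowedLocations = $allowed; effect = 'Audit' }

# Evaluation normally runs on a schedule; force a scan of the subscription in the current
# context so the compliance data below is fresh (the cmdlet waits for the scan to finish)
Start-AzPolicyComplianceScan

# Compliant / non-compliant: list what the Audit assignment flagged
Get-AzPolicyState -ManagementGroupName $managementGroup `
    -Filter "PolicyAssignmentName eq '$($assignment.Name)' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ResourceLocation, Timestamp

# User check done: flip the same assignment to Deny. New out-of-region deployments now fail;
# resources that already exist stay non-compliant but are not touched.
Set-AzPolicyAssignment -Name 'allowed-locations' -Scope $scope `
    -PolicyParameterObject @{ allowedLocations = $allowed; effect = 'Deny' }

# Remediation tasks exist only for deployIfNotExists (and modify) effects; an Audit or Deny
# assignment has nothing to remediate. Point this at such an assignment's resource id.
$dineAssignmentId = $null   # placeholder, e.g. a 'deploy diagnostic settings' assignment
if ($dineAssignmentId) {
    Start-AzPolicyRemediation -Name 'remediate-dine' -ManagementGroupName $managementGroup `
        -PolicyAssignmentId $dineAssignmentId
}
```

Keeping the effect as a parameter is also what makes the "don't put policies you are still validating into an initiative" advice workable: a definition can sit in Audit on its own assignment until its results are trusted and only then be added to an initiative with Deny.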
  13. Azure Blueprints (preview): deploy and update cloud environments in a repeatable manner using composable artifacts
    • Exists natively in Azure
    • Offers versioning
    • Keeps the relationship between definition and assignment
    • Backed by Azure Cosmos DB
  14. Blueprint permissions
    01 Create and edit:
    • Microsoft.Blueprint/blueprints/write
    • Microsoft.Blueprint/blueprints/artifacts/write
    02 Publish and delete:
    • Microsoft.Blueprint/blueprints/versions/write (publishing creates a version)
    • Microsoft.Blueprint/blueprints/delete
    • Microsoft.Blueprint/blueprints/artifacts/delete
    • Microsoft.Blueprint/blueprints/versions/delete
    03 (Un)assign:
    • Microsoft.Blueprint/blueprintAssignments/write
    • Microsoft.Blueprint/blueprintAssignments/delete
    The blueprint definition permissions must be granted or inherited on the management group or subscription scope where the definition is saved.
  15. Create Blueprints using PowerShell, ARM & API
    • Install the Az.Blueprint module
    • Blueprint parameters
    • Import / export Blueprints
    • CI/CD pipelines
  16. Demo summary (Azure Blueprints)
    • Step 1: Set the required permissions
    • Step 2: Created a VNet Blueprint in the portal
    • Step 3: Assigned the VNet Blueprint
    • Step 4: Created a Network Blueprint using ARM templates
    • Step 5: Imported the Blueprint using PowerShell
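The permissions of slide 14 and the PowerShell path of slides 15 and 16 in one added example, not code from the deck. The first half turns the listed `Microsoft.Blueprint` actions into a custom RBAC role so that blueprint authors get exactly those rights and nothing else (the two `read` actions are added by me so that `Get-AzBlueprint` works). The second half imports a blueprint folder with Az.Blueprint, publishes a version and assigns it with a resource lock. The subscription id, folder path, blueprint name, blueprint parameter names and lock choice are placeholders; the cmdlets and parameters are the documented ones.

```powershell
# Added example, not code from the deck: a least-privilege role built from the blueprint
# actions on the permissions slide, then import / publish / assign with Az.Blueprint.
# Assumptions: Az.Resources and Az.Blueprint are installed and Connect-AzAccount has run;
# the subscription id, folder layout, blueprint name and parameter names are placeholders.
Install-Module Az.Blueprint -Scope CurrentUser -Force
Import-Module Az.Resources, Az.Blueprint

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$scope          = "/subscriptions/$subscriptionId"          # where the definition is saved

# --- Permissions: a custom role holding only the Microsoft.Blueprint actions ---
$role = Get-AzRoleDefinition -Name 'Reader'   # template object; every field is replaced below
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = 'Blueprint Author'
$role.Description = 'Create, publish, delete and assign blueprints; no other rights.'
$role.Actions.Clear()
@(
    'Microsoft.Blueprint/blueprints/write',             # create / edit
    'Microsoft.Blueprint/blueprints/artifacts/write',
    'Microsoft.Blueprint/blueprints/versions/write',    # publish
    'Microsoft.Blueprint/blueprints/delete',            # delete
    'Microsoft.Blueprint/blueprints/artifacts/delete',
    'Microsoft.Blueprint/blueprints/versions/delete',
    'Microsoft.Blueprint/blueprintAssignments/write',   # assign
    'Microsoft.Blueprint/blueprintAssignments/delete',  # unassign
    'Microsoft.Blueprint/blueprints/read',              # added so Get-AzBlueprint works
    'Microsoft.Blueprint/blueprintAssignments/read'
) | ForEach-Object { $role.Actions.Add($_) }
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)   # must cover the scope where the definition is saved
New-AzRoleDefinition -Role $role

# --- Import, publish, assign ---
# Import-AzBlueprintWithArtifact expects a folder with blueprint.json and an artifacts/
# subfolder, which is the layout Export-AzBlueprintWithArtifact writes (placeholder path).
Import-AzBlueprintWithArtifact -Name 'vnet-baseline' -SubscriptionId $subscriptionId -InputPath './vnet-baseline'

# Publish: every assignment targets a published version, never the draft
$bp = Get-AzBlueprint -SubscriptionId $subscriptionId -Name 'vnet-baseline'
Publish-AzBlueprint -Blueprint $bp -Version '1.0' -ChangeNote 'Initial VNet baseline'

# Assign the latest published version. Assignments are always made to a subscription; the
# lock keeps the deployed resources from being deleted outside the blueprint.
$published = Get-AzBlueprint -SubscriptionId $subscriptionId -Name 'vnet-baseline' -LatestPublished
$rgParameters = @{ networkRg = @{ name = 'rg-network'; location = 'westeurope' } }   # placeholder names
$bpParameters = @{ vnetAddressPrefix = '10.10.0.0/16' }                               # placeholder names
New-AzBlueprintAssignment -Name 'assign-vnet-baseline' -Blueprint $published `
    -SubscriptionId $subscriptionId -Location 'westeurope' -Lock AllResourcesDoNotDelete `
    -Parameter $bpParameters -ResourceGroupParameter $rgParameters

# Check the result; a failed artifact is reported here with its error
Get-AzBlueprintAssignment -SubscriptionId $subscriptionId -Name 'assign-vnet-baseline' |
    Select-Object Name, ProvisioningState, BlueprintId
```

`-Lock AllResourcesDoNotDelete` (or `AllResourcesReadOnly`) is the part of an assignment that most often surprises people: the lock is enforced by the Blueprints service, so even a subscription Owner cannot delete the locked resources until the assignment is removed or the lock mode is changed.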
  17. Useful links
    • Management Groups and Azure Policy samples: https://bit.ly/2ZpnSVj
    • Azure Blueprints samples (including CI/CD pipelines): https://bit.ly/2MLQNwc
    • Starter Resource Graph queries: https://bit.ly/30Q8Owy
    • Advanced Resource Graph queries: https://bit.ly/30Ogf7D
  18. Wrap up
    • Consider organizational hierarchies
    • Validating individual policies? Don't include them in an initiative
    • Blueprints in PowerShell can only be added to the subscription level
    • Can't use ARM templates to create Management Groups (at the time of this session)