The_steps_to_effective_Azure_governance.pdf

Transcript

1. Effective The steps to Azure Governance

2. About me @SjoukjeZaal https://www.sjoukjezaal.com Sjoukje Zaal Managing Consultant / Azure

   MVP

3. © 2019 Sjoukje Zaal Management Groups Demo Resource Graph Demo

   Policy demo Blueprints Demo Step 05 Step 04 Step 03 Azure Governance Step 02 Step 01 Agenda

4. © 2019 Sjoukje Zaal Governance in Azure is one aspect

   of Azure Management. .

5. © 2019 Sjoukje Zaal 8 6 ( Azure Governance A

   collection of concepts and services 01 Step 02 Step 03 Step 04 Step Management Groups Policy Blueprints Resource Graph z

6. © 2019 Sjoukje Zaal Automatically inherit the conditions Apply governance

   conditions Unified policy and access management Organizes subscriptions into containers Management Groups capabilities

7. © 2019 Sjoukje Zaal Management Groups Azure management groups provide

   a level of scope above subscriptions.

8. © 2019 Sjoukje Zaal Demo Management Groups

9. © 2019 Sjoukje Zaal f w c Looked at the

   available Management Groups Added a subscription to the group Added the Marketing Management Group Step 1 Demo summary Step 2 Step 3

10. © 2019 Sjoukje Zaal Detail changes made to resource properties

    Assess the impact of applying policies Explore resources based on governance requirements Queries with complex filtering, grouping, and sorting Resource Graph (Preview) Provides resource exploration with the ability to query at scale across a given set of subscriptions

11. © 2019 Sjoukje Zaal Resource Graph Working • Regular full

    scan • Updates database when resource is updated • Throttling Supports • PowerShell, CLI and Azure SDK for .NET • Kusto query language ( 6

12. © 2019 Sjoukje Zaal Demo Resource Graph

13. © 2019 Sjoukje Zaal f w c Installed the Az.ResourceGraph

    module Executed various queries on the subscriptions Set the Resource Graph to query all subscriptions Step 1 Demo summary Step 2 Step 3

14. © 2019 Sjoukje Zaal x E b Azure policy Service

    Create, assign, and manage policies Azure portal, PowerShell, CLI and ARM templates Built-in & custom policies Stay Compliant by Enforcing rules and effects Evaluating your resources Assigned to Management Groups Subscriptions Resource Groups Azure Policy

15. © 2019 Sjoukje Zaal Append Adds the defined set of

    fields to the request Audit Generates a warning event in activity log but doesn’t fail the request Deny Generates an event in the activity log and fails the request Disabled Doesn’t evaluate resources for compliance to the policy rule DeployIfNotExists Deploys a resource if it doesn’t already exist AuditIfNotExists Enables auditing if a resource doesn’t exist Each policy definition in Azure Policy has a single effect. That effect determines what happens when the policy rule is evaluated to match. Policy Effects

16. © 2019 Sjoukje Zaal Policy Policy artifacts Definition Assignment Parameters

    Definition Assignment Parameters Initiative C

17. © 2019 Sjoukje Zaal Create definition Assign definition Evaluation Compliant

    / non-compliant User check Create remediation task Azure Policy flow

18. © 2019 Sjoukje Zaal Validating individual policies? Don't include them

    in an initiative Create and assign initiative definitions Consider organizational hierarchies Start with an audit effect instead of a deny effect Policy best practices

19. © 2019 Sjoukje Zaal Demo Assign Policies

20. © 2019 Sjoukje Zaal

21. © 2019 Sjoukje Zaal f w c b y Assigned

    a built-in policy Created a VM Assigned the custom policy Created a custom policy Performed Remediation Step 1 Demo summary Step 2 Step 3 Step 4 Step 5

22. © 2019 Sjoukje Zaal x E E b Exists natively

    in Azure Offers versioning Relationship definition / assignment Backed by Azure Cosmos DB Azure Blueprints (preview) Deploy and update cloud environments in a repeatable manner using composable artifacts

23. © 2019 Sjoukje Zaal RBAC assignments ARM templates Policy definitions

    Resource Groups Blueprint artifacts

24. © 2019 Sjoukje Zaal Blueprint permissions 01 02 03 Create

    Microsoft.Blueprint/blueprints/write Microsoft.Blueprint/blueprints/artifacts/write Microsoft.Blueprint/blueprints/versions/write Publish Microsoft.Blueprint/blueprints/delete Microsoft.Blueprint/blueprints/artifacts/delete Microsoft.Blueprint/blueprints/versions/delete (Un) assign Microsoft.Blueprint/blueprintAssignments/write Microsoft.Blueprint/blueprintAssignments/delete The blueprint definition permissions must be granted or inherited on the management group or subscription scope where it is saved.

25. © 2019 Sjoukje Zaal x E t b Install AZ.Blueprint

    Module Blueprint parameters Import / export Blueprints CI/CD pipelines Create Blueprints using PowerShell, ARM & API

26. © 2019 Sjoukje Zaal Demo Assign Blueprints

27. © 2019 Sjoukje Zaal

28. © 2019 Sjoukje Zaal f w c b y Set

    the required permissions Imported the Blueprint using PowerShell Created a Network Blueprint using ARM templates Assigned the VNet Blueprint Created VNet Blueprint in the portal Step 1 Demo summary Step 2 Step 3 Step 4 Step 5

29. © 2019 Sjoukje Zaal Useful links Management Groups Azure policy

    samples: https://bit.ly/2ZpnSVj Blueprints Azure Blueprints samples (including CI/CD pipelines): https://bit.ly/2MLQNwc Resource Graph Starter Resource Graph queries: https://bit.ly/30Q8Owy Advanced Resource Graph queries: https://bit.ly/30Ogf7D ( 6 K

30. © 2019 Sjoukje Zaal Validating individual policies? Don't include them

    in an initiative Blueprints in PowerShell can only be added to the subscription level Consider organizational hierarchies Can’t use ARM templates to create Management Groups Wrap up

31. ? any Are there questions?