Azure Governance

EA Hierarchy

  • EA Hierarchy and Management Scope
    • The EA Portal is used to create an Azure EA hierarchy with departments, accounts, and subscriptions.
    • Management Groups
      • Containers that help you manage access, policy, and compliance for multiple subscriptions.
      • Can set RBAC + policies at this level to be inherited by subscriptions
    • Subscriptions
    • Resource Groups
      • Contains resources
      • Cannot be contained within another resource group
      • The resource group stores metadata about the resources. Therefore, when you specify a location for the resource group, you are specifying where that metadata is stored.
      • Put resources that should be deployed and charged back together in the same resource group. See the Cloud Adoption Framework guidance.
      • You can apply certain actions on all resources within a group such as deleting an RG, or assign RBAC permissions on an entire group
  • Video: EA Portal Onboarding Session

Cloud Adoption Framework

  • Cloud Adoption Framework provides actionable governance guides that represent common experiences often encountered by customers. This framework helps you to create personalized governance solutions that meet your business needs.
    • Implement the Disciplines of Cloud Governance
      • Cost Management: Develop policies for cost control for all cloud platforms.
      • Security Baseline: Cloud governance policies and enforcement apply established security requirements across network, data, and asset configurations.
      • Identity Baseline: Ensure that identity is consistently applied across cloud adoption efforts.
      • Resource Consistency: Through governance tooling, resources can be configured consistently to manage risks related to onboarding, drift, discoverability, and recovery.
      • Deployment Acceleration: Centralization, standardization, and consistency in approaches to deployment and configuration improve governance practices.

Cost Management

Security

Identity

Resource Consistency

  • Resource Consistency sample policy statements
  • Recommended Naming and Tagging Conventions
    • Well-defined naming and metadata tagging conventions help to quickly locate and manage resources
  • Lock resources to prevent unexpected changes
    • CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
    • ReadOnly means authorized users can read a resource, but they can't delete or update the resource.
    • When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent.
    • Consider applying locks to foundational resources: virtual networks, gateways, storage accounts.
  • Azure Policy
    • Policies and initiatives enforce rules over resources and services in your subscriptions
    • An initiative definition is a collection of policy definitions that are tailored towards achieving a singular overarching goal. They simplify policy management by grouping a set of policies as one single item.
    • Azure Policy vs RBAC. Azure Policy evaluates state by examining properties on resources. RBAC focuses on managing user actions at different scopes.
    • Walkthrough: Create a Policy Assignment to Identify Non-Compliant Resources
    • Policy Effects determine what happens when the policy rule is evaluated to match.
    • Policy Samples
    • Azure Automation
      • Process Automation in Azure Automation allows you to automate frequent, time-consuming, and error-prone cloud management tasks.
      • Configuration Management in Azure Automation allows access to two features: (1) Change Tracking and Inventory (2) Azure Automation State Configuration
      • Update Management allows you to create scheduled deployments that orchestrate the installation of updates within a defined maintenance window.
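The lock behaviour described above (CanNotDelete inherited by everything in a resource group, ReadOnly on a single foundational resource), as an added Bicep example that is not part of the original notes; Bicep compiles to the ARM templates mentioned later in these notes. It assumes an existing hub virtual network named vnet-hub in the target resource group.

```bicep
// Added example, not part of the original notes: resource locks deployed as code.
// Deploy at resource-group scope (the default targetScope for a Bicep file).
targetScope = 'resourceGroup'

@description('Existing hub virtual network in this resource group (assumed name).')
param hubVnetName string = 'vnet-hub'

resource hubVnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = {
  name: hubVnetName
}

// CanNotDelete at resource-group scope: every resource in the group, including
// resources added later, inherits it. Authorized users can still read and modify.
resource rgLock 'Microsoft.Authorization/locks@2020-05-01' = {
  name: 'lock-rg-cannotdelete'
  properties: {
    level: 'CanNotDelete'
    notes: 'Foundational resource group; remove this lock deliberately before deleting.'
  }
}

// ReadOnly on one foundational resource: blocks delete AND update, which for a
// VNet includes subnet and peering changes, so scope it narrowly and on purpose.
resource vnetLock 'Microsoft.Authorization/locks@2020-05-01' = {
  name: 'lock-vnet-readonly'
  scope: hubVnet
  properties: {
    level: 'ReadOnly'
    notes: 'Hub network topology is change-controlled.'
  }
}
```

Deploy it with `az deployment group create -g <resource-group> --template-file locks.bicep`; removing either lock later is itself an auditable write to the scope, which is what makes the control visible.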

Deployment

  • Deployment Acceleration sample policy statements https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/govern/deployment-acceleration/policy-statements
  • Azure Resource Manager templates enable using infrastructure as code to deploy your resources to Azure. You could also use Terraform as a consistent on-premises and cloud-based deployment tool.
  • Azure Monitor, including Log Analytics and Application Insights, provides tools for collecting and analyzing telemetry to help you understand how your applications are performing and proactively identify issues affecting them and the resources they depend on. Additionally, Azure activity log reports all changes that are being made at the platform level and should be monitored and audited for noncompliant changes.
  • Azure Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as: (1) Role Assignments (2) Policy Assignments (3) Azure Resource Manager templates (4) Resource Groups
    • Overriding locking states with Blueprints. It's typically possible for someone with appropriate role-based access control (RBAC) on the subscription, such as the 'Owner' role, to alter or delete any resource. This is not the case when Azure Blueprints applies locking as part of a deployed assignment. If the assignment was set with the Read Only or Do Not Delete option, not even the subscription owner can perform the blocked action on the protected resource.
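The Azure Policy pieces covered earlier (a definition, its parameterised effect, and the assignment that makes it take effect) delivered as infrastructure as code in the way this section describes, as an added Bicep example that is not part of the original notes. The tag name costCenter is an assumed value; the policy rule itself follows the standard require-a-tag pattern.

```bicep
// Added example, not part of the original notes: a custom policy definition with a
// parameterised effect and its assignment, deployed as code at subscription scope.
targetScope = 'subscription'

@description('Tag every resource must carry; "costCenter" is an assumed name.')
param requiredTagName string = 'costCenter'

@description('Start with Audit to see the compliance state, switch to Deny once clean.')
@allowed(['Audit', 'Deny', 'Disabled'])
param effect string = 'Audit'

// Policy evaluates resource properties (does tags[<name>] exist?); RBAC only decides who may act.
resource requireTag 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'require-tag-on-resources'
  properties: {
    displayName: 'Require a tag on resources'
    policyType: 'Custom'
    mode: 'Indexed' // only resource types that support tags and location
    parameters: {
      tagName: { type: 'String', metadata: { displayName: 'Tag name' } }
      effect: {
        type: 'String'
        allowedValues: ['Audit', 'Deny', 'Disabled']
        defaultValue: 'Audit'
      }
    }
    // Bicep emits the leading "[" as "[[" so ARM leaves the expression for Policy to evaluate.
    policyRule: {
      if: {
        field: '[concat(\'tags[\', parameters(\'tagName\'), \']\')]'
        exists: 'false'
      }
      then: { effect: '[parameters(\'effect\')]' }
    }
  }
}

// A definition does nothing until assigned; the same definition can be assigned
// repeatedly with different parameters or grouped with others into an initiative.
resource assignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'require-${requiredTagName}-tag'
  properties: {
    displayName: 'Require the ${requiredTagName} tag on all resources'
    policyDefinitionId: requireTag.id
    parameters: {
      tagName: { value: requiredTagName }
      effect: { value: effect }
    }
  }
}
```

Deploy with `az deployment sub create --location <region> --template-file policy.bicep --parameters effect=Audit`, review the non-compliant resources the assignment reports, and only then redeploy with `effect=Deny`.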