Build a cloud governance strategy on Azure
linking:: AZ-900, Azure-Identity
Control access to cloud resources by using Azure role-based access control
Role-based access control is applied to a scope: a management group, a subscription, a resource group, or an individual resource. A role assignment made at a parent scope is inherited by everything beneath it, so the effective permissions on a resource are the union of the assignments at the resource itself, its resource group, its subscription, and any management group above that subscription.
Use Azure RBAC when you need to:
- Allow one user to manage VMs in a subscription and another user to manage virtual networks.
- Allow a database administrator group to manage SQL databases in a subscription.
- Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets.
- Allow an application to access all resources in a resource group.
RBAC uses an allow model. When you’re assigned a role, RBAC allows you to perform the actions that role lists, such as read, write, or delete. Permissions are additive across assignments: if one assignment grants write at the subscription and another grants only read on a resource group, the user can still write in that resource group. A role definition’s NotActions only narrow that same role’s Actions; they are not a deny, so you cannot use them to take away a permission that another assignment grants.
Prevent accidental changes by using resource locks
You can apply locks to a subscription, a resource group, or an individual resource.
- CanNotDelete means authorized people can still read and modify a resource, but they can’t delete it without first removing the lock.
- ReadOnly means authorized people can read a resource, but they can’t delete or change it. Applying this lock is like restricting all authorized users to the permissions granted by the Reader role in Azure RBAC. Because the lock is enforced on the management plane by HTTP method, it also blocks some operations that feel like reads but are POSTs, such as listing a storage account’s access keys.
Locks sit on top of role assignments and apply to everyone, Owners included, which is what makes them useful against accidents by highly privileged users. They are not a security boundary: creating or deleting a lock needs Microsoft.Authorization/locks/* permissions, which the built-in Owner and User Access Administrator roles have, and locks only restrict management-plane operations, so a CanNotDelete lock on a storage account does not stop someone deleting the blobs inside it.
To make the protection process more robust, you can combine resource locks with Azure Blueprints. Azure Blueprints enables you to define the set of standard Azure resources that your organization requires. For example, you can define a blueprint that specifies that a certain resource lock must exist. Azure Blueprints can automatically replace the resource lock if that lock is removed.
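The RBAC allow model, inheritance down the scope chain (including from a management group) and the way a resource lock overrides even an Owner, as an added toy evaluator for both sections above. This is not code from these notes or from Microsoft: the role definitions are cut-down versions of the built-in Owner, Contributor and Reader, the management group, subscription, principals, assignments and locks are constructed, and data actions, ABAC conditions and deny assignments are not modelled.

```python
"""Toy model of Azure RBAC (allow model, scope inheritance) plus resource locks.
Added example, not code from the notes or Microsoft; hierarchy, principals,
assignments and locks are constructed, and the engine is a simplification."""
from fnmatch import fnmatchcase

# (Actions, NotActions). NotActions only narrow the same role's Actions;
# they are not a deny, so another role can still grant the action.
ROLES = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/*/Write"]),  # subset of the real list
    "Reader": (["*/read"], []),
}
SUBSCRIPTION_MG = {"sub-prod": "mg-landing-zones"}  # constructed hierarchy

def scope_chain(resource_id):
    """Scopes whose assignments a resource inherits, broadest first (lowercased)."""
    parts = resource_id.strip("/").split("/")
    chain = []
    if parts[0].lower() == "subscriptions":
        sub = parts[1]
        if sub in SUBSCRIPTION_MG:
            chain.append("/providers/Microsoft.Management/managementGroups/" + SUBSCRIPTION_MG[sub])
        chain.append("/subscriptions/" + sub)
        if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
            chain.append("/subscriptions/%s/resourceGroups/%s" % (sub, parts[3]))
            if len(parts) > 4:
                chain.append(resource_id)
    return [s.lower() for s in chain]

def matches(pattern, action):
    # Azure action strings are case-insensitive and '*' spans '/' segments.
    return fnmatchcase(action.lower(), pattern.lower())

def role_permits(role, action):
    actions, not_actions = ROLES[role]
    return (any(matches(p, action) for p in actions)
            and not any(matches(p, action) for p in not_actions))

def rbac_allows(principal, action, resource_id, assignments):
    """Allow model: one matching assignment at any ancestor scope is enough."""
    chain = scope_chain(resource_id)
    return any(who == principal and scope.lower() in chain and role_permits(role, action)
               for who, role, scope in assignments)

def lock_blocks(action, resource_id, locks):
    """Locks bind everyone, Owners included. Simplified: ReadOnly blocks all but
    reads, CanNotDelete blocks deletes. Managing the lock itself is left to RBAC
    so an authorised principal can still remove it."""
    a = action.lower()
    if a.startswith("microsoft.authorization/locks/"):
        return None
    chain = scope_chain(resource_id)
    for scope, level in locks.items():
        if scope.lower() not in chain:
            continue
        if level == "ReadOnly" and not a.endswith("/read"):
            return "blocked by ReadOnly lock at " + scope
        if level == "CanNotDelete" and a.endswith("/delete"):
            return "blocked by CanNotDelete lock at " + scope
    return None

def is_allowed(principal, action, resource_id, assignments, locks):
    if not rbac_allows(principal, action, resource_id, assignments):
        return False, "no role assignment grants this action at this scope"
    reason = lock_blocks(action, resource_id, locks)
    return (False, reason) if reason else (True, "allowed")

# Constructed scopes, assignments and locks.
MG = "/providers/Microsoft.Management/managementGroups/mg-landing-zones"
RG_WEB = "/subscriptions/sub-prod/resourceGroups/rg-web"
RG_ARCHIVE = "/subscriptions/sub-prod/resourceGroups/rg-archive"
VM = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/vm1"
ARCHIVE_SA = RG_ARCHIVE + "/providers/Microsoft.Storage/storageAccounts/starchive"
ASSIGNMENTS = [  # (principal, role, scope)
    ("alice", "Owner", MG),  # inherited by every subscription under the MG
    ("bob", "Contributor", RG_WEB),
    ("carol", "Reader", "/subscriptions/sub-prod"),
]
LOCKS = {RG_WEB: "CanNotDelete", RG_ARCHIVE: "ReadOnly"}
CHECKS = [
    ("bob", "Microsoft.Compute/virtualMachines/write", VM),            # allowed
    ("bob", "Microsoft.Compute/virtualMachines/delete", VM),           # CanNotDelete lock
    ("bob", "Microsoft.Authorization/locks/delete", RG_WEB),           # Contributor NotActions
    ("alice", "Microsoft.Authorization/locks/delete", RG_WEB),         # Owner, inherited from MG
    ("alice", "Microsoft.Storage/storageAccounts/write", ARCHIVE_SA),  # ReadOnly lock binds Owner too
    ("carol", "Microsoft.Compute/virtualMachines/read", VM),           # Reader at subscription
    ("carol", "Microsoft.Compute/virtualMachines/write", VM),          # Reader cannot write
]

def run_checks():
    return [is_allowed(p, a, r, ASSIGNMENTS, LOCKS) for p, a, r in CHECKS]

if __name__ == "__main__":
    for (p, a, r), (ok, why) in zip(CHECKS, run_checks()):
        print(f"{p:6} {a:45} {'ALLOW' if ok else 'DENY':5} {why}")
```

The two checks worth dwelling on are the third and fourth: Contributor's `*` matches the lock delete, but its NotActions take it back, so bob cannot remove the lock that stops him deleting the VM, while alice can because Owner is inherited from the management group. The fifth check shows the lock winning over Owner.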
Organize your Azure resources by using tags
You can add, modify, or delete resource tags through PowerShell, the Azure CLI, Azure Resource Manager templates, the REST API, or the Azure portal.
You can also manage tags by using Azure Policy. Tags aren’t inherited: tags applied to a resource group aren’t automatically applied to the resources within that resource group. You can use Azure Policy (the Modify effect, for example the built-in “Inherit a tag from the resource group” definition) to ensure that a resource inherits the same tags as its parent resource group. You’ll learn more about Azure Policy later in this module.
You can also use Azure Policy to enforce tagging rules and conventions. For example, you can require that certain tags be added to new resources as they’re provisioned. You can also define rules that reapply tags that have been removed.
Control and audit your resources by using Azure Policy
Azure Policy enables you to define both individual policies and groups of related policies, known as initiatives. Azure Policy evaluates your resources and highlights resources that aren’t compliant with the policies you’ve created. Azure Policy can also prevent noncompliant resources from being created.
Implementing a policy in Azure Policy involves three tasks:
- Create a policy definition
  - A definition pairs a condition with an effect (Audit, Deny, Modify, DeployIfNotExists, and so on). Built-in examples: allowed SKUs, allowed locations, auditing MFA on privileged accounts, CORS settings on web apps.
- Assign the definition to a scope
  - A management group, subscription, or resource group; specific child resource groups or resources can be excluded from the assignment.
- Review the evaluation results
  - Each resource is marked compliant or non-compliant; with a Deny effect a non-compliant create or update is rejected at request time rather than recorded.
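The three tasks above, plus the resource-group tag inheritance from the tags section, as an added toy evaluator. It is not Microsoft’s policy engine and not code from these notes: it keeps the real definition layout (policyRule if/then, field conditions, allOf, effects, assignment scope with notScopes) but supports only a few operators, one template expression and the Modify, Deny and Audit effects, and every resource, scope and tag below is constructed.

```python
"""Toy evaluator for Azure Policy definitions and assignments. Added example;
not Microsoft's engine and not code from the notes. Real definition layout,
but only a few operators, one template expression and Modify/Deny/Audit;
all resources, scopes and tags are constructed."""
import re

RG_WEB = "/subscriptions/sub-prod/resourceGroups/rg-web"
RG_SANDBOX = "/subscriptions/sub-prod/resourceGroups/rg-sandbox"

DEFINITIONS = {
    "allowed-locations": {"policyRule": {
        "if": {"field": "location", "notIn": ["westeurope", "northeurope"]},
        "then": {"effect": "deny"}}},
    "require-owner-tag": {"policyRule": {
        "if": {"field": "tags['owner']", "exists": "false"},
        "then": {"effect": "audit"}}},
    # Same shape as the built-in "Inherit a tag from the resource group" definition.
    "inherit-costcenter-tag": {"policyRule": {
        "if": {"allOf": [
            {"field": "tags['costcenter']", "exists": "false"},
            {"value": "[resourceGroup().tags['costcenter']]", "notEquals": ""}]},
        "then": {"effect": "modify", "details": {"operations": [
            {"operation": "add", "field": "tags['costcenter']",
             "value": "[resourceGroup().tags['costcenter']]"}]}}}},
}
ASSIGNMENTS = [  # scope plus optional exclusions (notScopes)
    {"definition": "allowed-locations", "scope": "/subscriptions/sub-prod"},
    {"definition": "require-owner-tag", "scope": "/subscriptions/sub-prod", "notScopes": [RG_SANDBOX]},
    {"definition": "inherit-costcenter-tag", "scope": "/subscriptions/sub-prod"},
]
RESOURCE_GROUPS = {RG_WEB: {"costcenter": "cc-100"}}  # tags returned by resourceGroup()
TAG_FIELD = re.compile(r"tags\['(\w+)'\]")
RG_TAG_EXPR = re.compile(r"\[resourceGroup\(\)\.tags\['(\w+)'\]\]")
OPERATORS = {
    "equals": lambda a, v: a == v, "notEquals": lambda a, v: a != v,
    "in": lambda a, v: a in v, "notIn": lambda a, v: a not in v,
    "exists": lambda a, v: (a is not None) == (v == "true"),
}

def field_value(resource, field):
    m = TAG_FIELD.fullmatch(field)
    return resource.get("tags", {}).get(m.group(1)) if m else resource.get(field)

def resolve(value, resource):
    # Only [resourceGroup().tags['x']] is resolved; anything else is a literal.
    m = RG_TAG_EXPR.fullmatch(value) if isinstance(value, str) else None
    if not m:
        return value
    rg_id = resource["id"].split("/providers/")[0]
    return RESOURCE_GROUPS.get(rg_id, {}).get(m.group(1), "")

def condition(cond, resource):
    if "allOf" in cond:
        return all(condition(c, resource) for c in cond["allOf"])
    actual = field_value(resource, cond["field"]) if "field" in cond else resolve(cond["value"], resource)
    op = next(k for k in OPERATORS if k in cond)
    return OPERATORS[op](actual, cond[op])

def in_scope(assignment, resource_id):
    rid = resource_id.lower()
    return (rid.startswith(assignment["scope"].lower())
            and not any(rid.startswith(ns.lower()) for ns in assignment.get("notScopes", [])))

EFFECT_ORDER = {"modify": 0, "deny": 1, "audit": 2}  # Azure evaluates Modify, then Deny, then Audit

def evaluate(resource, assignments=ASSIGNMENTS):
    """Return (outcome, resource after Modify, findings): 'denied', 'non-compliant' or 'compliant'."""
    resource = {**resource, "tags": dict(resource.get("tags", {}))}
    applicable = [a for a in assignments if in_scope(a, resource["id"])]
    applicable.sort(key=lambda a: EFFECT_ORDER[DEFINITIONS[a["definition"]]["policyRule"]["then"]["effect"]])
    findings = []
    for a in applicable:
        rule = DEFINITIONS[a["definition"]]["policyRule"]
        if not condition(rule["if"], resource):
            continue
        effect = rule["then"]["effect"]
        if effect == "modify":  # only "add" of a tag is supported here
            for op in rule["then"]["details"]["operations"]:
                tag = TAG_FIELD.fullmatch(op["field"]).group(1)
                resource["tags"][tag] = resolve(op["value"], resource)
            findings.append(a["definition"] + ": modified")
        elif effect == "deny":
            findings.append(a["definition"] + ": denied")
            return "denied", resource, findings
        else:
            findings.append(a["definition"] + ": non-compliant")
    outcome = "non-compliant" if any(f.endswith("non-compliant") for f in findings) else "compliant"
    return outcome, resource, findings

SAMPLE_RESOURCES = {  # constructed
    "st-web": {"id": RG_WEB + "/providers/Microsoft.Storage/storageAccounts/stweb",
               "location": "westeurope", "tags": {"owner": "alice"}},
    "vm-east": {"id": RG_WEB + "/providers/Microsoft.Compute/virtualMachines/vm1",
                "location": "eastus", "tags": {}},
    "st-untagged": {"id": RG_WEB + "/providers/Microsoft.Storage/storageAccounts/stnotags",
                    "location": "westeurope", "tags": {}},
    "st-sandbox": {"id": RG_SANDBOX + "/providers/Microsoft.Storage/storageAccounts/stsbx",
                   "location": "westeurope", "tags": {}},
}

def run_samples():
    return {name: evaluate(res) for name, res in SAMPLE_RESOURCES.items()}

if __name__ == "__main__":
    for name, (outcome, res, findings) in run_samples().items():
        print(f"{name:12} {outcome:14} tags={res['tags']} {findings}")
```

Two details matter in practice and are visible in the output: the effect order means `vm-east` still gets its cost-center tag added before the location policy rejects the request, and `st-sandbox` escapes the owner-tag audit only because its resource group is listed in the assignment’s notScopes, not because the definition changed.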
Govern multiple subscriptions by using Azure Blueprints
Azure Blueprints orchestrates the deployment of various resource templates and other artifacts, such as:
- Role assignments
- Policy assignments
- Azure Resource Manager templates
- Resource groups
Each component in the blueprint definition is known as an artifact. Note that Microsoft has announced the retirement of Azure Blueprints, which never left preview; ARM template specs and deployment stacks are the recommended replacement for new work.
Accelerate your cloud adoption journey by using the Cloud Adoption Framework for Azure
Create a subscription governance strategy
Billing
You can create one billing report per subscription. If you have multiple departments and need to do a “chargeback” of cloud costs, one possible solution is to organize subscriptions by department or by project.
Resource tags (covered above) can also help with chargeback. When you define how many subscriptions you need and what to name them, take into account your internal billing requirements.
Access control
A subscription is a deployment boundary for Azure resources. Every subscription is associated with a Microsoft Entra ID (formerly Azure Active Directory) tenant. Each tenant provides administrators the ability to set granular access through defined roles by using Azure role-based access control.
When you design your subscription architecture, consider the deployment boundary factor. For example, do you need separate subscriptions for development and for production environments? With separate subscriptions, you can control access to each one separately and isolate their resources from one another.
Subscription limits
Subscriptions also have some resource limitations. For example, the maximum number of Azure ExpressRoute circuits per subscription is 10. Those limits should be considered during your design phase. Some limits are soft and can be raised through a support request; a hard limit cannot be increased, so if you’ll need to exceed one you might need to add more subscriptions.
Management groups are also available to assist with managing subscriptions. A management group manages access, policies, and compliance across multiple Azure subscriptions. You’ll learn more about management groups later in this module.