Azure Scaffold - Governance Recommendations

Azure Scaffold - Governance Recommendations

February 25, 2017

Cloud Governance seems to have come up a few times over the past few weeks, so I wanted to post a short, sharp blog about it!

The topic seems to have come up a few times over the past few weeks, so I wanted to post a short, sharp blog about it!

How should I structure my Azure Subscription Hierarchy?
There is no “one right way” to answer this question. Your best bet is to first familiarise yourself with the Azure enterprise scaffold - prescriptive subscription governance documentation.

  • How do you currently approach this in your team/organisation?
  • Using the Azure enterprise scaffold documentation, what approach would fit best with your team/group?

The Azure Scaffold documentation provides guidance around Subscription Hierarchy, Role Based Access Control, Azure Policies, Resource Tags / Locks and more.

It is worth considering all of these points as part of your cloud governance strategy;

  • Efficient use of Role Based Access Control and Resource Locks could help accidental deletion of resources (Yes, this is something that I have seen in the wild!)
  • Would you give all of your team unrestricted access to machines in your data centre? No? Then why would you give them administrator access to a subscription in the cloud? Use the principle of least privilege, and use the Role Based Access Control functionality built into Azure.
  • Resource Tags can help you track ownership of resources. It provides you with a mechanism to tag resources (key-value pair), based upon keys and values of your choosing. Typical examples include the owner, cost centre, environment and more. Resource tags can also help you in tracking your costs, as you can filter down cost based upon tags.
  • Resource Policies can help you control the deployment of your resources. Rather than focusing on the permissions of a user (i.e. Role Based Access Control), policies determine the rules that govern the deployment of resources. As an example, I could set a policy across a Resource Group or Subscription that prevents me from deploying resources into North Europe. However, this does not retrospectively apply to existing resources - This is only for the deployment of new resources.
  • Resource Policies can be powerful when combined with Resource Tags. You can either Deny, Audit or Append actions. For example, you could refuse a deployment from taking place, unless the user has included particular Tags (e.g. owner and cost centre) as part of the deployment.

Are you using these features already? Is there something that works for you that you would like to share? Let me know on Twitter, @reddobowen!

Related

Are you thinking of scalability in your cloud application?

Scalability is one of the common areas where I have seen common misconceptions, when customers begin building on the platform.

Blog

September 29, 2016
A few useful Azure Resources

Over the past few weeks, I have been working on a number of projects relating to Azure. The usual theme has crept up, around recommended practices, and where to go for documentation. There are a couple of great resources to be aware of!

Blog

September 3, 2016
Approaching Resilience in Azure Solutions

I mentioned inĀ Building Solutions in the Cloud that I would be writing a series of blog posts on the areas of risk that I have seen since I have been providing guidance around Azure. In this post, I will provide some thoughts on how you can consider resilience within the context of your own solution or application.

Blog

August 26, 2016