Azure Governance - amitbhilagude/userfullinks GitHub Wiki

  1. Azure management groups
    1. Management groups are containers above subscriptions: every subscription belongs to exactly one management group, and management groups can be nested (up to six levels deep, not counting the tenant's root management group or the subscription) under that single root. A policy assignment or role assignment made at a management group is inherited by every management group and subscription beneath it, so the scope you assign at decides the blast radius of a mistaken assignment as much as its reach.
    2. For example, use management groups to separate the operations of different departments such as marketing, IT and HR. Under each department, nested management groups and subscriptions organize resources into a hierarchy for policy and access management. Later sections show management groups used as the scope for governance, policy management and access management.
  2. Azure tags
    1. Azure allows resource groups and resources to be tagged with name-value pairs. Tags support the logical organization and categorization of resources: filtering and grouping in Cost Management, identifying owners and environments, and driving automation. Tags are not inherited from a resource group by the resources inside it, so inheritance has to be enforced with a policy (the built-in modify-effect policies that copy a tag from the resource group) or set at deployment time.
  3. Azure Policy
    1. Azure Policy enforces governance rules on resources, for example a policy that denies the creation of any resource that lacks a required tag. A definition is assigned at a scope (management group, subscription or resource group) and is evaluated on every create or update request within that scope; resources that already exist are only reported as non-compliant unless a remediation task is run.
    2. A definition is JSON: a policyRule with an if block whose field conditions (equals, in, exists, like, ...) are combined with allOf, anyOf and not, and a then block naming the effect (deny, audit, append, modify, auditIfNotExists, deployIfNotExists). deny blocks the request; audit only records non-compliance, which makes it the safe way to test a new rule before switching it to deny.
  4. Azure locks
    1. Locks prevent accidental deletion (CanNotDelete) or any modification (ReadOnly) of a resource, resource group or subscription in production, even for a user holding Owner, and a lock is inherited by every child resource. A lock is a safeguard against mistakes rather than a security boundary: anyone with Microsoft.Authorization/locks/* permission, which Owner and User Access Administrator have, can remove the lock and then delete the resource.
  5. Azure RBAC
    1. Assign built-in roles such as Reader, Contributor and Owner to a user, group, service principal or managed identity at a scope: management group, subscription, resource group or individual resource. Assignments are inherited down the hierarchy, so prefer groups over individual users and the narrowest scope that does the job.
    2. Custom roles can be created when no built-in role fits. A custom role definition is JSON listing Actions, NotActions, DataActions, NotDataActions and AssignableScopes; NotActions subtracts from that role's Actions rather than denying, so a permission granted by another assignment is not blocked by it.
  6. Azure Blueprints
    1. A blueprint orchestrates, as one automated and repeatable package, deployments such as
      1. Role Assignment
      2. Policy Assignment
      3. ARM Templates
      4. Resource Groups
    2. Blueprints can be created from the Azure portal, Azure PowerShell, the Azure CLI, REST APIs or ARM templates. Azure Blueprints is being deprecated in favour of Template Specs and Deployment Stacks, so new environment automation should be built on those.
  7. Scenarios
    1. Company Inc is a worldwide company implementing a social media solution on the Azure IaaS platform. It uses web servers and application servers deployed on Azure virtual machines and virtual networks, with Azure SQL Database as the backend database.
    2. RBAC for Company Inc
      1. The first task is to ensure that the appropriate teams and application owners can access their resources, recognizing that each team has different requirements. For the sake of clarity, Azure SQL is deployed in a separate resource group from the Azure IaaS artifacts, so the database team and the application team can be given different roles.
      2. Define the role assignments needed, such as Owner, Security Manager, Contributor and Reader, scoped to the resource group each team owns; create a custom role where none of the built-in roles fits.
    3. Azure Policy
      1. Restrict deployments to approved locations (an allowed-locations policy).
      2. Mandate tags on resources and resource groups.
      3. Mandate diagnostic logs and Application Insights for all resources (an audit or deployIfNotExists policy rather than deny, since diagnostic settings are configured after the resource exists).
    4. Azure Locks
      1. All production and pre-production environments would be locked for deletion; development and testing environments would not.
      2. Development and testing environments that have only a single instance would also be locked for deletion.
      3. All shared resources would be locked for deletion regardless of environment.
  8. Best Practices
    1. Define naming conventions for resource groups and resources and enforce them with a policy (a condition on the name field using like or match).
    2. Require tags on every resource, with a policy that denies untagged deployments and one that inherits tags from the resource group.
    3. Use a standardized environment package (Azure Blueprints, or Template Specs and Deployment Stacks now that Blueprints is being deprecated) instead of raw ARM templates, so that the deployment of new environments, resources and resource groups follows corporate standards, including naming conventions and tags.
    4. Review Azure Advisor recommendations for cost, security, reliability, performance and operational excellence.
    5. Buy reserved instances for 1 or 3 years for VMs with predictable, long-running usage.
    6. Azure Hybrid Benefit (AHB) lets existing on-premises Windows Server and SQL Server licenses with Software Assurance be applied to Azure VMs and SQL services, which reduces cost.
    7. Choose a region that offers all the services a workload needs and keep the workload's components in that region: inbound data transfer is free, but traffic leaving a region is billed as egress.
    8. Schedule automatic shutdown of machines that are not used outside business hours.
    9. Deallocate machines rather than only shutting down the OS: a VM stopped from inside the guest is still allocated and still billed for compute, while a deallocated VM stops compute charges (attached disks, public IPs and other resources are still billed).
    10. Choose a non-WAF Application Gateway tier only where a WAF is genuinely not needed; internet-facing web servers like those in the scenario above are usually a case where it is.
    11. Reduce network traffic between Azure regions, since inter-region transfer is billed.
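The policy rule format from item 3 and the scenario policies of items 7.3 and 8.1 (allowed locations, mandatory tag, naming convention), carried through as a worked example. This is an added example, not code from the wiki or from Azure: a small offline evaluator for the subset of the policy-rule language the page describes (field conditions combined with allOf, anyOf and not, and a then block naming the effect), run against constructed resource descriptions. The region list, the costCenter tag name, the corp- name prefix and the sample resources are assumptions made for the example.

```python
"""Offline evaluator for the Azure Policy rule format described in the wiki.

Added example, not the wiki's or Azure's code. Supports field conditions
(equals, notEquals, in, notIn, exists, like, notLike) combined with allOf,
anyOf and not. The policies and resources below are constructed; the region
list, tag name and name prefix are assumptions.
"""
import fnmatch

ALLOWED_LOCATIONS = {
    "name": "allowed-locations",
    "policyRule": {
        "if": {"allOf": [
            {"not": {"field": "location", "in": ["westeurope", "northeurope"]}},
            {"field": "location", "notEquals": "global"},  # global services have no region
        ]},
        "then": {"effect": "deny"},
    },
}
REQUIRED_TAG = {
    "name": "require-costcenter-tag",
    "policyRule": {
        "if": {"field": "tags['costCenter']", "exists": "false"},
        "then": {"effect": "deny"},
    },
}
NAMING_CONVENTION = {
    "name": "naming-convention",
    "policyRule": {  # audit rather than deny: reports drift without blocking deployments
        "if": {"anyOf": [{"field": "name", "notLike": "corp-*"},
                         {"field": "name", "like": "*test*"}]},
        "then": {"effect": "audit"},
    },
}
ASSIGNED_POLICIES = [ALLOWED_LOCATIONS, REQUIRED_TAG, NAMING_CONVENTION]


def _norm(value):
    """Azure compares strings case-insensitively."""
    return value.lower() if isinstance(value, str) else value


def _field(resource, field):
    """Resolve a field alias: name, type, location, or tags['key'] / tags.key."""
    tags = {k.lower(): v for k, v in resource.get("tags", {}).items()}
    if field.startswith("tags["):
        return tags.get(field[len("tags["):-1].strip("'\"").lower())
    if field.startswith("tags."):
        return tags.get(field[len("tags."):].lower())
    return resource.get(field)


def _condition(resource, cond):
    """Evaluate one field condition against the resource."""
    value = _norm(_field(resource, cond["field"]))
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "notEquals" in cond:
        return value != _norm(cond["notEquals"])
    if "in" in cond:
        return value in [_norm(v) for v in cond["in"]]
    if "notIn" in cond:
        return value not in [_norm(v) for v in cond["notIn"]]
    if "like" in cond:  # Azure's like uses a single '*' wildcard; fnmatch is a superset
        return value is not None and fnmatch.fnmatchcase(value, _norm(cond["like"]))
    if "notLike" in cond:
        return value is None or not fnmatch.fnmatchcase(value, _norm(cond["notLike"]))
    raise ValueError(f"unsupported condition: {cond}")


def rule_matches(resource, rule):
    """Evaluate the `if` block: logical operators recurse, anything else is a condition."""
    if "allOf" in rule:
        return all(rule_matches(resource, r) for r in rule["allOf"])
    if "anyOf" in rule:
        return any(rule_matches(resource, r) for r in rule["anyOf"])
    if "not" in rule:
        return not rule_matches(resource, rule["not"])
    return _condition(resource, rule)


def evaluate(policy, resource):
    """Effect the policy applies to the resource ('deny', 'audit', ...) or None if no match."""
    rule = policy["policyRule"]
    return rule["then"]["effect"].lower() if rule_matches(resource, rule["if"]) else None


def evaluate_request(policies, resource):
    """Effects from every policy assigned at the scope, keyed by policy name."""
    effects = {}
    for policy in policies:
        effect = evaluate(policy, resource)
        if effect is not None:
            effects[policy["name"]] = effect
    return effects


def is_denied(effects):
    """deny stops the create/update request; audit only marks the resource non-compliant."""
    return "deny" in effects.values()


# Constructed resource descriptions, shaped like the request body the policy engine sees.
SAMPLE_RESOURCES = {
    "untagged": {"name": "corp-web-01", "type": "Microsoft.Compute/virtualMachines",
                 "location": "westeurope", "tags": {}},
    "wrong-region": {"name": "corp-web-02", "type": "Microsoft.Compute/virtualMachines",
                     "location": "eastus", "tags": {"CostCenter": "CC100"}},
    "bad-name": {"name": "test123", "type": "Microsoft.Storage/storageAccounts",
                 "location": "northeurope", "tags": {"costCenter": "CC100"}},
    "compliant": {"name": "corp-web-03", "type": "Microsoft.Compute/virtualMachines",
                  "location": "westeurope", "tags": {"costCenter": "CC100"}},
}

if __name__ == "__main__":
    for label, resource in SAMPLE_RESOURCES.items():
        effects = evaluate_request(ASSIGNED_POLICIES, resource)
        print(f"{label:13} denied={is_denied(effects)} {effects}")
```

The naming policy uses audit on purpose: it surfaces the storage account named test123 as non-compliant without blocking the deployment, which is how a new rule should be rolled out before its effect is changed to deny.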
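Scope inheritance from item 1, the Actions/NotActions rule of item 5 and the lock behaviour of item 4, applied to the scenario of item 7. This is an added example, not code from the wiki or from Azure: an offline model in which a role assignment at a management group, subscription or resource group is inherited by every scope below it, a role permits an operation when it matches Actions minus NotActions (with Azure's '*' wildcard), and a CanNotDelete or ReadOnly lock blocks the operation even for Owner, while lock management itself is governed only by RBAC. The management group names, subscription ID, principals, trimmed role definitions, the custom VM Operator role and the assignments are all constructed for the example.

```python
"""Offline model of Azure RBAC scope inheritance and resource locks.

Added example, not the wiki's or Azure's code. Scope IDs, principals, the
trimmed role definitions, the custom role and the assignments are constructed.
"""
import fnmatch

MG = "/providers/Microsoft.Management/managementGroups/"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed subscription id
RG_WEB = SUB + "/resourceGroups/rg-prod-web"
RG_SHARED = SUB + "/resourceGroups/rg-shared"
VM_WEB = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"

# A subscription's parent management group is not part of its resource ID,
# so the management group tree is recorded explicitly.
MG_PARENTS = {SUB: MG + "mg-it", MG + "mg-it": MG + "mg-root"}

# Action sets trimmed from the built-in roles, plus one custom role (assumption).
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "VM Operator": {"Actions": ["Microsoft.Compute/virtualMachines/read",
                                "Microsoft.Compute/virtualMachines/start/action",
                                "Microsoft.Compute/virtualMachines/restart/action",
                                "Microsoft.Compute/virtualMachines/deallocate/action"],
                    "NotActions": []},
}

ASSIGNMENTS = [
    {"principal": "platform-team", "role": "Owner", "scope": MG + "mg-root"},
    {"principal": "auditors", "role": "Reader", "scope": MG + "mg-it"},
    {"principal": "ops-oncall", "role": "VM Operator", "scope": SUB},
    {"principal": "web-team", "role": "Contributor", "scope": RG_WEB},
]

LOCKS = [
    {"scope": RG_WEB, "level": "CanNotDelete"},  # production: no deletes
    {"scope": RG_SHARED, "level": "ReadOnly"},   # shared services: no changes at all
]


def parent_scope(scope):
    """One step up: resource -> resource group -> subscription -> management groups."""
    if scope in MG_PARENTS:
        return MG_PARENTS[scope]
    if scope.startswith("/subscriptions/") and "/providers/" in scope:
        return scope.split("/providers/")[0]  # nested child resources are folded into the RG
    if "/resourceGroups/" in scope:
        return scope.split("/resourceGroups/")[0]
    return None  # root management group


def scope_chain(scope):
    """The scope itself followed by every ancestor, where inherited assignments live."""
    chain = []
    while scope:
        chain.append(scope)
        scope = parent_scope(scope)
    return chain


def _matches(action, pattern):
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_permits(role, action):
    """Effective permission = Actions minus NotActions (NotActions is not a deny)."""
    return (any(_matches(action, a) for a in role["Actions"])
            and not any(_matches(action, n) for n in role["NotActions"]))


def blocking_lock(action, chain):
    """Lock on the scope or any ancestor that forbids the action; lock CRUD is RBAC-only."""
    if action.lower().startswith("microsoft.authorization/locks/"):
        return None
    for lock in LOCKS:
        if lock["scope"] not in chain:
            continue
        if lock["level"] == "ReadOnly" and not action.lower().endswith("/read"):
            return lock
        if lock["level"] == "CanNotDelete" and action.lower().endswith("/delete"):
            return lock
    return None


def authorize(principal, action, scope):
    """Return (allowed, reason) for principal performing action on scope."""
    chain = scope_chain(scope)
    grants = [a for a in ASSIGNMENTS
              if a["principal"] == principal and a["scope"] in chain
              and role_permits(ROLES[a["role"]], action)]
    if not grants:
        return False, "no role assignment at this scope or above permits the action"
    lock = blocking_lock(action, chain)
    if lock:
        return False, f"{lock['level']} lock at {lock['scope']} blocks the action"
    return True, f"{grants[0]['role']} assigned at {grants[0]['scope']}"


if __name__ == "__main__":
    DELETE_VM = "Microsoft.Compute/virtualMachines/delete"
    for who, act, where in [("web-team", DELETE_VM, VM_WEB),
                            ("platform-team", DELETE_VM, VM_WEB),
                            ("platform-team", "Microsoft.Authorization/locks/delete", RG_WEB),
                            ("ops-oncall", "Microsoft.Compute/virtualMachines/restart/action", VM_WEB),
                            ("auditors", "Microsoft.Storage/storageAccounts/write", RG_SHARED)]:
        print(who, act, authorize(who, act, where))
```

The two platform-team checks are the point of item 4: Owner inherited from the root management group cannot delete the locked production VM, yet the same Owner can delete the lock itself, so a lock protects against mistakes but not against a privileged principal. The web-team Contributor cannot remove the lock because Microsoft.Authorization/*/Delete is in Contributor's NotActions.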