SO THAT NOTHING FALLS BY THE WAYSIDE ON THE WAY TO THE CLOUD

Trivadis – Part of Accenture, Online Magazine: https://www.trivadis.com/de/magazine/cloud-transition

 

Technically, a cloud platform is introduced in no time. But for a company to profit from it in the long term, and not be confronted sooner than it would like with resource-draining and costly problems, the strategic and organizational challenges have to be identified and mastered alongside the technical ones.

What are the stumbling blocks?

  • No holistic survey of the current state, missing information about the current state of the IT landscape
  • Missing requirements for governance, compliance or security
  • Missing know-how about cloud computing, about the individual cloud providers and about what each provider offers
  • Trying to set up every topic relevant to cloud adoption correctly and completely from the start
  • Adapting cloud computing to the on-premises world, which eliminates the advantages of cloud computing from the outset

Summary: how is it done in practice?

  • Set up a small team for cloud adoption.
  • Build general cloud knowledge and provider-specific knowledge.
  • Record the current state and the requirements in a structured way.
  • Identify a first business project as the driving force for cloud adoption: not very critical, with few dependencies.
  • Implement the first relevant topics from the Cloud Foundation; which ones can differ a lot between organizations, e.g. a governance MVP.
  • Complete and extend the Cloud Foundation topics through the ongoing projects and migrations, and make the necessary organizational adjustments along the way.
  • Plan and execute all of this as short but effective iterations.

Global Azure Live Session – “Enterprise Cloud Readiness – What needs to be done?”

A cloud platform can be introduced quickly, easily and with little knowledge of the areas affected, so the benefits of cloud computing are immediately available to the business unit that asked for it. But word gets around fast: other business units discover the benefits of cloud computing and want to use them too. While one cloud platform was still easy to introduce, several of them carry the risk of resource chaos, which can lead to security gaps, outages of productive applications and systems, or even uncontrolled cost growth.

Video (coming soon)

Article: Enterprise Cloud Readiness – what needs to be done?

Article on “Enterprise Cloud Readiness – what needs to be done?” in the DOAG Red Stack Magazin

Technically, a cloud platform is introduced in no time. But for a company to profit from it in the long term, and not be confronted sooner than it would like with resource-draining and costly problems, the strategic and organizational challenges have to be identified and mastered alongside the technical ones.

Multi-Cloud IaaS VM System Management with Azure Arc

You are already using Azure IaaS VMs and Azure tools like Azure Monitor, Update Management, Change Tracking and Inventory to manage them. Now there are new requirements to manage additional VMs from on-premises and from other cloud platforms with the same system management configuration as the Azure VMs. Are you looking for tools or services in Azure to simplify IaaS VM system management across multiple clouds?

Yes: with Azure Arc, VMs outside Azure can be projected into Azure Resource Manager and managed with the same tools and configuration as Azure VMs.

Goals with Azure Arc:

  • centralized IaaS system management for
    • Azure VMs
    • non-Azure VMs from
      • on-premises
      • other cloud platforms
  • compatible Azure tools
    • Azure Monitor
    • Azure Update Management
    • Azure Change Tracking
    • Azure Inventory
    • Azure Policy

PreReq:

  • Register your subscription for the Azure Arc preview (resource providers Microsoft.HybridCompute and Microsoft.GuestConfiguration)
  • Create an Azure Arc resource group within your Azure subscription

Configuration Steps:

  • Generate the onboarding script in the Azure portal
  • Download the non-Azure VM onboarding PowerShell script from the Azure portal; it looks like the following, with the quoted placeholders already filled in with your values:

# Download the package
function download() {$ProgressPreference="SilentlyContinue"; Invoke-WebRequest -Uri https://aka.ms/AzureConnectedMachineAgent -OutFile AzureConnectedMachineAgent.msi}
download

# Install the package quietly; the verbose log helps when the install fails
msiexec /i AzureConnectedMachineAgent.msi /l*v installationlog.txt /qn | Out-String

# Run connect command: this prompts for an interactive device login.
# For unattended onboarding azcmagent connect also accepts --service-principal-id and --service-principal-secret.
& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect --resource-group "your-resourceGroup" --tenant-id "your-tenant-ID" --location "your-location" --subscription-id "your-subscription-id"

  • Run the onboarding PowerShell script on the non-Azure VM as a local administrator
  • Verify the connection: azcmagent show on the machine, and a new resource of type Microsoft.HybridCompute/machines in the Arc resource group

  • Deploy extensions to integrate the VM with the Azure tools
    • Monitoring agent
      • Log Analytics workspace ID
      • Log Analytics workspace key; you can find this key under the advanced settings of your workspace. The key is a shared secret: pass it only as a protected setting of the extension and never store it in scripts or public settings.
    • Custom PowerShell Script Extension (optional)
    • PowerShell DSC Extension (optional)

  • Configure IaaS system management; wait up to about 15 minutes until the non-Azure VM shows up as a connected VM in the Azure tools
    • Add to Update Management
    • Add to Inventory
    • Add to Change Tracking
    • Add to Monitoring
  • Assign your Azure policies to this VM, or at resource group level to cover all connected non-Azure VMs
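The monitoring-agent step above, as an added example that is not the page's own script: it deploys the Log Analytics agent extension to an Arc-connected machine through an inline ARM template, so the workspace key only ever travels in protectedSettings, then checks the workspace for the machine's heartbeat. Resource group, machine and workspace names are assumed placeholders; the osName property of the Arc machine, the HybridCompute API version and the extension publisher/type names are taken from my own use of the service, not from the page.

```powershell
# Added example (not the page's script). Assumed names:
$arcResourceGroup = 'rg-arc'            # resource group the machine was onboarded into
$machineName      = 'onprem-vm01'       # Microsoft.HybridCompute/machines resource
$location         = 'westeurope'
$workspaceRg      = 'rg-monitoring'
$workspaceName    = 'law-central'

# Workspace ID is public; the shared key is a secret and stays in a variable only.
$workspace    = Get-AzOperationalInsightsWorkspace -ResourceGroupName $workspaceRg -Name $workspaceName
$workspaceKey = (Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $workspaceRg -Name $workspaceName).PrimarySharedKey

# The Arc agent reports the guest OS in properties.osName ('windows' or 'linux'),
# which selects the right agent extension (assumption based on the resource schema).
$machine = Get-AzResource -ResourceGroupName $arcResourceGroup -ResourceType 'Microsoft.HybridCompute/machines' `
             -Name $machineName -ExpandProperties
$extensionType = if ($machine.Properties.osName -eq 'windows') { 'MicrosoftMonitoringAgent' } else { 'OmsAgentForLinux' }

# Inline ARM template: the key is a securestring parameter and lands in protectedSettings,
# so it is not readable afterwards through the extension resource.
$template = @{
  '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
  contentVersion = '1.0.0.0'
  parameters     = @{ workspaceKey = @{ type = 'securestring' } }
  resources      = @(
    @{
      type       = 'Microsoft.HybridCompute/machines/extensions'
      apiVersion = '2019-12-12'                       # assumed API version
      name       = "$machineName/$extensionType"
      location   = $location
      properties = @{
        publisher               = 'Microsoft.EnterpriseCloud.Monitoring'
        type                    = $extensionType
        autoUpgradeMinorVersion = $true
        settings                = @{ workspaceId  = $workspace.CustomerId.ToString() }
        protectedSettings       = @{ workspaceKey = "[parameters('workspaceKey')]" }
      }
    }
  )
}

New-AzResourceGroupDeployment -ResourceGroupName $arcResourceGroup -Name "mma-$machineName" `
  -TemplateObject $template `
  -TemplateParameterObject @{ workspaceKey = (ConvertTo-SecureString $workspaceKey -AsPlainText -Force) }

# Verify from the workspace side: the agent is "connected" once heartbeats arrive.
$heartbeat = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId `
  -Query "Heartbeat | where Computer =~ '$machineName' | summarize LastSeen = max(TimeGenerated)"
$heartbeat.Results
```

The same template works for Azure VMs by swapping the resource type to Microsoft.Compute/virtualMachines/extensions, which is what makes one deployment pipeline usable for both sides of the hybrid estate.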

Azure Governance Series – Part 2, use Azure Policy to be compliant with the organization’s regulations

How to identify the right Azure policies to fulfil the regulatory requirements of the organization while keeping the life of the cloud developers as easy as possible.

In this article I would like to show you the possibilities of Azure Policy and how policies can be structured.

First of all, what is Azure Policy and which goals can you reach by using these policies:

Governance validates that your organization can achieve its goals through effective and efficient use of IT. It meets this need by creating clarity between business goals and IT projects.

Does your company experience a significant number of IT issues that never seem to get resolved? Good IT governance involves planning your initiatives and setting priorities on a strategic level to help manage and prevent issues. This strategic need is where Azure Policy comes in.
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies. For example, you can have the policy to allow only a certain SKU size of virtual machines in your environment. Once this policy is implemented, new and existing resources are evaluated for compliance. With the right type of policy, existing resources can be brought into compliance. Later in this documentation, we’ll go over more details on how to create and implement policies with Azure Policy.

Source https://docs.microsoft.com/en-us/azure/governance/policy/overview

My approach to structuring the Azure policies:

  • Verify your governance, compliance and security requirements from the first part of this series.
  • Identify which type of effect (auditing or enforcing) makes sense for your organization. Audit, AuditIfNotExists and Deny only report or block; Append, Modify and DeployIfNotExists change resources and therefore need a managed identity on the assignment and a remediation task for existing resources.
  • Group similar policies into an initiative, even if it contains only one policy, and always assign the initiatives rather than single policies; that keeps assignments stable when policies are added later.
  • Start with auditing top-down and enforcing bottom-up: assign the audit effects at the root management group and work downwards, but introduce Deny and the other enforcing effects at the lowest scope (subscription or resource group) first and move them up once compliance and the developer impact are understood.
  • Verify which initiatives/policies should be assigned through the governance structure of the entire Azure tenant and which ones belong in a Blueprint. Azure Blueprints can contain additional initiative/policy assignments.

Here is one possible approach to structuring the Azure policies:

Initiative name | Description | Stored location
--- | --- | ---
location | Azure policies that define which Azure regions are allowed for resource provisioning | Root management group
tagging | Azure policies for tagging resources and resource groups | Root management group
monitoring | Azure policies to monitor the entire Azure AD tenant at different levels (tenant, subscription, resources) | Root management group
Network Security | Azure policies to ensure security at network level | Root management group
IaaS | Azure policies for IaaS workloads like virtual machines | Root management group
Policy Initiative – Location

Policy | Description | Effect | Parameter
--- | --- | --- | ---
Allowed locations | Name of location | Deny | West Europe, North Europe
Allowed locations for resource groups | Name of location | Deny | West Europe, North Europe
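The Location initiative from the table, as an added example that is not part of the original post: it builds the initiative from the two built-in definitions, stores it in the tenant root management group, assigns it there with Deny, and then lists what is already non-compliant, because Deny only blocks new deployments and never touches existing resources. The region list is the one from the table; the initiative parameter name allowedLocations is my choice, and the object shape Properties.DisplayName / PolicyDefinitionId is the one returned by the Az.Resources versions current when the article was written (newer versions expose DisplayName at the top level).

```powershell
# Added example, not from the original post.
$rootMg         = (Get-AzContext).Tenant.Id       # the tenant root management group is named after the tenant ID
$mgScope        = "/providers/Microsoft.Management/managementGroups/$rootMg"
$allowedRegions = @('westeurope', 'northeurope')   # West Europe, North Europe from the table

# Resolve the built-ins by display name instead of hard-coding their GUIDs.
$builtin            = Get-AzPolicyDefinition -Builtin
$allowedLocations   = $builtin | Where-Object { $_.Properties.DisplayName -eq 'Allowed locations' }
$allowedRgLocations = $builtin | Where-Object { $_.Properties.DisplayName -eq 'Allowed locations for resource groups' }
if (-not $allowedLocations -or -not $allowedRgLocations) { throw 'Built-in location definitions not found' }

# One initiative parameter feeds both definitions, so the region list lives in one place.
$initiativeParameters = @{
  allowedLocations = @{
    type     = 'Array'
    metadata = @{ displayName = 'Allowed locations'; strongType = 'location' }
  }
} | ConvertTo-Json -Depth 5

# Both built-ins take the same parameter, listOfAllowedLocations.
$definitions = @(
  @{ policyDefinitionId = $allowedLocations.PolicyDefinitionId
     parameters         = @{ listOfAllowedLocations = @{ value = "[parameters('allowedLocations')]" } } },
  @{ policyDefinitionId = $allowedRgLocations.PolicyDefinitionId
     parameters         = @{ listOfAllowedLocations = @{ value = "[parameters('allowedLocations')]" } } }
) | ConvertTo-Json -Depth 5

$initiative = New-AzPolicySetDefinition -Name 'location' -DisplayName 'Location' `
  -Description 'Azure regions allowed for resource provisioning' `
  -PolicyDefinition $definitions -Parameter $initiativeParameters -ManagementGroupName $rootMg

# Assigned at the root, so every management group and subscription below inherits the Deny.
New-AzPolicyAssignment -Name 'location' -DisplayName 'Allowed locations' -Scope $mgScope `
  -PolicySetDefinition $initiative `
  -PolicyParameterObject @{ allowedLocations = $allowedRegions }

# Deny does not delete anything that already exists: list the resources that are now
# outside the allowed regions so they can be migrated or exempted deliberately.
Get-AzPolicyState -ManagementGroupName $rootMg `
  -Filter "ComplianceState eq 'NonCompliant' and PolicySetDefinitionName eq 'location'" |
  Select-Object ResourceId, ResourceLocation, PolicyDefinitionName
```

For the "audit top-down, enforce bottom-up" rule, the same script can first be run with the built-in definitions' effect left at its default and the assignment placed on a single dev/test subscription scope; only after the compliance report is clean is the assignment moved to the root scope shown here.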

Policy Initiative – Tagging

Policy | Description | Effect | Parameter
--- | --- | --- | ---
Apply tag and default value | Append a tag and its value to resource groups | Append | Environment (from parameter), Owner (tbd), CostCenter (tbd), EndDate (tbd), Service (tbd), DataClassification (tbd), ProtectionLevel (Low)
Require tag | Inherit a tag from the resource group if missing | Modify | Environment, Owner, CostCenter, EndDate, Service, DataClassification, ProtectionLevel

Note that Modify (like DeployIfNotExists) changes resources: the assignment needs a managed identity with permission to write tags, and resources that already exist are only updated through a remediation task.

Policy Initiative – Monitoring

Policy | Description | Effect | Parameter
--- | --- | --- | ---
Deploy Log Analytics agent for Linux VMs | Deploys the Log Analytics agent on Linux VMs if the VM image (OS) is in the defined list and the agent is not installed. | DeployIfNotExists | Log Analytics workspace
Deploy Log Analytics agent for Windows VMs | Deploys the Log Analytics agent on Windows VMs if the VM image (OS) is in the defined list and the agent is not installed. The list of OS images is updated over time as support is updated. | DeployIfNotExists | Log Analytics workspace
Deploy Log Analytics agent for Windows virtual machine scale sets | Deploys the Log Analytics agent on Windows VM scale sets if the VM image (OS) is in the defined list and the agent is not installed. Note: if the scale set upgradePolicy is set to Manual, the extension must be applied to all VMs in the set by calling upgrade on them (CLI: az vmss update-instances). | DeployIfNotExists | Log Analytics workspace
Deploy Log Analytics agent for Linux virtual machine scale sets | Deploys the Log Analytics agent on Linux VM scale sets if the VM image (OS) is in the defined list and the agent is not installed. Same note for upgradePolicy Manual. | DeployIfNotExists | Log Analytics workspace
Deploy Dependency agent for Windows VMs | Deploys the Dependency agent on Windows VMs if the VM image (OS) is in the defined list and the agent is not installed. The list of OS images is updated over time as support is updated. | DeployIfNotExists |
Deploy Dependency agent for Windows virtual machine scale sets | Deploys the Dependency agent on Windows VM scale sets if the VM image (OS) is in the defined list and the agent is not installed. Same note for upgradePolicy Manual. | DeployIfNotExists |
Deploy Dependency agent for Linux virtual machine scale sets | Deploys the Dependency agent on Linux VM scale sets if the VM image (OS) is in the defined list and the agent is not installed. Same note for upgradePolicy Manual. | DeployIfNotExists |
Deploy Dependency agent for Linux VMs | Deploys the Dependency agent on Linux VMs if the VM image (OS) is in the defined list and the agent is not installed. | DeployIfNotExists |
The Log Analytics agent should be installed on virtual machines | Audits any Windows/Linux VM on which the Log Analytics agent is not installed. | AuditIfNotExists |
Show audit results from Windows VMs on which the Log Analytics agent is not connected as expected | Only use together with its corresponding deploy policy in an initiative. Lets Azure Policy process the audit results for Windows VMs whose Log Analytics agent is not connected to the specified workspaces. More on Guest Configuration policies: https://aka.ms/gcpol | AuditIfNotExists |
Deploy default Microsoft IaaSAntimalware extension for Windows Server | Deploys the Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension. | DeployIfNotExists |
[Preview]: Audit Windows VMs on which Windows Defender Exploit Guard is not enabled | Windows Defender Exploit Guard helps protect against malware that uses exploits to infect devices and spread; it consists of a number of mitigations that can be applied to the operating system or to individual apps. Requires the Azure Policy for Windows (Guest Configuration) extension; see https://aka.ms/gcpol | AuditIfNotExists |

Policy Initiative – Network Security

Policy | Description | Effect | Parameter
--- | --- | --- | ---
Subnets should be associated with a Network Security Group | Protects the subnet from potential threats by restricting access with a Network Security Group (NSG). An NSG contains Access Control List (ACL) rules that allow or deny network traffic to the subnet. | AuditIfNotExists |
Network Watcher should be enabled | Network Watcher is a regional service for monitoring and diagnosing conditions at a network-scenario level in, to and from Azure. Scenario-level monitoring diagnoses problems with an end-to-end network view; its diagnostic and visualization tools help you understand, diagnose and gain insight into your Azure network. | AuditIfNotExists |
Network interfaces should not have public IPs | Denies network interfaces configured with any public IP. Public IP addresses allow internet resources to communicate inbound to Azure resources, and Azure resources to communicate outbound to the internet; this should be reviewed by the network security team. | Deny |
Deploy network watcher when virtual networks are created | Creates a Network Watcher resource in regions with virtual networks. A resource group named networkWatcherRG must exist; it is used to deploy the Network Watcher instances. | DeployIfNotExists |

Policy Initiative – IaaS

Policy | Description | Effect | Parameter
--- | --- | --- | ---
Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled | Creates a Guest Configuration assignment to audit Windows VMs that do not have the password complexity setting enabled; also creates a system-assigned managed identity and deploys the Guest Configuration VM extension. Only use together with its corresponding audit policy in an initiative. More on Guest Configuration policies: https://aka.ms/gcpol | DeployIfNotExists |
Show audit results from Windows VMs that do not have the password complexity setting enabled | Only use together with its corresponding deploy policy in an initiative. Lets Azure Policy process the audit results for Windows VMs that do not have the password complexity setting enabled. | AuditIfNotExists |
Deploy prerequisites to audit Linux VMs that have accounts without passwords | Creates a Guest Configuration assignment to audit Linux VMs that have accounts without passwords; also creates a system-assigned managed identity and deploys the Guest Configuration VM extension. Only use together with its corresponding audit policy in an initiative. | DeployIfNotExists |
Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords | Creates a Guest Configuration assignment to audit Linux VMs that allow remote connections from accounts without passwords; also creates a system-assigned managed identity and deploys the Guest Configuration VM extension. Only use together with its corresponding audit policy in an initiative. | DeployIfNotExists |
Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 | Creates a Guest Configuration assignment to audit Linux VMs whose passwd file permissions are not 0644; also creates a system-assigned managed identity and deploys the Guest Configuration VM extension. Only use together with its corresponding audit policy in an initiative. | DeployIfNotExists |
Show audit results from Linux VMs that do not have the passwd file permissions set to 0644 | Only use together with its corresponding deploy policy in an initiative. Lets Azure Policy process the audit results for Linux VMs whose passwd file permissions are not 0644. | AuditIfNotExists |
Show audit results from Linux VMs that have accounts without passwords | Only use together with its corresponding deploy policy in an initiative. Lets Azure Policy process the audit results for Linux VMs that have accounts without passwords. | AuditIfNotExists |
Show audit results from Linux VMs that allow remote connections from accounts without passwords | Only use together with its corresponding deploy policy in an initiative. Lets Azure Policy process the audit results for Linux VMs that allow remote connections from accounts without passwords. | AuditIfNotExists |
Azure Backup should be enabled for Virtual Machines | Audits whether the Azure Backup service is enabled for all virtual machines. Azure Backup is a cost-effective, one-click backup solution that simplifies data recovery and is easier to enable than other cloud backup services. | AuditIfNotExists |
Audit VMs that do not use managed disks | Audits VMs that do not use managed disks. | Audit |

Share your experiences with Azure Policy and the assignment structure you used.

Trivadis Azure Days 2019, Azure Foundation

Presentation of the Azure Foundation at the Trivadis Azure Days 2019.

Trivadis Azure Foundation – the foundation for successfully using the Azure cloud

The Azure cloud is heading for its 10th anniversary and has arrived in Switzerland. Compared to operating on-premises solutions, the cloud offers a multitude of advantages; many tasks from the on-premises world are taken over by the provider in cloud computing.

But the freedoms that cloud computing offers are very powerful and the best recipe for sprawl and chaos. Many of our customers only now become aware of the tasks they should have taken care of five years ago. The Trivadis Azure Foundation is our field-tested approach to using all the advantages of the cloud without losing control. In this session you get an insight into our Azure Foundation methodology, and we also report on the Azure experiences of our customers.

https://speakerdeck.com/nrajah04/mun-azure-foundation-azureday2019-public

Azure Governance Series – Part 1, how to structure Azure Management Groups

Azure Governance Series – Governance Overview

First steps to take before starting with management groups:

  • group your governance, compliance and security requirements top-down and divide them into at most 6 hierarchical levels
  • gather the requirements about the organizational and operational responsibilities

 

Now some more details about these first steps and about using management groups to build your governance in Azure.

As mentioned in the Governance Overview article, you first have to identify the governance, security and compliance requirements of the organization.

Hints for Requirements Engineering:

  • Internal cost management
  • Distributed responsibilities over companies/departments/teams
  • Separation of environments like dev/test and prod.
  • Multiple operation teams like global IT and company or department IT

Discuss these with the CIO, CISO, enterprise architects and other key persons. Show them the possibilities for building a secure and controlled environment in Azure, and how easily they can check whether the environment is compliant with the requirements.

Possibilities in Azure:

  • Azure role-based access control (RBAC)
  • Azure Policy
  • Azure Blueprints
  • Azure AD Privileged Identity Management (PIM)
  • Azure Security Center
  • Azure Sentinel
  • Azure Advisor
  • Access reviews with PIM

You also need to know who takes the organizational responsibility and who takes the operational responsibility for each part of the environment in Azure.

Responsibilities like:

  • Cost Management
  • Subscription Management
  • New cloud Services/Application onboarding
  • Service Lifecycle Management
  • Core Infrastructure like IAM, Connectivity, Network
  • Service Management Processes

It is also important to clarify how the operation of the cloud environment will be organized: the environment in the cloud also needs operational tasks, not the same ones as on-premises, but still needed.

Operational Tasks:

  • Core Infrastructure System Management (IAM, Connectivity, Network)
  • General system management for IaaS (monitoring, backup, disaster recovery, optimization)
  • Security Management
  • Initial Deployment, Continuous Deployment

This information is needed to design the structure of the management groups. The structure of the management groups should reflect the organizational and operational responsibilities.

Example structure:

Management groups are really useful when there is more than one Azure subscription and the responsibilities are distributed over multiple departments or teams. When distributing responsibilities, you can divide the hierarchy into at most 6 levels.

Summary about management groups:

  • 6 hierarchical levels available, not counting the root management group (and not counting the subscription level below)
  • Blueprint definitions are normally saved to a management group so that they are available to every subscription below it; storing them in a single subscription is possible but does not scale

High-level to-dos for implementing the management groups and using them to ensure governance in Azure:

  1. Activate management groups in the Azure portal (the tenant root management group is created on first use)
  2. Create your structure as designed before
  3. Assign the existing subscriptions to the right management group
  4. Use RBAC at management group scope to build up the resource security; role assignments are inherited by every subscription below
  5. Create your Azure policies from the requirements you collected before and assign them at the right management group level. More about grouping the policies in following articles
  6. Create your blueprints with the defined environment patterns and store them at the right level: a blueprint stored in a management group is available to that management group and everything below it. More about structuring and designing the blueprints in the following articles
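Steps 1 to 4 above, as an added example that is not part of the original article: a management group hierarchy is described once as nested data and created recursively below the tenant root, the subscriptions are moved into it, and a team gets its role at the management group level it is responsible for. The group IDs, display names, subscription IDs and the Azure AD group object ID are assumed placeholders; the six-level check mirrors the limit stated in the article.

```powershell
# Added example, not from the original article. Requires the Az.Resources module and a
# signed-in account with management group write permission at the tenant root.
$tenantRoot = (Get-AzContext).Tenant.Id    # the tenant root management group has the tenant ID as its name

# Assumed hierarchy: one company group, core platform vs. landing zones, prod vs. non-prod.
$hierarchy = @{
  id = 'contoso'; name = 'Contoso'; children = @(
    @{ id = 'contoso-platform'; name = 'Platform (core infrastructure)'
       subscriptions = @('00000000-0000-0000-0000-000000000001') },
    @{ id = 'contoso-landingzones'; name = 'Landing zones'; children = @(
         @{ id = 'contoso-lz-prod';    name = 'Production'; subscriptions = @('00000000-0000-0000-0000-000000000002') },
         @{ id = 'contoso-lz-nonprod'; name = 'Dev/Test';   subscriptions = @('00000000-0000-0000-0000-000000000003') }
       ) }
  )
}

function New-MgTree {
  param([hashtable]$Node, [string]$ParentId, [int]$Depth = 1)

  # Azure allows six levels below the tenant root; fail early instead of at the API.
  if ($Depth -gt 6) { throw "Management group '$($Node.id)' would sit at depth $Depth (limit is 6)" }

  # Idempotent: re-running the script against an existing hierarchy only adds what is missing.
  $existing = Get-AzManagementGroup -GroupName $Node.id -ErrorAction SilentlyContinue
  if (-not $existing) {
    New-AzManagementGroup -GroupName $Node.id -DisplayName $Node.name `
      -ParentId "/providers/Microsoft.Management/managementGroups/$ParentId" | Out-Null
  }

  if ($Node.ContainsKey('subscriptions')) {
    foreach ($sub in $Node.subscriptions) {
      # Moving a subscription re-parents it, so inherited policies and RBAC change immediately.
      New-AzManagementGroupSubscription -GroupName $Node.id -SubscriptionId $sub
    }
  }
  if ($Node.ContainsKey('children')) {
    foreach ($child in $Node.children) {
      New-MgTree -Node $child -ParentId $Node.id -Depth ($Depth + 1)
    }
  }
}

New-MgTree -Node $hierarchy -ParentId $tenantRoot

# Step 4: RBAC at management group scope. The platform team gets Contributor on its own
# branch only, which every subscription under 'contoso-platform' inherits.
$platformTeamObjectId = '11111111-1111-1111-1111-111111111111'   # Azure AD group object ID, assumed
New-AzRoleAssignment -ObjectId $platformTeamObjectId -RoleDefinitionName 'Contributor' `
  -Scope '/providers/Microsoft.Management/managementGroups/contoso-platform'
```

Keeping the hierarchy as data makes the "automated provisioning of management groups and subscriptions" next step a matter of storing that hashtable in source control and running the script from a pipeline.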

Next steps after implementation of the initial structure for Management Groups:

  • Automated provisioning of Management Groups and subscriptions

Do not hesitate to share your feedback and experience about structuring management groups here.

Azure Day @ Trivadis – Where Cloud Enthusiasts meet

Learn from proven Azure experts and improve your skills

The Microsoft Azure cloud platform will soon celebrate its 10th anniversary and is taking off in Switzerland. Cloud computing is more important than ever for our enterprise customers and is at the top of the agenda. At the Trivadis Azure Day we report on exciting best-practice scenarios and well-thought-out use cases. Join us on a journey through the Azure cloud and take our learnings and best practices home with you. The conference is held in German.

What valuable insights will you get?

At the Trivadis Azure Day, two full tracks with exciting sessions on various topics around the Azure cloud await you. Most of the speakers are Trivadis consultants who report from their customer projects in the DACH region. The agenda is complemented by two speakers from our partner Microsoft. Use this unique opportunity to profit from our challenges and project experience. The Trivadis Azure Day is an opportunity that exists nowhere else!
  • How do I start my journey to the cloud?
  • Bots and AI, do I need them?
  • Infrastructure as Code
  • Azure@Helsana
  • The Azure Foundation – how do I lay a successful base?
  • Business Intelligence in the cloud

Introducing a cloud platform in an organization requires identifying and mastering the strategic and organizational challenges as well as the technical ones.

When introducing the Azure cloud platform, we distinguish between the Azure Foundation and the Azure Solutions. The Azure Foundation consists of three pillars that carry our customers' entire Azure cloud platform: Azure Governance, Azure Core Infrastructure and Azure Operations. In this session we present the Azure Foundation and talk about the experiences we have made in our customer projects.

For more information: https://m.trivadis.com/azure-days

Azure Governance with Management Groups, Blueprints and Policies – First steps before the implementation

To adopt Azure as your enterprise cloud platform, you should start with cloud governance so that you work in a controlled and secure environment from the beginning. Azure provides several services for this, but you still have to gather your organization's requirements for governance, security and compliance and configure these services accordingly.

Below you can find the three main Azure services for building governance in Azure, and the first steps from my experience to take with these services before the implementation.

Azure Resource Organization with Management Groups

What is an Azure management group and which goals can you reach by using management groups:

If your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called “management groups” and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group. Management groups give you enterprise-grade management at a large scale no matter what type of subscriptions you might have.

For example, you can apply policies to a management group that limits the regions available for virtual machine (VM) creation. This policy would be applied to all management groups, subscriptions, and resources under that management group by only allowing VMs to be created in that region.

Source https://docs.microsoft.com/de-de/azure/governance/management-groups/index

 

First steps:

  • group your governance, compliance and security requirements top-down and divide them into at most 6 hierarchical levels
  • separate the organizational and operational responsibilities

 

Azure Policy structure with Initiatives and Effect Types

What is Azure Policy and which goals can you reach by using these policies:

Governance validates that your organization can achieve its goals through effective and efficient use of IT. It meets this need by creating clarity between business goals and IT projects.

Does your company experience a significant number of IT issues that never seem to get resolved? Good IT governance involves planning your initiatives and setting priorities on a strategic level to help manage and prevent issues. This strategic need is where Azure Policy comes in.

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies. For example, you can have the policy to allow only a certain SKU size of virtual machines in your environment. Once this policy is implemented, new and existing resources are evaluated for compliance. With the right type of policy, existing resources can be brought into compliance. Later in this documentation, we’ll go over more details on how to create and implement policies with Azure Policy.

Source https://docs.microsoft.com/en-us/azure/governance/policy/overview

 

First steps:

  • verify your governance, compliance and security requirements from the first part
  • identify which type of effect (auditing or enforcing) makes sense for your organization
  • group similar policies into an initiative, even if it contains only one policy, and assign the initiatives rather than single policies
  • start with auditing top-down (from the root management group) and enforcing bottom-up (from the lowest scope first)
  • verify which initiatives/policies should be assigned through the management groups and which ones through the Blueprints

 

Azure Blueprint structure for an initial and additional setup

What is Azure Blueprints and which goals can you reach by using Blueprints:

Just as a blueprint allows an engineer or an architect to sketch a project’s design parameters, Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements. Azure Blueprints makes it possible for development teams to rapidly build and stand up new environments with the trust they’re building within organizational compliance with a set of built-in components, such as networking, to speed up development and delivery.

Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:

    • Role Assignments

    • Policy Assignments

    • Azure Resource Manager templates

    • Resource Groups

Source https://docs.microsoft.com/en-us/azure/governance/blueprints/overview

First steps:

  • Sketch your own Azure environment templates with the organization's standards, patterns and requirements, so they can be reused in multiple Azure subscriptions.
  • Identify the initial blueprints that contain the basic settings of every Azure subscription in your organization, then create additional blueprints for individual services, e.g. an ISO-certified SQL instance.

Cloud Transition, Azure Adoption and Azure Foundation

The adoption of a cloud platform in an organization requires identifying and mastering the strategic, organizational and technical challenges.

The adoption of the Azure cloud platform can be divided into two steps: first build up the Azure Foundation, then build new solutions with Azure services.

The Azure Foundation consists of three pillars that support the customer's entire Azure cloud platform: Azure Governance, Azure Core Infrastructure and Azure Operations.

The first pillar, “Azure Governance”, includes resource organization, resource security, auditing and cost controls.

The second pillar, “Azure Core Infrastructure”, includes identity & access management, connectivity, Azure networking, security management and system management.

The third pillar, “Azure Operations”, includes cloud service management and infrastructure automation.

These three pillars build the foundation for the customer's Azure environment and are ready to carry the new Azure solutions.

As an Azure solution, a modern environment can be designed and implemented according to business or IT requirements, in Azure or hybrid with on-premises: e.g. extending the on-premises data center into Azure, compute workloads with VMs, or system/service/application deployments using IaaS as well as PaaS components. The Azure solutions are offered as managed services according to business requests, or partly also by the internal IT organization for the business.