
Azure

Azure geo

  • Azure is organized as geography > regions > availability zones
    • not all regions have multiple AZs
    • regions are paired with another region more than 300 miles away in the same geography, to protect against a regional outage (all AZs in the region down)
  • Availability Zones are separate data centers within the same region

Azure Resource Manager ARM

  • A Resource Group (RG) is a deployment unit whose name is unique within an Azure subscription
    • RGs are like folders containing files (resources), but they cannot be nested
  • A resource must belong to exactly one Resource Group
  • A Resource Provider is a grouping of Resource Types
  • A Resource is uniquely identified by its name and Resource Type
  • Resources inherit security and access configuration from the containing Resource Group
  • ROT (rule of thumb): organize Resource Groups by
    1. authorization: since Resource Groups are a scope for RBAC, create them around who needs to administer them
      • eg put a group of SQL databases, and only those, into one RG so DBAs can manage them and nothing else
    2. life cycle: when an RG is deleted, all contained resources are deleted too
    3. billing: eases cost charge-backs and understanding them

IT governance

  • An account is a globally unique entity with a name and email, associated with an individual
  • A Management Group groups subscriptions and other management groups so policy can be set across them
  • A Subscription is the billing unit
    • supports owner, contributor and reader level permissions
    • finer-grained control is possible with Roles
  • A Blueprint is a template for creating subscriptions
  • A Subscription supports multiple Resource Groups, which are the unit of permissions and reporting
    • A resource can belong to only one Resource Group
    • Use Tags to group resources in a non-hierarchical way
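The hierarchy in the ARM and governance notes above (management group > subscription > resource group > resource, with RBAC inherited downward) can be made concrete by parsing ARM resource IDs and computing the scope chain a resource sits on. The following is an added example, not code from the page or from Microsoft: the ID layout is the real ARM format, while the GUIDs, group names, management-group hierarchy and role assignments are constructed for the example.

```python
# Added example (not from the page or Microsoft): parse ARM resource IDs and
# compute the scope chain along which RBAC role assignments are inherited:
# management group > subscription > resource group > (parent) resource > resource.
# The ID layout is the real ARM format; GUIDs, names and hierarchy are constructed.

# Constructed management-group hierarchy: child -> parent (top-level MG has no entry).
MG_PARENT = {"corp-prod": "corp"}
# Constructed mapping: subscription GUID (lower-case) -> management group it sits in.
SUBSCRIPTION_MG = {"11111111-1111-1111-1111-111111111111": "corp-prod"}


def parse_resource_id(rid):
    """Split an ARM resource ID into its parts.

    Layout: /subscriptions/{sub}/resourceGroups/{rg}/providers/{namespace}/{type}/{name}[/{childType}/{childName}...]
    ARM IDs are case-insensitive, so the fixed segments are compared lower-cased.
    """
    parts = rid.strip("/").split("/")
    fixed = [p.lower() for p in parts[0:5:2]]  # segments 0, 2, 4
    if len(parts) < 8 or fixed != ["subscriptions", "resourcegroups", "providers"]:
        raise ValueError(f"not a resource-level ARM ID: {rid}")
    segments = parts[6:]
    if len(segments) % 2:
        raise ValueError("type/name segments must come in pairs")
    types, names = segments[0::2], segments[1::2]
    return {
        "subscription": parts[1],
        "resource_group": parts[3],
        "provider": parts[5],                        # e.g. Microsoft.Sql
        "type": parts[5] + "/" + "/".join(types),    # e.g. Microsoft.Sql/servers/databases
        "name": names[-1],                           # unique together with the type inside the RG
    }


def scope_chain(rid):
    """Scopes, outermost first, whose role assignments apply to this resource."""
    p = parse_resource_id(rid)
    chain = []
    mg = SUBSCRIPTION_MG.get(p["subscription"].lower())
    while mg:                                        # walk up the management-group tree
        chain.insert(0, f"/providers/Microsoft.Management/managementGroups/{mg}")
        mg = MG_PARENT.get(mg)
    sub = f"/subscriptions/{p['subscription']}"
    chain += [sub, f"{sub}/resourceGroups/{p['resource_group']}"]
    # every nested parent resource (e.g. the SQL server above a database) is a scope too
    parts = rid.strip("/").split("/")
    for end in range(8, len(parts) + 1, 2):
        chain.append("/" + "/".join(parts[:end]))
    return chain


def effective_roles(rid, assignments):
    """Roles granted by assignments whose scope lies on the resource's chain (inherited downward)."""
    chain = {s.lower() for s in scope_chain(rid)}
    return sorted({a["role"] for a in assignments if a["scope"].lower() in chain})


# Constructed role assignments (not real data).
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
ASSIGNMENTS = [
    {"role": "Owner", "scope": "/providers/Microsoft.Management/managementGroups/corp"},
    {"role": "Reader", "scope": SUB},
    {"role": "SQL DB Contributor", "scope": f"{SUB}/resourceGroups/rg-sql"},
    {"role": "Contributor", "scope": f"{SUB}/resourceGroups/rg-web"},   # other RG: must not apply
]

DB_ID = f"{SUB}/resourceGroups/rg-sql/providers/Microsoft.Sql/servers/sql-main/databases/orders"

if __name__ == "__main__":
    print(parse_resource_id(DB_ID))
    for scope in scope_chain(DB_ID):
        print(scope)
    print(effective_roles(DB_ID, ASSIGNMENTS))
```

The Contributor assignment on rg-web does not reach the database in rg-sql, which is the practical meaning of "RGs are a scope for RBAC": grouping the SQL resources into their own RG is what lets the DBA role be granted there and nowhere else.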

Policies

  • Use Policies to prevent creation of certain resources, enforce specific settings on resources, and monitor compliance
    • e.g. prevent users from creating VMs with more than 4 CPUs, force the use of a specific region, software versions etc
  • Policies are JSON documents containing rules and an effect; the rules are evaluated against parameters
  • Policy scope ranges from Subscription down to Resource Group, and policies are inherited by child resources
    • it is possible to exclude a sub-scope
  • Effects are the result of applying a policy and can be:
    • Deny, Disabled (no-op, for testing), Append (set parameters, eg a tag for charge-backs), Audit, DeployIfNotExists (runs a template after the resource has been created)
  • Policies can be grouped into an Initiative, whose scope can range from Management Group to Resource Group
  • Management Groups are containers for managing access, policies and compliance across subscriptions
    • Management Groups are hierarchical

Resource Tags

  • Resources (not all) support 15 tags
  • Use them when a single RG hierarchy is too restrictive
  • ROT: alternate grouping, for example for billing or automation (eg Shutdown:8PM)
  • ROT: use policies assigned to the RG to ensure all resources carry the tags you want
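The Policies notes (JSON rules plus an effect, evaluated against parameters) and the last tag rule above (use a policy to guarantee tags) come together in the following added example. It is not the page's code and not Azure's evaluation engine: a small evaluator for the shape of Azure Policy definitions. The keys `parameters` and `policyRule` with its `if`/`then`, the field aliases `type`, `location` and `tags['...']`, the operators and the effect names are real policy JSON (in the portal/ARM form these keys sit under `properties`); the evaluator is a simplified model, and the assignment names, parameter values and resource requests are constructed.

```python
# Added example (not the page's code nor Azure's engine): evaluate Azure Policy
# style definitions against resource requests. Assignment names, parameter
# values and resources are constructed; the JSON shape follows Azure Policy.
import copy

POLICIES = {
    "allowed-locations": {   # deny VMs outside the allowed regions (parameterised)
        "parameters": {"allowedLocations": {"type": "Array", "defaultValue": ["eastus", "eastus2"]}},
        "policyRule": {
            "if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                {"field": "location", "notIn": "[parameters('allowedLocations')]"},
            ]},
            "then": {"effect": "deny"},
        },
    },
    "append-costcenter": {   # charge-back tag: add it when the request lacks it
        "parameters": {"costCenter": {"type": "String", "defaultValue": "unassigned"}},
        "policyRule": {
            "if": {"field": "tags['CostCenter']", "exists": "false"},
            "then": {"effect": "append",
                     "details": [{"field": "tags['CostCenter']", "value": "[parameters('costCenter')]"}]},
        },
    },
    "audit-owner-tag": {     # report, but do not block, resources without an Owner tag
        "parameters": {},
        "policyRule": {"if": {"field": "tags['Owner']", "exists": "false"}, "then": {"effect": "audit"}},
    },
}

# Constructed assignments; parameters given here override the definition's defaultValue.
ASSIGNMENTS = [
    {"name": "rg-sql-locations", "definition": "allowed-locations", "parameters": {"allowedLocations": ["eastus"]}},
    {"name": "rg-sql-costcenter", "definition": "append-costcenter", "parameters": {}},
    {"name": "rg-sql-owner", "definition": "audit-owner-tag", "parameters": {}},
]

# Azure applies effects in this order within one request: disabled, append/modify, deny, then audit-type effects.
EFFECT_ORDER = {"disabled": 0, "append": 1, "modify": 1, "deny": 2, "audit": 3,
                "auditifnotexists": 4, "deployifnotexists": 4}


def resolve(value, params):
    """Resolve the "[parameters('name')]" expression used in policy JSON; other values pass through."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def tag_key(field):
    """Extract the tag name from a "tags['Name']" field alias."""
    return field[len("tags['"):-len("']")]


def field_value(resource, field):
    """Read a field alias ("type", "location", "tags['X']") from a resource dict; None when absent."""
    if field.startswith("tags["):
        return resource.get("tags", {}).get(tag_key(field))
    return resource.get(field)


def matches(cond, resource, params):
    """Evaluate an "if" condition tree: allOf/anyOf/not plus the field operators used above."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = field_value(resource, cond["field"])
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "notEquals" in cond:
        return actual != resolve(cond["notEquals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    if "notIn" in cond:
        return actual not in resolve(cond["notIn"], params)
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, assignments, policies=POLICIES):
    """Apply the assigned policies to one resource request.

    Returns (decision, resource_after_append, findings); findings lists
    (assignment name, effect) for every rule whose "if" matched.
    """
    resource = copy.deepcopy(resource)   # append must not mutate the caller's request
    findings = []
    ordered = sorted(assignments, key=lambda a: EFFECT_ORDER[
        policies[a["definition"]]["policyRule"]["then"]["effect"].lower()])
    for a in ordered:
        policy = policies[a["definition"]]
        params = {name: a["parameters"].get(name, spec.get("defaultValue"))
                  for name, spec in policy["parameters"].items()}
        effect = policy["policyRule"]["then"]["effect"].lower()
        if effect == "disabled" or not matches(policy["policyRule"]["if"], resource, params):
            continue
        if effect == "append":
            for d in policy["policyRule"]["then"]["details"]:
                resource.setdefault("tags", {})[tag_key(d["field"])] = resolve(d["value"], params)
        findings.append((a["name"], effect))
    decision = "denied" if any(e == "deny" for _, e in findings) else "allowed"
    return decision, resource, findings


# Constructed resource requests.
VM_WEST = {"type": "Microsoft.Compute/virtualMachines", "location": "westus", "tags": {}}
STORAGE_EAST = {"type": "Microsoft.Storage/storageAccounts", "location": "eastus",
                "tags": {"Owner": "dba-team", "CostCenter": "CC-42"}}

if __name__ == "__main__":
    for request in (VM_WEST, STORAGE_EAST):
        print(evaluate(request, ASSIGNMENTS))
```

The VM in westus is denied by the location rule, still receives the appended CostCenter tag and is flagged by the audit rule for lacking an Owner tag; the tagged storage account in eastus passes all three. Keeping Deny and Audit as separate assignments is the usual way to roll a rule out: audit first to see what would be blocked, switch to deny once the findings are clean.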