Azure 101: Governance


UPDATE: Added additional resource at bottom
I have worked with a lot of different customers over the years and many of them were just betting started with Azure. Although these customers were of different sizes and were in different industries, they absolutely had something in common and that was the process and knowledge that they needed to be successful with their Azure deployments. One of those areas of process and knowledge is something that I believe every customer no matter if they are deploying only one system or a million within Azure will need to have and that is Governance.
What exactly do I mean by Governance? Governance is made up of a number of core services that Azure provides to all customers for free, but at a high level the term typically refers to the following:
  • Resource Organization
  • Resource Security
  • Auditing
  • Cost Controls
Each of these areas correspond to one or more Out of the Box (OOTB) services within Azure and when combined together they will make up a particular customer's governance policy or process. I am not about to sit here and tell you that I can tell you how to put together your own governance policy, because each and every customer's policy or process is going to be different based on the way that they run their business and how they manage their systems and applications.
What I can do however, is give you an overview of all the core services that you will need to understand to help build your own governance policy. I would like to do that for you so that you can get the necessary information in a nice concise set of videos. In these videos, I will give you a brief overview of each service as well as discuss some of the ways that they have been and should be implemented by customers. Each video will be fairly short, but combined together, they should give you a good understanding of how you can get started building your own governance policy.

Resource Organization

The first place to get started is in how you organize your resources within your Azure subscription. Defining a resource organization policy to define how they should be categorized is extremely important and is the starting point for all of the other pieces of the governance policy.
The two major pieces that are required here are Resource Groups and Tags and it is these two items that you will use to categorize your resources. Along with the subscription itself, these are the items that most azure services use as a basis for applying policies and security and all three of these pieces of information are made available within the billing reports to use for the filtering and sorting by your finance team for cost controls.
So with that in mind, let me give you a demonstration of how the resource groups and tags are managed within the portal and how they can be used to find resources more easily:

Resource Security

Within the scope of Azure subscriptions, there are three main areas of security with respect to the resources that are deployed within. The first is the user based security to either allow or deny users and/or groups to perform certain operations against those resources. The second is with respect to the resources that have already been deployed and locking them down so that they cannot be touched. The last is probably the one that every customer needs to understand the best, but many do not even implement and that is Azure Policies. Azure Policies allows you to apply conditions around the manipulation of resources within a Azure subscriptions and/or resource groups.
To give a better understanding around all of these areas, let me show how they can be applied and manipulated within the Azure Portal. I will not be showing every single possible permutation, but just a walk through of each service so that you can understand how to get started and how you might want to implement them within your own Governance policy.

Auditing

The next area to talk about is not really part of a Governance Policy, but is more the way that Cloud Admins and/or Architects validate that the Governance Policy is being implemented correctly. I am specifically referring to Auditing which tracks all create. update, or delete actions that are performed within Azure within the scope of a given subscription. Within Azure, each action that is performed will show up in a simple table format, but is available in a full JSON details as well within the Activity Log feature.
As we talked about above, Policies are a preventative or proactive measure where as the Activity Log Auditing can be used in combination with Azure Alerts to provide a more reactive approach. Let me now show what I am referring to by giving you a walk-through of the Activity Log feature and how it can be used as part of your monitoring and alerting approach, but also how it can be for long-term logging of actions.

Cost Controls

The last area to discuss is around Cost Controls. I talked above about how Subscription, Resource Group, and Tag information can be used as part of your cost control process, because that information is available with each resource entry within your subscription's billing report. In order to make this effective, it will be important that your finance team is involved in defining your resource group and tagging strategy.
Once you have the information coming through into your billing report so that the finance team can actually get the level of reporting that they are looking for, how can they bubble that up into something that can be consumed by executives. By default a subscription billing report is nothing more than a large CSV file that can be considerable in size depending on how many resources your have deployed within the subscription. So to make it possible to view your cost controls and understand how you you can provide charge back to specific departments or other internal organizations, Microsoft has acquired a great product Cloudyn
Cloudyn is a cost management system that takes in those billing reports along with all of the resource group and tagging information so that can more easily find out how much the IT department spent on your internal HR system that is deployed in the South Central US region of Azure. However, unlike the other services that I have talked about above, I do not have a demonstration of this system because I don't have access to one, but there is a great demo available that you view that was created by the Microsoft Partner Network. See below:

Conclusion

Hopefully these videos and discussions will help you get started with the design and implementation of your Governance policy. If you are interested in implementing any of these services within your own subscriptions, I have also included a link to the main documentation for each service in the Addition Resources below.
At the end of the day, the information that I have provided and the demonstrations that I have shown is just a starting point for you. If you should have any questions, please feel free to reach out to me, or you can always talk to your local Microsoft Cloud Solution Architect or a Cloud Solution Architect from one of your local Azure System Integrators. 

Additional Resources

 

Comments (1)

  1. Adin Ermie says:

    Great article Brian. I wrote an expanded version based on your article, which can be found here: https://adinermie.com/the-azure-governance-toolbox-part-1-introduction/

Skip to main content