
Manage and control your applications with Microsoft Azure Resource Manager


Presentation Transcript


  1. Manage and control your applications with Microsoft Azure Resource Manager. Mike Chen and Gaurav Bhatnagar, Program Managers, Azure Resource Manager. BRK3203

  2. Challenges during transition from traditional mode to agile mode
     • Visibility of cloud assets
     • Granular access control
     • Cost Control
     • Service Catalog
     • Geo-Compliance

  3. Agenda
     • Organize your application
     • Manage Access Control
     • Enforce IT Policy
     • Policy regular
     • Create experience
     • Tags, other examples
     • Roadmap
     • Q&A

  4. Organize your resources

  5. An application may have…
     • Compute, Network, Storage resources
     • Databases
     • Web Apps
     • Runbook automations
     • Alert rules
     • etc.

  6. Over time You get lost

  7. You wish to see fewer

  8. Resource Group
     • A folder of resources with the same lifecycle
     • Unit of deployment
     • Unit of access control
     • Resource groups can span regions
     • Resource groups can span services

  9. Resource Group Payload
     resourcegroups/{resource-group-name}
     {
       "location": "West US",
       "tags": {
         "tagname1": "tagvalue1"
       }
     }

  10. Pattern: application per resource group
      • Simple application
      • Always updated together

  11. Pattern: application tier per resource group
      • A tier of an application
      • Updated independently
      • Resources can interact with resources in other resource groups

  12. Organize by Template
      • A template deploys resources in one resource group
      • A RG can be exported as a template
      • A template can be redeployed to other resource groups

  13. Tag when there are more apps
      • Tag is your metadata store
      • Examples:
        • environment, e.g. dev/test/prod
        • role, e.g. web/cache/db
        • application name, e.g. CRM
        • department, e.g. finance/retail/legal
        • responsible party, e.g. Bob
      • Tags are essential for 3rd party management solutions

  14. When you have tags

  15. Enforce tags
      • Set tags in an approved template
      • Set tags at resource group level
      • Use a deny Policy to enforce tags
      • Use an audit Policy to audit resources missing tags
      • Use an append Policy to append default tags

  16. Manage Access Control

  17. Control
      • Role Based Access Control
      • Audits
      • Resource Policy

  18. Why RBAC?
      (Diagram of an enterprise layout; the recoverable labels are:)
      • On-premises Active Directory (users, groups and password sync) synced to Azure Active Directory; Express Route(s)
      • Subscription per Sector (Sector 1, Sector 2, ..), each with Owners of Subscriptions; Billing tracked per Division
      • Regions: NA, SA, ..
      • "Standard" VNet per Division (Mktg, Sales, ..) in a separate resource group; Network Admins from the IT Director's Office are VNet Contributors of the "standard" VNet RGs
      • Resource Group per Project (Project 1, Project 2, ..), with a subnet on the "standard" VNet assigned to each Project; Infrastructure Admins and Support are Virtual Machine Contributors of Project RGs and "standard" VNet RGs; Project Team Roles get the appropriate role on Project RGs
      • Tags: Region, Division, Project

  19. Role Based Access Control
      • Allows secure access with granular permissions
      • Assignable to users, groups, or service principals
        • Interactive session
        • Non-interactive session
      • Built-in roles make it easy to get started
      • Custom roles offer greater flexibility

  20. Two Key Concepts
      Role Assignments
      • associate role definitions with an identity (e.g. user/group) at a scope (e.g. resource group)
      • always inherited – subscription assignments apply to all resources
      • a literal mapping for a Principal to a Role Definition on a Resource, e.g. Jim is a Storage Account Contributor on the Storage Account "Contoso-Storage-east"
      Role Definitions
      • describe the set of permissions or actions (e.g. read actions)
      • Permissions are declarations that include the Resource provider, Resource Type and an Action
      • 3 basic actions – READ, WRITE, DELETE (wildcards supported)
      • can be used in multiple assignments

  21. Access Inheritance and Resource Hierarchy
      (Diagram: Subscription (S) -> Resource Groups (RG) -> Resources (R); access is inherited down the hierarchy.)
      • Role Assignment: Role = 'Reader', Subject = AAD Group, Scope = Subscription
      • Role Assignment: Role = 'Contributor', Subject = AAD User, Scope = Resource Group
      • Role Assignment: Role = 'Owner', Subject = AAD User, Scope = Resource

  22. Built-in Roles
      • Offer a rich set of built-in roles to select from (40+)
      • Assignable to users, groups or services at different scopes
      • Can't be modified
      • Top used built-in roles – Reader, Contributor, DevTest Labs User, Virtual Machine Contributor

  23. Built-in Role: Storage Account Contributor

  24. Custom Roles
      • Enhanced flexibility
      • Assignable to users, groups or services at different scopes
      • Can be shared across multiple subscriptions in the same tenant

  25. Who can View/Create/Update Custom Roles?
      • View – All built-in roles
        • Microsoft.Authorization/roleDefinition/read operation
      • Create/Update – Owners of subscriptions, resource groups and resources at that scope
        • Microsoft.Authorization/roleDefinition/write operation

  26. Custom Role - Sample Role Definition
      {
        "properties": {
          "roleName": "Virtual Machine Contributor",
          "type": "BuiltInRole",
          "description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
          "assignableScopes": [ "/" ],
          "permissions": [
            {
              "actions": [
                "Microsoft.Authorization/*/read",
                "Microsoft.Compute/availabilitySets/*",
                "Microsoft.Compute/locations/*",
                "Microsoft.Compute/virtualMachines/*",
                "Microsoft.Compute/virtualMachineScaleSets/*",
                ……..
              ],
              "notActions": [ ]
            }
          ]
        },
        "id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
        "type": "Microsoft.Authorization/roleDefinitions",
        "name": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
      }

  27. Sample Role Assignments
      {
        "properties": {
          "roleDefinitionId": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
          "principalId": "5ac84765-1c8c-4994-94b2-629461bd191b",
          "scope": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network/providers/Microsoft.Network/virtualNetworks/EASTUS-VNET-01/subnets/Devices-Engineering-ProjectRND"
        },
        "id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network/providers/Microsoft.Network/virtualNetworks/EASTUS-VNET-01/subnets/Devices-Engineering-ProjectRND/providers/Microsoft.Authorization/roleAssignments/5eec22ee-ea5c-431e-8f41-82c560706fd2",
        "type": "Microsoft.Authorization/roleAssignments",
        "name": "5eec22ee-ea5c-431e-8f41-82c560706fd2"
      }
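An added example, not code from the presentation, that applies the inheritance and wildcard rules of slides 20 and 21 to role definitions and assignments shaped like slides 26 and 27: the role IDs, principal IDs, subscription ID and the "vm-operator" custom role are constructed for illustration, and data actions and deny assignments are not modelled.

```python
import fnmatch

# Constructed role definitions and assignments in the shape of the slides'
# roleDefinitions / roleAssignments payloads (hypothetical IDs, not real ones).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ROLE_DEFINITIONS = {
    "reader": {"permissions": [{"actions": ["*/read"], "notActions": []}]},
    # Hypothetical custom role: full VM management except delete, via notActions.
    "vm-operator": {"permissions": [{"actions": ["Microsoft.Authorization/*/read",
                                                 "Microsoft.Compute/virtualMachines/*"],
                                     "notActions": ["Microsoft.Compute/virtualMachines/delete"]}]},
}
ROLE_ASSIGNMENTS = [
    {"roleDefinitionId": "reader", "principalId": "aad-group-everyone", "scope": SUB},
    {"roleDefinitionId": "vm-operator", "principalId": "aad-user-jim",
     "scope": SUB + "/resourceGroups/Project1"},
]

def _covers(assignment_scope, resource_id):
    # Assignments are inherited downward: the resource is covered when its ID is
    # the assignment scope itself or sits anywhere beneath it in the hierarchy.
    scope, rid = assignment_scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return rid == scope or rid.startswith(scope + "/")

def _matches(patterns, action):
    # RBAC action strings are case-insensitive and "*" may span "/" segments.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_allowed(principals, action, resource_id,
               assignments=ROLE_ASSIGNMENTS, definitions=ROLE_DEFINITIONS):
    """RBAC is additive: allowed if any inherited assignment for the caller (its user
    ID or any of its group IDs) has a permission whose actions match and whose
    notActions do not. notActions only subtract inside the same role; they never deny."""
    for asg in assignments:
        if asg["principalId"] not in principals or not _covers(asg["scope"], resource_id):
            continue
        for perm in definitions[asg["roleDefinitionId"]]["permissions"]:
            if _matches(perm["actions"], action) and not _matches(perm["notActions"], action):
                return True
    return False
```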

  28. Audit history of RBAC activities

  29. Azure RBAC Usage

  30. Demo

  31. Key Learnings from Enterprise Customers
      • Organizational Accounts, not LiveIds
      • Resource Groups, not Subscriptions
      • Manage Access using Groups
      • Least Privilege
      • Keep a tab on Access Changes

  32. Access Control – some other ways
      • Audit Logs
      • Resource Locks
      • Sharing templates privately on the portal

  33. Azure Resource Policy

  34. What is Resource Policy?
      • Define a customized rule that governs the shape of your resource
      • Deny the request or audit the request
      • Monitor Policy events
      • GA in April 2016

  35. What does the customer need?
      • Granular control over Azure resources for
        • Asset management
        • Geo-Compliance
        • Cost control
        • Configuration best practices
        • Security
      • An IT pro friendly tool that is seamlessly integrated with the platform to enforce IT policies
      • Compliance status for their resources

  36. Today's capability
      • Policy Catalog
        • Tag Policy
        • Whitelist resource types
        • Whitelist locations
        • Naming Convention
        • VM Size/SKUs for other resource types, such as SQL, Web App
        • VM Images
      • Policy Events

  37. How to define a policy
      {
        "if": { <condition> | <logical operator> },
        "then": { "effect": "deny | audit | append" }
      }

  38. When does evaluation happen?
      • PUT /{resource scope}/{RP namespace}/resourceType/resourceName
      • Policy will be evaluated if an assignment is in place for the scope
      (Diagram: the request at its scope passes through the Policy Engine in ARM, which evaluates the policy definitions assigned there: Policy 1, Policy 2, Policy 3, ….)

  39. What happens after a policy evaluation?
      • An Audit event is generated for policy evaluation results
        • Caller
        • Event details
        • Failed Policy
      • A request may be blocked or modified
      • An alert can be generated based on events
      (Diagram: Resource Deployment -> Event -> Alert -> Email/RunBook)

  40. Policy Examples
      • Tag Policies
      • Naming Convention
      • Approved Services
      • Approved SKUs
      • Configuration Best Practices

  41. Tag Enforcement Policy
      {
        "if": {
          "not": {
            "field": "tags.costCenter",
            "in": [ "department1", "department2", "department3" ]
          }
        },
        "then": { "effect": "deny" }
      }

  42. Tag: Append Default Tag
      {
        "if": {
          "allOf": [
            { "field": "tags", "exists": "true" },
            { "field": "tags.costCenter", "exists": "false" }
          ]
        },
        "then": {
          "effect": "append",
          "details": [
            { "field": "tags.costCenter", "value": "myDepartment" }
          ]
        }
      }

  43. Naming Convention
      {
        "if": { "not": { "field": "name", "like": "namePrefix*nameSuffix" } },
        "then": { "effect": "deny" }
      }

  44. Approved Services
      {
        "if": {
          "not": {
            "anyOf": [
              { "field": "type", "like": "Microsoft.Resources/*" },
              { "field": "type", "like": "Microsoft.Compute/*" },
              { "field": "type", "like": "Microsoft.Storage/*" },
              { "field": "type", "like": "Microsoft.Network/*" },
              { "field": "type", "like": "Microsoft.Web/*" }
            ]
          }
        },
        "then": { "effect": "deny" }
      }

  45. Use Approved SKUs
      {
        "if": {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
            {
              "not": {
                "allOf": [
                  { "field": "Microsoft.Storage/storageAccounts/sku.name", "in": [ "Standard_LRS", "Standard_GRS" ] }
                ]
              }
            }
          ]
        },
        "then": { "effect": "deny" }
      }

  46. Use Approved Images
      {
        "if": {
          "not": {
            "allOf": [
              { "field": "Microsoft.Compute/virtualMachines/image.publisher", "in": [ "publish1", "publisher2" ] },
              { "field": "Microsoft.Compute/virtualMachines/image.offer", "in": [ "offer1", "offer2" ] },
              { "field": "Microsoft.Compute/virtualMachines/image.sku", "in": [ "sku1", "sku2" ] }
            ]
          }
        },
        "then": { "effect": "deny" }
      }
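An added example, not the presentation's code, that implements the if/then grammar of slide 37 as a small evaluator and shows how the tag, naming, service, SKU and image policies of slides 41 to 46 decide a PUT request the way slides 38 and 39 describe (deny blocks, audit only records, append modifies). The flat field model, the policy names and the "department1" default are assumptions for illustration, and ARM's real ordering of effects is not modelled.

```python
import fnmatch

def _field(resource, name):   # "tags.<key>" reads a tag; everything else is a flat key here
    return (resource.get("tags") or {}).get(name[5:]) if name.startswith("tags.") else resource.get(name)

def _condition(cond, resource):
    if "not" in cond:
        return not _condition(cond["not"], resource)
    if "allOf" in cond:
        return all(_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_condition(c, resource) for c in cond["anyOf"])
    value = _field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if value is None:          # a missing field never satisfies equals/like/in
        return False
    value = value.lower()      # string comparisons are case-insensitive
    if "equals" in cond:
        return value == cond["equals"].lower()
    if "like" in cond:         # "*" is the only wildcard understood by "like"
        return fnmatch.fnmatchcase(value, cond["like"].lower())
    if "in" in cond:
        return value in [v.lower() for v in cond["in"]]
    raise ValueError("unsupported condition: %r" % cond)

def evaluate(policies, request):
    """Run the assigned policies over a PUT body; return (resource after appends, blocked?, events)."""
    resource = dict(request)
    if "tags" in request:                       # copy so appends never mutate the caller's body
        resource["tags"] = dict(request["tags"])
    blocked, events = False, []
    for name, policy in policies.items():       # plain dict order; ARM's own ordering is not modelled
        if not _condition(policy["if"], resource):
            continue
        effect = policy["then"]["effect"]
        events.append((name, effect))           # each hit is an auditable event (slide 39)
        if effect == "deny":
            blocked = True
        elif effect == "append":                # this example appends tag fields only
            for d in policy["then"]["details"]:
                resource.setdefault("tags", {})[d["field"][5:]] = d["value"]
    return resource, blocked, events
# Constructed policies shaped like slides 41 and 42: append a default cost center when
# tags exist without one, and deny any cost center outside the approved list.
POLICIES = {
    "default-costCenter": {"if": {"allOf": [{"field": "tags", "exists": "true"}, {"field": "tags.costCenter", "exists": "false"}]},
                           "then": {"effect": "append", "details": [{"field": "tags.costCenter", "value": "department1"}]}},
    "approved-costCenter": {"if": {"not": {"field": "tags.costCenter", "in": ["department1", "department2", "department3"]}},
                            "then": {"effect": "deny"}},
}
```

A resource sent with no tags at all fails the "in" check, so the tag enforcement policy denies it; the append policy only fills in a missing costCenter when a tags object is present, exactly as its "exists" conditions state.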

  47. Aliases

  48. Monitoring Policy events

  49. Policy Usage

  50. Who assigns Policy?
      • Subscription Owners
      • Resource Group Owners
