Top Governance Tasks for a New Azure Subscription
Also see - Subscription approaches in Azure
Network Design Comes First
Beyond a hub-and-spoke network design that protects your resources at the network level (with its associated firewall rules and custom routes), the ongoing governance practices listed in this post should be part of any Azure subscription.
Azure Governance Step 1 - Separate out Resource Groups
Use separate resource groups for Azure SQL and for Azure VMs (and other IaaS resources). Web applications may belong in their own resource group.
Azure Governance Step 2 - Map Work Functions to Azure RBAC
Example mapping of on-premises roles (security admins and systems/infrastructure admins) to Azure RBAC roles:
Azure Governance Step 3 - Azure Policy Recommendations - Azure Security Center
Focus especially on policies that govern the deployment of resources; the same policies also govern updates made after the initial deployment.
Deployments to certain locations
Resources can be deployed only to a chosen set of locations; deployments to any region outside the policy are denied. For example, if the allowed regions are West Europe and East US, it must not be possible to deploy resources in any other region.
Tags of resources and resource groups
Every Azure resource, including resource groups, must have tags assigned. At a minimum, the tags record the department, environment, creation date, and project name.
Diagnostic logs and Application Insights for all resources
Every resource deployed in Azure should have diagnostic logs and application logging enabled wherever the resource supports them.
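The two deny-style policies above (allowed locations, mandatory tags) are easiest to reason about when you can see the policy rule JSON next to the resources it would reject. The following is an added example, not code from the original post: it builds the rule documents in the Azure Policy rule schema (the shape you would pass to `az policy definition create --rules`) and runs them through a small local evaluator over constructed sample resources. The evaluator re-implements only the handful of conditions used here (`allOf`, `not`, `in`/`notIn`, `equals`/`notEquals`, `exists`); it is not the Azure Policy engine, and the resource names, tags and locations are made up. The diagnostic-logs recommendation is not modelled, because it uses a DeployIfNotExists effect rather than a simple deny.

```python
"""Allowed-locations and required-tag policy rules, plus a local evaluator.

Added example (constructed data). The rule JSON follows the Azure Policy rule
schema; the evaluator below is a simplified stand-in for Azure's engine.
"""
import json

# Assumed values for this example (the post names West Europe and East US).
ALLOWED_LOCATIONS = ["westeurope", "eastus"]
REQUIRED_TAGS = ["department", "environment", "creationDate", "project"]


def allowed_locations_rule(locations):
    """Deny any regional resource whose location is outside the allowed list.

    'global' is excluded because region-less resources report that location.
    """
    return {
        "if": {
            "allOf": [
                {"field": "location", "notIn": locations},
                {"field": "location", "notEquals": "global"},
            ]
        },
        "then": {"effect": "deny"},
    }


def required_tag_rule(tag_name):
    """Deny resources that do not carry the named tag at all."""
    return {
        "if": {"field": f"tags['{tag_name}']", "exists": "false"},
        "then": {"effect": "deny"},
    }


def governance_rules():
    """Name -> rule mapping for everything this example enforces."""
    rules = {"allowed-locations": allowed_locations_rule(ALLOWED_LOCATIONS)}
    for tag in REQUIRED_TAGS:
        rules[f"require-tag-{tag}"] = required_tag_rule(tag)
    return rules


def _field_value(resource, field):
    # tags['x'] addresses one tag; location is compared case-insensitively,
    # as Azure does, so normalise it here.
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1].strip("'"))
    value = resource.get(field)
    return value.lower() if field == "location" and isinstance(value, str) else value


def _matches(cond, resource):
    """Evaluate one policy condition (subset of the policy language)."""
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource)
    value = _field_value(resource, cond["field"])
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, rules):
    """Return the names of the deny rules that fire for this resource."""
    return [name for name, rule in rules.items()
            if rule["then"]["effect"] == "deny" and _matches(rule["if"], resource)]


# Constructed sample deployments: one compliant, one in a disallowed region,
# one missing most mandatory tags.
SAMPLE_RESOURCES = [
    {"name": "sql-prod-01", "type": "Microsoft.Sql/servers", "location": "westeurope",
     "tags": {"department": "finance", "environment": "prod",
              "creationDate": "2020-01-15", "project": "ledger"}},
    {"name": "vm-dev-01", "type": "Microsoft.Compute/virtualMachines", "location": "northeurope",
     "tags": {"department": "it", "environment": "dev",
              "creationDate": "2020-02-01", "project": "lab"}},
    {"name": "web-test", "type": "Microsoft.Web/sites", "location": "EastUS",
     "tags": {"environment": "test"}},
]


def audit(resources=SAMPLE_RESOURCES):
    """Map each resource name to the deny rules it would trip."""
    rules = governance_rules()
    return {r["name"]: evaluate(r, rules) for r in resources}


if __name__ == "__main__":
    print(json.dumps(governance_rules()["allowed-locations"], indent=2))
    for name, denials in audit().items():
        print(f"{name}: {'ALLOWED' if not denials else 'DENIED by ' + ', '.join(denials)}")
```

Running it shows the compliant SQL server passing, the North Europe VM denied by the location rule, and the web app denied once per missing tag, which is also how Azure reports it: each policy definition produces its own compliance result, so a missing-tag policy per required tag gives you a per-tag view in the portal rather than one opaque failure.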
Azure Governance Step 4 - Network Watcher (IaaS) Resource Groups Recommendation
Azure Governance Step 5 - Azure locks recommendations for Prod and Pre Prod Resources
All production and pre-production environments (as distinct from development and testing environments) are locked to prevent deletion.
Development and testing environments that run as single instances are also locked to prevent deletion.
All resources belonging to the web application are locked.
All shared resources are locked against deletion, irrespective of environment.
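The four lock rules above are a decision table, and it is worth encoding them once rather than applying locks by hand per resource group. The following is an added example, not code from the original post: it takes a constructed resource-group inventory (names, environments and flags are made up), decides which groups must carry a delete lock under the rules just listed, and emits the corresponding `az lock create` commands with the reason recorded in the lock's notes. `CanNotDelete` and the `--notes` option are real Azure CLI values; the inventory fields and the `nodelete-` naming prefix are assumptions of this example.

```python
"""Apply the Step 5 lock rules to a resource-group inventory and emit az CLI.

Added example with constructed inventory data. Only the decision logic and the
command strings are produced; nothing is executed against a subscription.
"""
from dataclasses import dataclass


@dataclass
class ResourceGroup:
    name: str
    environment: str       # assumed values: prod | preprod | dev | test
    instances: int = 1     # how many instances of the workload the group hosts
    shared: bool = False   # shared infrastructure (hub network, key vault, ...)
    web_app: bool = False  # hosts the web application tier


def lock_reason(rg):
    """Return why the group must be locked, or None if it may stay unlocked.

    Order matters only for the reason text: shared and web-app groups are
    locked regardless of environment, prod/preprod always, dev/test only when
    they have a single instance (no redundancy to fall back on).
    """
    if rg.shared:
        return "shared resources are locked irrespective of environment"
    if rg.web_app:
        return "web application resources are always locked"
    if rg.environment in ("prod", "preprod"):
        return "production and pre-production are always locked"
    if rg.environment in ("dev", "test") and rg.instances == 1:
        return "single-instance dev/test has no redundancy"
    return None


def locked_names(groups):
    """Names of the groups that must receive a CanNotDelete lock."""
    return [rg.name for rg in groups if lock_reason(rg)]


def lock_commands(groups):
    """Azure CLI commands to create the locks, one per group that needs one."""
    cmds = []
    for rg in groups:
        reason = lock_reason(rg)
        if reason:
            cmds.append(
                f"az lock create --name nodelete-{rg.name} --lock-type CanNotDelete "
                f"--resource-group {rg.name} --notes \"{reason}\""
            )
    return cmds


# Constructed inventory covering each branch of the rules.
INVENTORY = [
    ResourceGroup("rg-sql-prod", "prod"),
    ResourceGroup("rg-vm-dev", "dev", instances=3),
    ResourceGroup("rg-vm-test", "test", instances=1),
    ResourceGroup("rg-web-dev", "dev", instances=2, web_app=True),
    ResourceGroup("rg-hub-network", "dev", shared=True),
]


if __name__ == "__main__":
    for rg in INVENTORY:
        print(f"{rg.name:16} -> {lock_reason(rg) or 'no lock required'}")
    print()
    print("\n".join(lock_commands(INVENTORY)))
```

Only the multi-instance dev VM group stays unlocked. Note that CanNotDelete still permits modification of the locked resources; if a shared resource must also be protected from configuration changes, the stricter ReadOnly lock level is the one to use, and locks apply to everyone, including owners, until someone with lock permissions removes them.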
Need an experienced Cloud Networking or a Cloud Data Protection Expert? Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.