Also see - Subscription approaches in Azure

Network Design Comes First

Apart from a hub-and-spoke network design that protects your resources at the network level (with the associated firewall rules and user-defined routes), the ongoing governance practices listed in this post should be part of any Azure subscription.

Azure Governance Step 1 - Separate out Resource Groups

Keep Azure SQL and the IaaS resources (Azure VMs, disks, NICs) in separate resource groups, so that RBAC assignments, policies and locks can be scoped per workload rather than per subscription. Web applications may belong to their own resource group.

Azure Governance Step 2 - Map Work Functions to Azure RBAC

Example mapping of on-premises roles (Security Admins and Systems Admins, i.e. infrastructure admins) to Azure RBAC roles:

[Image: table of the different roles with their access details]
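The following Az PowerShell script is an added example, not code from the original post, and the role mapping in it is an assumption standing in for the table above: security admins get Security Admin and Reader at subscription scope, systems admins get Virtual Machine Contributor on the IaaS resource group and SQL Server Contributor on the SQL resource group from Step 1. The group names (sg-security-admins, sg-systems-admins) and resource group names (rg-iaas, rg-sql) are assumed, and the script expects an authenticated Az session (Connect-AzAccount).

```powershell
# Added example (not from the original post): map two on-premises roles to
# Azure built-in RBAC roles, scoped to the resource groups from Step 1.
# Assumptions: Entra ID groups 'sg-security-admins' and 'sg-systems-admins'
# and resource groups 'rg-iaas' and 'rg-sql' exist in the current subscription.

$subscriptionId = (Get-AzContext).Subscription.Id
$subScope       = "/subscriptions/$subscriptionId"

# Assumed role mapping; replace with your own. Least privilege: nobody in the
# mapping receives Owner or Contributor at subscription scope.
$mapping = @(
    @{ Group = 'sg-security-admins'; Role = 'Security Admin';              Scope = $subScope },
    @{ Group = 'sg-security-admins'; Role = 'Reader';                      Scope = $subScope },
    @{ Group = 'sg-systems-admins';  Role = 'Virtual Machine Contributor'; Scope = "$subScope/resourceGroups/rg-iaas" },
    @{ Group = 'sg-systems-admins';  Role = 'SQL Server Contributor';      Scope = "$subScope/resourceGroups/rg-sql" }
)

foreach ($m in $mapping) {
    $group = Get-AzADGroup -DisplayName $m.Group
    if (-not $group) { throw "Group $($m.Group) not found" }

    # Idempotent: skip when the assignment already exists at exactly this scope
    # (Get-AzRoleAssignment also returns assignments inherited from parent scopes).
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $m.Role -Scope $m.Scope |
        Where-Object { $_.Scope -eq $m.Scope }
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $m.Role -Scope $m.Scope | Out-Null
        Write-Host "Assigned $($m.Role) to $($m.Group) at $($m.Scope)"
    }
}

# Review step: anyone holding Owner or Contributor at subscription scope
# bypasses the per-resource-group separation, so list those assignments.
Get-AzRoleAssignment -Scope $subScope |
    Where-Object { $_.RoleDefinitionName -in 'Owner', 'Contributor' -and $_.Scope -eq $subScope } |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Assign roles to groups, never to individual users, so that joiners and leavers are handled in the directory rather than in Azure; the final query is the check worth running after every change, because a subscription-level Contributor makes the resource-group scoping in Step 1 cosmetic.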

Azure Governance Step 3 - Azure Policy Recommendations - Azure Security Center

Azure Security Center (now Microsoft Defender for Cloud) surfaces the built-in policies; the ones that matter most govern how resources are deployed. Because Azure Policy is evaluated on every create or update request, and existing resources are re-evaluated during compliance scans, the same policies also govern changes made after the initial deployment.

Deployments to certain locations

Azure resources can only be deployed to an approved list of regions; the policy denies deployments to any other region. For example, if the allowed regions are West Europe and East US, it must not be possible to deploy resources anywhere else. Resources whose location is "global" (such as DNS zones) need to be exempted from the rule, otherwise the policy blocks them entirely.

Tags of resources and resource groups

Every resource in Azure, including the resource groups, must have tags assigned to it. At a minimum, the tags record the department, environment, creation date, and project name.

Diagnostic logs and Application Insights for all resources

Every resource deployed on Azure should have diagnostic settings (resource logs) and, for applications, Application Insights enabled wherever the resource type supports them.
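The three recommendations above, written as custom Azure Policy definitions and assigned at subscription scope, as an added example that is not part of the original post. It assumes an authenticated Az session with rights to write policy definitions and assignments (for example Resource Policy Contributor); the definition names, the tag names (Department, Environment, CreationDate, Project) and the resource types audited for diagnostic logs are assumptions. Application Insights is instrumented in the application itself and is not covered by the policy.

```powershell
# Added example (not from the original post): custom Azure Policy definitions for
# allowed locations, mandatory tags and diagnostic logs, assigned at subscription scope.
$subScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"

# 1. Allowed locations: deny anything outside the parameter list. Resources with
#    location 'global' (DNS zones, Traffic Manager profiles, ...) are exempted,
#    otherwise the deny would block them entirely.
$locationRule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('allowedLocations')]" },
      { "field": "location", "notEquals": "global" }
    ]
  },
  "then": { "effect": "deny" }
}
'@
$locationParams = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": { "displayName": "Allowed locations", "strongType": "location" }
  }
}
'@
$locDef = New-AzPolicyDefinition -Name 'deny-disallowed-locations' `
    -DisplayName 'Deny deployments outside approved regions' `
    -Mode Indexed -Policy $locationRule -Parameter $locationParams

# 2. Mandatory tags (assumed tag names). Two definitions: mode 'Indexed' covers
#    resources that support tags; resource groups are only evaluated in mode
#    'All' when the rule names their type explicitly.
$requiredTags  = 'Department', 'Environment', 'CreationDate', 'Project'
$missingAnyTag = ($requiredTags | ForEach-Object { "{ ""field"": ""tags['$_']"", ""exists"": ""false"" }" }) -join ",`n      "

$resourceTagRule = @"
{
  "if": { "anyOf": [
      $missingAnyTag
  ] },
  "then": { "effect": "deny" }
}
"@
$rgTagRule = @"
{
  "if": { "allOf": [
    { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" },
    { "anyOf": [
      $missingAnyTag
    ] }
  ] },
  "then": { "effect": "deny" }
}
"@
$tagDef   = New-AzPolicyDefinition -Name 'require-tags-resources' -DisplayName 'Require mandatory tags on resources' -Mode Indexed -Policy $resourceTagRule
$rgTagDef = New-AzPolicyDefinition -Name 'require-tags-resource-groups' -DisplayName 'Require mandatory tags on resource groups' -Mode All -Policy $rgTagRule

# 3. Diagnostic logs: audit listed resource types that have no diagnostic setting
#    with logs enabled. Audit rather than deny, because the diagnostic setting is
#    a child resource that can only be created after the parent exists.
$diagRule = @'
{
  "if": { "field": "type", "in": "[parameters('resourceTypes')]" },
  "then": {
    "effect": "auditIfNotExists",
    "details": {
      "type": "Microsoft.Insights/diagnosticSettings",
      "existenceCondition": {
        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
        "equals": "true"
      }
    }
  }
}
'@
$diagParams = @'
{
  "resourceTypes": {
    "type": "Array",
    "metadata": { "displayName": "Resource types to audit", "strongType": "resourceTypes" }
  }
}
'@
$diagDef = New-AzPolicyDefinition -Name 'audit-diagnostic-logs' -DisplayName 'Audit resources without diagnostic logs' -Mode Indexed -Policy $diagRule -Parameter $diagParams

# Assign all four at subscription scope (use a management group scope when the
# same rules apply to several subscriptions).
New-AzPolicyAssignment -Name 'allowed-locations' -Scope $subScope -PolicyDefinition $locDef `
    -PolicyParameterObject @{ allowedLocations = @('westeurope', 'eastus') }
New-AzPolicyAssignment -Name 'require-tags-resources' -Scope $subScope -PolicyDefinition $tagDef
New-AzPolicyAssignment -Name 'require-tags-rgs' -Scope $subScope -PolicyDefinition $rgTagDef
New-AzPolicyAssignment -Name 'audit-diagnostic-logs' -Scope $subScope -PolicyDefinition $diagDef `
    -PolicyParameterObject @{ resourceTypes = @('Microsoft.Sql/servers/databases', 'Microsoft.Web/sites', 'Microsoft.KeyVault/vaults') }
```

A deny assignment only affects new create and update requests; resources that already violate the rule show up as non-compliant in the next compliance scan and stay there until remediated, so run the tag and location policies in audit mode first and review the compliance report before switching the effect to deny.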

Azure Governance Step 4 - Network Watcher (IaaS) Resource Groups Recommendation

Network Watcher should be enabled in every region that contains a virtual network. Azure creates one Network Watcher instance per region, by convention in a resource group named NetworkWatcherRG, so the check is per region rather than per resource group. An alert, or an audit policy, should flag any region that has a virtual network but no Network Watcher instance.
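An added example (not from the original post) that performs that check across the current subscription and creates the missing Network Watcher instances. It assumes an authenticated Az session and uses Azure's default resource group name NetworkWatcherRG and instance naming NetworkWatcher_<region>; both names are conventions, not requirements.

```powershell
# Added example (not from the original post): ensure a Network Watcher exists in
# every region that has a virtual network, and create the missing ones.
$watcherRg = 'NetworkWatcherRG'   # Azure's default name; any resource group works

# Regions that actually contain a VNet, subscription-wide
$vnetRegions = @(Get-AzVirtualNetwork | Select-Object -ExpandProperty Location -Unique)

# Regions that already have a watcher; Azure allows only one per region, in any resource group
$watchedRegions = @(Get-AzNetworkWatcher | Select-Object -ExpandProperty Location)

$missing = @($vnetRegions | Where-Object { $_ -notin $watchedRegions })
if ($missing.Count -eq 0) {
    Write-Host 'Network Watcher is present in every region that has a virtual network'
    return
}

# The resource group needs a location of its own, but the watchers inside it are
# regional resources, so the group's location is irrelevant to the check.
if (-not (Get-AzResourceGroup -Name $watcherRg -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $watcherRg -Location $vnetRegions[0] | Out-Null
}

foreach ($region in $missing) {
    Write-Warning "No Network Watcher in $region (virtual network present); creating one"
    New-AzNetworkWatcher -Name "NetworkWatcher_$region" -ResourceGroupName $watcherRg -Location $region | Out-Null
}
```

Run this as a scheduled job (for example from Azure Automation) so that a virtual network deployed to a new region does not stay unmonitored; the Write-Warning line is the point at which to raise the alert. Azure Policy also ships a built-in "Network Watcher should be enabled" definition that reports the same gap as a compliance finding.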

Azure Governance Step 5 - Azure locks recommendations for Prod and Pre Prod Resources

All production and pre-production environments (as opposed to development and testing environments) are locked against deletion with a CanNotDelete lock.

Development and testing environments that run as a single instance, with no redundant copy to rebuild from, are also locked against deletion.

All resources belonging to the web application are locked.

All shared resources are locked against deletion, irrespective of the environment they serve.
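The four locking rules above, applied from the tags mandated in Step 3, as an added example that is not part of the original post. It assumes an authenticated Az session and the following conventions, none of which come from the post: Environment tag values Prod, PreProd, Dev and Test; a Shared tag with value true on shared resource groups; a SingleInstance tag with value true on dev/test environments with no redundant copy; and web application resources living in resource groups whose names start with rg-web.

```powershell
# Added example (not from the original post): apply CanNotDelete locks at resource
# group scope according to the four rules, driven by the Environment, Shared and
# SingleInstance tags (assumed names and values).
$lockName = 'governance-no-delete'

function Get-Tag($rg, $name) {
    # Tags may be null on untagged groups; treat missing as null rather than erroring
    if ($rg.Tags -and $rg.Tags.ContainsKey($name)) { return $rg.Tags[$name] }
    return $null
}

function Test-ShouldLock($rg) {
    # Returns the reason the group must be locked, or $null if it must not
    $env = Get-Tag $rg 'Environment'
    if ($env -in 'Prod', 'PreProd')                 { return 'production or pre-production' }
    if ((Get-Tag $rg 'Shared') -eq 'true')          { return 'shared resource' }
    if ($rg.ResourceGroupName -like 'rg-web*')      { return 'web application' }
    if (($env -in 'Dev', 'Test') -and (Get-Tag $rg 'SingleInstance') -eq 'true') { return 'single-instance dev/test' }
    return $null
}

foreach ($rg in Get-AzResourceGroup) {
    $reason = Test-ShouldLock $rg
    if (-not $reason) { continue }

    # Idempotent: leave groups that already carry the governance lock alone
    $existing = Get-AzResourceLock -ResourceGroupName $rg.ResourceGroupName -LockName $lockName -ErrorAction SilentlyContinue
    if ($existing) { continue }

    # A CanNotDelete lock at resource-group scope covers the group and every resource
    # in it. It blocks control-plane deletes only: data inside a storage account or
    # database can still be deleted through the data plane.
    New-AzResourceLock -LockName $lockName -LockLevel CanNotDelete `
        -ResourceGroupName $rg.ResourceGroupName `
        -LockNotes "Locked by governance rule: $reason" -Force | Out-Null
    Write-Host "Locked $($rg.ResourceGroupName) ($reason)"
}

# A lock is only as strong as the list of people who can remove it. Removing a lock
# needs Microsoft.Authorization/locks/delete, which Owner and User Access
# Administrator hold, so review those assignments together with the locks.
Get-AzRoleAssignment |
    Where-Object { $_.RoleDefinitionName -in 'Owner', 'User Access Administrator' } |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Locks are a guard against accidents, not against a compromised Owner account: the final query lists exactly the identities that can unlock and delete, and those are the ones that belong in the privileged group with multi-factor authentication and access reviews.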

Need an experienced Cloud Networking or a Cloud Data Protection Expert?  Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.