Azure Charts: Design foundation for IaC and DevOps!!!
Arindam Mitra
Posted on June 12, 2022
Greetings my fellow Technology Advocates and Specialists.
In this session I will share real-time insights on how to use AZURE CHARTS as the design foundation for IaC (Infrastructure-as-Code) and DevOps automation.
IMPORTANT TO NOTE:-
Once the design foundation is ready, putting it into IaC (Terraform/PowerShell) and executing it through an Azure DevOps pipeline becomes relatively easy.
WHAT IS COVERED:-
- Azure Charts.
- Categories of Azure Services.
- Which Azure Services support Private Link.
- Which Azure Services support Managed Identity.
- Design Resource Group(s).
- Design Network Framework.
- Azure Night Sky.
- Azure Services SLA.
- Azure Services Reservations.
AZURE CHARTS:-
Link to Azure Charts
First look at Azure Charts (screenshot):-
CATEGORIES OF AZURE SERVICES:-
When you are designing the foundation that makes writing IaC and executing it over an Azure DevOps pipeline easier, it is very important to understand which Azure Service falls under which category.
This then helps you design the Resource Group structure, the AAD group layout, the RBAC model and the network framework, which together are our foundation.
Link to Azure Services Categories Overview in Azure Charts
First look at the Azure Services Categories Overview in Azure Charts (screenshot):-
WHICH AZURE SERVICES SUPPORT PRIVATE LINK:-
Browse to Private Link Support to view which Azure Services support Private Link. This is an input to the network framework: a service with Private Link support can be given a private endpoint in its category subnet, so traffic to it stays inside the Virtual Network and the public endpoint can be disabled.
Below is how it looks (screenshot):-
WHICH AZURE SERVICES SUPPORT MANAGED IDENTITY:-
Browse to Managed Identity Support to view which Azure Services support Managed Identity. This is an input to the RBAC model: a service with a managed identity can be granted data-plane roles (Key Vault, Storage, Service Bus, SQL) directly, so no connection strings or secrets have to be stored in pipeline variables or configuration.
Below is how it looks (screenshot):-
DESIGN RESOURCE GROUP(S):-
Consider a project scenario where we have to deploy the following Azure Services (using IaC and Azure DevOps pipelines):- 1) Azure App Service Plan, 2) Azure App Services, 3) Virtual Machine, 4) Data Factory, 5) Databricks, 6) Azure SQL, 7) Azure Active Directory B2C, 8) Key Vault, 9) API Management, 10) Service Bus, 11) Application Gateway, 12) Bastion, 13) Azure Storage and 14) Data Lake Store
Questions:
1) How would you design the Resource Group(s)?
If the required Azure Services are deployed into a shared subscription, one Resource Group containing all of them makes sense, because the Resource Group is then the logical boundary between projects in the same subscription. But what happens when each project has a dedicated subscription? Then the design of the Resource Group(s) plays a vital role in day-to-day operations.
2) Why do we need to design Resource Group(s)?
This is needed for the following reasons:-
- Sub-team(s) within the same application development: different Resource Groups holding different Azure Services provide the logical boundaries among sub-teams.
- Role-Based Access Control (RBAC): the key security feature, because it decides which sub-team(s) require what level of permission on which Resource Groups. Scoping roles to a Resource Group rather than to the subscription keeps each team's permissions to the resources it actually operates (least privilege).
- Application user look and feel segregation: developers and operations support are only concerned with the visibility of, and access to, their respective Resource Group(s).
This is where the Azure Services Categories in Azure Charts help us in DESIGNING RESOURCE GROUP(S).
For the purpose of this session, consider the naming convention of Resource Group(s) as: [NAME OF THE COMPANY]-[PROJECT NAME]-[ENVIRONMENT NAME]-[AZURE SERVICE CATEGORY NAME]-RG
NOTES ON RBAC:-
Scope of RBAC = Resource Group.
RBAC attached to = Azure Active Directory (AAD) group (roles are assigned to groups, not to individual users).
AAD group design will be based on the Target Operating Model (TOM).
NAME OF THE RESOURCE GROUP | AZURE SERVICES | ROLE BASED ACCESS CONTROL | NOTES (IF ANY) |
---|---|---|---|
AM-BLOGPOST-TEST-SHARED-RG | Azure App Service Plan, Key Vault | Contributor, Reader | Point(s) to note: (1) Several Azure App Services can use the same Azure App Service Plan, hence SHARED RESOURCE GROUP. (2) Key Vault keys, secrets and certificates can be consumed by one or multiple Azure Services, hence SHARED RESOURCE GROUP. (3) If Contributor is more than the team needs, the App Service Plan has the narrower built-in role Web Plan Contributor. (4) In this design Key Vault data-plane access is managed by Access Policies and not RBAC. Caveat: anyone holding Contributor on this Resource Group can edit those access policies, so Contributor here is effectively access to the secrets; Key Vault also supports an Azure RBAC permission model (Key Vault Administrator, Key Vault Secrets User, ...) if you prefer one model for both planes. |
AM-BLOGPOST-TEST-COMPUTE-RG | Azure App Services, Virtual Machines | Contributor, Reader, Virtual Machine Administrator Login, Virtual Machine Contributor | Point(s) to note: (1) Azure App Services and Virtual Machines belong to the Compute category in Azure Charts, hence COMPUTE RESOURCE GROUP. (2) If Contributor is more than the team needs, App Service has the narrower built-in role Website Contributor. (3) Virtual Machine Administrator Login only grants Azure AD login to VMs with the AAD login extension; it is not a control-plane role. |
AM-BLOGPOST-TEST-ANALYTICS-RG | Data Factory, Databricks | Contributor, Reader, Data Factory Contributor | Point(s) to note: (1) Data Factory and Databricks belong to the Analytics category in Azure Charts, hence ANALYTICS RESOURCE GROUP. (2) Databricks has no service-specific built-in Azure role; Contributor/Reader on the Resource Group is the only Azure-side control, and workspace permissions are managed inside Databricks. |
AM-BLOGPOST-TEST-DATABASE-RG | Azure SQL | SQL Managed Instance Contributor, SQL Server Contributor, SQL Security Manager | Point(s) to note: (1) Azure SQL belongs to the Database category in Azure Charts, hence DATABASE RESOURCE GROUP. (2) SQL Managed Instance Contributor applies only if a Managed Instance is deployed; for databases on a logical server, SQL DB Contributor is the matching role. (3) These are control-plane roles; access to the data itself is granted with T-SQL (Azure AD logins/users and database roles), not with Azure RBAC. |
AM-BLOGPOST-TEST-IDENTITY-RG | Azure Active Directory B2C (AAD B2C) | Contributor, Reader | Point(s) to note: (1) Azure AD B2C belongs to the Identity and Security category in Azure Charts, hence IDENTITY RESOURCE GROUP. (2) Azure AD B2C is a separate directory from Azure AD; the Azure resource for it has no service-specific built-in role, and users and applications are administered inside the B2C tenant with its own directory roles. |
AM-BLOGPOST-TEST-INTEGRATION-RG | API Management, Service Bus | API Management Service Contributor, API Management Service Operator Role, API Management Service Reader Role, Azure Service Bus Data Owner, Azure Service Bus Data Receiver, Azure Service Bus Data Sender | Point(s) to note: (1) API Management and Service Bus belong to the Integration category in Azure Charts, hence INTEGRATION RESOURCE GROUP. (2) The Service Bus Data roles are data-plane roles; they are normally assigned to the managed identities of the sending and receiving services rather than to team groups. |
AM-BLOGPOST-TEST-NETWORK-RG | Application Gateway, Bastion | Contributor, Reader | Point(s) to note: (1) Application Gateway and Bastion belong to the Network category in Azure Charts, hence NETWORK RESOURCE GROUP. (2) Neither has a service-specific built-in role; Network Contributor is the narrower alternative to Contributor for this Resource Group. |
AM-BLOGPOST-TEST-STORAGE-RG | Azure Storage, Data Lake Store | Storage Account Contributor, Storage Blob Data Contributor, Storage Blob Data Reader | Point(s) to note: (1) Azure Storage Account and Data Lake Store belong to the Storage category in Azure Charts, hence STORAGE RESOURCE GROUP. (2) Storage Account Contributor is a control-plane role that also allows listing the account keys, which bypasses the Blob Data roles; grant it sparingly and use the Storage Blob Data roles for access to data. |
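The Resource Group and RBAC design in the table above, expressed as Terraform. This is an added example written for this edit, not the author's code: it creates one Resource Group per Azure Charts category using the naming convention, derives one AAD security group per Resource Group and role (an assumed group layout, used only to show the pattern; the real layout follows the TOM), and assigns each built-in role to that group at Resource Group scope. The `AM-BLOGPOST-TEST` prefix, the location and the group names are assumptions, and the AAD groups are assumed to exist already.

```hcl
provider "azurerm" {
  features {}
}

provider "azuread" {}

locals {
  # [COMPANY]-[PROJECT]-[ENVIRONMENT] part of the naming convention.
  prefix   = "AM-BLOGPOST-TEST"
  location = "westeurope" # assumed

  # One entry per Azure Charts category in the design table, with the
  # built-in roles the table lists (a subset for DATABASE and INTEGRATION).
  resource_groups = {
    SHARED      = ["Contributor", "Reader"]
    COMPUTE     = ["Contributor", "Reader", "Virtual Machine Contributor", "Virtual Machine Administrator Login"]
    ANALYTICS   = ["Contributor", "Reader", "Data Factory Contributor"]
    DATABASE    = ["SQL Server Contributor", "SQL Security Manager"]
    IDENTITY    = ["Contributor", "Reader"]
    INTEGRATION = ["API Management Service Contributor", "Azure Service Bus Data Sender", "Azure Service Bus Data Receiver"]
    NETWORK     = ["Contributor", "Reader"]
    STORAGE     = ["Storage Account Contributor", "Storage Blob Data Contributor", "Storage Blob Data Reader"]
  }

  # Assumed AAD group layout: one security group per resource group and role,
  # e.g. AM-BLOGPOST-TEST-COMPUTE-Virtual-Machine-Contributor. The real layout
  # comes from the Target Operating Model.
  assignments = {
    for a in flatten([
      for category, roles in local.resource_groups : [
        for role in roles : {
          category = category
          role     = role
          group    = "${local.prefix}-${category}-${replace(role, " ", "-")}"
        }
      ]
    ]) : "${a.category}/${a.role}" => a
  }
}

resource "azurerm_resource_group" "this" {
  for_each = local.resource_groups
  name     = "${local.prefix}-${each.key}-RG"
  location = local.location
  tags     = { category = each.key, environment = "TEST" }
}

# The AAD groups are assumed to exist already (owned by the identity team).
data "azuread_group" "this" {
  for_each         = toset([for a in values(local.assignments) : a.group])
  display_name     = each.value
  security_enabled = true
}

# Scope of RBAC = resource group; principal = AAD group, not a user.
# SHARED holds Key Vault: with the access-policy model, Contributor here can
# rewrite the vault's access policies, so treat it as access to the secrets.
resource "azurerm_role_assignment" "this" {
  for_each             = local.assignments
  scope                = azurerm_resource_group.this[each.value.category].id
  role_definition_name = each.value.role
  principal_id         = data.azuread_group.this[each.value.group].object_id
}
```

Because `resource_groups` is the single source of truth, adding a category or a role is a one-line change to the map and the pipeline's `terraform plan` shows exactly which Resource Group and which group are affected, which is what makes the review of RBAC changes in a pull request practical.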
DESIGN NETWORK FRAMEWORK:-
Designing a framework for the network becomes much easier once we have defined the Resource Group structure.
One Virtual Network with one or more address spaces.
One Route Table attached to all subnets. Caveat: the Application Gateway v2 subnet does not accept a 0.0.0.0/0 route to a virtual appliance, and Azure Bastion does not support a user-defined route to a virtual appliance on AzureBastionSubnet, so those two subnets are the exceptions.
One Network Security Group per subnet. Caveat: the NSG on the Application Gateway v2 subnet must allow inbound TCP 65200-65535 from the GatewayManager service tag, and an NSG on AzureBastionSubnet must carry the rule set documented for Bastion; with only the default rules the deployment fails.
For the purpose of this session, consider the network naming convention as: [NAME OF THE COMPANY]-[PROJECT NAME]-[ENVIRONMENT NAME]-[AZURE SERVICE CATEGORY NAME]-[VNET/ROUTE-TABLE/SUBNET]-[NSG]
Virtual Network Name: AM-BLOGPOST-TEST-VNET
Route Table Name: AM-BLOGPOST-TEST-ROUTE-TABLE
NAME OF THE RESOURCE GROUP | NAME OF SUBNETS | NAME OF NETWORK SECURITY GROUP | NOTES (IF ANY) |
---|---|---|---|
AM-BLOGPOST-TEST-SHARED-RG | AM-BLOGPOST-TEST-SHARED-SUBNET | AM-BLOGPOST-TEST-SHARED-SUBNET-NSG | - |
AM-BLOGPOST-TEST-COMPUTE-RG | AM-BLOGPOST-TEST-COMPUTE-SUBNET | AM-BLOGPOST-TEST-COMPUTE-SUBNET-NSG | - |
AM-BLOGPOST-TEST-ANALYTICS-RG | AM-BLOGPOST-TEST-ANALYTICS-SUBNET | AM-BLOGPOST-TEST-ANALYTICS-SUBNET-NSG | - |
AM-BLOGPOST-TEST-DATABASE-RG | AM-BLOGPOST-TEST-DATABASE-SUBNET | AM-BLOGPOST-TEST-DATABASE-SUBNET-NSG | - |
AM-BLOGPOST-TEST-IDENTITY-RG | AM-BLOGPOST-TEST-IDENTITY-SUBNET | AM-BLOGPOST-TEST-IDENTITY-SUBNET-NSG | - |
AM-BLOGPOST-TEST-INTEGRATION-RG | AM-BLOGPOST-TEST-INTEGRATION-SUBNET | AM-BLOGPOST-TEST-INTEGRATION-SUBNET-NSG | - |
AM-BLOGPOST-TEST-NETWORK-RG | AM-BLOGPOST-TEST-NETWORK-SYSTEMS-SUBNET (Application Gateway) and AzureBastionSubnet (Bastion) | AM-BLOGPOST-TEST-NETWORK-SYSTEMS-SUBNET-NSG | Application Gateway and Bastion each require a dedicated subnet; Bastion's subnet must be named AzureBastionSubnet and be at least a /26, so it cannot follow the naming convention. |
AM-BLOGPOST-TEST-STORAGE-RG | AM-BLOGPOST-TEST-STORAGE-SUBNET | AM-BLOGPOST-TEST-STORAGE-SUBNET-NSG | - |
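The network framework above as Terraform, added for this edit and not the author's code: one VNet, one Route Table, one subnet per category with its own NSG, with the two exceptions from the caveats (the Application Gateway subnet stays off the route table and gets the GatewayManager rule, and Bastion gets the fixed AzureBastionSubnet). The address plan, the firewall next-hop address and the `AM-BLOGPOST-TEST` prefix are assumptions, and the NETWORK Resource Group is assumed to exist already from the Resource Group design.

```hcl
provider "azurerm" {
  features {}
}

locals {
  prefix = "AM-BLOGPOST-TEST"
  # Address plan assumed for the example: one /16, one /24 per category subnet.
  address_space = ["10.10.0.0/16"]
  subnets = {
    SHARED            = "10.10.0.0/24"
    COMPUTE           = "10.10.1.0/24"
    ANALYTICS         = "10.10.2.0/24"
    DATABASE          = "10.10.3.0/24"
    IDENTITY          = "10.10.4.0/24"
    INTEGRATION       = "10.10.5.0/24"
    STORAGE           = "10.10.6.0/24"
    "NETWORK-SYSTEMS" = "10.10.7.0/24" # Application Gateway, dedicated subnet
  }
  # Application Gateway v2 rejects a 0.0.0.0/0 route to a virtual appliance,
  # so its subnet stays off the shared route table.
  routed_subnets = { for k, v in local.subnets : k => v if k != "NETWORK-SYSTEMS" }
}

# NETWORK resource group from the Resource Group design, assumed to exist.
data "azurerm_resource_group" "network" {
  name = "${local.prefix}-NETWORK-RG"
}

resource "azurerm_virtual_network" "this" {
  name                = "${local.prefix}-VNET"
  location            = data.azurerm_resource_group.network.location
  resource_group_name = data.azurerm_resource_group.network.name
  address_space       = local.address_space
}

resource "azurerm_route_table" "this" {
  name                = "${local.prefix}-ROUTE-TABLE"
  location            = data.azurerm_resource_group.network.location
  resource_group_name = data.azurerm_resource_group.network.name

  route {
    name                   = "default-to-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = "10.10.255.4" # assumed hub firewall / NVA
  }
}

resource "azurerm_subnet" "this" {
  for_each             = local.subnets
  name                 = "${local.prefix}-${each.key}-SUBNET"
  resource_group_name  = data.azurerm_resource_group.network.name
  virtual_network_name = azurerm_virtual_network.this.name
  address_prefixes     = [each.value]
}

# Bastion cannot follow the convention: fixed name, at least /26, no UDR, and
# no NSG in this example (an NSG here needs Bastion's documented rule set).
resource "azurerm_subnet" "bastion" {
  name                 = "AzureBastionSubnet"
  resource_group_name  = data.azurerm_resource_group.network.name
  virtual_network_name = azurerm_virtual_network.this.name
  address_prefixes     = ["10.10.8.0/26"]
}

# One NSG per category subnet; category-specific rules are added per NSG later.
resource "azurerm_network_security_group" "this" {
  for_each            = local.subnets
  name                = "${local.prefix}-${each.key}-SUBNET-NSG"
  location            = data.azurerm_resource_group.network.location
  resource_group_name = data.azurerm_resource_group.network.name
}

# Without this rule the NSG default DenyAllInBound breaks Application Gateway v2.
resource "azurerm_network_security_rule" "appgw_mgmt" {
  name                        = "AllowGatewayManagerInbound"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "65200-65535"
  source_address_prefix       = "GatewayManager"
  destination_address_prefix  = "*"
  resource_group_name         = data.azurerm_resource_group.network.name
  network_security_group_name = azurerm_network_security_group.this["NETWORK-SYSTEMS"].name
}

resource "azurerm_subnet_network_security_group_association" "this" {
  for_each                  = local.subnets
  subnet_id                 = azurerm_subnet.this[each.key].id
  network_security_group_id = azurerm_network_security_group.this[each.key].id
}

resource "azurerm_subnet_route_table_association" "this" {
  for_each       = local.routed_subnets
  subnet_id      = azurerm_subnet.this[each.key].id
  route_table_id = azurerm_route_table.this.id
}
```

The `routed_subnets` filter is where the exceptions live: if a later change attaches the default route to the Application Gateway subnet, `terraform plan` shows a new association for `NETWORK-SYSTEMS`, which is the review signal to reject.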
AZURE NIGHT SKY:-
Link to Azure Night Sky
In real time it educates and provides use cases on how to look at Azure Services together. Each use case is tagged as a Learning Path or a Solution and highlights the required Azure Services. Examples are listed below:-
Use Case #1: GEOSPATIAL DATA PROCESSING AND ANALYTICS |
Type: Solution |
Use Case #2: DATA SCIENCE AND MACHINE LEARNING WITH AZURE DATABRICKS |
Type: Solution |
Use Case #3: INTRODUCTION TO SECURING DATA AT REST ON AZURE |
Type: Learning Path |
Use Case #4: Modern Analytics Architecture With Databricks |
Type: Solution |
AZURE SERVICES SLA:-
Browse to Azure Services SLA to view the Azure SLA board.
Below is how it looks (screenshot):-
AZURE SERVICES RESERVATIONS:-
Browse to Azure Services Reservations to view reservation support for Azure Services.
Below is how it looks (screenshot):-
Hope You Enjoyed the Session!!!
Stay Safe | Keep Learning | Spread Knowledge