ARM and Compliance
Vishwas Lele & Jason McNutt, Applied Information Sciences
12/4/2018 10:08 AM
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Agenda
- Compliance
- Azure Resource Manager
- Azure Blueprints
- Resource Policies
- Service Catalog
- Post Deployment Monitoring
Compliance

Compliance: the act or process of complying with laws, regulations, guidelines and specifications.
Examples: Sarbanes-Oxley, HIPAA, PCI DSS, FISMA
Shared responsibility: provider and customer
Compliance through DevOps
ARM Basics

Consistent Management Layer
Azure Resource Manager API
Deploying with Azure Resource Manager (Build 2014)
- template-driven
- declarative
- idempotent
- multi-service
- multi-region
- extensible
© 2014 Microsoft Corporation. All rights reserved.
Reference Architectures

Identity:
- Extending Active Directory to Azure
- Implementing a secure hybrid network architecture with federated identities in Azure

Web applications (PaaS):
- Basic web application
- Improving scalability in a web application
- Web application with high availability

Running virtual machines on Azure:
- Running a Windows VM on Azure
- Running a Linux VM on Azure
- Running multiple VMs for scalability and availability
- Running VMs for an N-tier architecture
- Adding reliability to an N-tier architecture (Windows)
- Adding reliability to an N-tier architecture (Linux)
- Running VMs in multiple regions for high availability (Windows)
- Running VMs in multiple regions for high availability (Linux)

Hybrid network architectures:
- Implementing a hybrid network architecture with Azure and on-premises VPN
- Implementing a hybrid network architecture with Azure ExpressRoute
- Implementing a highly available hybrid network architecture
- Implementing a DMZ between Azure and your on-premises datacenter
- Implementing a DMZ between Azure and the Internet
From Reference Architectures to Building Blocks
Azure Blueprints

"Azure Blueprints": NIST SP 800-53 Rev. 4 compliant app architecture
- Notional application architecture (IaaS)
- Fully scripted deployment: ARM templates, virtual machine extensions, Desired State Configuration
DevOps Security
- Immutable architectures
- Automate all aspects: deployment, security documentation (OpenControl.org, Compliance Masonry)
Demo: Jason McNutt

Resource Policies
Resource Policies: Scenarios
- Chargeback: require departmental tags
- Geo compliance: ensure resource locations
- Service curation: select your service catalog
- Convention: enforce naming
Bringing control to the cloud
Resource Policies: Key Concepts
- Policies are a default-allow system
- Policies are described via policy definitions
- Policies are applied via policy assignments
Policy Definition Language: Basic Structure

    {
      "if": {
        <condition> | <logical operator>
      },
      "then": {
        "effect": "deny | audit | append"
      }
    }
Policy Definition Language: Logical Operators

    Not:  "not": { <condition> }
    And:  "allOf": [ { <condition> }, { <condition> } ]
    Or:   "anyOf": [ { <condition> }, { <condition> } ]
Policy Definition Language: Conditions

    equals:       "equals": "<value>"
    like:         "like": "<value*>"
    contains:     "contains": "<value>"
    in:           "in": [ "<value1>", "<value2>" ]
    containsKey:  "containsKey": "<keyName>"
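An added example, not from the deck: a minimal Python evaluator for the policy-language subset on these slides (the if/then structure, not/allOf/anyOf, and the five conditions), applied to constructed resources for the geo-compliance and chargeback scenarios. The `field` key that names the resource property is an assumption; the slides show only the operators.

```python
import fnmatch

# Policy definitions in the slide's structure. The "field" key naming the resource
# property is an assumption (it mirrors Azure Policy syntax; the slide shows only operators).
GEO_POLICY = {  # Geo compliance: deny anything deployed outside the allowed regions
    "if": {"not": {"field": "location", "in": ["eastus", "westus"]}},
    "then": {"effect": "deny"},
}
TAG_POLICY = {  # Chargeback: audit storage accounts that lack a department tag
    "if": {"allOf": [
        {"field": "type", "like": "Microsoft.Storage/*"},
        {"not": {"field": "tags", "containsKey": "department"}},
    ]},
    "then": {"effect": "audit"},
}

def _lookup(resource, field):
    """Resolve a dotted field name such as 'tags.department' on the resource."""
    for part in field.split("."):
        resource = resource.get(part) if isinstance(resource, dict) else None
    return resource

def evaluate(cond, resource):
    """True when the condition (or logical operator) matches the resource."""
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    value = _lookup(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "like" in cond:  # '*' is the wildcard, as in the slide's "<value*>"
        return isinstance(value, str) and fnmatch.fnmatchcase(value, cond["like"])
    if "contains" in cond:
        return isinstance(value, str) and cond["contains"] in value
    if "in" in cond:
        return value in cond["in"]
    if "containsKey" in cond:
        return isinstance(value, dict) and cond["containsKey"] in value
    raise ValueError(f"unsupported condition: {cond}")

def effect_for(policy, resource):
    """Default allow: the 'then' effect applies only when the 'if' block matches."""
    return policy["then"]["effect"] if evaluate(policy["if"], resource) else "allow"

# Constructed sample resources, not real deployments.
VM_IN_EUROPE = {"type": "Microsoft.Compute/virtualMachines", "location": "westeurope", "tags": {}}
UNTAGGED_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "location": "eastus", "tags": {}}
TAGGED_STORAGE = {**UNTAGGED_STORAGE, "tags": {"department": "finance"}}
```

Because the system is default allow, a resource that matches no policy's `if` block gets the `allow` result, which is why a missing `deny` (not a missing `allow`) is what a reviewer should look for.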
Facets Governed by Policy
- Name, Type, Location, Tags, Tag Values, Kind
- Virtual Machine Size, Virtual Machine Image
- Web ServerFarm SKU
- Storage Account SKU, Scheduler SKU, DocDB SKU, CDN SKU
- Redis (Cache) SKU, Redis (Cache) SSL Config, Redis (Cache) Shard Count
- SQL Server Version, SQL Server DB SLO, SQL Server Edition, SQL Server Elastic Pool, SQL Server Pool DTU, SQL Server Pool Edition
- …more coming soon
Resource Locks

Accidents happen. Resource locks help prevent them :)
Resource locks allow administrators to create policies which prevent accidental changes or deletion.

Key Concepts
- Resource lock: policy which enforces a "lock level" at a particular scope
- Lock level: type of enforcement; currently supports CanNotDelete and ReadOnly
- Scope: the realm to which the lock level is applied. Expressed as a URI; can be set at the resource group or resource scope.
Post Deployment Monitoring

Post Deployment Monitoring: Azure Monitor, Event Grid
Event Grid (Microsoft Build 2017)

Azure Monitor Overview (Microsoft Build 2017)
Demo: Vishwas Lele