1
Azure Governance Lessons from the Field
Janaka Rangama Principal Consultant
2
Janaka Rangama #ලංකාවේකොල්ලෙක්මල්ලී
A proud Lion hailing from the “Pearl of the Indian Ocean”, now living in “Down Under”.
Microsoft MVP | Cloud and Datacentre Management. Microsoft Azure Advisor. Community Lead, Author & Speaker.
Blogger, Author. Twitter: @JanakaRangama #ලංකාවේකොල්ලෙක්මල්ලී
3
Agenda
- Governance in Cloud
- Azure Subscription Management
- Azure RBAC
- Demo
- Azure Policy
- Q & A
4
Governance for the cloud
Policy-based management: assess and enforce enterprise-wide governing standards across your cloud environment for proper control and compliance.
Cost management and optimization: monitor cloud spend, drive organizational accountability, and optimize cloud efficiency.
Resource visibility: quickly search and find resources across your organization and their relationships with query-based exploration.
Subscription governance: create easy-to-use pre-defined templates for DevOps teams that meet organizational security and compliance requirements.
(Slide source: Microsoft Worldwide Partner Conference 2016. © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.)
6
Subscription Management
7
Subscription Principles
Subscriptions are:
- an administrative security boundary
- the unit that supports RBAC delegation
- a billing unit
- a logical limit of scale
- the first container that you create
Considerations:
- Subscriptions do not cost anything.
- Each subscription has its own admins, although a single account can be an admin in multiple subscriptions.
- Subscriptions are global.

Initially a subscription was the administrative security boundary of Microsoft Azure. With the advent of the Azure Resource Management (ARM) environment, a subscription now has two administrative models: Service Management and Azure Resource Management. With ARM the subscription is no longer needed as an administrative boundary; ARM provides a more granular Role Based Access Control (RBAC) model for assigning administrative rights at the resource level. RBAC is currently being released in stages: 32 new roles have been released, and user-defined roles are coming in a future release. There will be some complexity while the Service Management and Resource Management environments coexist, and this needs to be carefully considered.

A subscription additionally forms the billing unit. Service charges are currently accrued to the subscription; as part of the new Azure Resource Management model it will be possible to roll up costs to a resource group. A standard naming convention for Azure resource object types can be used to manage billing across project teams, business units, or any other desired view.

A subscription is also a logical limit of scale by which resources can be allocated. These limits include both hard and soft caps on various resource types (for example 10,000 compute cores per subscription) and change as capacity and capabilities are updated within Azure. Scalability will continue to be a function of subscriptions and is therefore a key element in understanding how the subscription strategy will account for growth as consumption increases.
8
Azure Subscription Governance Layers
Diagram: the governance layers (Enterprise, Departments [optional], Accounts, Subscriptions) organised three ways: by business division (Aerospace, Auto; Application 1, 2, 3), by geography (Europe, North America; Project 1, 2, 3), or functionally (Marketing, Finance; Project 1 Dev, Project 1 Test, Production Web Sites), with example owner names (Lin Chi, Adi Krishnan, Ted Bear, Grace Ma, Joe Smith, Jane Doe) at each layer.
The Azure governance layers, roles, portals etc. provide the technical means, which can be used in different ways. Some customers prefer functional differentiation, others a business-division or geographical split, or even a combination.
9
Account and Subscription Management
The above diagrams explain what the account admin, service admin and co-admin roles are used for. These roles can be assigned to one or multiple identities.
10
Subscription Considerations
- Management approach: single team or distributed RBAC
- Security requirements: data or network security
- Environments: Sandbox, Dev, Test, UAT, Pre-Prod, Prod
- Connectivity requirements: single point of ingress? Multiple regions?
- Application requirements: data flow, compliance
- Yes, there are limits
11
Subscription per Department
Each department contains different types of environments (e.g. Prod, Non-Prod). Virtual networks wrap the different environments for traffic separation. Subnets are created within each environment to establish the required security isolation zones between applications.
Pros:
- Low ExpressRoute circuit costs
- Simplified subscription management
- No VNet subscription limit
Cons:
- Granular RBAC model required
- Subscription limit issues in cores, storage, NSGs
- Complex VNet addressing
- A mistake in management affects all environments
12
Subscription per Environment
Each environment contains the different types of applications. Virtual networks wrap the different applications for traffic separation. Subnets are created within each environment to establish the required security isolation zones among application tiers.
Pros:
- Shared ExpressRoute circuit model
- Low VNet subscription-limit issues (the limit is reached at every 100th application)
- VNet address spaces can be tailored per application
Cons:
- New ExpressRoute circuit required for every 10th application, or ExpressRoute Premium
- Granular per-application RBAC model
- Requires medium capacity planning
- Max of 10 dedicated circuits per subscription, max of 100 applications
13
Subscription per Application
Each application contains the different tiers. Virtual networks wrap the different tiers for traffic separation. Subnets are created within each tier to establish the required security isolation zones.
Pros:
- Minimal subscription limit issues
- Minimal capacity planning
- Per-application RBAC model
Cons:
- Increased network costs
- Management complexity
14
Networking Considerations
Diagram: Enterprise Enrollment, Departments A and B, Accounts A to C, Subscriptions 1 to 4, regions, and VNets 1 to 6, with ExpressRoute circuits shown as dashed lines.
VNet-to-VNet notes:
1. You MUST create or use the Azure Dynamic Routing VPN gateways to connect your virtual networks. Static Routing VPN gateways are NOT supported for VNet-to-VNet.
2. For each virtual network, you can connect up to 10 “networks”; i.e., both virtual networks and on-premises sites combined cannot exceed 10.
3. You need to ensure that the address prefixes don’t overlap among all the connected networks.
4. The VNet-to-VNet feature works across regions and subscriptions: same or different regions, within a single subscription or across subscriptions.
ExpressRoute notes:
- You can link up to 10 virtual networks to an ExpressRoute circuit. All virtual networks must be in the same continent as the ExpressRoute circuit.
- You can link a single virtual network with up to 4 ExpressRoute circuits. All ExpressRoute circuits must be in the same continent. They can be ordered through different service providers and in different locations.
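Two of the notes above are things a practitioner should check before wiring VNets together: connected address prefixes must not overlap (note 3), and a VNet may have at most 10 VNet-to-VNet plus site-to-site connections combined (note 2). The following is an added example, not code from the deck, that performs both checks offline against a constructed inventory; the network names, prefixes and links are made up for illustration.

```python
import ipaddress
from collections import Counter
from itertools import combinations

# Constructed inventory: network name -> address prefixes. "onprem-sydney" stands in
# for a connected on-premises site, which counts toward a VNet's connection total.
NETWORKS = {
    "vnet1-prod-australiaeast": ["10.1.0.0/16"],
    "vnet2-dev-australiaeast": ["10.2.0.0/16"],
    "vnet3-test-australiasoutheast": ["10.1.128.0/17"],   # sits inside vnet1's space
    "onprem-sydney": ["192.168.0.0/16", "10.3.0.0/24"],
}

# Constructed link list: a hub peered to 11 spokes (one over the limit of 10),
# plus vnet1 connected to the on-premises site.
LINKS = [("hub-vnet", "spoke-%d" % i) for i in range(11)]
LINKS.append(("vnet1-prod-australiaeast", "onprem-sydney"))


def overlapping_prefixes(networks):
    """Return (net_a, prefix_a, net_b, prefix_b) for every pair of distinct networks
    whose address prefixes overlap. Each prefix pair is tested, because a network may
    own several address spaces; strict=True rejects prefixes with host bits set."""
    clashes = []
    for (a, a_prefixes), (b, b_prefixes) in combinations(networks.items(), 2):
        for pa in a_prefixes:
            for pb in b_prefixes:
                na = ipaddress.ip_network(pa, strict=True)
                nb = ipaddress.ip_network(pb, strict=True)
                if na.overlaps(nb):
                    clashes.append((a, pa, b, pb))
    return clashes


def over_connection_limit(links, limit=10):
    """Return the networks whose number of connections (VNet-to-VNet and on-premises
    sites counted together, as the slide states) exceeds the limit."""
    degree = Counter()
    for a, b in links:
        degree[a] += 1
        degree[b] += 1
    return sorted(name for name, d in degree.items() if d > limit)


if __name__ == "__main__":
    for a, pa, b, pb in overlapping_prefixes(NETWORKS):
        print("overlap: %s %s <-> %s %s" % (a, pa, b, pb))
    print("over connection limit:", over_connection_limit(LINKS))
```

Run it before provisioning a new VNet or circuit; the overlap check is the one that is expensive to fix after the fact, since re-addressing a live VNet means rebuilding its subnets.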
15
Subscription for Ingress Security Stack
Build a subscription for driving all communications through a security stack. All public communications pass through this subscription and then on to the subscriptions for applications.
Pros:
- Minimal subscription limit issues
- Minimal capacity planning
- Per-application RBAC model
Cons:
- Increased network costs
- Management complexity
16
Role Based Access Control (RBAC)
17
Containers and Resources
- The subscription is the top-level container
- Create resource groups in the subscription
- Place resources within the resource groups
18
Resource Groups and Hierarchy
Hierarchy: Subscription > Resource Group > Resource
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
19
Least Privilege as a Model
Goal:
- Users can do the tasks their job requires
- But no more than that
Best practices:
- Use the portal and ARM API
- Assign the right role
- Use resource groups
20
Role Based Access Control
Diagram: users, groups and service principals in Azure Active Directory are authenticated and authorized against Azure resources held in resource groups within an Azure subscription.
21
ARM Hierarchy and RBAC Roles
ARM provides a more granular Role Based Access Control (RBAC) model for assigning administrative rights at the resource level. There are thirty-two built-in Azure RBAC roles for controlling access to Azure resources; the three primary ones are:
- Owner: can perform all management operations for a resource and its child resources, including access management and granting access to others.
- Contributor: can perform all management operations for a resource, including creating and deleting resources. A contributor cannot grant access to others.
- Reader: has read-only access to a resource and its child resources. A reader cannot read secrets.
22
Role Based Access Control
23
Key RBAC Concepts
Role definitions:
- describe a set of permissions (e.g. read actions)
- can be used in multiple assignments
Role assignments:
- associate a role definition with an identity (e.g. user/group) at a scope (e.g. resource group)
- are always inherited: subscription assignments apply to all resources
24
RBAC - Granular Scopes
/subscriptions/{id}/resourceGroups/{name}/providers/…/sites/{site}
- subscription level: grants permissions to all resources in the subscription
- resource group level: grants permissions to all resources in the group
- resource level: grants permissions to the specific resource
25
Roles for Azure subscription resources
Three primary roles: Owner, Contributor, Reader
- Permissions on all Azure resources
30+ resource-specific roles: Website Contributor, Virtual Machine Contributor, etc.
- Permissions scoped to the resources and actions typically required by customers
- More will be added as new Azure resources come online
Custom roles
- Allow customers to take existing actions and create a custom RBAC role
- The role must be loaded into each subscription
26
Resource Groups and Access Management
Best practices:
- Organize resources to meet access management requirements
- Grant access at resource group scope when appropriate
Example diagram: a Marketing subscription with Solution 1 and Solution 2 resource groups (each holding a virtual machine and a storage account, one also a SQL Server) and a Shared Infrastructure resource group (virtual network); a Finance subscription with a Solution A resource group (web app, SQL Server).
Benefits:
- More granularity
- Aligns with resource-specific roles
- Ongoing manageability
27
Example RBAC Assignment
Requirement (example):
- The user needs to manage “Web app A” and related resources such as “Application Insights B”
- The user shouldn’t manage “Virtual Machine C” or “Storage account D”
Best practice:
- Assign the Web app contributor and Application Insights Component Contributor roles on “Solution 1 resource group”
- Alternative: two assignments, the Contributor role on “Web app A” and the Application Insights Component Contributor role on “Application Insights B”
Diagram: Marketing subscription, Solution 1 resource group containing Web app A, Application Insights B, Virtual Machine C and Storage account D.
Assigning the Web app contributor role on Solution 1 resource group:
- conveys permissions on web apps and Application Insights instances in the resource group
- does not convey permissions on virtual machines or storage accounts
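The two ideas that make this example work are scope inheritance (an assignment at the resource group applies to every resource beneath it, as the Key RBAC Concepts and Granular Scopes slides state) and resource-specific roles whose Actions only cover certain provider namespaces. The block below is an added example, not code from the deck or from Azure itself: a small model of how Azure evaluates an action against role assignments, run over a constructed copy of the Solution 1 resource group. The role action lists are abbreviated and constructed (the real built-in definitions carry more entries), the principals and resource names are made up, and the subscription id is a placeholder.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    """A role: wildcard patterns for allowed actions, minus excluded ones (NotActions)."""
    name: str
    actions: tuple
    not_actions: tuple = ()


@dataclass(frozen=True)
class RoleAssignment:
    """Binds a role to a principal at a scope given as an ARM resource-ID prefix."""
    principal: str
    role: str
    scope: str


# Constructed, abbreviated action lists for a few built-in roles (hypothetical subset).
ROLES = {
    "Owner": RoleDefinition("Owner", ("*",)),
    "Contributor": RoleDefinition("Contributor", ("*",),
                                  ("Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete")),
    "Reader": RoleDefinition("Reader", ("*/read",)),
    "Website Contributor": RoleDefinition("Website Contributor",
                                          ("Microsoft.Web/sites/*",
                                           "Microsoft.Web/serverfarms/*")),
    "Application Insights Component Contributor": RoleDefinition(
        "Application Insights Component Contributor",
        ("Microsoft.Insights/components/*",)),
}


def scope_contains(scope, resource_id):
    """True if resource_id is the scope itself or lies beneath it.
    Comparison is case-insensitive and aligned on '/' segments, so a scope
    '/.../resourceGroups/rg1' does not accidentally cover '/.../resourceGroups/rg10'."""
    s, r = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")


def _matches(action, patterns):
    return any(fnmatchcase(action, p.lower()) for p in patterns)


def effective_roles(principal, resource_id, assignments):
    """Roles applying to resource_id for principal, including ones inherited from parent scopes."""
    return sorted({a.role for a in assignments
                   if a.principal == principal and scope_contains(a.scope, resource_id)})


def is_allowed(principal, action, resource_id, assignments, roles=ROLES):
    """Allow if any applicable role lists the action under Actions and not under NotActions.
    Permissions are additive across assignments; deny assignments are not modelled."""
    action = action.lower()
    for a in assignments:
        if a.principal != principal or not scope_contains(a.scope, resource_id):
            continue
        role = roles[a.role]
        if _matches(action, role.actions) and not _matches(action, role.not_actions):
            return True
    return False


# Constructed sample mirroring the slide's Solution 1 resource group.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder id
RG1 = SUB + "/resourceGroups/solution1-rg"
WEB_A = RG1 + "/providers/Microsoft.Web/sites/webapp-a"
APPINS_B = RG1 + "/providers/Microsoft.Insights/components/appinsights-b"
VM_C = RG1 + "/providers/Microsoft.Compute/virtualMachines/vm-c"
STOR_D = RG1 + "/providers/Microsoft.Storage/storageAccounts/storaged"

ASSIGNMENTS = [
    RoleAssignment("alice@litware.example", "Website Contributor", RG1),
    RoleAssignment("alice@litware.example", "Application Insights Component Contributor", RG1),
    RoleAssignment("bob@litware.example", "Reader", SUB),        # inherited by every resource
    RoleAssignment("carol@litware.example", "Contributor", SUB),
]

if __name__ == "__main__":
    checks = [("alice@litware.example", "Microsoft.Web/sites/write", WEB_A),
              ("alice@litware.example", "Microsoft.Compute/virtualMachines/write", VM_C),
              ("bob@litware.example", "Microsoft.Compute/virtualMachines/read", VM_C),
              ("carol@litware.example", "Microsoft.Authorization/roleAssignments/write", RG1)]
    for who, action, res in checks:
        print(who, action, is_allowed(who, action, res, ASSIGNMENTS))
```

Alice's two resource-group assignments let her write web apps and Application Insights components anywhere in Solution 1 but not touch the VM or storage account; Bob's Reader at subscription scope reaches every resource by inheritance; Carol's Contributor covers everything except the Microsoft.Authorization writes that would let her grant access, which is exactly the Owner/Contributor distinction from the roles slide.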
28
Azure Active Directory Integration
Best practice: all organizational Azure subscriptions use the same Azure AD for access control, i.e. don’t have each subscription in the organization relying on its own Default directory.
Benefits: manageability, compliance.
Diagram: Litware Azure AD serving both a Marketing subscription (Resource Group 1 and Resource Group 2, each with resources) and a Finance subscription (Resource Group A with resources).
29
Resource Locks
Accidents happen. Resource locks help prevent them :) Resource locks allow administrators to create policies which prevent write actions or prevent accidental deletion.
- Resource lock: a policy which enforces a “lock level” at a particular scope
- Lock level: the type of enforcement; current values include CanNotDelete and ReadOnly
- Scope: the realm to which the lock level is applied. Expressed as a URI; can be set at the resource group or resource scope.
30
DEMO Azure RBAC in Action
31
Azure Policy
32
Azure Policy for enterprise-level compliance
- Turn on built-in policies or build custom ones
- Enable policy-based management for all your Azure resources
- Audit policy compliance against best practices
- Enforce configurations like restricting deployment to specific datacenters
- Apply policies to a Management Group for control across your entire organization
- View policy compliance and trends over time
- Aggregate multiple policies together to gain visibility on an initiative
- Establish tagging standards to help drive accountability
Three themes: add policies to your resources, apply policies at scale, monitor compliance.
33
Policy Definition
$policy = New-AzureRmPolicyDefinition -Name costCenterTagPolicyDefinition `
    -Description "Policy to deny resource creation if no costCenter tag is provided" `
    -Policy '{
        "if": { "not": { "field": "tags", "containsKey": "costCenter" } },
        "then": { "effect": "deny" }
    }'
34
Policy Rule
Fields: name, kind, type, location, tags, tags.*, property aliases
Effects: Deny, Audit, Append, AuditIfNotExists, DeployIfNotExists
Logical operators:
  "not": {condition or operator}
  "allOf": [{condition or operator}, {condition or operator}]
  "anyOf": [{condition or operator}, {condition or operator}]
Conditions:
  "equals": "value"
  "like": "value"
  "match": "value"
  "contains": "value"
  "in": ["value1","value2"]
  "containsKey": "keyName"
  "exists": "bool"
35
Enforce naming convention
{
  "if": { "not": { "field": "name", "like": "namePrefix*nameSuffix" } },
  "then": { "effect": "deny" }
}
36
Enforce VM SKUs using parameters
{
  "properties": {
    "displayName": "Allowed VM Skus",
    "description": "This policy enables you to specify a set of virtual machine SKUs that your organization can deploy.",
    "parameters": {
      "listOfAllowedSKUs": { "type": "array" }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
          { "not": { "field": "Microsoft.Compute/virtualMachines/sku.name",
                     "in": "[parameters('listOfAllowedSKUs')]" } }
        ]
      },
      "then": { "effect": "Deny" }
    }
  }
}
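The Policy Rule slide lists the grammar (fields, logical operators, conditions, effects) and the three slides after it show rules written in it. The block below is an added example, not code from the deck and not Azure's evaluation engine: a small offline evaluator for that grammar, exercised with the page's three rules (costCenter tag, naming convention, allowed VM SKUs) against constructed resource documents. It assumes a hypothetical alias table mapping the page's sku.name alias to a property path, instantiates the naming pattern as "contoso-*-prod", and treats equals/like/in as case-insensitive and match as case-sensitive.

```python
import re

# Constructed alias table: the page's alias resolved to a property path in the resource.
ALIASES = {
    "microsoft.compute/virtualmachines/sku.name": "properties.hardwareProfile.vmSize",
}


def resolve_field(resource, field):
    """Return the value a policy 'field' refers to in an ARM resource document, or None."""
    f = field.lower()
    if f in ("name", "type", "location", "kind"):
        return resource.get(f)
    if f == "tags":
        return resource.get("tags") or {}
    if f.startswith("tags."):                    # tags.<key>; tag names are case-insensitive
        tags = {k.lower(): v for k, v in (resource.get("tags") or {}).items()}
        return tags.get(field[5:].lower())
    path = ALIASES.get(f)
    if path is None:
        raise KeyError("unknown field or alias: %s" % field)
    node = resource
    for part in path.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node


def resolve_value(value, params):
    """Substitute the [parameters('name')] template form; anything else is a literal."""
    if isinstance(value, str):
        m = re.fullmatch(r"\[parameters\('([^']+)'\)\]", value.strip())
        if m:
            return params[m.group(1)]
    return value


def _like(text, pattern):
    """'like': '*' is the only wildcard; compared case-insensitively."""
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE) is not None


def _match(text, pattern):
    """'match': '#' is a digit, '?' a letter, '.' any character; others are literal."""
    table = {"#": r"\d", "?": r"[A-Za-z]", ".": "."}
    regex = "".join(table.get(c, re.escape(c)) for c in pattern)
    return re.fullmatch(regex, text) is not None


def evaluate(node, resource, params):
    """Evaluate one rule node (logical operator or field condition) to True/False."""
    if "not" in node:
        return not evaluate(node["not"], resource, params)
    if "allOf" in node:
        return all(evaluate(n, resource, params) for n in node["allOf"])
    if "anyOf" in node:
        return any(evaluate(n, resource, params) for n in node["anyOf"])
    actual = resolve_field(resource, node["field"])
    (op, expected), = [(k, v) for k, v in node.items() if k != "field"]
    expected = resolve_value(expected, params)
    if op == "exists":
        return (actual is not None) == (str(expected).lower() == "true")
    if op == "containsKey":
        return isinstance(actual, dict) and expected.lower() in (k.lower() for k in actual)
    if actual is None:
        return False
    if op == "equals":
        return str(actual).lower() == str(expected).lower()
    if op == "like":
        return _like(str(actual), expected)
    if op == "match":
        return _match(str(actual), expected)
    if op == "contains":
        return str(expected).lower() in str(actual).lower()
    if op == "in":
        return str(actual).lower() in [str(v).lower() for v in expected]
    raise ValueError("unsupported condition: %s" % op)


def apply_policy(policy_rule, resource, params=None):
    """Return the rule's effect (e.g. 'deny') when its 'if' matches the resource, else None."""
    if evaluate(policy_rule["if"], resource, params or {}):
        return policy_rule["then"]["effect"]
    return None


# The three rules from the slides (policyRule bodies only).
REQUIRE_COSTCENTER = {"if": {"not": {"field": "tags", "containsKey": "costCenter"}},
                      "then": {"effect": "deny"}}
NAMING = {"if": {"not": {"field": "name", "like": "contoso-*-prod"}},
          "then": {"effect": "deny"}}
ALLOWED_SKUS = {"if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
             "in": "[parameters('listOfAllowedSKUs')]"}}]},
    "then": {"effect": "Deny"}}
PARAMS = {"listOfAllowedSKUs": ["Standard_D2_v3", "Standard_D4_v3"]}


def vm(name, size, tags=None):
    """Constructed minimal VM resource document in the shape the rules inspect."""
    return {"name": name, "type": "Microsoft.Compute/virtualMachines",
            "location": "australiaeast", "tags": tags or {},
            "properties": {"hardwareProfile": {"vmSize": size}}}


if __name__ == "__main__":
    print(apply_policy(REQUIRE_COSTCENTER, vm("contoso-web-prod", "Standard_D2_v3")))
    print(apply_policy(ALLOWED_SKUS, vm("contoso-web-prod", "Standard_E64_v3"), PARAMS))
```

Note that allOf short-circuits: for a storage account the type check fails first, so the sku.name alias is never resolved, which is also why the real rule guards the alias condition with a type check. The Azure service additionally evaluates Audit, Append and the IfNotExists effects, which are outside this toy.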
37
DEMO Azure Policies in Action
38
Q&A @JanakaRangama
39
Take the Survey! Your feedback is important! Please rate the session for a chance to win!
The survey is below the session description at http://elus18.expertslive.us
40
Related Sessions (time, speaker, room, title, as extracted):
- 2/8 10:30 | Mowrer | Sterling Ridge | Architect a Post-Breach Cyber-Defense Strategy
- 2/8 11:45 | Rangama | College Park | Azure Governance: Lessons from the Field
- 2/9 10:30 | Zerger | Mapping Microsoft Cybersecurity to the Cyber Kill Chain
- 2/9 11:45 | Alden Bridge | Securing BYOD Mobility with EMS & Intune MAM
- 2/9 2:00 | McAlynn | Enterprise Cybersecurity: No Endpoint Left Behind
- 2/9 3:30 | Kroesbergen | Modernizing Authentication: Eliminating Extranet Passwords