0:30
Hi, everyone. Welcome to Azure User Group Sweden
0:41
It's Saturday again, and we're here in the new session. Hi, Håkan. Welcome
0:46
Hello, Jona. Hi. How are you? I'm great. Thank you. We got snow here in Sweden
0:51
How about you there in Norway? No, so far no snow, but I guess it's just a question of time
0:57
Yes, that's right. Now we're talking about snow, but today we're going to have a special guest that comes from the warm country, tropical country
1:06
So I look forward to the hot session that we're going to have from Sweden today virtually
1:12
Yeah, so welcome everyone. And I hope that you're having a great Saturday sitting in your couch or wherever you are watching from your mobile or your computer
1:23
Thank you for joining us and spending time to learn with us today in our session
1:27
And before we start, I would like to introduce my co-community leader here, Håkan Silvernagel
1:35
He is Microsoft AI MVP in Norway. And he is a manager in AI and expert in machine learning
1:46
And has been a community leader and active in the community as a speaker
1:51
and leading user groups in Norway, such as the .NET user group in Norway
2:01
as well as the AI42 and other community events. So glad to have Håkan with me
2:08
contributing to this community. Yeah, thank you, Jona. And I'm also very proud to present Jona Andersson
2:17
She's the founder of our user group, Azure User Group Sweden, and she is also an Azure MVP
2:23
She is a Microsoft software trainer. She is also a professional speaker
2:27
on many different conferences and a mentor. And in her daily life
2:32
she works as a cloud and DevOps engineer at Forefront Consulting. And she is also writing a book
2:39
What is that book going to be about, Jona? Yeah, it's going to be about Azure, of course
2:44
for our community. Yes. So, yeah. Thank you for that, Håkan, for the great introduction. Yes, so before we bring our audience and get started, I would like
2:56
to remind everyone about our code of conduct. So Azure User Group Sweden is a community that
3:04
follows this conduct and we expect everyone to be nice and friendly, listen with purpose and be
3:12
thoughtful, be respectful to others, seek to understand and not criticize, be curious and
3:19
open about sharing your ideas in our chat and even in our after session Zoom meetings and be
3:26
inclusive and respectful in your comments and questions. And if you have questions about our
3:32
code of conduct for this community, feel free to reach out to me and Håkan on LinkedIn or our channels
3:39
and share it with us. Thank you. And before that, let me also share that to those that are
3:47
not familiar or familiar with Azure Heroes, we also are sharing Microsoft Azure Heroes
3:55
Learner Badge, digital badge today. So if you scan the QR code and claim your Learner Badge
4:02
for this. And of course, feel free to share on your social media with our hashtag
4:07
Azure Sweden or Azure Heroes and tag Azure Heroes as well. Thank you. All right. Let's bring
4:15
And let's introduce Håkan. You have the honor to introduce our special guest today
4:21
He is one of the trainers in the community and advocates that I also look up to
4:28
I have been following his courses on LinkedIn and Pluralsight even before I met him in person in a conference
4:37
So it's good that he is here with us today. Go ahead. Varsha Gud
4:42
Yes. Thank you. Yeah, I think maybe before I do that, we can also mention that after this session, we will have something that we call a Fika, which is basically an opportunity for you to meet with the speaker and ask him directly questions or have a discussion
4:57
So it's like a short 15 minutes Zoom room. So we'll share the link to that at the end of our session
5:07
So you're very welcome to join that. Now we will add Tiago here
5:13
Hello, Tiago. Welcome. Hello. Okay. Thank you very much for the nice presentation
5:20
It's a big, big pleasure for me for being here with you. Great honor. And I've been in Sweden a few weeks
5:28
I think it was like last week or something like that. I was there for just a few hours, okay
5:35
Because I was in Copenhagen for ESPC. And I dropped the bridge to Malmo, okay
5:40
some drinks with some friends. Yes, that's great. Do you know some Swedish words
5:49
Did you learn some? I don't know. Maybe you know one now or after this session
5:55
It's called Fika. That's I know. Exactly. I just learned that one
6:02
I have to confess that every time I go to Sweden, I never learn that much because everyone speaks English
6:09
And then that makes, okay, my life super easy, I have to confess, right? But because everyone speaks
6:16
English, you just, you know, and yeah, you get the idea, right? So yes, you end up not learning and
6:22
not experiencing the cultural, that part. But yes, that's right. And it's also practical. If
6:29
you don't need to speak Spanish, then you don't need to, especially if you're just here
6:35
temporarily. Yeah, exactly. If I was living there, for sure I would learn it. But, you know, if you just go
6:41
there for a week working and then you just come back and then you go back, I don't know, a few
6:46
months later again. Yeah. Yes, that's right. Yeah, it's not easy. But I know some parts. I used to
6:53
travel like really a lot to Greece, so I learned, you know, some basic, uh, knowledge on Greek, which
7:01
is really hard for me because it's really different from Portuguese and also different
7:05
from English. So that's what I learned: how to ask for a coffee, how to ask a taxi driver
7:11
"hey, look, I need to go here", you know, those basic things that you always need to survive, basically
7:17
Yes. Yeah, switching back, uh, I'm also like, I know, I've been to Portugal and the only word I
7:24
know is obrigado, and I like your dessert, uh, cupcakes that you have with some custard cake. Yes, that's right. We have people saying hi to you, everyone
7:37
We have Simon, Stephen. We also have Ashish, part of our community members, saying good morning
7:46
And some icons with snow. And Rika's as well. Good day, dear friends
7:53
I love what you guys were saying about snow and stuff like that. I was like, no
8:00
Right now it's sunny outside. Really sunny. It wasn't in the morning
8:06
The morning was a little bit rainy. But now it's sunny. But I know sometimes snow comes even in unexpected places
8:14
So have you had snow in the past? Yeah. So during all my life, and I'm only like 18, okay, I'm very young, okay, 18 times a few
8:28
basically only once snowed in Lisbon a few years ago. I think I was like 14, 15 years ago
8:35
And it was like, it snowed, it lasted for like an hour or two, the most, I don't remember
8:43
And then it was gone, you know, it didn't stick. Because we are just by the sea, you know
8:49
It's a warm country. It doesn't snow here, period. In Lisbon. We have some mountains up in the north that, yeah, it's common to snow there
9:00
And some other places more inland that it's common to have some snow during the winter
9:07
But look, we don't have to use tires that are different for the winter
9:12
And, you know, or shoes. Like I saw someone buying shoes the other day that were for winter shoes and stuff like that
9:21
We just don't have those things in here. Yeah, you're lucky you
9:26
But then we don't do winter sports. Yes, that's right. So there's a pros and cons there
9:35
And I wish that I could exchange a good Portuguese desert with snow sent back from Sweden to Portugal
9:43
but unfortunately it will melt right away it will definitely melt it's like I was just checking
9:51
the weather when you were saying that it's currently 18 degrees 1.8
9:56
and I'm like this you know okay I'm inside the house but still
10:03
but still there is no need and the AC is off and you know
10:07
You're good. So that's the advantage. But it does get cold here, to be honest. Yesterday was a little bit cold
10:13
at night. I was just doing some errands at night and it was a little bit cold. Yeah, that's great
10:18
Someone already wants to visit Portugal. Yeah, thanks to Tiago. All right, let's get started. So
10:25
we'll share your presentation and yeah, the stage is yours, Tiago. Thank you. Yeah, okay. Thank you
10:34
very much. So yeah, welcome everyone. So today we're going to talk about governance and some
10:40
time ago, I was like, I really need to do a session about Azure Governance. I was doing tons of work
10:47
in consulting around Azure Governance. I said, look, this is so important. I really think it
10:52
fits your session. And because I'm a huge Star Wars fan, you guys can't see, but there's like
10:58
some stuff on the walls that's outside focus here now. I was like, look, I really, really need
11:05
to do a cool title for this. And then I just came up with this title
11:09
I Find the Lack of Azure Governance Disturbing. And to be honest, I think it fits really, really well
11:15
because it is really disturbing for me to see big organizations without any kind of Azure governance
11:22
So let's do a short presentation about myself. My name is Tiago. And how do I work
11:28
I work as a cloud architect and advisor. I'm also a trainer. I also train people not just to get certified, but also to get certified
11:37
But more important than getting certified is to having the knowledge and to know what are we talking about
11:42
Then I'm also the author of some courses that you can find online. And I also speak in some conferences
11:48
I was just last week in Copenhagen speaking at the ESPC. So that was just one of the speakers there
11:57
I work as an independent contractor and basically I'm an Azure MVP, certified trainer and a bunch of stuff
12:05
So this is how you can reach me. OK, so ThiagoCosta.com. So it's just my name.com
12:10
It's like super easy. And yes, I'm based in the sunny Lisbon, Portugal
12:17
So what is the agenda today? So we have really a packed agenda here
12:22
And we're going to talk about what is the cloud today? Just, you know, a little bit, what's the status today
12:28
Then two things that I just want to make references on because I don't have time to really go deep on them, which is the cloud adoption framework and the well-architected framework
12:37
But look, they're pretty important. Maybe we can have a session on those on a separate session because they are so big, what we need to talk about, that they always fill a session by themselves
12:50
And then we have here in terms of governance. How do you get started on this
12:55
And we start to talk about subscriptions, we start to talk about management groups, so kind of the hierarchy of all of this
13:02
Then we talk about Azure policies, and then also a little bit about cost management
13:07
And I want you to get something out of the session today
13:11
that Monday morning you can just bring to your organizations and implement right away
13:19
I have like, I think it's five things that you can just take out of this right away
13:26
Cloud today. What is the cloud today? Cloud today is something that is very complex
13:33
We run millions of cloud resources. We no longer just run Azure for just that department
13:43
or just that small application that we have. No, we run this all across the organization
13:50
So it is massively important to make sure that we are okay with that and make sure that we know and we can control everything
14:02
It's also multi-cloud. It's no longer just one vendor. That's the vendor that I selected and that's it
14:09
Lots and lots of organizations are doing multi-cloud. So they're using more than one cloud provider, which I'm very critical on that aspect, because sometimes I see customers using multi-cloud when they don't need multi-cloud
14:25
They just do multi-cloud because they heard about it and they start to want to do it, but then they bring more complexity into the game, which in the end, all the advantages of the multi-cloud, they are just not there
14:43
But for big organizations, sure, it makes sense. Not saying that it does because it definitely makes sense
14:50
Then, like I said, across business units, across projects, so it's all distributed all around this. When we talk about cloud management capabilities, I always like to show this slide, in which we talk about not just governance, like you can see, you know, just right here
15:09
But we also talk about configuration. We also talk about monitoring, protection, security
15:16
Okay, so all of this, you know, it is something that definitely we need to talk about too
15:23
But today, look, we are just going to focus here on the governance part
15:28
That's the only thing that we're going to talk about today. But look, configuration, implementing Azure DevOps, GitHub, some DevOps tools, whatever it is
15:37
Log Analytics to monitor stuff, security, threat management, Sentinel, Defender for Cloud, protection with Azure Backup, Azure Site Recovery
15:49
So all of this, it's something that definitely you also need to do
15:55
Okay, so yeah, great stuff that we have here. Then what about that governance part
16:03
Let's just go deeper on this. So we need to talk about, you know, policy-based management
16:09
So this is where we're going to talk about like, you know, well, Azure policy so that I can force the, you know
16:17
basically my policies to be enabled. I have a policy in terms of my company that says, look
16:26
we cannot have certain data outside some authorized regions. Sure, okay, let's build an Azure policies to enforce, okay, that
16:38
Cost management. Let's never forget something about this: when we're talking about
16:44
governance, cost management always plays a huge role. And we all know all the stories, or let's
16:52
just rephrase this, all the horror stories out there about, you know, costs that got out of control
17:00
But there are tools for you to be in control of your costs. So that's something that, you know, we
17:08
also need to take care. And there are also tools for you to be able to prevent from costs to
17:20
increase and even very much control the costs the way that you need to control them
17:26
Resource visibility. When we have tons of resources, how do you find them? And this is
17:31
where we start to talk about tagging things, et cetera. And of course, subscription governance
17:36
Look, it's not because you want a subscription that I, as the cloud architect on your organization, will just give you a subscription
17:45
There needs to be rules for this kind of stuff. Okay, so this is cloud today
17:51
Then let me just talk about the CAF and the WAF. I'm a huge fan of the cloud adoption framework
17:59
And, you know, what is the cloud adoption framework? is just basically a framework that was created by cloud architects together with Microsoft
18:09
to basically provide best practices, provide documentation, forms that you can just fill in
18:19
Okay. So that you have something to help you to implement your business in the cloud
18:29
That's it. And this is a very high-level thing. It's very much for cloud architects and the business to work together, you know, the CFOs
18:38
for cost controlling and for all of that. So this helps your organization align the business
18:44
with the technical strategies. That's the last bullet point. It is great. We have several
18:52
pillars, seven to be more precise. If you see the first one, the first one is about defining the
18:58
strategy, okay? So that's where we're going to understand motivations, understanding why
19:05
we want to go for the cloud, business justification. And of course, maybe we have some
19:12
projects and we want to choose, you know, specific projects for this. And we have them in
19:20
here, and we can choose that. So that's pretty cool, what we can do with this. This is something
19:25
that I usually sit with my customers. And let's just write this down
19:30
Okay. And I ask them, what are your motivations to go to the cloud? Why do you went to the cloud if they're already there
19:35
If they're not, they want to go. Why do you want to go to the cloud? So that's something that I always do
19:39
And sometimes I have customers like, oh, what? They get surprised, you know
19:44
Like I was not expecting that question. It's just I thought that we just go do stuff
19:50
But no, we really need to think this. And then we plan
19:54
Okay. Then we are ready. Then we start to adopt this by doing migrations, which is sometimes lift and shift, even why not
20:06
Just that so that we have some stuff in the cloud. And then, you know, sometimes let's just look at that
20:13
And, of course, let's modernize those workloads. Because if you just do VMs, VMs, yeah, okay, great, you're in the cloud
20:22
but you're not taking advantage of the cloud. So that's something that I really like to do there
20:30
And then within all those four pillars that we have here, we always have those three down there
20:37
security, management ability, and govern. That, you know, in all of them
20:43
you always need to look for that. Security, look, it is a massive importance nowadays
20:52
I don't need to tell you that. I'm sure you read the news, you see what's going on in the world
21:00
This is not new to in terms of IT security, something that already came from like the past five, six years
21:06
that has been worse every day. 2022 is going to be the worst year ever
21:12
2023, my prediction is it's even going to be worse than 2022
21:16
in terms of IT security. So more attacks, more sophisticated attacks. So we really need to protect ourselves and our organizations against that
21:25
So that's something that's always across the board. And it starts when you're defining the strategy
21:31
That's something that you need to put on your strategy. It's not something that you just, you know, just do it when you're adopting things
21:40
No, from the start, you need to have a strategy for security
21:45
Okay. That's the cloud adoption framework. What about the well-architected framework? So the well-architected framework also comes with pillars
21:56
And we have a first pillar that is, for example, cost optimization. Okay
22:00
And this is pretty much more specific, you know, for a specific, a specific, you know, service
22:10
Let's just do this for, you know, this workload that is composed with virtual machines
22:15
It's composed with a SQL database from Azure storage accounts and some Cosmos DB
22:20
Let's just imagine something. So let's take a look at that and, you know, let's just build that also for cost optimization. For operational excellence, OK, so operation process that keeps the system running in production all the time
22:36
Or all, you have to define what is all for you. Then performance efficiency, which is when you have a system that it's getting a lot of load, will it scale or not
22:49
Because if it doesn't scale, well, you might have a problem there. Then reliability
22:53
Reliability, you know, is when we're talking about a system that, the system will fail. Look, it's
23:00
invariable, it will fail. But the thing is, how is it going to recover from failure? How much time
23:07
does it take, okay, to recover, and things like that. And then, look, this is the last one, but definitely
23:14
not something, okay, um, it's not exactly the last. It should not be like the lowest priority
23:23
which is security. Okay, so Nicos has a question regarding taggers by cloud proposal: "I also have a
23:28
similar approach and what would like to ask a question. Can we name a few scenarios where cloud
23:34
should be avoided?" Yeah, sure, okay, Nicos, that's a great question, by the way. So the big question is
23:38
are there scenarios where, you know, you should not use the cloud? Yeah, definitely true. For example
23:44
if you're talking about like a hospital, and I have this for an organization here
23:50
They are a private health provider. And we have several devices there that, you know, the latency that we have for the cloud is just not just not possible to be used
24:02
OK, because it really needs to have that very low latency that we that right now, you know, it's just not possible
24:11
Also, for privacy reasons, because it's medical data. And in this country, for example, there is no Azure data center
24:21
And there is a law for them that says that that data cannot leave the country
24:25
So that's another reason why you should avoid the cloud. Not that I like it
24:30
Okay, for sure not. But the thing is, what is the scenario there for those kinds of things
24:36
We use the private cloud. So we went with the Azure Stack approach
24:41
which is the private cloud, and they still have Azure for the stuff that they can use
24:44
the public Azure where they can use it, and they have the private Azure Stack stuff, okay
24:50
for their own things because they want to still manage all their infrastructure as cloud
24:56
But, you know, those have those very large racks for Azure Stack, and they just do it that way
25:04
So there are just two examples where, you know, you can use that
25:09
But there are governmental agencies using this. You know, there are military organizations using this
25:16
It's just a matter on how you use it. OK, so that's the well-architected framework
25:21
So what about subscription management? So let's go with the part of subscription management
25:28
And by the way, keep your questions coming. Happy to answer to them. If we're talking about subscription management
25:33
so what we have is a small definition on, hey, what is an Azure subscription
25:39
An Azure subscription is a logical unit of Azure services where my Azure services will then run
25:45
Every time you deploy an Azure service, I need to deploy this virtual machine
25:51
The service is the Azure virtual machines. Now I'm deploying a resource
25:56
That resource needs to be inside a subscription. You need to first option is always in which subscription do you want to deploy this
26:06
And then, of course, the resource group within the subscription. It's a very easy billing boundary
26:14
And what I'm saying is this. Some companies and some organizations, they need to have a very clear define
26:21
how much money they are paying for some stuff, how much money they are paying for something else
26:26
And this is a very easy way to understand that. If you have, imagine, two departments in your organization
26:33
Department one, department two. You create two subscriptions. You just put the resources regarding department one in one, department two on the other, and you're good to go
26:43
Yeah. And then you ask, what about shared services, Tiago? Oh, let's create a third one
26:50
How do you charge, you know, the shared services? Sure. Okay. That is something that you also need to take into consideration
26:59
It's not easy, that part, to be honest. But I'm also not a big fan of creating subscriptions just for the billing layer
27:08
Because then there are lots of concerns that come with this, especially in the infrastructure as a service world
27:15
If you have, for example, two virtual networks and you need to connect them in some way, you're going to pay for that
27:25
And sometimes you don't need to have two virtual networks and you just have two virtual networks because you have two subscriptions
27:31
So, you know, because a VNet, for people that don't know, a virtual network does not span across subscriptions
27:39
So it is something that you really need to look for in a very, very early planning phase
27:46
Tags can play a huge role on tracking costs. So look at that because you probably will just go around with just that
27:57
Okay, so that's pretty cool. And of course, then we connect this with a single Azure Active Directory tenant
28:03
I will answer the question, but just give me a second here, okay? So if we have this, oh, sorry
28:08
Imagine that we have this Azure AD tenant, and we have that subscription that we have over there, subscription one, okay
28:15
And then subscription one is connected with that Azure AD tenant. I have subscription two that's connected with that
28:21
And I can have tons of subscriptions that can be connected. But one subscription is connected with just one Azure AD tenant
28:31
One Azure AD tenant, as you can see here in the picture, can be connected with multiple
28:36
It can have multiple Azure subscriptions. No problem with that. Now the big question is, how do you manage this
28:46
But before we go for that, let's go for the question. Can someone put me up the question that we had before
28:51
Thanks. How can you balance all the pillars of the well-architected framework
28:58
Oh, yeah, that's not an easy question to answer here just right away
29:02
It really depends on the service that we're using, but we always need to imagine that if we want to have more availability of a service
29:17
more scalability, usually they come with an extra cost. Because sometimes, let's just give it a proper example
29:27
SQL databases. You're in a tier that doesn't have availability zones. You want to go and have availability zones
29:35
so that you have that extra availability. That's a tier that you need to pay more
29:42
for you to have that feature. But that again, again, goes against the cost management, right
29:48
Because you want to spend less money, not more money. So, you know, balancing this, it is something that it's not easy
29:57
to do that, that part, but of course, If you have the need for your application to have that level of availability, you have to go for it
30:09
There is no other way around. The thing is, you're going to pay more
30:13
Sure, usually always my customers never like that idea, but what is the cost for my customers and your customers and your organization to not have that application available
30:27
That's the question that you need to do. If it is something internal, it's not available, it's bad, okay, now it's available again, okay, nothing serious will happen
30:41
If it is something that is very customer-facing, and imagine it's an e-commerce frontend
30:53
Look, if you don't have that available, you're not selling. It's like if your shop, you know, the door is not opening, just no one enters, no customers get inside
31:07
your shop, so you don't sell. And not only that, but also the reputation costs that goes with that
31:15
too. The impact on that can be massive. And look, I'm sure everyone has examples of this. There was a
31:24
supermarket here in Portugal that I was always going to that supermarket. One day they had a
31:31
massive issue with their IT and all the shops across the country, they were not opening
31:36
Okay. Because they had like, I don't know, it's a massive thing that they have there. It doesn't
31:40
matter. And I was like, oh, okay. I was like, you know, in a shopping place. I was like, okay
31:46
just let me go to the supermarket that's just next door. Because there is another one that I'm not
31:51
used to go there. I went there. I found, you know, cool products that
31:55
the other one they don't have. And I was like, oh, yeah. And I liked that too
31:59
And, you know, I started to go to both. So they didn't
32:03
only lost, you know, that day sales, but they lost sales for years. The
32:11
impact on this, it is massive. Only because they didn't have a highly, highly available system
32:18
Then of course that will cost more money, so you always need to balance this. But yeah, definitely
32:24
look, I'm not going to say it's an easy thing, because it's not. Going back here. So subscriptions
32:30
We have tons of subscriptions and now we have to manage all this. I have customers that we have
32:35
hundreds of different subscriptions. How do we manage this? We need to manage this as a group
32:42
Well, as a management group. That's the name that we use for this part
32:49
So let's talk about management groups. It's a scope above subscriptions that we have
32:55
And then we create this hierarchy that you can see here. Okay
33:01
So I create here a tenant group, group, group. I create something in here
33:05
And then, you know, you can create a hierarchy. That hierarchy, by the way, can be six levels up and down
33:11
so vertically can be six levels. You should create something that is flexible enough for changes
33:20
and represents what your organization is designed today. Okay? Departments or by regions or how you see your organization
33:34
your company today. I said you should have it flexible enough to be changed
33:40
That's important because it's very common for management to come up with a "we have here a
33:49
reorganization of our company", because, you know, times change, the way that people buy things
33:58
changes, and your company needs to adapt to that. So it is common, and sometimes people
34:04
oh, only companies that are in a bad position re-org. Our company is not
34:10
No way. Your company will re-org even if it's good or in a bad position
34:15
If it's in a good position, it's a reorganization. It's always good, it's healthy for the company
34:21
Or you just buy another company and you need to integrate the other company
34:25
There's always stuff that you need to reshape the way that you do management groups
34:31
So there you go. Then you can target management groups to be the scope of policies, of RBAC assignments
34:38
So benefits of this, you know, logical representation of the organization. You can apply policies
34:44
You can do RBAC at the management group and you can do governance over, you know, the subscription
34:50
So with this in mind, let's just do here, you know, a demo exactly on exactly on that
34:59
And I already have the Azure portal somewhere. There you go. Too many screens today
35:06
So this is my Azure portal. And if I go, for example, to management groups
35:12
well, this is my demo company that I have. It's called AZ Contoso
35:16
And as you can see here, I have this root group here. And if you see the root group here, so this part here
35:22
I have then another management group that's under that, okay, called branches
35:27
This is where, you know, my company has, this demo company here, has branches all over the world
35:35
And we want to give to those countries a subscription so that they can, you know, just do their Azure stuff there
35:44
Corp, this is where I run my corp workloads. Forget about this one here, okay
35:49
It's others. It's just other stuff that I don't know where to put it. I just put it there
35:53
And then we have this sandbox. This is where if I do some R&D and I want to play around with stuff, I just create subscriptions there
36:02
You know, so just I can have a little bit more freedom in the stuff that I can create
36:06
It's still under control. If we expand branches, you see, oh, I even have more
36:13
Okay, here. I even have more management groups. So another level of management groups
36:18
And I have this divided here. Okay, by big regions. Those are the regions in my demo company
36:24
If we go for Europe, for example, I see, oh, there's four subscriptions in here
36:29
And you can see the, let's just say, the four countries where I have a branch, which is Germany, Netherlands, Portugal, and the UK
36:39
I need to create one for Sweden. OK, and there you go. Then I have North America
36:43
I have here some more stuff. And I can even go to the Asia part
36:47
And I have Singapore over here. OK, so there you go. So that's my management groups
36:54
stuff. How do I do this? Imagine that I have this AZ training, Contoso training, and I wanted to move
37:01
this to this sandbox that I have there. So you select the subscription and then under the
37:10
subscription, which is not like this. Sorry, I have to go back. You have to select the three dots here
37:16
Okay. And in the three dots, you click move, which is not available. Oh, sorry. This one here
37:24
and you click move. And when you click move, you just need to say, hey, I want to move this to the sandbox, because this training, I want to do some R&D and some stuff like this
37:37
There you go. So if you do this now, that subscription will be under that management group
37:43
What is the impact of such a thing? Well, if you have policies that are assigned here on the sandbox
37:54
That subscription now is going to be under those policies. You cannot create resources in, I don't know, region X, Y, or Z
38:07
Sure, now you can't do that. Starting now. Whatever is created is created
38:14
It will not limit you on that part. So there you go
38:20
How do you create a new branch? So you go to branches, let's just say, uh, here, and let's just say I want to create here, um
38:30
I don't know, APAC. It's Asia, but let's just say APAC. So you put yourself under the branch
38:37
black branches here, and I want to create a management group under, okay, under this
38:44
And so what I do is, you know, I just click here, create, and you just need to put here an ID
38:53
Okay? And I'll just put one to five, for example. And then let's just say Africa
38:58
And you just create like this, like Africa. And you just click Submit
39:02
Okay? And if you do this, you know, this is a new management group that will be created under branches
39:08
They even say here, it's going to be a child of branches. And it's really just this
39:13
It's really not that hard to do this. And this is like super important to do this
39:20
Do we change the management group hierarchy settings? So new subscriptions are added to the sandbox group and not to the tenant root group
39:27
Great question. I usually don't show that, but let me show you guys this
39:32
So if you are in the management group overview page, okay, under settings, you can define
39:42
here what is the default management group for new subscriptions. And yes, definitely
39:49
I usually have something more than the sandbox. I usually don't have the sand
39:53
I don't use the sandbox for that. I have one that is really called new subs
39:59
And the new subs will be over it. Why is that? Because you can't do that much on those subscriptions
40:06
Got it? It's very limited, the stuff that you are going to be able to do on new subscriptions
40:11
I don't want new subscriptions to be able to do things that you're not supposed to
40:19
So I limit a lot what you can do over there until someone moves that subscription into the right leaf of the tree of the management groups
40:31
Got it? So that's kind of the idea. So we can even create that
40:34
I need that for my demos. So let's just go to this here. Let's just say create a new one
40:43
And let's just say, let's call that 99. Okay. And let's just say new subscriptions
40:50
Okay. There you go. So now I have here a new subscriptions that will be under AZ root
40:58
This always takes some time to show up things here. There you go. New subscriptions
41:02
And now I can go to management groups, settings. Okay. Change this, and you just change this to this one here, okay. Uh, oh yeah, I think I don't have
41:17
permissions to do something like this, but well, you get the idea. I need to see, because I think
41:21
this user doesn't have the permissions for this, but I need, I need to check that. Got it? But that's
41:27
it. Great question, by the way. Okay, so moving on, we have more stuff to do, and the cool stuff
41:33
is going to start now. What is the cool stuff? The cool stuff, now let's talk about policies
41:42
And if we talk about Azure policies, am I a huge fan of Azure policies
41:49
and what you can do with Azure policies? But in a nutshell, Azure policies is for you to create
41:56
assign and manage policies. Let's give an example. And I have here some examples
42:03
I will get back to that slide. Some examples of Azure policies
42:07
Allowed locations. I use this a lot. We as an organization, we come up and we say
42:13
only those Azure regions are the ones that I want to use
42:17
Sure. Okay. Let's just go with those. Resource types. I'm only going to use those resource types
42:26
This is one that I always talk with my customers and I always ask them
42:30
customer, what is the services that you're using today? If they don't know, we can query that very easily using PowerShell
42:38
and using other tools in the Azure portal to get that. And we get the list of the current services that they use today
42:48
And I always ask something that I can't query. I really need to ask, which what are the services that you're pretending to use
42:55
very, you know, in the near future? Making that list, I'm going to do Azure governance to each one of them. And when I say this is, I'm
43:06
going to look for, let's talk about storage accounts. Storage accounts, okay, we're going to
43:13
create templates to define how we create a storage account following the best practices
43:18
I talk with the company, I talk with the security team, I talk with the business, I talk with loads
43:26
of people so that we as a whole define this is how you use storage accounts
43:33
It goes to the point of what's the naming convention that you should use for this
43:40
Got it? So that's the way that we do this. Then why is this policy helpful on all of this
43:49
If, you know, I will only say, let's imagine, let's give a proper example
43:56
We're only going to use app services, storage accounts, and, I don't know, VMs
44:06
And of course, then you should have VNets and stuff like that. But let's just go with just VMs, okay, for my example
44:11
Let's just go with those. I'm only going to, in the policy, say I only allow those three to be created because are the three that I have defined the way that they should be configured
44:22
Get the idea? The other ones, we never did that definition. Let's imagine a real example
44:29
One of my customers, someone wanted to create a Databricks cluster. And I said, well, no, we never talked as a company how we should be using that
44:42
So you're not going to create that. Sorry. But they say, oh, but it's for, you know, just R&D stuff
44:48
That's why we have subscriptions for that. Go to those subscriptions where then
44:53
over there, sure, you can create that. Virtual machine SKUs. We all know there are virtual machines in Azure that cost like 10 euros a month. And we have on the other spectrum virtual machines that cost
45:08
you know, thousands and thousands of euros a month, like really lots of thousands
45:15
So we're like, my big question is, you know, those virtual machines that everyone likes to show off
45:23
that they have hundreds of CPUs, terabytes of RAM. Let's be totally honest with each other
45:31
Do you use those VMs? Do your company use them? Most probably not
45:36
Only a very few companies use them. And even those companies that use them
45:42
and I have one of my customers, they use them. They use them in very specific use cases
45:48
Most subscriptions never get near those virtual machines. So let's limit the stuff that you can create
45:57
And you also save money with this because you're not going to have people creating those very large virtual machines
46:03
If you even limit the families that they can use, then you're in a very better condition in the near future to work with Azure reservations because you don't have a spread of different families of virtual machines
46:23
you're more focused on just a few sizes of virtual machines. So when you implement an Azure reservation strategy
46:32
that will be much more successful than when you have organizations that they are using
46:39
I don't know, hundreds of different sizes all across the organization. So you can just look at this
46:48
And it's not easy to implement this kind of stuff. Technically, it's pretty easy
46:52
Business-wise, it's not. But just another example of a policy that can be pretty useful
47:01
Requiring tags, enable Azure backup on virtual machines, you name it. Let's go back one slide here
47:06
So advantages of this. Enforce compliance, like locations. I really need just to use some locations
47:14
There you go. Apply policy at scale, because then you can just apply this at the management group
47:19
for example, for naming conventions. Let's imagine you decide to use an Azure policy
47:25
Sure, let's go and implement this over there. So that's a big example of what we can do
47:35
Remediation. So that you can also remediate things. So I'm getting a question about any reason why Blueprint is not part of governance
47:44
So Blueprints are... This is recorded, but let's go ahead. They're not getting any more updates for a long time
47:54
I would look at a proper Azure DevOps strategy and template specs
48:01
because they are way better than to use blueprints, to be totally honest, okay
48:09
Blueprints, for people that don't know them, you could just define just some Azure policies
48:16
some RBAC assignments, create a resource group here, deploy this template, and that's it. But
48:23
to be totally honest with you, that's for ARM templates. There is built-in, then of course you
48:30
could figure out how to do it, but built-in, there is no source control for those ARM templates
48:36
There's no integration built-in for that. It's only for JSON ARM templates. There is no support
48:44
for Bicep on that. So I'm like, yeah, not, not going to support that. No, I'm not going to advise
48:50
blueprints anymore, and this is why I also not talk about blueprints anymore in my presentations
48:55
I used to, by the way, uh, azar, but not, um, I don't do it anymore. So just look at template specs, okay
49:04
and you will, and it's pretty cool stuff that you have there. So this is the policy dashboard, but
49:10
Before I just show you a picture, let's just go. Let's do another demo on this
49:15
And, you know, let's just see the policy dashboard. So you just need to search for policy
49:21
And when you do that, there you go. So we are here. This is the policy dashboard
49:25
You can even go to compliance here on the left. See? So over there on the left, and you have all the same thing
49:31
but just the dashboard. And you can see here in my case, my demo company
49:36
I have plenty of stuff here that I have like 94, you know
49:40
This is a great resume here. 94 compliant resources, but I have 78
49:45
They're not compliant. Whoa, this is not good. Not that bad. I've seen way worse than this, but that's not that bad
49:54
And you have here a bunch of things, and you just need to figure it out
49:58
the policies that you have here and why those are not being assigned
50:04
Let's just go here with, for example, this one here. So this policy assignment is called allowed locations Europe
50:14
and I look at this and I see that, okay, I can view the definition. I will tell you, this is a
50:20
definition only to allow, uh, the creation of resources in the two European regions, West
50:29
Europe, North Europe. I look at this and I see, well, this is that this, this resource here called demo
50:35
POPG, okay, if you see the location of this, it's in a location that's not one of those two
50:42
And this is why this is saying, you know, that this is not compliant. Now you have two options
50:47
You can just click here. For example, you can even view the resource. You have here, oh, it's a
50:52
proximity placement group. Yeah, it's in East US. Well, you have two options, or you find a way to
50:58
move this resource to one of those two regions, which in this case, it's not possible because
51:03
there is no migration path for that. Or you delete, you recreate in the new region. If you need to
51:10
migrate data, you need to find ways to migrate the data, etc. Or in this case, because this will be
51:17
easy because, you know, if you could move this from the resource group that's called azdemo
51:25
that will work too because this policy is assigned to a specific resource group
51:31
Okay, so it could be another way to solve this. Sometimes, you know, it's not easy to solve this kind of stuff
51:38
Got it? So just need to pay attention to that. So there you go
51:46
So that's just that part. Terminology that we have with policies. So we always have the policy definition
51:55
So that's the first part, you know, that we have. With that, as you can see, I could just define, you know, a policy myself if I wanted, or I can go
52:06
and check the built-in ones. Then I have to assign that policy, so I can just grab that and just
52:15
assign that policy. To assign, I need to basically select a scope. Scopes for assigning policies, okay, they could be management group, they can be a subscription, or even a specific, you know, resource, uh, resource group. So all those three are options that we have for this. If we
52:43
talk about, Tiago, I want to create my own policy definition, sure. A policy definition will be
52:51
something like this, and as you can see here, I have some properties over there, um
52:58
like the display name, etc. Then I can have some parameters, okay, and then parameters are like
53:05
useful so that I can reuse my policy definition in some other scenarios. Like an allowed locations
53:12
okay, I have a parameter called, you know, allowed locations, uh, which are, it's an array of all the
53:21
locations that I'm going to allow when you're doing an assignment of that policy. So you can
53:26
reuse the policy, or else you needed to create one policy saying allowed locations West Europe and
53:32
North Europe, and if you wanted to do the same thing but now for East US, you needed to create
53:37
another policy definition. Just doesn't make any sense. So you create a policy definition with a parameter
53:45
And then when you're assigning, you just input the values that you want for that parameter
53:51
The other part is this, is the policy rule, okay, that you have here
53:56
If not field in location, then, okay, the effect. And there are plenty of different effects
54:03
There is the deny. The deny really denies the creation of this. And with this in mind, let's just do now
54:10
another demo here. What I'm going to do now is, I already have a policy assignment
54:15
running, and I'm going to try to create a resource that goes against that, uh, that policy. So I'm going
54:24
to try to create here, uh, for example, a storage account, and my storage account is going to be
54:33
created in this subscription that I have here called AZ Contoso UK. I have a policy assignment
54:43
for this AZ Contoso UK that tells me that the resources need to be in one of the UK regions
54:54
So let me just put here a name for this, and see the region. I'm going against that policy
55:04
If you go into your review, you will see that that thing, that validation that I'm doing on the top
55:10
there, is going to fail. There you go. And we click here. Why this fail? I have permissions to create
55:18
the stuff, so why is that? Well, you see, was disallowed by a policy. You even have here the policy
55:25
definition. You click on it and you can see why that was the case, because, you know, this is the
55:31
allowed locations UK. You go to parameters, you see there's two parameters selected, and there you go
55:38
Only those two are allowed. So you are, ah, okay, let me close the tab, close this, go to the basics again
55:46
And let me just change this, you know, by selecting here one of the UK regions
55:54
Oops. Okay. So, let's just say UK South. And if you review now, you will see that the create button will be activated
56:03
But I'm not going to click the create button. Okay. But then already passed the validation
56:08
Okay. So, cool stuff, you know, that I have here. Second demo
56:14
So let's go to policies here. And let's do a policy assignment
56:20
So you know how policy assignments will work. But for that, let me just go back here
56:27
Let me create a resource group for us. And I do it in here
56:32
AZ demo. And yeah, whatever. It doesn't matter. There you go. We have this created
56:43
Now let's go to policies. So let's do this. There are several different paths to do the same thing
56:49
But in the end, you just do the same thing. So I'll go for definitions
56:54
And I'm going to look for the definitions that I have here. And, you know, the definitions, I have this basically custom definitions that are already
57:03
did here. And you have then, okay, the built-in ones. There are more than a thousand policies
57:10
So before you even think about doing something, check if there is a policy that already does what you want
57:16
If there is not exactly what you want, if you click in one of them, you see the source code of the policy
57:25
Sometimes I have customers like, hey, Tiago, this here almost does what we want, but it just wanted this slightly different thing
57:32
Just create a custom one based on this. The source code is here, so you can just adapt this
57:38
Yes, you can just duplicate the definition and just go with that. So in my case, let me go for this, naming policy for VNets
57:46
I like this. I say, yeah, this is exactly what I want. Let me assign this
57:51
And when you assign, I can assign this to a specific resource group
57:58
And I'll go for AZDemo. This will be so much easier if they alphabetically order this, but they don't
58:08
There you go. What's the assignment name? Okay. Naming policy VNet. I don't know
58:16
I don't like to do it like this. I like to do it like this. Sweden
58:21
You could put a description on this or not. It's up to you. Parameters
58:25
No parameters on this one. So let's review and create. And then let's then create this
58:31
And there you go. So I now have created this. Now this, you know, it takes a while to really work in order to, you know, show you the error on the UI
58:45
But if you try to do something now, it will be under that. But only usually when you press create is that it will give you the error
58:53
But it's already there. So pretty cool stuff that we have here
58:59
So if you talk about for policies via Microsoft Defender for Cloud
59:03
So those are, you know, a special, they have a special category in here
59:07
Okay. That's how you need to put your custom policies in that category, which is called, it used
59:14
to be called security center. I needed to check that, but you just need to put them in the specific category
59:24
Okay. You can just, just, just tell me later and I will tell you the exact one
59:28
I think it's now regulatory compliance, but I'm not. No, security center
59:34
There you go. It's this one here. It's there. Why is not here? Security center
59:42
Oh, yeah, there you go. Security center. This is it, okay? I was not seeing it, okay
59:48
They still call it security center here in the names of the categories, okay
59:53
That was the old name for Microsoft Defender for Cloud, by the way. So now I know that we're like on top of the top
59:59
But let me just now show you something that I really want to show you, which is this
1:00:06
Just what are my top five policies? Definitely allowed locations, okay? Allow VM SKUs, enforcing naming conventions, if that's something that you want to do
1:00:17
Enforce tags and the allowed services, okay? Sometimes, like I was telling you, look, you really want to do that bit of forcing that
1:00:29
So that's something that, yeah, definitely you want to do it. Just to close up cost management, there are the obvious tools
1:00:37
Pricing calculator, Azure Migrate, you know, all the migration tools have some cost assessment that you can do
1:00:45
There are like the obvious choices. One very cool thing that we have when we talk about cost is tags
1:00:57
Tags make you adding metadata to your Azure resources. So it's very common for me to make sure that everyone has a tag called owner, called department, called cost center, something like that
1:01:12
You can do tags to resource groups or to individual resources. If you do to a resource group, look, it doesn't mean that the resources will have those tags
1:01:23
It's different things. So you always need to do the resources themselves. This is name value pairs
1:01:28
It's super useful for billing. Why? If you just go and you just take the cost
1:01:34
okay, details of your subscription, you're going to get something like this
1:01:38
And I'm sure you can't read this, especially if you're in a mobile device, even worse
1:01:43
But even if you're in a computer, look, you're not going to read this. It's horrible
1:01:47
It's so detailed, so much information. So we really need tools that will be able to work with this
1:01:57
We have the Azure Cost Management, which is a tool included in the Azure portal
1:02:01
We'll help you a lot. It's free. You don't pay for it. It's amazing
1:02:07
You can also query the billing API. Just go query the billing API and build your own tool to analyze this
1:02:16
It's not the first time that I do things with the billing API with customers
1:02:22
You can do like really cool stuff. You also have Power BI. So with Power BI, you know, there is lots and lots of things that you can do
1:02:36
And there is an integration for cost management even. So you just need to get data
1:02:42
Billing from Azure, boom. And you connect with this and you get the data
1:02:47
And of course, look, I don't like to talk about third-party services during my presentations
1:02:52
I never do that. But there are third-party services out there. I'm not going to name them, but there is plenty of them that will help you on this
1:03:01
And some of them are pretty good. And you can save money by using those products
1:03:09
But, of course, you don't need them, to be honest. So cost saving. Reservations
1:03:15
Look for that. Hybrid benefits with software assurance. Sometimes you can have licenses when you're moving virtual machines or SQL Server, for example, to manage the instances
1:03:26
and Azure SQL, that you can move the licenses from on-prem to Azure
1:03:33
And, of course, you don't need to pay two times for that. Credit. Sometimes Microsoft gives out credits because you need to do some project
1:03:41
using a new service. They can give you out some Azure credits
1:03:44
Check that out. Regions. There are regions that are more expensive than others
1:03:50
Be careful with that. One of my customers, we don't have any problem using any region in the world
1:03:56
we can use whatever region we want in terms of, you know, residency concerns. There's no residency
1:04:02
concerns for the data that they have, so we can use whatever we want. Still, there are some reasons
1:04:09
regions that we blocked, and we say we're not using this, okay. So we did, we did that, like, like
1:04:16
Switzerland, it's way more expensive than the others. Like Brazil, again, same thing, you know
1:04:21
policies. I told you, you could save lots of money with this. And of course, do budgets
1:04:27
Create Azure budgets in the cost management tool. There's a feature there called budgets
1:04:31
And you can use that and you can save, you know, again, tons and tons and tons of money
1:04:38
with that. OK, so just check that out. Some cost optimizations to monitor your virtual machines
1:04:47
your compute. Sometimes I have customers that they have virtual machines that no one is using
1:04:52
them anymore. Check that out, you know, and see what you can do over there. Consider using reserved instances or spot instances. Again, can save really lots of money by using that
1:05:08
Consider running workloads in different regions if you can, because there are regions that are less expensive, so why not
1:05:15
Use dev and test subscriptions. You have dev and test subscriptions that they can save tons of money
1:05:23
because you don't need to pay license for that. And if you're just building a development environment or a testing environment, you can use those subscriptions
1:05:31
Okay, for that. So just check that out. Nubis is saying, are people using Azure DevTest Labs to save costs
1:05:38
Definitely, because it's not that you just use that and you save money immediately
1:05:42
No, but the thing is, if you just want a development environment, you know, for your workload, and then you just don't need it anymore, you can use those
1:05:50
Because you just go there, I don't need this anymore. and it just deletes everything for you
1:05:55
So it's a great service and it doesn't come with an added cost. DevTest Labs don't cost a thing
1:06:01
It just costs the compute that you're running. So yeah, why not? So definitely something that you can also use
1:06:09
to save some money, okay? And so I hope you enjoyed this session
1:06:14
I have here just some session takeaways. I always like to give you like something
1:06:19
so that Monday morning, you can just use this in your work
1:06:24
Create a naming convention when it comes to Azure governance. You know, it is super important for you to name things wisely
1:06:31
And then with Azure policies, you might even want to do this too
1:06:38
Implement Azure policies to enforce tags, you know. Start your Azure governance approach
1:06:45
Start to document things, you know. This is what I want to do with Azure
1:06:50
and then just start to create some document around governance. Find dev and non-used virtual machines in your organization
1:07:01
and kill them, okay, if you can. And optimize your Azure cost with reserved instances
1:07:09
with spot instances, because you might also save really lots of money by doing this
1:07:17
So that's it. So thank you very much. My name is Tiago, and this is how you can implement Azure governance
1:07:23
And if you want to follow me, you can go to follow.tiagocosta.com
1:07:28
I have on that website like all my social networks. I'm very active usually on Twitter and on LinkedIn. That's where I'm more active. So just give me a follow there
1:07:40
Or just add me. That would be great. And that's it. Yes
1:07:49
Thank you so much, Tiago. For the great and awesome presentation. I was literally taking notes
1:07:57
And learning from your session as well, especially about the policies and great questions and interactions from our audience as well
1:08:06
Thank you so much. There is so much more to talk about all this
1:08:10
This is kind of the beginning of the story because then there is way, way more to talk about on this topic
1:08:17
Yes, I do have a few questions, but I think I'll reserve it to our after session to keep our time
1:08:23
But do you have time to join us? Yeah, I can join a few minutes
1:08:27
Not that many, but yeah. Sure. Now we can take a last question here from the audience
1:08:34
Yeah. Just this one. If you can modify a tag value once it's assigned
1:08:39
Yeah, sure you can. Definitely. That's something that is possible to do
1:08:43
Okay. Great. All right. All right. So we are ending our session, but we do have our Fika after session one
1:08:55
So let me just go ahead and share the link to the Zoom, which is a Bitly URL
1:09:02
So Bitly Asug Sweden FICA 2022. So it will direct you to Zoom after the session
1:09:11
All right. Do you have anything else, Håkan, before we say goodbye for today
1:09:17
No, I think it's better we take it in the Zoom room. All right
1:09:22
Thank you so much, everyone, and most of all to Tiago. And I wish everyone a happy weekend
1:09:30
if you're not joining us in the Fika session. Have a great weekend
1:09:37
Goodbye. Okay, yeah. Bye-bye. It was a pleasure. Thank you. Thank you