Day 06: Azure Resource Manager (Resources & Resource Groups & Management Groups) and Compliance in Azure

Azure Resource Manager (Resources & Resource Groups & Management Groups)

Azure Resource

  • Anything you create in an Azure subscription
  • E.g. virtual machines, Application Gateways, and CosmosDB instances
  • Good to have a consistent naming convention, e.g.: cloudarchitecture-prod-infrastructure-rg
  • Provides fine-grained access management through role-based access control (RBAC)
  • You can move resources that support the move operation to a new resource group or subscription.

Tagging

  • Helps you better search, filter, and organize these resources
  • Name/value pairs of text data that you can apply to resources and resource groups
  • E.g.
  • Good way to group your billing data
  • Help with monitoring
  • Help with automation
  • Help with governance through Policies
  • Limitations:

Resource locks

  • Blocks modification (Read-only) or deletion (Delete) of the resource.
  • Read-only allows only HTTP GET requests
  • You must remove the lock in order to perform the forbidden activity.
  • Apply regardless of RBAC permissions
  • Protects against accidental deletion
  • Use to protect key resources that could have a large impact if they were removed or modified
  • Only "Owner" and "User Access Administrator" can create/delete locks
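
Added example (not part of the original notes): a simplified Python model of how the lock rules above combine with RBAC. The scope strings and lock placements are constructed sample data, and the model additionally assumes the Azure behaviour that a lock on a parent scope is inherited by the resources beneath it.

```python
# Added example: simplified model of Azure resource-lock evaluation.
# Lock names follow the notes ("Read-only", "Delete"); all scopes are constructed.

LOCK_ADMIN_ROLES = {"Owner", "User Access Administrator"}

# Constructed locks, keyed by the scope they are applied to.
SAMPLE_LOCKS = {
    "/subscriptions/sub-1/resourceGroups/cloudarchitecture-prod-infrastructure-rg": "Delete",
    "/subscriptions/sub-1/resourceGroups/cloudarchitecture-prod-infrastructure-rg"
    "/providers/Microsoft.Storage/storageAccounts/auditlogs": "Read-only",
}


def effective_lock(scope, locks):
    """Return the most restrictive lock on the scope or on any parent scope."""
    levels = [
        level for locked_scope, level in locks.items()
        if scope.lower() == locked_scope.lower()
        or scope.lower().startswith(locked_scope.lower() + "/")
    ]
    if "Read-only" in levels:
        return "Read-only"
    return "Delete" if levels else None


def is_request_allowed(method, scope, rbac_allows, locks):
    """A request succeeds only if RBAC allows it AND no lock forbids it."""
    if not rbac_allows:
        return False, "denied by RBAC"
    lock = effective_lock(scope, locks)
    method = method.upper()
    if lock == "Read-only" and method != "GET":
        return False, "blocked by Read-only lock"
    if lock == "Delete" and method == "DELETE":
        return False, "blocked by Delete lock"
    return True, "allowed"


def can_manage_locks(roles):
    """Only Owner and User Access Administrator may create or delete locks."""
    return bool(LOCK_ADMIN_ROLES & set(roles))
```

Even a principal whose RBAC role allows the operation is refused while the lock is in place, which is why a lock guards against accidental deletion by administrators as well.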

Azure Resource Group

  • Also an Azure resource so it can have locks, tags, RBAC permissions etc.
  • Logical container for resources deployed on Azure.
  • Tied to a region & subscription itself.
  • Helps you organize resources
  • If you delete a resource group, all resources contained within are also deleted.
  • Authorization
  • All resources must be in a resource group and a resource can only be a member of a single resource group.
  • Some services have specific limitations or requirements to move from one resource group to another
  • Can't be nested.
  • Can see history of the deployments to a resource group

Organizing resource groups

  • By type (virtual networks, virtual machines, cosmos dbs)
  • By environment (prod, qa, dev)
  • By department (marketing, finance, human resources)
  • Combining strategies e.g. environment and department:
  • By authorization
  • By life cycle
  • By billing

Management Groups

  • Groups multiple subscriptions.
  • Can have RBAC assignments and policies
  • Good for enterprises
  • E.g.

Compliance in Azure

Microsoft Privacy Statement

  • privacy.microsoft.com/privacystatement
  • Explains what personal data Microsoft processes, how Microsoft processes it, and for what purposes.
  • Applies to the interactions Microsoft has with you and Microsoft products such as Microsoft services, websites, apps, software, servers, and devices.

Microsoft Trust Center

  • microsoft.com/trust-center
  • In-depth information about security, privacy, compliance offerings, policies, features, and practices across Microsoft cloud products.
  • Recommended resources in the form of a curated list of the most applicable and widely used resources for each topic.
  • Direct guidance and support

Service Trust Portal

Compliance Manager

Azure Security Center

  • Global service in Azure that includes a regulatory compliance dashboard of your services.
  • Insights into your compliance posture based on continuous assessments
  • Analyzes risk factors in your hybrid cloud environment according to security best practices
  • Overall security score, assessment against e.g. CIS, PCI DSS 3.2.1, SOC, ISO 27001.
