A step-by-step guide to setting up an Azure landing zone
Iridium (IR77 limited)
By Brett Hargreaves, Architecture and Cloud practice lead at Iridium
Sometimes the first step of just formulating a plan is the most difficult, so I've put together a high-level overview of some of the main actions.
Define Organisational Structures
Organisations should configure governance structures to help manage policies and standards. This includes setting up a management group structure within Azure, followed by defining rules for subscription creation and resource groups.
For example, a management group structure may reflect a company's physical structure (i.e. location-based) or its organisational structure (i.e. department-based). This will help control the flow of access and policies. Getting this structure wrong will create complexity and management overhead, so time spent thinking it through now will save you time and money later.
Set up Identity and Access Management
Identity and Access Management (IAM) is about creating a secure user directory that protects your users' accounts and thus prevents access by malicious actors. Once your users are in (authentication), you need to ensure they only have access to what they should (authorisation).
At a bare minimum, this entails setting up services such as Multifactor Authentication (MFA) to protect against password theft, but to truly secure your environment you should enable more advanced features such as regular access reviews, Just in Time Access, Conditional Access, and Privileged Identity Management.
IAM also involves defining a suitable set of roles and groups that provide access to the correct resources, and only those resources, and then assigning users to those groups. There is often a crossover with the joiners and leavers processes, to ensure that users' accounts are disabled and access removed when they leave.
Finally, having a good organisational structure helps here, as it allows you to set role and group access at the level of your organisation hierarchy without the need to assign access to individual resources or users.
Define Policies and Standards
Many companies have specific requirements around how components should be used and configured. These might come from the need to align with customer needs, or from regulatory requirements within a given industry. A common example is the PCI requirements for systems that handle card payments.
This starts with defining the required standards, which range from agreeing naming conventions to tagging resources with metadata, or even documenting rules for how to divide workloads. For example, do you have multiple subscriptions, or one subscription with multiple resource groups? There's no right or wrong answer; it depends on the size and complexity of your organisation.
Once you have defined your policies, you can codify them in Azure using Azure Policy. Azure Policy can report on, block, or automatically apply configurations to any component in Azure, regardless of the role a user has been assigned.
For example, if you want to ensure that storage accounts only ever allow access from an internal network, and therefore block internet access, one way to do this is to create an Azure Policy that always sets Public Access to Disabled whenever a storage account is created. The policy can be set to:
Audit - just flag the component as non-compliant, to be manually remediated at some point in the future
Deny - prevent the resource from being created at all if anybody attempts to create a storage account with public access enabled
DeployIfNotExists - if the flag to block public access has not been set by the user, go and add it automatically
Azure Policy has other variations of these actions, but essentially all this means is that if it's configurable, you can report, deny or enforce it.
Other examples of what you can use policies to control are:
Apply tags to all resources
Constrain which regions resources can be deployed in
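As an added illustration (not code from the article or from Iridium), here is the storage-account rule above in Azure Policy's definition format, together with a small hypothetical evaluator that shows how Audit and Deny treat the same non-compliant request. The field alias Microsoft.Storage/storageAccounts/publicNetworkAccess is the real Azure Policy alias for this setting; the DeployIfNotExists variant is left out because it needs a remediation template.

```python
import json

# Policy definition for the storage-account case. Keys follow the Azure Policy
# definition schema ("properties" body); the effect is a parameter so the same
# rule can be assigned in Audit mode first and switched to Deny once reviewed.
STORAGE_NO_PUBLIC_ACCESS = {
    "displayName": "Storage accounts must disable public network access",
    "mode": "Indexed",
    "parameters": {
        "effect": {
            "type": "String",
            "allowedValues": ["Audit", "Deny", "Disabled"],
            "defaultValue": "Audit",
        }
    },
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"field": "Microsoft.Storage/storageAccounts/publicNetworkAccess",
                 "notEquals": "Disabled"},
            ]
        },
        "then": {"effect": "[parameters('effect')]"},
    },
}

def _matches(cond: dict, resource: dict) -> bool:
    """Evaluate one policy condition (only the operators this rule uses)."""
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    value = resource.get(cond["field"])
    return value == cond["equals"] if "equals" in cond else value != cond["notEquals"]

def evaluate(policy: dict, resource: dict, effect: str) -> dict:
    """Hypothetical local stand-in for the policy engine, written for this example.
    Audit lets the request through but flags it; Deny rejects it; Disabled does nothing."""
    if effect == "Disabled" or not _matches(policy["policyRule"]["if"], resource):
        return {"allowed": True, "compliant": True}
    return {"allowed": effect != "Deny", "compliant": False}

# Constructed sample resources, flattened to the alias names used in the rule.
PUBLIC_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts",
                  "Microsoft.Storage/storageAccounts/publicNetworkAccess": "Enabled"}
PRIVATE_ACCOUNT = {**PUBLIC_ACCOUNT,
                   "Microsoft.Storage/storageAccounts/publicNetworkAccess": "Disabled"}

if __name__ == "__main__":
    print(json.dumps(STORAGE_NO_PUBLIC_ACCESS, indent=2))  # definition to register
    for mode in ("Audit", "Deny"):
        print(mode, evaluate(STORAGE_NO_PUBLIC_ACCESS, PUBLIC_ACCOUNT, mode))
```

Rolling the definition out in Audit mode first shows how many existing accounts would be blocked before anyone switches the assignment to Deny.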
Allow only set SKUs - e.g. don't allow the more expensive VMs to be deployed
Automatically configure logging
Establishing a Secure Network Environment
To further protect resources, you should also employ perimeter controls around your assets. Again, these will look different depending on the asset in question.
For example, for internal assets, i.e. applications and databases that should only be accessible from your corporate network, you need private connections from your offices into Azure, either in the form of a VPN or Azure ExpressRoute. Configuring these connections efficiently and securely requires thought and planning.
When building public-facing applications, traditional firewalls and web application firewalls help block known attacks, and modern products even use AI and threat analysis to react dynamically to different types of attack.
Finally, you should only expose the smallest possible portion of your application. So if you have a web app with a SQL backend database, only the web app should be exposed (and only over a secure SSL connection), while your backend databases, storage accounts and other internal processes should be blocked off and only allow the access that is absolutely required.
Automating Deployment Processes
Organisations can use automation tools such as Azure Resource Manager templates, or open-source multi-platform Infrastructure as Code (IaC) tools such as Terraform. These streamline the deployment process and help organisations quickly deploy cloud resources in a secure and cost-effective manner, while also ensuring that deployments adhere to the organisation's policies and standards.
Although a base set of standardised templates is often built as part of a Landing Zone setup, requirements are often a moving target. Setting up a Cloud Centre of Excellence (CCoE) that meets regularly to investigate, define and build new standards will help ensure this good work continues.
Monitor and Optimize Your Azure Landing Zone
Once the Azure Landing Zone has been established, organisations should monitor their cloud environments to ensure that they remain secure and cost-effective. Organisations can use tools such as Azure Monitor or Log Analytics to monitor their cloud resources. Additionally, they can use cost optimization tools such as Azure Advisor or Resource Optimization Advisor to identify areas where they can reduce costs.
There are of course several third-party platforms that specialise in this area, but either way, you must ensure your resources log just the information you need. If they don't send enough, you may miss something important; too much and your costs increase, or you get lost in the deluge.
Once you have your logs, you must act on them. You can perform manual reviews using Azure Dashboards, workbooks and security tools such as Security Centre or Sentinel, and these products also make heavy use of AI to help you spot and respond to threats and other events.
Common Challenges and Best Practices
Creating an Azure Landing Zone can be challenging for organisations due to the complexity of the process. There are a variety of best practices that you should follow when setting up your Landing Zone, many of which we have covered here.
By following these steps and best practices, you can ensure that your Azure Landing Zone is properly set up for success.
It is also important to ensure that your Azure Landing Zone is regularly updated so that it remains secure and cost-effective.
Make no mistake, this process takes a lot of upfront effort and must be reviewed regularly. However, if you get it right it will save you time and money in the long run, as well as ensuring your systems are safe and secure.
Talk to Iridium
Our industry-leading Cloud Practice team works with businesses to understand their goals and establish tailored Landing Zones, allowing them to innovate, save money and optimise agility. Please don't hesitate to contact [email protected] with any Cloud questions or requirements.