July 23 2022

Azure Charts: Design Foundation for IaC and DevOps

In this session I will show, from real project experience, how to use Azure Charts as the design foundation for IaC (Infrastructure-as-Code) and DevOps automation.

IMPORTANT TO NOTE:-
Once the design foundation is ready, putting it into IaC (Terraform/PowerShell) and executing it through an Azure DevOps pipeline becomes relatively easy; most of the hard decisions (resource group layout, AAD groups, RBAC, network boundaries) have already been made.
WHAT IS COVERED:-
Azure Charts.
Categories of Azure Services.
Which Azure Services Support Private Link.
Which Azure Services Support Managed Identity.
Design Resource Group(s).
Design Network Framework.
Azure Night Sky.
Azure Services SLA.
Azure Services Reservations.
AZURE CHARTS:-
Link to Azure Charts
[Screenshot: first look at Azure Charts]
CATEGORIES OF AZURE SERVICES:-
When you design the foundation that makes the IaC easy to write and easy to run through an Azure DevOps pipeline, it is very important to know which category each Azure service falls under.
Those categories then drive the resource group structure, the AAD group layout, the RBAC model and the network framework, which together are our foundation.
Link to Azure Services Categories Overview in Azure Charts:
[Screenshot: Azure services categories overview in Azure Charts]
WHICH AZURE SERVICES SUPPORT PRIVATE LINK:-
Browse to Private Link Support to see which Azure services support Private Link. This matters for the network framework below: a PaaS service with Private Link support can be given a private endpoint in one of the project's subnets instead of being reached over its public endpoint.
[Screenshot: Private Link support view in Azure Charts]
WHICH AZURE SERVICES SUPPORT MANAGED IDENTITY:-
Browse to Managed Identity Support to see which Azure services support Managed Identity. Where a service supports it, the data-plane roles in the RBAC table below (Service Bus sender/receiver, Storage blob data roles, Key Vault access) can be granted to the workload's managed identity instead of to a secret held by the application.
[Screenshot: Managed Identity support view in Azure Charts]
DESIGN RESOURCE GROUP(S):-
Consider a project scenario where the following Azure services have to be deployed (using IaC and Azure DevOps pipelines): 1) App Service Plan, 2) App Services, 3) Virtual Machine, 4) Data Factory, 5) Databricks, 6) Azure SQL, 7) Azure Active Directory B2C, 8) Key Vault, 9) API Management, 10) Service Bus, 11) Application Gateway, 12) Bastion, 13) Azure Storage and 14) Data Lake Store.
Questions:
1) How would you design the resource group(s)?
If the services are deployed into a shared subscription, one resource group holding all of the project's services makes sense: the resource group is then the logical boundary between projects in the same subscription. When each project has a dedicated subscription, that boundary already exists, and the resource group design instead shapes day-to-day operations: who can see, change and operate what.
2) Why do we need to design resource group(s)?
For the following reasons:-
– Sub-team(s) within the same application development effort: separate resource groups holding different services give the sub-teams logical boundaries.
– Role-Based Access Control (RBAC): the key security control. It decides which sub-team gets which level of permission on which resource group, and keeps every grant as narrow as resource-group scope allows.
– Segregation of what each user sees: developers and operations support only see and work with their own resource group(s).
This is where the Azure service categories in Azure Charts help us DESIGN THE RESOURCE GROUP(S).
For the purpose of this session, the resource group naming convention is: [NAME OF THE COMPANY]-[PROJECT NAME]-[ENVIRONMENT NAME]-[AZURE SERVICE CATEGORY NAME]-RG
NOTES ON RBAC:-
Scope of every role assignment = the resource group (not the subscription).
Role assignments are attached to Azure Active Directory (AAD) groups, never to individual users.
The AAD group layout follows the Target Operating Model (TOM): one group for each team/permission-level pair that the TOM defines for a resource group.
| NAME OF THE RESOURCE GROUP | AZURE SERVICES | ROLE BASED ACCESS CONTROL (built-in roles) | NOTES (IF ANY) |
|---|---|---|---|
| AM-BLOGPOST-TEST-SHARED-RG | Azure App Service Plan, Key Vault | Contributor, Reader | (1) Several App Services can run on the same App Service Plan, hence SHARED RESOURCE GROUP. (2) Key Vault keys, secrets and certificates are consumed by one or many services, hence SHARED RESOURCE GROUP. (3) App Service Plan has a service-specific built-in role, Web Plan Contributor, where Contributor is broader than needed. (4) In this design Key Vault data-plane access is managed by access policies, not RBAC. The alternative is Key Vault's RBAC permission model (roles such as Key Vault Secrets User), which lets data-plane access be granted to the same AAD groups and managed identities and is the model to prefer for new vaults. |
| AM-BLOGPOST-TEST-COMPUTE-RG | Azure App Services, Virtual Machines | Contributor, Reader, Virtual Machine Administrator Login, Virtual Machine Contributor | (1) App Services and Virtual Machines belong to the Compute category in Azure Charts, hence COMPUTE RESOURCE GROUP. (2) App Service has a service-specific built-in role, Website Contributor. (3) Virtual Machine Administrator Login grants administrator login on AAD-joined VMs and should go to the operations group only. |
| AM-BLOGPOST-TEST-ANALYTICS-RG | Data Factory, Databricks | Contributor, Reader, Data Factory Contributor | (1) Data Factory and Databricks belong to the Analytics category in Azure Charts, hence ANALYTICS RESOURCE GROUP. (2) Databricks has no service-specific built-in Azure role: Contributor is needed to manage the workspace resource, and permissions inside the workspace are managed by Databricks itself. |
| AM-BLOGPOST-TEST-DATABASE-RG | Azure SQL | SQL Managed Instance Contributor, SQL Server Contributor, SQL Security Manager | (1) Azure SQL belongs to the Database category in Azure Charts, hence DATABASE RESOURCE GROUP. (2) SQL Managed Instance Contributor only applies if Managed Instance is used; for Azure SQL Database the relevant roles are SQL Server Contributor, SQL DB Contributor and SQL Security Manager. None of them grant access to data: database-level access is managed inside SQL (AAD authentication with contained users). |
| AM-BLOGPOST-TEST-IDENTITY-RG | Azure Active Directory B2C (AAD B2C) | Contributor, Reader | (1) Azure AD B2C belongs to the Identity and Security category in Azure Charts, hence IDENTITY RESOURCE GROUP. (2) Azure AD B2C is a separate tenant from Azure AD and has no service-specific built-in Azure role; the resource group only holds the link to the B2C tenant, and administration of the B2C tenant itself happens through that tenant's own directory roles. |
| AM-BLOGPOST-TEST-INTEGRATION-RG | API Management, Service Bus | API Management Service Contributor, API Management Service Operator Role, API Management Service Reader Role, Azure Service Bus Data Owner, Azure Service Bus Data Receiver, Azure Service Bus Data Sender | (1) API Management and Service Bus belong to the Integration category in Azure Charts, hence INTEGRATION RESOURCE GROUP. (2) The Service Bus Data Owner/Sender/Receiver roles are data-plane roles: grant Sender/Receiver to the workload's managed identity rather than to a team group wherever possible. |
| AM-BLOGPOST-TEST-NETWORK-RG | Application Gateway, Bastion | Contributor, Reader | (1) Application Gateway and Bastion belong to the Network category in Azure Charts, hence NETWORK RESOURCE GROUP. (2) Neither has a service-specific built-in role; Network Contributor is the narrower alternative to Contributor. |
| AM-BLOGPOST-TEST-STORAGE-RG | Azure Storage, Data Lake Store | Storage Account Contributor, Storage Blob Data Contributor, Storage Blob Data Reader | (1) Azure Storage Account and Data Lake Store belong to the Storage category in Azure Charts, hence STORAGE RESOURCE GROUP. (2) Storage Account Contributor is a control-plane role; the Storage Blob Data Contributor/Reader roles are data-plane roles and also cover Data Lake Storage Gen2, which is a feature of the storage account (Gen1 uses its own POSIX ACLs). |
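The resource group layout and the RBAC notes above, put into Terraform. This is an added example written for this session, not code from the original post or from Azure Charts. It assumes: the region westeurope; that AAD groups named [prefix]-[CATEGORY]-OPS and [prefix]-[CATEGORY]-READ already exist (created under the TOM); and that, where the table lists a service-specific role, the OPS group gets that role instead of the broad Contributor role. Data-plane roles that an application needs at runtime (Service Bus sender/receiver, Storage blob data roles) are left to the workload's managed identity and are not assigned to a team group here.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
    azuread = { source = "hashicorp/azuread", version = "~> 2.0" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

locals {
  # Naming convention from the post: [COMPANY]-[PROJECT]-[ENVIRONMENT]-[CATEGORY]-RG
  prefix   = "AM-BLOGPOST-TEST"
  location = "westeurope" # assumed region

  # category -> AAD group suffix -> built-in roles granted at resource-group scope.
  # Group naming ([prefix]-[CATEGORY]-[OPS|READ]) is an assumption for this example; the groups
  # must already exist. Where the table lists a service-specific role, OPS gets that role
  # instead of Contributor (least privilege at resource-group scope).
  categories = {
    SHARED      = { OPS = ["Web Plan Contributor", "Key Vault Contributor"], READ = ["Reader"] }
    COMPUTE     = { OPS = ["Website Contributor", "Virtual Machine Contributor", "Virtual Machine Administrator Login"], READ = ["Reader"] }
    ANALYTICS   = { OPS = ["Data Factory Contributor", "Contributor"], READ = ["Reader"] } # Contributor: Databricks has no narrower role
    DATABASE    = { OPS = ["SQL Server Contributor", "SQL Security Manager"], READ = ["Reader"] }
    IDENTITY    = { OPS = ["Contributor"], READ = ["Reader"] }
    INTEGRATION = { OPS = ["API Management Service Contributor"], READ = ["API Management Service Reader Role", "Reader"] }
    NETWORK     = { OPS = ["Network Contributor"], READ = ["Reader"] }
    STORAGE     = { OPS = ["Storage Account Contributor"], READ = ["Reader"] }
  }

  # One key per (category, group) to look up the AAD group object ...
  group_keys = toset(flatten([
    for cat, grp in local.categories : [for suffix, _ in grp : "${cat}-${suffix}"]
  ]))

  # ... and one entry per (category, group, role): exactly one role assignment each.
  assignments = merge(flatten([
    for cat, grp in local.categories : [
      for suffix, roles in grp : {
        for role in roles : "${cat}-${suffix}-${role}" => { category = cat, group = "${cat}-${suffix}", role = role }
      }
    ]
  ])...)
}

# One resource group per Azure Charts category.
resource "azurerm_resource_group" "rg" {
  for_each = local.categories
  name     = "${local.prefix}-${each.key}-RG"
  location = local.location
  tags = {
    project     = "BLOGPOST"
    environment = "TEST"
    category    = each.key
  }
}

# Existing AAD groups from the TOM; security_enabled filters out M365 groups of the same name.
data "azuread_group" "team" {
  for_each         = local.group_keys
  display_name     = "${local.prefix}-${each.key}"
  security_enabled = true
}

# Scope is always the resource group and the principal is always an AAD group, never a user.
resource "azurerm_role_assignment" "rg_role" {
  for_each             = local.assignments
  scope                = azurerm_resource_group.rg[each.value.category].id
  role_definition_name = each.value.role
  principal_id         = data.azuread_group.team[each.value.group].object_id
}
```

Running `terraform plan` against this shows one role assignment per row of `local.assignments`, each scoped to a single resource group. Adding a category is one line in `local.categories`; widening a grant is a visible diff in code review rather than a portal click, which is the whole point of putting the foundation into IaC.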
DESIGN NETWORK FRAMEWORK:-
Designing the network framework becomes easy once the resource group structure is defined: the categories become subnets, and each subnet gets its own security boundary.
One Virtual Network with one or more address spaces.
One Route Table attached to all subnets.
One Network Security Group per subnet.
For the purpose of this session, the network naming convention is: [NAME OF THE COMPANY]-[PROJECT NAME]-[ENVIRONMENT NAME]-[VNET|ROUTE-TABLE] for the VNet and route table, [NAME OF THE COMPANY]-[PROJECT NAME]-[ENVIRONMENT NAME]-[AZURE SERVICE CATEGORY NAME]-SUBNET for each subnet, and [SUBNET NAME]-NSG for the NSG attached to it.
Virtual Network Name: AM-BLOGPOST-TEST-VNET
Route Table Name: AM-BLOGPOST-TEST-ROUTE-TABLE
| NAME OF THE RESOURCE GROUP | NAME OF SUBNET | NAME OF NETWORK SECURITY GROUP | NOTES (IF ANY) |
|---|---|---|---|
| AM-BLOGPOST-TEST-SHARED-RG | AM-BLOGPOST-TEST-SHARED-SUBNET | AM-BLOGPOST-TEST-SHARED-SUBNET-NSG | Hosts the Key Vault private endpoint (App Service Plan itself has no network footprint). |
| AM-BLOGPOST-TEST-COMPUTE-RG | AM-BLOGPOST-TEST-COMPUTE-SUBNET | AM-BLOGPOST-TEST-COMPUTE-SUBNET-NSG | App Service regional VNet integration needs a subnet delegated to Microsoft.Web/serverFarms, and VMs cannot be placed in a delegated subnet, so App Services and VMs end up in separate subnets. |
| AM-BLOGPOST-TEST-ANALYTICS-RG | AM-BLOGPOST-TEST-ANALYTICS-SUBNET | AM-BLOGPOST-TEST-ANALYTICS-SUBNET-NSG | Databricks VNet injection needs two subnets (host/public and container/private) delegated to Microsoft.Databricks/workspaces; plan for that if Databricks is VNet-injected. |
| AM-BLOGPOST-TEST-DATABASE-RG | AM-BLOGPOST-TEST-DATABASE-SUBNET | AM-BLOGPOST-TEST-DATABASE-SUBNET-NSG | Hosts the Azure SQL private endpoint; the NSG only filters private endpoint traffic if private endpoint network policies are enabled on the subnet. |
| AM-BLOGPOST-TEST-IDENTITY-RG | AM-BLOGPOST-TEST-IDENTITY-SUBNET | AM-BLOGPOST-TEST-IDENTITY-SUBNET-NSG | Azure AD B2C has no VNet footprint; keep the subnet only if another identity component needs it. |
| AM-BLOGPOST-TEST-INTEGRATION-RG | AM-BLOGPOST-TEST-INTEGRATION-SUBNET | AM-BLOGPOST-TEST-INTEGRATION-SUBNET-NSG | Hosts the API Management and Service Bus private endpoints (Service Bus needs the Premium tier for Private Link). |
| AM-BLOGPOST-TEST-NETWORK-RG | AM-BLOGPOST-TEST-NETWORK-SYSTEMS-SUBNET | AM-BLOGPOST-TEST-NETWORK-SYSTEMS-SUBNET-NSG | Bastion requires a dedicated subnet named exactly AzureBastionSubnet (/26 or larger) whose NSG must carry Bastion's required rule set, and Application Gateway requires a dedicated subnet of its own; neither can share NETWORK-SYSTEMS-SUBNET, so plan two subnets for this category. |
| AM-BLOGPOST-TEST-STORAGE-RG | AM-BLOGPOST-TEST-STORAGE-SUBNET | AM-BLOGPOST-TEST-STORAGE-SUBNET-NSG | Hosts the Storage / Data Lake private endpoints. |
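The network framework above in Terraform: one VNet, one route table, one subnet per category and one NSG per subnet, plus a concrete NSG rule set for the DATABASE subnet to show what the per-subnet NSG buys you. This is an added example written for this session, not code from the original post or from Azure Charts. It assumes the region westeurope and the address space 10.10.0.0/16 with one /24 per category; it departs from the table in one place that the platform forces, giving the NETWORK category two subnets (NETWORK-SYSTEMS for Application Gateway and the mandatory AzureBastionSubnet for Bastion).

```hcl
provider "azurerm" {
  features {}
}

locals {
  prefix   = "AM-BLOGPOST-TEST"
  location = "westeurope" # assumed region

  # One subnet per service category inside an assumed 10.10.0.0/16. Bastion needs a dedicated
  # subnet named exactly AzureBastionSubnet (/26 or larger) and Application Gateway needs a
  # dedicated subnet too, so the NETWORK category gets two subnets instead of one.
  subnets = {
    SHARED            = { name = "${local.prefix}-SHARED-SUBNET",          cidr = "10.10.1.0/24" }
    COMPUTE           = { name = "${local.prefix}-COMPUTE-SUBNET",         cidr = "10.10.2.0/24" }
    ANALYTICS         = { name = "${local.prefix}-ANALYTICS-SUBNET",       cidr = "10.10.3.0/24" }
    DATABASE          = { name = "${local.prefix}-DATABASE-SUBNET",        cidr = "10.10.4.0/24" }
    IDENTITY          = { name = "${local.prefix}-IDENTITY-SUBNET",        cidr = "10.10.5.0/24" }
    INTEGRATION       = { name = "${local.prefix}-INTEGRATION-SUBNET",     cidr = "10.10.6.0/24" }
    STORAGE           = { name = "${local.prefix}-STORAGE-SUBNET",         cidr = "10.10.7.0/24" }
    "NETWORK-SYSTEMS" = { name = "${local.prefix}-NETWORK-SYSTEMS-SUBNET", cidr = "10.10.8.0/24" } # Application Gateway only
    BASTION           = { name = "AzureBastionSubnet",                     cidr = "10.10.9.0/26" }
  }
  # AzureBastionSubnet is left out of the NSG/route-table loop: its NSG must carry Bastion's
  # required rule set and a default route on it breaks Bastion, so it is configured separately.
  managed = { for k, v in local.subnets : k => v if k != "BASTION" }

  # DATABASE NSG: SQL (1433) only from the COMPUTE and ANALYTICS subnets, then an explicit deny
  # so the default AllowVnetInBound rule no longer opens the subnet to the whole VNet.
  database_rules = {
    "allow-sql-from-compute-and-analytics" = { priority = 100, access = "Allow", protocol = "Tcp", port = "1433",
      sources = [local.subnets["COMPUTE"].cidr, local.subnets["ANALYTICS"].cidr] }
    "deny-all-other-inbound" = { priority = 4000, access = "Deny", protocol = "*", port = "*", sources = ["*"] }
  }
}

resource "azurerm_resource_group" "network" {
  name     = "${local.prefix}-NETWORK-RG"
  location = local.location
}

resource "azurerm_virtual_network" "vnet" {
  name                = "${local.prefix}-VNET"
  location            = local.location
  resource_group_name = azurerm_resource_group.network.name
  address_space       = ["10.10.0.0/16"]
}

# One route table for all managed subnets; routes (e.g. a default route to a firewall) go here.
resource "azurerm_route_table" "rt" {
  name                = "${local.prefix}-ROUTE-TABLE"
  location            = local.location
  resource_group_name = azurerm_resource_group.network.name
}

resource "azurerm_subnet" "subnet" {
  for_each             = local.subnets
  name                 = each.value.name
  resource_group_name  = azurerm_resource_group.network.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = [each.value.cidr]
}

# One NSG per subnet, named [SUBNET]-NSG.
resource "azurerm_network_security_group" "nsg" {
  for_each            = local.managed
  name                = "${each.value.name}-NSG"
  location            = local.location
  resource_group_name = azurerm_resource_group.network.name
}

resource "azurerm_subnet_network_security_group_association" "nsg" {
  for_each                  = local.managed
  subnet_id                 = azurerm_subnet.subnet[each.key].id
  network_security_group_id = azurerm_network_security_group.nsg[each.key].id
}

resource "azurerm_subnet_route_table_association" "rt" {
  for_each       = local.managed
  subnet_id      = azurerm_subnet.subnet[each.key].id
  route_table_id = azurerm_route_table.rt.id
}

resource "azurerm_network_security_rule" "database" {
  for_each                    = local.database_rules
  name                        = each.key
  priority                    = each.value.priority
  direction                   = "Inbound"
  access                      = each.value.access
  protocol                    = each.value.protocol
  source_port_range           = "*"
  destination_port_range      = each.value.port
  source_address_prefix       = length(each.value.sources) == 1 ? each.value.sources[0] : null
  source_address_prefixes     = length(each.value.sources) > 1 ? each.value.sources : null
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.network.name
  network_security_group_name = azurerm_network_security_group.nsg["DATABASE"].name
}
```

The explicit deny at priority 4000 is the part most often forgotten: without it, the default AllowVnetInBound rule (priority 65000) still lets every subnet in the VNet reach the database subnet, and the allow rule above it changes nothing. For the subnets that only hold private endpoints, the NSG is applied to that traffic only when private endpoint network policies are enabled on the subnet.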
AZURE NIGHT SKY:-
Link to Azure Night Sky
Azure Night Sky shows, through real use cases, how Azure services fit together. Each use case is labelled either Learning Path or Solution and highlights the services it needs. Examples:-
Use Case #1: GEOSPATIAL DATA PROCESSING AND ANALYTICS
Type: Solution
Use Case #2: DATA SCIENCE AND MACHINE LEARNING WITH AZURE DATABRICKS
Type: Solution
Use Case #3: INTRODUCTION TO SECURING DATA AT REST ON AZURE
Type: Learning Path
Use Case #4: MODERN ANALYTICS ARCHITECTURE WITH DATABRICKS
Type: Solution
[Screenshots: the Azure Night Sky view for each of the four use cases]
AZURE SERVICES SLA:-
Browse to Azure Services SLA to view the Azure SLA board. Check the SLA of every service in the design before committing to it; the weakest SLA in a chain bounds the availability of the whole application.
[Screenshot: Azure SLA board in Azure Charts]
AZURE SERVICES RESERVATIONS:-
Browse to Azure Services Reservations to see which Azure services support reservations.
[Screenshot: reservation support view in Azure Charts]

Hope You Enjoyed the Session!!!

Stay Safe | Keep Learning | Spread Knowledge