Ok so today was Day 1 of the Microsoft Azure Enterprise Scale Landing Zone Open Hack. A chance for me and a few of my colleagues to work through a reasonably complex reference architecture of a fictitious company and basically work out and discuss an appropriate solution for defining an appropriate Azure Management Group / Azure Policy and RBAC configuration to meet the requirements of said fictitious company.
I won’t drill into the details of the Hack as I am sure this is IP created by Microsoft and to be honest I’m not sure if I am allowed to share directly. I will find out after Day 3 and if I am ok to do so then I may just do a short video or something like that.
The day started off around really defining what Enterprise Scale is. The official Microsoft documentation can be accessed here:
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/
And there is a great GitHub repo here:
https://aka.ms/enterprisescale
What is Enterprise Scale?
- A reference architecture
- Recommended patterns vetted by engineering
- Adaptable to accommodate customer requirements
- Accelerates onboarding of new workloads by removing governance blockers
- Consistent policy based framework
- Built using native tooling (Azure Policy and Management Groups)
How does Enterprise Scale relate to Cloud Adoption Framework?
Enterprise Scale fits within the ‘Ready’ phase of CAF.
Enterprise Scale Design Principles
- Enable Autonomy for Innovation and Transformation
- Security and Compliance By-Default
- Governance At-Scale with Sustainable Cloud Engineering
Subscriptions should be used as a unit of management and scale aligned with business needs and priorities, to support business areas and portfolio owners to accelerate application migrations and new application development.
Azure Policy should be used to provide the guard-rails and ensure the continued compliance of the customer platform and applications deployed onto it, whilst also providing application owners sufficient freedom and a secure unhindered path to cloud.
The Enterprise-scale architecture should not consider any abstraction layers such as customer developed portals or tooling and should provide a consistent experience for both AppOps (centrally managed operation teams) and DevOps (dedicated application operation teams).
We should focus on application centric migrations and development rather than a pure infrastructure “lift and shift” migration (i.e. movement of virtual machines) and should not differentiate between old/new applications or IaaS/PaaS applications.
The Enterprise Scale architecture approach advocates the use of native platform services and capabilities whenever possible, which should be aligned with Azure platform roadmaps to ensure new capabilities are made available within customer environments.
Critical Design Areas
- Enterprise Agreement enrollment and Azure Active Directory tenants
- Identity and access management
- Management group and subscription organization
- Network topology and connectivity
- Management and monitoring
- Enterprise-scale business continuity and disaster recovery
- Enterprise-scale security governance and compliance
- Platform automation and DevOps
Github – Deploy to Azure
As part of the day we looked at deploying the GitHub stored ARM Templates covering the Management Group configuration as well as typical policy etc for a typical environment.
The following Github repository contains 3 examples:
https://github.com/Azure/Enterprise-Scale
Deploying Enterprise-Scale Architecture in your own environment
The Enterprise-Scale architecture is modular by design and allows customers to start with foundational Landing Zones that support their application portfolios, regardless of whether the applications are being migrated or are newly developed and deployed to Azure. The architecture can scale alongside the customer’s business requirements regardless of scale point. In this repository we are providing the following three templates representing different scenarios composed using ARM templates.
| Reference implementation | Description | Link |
|---|---|---|
| Contoso | On-premises connectivity using Azure vWAN | Detailed description |
| AdventureWorks | On-premises connectivity with Hub & Spoke | Detailed description |
| WingTip | Azure without hybrid connectivity | Detailed description |
From here we started to inspect some typical Policy and try and align it to our ficticious company!
From here we defined a typical approach for Management Group layout and subscription structure:
That’s where we left Day 1, looking forward to Day 2 where we will focus a lot more on the Azure Policy side so stay tuned for Day 2 tomorrow!
100DaysOfCloud Overview
My Main ReadMe Page is all set up with a bit about me!
The guys at 100DaysofCloud have set up the GitHub repo to be cloned and also have a great repo containing ideas and areas to collaborate on: https://github.com/100DaysOfCloud/100DaysOfCloudIdeas
My Github Journey tracker can be found here: https://github.com/jonnychipz/100DaysOfCloud
Please Watch/Star my repo and feel free to comment of contribute to anything I push! I really look forward to hearing from anyone who is going to jump on the journey around the same time as me! Lets see where I get to in 100 days!
I would encourage others to jump on this journey, I’m not sure that I will be able to commit every day for 100 days, but as long as I can complete 100 days that will be great!
Cloud Computing with a side of Chipz 