Managing Large Azure Deployments with Azure Blueprint
Infrastructure as code (IaC) emerged to made Architect and design jobs easy, deploying a cloud infrastructure no longer critical task. There are tools like Terraform, AWS CloudFormation are making the life easy of Architects.
Microsoft has ARM templates for deploying the Azure cloud, yet another powerful tool from MS is Azure blueprint. The Azure Blueprint feature enables and facilitates to ensure that each environment will meet pertinent standards, requirements and compliance.
Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements. Azure Blueprints makes it possible for development teams to rapidly build and stand up new environments with trust they’re building within organizational compliance with a set of built-in components, such as networking, to speed up development and delivery.
Blueprint enables bundling of environment into package, each component in the package called Artifacts are below
· Role Assignments
· Policy Assignments
· Azure Resource Manager templates (ARM templates)
· Resource Groups
How it’s different from ARM templates
Blueprint consist of set of artifacts mentioned above and bundled together and allows customization, update and versioning. Each package is assigned to a subscription in a single operation that can be audited and tracked.
An ARM template is a document that doesn’t exist natively in Azure — each is stored either locally or in source control. The template gets used for deployments of one or more Azure resources, but once those resources deploy there’s no active connection or relationship to the template.
A blueprint is composed of artifacts. Azure Blueprints currently supports the following resources as artifacts:
Manage multiple subscriptions by using Azure Blueprints
When the organization grows with multiple Azure subscription, the biggest challenge is enforcing the global configuration like policy, other resources. with Azure Blueprints you can define a repeatable set of governance tools and standard Azure resources that your organization requires
Azure Blueprints allows central Architecture group or IT groups to scale their governance practices throughout the organization.
Implementing a blueprint in Azure Blueprints involves these three steps:
· Create an Azure blueprint.
· Assign the blueprint.
· Track the blueprint assignments.
And the Lifecycle of Blueprint follows
· Creating and editing a blueprint
· Publishing the blueprint
· Creating and editing a new version of the blueprint
· Publishing a new version of the blueprint
· Deleting a specific version of the blueprint
· Deleting the blueprint
Ownership and Parameters
When blueprint is deployed its granted owner rights to the assigned subscription or subscriptions when a system-assigned managed identity managed identity is used. The granted role allows Azure Blueprints to create, and later revoke, the system-assigned managed identity
Dynamic parameters are supported in Blueprint definition, this can assign to resource groups, Azure Resource Manager templates (ARM templates), policies, or role assignments.
To maintain consistency among the resources deployed by Blueprint, Resource locks deployed are only applied to resources deployed by the blueprint assignment. Existing resources, such as those in resource groups that already exist, don’t have locks added to them.
Resources protected by resource locks have four states:
· Not locked
· Read only
· Cannot edit
· Cannot delete
Those properties can only be removed by updating the blueprint itself and changing it to a different locking mode. Unlike other resources in Azure, Azure Blueprints do not allow users with the appropriate role-based access control to override any locks. This security measure protects the consistency of the defined blueprint and the environment. It is designed to prevent inadvertent or programmatic deletion or alteration.
Security compliance and Regulatory compliance
The challenge of enforcing governance within your IT environment, whether it be an on-premises, cloud native or a hybrid environment, exists for all organizations. A robust technical governance framework needs to be in place to ensure your Microsoft Azure environment conforms with design, regulatory, and security requirements.
The service offers several built-in blueprints for compliance with common scenarios and external regulations such as:
· ISO 27001 (Standard, Shared Services and ASE/SQL workloads)
· FedRAMP moderate/high
· HIPAA HITRUST
· IRS 1075
· DOD Impact Level 4 & 5
· NIST SP 800–53 R4
· NIST SP 800–171 R2
· SWIFT CSP-CSCF v2020
Azure Blueprint is a powerful tool for Azure cloud environment. You can compose the resources, policies and manage the lifecycle of the package, scale it whenever the subscription grows. Simplify largescale Azure deployments and update compliant to the environments