Friday, September 29, 2017

Microsoft Ignite 2017: Tips & Tricks with Azure Resource Manager with @rjmax

The AzureRM vision is to capture everything you might do or envision in the cloud. This should extend from infrastructure and configuration to governance and security.

Azure is seeing about 200 ARM templates deployed per second. The session will focus on some of the template enhancements and how Microsoft is more closely integrating identity management and delivering new features.

You now have the ability to deploy ARM deployments across subscriptions (service providers pay attention!). You can also deploy across resource groups. The two properties within the ARM template that enable this are:

“resourceGroup”

“subscriptionId”

You may be wondering how you share your templates, increase their reliability and support them after deployment.

Managed Applications

Managed applications simplify template sharing. Managed applications can be shared or sold; they are meant to be simple to deploy, they are contained so they cannot be broken, and they can be connected. Connected means you define what level of access you need to the application after it has been deployed for ongoing management and support.

For additional details on Managed applications please see https://docs.microsoft.com/en-us/azure/azure-resource-manager/managed-application-overview.

Managed applications are available in West US and West US Central but will be global by the end of the year. When you define a managed application through the Azure portal you determine if it is locked or unlocked. If it is locked you need to define who is authorized to write to it.


By default Managed Applications are deployed within your subscription. From within the access pane of the Managed Application you can share it to other users and subscriptions. Delivering Managed Applications to the Azure marketplace is in Public Preview at this moment.

Managed Identity

With Managed Identity you can now create virtual machines with a service principal provided by Azure Active Directory. This allows the VM to obtain a token for service access, avoiding passwords and credentials in code. To learn more have a look here:

https://docs.microsoft.com/en-us/azure/active-directory/msi-overview

ARM Templates & Event Grid

You can use Event Grid to collect all ARM events and requests, which can be pushed to an endpoint or listener. To learn more on Event Grid read here:

https://buildazure.com/2017/08/24/what-is-azure-event-grid/

Resource Policies

You can use Resource Policies to do Location Ringfencing. Location Ringfencing allows you to define a policy that ensures your data does not leave a certain location.


You can also restrict which VM classes people can use, for example to prevent your developers from deploying extremely expensive classes of VMs.

Policies can be used to limit access to marketplace images to just a few. You can find many starting-point policies on GitHub:

https://github.com/azure/azure-policy-samples
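As an added example that is not from the session or from the sample repository above, here is a custom policy definition for location ring-fencing in the Azure Policy JSON format; the display name and the default region list are assumptions chosen to match the regions mentioned earlier in these notes.

```json
{
  "properties": {
    "displayName": "Allowed locations (location ring-fencing)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Deny creation of any resource whose location is outside the approved list.",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "Regions in which resources may be created (assumed default list).",
          "strongType": "location"
        },
        "defaultValue": [ "westus", "westcentralus" ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('allowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

The second condition exempts resources whose location is the literal value global (for example Traffic Manager profiles), which a plain notIn check would otherwise deny, and mode Indexed limits evaluation to resource types that support location and tags. The definition only takes effect once it is assigned at a subscription or resource-group scope.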

Azure Policies are in Preview and additional information can be found here:

https://azure.microsoft.com/en-us/services/azure-policy/
