Microsoft has a number of individual solutions that can be used together to ensure governance:
- Role-based access control (RBAC): Using a combination of delegated permissions via roles assigned to management groups, subscriptions, resource groups, and (ideally never) resources, you can limit people to just the tasks that they need to complete their jobs.
- Azure Policy: Policy allows you to create a … policy that controls what can be done by people who have permissions. These policies are assigned to management groups, subscriptions, or resource groups. For example, you can force tags to be assigned, limit regions that can be used, or prevent certain kinds of virtual machines from being deployed.
However, governance of a deployment is more than the above. Sometimes you need to control how applications are designed and deployed; Azure Blueprints, generally available today, addresses this need by combining the above into a packaged deployment with:
- Resource groups: Controlling which resources go where so RBAC roles can be assigned appropriately.
- ARM Template: The techie bits of the deployment are controlled centrally, assigning approved architectures for deployment.
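To make the Azure Policy examples in the list above concrete (force a tag, limit regions, block certain virtual machine sizes), here is an added example that is not part of the original post or of Microsoft's tooling: a small local model of how a policy definition's "if"/"then" rule is evaluated against a resource description. It uses the real rule shape and field names (location, type, tags['…'], and the Microsoft.Compute/virtualMachines/sku.name alias) but only supports a handful of conditions, uses inline value lists instead of [parameters(…)] references, and maps the SKU alias to properties.hardwareProfile.vmSize by assumption; the sample resources are constructed for the example.

```python
"""Local model of Azure Policy rule evaluation (added example, not Microsoft's engine).

Supports 'field' conditions equals / in / notIn / exists and the allOf / anyOf / not
combinators. String comparison is case-insensitive, as in Azure Policy.
"""
import json
from typing import Any

# Assumption: policy aliases are resolved through this small map, which mirrors where
# the value sits in the ARM resource body (here: hardwareProfile.vmSize).
ALIASES = {
    "Microsoft.Compute/virtualMachines/sku.name": ("properties", "hardwareProfile", "vmSize"),
}

# Three policy rules in the shape Azure Policy definitions use. 'deny' blocks the deployment;
# 'audit' only records the resource as non-compliant.
POLICIES = {
    "require-env-tag": {
        "if": {"field": "tags['env']", "exists": "false"},
        "then": {"effect": "deny"},
    },
    "allowed-locations": {
        "if": {"field": "location", "notIn": ["northeurope", "westeurope"]},
        "then": {"effect": "deny"},
    },
    "not-allowed-vm-sizes": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "Microsoft.Compute/virtualMachines/sku.name",
             "in": ["Standard_M128ms", "Standard_ND24rs"]},
        ]},
        "then": {"effect": "audit"},
    },
}

# Constructed sample inventory: one compliant VM, one oversized VM, one untagged storage
# account in a region outside the allowed list.
SAMPLE_RESOURCES = [
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope",
     "tags": {"env": "prod"}, "properties": {"hardwareProfile": {"vmSize": "Standard_D2s_v3"}}},
    {"name": "vm-hpc-01", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope",
     "tags": {"env": "test"}, "properties": {"hardwareProfile": {"vmSize": "Standard_M128ms"}}},
    {"name": "st-untagged", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
     "tags": {}, "properties": {}},
]


def _field_value(resource: dict, field: str) -> Any:
    """Resolve a 'field' expression against a resource; None means the value is absent."""
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[len("tags['"):-2])
    if field in ALIASES:
        node: Any = resource
        for part in ALIASES[field]:
            if not isinstance(node, dict):
                return None
            node = node.get(part)
        return node
    return resource.get(field)


def _eq(a: Any, b: Any) -> bool:
    if isinstance(a, str) and isinstance(b, str):
        return a.casefold() == b.casefold()
    return a == b


def _match(cond: dict, resource: dict) -> bool:
    """Evaluate one condition (or combinator) of a policy rule's 'if' block."""
    if "allOf" in cond:
        return all(_match(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_match(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not _match(cond["not"], resource)
    value = _field_value(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return _eq(value, cond["equals"])
    if "in" in cond:
        return any(_eq(value, option) for option in cond["in"])
    if "notIn" in cond:
        return not any(_eq(value, option) for option in cond["notIn"])
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource: dict, policies: dict = POLICIES) -> dict:
    """Return {policy name: effect} for every policy whose 'if' block matches the resource."""
    return {name: p["then"]["effect"] for name, p in policies.items() if _match(p["if"], resource)}


def deployment_allowed(resource: dict, policies: dict = POLICIES) -> bool:
    """A deployment is blocked only when a matching policy has effect 'deny'."""
    return "deny" not in evaluate(resource, policies).values()


def compliance_report(resources: list, policies: dict = POLICIES) -> dict:
    """Per-resource view of matched policies, the kind of summary you would otherwise query from Azure."""
    return {r["name"]: evaluate(r, policies) for r in resources}


if __name__ == "__main__":
    print(json.dumps(compliance_report(SAMPLE_RESOURCES), indent=2))
    for r in SAMPLE_RESOURCES:
        print(r["name"], "allowed" if deployment_allowed(r) else "denied")
```

The point the model makes visible is the difference between effects: vm-hpc-01 matches the SKU rule but is still deployable because that rule only audits, while st-untagged is denied twice over (no env tag, disallowed region). In Azure the same distinction decides whether a policy assignment stops a deployment or merely shows up as non-compliance in the portal.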
Guest Configuration for Azure Policy
Until now, Azure Policy was limited to dealing with management groups, subscriptions, resource groups, and resources. In the case of virtual machines, it could audit and control virtual machine configurations, but that’s just a small part of the story. What about what’s happening inside the guest OS?
A new preview feature, called Guest Configuration for Azure Policy, allows you to reach inside the guest OS and assess it. Maybe you need to control local password policies, enforce guest OS firewalls, control security logging, and more? That’s what this feature is intended to be able to do via a virtual machine extension when it is generally available.
At the moment, the functionality is quite limited, but the responsible team is hungry for customer feedback to drive their direction. One can imagine how this solution, like many other Azure solutions, could become a hybrid one via a Log Analytics agent.
Policy for DevOps
Azure Policy can be applied into the DevOps CI/CD pipeline. I should stop talking now because those words mean little to me, but they mean a lot to people who live the DevOps life.
Would you like to know what’s deployed in an Azure subscription? With this new preview feature, you can do this, but it’s very early days. Once you enroll in the feature, you can query what is deployed using Bash or PowerShell. There is no pretty UI today, but I can envision how this will change.
Cost Management in Azure Portal
The Cloudyn acquisition lives on, even if some (namely me) think it’s a pretty useless service – the data might as well remain buried because it’s so hard to mine, and the consumption pricing is based only on RRP (which few should be paying) and US Dollars.
Enterprise Agreement (EA) customers can now enjoy this service through the Azure Portal instead of opening another portal.
Over the past few months we have seen Azure Log Analytics (often mis-called OMS, which is a licensing bundle that includes Log Analytics) take a smaller role in Azure. I applaud that decision because I found Azure Monitor to be a far superior monitoring and alerting system. Log Analytics still has a role as a data gathering system and its agent offers the ability to reach into Azure virtual machines and on-premises machines for hybrid tasks such as Azure Security Center.
Ignite brings us a few changes to Azure Monitor: the new metrics experience is generally available. This UI allows you to split the chart so you can view multiple metrics at once; when analyzing performance issues, metrics can rarely be analyzed on their own to discover bottlenecks.
The next big change is virtual machine insights and container insights, both of which are in preview. These give you access to even more data from your compute workloads, especially from the guest OS. Note that virtual machine insights is based on Log Analytics, so Azure Monitor, which normally costs only micro-payments, would add a data ingestion fee for the Log Analytics service.
What we’re seeing this week is a maturation of the management and governance features of Azure. The governance teams are offering more control in a self-service environment. And the confusion that we had between Azure Monitor and Log Analytics is being cleared up with Log Analytics taking a more “under the covers” role, where I personally think it belongs because of its very unfinished feel for human usage. Watch out for more Azure posts from Ignite – I already know that I’ll have to add some more compute, storage, and networking news posts because of the sheer amount of information that has poured out of Microsoft this week.