ARM FTW
(Azure Resource Management For The Win)
@ITCAMPRO #ITCAMP18 Community Conference for IT Professionals
magnus@loftysoft.com
~288 locations @ global.azurebootcamp.net
#GlobalAzure Bootcamp April 21, 2018!
[Diagram: the Azure service landscape, grouped into Platform Services, Security & Management, and Infrastructure Services.]
Challenges with managing resources
?
Infrastructure & Configuration as Code + Continuous Delivery
Azure Resource Manager
(ARM)
Consistent management layer
Resource
Provider
https://management.azure.com/subscriptions/{{subscriptionId}}/providers?api-version={{apiVersion}}
?
REST API
What can you do with Azure Resource Manager?
Deploy app resources
What can you do with Azure Resource Manager?
Organize resources
What can you do with Azure Resource Manager?
Control access to resources
Resource Groups
Resource Groups: Start as empty “buckets”!
RESOURCE GROUP
Azure Resource
Management
Behold the simplest possible template!
Demo
Declarative templates
Idempotent
Multi-service, multi-region – easy!
Deploying with Azure Resource Manager
How do I place my Resources in Resource Groups?
Development
Test (multiple)
Staging
Production (multiple regions)
All of those environments…
Do I need one Template for each Environment?
:(
Use the same Template for all Environments!
Create one Parameter file for each Environment!
Template Parameter Files
Deploy many environments in one go!
Demo
Tooling for ARM
Tooling support for ARM
Horseless Carriage
VS Code
Demo
Learn it – Love it – it will give you wings!
Great Extensions that keep getting better!
Azure PowerShell
aka.ms/powershellopensource & on Linux(!)
Azure Command-Line Interface
aka. Azure CLI, aka. xplat-cli
Two OSS command line options for management of Azure.
// Assumes an authenticated `azure` client, plus `rgName` and `password` supplied by the caller.
var windowsVM =
    azure.VirtualMachines.Define("myWindowsVM")
        .WithRegion(Region.US_EAST)
        .WithNewResourceGroup(rgName)
        .WithNewPrimaryNetwork("10.0.0.0/28")
        .WithPrimaryPrivateIpAddressDynamic()
        .WithNewPrimaryPublicIpAddress("mywindowsvmdns")
        .WithPopularWindowsImage(
            KnownWindowsVirtualMachineImage
                .WINDOWS_SERVER_2012_R2_DATACENTER)
        .WithAdminUserName("tirekicker")
        .WithPassword(password)
        .WithSize(VirtualMachineSizeTypes.StandardD3V2)
        .CreateAsync();
ARM from code with multiple SDKs.
resources.azure.com
The secret Azure-blue sauce
“Ain’t nothing going on but the REST!”
Magnus Mårtensson
github.com/azure/
azure-quickstart-templates
Demo: Resources to get you started!
ARM is an “enabler”
RBAC
Tags
Policies
etc.
Role Based Access Control
(RBAC)
Role Based Access Control
Allows secure access with granular permissions.
Assignable to users, groups, or service principals.
Built-in roles make it easy to get started.
Custom roles offer greater flexibility.
Access Inheritance and Resource Hierarchy
Role Based Access Control
Click on “the little people”!
Key Learnings from Enterprise Customers
Grant the whole department read access to all the app resources!
Department_Foo_Grp
App1_Readers_AG
Grant the team contributor access to their resources!
Team_Bar_Grp
Service1_Contributors_AG
Tagging Resources
Challenges with all of those easy to deploy services
Visibility, metadata of cloud assets
Growing Service Catalog
Cost Control
Geo-Compliance issues
…
Demo: Tag included in an ARM Template
"resources": [
  {
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2015-06-15",
    "name": "mystorage4321",
    "location": "[resourceGroup().location]",
    "tags": {
      "Department": "RnD"
    },
    "properties": {
      "accountType": "Standard_LRS"
    }
  }
]
Tags are used for…
Filtering to all resources with a certain tag.
Finding out who owns what resource?
Grouping your costs for the Excel people!
Policies for your Azure
What is a Resource Policy?
Lets you define customized rules which govern the shape of your resources.
What type of Policy?
Enforce naming convention on resources.
Limit which types and instances can be deployed.
Specify which regions can be used.
Require tag for department chargeback.
...
{
  "if" : {
    <condition> | <logical operator>
  },
  "then" : {
    "effect" : "deny | audit | append"
  }
}
Policy Definition structure
{
  "if" : {
    "not" : {
      "field" : "location",
      "in" : ["westeurope", "northeurope"]
    }
  },
  "then" : {
    "effect" : "deny"
  }
}
Policy – Geo Compliance: Ensure resource locations
{
  "if" : {
    "not" : {
      "field" : "tags",
      "containsKey" : "costCenter"
    }
  },
  "then" : {
    "effect" : "deny"
  }
}
Policy – Chargeback: Require departmental tags
{
  "if": {
    "allOf": [
      {
        "field": "tags",
        "exists": "true"
      },
      {
        "field": "tags.costCenter",
        "exists": "false"
      }
    ]
  },
  "then": {
    "effect": "append",
    "details": [
      {
        "field": "tags.costCenter",
        "value": "RnD"
      }
    ]
  }
}
Chargeback: modify resources by appending a departmental tag.
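To see how the three rules above behave on concrete resources, here is an added example (not from the talk, and not Azure's evaluation engine): a small local model of the if/then structure that supports only the operators used on these slides. The sample resources and all function names are constructed for illustration.

```python
# Simplified local model of the if/then policy rules above; not Azure's engine.
def field_value(resource, field):
    """Resolve 'location', 'tags' or 'tags.<key>'; None means the field is absent."""
    for part in field.split("."):
        resource = resource.get(part) if isinstance(resource, dict) else None
    return resource

def matches(cond, resource):
    """Evaluate a condition or logical operator ('not', 'allOf') against a resource."""
    if "not" in cond:
        return not matches(cond["not"], resource)
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    value = field_value(resource, cond["field"])
    if "in" in cond:
        return value in cond["in"]
    if "containsKey" in cond:
        return isinstance(value, dict) and cond["containsKey"] in value
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource):
    """Return (effect, resource_after); effect is None if the rule does not match."""
    if not matches(policy["if"], resource):
        return None, resource
    then = policy["then"]
    if then["effect"] == "append":  # this model appends 'tags.<key>' fields only
        tags = dict(resource.get("tags") or {})
        for item in then["details"]:
            tags[item["field"].split(".", 1)[1]] = item["value"]
        return "append", {**resource, "tags": tags}
    return then["effect"], resource

# The three policies from the slides.
GEO = {"if": {"not": {"field": "location", "in": ["westeurope", "northeurope"]}},
       "then": {"effect": "deny"}}
REQUIRE_TAG = {"if": {"not": {"field": "tags", "containsKey": "costCenter"}},
               "then": {"effect": "deny"}}
APPEND_TAG = {"if": {"allOf": [{"field": "tags", "exists": "true"},
                               {"field": "tags.costCenter", "exists": "false"}]},
              "then": {"effect": "append",
                       "details": [{"field": "tags.costCenter", "value": "RnD"}]}}

# Constructed sample resources (not from the talk).
TAGGED = {"location": "westeurope", "tags": {"Department": "RnD"}}
UNTAGGED = {"location": "eastus"}

if __name__ == "__main__":
    for name, policy in (("geo", GEO), ("require-tag", REQUIRE_TAG), ("append-tag", APPEND_TAG)):
        print(name, evaluate(policy, TAGGED), evaluate(policy, UNTAGGED))
```

In this model the append rule does not match UNTAGGED, because its first condition requires a tags object to exist, so a resource with no tags at all passes through unchanged.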
What happens after a policy evaluation?
A request may be blocked or modified.
An audit event is generated.
An alert can be generated based on events.
Auditing
A simplified Policy Evaluation Result
{
  "authorization": {
    "action": "Microsoft.Resources/deployments/validate/action",
    "caller": "magnus@loftysoft.com"
  },
  "level": "Error",
  "operationName": {
    "value": "Microsoft.Authorization/policies/deny/action"
  },
  "resourceType": {
    "value": "Microsoft.Resources/deployments"
  },
  "status": {
    "value": "Failed"
  }
}
Through activity logs, you can determine:
Who initiated the operation.
When the operation occurred.
What operations were taken on the resources.
The status/result of the operation.
...
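The who/when/what/status questions map onto fields of the simplified evaluation result shown earlier. The added example below (not from the talk) groups policy denials by caller and flags repeated ones as a candidate alert condition; the entries are constructed, and the `eventTimestamp` field, the example.com callers and the threshold are assumptions.

```python
from collections import defaultdict

DENY = "Microsoft.Authorization/policies/deny/action"
VALIDATE = "Microsoft.Resources/deployments/validate/action"
WRITE = "Microsoft.Resources/deployments/write"

def event(ts, caller, action, operation, status, level):
    """Build a constructed entry in the simplified shape shown above."""
    return {"eventTimestamp": ts, "level": level,
            "authorization": {"action": action, "caller": caller},
            "operationName": {"value": operation},
            "resourceType": {"value": "Microsoft.Resources/deployments"},
            "status": {"value": status}}

# Constructed sample log: three policy denials and one successful deployment.
SAMPLE_LOG = [
    event("2018-05-24T09:00:00Z", "alice@example.com", VALIDATE, DENY, "Failed", "Error"),
    event("2018-05-24T09:05:00Z", "alice@example.com", VALIDATE, DENY, "Failed", "Error"),
    event("2018-05-24T09:10:00Z", "bob@example.com", VALIDATE, DENY, "Failed", "Error"),
    event("2018-05-24T09:20:00Z", "alice@example.com", WRITE, WRITE, "Succeeded", "Informational"),
]

def policy_denials(events):
    """Return {caller: [(when, attempted action, resource type), ...]} for policy denies."""
    hits = defaultdict(list)
    for e in events:
        if e.get("operationName", {}).get("value") != DENY:
            continue  # not a policy deny event
        auth = e.get("authorization", {})
        hits[auth.get("caller", "<unknown>")].append(
            (e.get("eventTimestamp"), auth.get("action"),
             e.get("resourceType", {}).get("value")))
    return dict(hits)

def repeat_offenders(events, threshold=2):
    """Callers blocked by policy at least `threshold` times."""
    denials = policy_denials(events)
    return sorted(c for c, rows in denials.items() if len(rows) >= threshold)

if __name__ == "__main__":
    for caller, rows in policy_denials(SAMPLE_LOG).items():
        print(caller, rows)
    print("alert on:", repeat_offenders(SAMPLE_LOG))
```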
Portal view of Activity Logs
Demo
Why do I want ARM and Infrastructure as Code?
Remove human error.
Security control.
Cost savings by spend control.
Environment parity.
Automation! (automation, automation)
Azure Resource Management Wizardry
This course is about the proper way to handle resources in Azure,
access for users, cost control in the Cloud and much more!
After this course you will approach Azure
in a more conscious, controlled and confident way!

ITCamp 2018 - Magnus Mårtensson - Azure Resource Manager For The Win