Azure Cloud Adoption Framework, Location, and Azure Policy

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Abstract

Location – classified. Customer – classified.

 

CTO: Azure Cloud Adoption Framework is the best resource to define our Cloud adoption strategy. As part of the “Ready” stage in CAF, can you tell me what best practices we are following to ensure “Azure resources and resource groups are organized effectively”?

Azure Architect: Yes, we follow 2 important guidelines, as follows –

  1. Allow deployment of Azure resources in designated allowed locations only; so, we follow the geopolitical boundary of our country.
  2. Define resource groups project-wise.

CTO: This is good. I recently went through many Azure Events webinars. I think as a best practice for our Azure environment, we should also make sure that “Azure resources are deployed in the same location as their resource group” for better management and clarity. How are we placed on this task?

Azure Architect: Ummmm, yes. It is a good suggestion!

CTO: Ok, so give me a report every week where I can see whether all resources are in the same location as their parent resource group. Thanks.

Azure Architect: But we have 100+ resource groups and 300+ resources in the subscription. That will be quite a time-consuming task every week.

CTO: Well, let us find a better solution to get a report of Azure resources that are not in their resource group's location/region.

 

This blog will help our friend the Azure Architect produce a report of “any Azure resources not having the same location as their parent resource group”.

 

This will help satisfy the CTO's requirement and earn our Azure Architect friend a promotion in the company.

 

Azure Resource Group, Azure Resource and Location

Azure Resource Manager is a consistent management layer on Azure used for deployment and end-to-end management. An important component of Azure Resource Manager is the “Resource Group.”

 

An Azure Resource Group is a container that holds related resources for an Azure solution. It holds the resources that you want to manage as a group. The choice of resource group and the resources deployed within it is a completely organization- and project-specific decision.

 

As a resource group is only a container and never controls the actual life cycle of the resources deployed, the location of the resource group and of the actual resource can be different. Refer to the diagram below –

 

Resource group and location.png

How to report resource and associated resource group location mismatch?

Azure Policy is the best thing on Azure and can help do wonders. If a policy is applied at the Azure subscription level, Azure Policy automatically evaluates the resources and reports non-compliance as per the policy definition. There are many built-in policies already available on Azure.

 

One such important built-in policy is “Audit resource location matches its resource group location”.

 

This policy can help us identify whether resources present in a resource group do not have the same location as the resource group.

 

In the above diagram we have a resource group in Central India, whereas one VNET is in a different region. Having one location for the resource group and a separate location for the actual resource is completely normal.

 

However, as a general best practice, I have seen that having all resources deployed in the same location as their resource group works best in many scenarios.

 

Create and Assign Policy

Go to the Azure portal and search for Policy in the top search box. Once found, click on it. You will land on the screen below. Click on Assign Policy as shown below –

 

Assign Policy.png

 

Search for the policy named “Audit that the resource location matches its resource group location”.

Then click on Review + Create. Once enabled, the policy will evaluate the entire Azure subscription against the policy and report the results.

 

Create Policy.png

 

Compliance view

Now click on Compliance view and we should see the list of non-compliant resources for the policy, as shown below –

 

Complaince View.png

 

When you go into the details, you can view individual resources with the current value of location and the target (expected) value of location.

 

Detailed Resource view.png
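
For a weekly report that can be mailed or archived outside the portal, the same comparison can be run over an exported inventory. The script below is an added example, not part of the original post: it assumes the inventory has the shape of `az group list -o json` and `az resource list -o json` output, all sample names are constructed, and the exemption of `global` resources is an assumption about how the audit should treat non-regional resources.

```python
import json

# Constructed sample data shaped like `az group list -o json` and
# `az resource list -o json` output; every name here is made up.
GROUPS = json.loads("""[
  {"name": "rg-payments", "location": "centralindia"},
  {"name": "rg-analytics", "location": "southindia"}]""")
RESOURCES = json.loads("""[
  {"name": "vm-pay-01", "resourceGroup": "rg-payments", "location": "centralindia"},
  {"name": "vnet-pay", "resourceGroup": "RG-PAYMENTS", "location": "westindia"},
  {"name": "dns-pay", "resourceGroup": "rg-payments", "location": "global"},
  {"name": "st-analytics", "resourceGroup": "rg-analytics", "location": "South India"},
  {"name": "kv-orphan", "resourceGroup": "rg-missing", "location": "centralindia"}]""")

def norm(location):
    """Fold display form ('Central India') and short form ('centralindia') together."""
    return (location or "").replace(" ", "").lower()

def find_mismatches(groups, resources):
    """Return (group, resource, actual, expected) for each location mismatch."""
    # Resource group names are case-insensitive in Azure, so key on lowercase.
    rg_location = {g["name"].lower(): norm(g["location"]) for g in groups}
    rows = []
    for r in resources:
        actual = norm(r.get("location"))
        if actual in ("", "global"):   # assumption: non-regional resources are exempt
            continue
        expected = rg_location.get(r["resourceGroup"].lower())
        if expected is None:           # group absent from the export: flag, don't guess
            rows.append((r["resourceGroup"], r["name"], actual, "UNKNOWN GROUP"))
        elif actual != expected:
            rows.append((r["resourceGroup"], r["name"], actual, expected))
    return sorted(rows, key=lambda row: (row[0].lower(), row[1]))

def weekly_report(groups, resources):
    """Render the mismatches as plain text, one line per resource."""
    rows = find_mismatches(groups, resources)
    lines = [f"{len(rows)} of {len(resources)} resources differ from their group location"]
    lines += [f"  {rg}/{name}: in {actual}, group is in {expected}"
              for rg, name, actual, expected in rows]
    return "\n".join(lines)

if __name__ == "__main__":
    print(weekly_report(GROUPS, RESOURCES))
```

A resource whose group is missing from the export is reported rather than silently skipped, since that usually means the two exports were taken at different times.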

 

Conclusion

Hope this blog post helped you understand how Azure Policy can effectively help you implement your specific restrictions and best practices on Azure.
