This post was co-authored by Sarah Lean, Senior Content Engineer at Azure
Tailwind Traders1 is a retail company looking to adopt Azure as part of their IT strategy. The IT team is comfortable deploying on-premises infrastructure and is currently exploring what it takes to run their workloads on Azure. They did some research and found the Microsoft Cloud Adoption Framework for Azure and Azure landing zones.
When starting a project or a new implementation, it is always important to discuss and fully understand the key design and decision points. Provisioning an enterprise-scale landing zone and the resources that follow it in the cloud is no different. The enterprise-scale architecture prescribed in this guidance is based on a set of design principles, which serve as a compass for later design decisions in the critical technical areas.
Tailwind Traders' IT team sits down to discuss the critical design areas covered in the enterprise-scale landing zone documentation. There are several areas they need to work through:
Subscriptions and administration
One of the first decision points to think about is how to structure the environment: the management group hierarchy and who owns platform operations. There are many ways to segment an environment. First, define the criteria for provisioning subscriptions and the responsibilities of a subscription owner. Next, establish a cross-functional platform DevOps team that builds, manages and maintains the enterprise-scale architecture. Application DevOps teams are granted the Owner role on their own subscriptions so they can create and manage application resources through a DevOps model.
Using subscriptions to split the environment helps with managing costs and day-to-day administrative responsibilities. Management groups carry the corporate governance guardrails (policy and role assignments applied at a management group are inherited by every subscription beneath it), and subscriptions provide the management boundary and isolation inside those guardrails, creating a clear separation of concerns.
One thing they want to settle from the start is who is responsible for what within each subscription. What they want to avoid is a total lack of governance because roles and responsibilities were never defined at the beginning. Some suggestions to make sure subscription owners think about this and act on it are:
- Run a quarterly or twice-yearly access review in Azure Active Directory (Azure AD) Privileged Identity Management to ensure that permissions do not accumulate as users move between roles within the organization.
- Take full responsibility for the subscription's budget spending and resource usage.
- Ensure compliance with the governance guidelines and remediate non-compliant resources where necessary.
When Tailwind Traders want to make sure their governance requirements are met and applied to every subscription, management groups are the mechanism for that. This is a topic the Cloud Adoption Framework covers, guiding people through the design considerations and recommendations. While it is something the Tailwind Traders team still needs to discuss, they are not on their own and have guidance to follow.
Network topology and connectivity
The network, and whether the cloud environment will function as a standalone environment or integrate with the existing environment(s), is a very important part of Tailwind Traders' design meetings. They have to plan IP addressing, Domain Name System (DNS) and name resolution, the overall topology, all requirements for network encryption and traffic inspection, and hybrid connectivity.
Every company has its own requirements, existing setups and complexities on its journey to the cloud. After the Tailwind Traders team has discussed their needs and options, they would like to speak to a Microsoft partner to leverage outside experience and make sure they are going in the right direction with their network design and have not missed or misunderstood anything.
Security, governance and compliance
Tailwind Traders are very aware that they have some issues with their current environment. Today, passwords and secrets are stored in a password-protected Microsoft Excel spreadsheet, which has obvious challenges. Also, many of the resources they have provisioned on-premises violate the corporate naming convention. They want to avoid carrying these problems with them into the cloud.
They discuss governance and are keen to use Azure Key Vault instead of the Excel spreadsheet for their passwords and secrets. Still, they need to make sure they set the correct security boundaries and that the IT department is ready for the switch, so that each team can see the secrets it needs and only those. Therefore, a discovery exercise is conducted internally to ensure that everyone understands the upcoming changes and is on board from the start of the change.
They are also looking to implement Azure Policy to ensure that new resources follow the corporate naming convention. The team is also keen to see how the Azure Security Benchmark and Azure Security Center can help with their PCI DSS compliance requirements.
Figure 1: Regulatory compliance dashboard in Azure Security Center
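As an added illustration of the naming-convention policy the team is discussing (this is not code from the original post or from the Cloud Adoption Framework), the following is a custom Azure Policy definition that rejects virtual machines whose name does not match a required pattern. The pattern `tt-???-vm-###`, the parameter names and the choice of resource type are assumptions made for the example; Tailwind Traders' real convention is not given in the post.

```json
{
  "properties": {
    "displayName": "Enforce naming convention for virtual machines (example)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Example policy: resources of the given type must match the naming pattern. Pattern and type are assumptions, not the company's real convention.",
    "metadata": {
      "category": "Naming"
    },
    "parameters": {
      "resourceType": {
        "type": "String",
        "metadata": {
          "displayName": "Resource type",
          "description": "Resource provider type the naming rule applies to."
        },
        "defaultValue": "Microsoft.Compute/virtualMachines"
      },
      "namePattern": {
        "type": "String",
        "metadata": {
          "displayName": "Required name pattern",
          "description": "Azure Policy 'match' pattern: # matches one digit, ? one letter, . any single character; every other character is literal and the whole name must match. Example: tt-prd-vm-001."
        },
        "defaultValue": "tt-???-vm-###"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Start with Audit to see what would be blocked, then switch the assignment to Deny."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "[parameters('resourceType')]"
          },
          {
            "field": "name",
            "notMatch": "[parameters('namePattern')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Two points a practitioner should keep in mind when adapting this. First, assign the definition at a management group rather than at individual subscriptions, so every existing and future subscription beneath it inherits the rule; that is exactly the guardrail role the post gives management groups. Second, a single pattern rarely fits every resource type (storage account names, for example, cannot contain hyphens at all), so keep the rule scoped to one type per assignment and, because `match` is case-sensitive, use `notMatchInsensitively` if mixed case is acceptable. Run the assignment with `Audit` first: a `Deny` only stops new deployments, while the compliance view shows the resources that already violate the convention.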
The team knows they have only covered a portion of the critical design areas suggested in the enterprise-scale landing zone documentation. They will need several more meetings before they begin deploying their landing zone, but they are excited about the progress they have made and look forward to future discussions. They also appreciate that the enterprise-scale landing zone guidance is there to accompany them on their cloud adoption journey.
We'll explore Tailwind Traders and their cloud adoption further in future blog posts using the enterprise-scale architecture. If you want to learn more about enterprise-scale landing zones, join Sarah Lean and me on April 7th at 8:00 a.m. PST or 3:00 p.m. GMT on Learn TV, where we will answer questions and deploy an enterprise-scale landing zone live.
1Tailwind Traders is a fictional company that we refer to in this blog post to illustrate how companies can leverage the Cloud Adoption Framework in real-world scenarios.