Deploy key design principles with enterprise-scale architecture

2021年3月31日 に投稿済み

Senior Content Engineer

Tailwind Traders1 is a retail company that is looking to adopt Azure as part of its IT strategy. The IT team is familiar with deploying infrastructure on premises and is now researching what they need to do in order to run their workloads within Azure. They've been doing some research and have found the Microsoft Cloud Adoption Framework for Azure and Azure landing zones.

When embarking on any project or new implementation, there are always key design and decision points to be discussed and fully understood. Deploying an enterprise-scale landing zone and subsequent resources to the cloud is no different. The enterprise-scale architecture prescribed in this guidance is based on the design principles that serve as a compass for subsequent design decisions across critical technical domains.

The Tailwind Traders IT team is sitting down to discuss the critical design areas as laid out within the enterprise-scale landing zone documentation. There are several areas that they need to discuss:

Subscriptions and management

One of the first decision points they need to think about is how they want to set up their environment in terms of management group hierarchy and platform operation owners. There are many ways to start to segment your environment. Start by defining the criteria for subscription provisioning and the responsibilities of a subscription owner. This will establish a cross-functional DevOps platform team to build, manage, and maintain your enterprise-scale architecture. Application DevOps teams will be given subscription owner permissions to create and manage application resources through a DevOps model.

Using subscriptions to help split up your environment can help with management of costs and day-to-day management responsibilities. Management groups provide governance guardrails, and subscriptions provide a management boundary for governance and isolation, which creates a clear separation of concerns. 

One thing they want to make sure is clear at the start is who is responsible within the subscriptions. What they don't want to happen is a complete lack of governance because the roles and responsibilities weren't defined at the start. Some suggestions to ensure the subscription owners are thinking about and implementing are:

  • Perform an access review in Azure Active Directory (Azure AD) Privileged Identity Management quarterly or twice a year to ensure that privileges don't proliferate as users move within the customer organization.
  • Take full ownership of budget spending and resource utilization.
  • Ensure policy compliance and remediate when necessary.

If Tailwind Traders wanted to ensure that their governance conditions were met and applied to each subscriptions Management Groups. This is a topic that the Cloud Adoption Framework covers to guide people around design considerations and recommendations. So, although it's something that the Tailwind Traders team needs to discuss, they aren't completely alone and have guidance available to them.

Networking

The networking and how you want your cloud environment to either act as a standalone environment or integrate with your existing environment(s) will be a very important part of Tailwind Traders design meetings. They need to plan for IP addressing, Domain Name System (DNS) and name resolution, the overall topology, any network encryption, and traffic inspection requirements, and hybrid connectivity.

Every organization will have different requirements, existing setups, and complexities to overcome on their cloud adoption journey. Having discussed their needs and options, the Tailwind Traders team are looking to speak to a Microsoft Partner to leverage outside experience and ensure they are heading in the right direction with their networking design and haven't missed anything or misunderstood anything.

Security, governance, and compliance

Tailwind Traders are acutely aware they have some issues with their current environment. Right now, passwords and secrets are stored within a password-protected Microsoft Excel spreadsheet which has its challenges. Also, a lot of the resources they have deployed on-premises violate the company naming convention, so they want to avoid those issues following them into the cloud.

Discussing governance, they are keen to use Azure Key Vault instead of their Excel spreadsheet for their passwords and secrets. Still, they need to ensure they set up the correct security boundaries, and the people within the IT department are ready for the change from them being able to see everything to only the things they need. So, a discovery exercise internally will be carried out to ensure everyone understands the forthcoming changes and their access is right from the start of the change.

They are also looking to implement Azure Policy within Azure to help ensure new resources follow the company naming convention. The team is also excited to see how Azure Security Benchmark and Azure Security Center can help with their PCI DSS compliance needs.

Azure Security Centre Regulatory compliance

Figure 1: Azure Security Centre Regulatory compliance

The team knows they have only covered a portion of the critical design areas as suggested by the enterprise-scale landing zone documentation. They need to have several other meetings to talk more before they start to deploy their landing zone, but they are excited about the progress that they have made and are excited about future discussions. The team is enjoying the fact that the enterprise-scale landing zone is there to help guide them through their cloud adoption journey.

We'll continue exploring Tailwind Traders and their cloud adoption journey using enterprise-scale architecture in future blog posts. However, if you'd like to learn more about enterprise-scale landing zones, please join Sarah Lean and I on April 7 at 8:00 AM PST, or 3:00 PM GMT, on Learn TV where we will be doing a Q&A and deployment of a enterprise-scale landing zone live.

Learn more

Check out additional blog posts in our Tailwind Traders cloud adoption series powered by Microsoft Cloud Adoption Framework for Azure and Azure landing zones


1Tailwind Traders is a fictional company that we reference within this blog post in order to help illustrate how companies can leverage the Cloud Adoption Framework in real world scenarios.