INTRODUCTION – Build a Cloud Governance Strategy on Microsoft Azure
In this module, you will look at how different tools and services will help you form a complete cloud governance strategy. You’ll learn about access policies as well as resource locks and tags – important internal means to help manage and organize your resources. You will also learn about Microsoft Azure services such as Azure Policy and Azure Blueprints.
These last two services help enforce compliance and efficient resource management, bringing your cloud environment in line with the standards the organization has set. Together, these topics give a complete overview of how to implement a solid governance framework that supports business goals while increasing productivity.
Learning Objectives:
- Govern at scale across multiple Azure subscriptions using Azure Blueprints.
- Control and audit how resources are created with Azure Policy.
- Apply tags to Azure resources to help describe their purpose.
- Apply a resource lock to prevent accidental deletion of resources.
- Define who can access cloud resources using Azure role-based access control.
- Make organizational decisions about your cloud environment using the Cloud Adoption Framework for Azure.
KNOWLEDGE CHECK
1. Your company has migrated to Azure cloud services and management wishes to charge back some of the resource costs to various departments on a monthly basis. Which in your opinion is the best solution to meet these requirements with the least amount of administrative effort?
- Manually track using a Microsoft Excel spreadsheet
- Create Subscriptions for each department
- Tags (CORRECT)
Correct: Tags are metadata information about resources, and they help create effective categorization and organization. For example, you might create a tag named “Sales” with a value representing a name in a billing department. Then, you could use Azure Policy to ensure the proper tags are attached to the resources as they’re procured, which helps with the enforcement of consistent tagging procedures throughout your environment.
2. Your Azure deployment consists of multiple subscriptions and resource groups. You need to restrict the actions that some of your users can carry out. You are required to allow some users to manage VMs without having permission to make configuration changes to networking etc. Which of the following solutions allows you to do this?
- Use Azure AD Role Based Access Control (Azure RBAC) to create role assignments. (CORRECT)
- Create multiple Resource Groups.
- Create policies in Azure Policy that will audit resource usage.
Correct: Azure role-based access control allows you to create roles that confer various kinds of access permissions to resources in the cloud environment. For example, you can define a role that has access only to virtual machines and assign it to users so that they are able to manage those resources. A further role can be created for administrators to give access to all resources in the environment, so they can carry out any necessary operation across the entire cloud infrastructure.
3. Resource Locks in Azure cloud services prevent accidental changes or deletions. Which of the following are valid options when configuring Resource Locks?
Select 2 options.
- CanNotModify
- ReadOnly (CORRECT)
- CanNotDelete (CORRECT)
Correct: The ReadOnly lock lets authorized users view a resource but keeps them from modifying or deleting it. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role in Azure RBAC: they can view the properties of the resource without making any changes. As such, it protects important resources from accidental or unauthorized alterations.
Correct: The CanNotDelete lock allows authorized users to read and modify a resource but prevents them from deleting it unless they first remove the lock. It keeps the resource intact while modifications can still be made, protecting it from deletion by accident or malice.
4. Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. These policies enforce different rules and effects over your resource configurations so that those configurations stay compliant with corporate standards.
Select Yes if you agree with the following statement; otherwise, select No:
Azure Policy initiatives are a way of grouping related policies into one set.
- Yes (CORRECT)
- No
Correct: Creating an initiative in Azure Policy lets you bring related policies together in a single bundle for effective management and compliance across multiple resources. The initiative definition contains all the individual policy definitions, which makes it possible to track and report the overall compliance status against a bigger organizational goal. With initiatives, many policies can be assigned at once, which simplifies governance.
5. An Azure Blueprint is composed of artifacts. Which of the following artifact types are currently supported by Azure Blueprints?
Select 3 options.
- ARM Templates (CORRECT)
- Management Groups
- Policy Assignment (CORRECT)
- Role Assignment (CORRECT)
Correct: Azure Blueprints now includes the following artifacts: Resource Groups, ARM Templates, Policy Assignments, and Role Assignments.
Correct: Azure Blueprints currently supports four types of artifacts: Resource Groups, ARM Templates, Policy Assignments, and Role Assignments.
TEST PREP
1. Tags provide extra information, or metadata, about your resources. What is the easiest way to apply tags to resources that reside within a Resource Group?
- Create an Azure Policy (CORRECT)
- Apply a Tag directly to the Resource Group and all resources within that Group will automatically receive this Tag
Correct: It’s possible to tag a resource group, but these tags are not automatically inherited by the resources in that group. However, Azure Policy can enforce the inheritance of tags from the parent resource group to its resources.
2. Azure virtual machines come in different SKU sizes and costs. Your company wants to limit the choices available to users when creating new virtual machines to ensure that they only deploy cost-effective virtual machine sizes. What do you think is the best way of doing this?
- Create an Azure RBAC role that defines the allowed virtual machine SKU sizes.
- Periodically inspect the deployment manually to see which SKU sizes are used.
- Create a new Azure Policy that only displays the preferred SKU sizes. (CORRECT)
Correct: Once this policy is enabled, it applies when new virtual machines are created as well as when existing ones are resized. Azure Policy evaluation also covers any virtual machines already present in your environment at the time this policy is enabled.
3. In Azure cloud services, Role-Based Access Control (RBAC) is applied to a scope, which is a resource or set of resources that this access applies to. Select Yes if you believe the following statement is correct or No if you believe it is incorrect.
When you grant access at a parent scope, those permissions are inherited by all child scopes.
- Yes (CORRECT)
- No
Correct: When you grant permissions at a higher scope, those permissions are inherited by all child scopes. Rights are inherited down the complete hierarchy, giving a consistent access control mechanism across related resources.
4. Think back over the tools, documentation, and proven practices that make up the Cloud Adoption Framework. Which one can you use to accelerate development and build a minimum viable product (MVP) for your idea?
- Azure cloud migration best practices checklist
- Azure innovation guide (CORRECT)
- Azure setup guide
Correct: With this guide, you can develop faster and build an MVP (Minimum Viable Product) for your idea so that you can test and validate it quickly.
5. You are able to use Azure RBAC to manage all resources and your access gives you the ability to assign roles in Azure RBAC. Which one of the Azure RBAC built-in roles has been assigned to you that gives you this level of access?
- Reader
- Contributor
- Owner (CORRECT)
Correct: The Owner role allows complete management of all resources, including assigning roles in Azure RBAC.
6. Your company has recently migrated to Azure cloud services, and the management team wants you to implement resource locks to prevent accidental changes or deletions. Which of the following are valid options when configuring Resource Locks?
Select all that apply.
- Reader
- ReadOnly (CORRECT)
- CanNotDelete (CORRECT)
Correct: The ReadOnly lock permits an authorized user to view a resource but does not allow deleting it or making changes to it.
Correct: The CanNotDelete lock allows authorized users to read and modify a resource, but they cannot delete that resource unless they first remove the lock on it.
7. You have applied the following policy definition, “System updates should be installed on your machines”. What will this policy enable?
- This policy enables Azure Security Center to recommend missing security system updates on your servers. (CORRECT)
- This policy enables you to restrict the locations that your organization can specify when it deploys resources.
- This policy enables you to specify a set of VM SKUs that your organization can deploy.
Correct: With this policy definition, Azure Security Center can recommend missing security system updates on your servers.
8. Tailwind Traders wants to automate its governance best practices across multiple subscriptions. Which solution do you think can assist them?
- Azure Resource Manager Templates
- Azure Blueprints (CORRECT)
- Azure Resource Groups
Correct: Using Azure Blueprints, you can automate governance best practices across multiple subscriptions.
CONCLUSION – Build a Cloud Governance Strategy on Microsoft Azure
In this module, you have learned how to create a strong cloud governance strategy with Azure. Using Azure’s access policies, resource locks, tags, Azure Policy, and Azure Blueprints, you can achieve compliance, resource optimization, and operational alignment with your organization. This leads to a stronger governance solution for securing and organizing cloud environments.