From the course: Migrating to Azure

Organizing resources - Azure Tutorial


- [Instructor] Before you can start migrating your workloads to Azure, it's important to have your environment set up correctly. In this module, we're going to look at the things that you need to do to get Azure ready. And I'm going to be focusing on resources, security, costs and reporting. In this first video, we're going to be focusing on resources. How you organize your resources in Azure is critical to how you secure them. It also impacts how you track costs across your estate.

Now, some companies, particularly those that develop and deploy their own software, will have two Azure subscriptions, perhaps even more. Typically, one for production workloads, and one for non-production workloads. Now in this scenario, our very top layer is what's known as a management group. Think of this as a container that allows you to easily manage access, policies and compliance for multiple subscriptions. Now each subscription that's part of this management group automatically inherits these policies, and it makes it much easier for companies to manage and maintain multiple subscriptions.

Now, the subscription itself is where we create our resources, and each subscription has limits or quotas on the amount of resources that can be created or used. Now within our subscription, we create resource groups. These resource groups are logical containers that we deploy our different services to. They inherit any policies from the subscription that they belong to. Finally, we have the services themselves, such as web apps, virtual machines and databases that sit within these resource groups. Again, these will inherit any policies from their parent container.

Now this structure is called the management hierarchy. Now you can apply management settings like policies and role-based access control at any of the different management levels, and we'll look at some practical examples of this later on. However, the level you choose determines how widely the setting is applied.
Lower levels will inherit settings from higher levels. So when you apply a policy to a subscription, that policy is also applied to all resource groups and resources within that subscription. Typically, it makes sense to apply critical settings at higher levels, such as the management group or subscription level, and then apply the project-specific requirements at lower levels, such as at the resource group, or even resource level.

Imagine that you want to make sure all resources for your organization are deployed to certain regions, perhaps Northern Europe. Well, one way to do that would be to apply a policy to the subscription that specifies the allowed location. As users in your organization add new resource groups and resources, the policy will be automatically enforced.

How you organize your cloud-based resources is critical to how you manage and secure those resources. It also has an impact on how you track any costs associated with running your cloud services. So when you're setting up your cloud environment, there are a few things to consider.

Firstly, you should decide how you want your subscriptions organized. Now for organizations like H Plus, it probably doesn't make much sense to run multiple subscriptions. However, you may decide that it makes sense for your business. If you do use multiple subscriptions, then you should set up a management group.

Secondly, you need to think about how you name your resources in Azure. A good naming standard will help you to identify resources in the Azure portal and on your billing statement. Ideally your naming strategy should include both business and operational details.

Finally, you should make use of resource tags. Resource tags are a useful way to quickly identify your resources and resource groups in Azure, and help you to logically organize them. Each tag consists of a name and a value. And after you've applied tags, you can retrieve all the resources in your subscription with the tag name and value.
When you organize resources for billing or management, tags can help you retrieve related resources from different resource groups. Tags can also be used to write documentation, automation, and to help with optimizing costs.

Now I've already briefly mentioned that you can apply policies, access settings, and compliance settings at various different levels. And that those settings are applied from the top down. So let's have a demo now and see how this works in practice.

So here we are in the Azure portal, and what I want to do is create a new policy to ensure that resources can only be created in a particular region. Azure is available across the globe and splits into what is known as regions. Each region representing a data center, or set of data centers in a particular geographic area. Now typically, you deploy resources in regions that are close to your users, or perhaps split your services across multiple regions to provide you some resilience, ensuring your services are still available if a data center suffered some form of outage.

So let's start by selecting our subscription. This pane shows you all the details of our subscription. We can see current charges, manage payment methods, and that sort of thing. If we scroll down on the left here, we find the policies option. So let's select that. Here we can define policies that will be applied at the subscription level. Any policy we create here will be inherited by everything within this subscription.

Let's create a new policy by selecting assign policy here on the toolbar. If we click here, we can select a predefined policy definition. In the search box, type allowed locations, and then select allowed locations for resource groups. This is going to restrict the locations that we can use when creating resource groups. Next, we need to set out the parameters tab. And then in the allowed locations drop box, select West US 2. Finally, click review and create, and then click create.
Now it takes about 30 minutes for new policies to be applied. And you can see here that the policy is currently in the not started state. After about 30 minutes, the policy changes to the compliance state.

Now we don't currently have any resource groups, so let's start by creating one. Back on the dashboard, select resource groups here at the top, and then select add. Let's try and create a resource group in the East US region. Let's give it a name, and then select review and create. Now straight away we noticed that the operation fails, and we get this error, telling us that it is disallowed by policy. Let's go back and create it in the correct region. Now you can see the resource group is created as expected.
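
The inheritance rule and the East US denial from the demo, as an added Python example that is not part of the course: a simplified model, not Azure's policy engine, with constructed scope names (`mg-hplus`, `sub-prod`, `sub-nonprod`, `rg-web`). It also shows that an assignment targeting only resource groups leaves the location of resources inside them unconstrained.

```python
# Simplified model of Azure Policy scope inheritance; not the Azure engine.
from dataclasses import dataclass

# Constructed hierarchy (hypothetical names): child scope -> parent scope.
PARENT = {
    "sub-prod": "mg-hplus",
    "sub-nonprod": "mg-hplus",
    "rg-web": "sub-prod",
}

RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"
VM_TYPE = "Microsoft.Compute/virtualMachines"


@dataclass(frozen=True)
class LocationAssignment:
    scope: str                 # level of the hierarchy where it is assigned
    for_resource_groups: bool  # True: matches only resource groups;
                               # False: matches every other resource type
    allowed: frozenset         # normalized location names, e.g. "westus2"


def normalize(location):
    """Map a portal display name ('West US 2') to a location name ('westus2')."""
    return location.replace(" ", "").lower()


def scope_chain(scope):
    """Return the scope followed by every container above it."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = PARENT.get(scope)
    return chain


def evaluate(parent_scope, resource_type, location, assignments):
    """Return ('deny', assigning scope) or ('allow', None) for a create request."""
    chain = scope_chain(parent_scope)
    for a in assignments:
        inherited = a.scope in chain  # assigned here or at a higher level
        targeted = (resource_type == RG_TYPE) == a.for_resource_groups
        if inherited and targeted and normalize(location) not in a.allowed:
            return ("deny", a.scope)
    return ("allow", None)


# The demo's assignment: resource groups only, at subscription scope.
DEMO = [LocationAssignment("sub-prod", True, frozenset({"westus2"}))]
```

Covering resources as well as resource groups, across both subscriptions, takes a second assignment with `for_resource_groups=False` at the `mg-hplus` scope.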
