AZ-400 Exam Preparation: Control and organize Azure resources with Azure Resource Manager
Published a month ago
7 minutes read
The content is summarised from the document from the Official Website
Principles of resource groups
- A resource group is a logical container for resources deployed on Azure
- Resources are anything created in an Azure subscription
- A resource can belong to only one resource group; some resources can be moved to another resource group or subscription
- Things to consider when putting resources in the same group:
  - similar usage
- Deleting a resource group deletes all the resources in it
Use resource groups for organization
- Consistent naming convention (msftlearn-core-infrastructure-rg)
  - what it is used for (msftlearn)
  - types of resources contained within (core-infrastructure)
  - type of resource (rg)
- Organizing principles
  - organize by resource type
  - organize by environment (dev, uat, prod)
  - organize by department (finance, marketing, hr)
  - combined (prod-finance, dev-marketing)
  - organize by authorization
    - Since resource groups are a scope of RBAC, you can organize resources by who needs to administer them
  - organize for life cycle (delete group, delete all resources - non-production environments)
  - organize for billing
Use tagging to organize resources
- to help when one resource group has multiple uses.
- add tag filter to search specific resources
- to group your billing data (tags enable you to retrieve related resources from different resource groups)
- for monitoring critical resources -> if a resource tagged Department: Financial goes down, we know the Financial department may be impacted (contextual information)
- automation (shut down all resources tagged Environment: Dev at 6 PM and start them at 7 AM)
What are tags?
- tags are name/value pairs that we can apply to resources and resource groups
- A resource can have up to 50 tags
- Tags aren't inherited from parent to resources
- Tags can't be applied to classic resources
```bash
# adding a tag to a virtual network; az resource tag needs --resource-type when the
# resource is addressed by --name/--resource-group instead of --ids
az resource tag --tags Department=Finance \
    --resource-group msftlearn-core-infrastructure-rg \
    --name msftlearn-vnet1 \
    --resource-type Microsoft.Network/virtualNetworks
```
We can use policy to automatically add or enforce tags
Use policies to enforce standards
- Policies can enforce the rules when resources are created (e.g., must have Department tag)
- Can be evaluated against existing resources to give visibility into compliance
- Create a policy definition, then assign it to a resource group
- Example policies:
  - Restrict which Azure regions you can deploy resources to
  - Restrict VM size
  - Enforce a naming convention
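To make the policy semantics concrete, here is an added example (not from the original notes or from Microsoft) that writes the three example policies above in the real Azure Policy `policyRule` shape (`if` condition, `then` effect, `field`/`exists`/`notIn`/`notLike` operators) and evaluates them locally against a handful of constructed resources, the way a compliance scan of existing resources does. The resource names, the allowed-region list and the resource records are assumptions made up for the example; the resource-group type string `Microsoft.Resources/subscriptions/resourceGroups` is the real one a policy would target.

```python
import re

# Constructed policy definitions, trimmed to the policyRule "if"/"then" part that Azure Policy evaluates.
# They implement the three examples from the notes: required tag, allowed regions, naming convention.
POLICIES = {
    "require-department-tag": {
        "if": {"field": "tags['Department']", "exists": "false"},
        "then": {"effect": "deny"},
    },
    "allowed-locations": {
        "if": {"field": "location", "notIn": ["westeurope", "northeurope"]},  # assumed allowed regions
        "then": {"effect": "deny"},
    },
    "rg-naming-convention": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
            {"field": "name", "notLike": "*-rg"},
        ]},
        "then": {"effect": "deny"},
    },
}

# Constructed resources, reduced to the properties the rules above read.
RESOURCES = [
    {"name": "msftlearn-core-infrastructure-rg", "type": "Microsoft.Resources/subscriptions/resourceGroups",
     "location": "westeurope", "tags": {"Department": "Finance"}},
    {"name": "msftlearn-vnet1", "type": "Microsoft.Network/virtualNetworks",
     "location": "westeurope", "tags": {"Department": "Finance"}},
    {"name": "legacy-vm", "type": "Microsoft.Compute/virtualMachines",
     "location": "eastus", "tags": {}},
    {"name": "finance", "type": "Microsoft.Resources/subscriptions/resourceGroups",
     "location": "northeurope", "tags": {"Department": "Finance"}},
]


def _field(resource, field):
    """Resolve a policy field: a plain property, or tags['Name'] for a single tag."""
    tag = re.fullmatch(r"tags\['([^']+)'\]", field)
    if tag:
        return resource.get("tags", {}).get(tag.group(1))
    return resource.get(field)


def _like(value, pattern):
    """Azure Policy 'like': '*' matches any run of characters, everything else is literal (case-insensitive)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value or "", re.IGNORECASE) is not None


def _matches(cond, resource):
    """Evaluate one condition of a policy rule (the subset of operators used above)."""
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource)
    value = _field(resource, cond["field"])
    lowered = (value or "").lower()
    if "exists" in cond:
        return (value is not None) == (cond["exists"].lower() == "true")
    if "equals" in cond:
        return lowered == cond["equals"].lower()
    if "in" in cond:
        return lowered in [v.lower() for v in cond["in"]]
    if "notIn" in cond:
        return lowered not in [v.lower() for v in cond["notIn"]]
    if "like" in cond:
        return _like(value, cond["like"])
    if "notLike" in cond:
        return not _like(value, cond["notLike"])
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource):
    """Return the effect that fires ('deny', 'audit', ...) or None when the resource is compliant."""
    if _matches(policy["if"], resource):
        return policy["then"]["effect"]
    return None


def compliance_report(policies=POLICIES, resources=RESOURCES):
    """Map each resource name to the policies it violates, as a scan of existing resources would."""
    return {r["name"]: [name for name, p in policies.items() if evaluate(p, r) is not None]
            for r in resources}


if __name__ == "__main__":
    for name, violations in compliance_report().items():
        print(f"{name}: {'compliant' if not violations else ', '.join(violations)}")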
Secure resources with role-based access control
- RBAC is used to grant users the specific rights they need to perform their jobs.
- It is included in all subscription levels at no cost
- With RBAC, we can:
  - Allow one user to manage VMs in a subscription, and another user to manage virtual networks.
  - Allow a database administrator (DBA) group to manage SQL databases in a subscription.
  - Allow a user to manage all resources in a resource group, such as VMs, websites, and virtual subnets.
  - Allow an application to access all resources in a resource group.
- RBAC uses an allow model for access
RBAC Best Practices
- Grant only the amount of access the users need to perform their jobs.
- Grant users the lowest privilege level they need to do their work.
- Use resource locks to ensure critical resources aren't modified or deleted.
Use resource locks to protect resources
- A setting we can apply to any resource to block modification (read-only) or deletion
  - Read-only -> cannot modify or delete
  - Delete -> can read and modify, but not delete
- We can apply it to subscriptions, resource groups, and individual resources
- Resource locks are inherited when applied at higher levels
- Resource locks apply regardless of RBAC permissions
- Placing a read-only lock on a storage account prevents all users from listing the keys: the list keys operation is handled through a POST request, because the returned keys are available for write operations.
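The interaction between the RBAC allow model and resource locks is easiest to see in a small model. The following is an added example (not from the original notes, and not Azure's own authorization code): it keeps constructed role definitions, role assignments and locks in plain Python, resolves scope inheritance by resource-id prefix, checks RBAC first and then lets a lock override the RBAC result. The subscription id is a placeholder, the principals, resource ids and the trimmed role definitions are assumptions, and the action strings follow the `provider/resourceType/operation` convention of real Azure operations (including the POST-style `listKeys/action` that a read-only lock blocks).

```python
import fnmatch

# Constructed role definitions: action patterns use Azure's "<provider>/<type>/<operation>" form
# with '*' as wildcard. Real built-in roles carry many more actions than listed here.
ROLES = {
    "Reader": ["*/read"],
    "Virtual Machine Contributor": ["Microsoft.Compute/virtualMachines/*",
                                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
    "Contributor": ["*"],
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder subscription id
CORE_RG = f"{SUB}/resourceGroups/msftlearn-core-infrastructure-rg"
PROD_RG = f"{SUB}/resourceGroups/prod-finance-rg"
STORAGE = f"{CORE_RG}/providers/Microsoft.Storage/storageAccounts/msftlearnstorage"
VNET = f"{CORE_RG}/providers/Microsoft.Network/virtualNetworks/msftlearn-vnet1"
PROD_VM = f"{PROD_RG}/providers/Microsoft.Compute/virtualMachines/finance-vm1"

# Constructed role assignments (principal, role, scope): an assignment covers the scope and everything below it.
ASSIGNMENTS = [
    ("alice", "Virtual Machine Contributor", SUB),
    ("bob", "Contributor", CORE_RG),
    ("carol", "Reader", SUB),
]

# Constructed locks (scope, level): inherited by every child of the scope.
LOCKS = [
    (STORAGE, "ReadOnly"),
    (PROD_RG, "CanNotDelete"),
]


def _in_scope(scope, resource_id):
    """A scope covers itself and every resource id nested below it."""
    return resource_id == scope or resource_id.startswith(scope + "/")


def rbac_allows(principal, action, resource_id):
    """Allow model: true as soon as one in-scope assignment grants a matching action."""
    for who, role, scope in ASSIGNMENTS:
        if who != principal or not _in_scope(scope, resource_id):
            continue
        if any(fnmatch.fnmatchcase(action.lower(), pattern.lower()) for pattern in ROLES[role]):
            return True
    return False


def lock_blocks(action, resource_id):
    """Return the lock level that blocks this action, or None. Locks do not care who is asking."""
    for scope, level in LOCKS:
        if not _in_scope(scope, resource_id):
            continue
        # ReadOnly blocks everything except reads, including POST operations such as listKeys/action
        if level == "ReadOnly" and not action.lower().endswith("/read"):
            return level
        if level == "CanNotDelete" and action.lower().endswith("/delete"):
            return level
    return None


def authorize(principal, action, resource_id):
    """RBAC is checked first; a lock then overrides an RBAC allow. Returns (allowed, reason)."""
    if not rbac_allows(principal, action, resource_id):
        return False, "no role assignment grants this action"
    lock = lock_blocks(action, resource_id)
    if lock:
        return False, f"blocked by {lock} lock"
    return True, "allowed"


if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/write", PROD_VM),
        ("alice", "Microsoft.Compute/virtualMachines/delete", PROD_VM),
        ("alice", "Microsoft.Network/virtualNetworks/write", VNET),
        ("bob", "Microsoft.Storage/storageAccounts/read", STORAGE),
        ("bob", "Microsoft.Storage/storageAccounts/listKeys/action", STORAGE),
        ("carol", "Microsoft.Storage/storageAccounts/write", STORAGE),
    ]
    for principal, action, rid in checks:
        allowed, reason = authorize(principal, action, rid)
        print(f"{principal:6} {action:50} {'ALLOW' if allowed else 'DENY '} ({reason})")
```

Note that bob has full Contributor rights on the resource group, yet the read-only lock on the storage account still stops him from listing keys, while a plain read goes through; alice can write to the production VM but the CanNotDelete lock on its resource group blocks deletion even though her role grants it.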
Notes for exam
- Tags cannot be applied to classic resource types
- Tags are not inherited
- Resource group cannot be nested
- Tag is useful with Azure Automation to schedule maintenance windows
- Policy to force naming convention