Krish DEV

AZ-400 Exam Preparation: Control and organize Azure resources with Azure Resource Manager

Published a month ago

7 minutes read

This content is summarised from the official Microsoft documentation.

Azure Resource Group

Principles of resource groups

  • A resource group is a logical container for resources deployed in Azure
  • A resource is anything created within an Azure subscription

A resource can belong to only one resource group; some resource types can later be moved to another group or subscription.

Things to consider when placing resources in the same group

  • similar usage
  • type
  • location

Deleting a resource group deletes every resource it contains.

Use resource groups for organization

  • Consistent naming convention (msftlearn-core-infrastructure-rg)
    • what it is used for (msftlearn)
    • types of resources contained within (core-infrastructure)
    • type of resource (rg)
  • Organizing principles
    • organize by resource type
    • organize by environment (dev, uat, prod)
    • organize by department (finance, marketing, hr)
    • combined (prod-finance, dev-marketing)
    • organize by authorization
      • Since resource groups are a scope of RBAC, you can organize resources by who needs to administer them
  • organize for life cycle (delete group, delete all resources - non-production environments)
  • organize for billing

Use tagging to organize resources

  • to help when one resource group serves multiple purposes
  • to filter searches down to specific resources
  • to group billing data (tags let you retrieve related resources that live in different resource groups)
  • to monitor critical resources -> if a resource tagged Department: Finance goes down, we immediately know the finance department may be impacted (contextual information)
  • to drive automation (e.g., shut down all resources tagged Environment: Dev at 6 PM and start them again at 7 AM)

Azure Tags

What are tags?

  • tags are name/value pairs that we can apply to resources and resource groups
  • A resource can have up to 50 tags
  • Tags aren't inherited from parent to resources
  • Tags can't be applied to classic resources

# adding a Department tag to a virtual network
# note: az resource tag replaces the resource's existing tags;
# pass --is-incremental to append to them instead
> az resource tag --tags Department=Finance \
    --resource-group msftlearn-core-infrastructure-rg \
    --name msftlearn-vnet1 \
    --resource-type "Microsoft.Network/virtualNetworks"

We can use Azure Policy to automatically add tags or to enforce that they are present.

Use policies to enforce standards

  • Policies enforce rules at resource creation time (e.g., every resource must carry a Department tag)
  • Policies can also be evaluated against existing resources to give visibility into compliance
  • Create a policy definition, then assign it to a scope such as a resource group

Use cases

  • Restrict which Azure regions you can deploy resources to
  • Restrict VM Size
  • Enforce naming convention
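As an added example (not from the original post), a custom policy definition that denies creating any taggable resource without the Department tag, in the JSON body shape the Azure Resource Manager policy API accepts; the display name, description and parameter default are assumed:

```json
{
  "properties": {
    "displayName": "Require the Department tag on resources",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Denies creation of any taggable resource that lacks the tag named in tagName. Mode Indexed limits evaluation to resource types that support tags and location.",
    "parameters": {
      "tagName": {
        "type": "String",
        "defaultValue": "Department",
        "metadata": {
          "displayName": "Tag name",
          "description": "Name of the tag that must be present on every resource."
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false"
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

The deny effect only blocks new or updated resources; existing resources that lack the tag are reported as non-compliant in the compliance view rather than being changed, so a Modify-effect policy is the route for adding tags automatically.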

Secure resources with role-based access control

  • RBAC is used to grant users the specific rights they need to perform their jobs.
  • It is included in all subscription levels at no cost
  • With RBAC, we can:
    • Allow one user to manage VMs in a subscription, and another user to manage virtual networks.
    • Allow a database administrator (DBA) group to manage SQL databases in a subscription.
    • Allow a user to manage all resources in a resource group, such as VMs, websites, and virtual subnets.
    • Allow an application to access all resources in a resource group.
  • RBAC uses an allow model for access

RBAC Best Practices

  • Grant only the amount of access users need to perform their jobs.
  • Grant users the lowest privilege level that still lets them do their work.
  • Use resource locks to ensure critical resources aren't modified or deleted.

Use resource locks to protect resources

Azure Locks

  • A setting we can apply to any resource to block modification (Read-only) or deletion.
  • Read-only (ReadOnly) -> cannot modify or delete
  • Delete (CanNotDelete) -> can read and modify, but not delete
  • Can be applied to subscriptions, resource groups, and individual resources
  • Locks are inherited by child resources when applied at a higher level.
  • Locks apply regardless of RBAC permissions: even an Owner must remove the lock before deleting the resource.

Placing a Read-only lock on a storage account prevents all users from listing the keys. The list keys operation is handled through a POST request because the returned keys are available for write operations.
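As an added example (not from the original post), an ARM template that deploys a tagged storage account and attaches a CanNotDelete lock to it as an extension resource; the account name parameter, lock name, SKU and tag values are assumed:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string",
      "metadata": { "description": "Assumed name of the storage account to protect." }
    },
    "lockLevel": {
      "type": "string",
      "defaultValue": "CanNotDelete",
      "allowedValues": [ "CanNotDelete", "ReadOnly" ],
      "metadata": { "description": "CanNotDelete still allows reads and updates; ReadOnly also blocks updates and POST operations such as listing keys." }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-09-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "tags": { "Department": "Finance", "Environment": "Prod" },
      "properties": { "allowBlobPublicAccess": false, "minimumTlsVersion": "TLS1_2" }
    },
    {
      "type": "Microsoft.Authorization/locks",
      "apiVersion": "2020-05-01",
      "name": "protect-finance-storage",
      "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('storageAccountName'))]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
      ],
      "properties": {
        "level": "[parameters('lockLevel')]",
        "notes": "Lock applies regardless of RBAC role; remove it before deleting the account."
      }
    }
  ]
}
```

Because the lock is a separate extension resource, a later deployment that omits it does not remove it; only an explicit lock deletion by someone with Microsoft.Authorization/locks/delete permission (Owner or User Access Administrator) does.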

Notes for exam

  • Tags cannot be applied to classic resource types
  • Tags are not inherited from parent to child resources
  • Resource groups cannot be nested
  • Tags are useful with Azure Automation for scheduling maintenance windows
  • Use Azure Policy to enforce naming conventions
