WEBVTT 0:00:03.820000 --> 0:00:08.580000 Whenever you are dealing with enterprise resources, you need to think 0:00:08.580000 --> 0:00:09.980000 about governance. 0:00:09.980000 --> 0:00:11.080000 How are you going to manage these? 0:00:11.080000 --> 0:00:13.080000 How are you going to manage access? 0:00:13.080000 --> 0:00:17.220000 You also want to think about how you're going to implement this at scale. 0:00:17.220000 --> 0:00:20.520000 That is what this video on Azure Blueprints is about. 0:00:20.520000 --> 0:00:24.020000 We're going to take a look at the following topics. 0:00:24.020000 --> 0:00:28.140000 We're going to look at managing governance and scale at a very high level. 0:00:28.140000 --> 0:00:30.980000 What are some of the big picture things you need to think about? 0:00:30.980000 --> 0:00:35.480000 Then we'll take a look at what Azure Blueprints are, briefly describe 0:00:35.480000 --> 0:00:38.960000 them, and then we're going to drop in and I'm going to go through a demonstration 0:00:38.960000 --> 0:00:41.160000 of Azure Blueprints. 0:00:41.160000 --> 0:00:43.580000 So let's go ahead and jump in. 0:00:43.580000 --> 0:00:48.020000 When we think about managing governance in general, if I've got a single 0:00:48.020000 --> 0:00:49.620000 subscription in Azure, right? 0:00:49.620000 --> 0:00:53.820000 Now I've got a resource group and I've got some assets in there, some 0:00:53.820000 --> 0:00:58.340000 resources. Really, my governance is not that complicated. 0:00:58.340000 --> 0:01:02.860000 Think about the two big tools that we have using policies so we can define 0:01:02.860000 --> 0:01:06.900000 what can be done and how it's audited and how it has to be set up in some 0:01:06.900000 --> 0:01:09.780000 cases. And then also role-based access control, right? 0:01:09.780000 --> 0:01:10.960000 Who can do these things? 0:01:10.960000 --> 0:01:12.320000 So what can be done? 0:01:12.320000 --> 0:01:13.440000 Who can do them? 
0:01:13.440000 --> 0:01:16.960000 Easy to set up. Really, there's not much more discussion there. 0:01:16.960000 --> 0:01:20.380000 And really, even as we grow out a little bit, so we've got a couple of 0:01:20.380000 --> 0:01:24.280000 different subscriptions, we can manage those independently without having 0:01:24.280000 --> 0:01:26.300000 to look at any other level, right? 0:01:26.300000 --> 0:01:31.320000 But as you get more into the enterprise compute environment, now we're 0:01:31.320000 --> 0:01:36.300000 looking at possibly managing many subscriptions, managing governance across 0:01:36.300000 --> 0:01:40.300000 many subscriptions, and different rules for governance. 0:01:40.300000 --> 0:01:43.680000 I may have subscriptions that I use for clients or even allow clients 0:01:43.680000 --> 0:01:47.900000 to access. I may have my corporate, I may have R&D, right? 0:01:47.900000 --> 0:01:51.980000 And I may have department level subscriptions, depending on the size and 0:01:51.980000 --> 0:01:54.060000 makeup of my organization. 0:01:54.060000 --> 0:01:58.940000 So now we're talking about having to look at applying a consistent and 0:01:58.940000 --> 0:02:02.920000 centrally managed set of governance rules. 0:02:02.920000 --> 0:02:09.080000 And that is really what the Azure Blueprint is for, simply put. 0:02:09.080000 --> 0:02:14.620000 Azure Blueprints are essentially an evolution, at least how I look at 0:02:14.620000 --> 0:02:19.700000 them, as an evolution of the ARM template concept. 0:02:19.700000 --> 0:02:22.740000 And the ARM template concept has been around four years. 0:02:22.740000 --> 0:02:24.660000 Blueprints are a bit newer. 0:02:24.660000 --> 0:02:29.620000 The idea of a Blueprint is not only can you define the resources as you 0:02:29.620000 --> 0:02:34.320000 would with an ARM template, but you can define the governance across those 0:02:34.320000 --> 0:02:41.460000 resources. 
So you have things like role-based access control, role assignments, 0:02:41.460000 --> 0:02:46.740000 policy assignments, ARM template deployments, and even the definition 0:02:46.740000 --> 0:02:48.920000 of resource groups. 0:02:48.920000 --> 0:02:54.260000 And you can also lock these to make sure that those Blueprint deployed 0:02:54.260000 --> 0:02:58.700000 components are in fact kept in place. 0:02:58.700000 --> 0:03:02.080000 And so conceptually, what is an Azure Blueprint for? 0:03:02.080000 --> 0:03:06.620000 It's to define your governance of a subscription. 0:03:06.620000 --> 0:03:12.740000 And the best way to see an Azure Blueprint is think about going and taking 0:03:12.740000 --> 0:03:15.560000 the Blueprint and you apply it to subscriptions. 0:03:15.560000 --> 0:03:19.360000 And it defines all these things within the subscription. 0:03:19.360000 --> 0:03:22.640000 Very simple Blueprint applied to subscription. 0:03:22.640000 --> 0:03:25.380000 Now, I want to take a look at an Azure Blueprint. 0:03:25.380000 --> 0:03:29.920000 One thing to keep in mind, when I say very simple, the base concept of 0:03:29.920000 --> 0:03:32.340000 a Blueprint is pretty straightforward. 0:03:32.340000 --> 0:03:35.740000 You're defining these things, these artifacts, which is actually the term 0:03:35.740000 --> 0:03:37.860000 that's used in Blueprints. 0:03:37.860000 --> 0:03:42.720000 In your environment, if you choose to use Blueprints, it will almost certainly 0:03:42.720000 --> 0:03:47.240000 be complex, not because of the complexity of the Blueprint itself, but 0:03:47.240000 --> 0:03:57.720000 because of the necessary complexity of your environment. 0:03:57.720000 --> 0:04:05.320000 So let's go ahead and let's take a quick look at Azure Blueprints. 0:04:05.320000 --> 0:04:09.780000 All right. I am currently logged in to my portal. 0:04:09.780000 --> 0:04:12.200000 I am in my dashboard. 
0:04:12.200000 --> 0:04:16.160000 And now normally, if I'm going to provision something in Azure, I'm going 0:04:16.160000 --> 0:04:17.480000 to go to create a resource. 0:04:17.480000 --> 0:04:22.740000 But your Blueprints are a little bit different because the Blueprint itself 0:04:22.740000 --> 0:04:26.980000 is not actually associated directly with a subscription. 0:04:26.980000 --> 0:04:29.620000 So it has its own interface. 0:04:29.620000 --> 0:04:32.620000 And I can see I currently don't have any Blueprints to file. 0:04:32.620000 --> 0:04:35.860000 For my demonstration subscription. 0:04:35.860000 --> 0:04:43.100000 And none there. But what I'm going to do is go ahead and create a Blueprint. 0:04:43.100000 --> 0:04:50.800000 And there are a number of predefined Blueprints. 0:04:50.800000 --> 0:04:54.960000 So for example, if you are subject to FedRAMP, regulatory compliance, 0:04:54.960000 --> 0:04:56.180000 you could use that. 0:04:56.180000 --> 0:05:01.240000 And it assigns policies that are specific to FedRAMP and many others. 0:05:01.240000 --> 0:05:05.280000 I, however, am going to start with a blank Blueprint. 0:05:05.280000 --> 0:05:11.280000 I'm going to give this a Blueprint name, keeping with my complete lack 0:05:11.280000 --> 0:05:18.940000 of creativity. And nation. 0:05:18.940000 --> 0:05:22.480000 Now the location, typically when we see location, that's going to be a 0:05:22.480000 --> 0:05:29.700000 region. This is actually location within the Management Group hierarchy. 0:05:29.700000 --> 0:05:33.600000 And I'm going to choose the active Management Group because that's got 0:05:33.600000 --> 0:05:35.300000 my subscription in it. 0:05:35.300000 --> 0:05:38.100000 But it could also have many other subscriptions. 0:05:38.100000 --> 0:05:42.680000 And you start to see where we have some real value to this. 0:05:42.680000 --> 0:05:47.060000 Now I'm now going to go ahead and add artifacts. 
0:05:47.060000 --> 0:05:50.080000 And when I add artifacts. 0:05:50.080000 --> 0:05:54.180000 Notice I'm at the subscription level. 0:05:54.180000 --> 0:05:56.860000 And I'm going to add an artifact to the subscription. 0:05:56.860000 --> 0:06:00.900000 And here are the artifacts that I can add. 0:06:00.900000 --> 0:06:05.400000 I can set a policy assignment at the subscription level, role assignment. 0:06:05.400000 --> 0:06:09.640000 Now Azure Resource Manager template or ARM template at the subscription 0:06:09.640000 --> 0:06:13.940000 level. That, I mentioned the fact that ARM templates have been around 0:06:13.940000 --> 0:06:16.480000 for a very long time. 0:06:16.480000 --> 0:06:20.520000 However, subscription level ARM templates are newer. 0:06:20.520000 --> 0:06:25.160000 Well, I say very long time, very long time in the scope of the cloud and 0:06:25.160000 --> 0:06:26.860000 Microsoft's cloud. 0:06:26.860000 --> 0:06:30.820000 But you now have the ability to have subscription level ARM templates. 0:06:30.820000 --> 0:06:34.600000 And what they do is they allow you to define things like policy. 0:06:34.600000 --> 0:06:39.800000 Also to define things like resource groups and the resources within them. 0:06:39.800000 --> 0:06:45.520000 So even though, as you will see, I can actually add independent artifacts. 0:06:45.520000 --> 0:06:49.360000 You also could define really just about pretty much everything you want 0:06:49.360000 --> 0:06:53.060000 in the blueprint as a policy and have this deploy the policy. 0:06:53.060000 --> 0:06:54.800000 But you get that flexibility. 0:06:54.800000 --> 0:06:57.440000 I am going to keep it relatively simple. 0:06:57.440000 --> 0:07:00.060000 I'm just going to deploy a resource group. 0:07:00.060000 --> 0:07:02.300000 So I'm going to create a resource group. 0:07:02.300000 --> 0:07:06.400000 It's going to be demo, tall, R, G. 
0:07:06.400000 --> 0:07:13.380000 As I deploy this, I have the option to either set certain parameters now 0:07:13.380000 --> 0:07:19.940000 in the blueprint itself, or to allow them to be set when this is created. 0:07:19.940000 --> 0:07:25.320000 And what I'm going to do is I'm going to go ahead. 0:07:25.320000 --> 0:07:27.540000 And define the resource group name. 0:07:27.540000 --> 0:07:30.380000 So that's going to be demo, tall, R, G. 0:07:30.380000 --> 0:07:35.160000 I'm also going to define the location, which if you watch any of my videos, 0:07:35.160000 --> 0:07:39.820000 you will probably not be shocked that I'm setting it to East US. 0:07:39.820000 --> 0:07:43.360000 Now I can also define tags for this group. 0:07:43.360000 --> 0:07:57.560000 Status. I'll just say blueprint defined. 0:07:57.560000 --> 0:07:59.000000 And there we go. 0:07:59.000000 --> 0:08:02.260000 So now I have a resource group. 0:08:02.260000 --> 0:08:05.340000 And then within the resource group, I have this hierarchy. 0:08:05.340000 --> 0:08:07.660000 I can add another artifact. 0:08:07.660000 --> 0:08:10.080000 Notice one is missing. 0:08:10.080000 --> 0:08:13.940000 I don't have the ability to add a resource group because I cannot nest 0:08:13.940000 --> 0:08:16.200000 resource groups in Azure. 0:08:16.200000 --> 0:08:22.300000 But I could, for example, select a policy assignment. 0:08:22.300000 --> 0:08:28.540000 And let's say I want to say resource types. 0:08:28.540000 --> 0:08:31.780000 And I want allowed resource types. 0:08:31.780000 --> 0:08:34.820000 So let's do not allow because that's easier to avoid. 0:08:34.820000 --> 0:08:37.540000 I will not do anything showing you whether or not this works, but I will 0:08:37.540000 --> 0:08:40.260000 show you that it gets applied. 0:08:40.260000 --> 0:08:44.460000 Now I actually clicked off of there before I set the values. 0:08:44.460000 --> 0:08:47.520000 Notice it says zero out of one parameters populated. 
0:08:47.520000 --> 0:08:53.220000 Yeah, but I can go back in and it comes up with the parameters. 0:08:53.220000 --> 0:08:54.760000 And the same kind of thing. 0:08:54.760000 --> 0:08:57.140000 I do in fact want to set this. 0:08:57.140000 --> 0:09:06.480000 Takes a minute. And there will be no 84 codes cloud AMPQ servers allowed 0:09:06.480000 --> 0:09:09.520000 in this resource group. 0:09:09.520000 --> 0:09:13.020000 Go ahead and hit OK there. 0:09:13.020000 --> 0:09:19.100000 All right, again, sort of a goofy assignment, but an assignment nonetheless. 0:09:19.100000 --> 0:09:22.240000 Now I'm going to add another artifact. 0:09:22.240000 --> 0:09:27.800000 This time I'm going to add a resource manager template. 0:09:27.800000 --> 0:09:34.680000 And as always demo partially because I forget exactly what's in this template 0:09:34.680000 --> 0:09:37.720000 that I defined specifically for this. 0:09:37.720000 --> 0:09:43.800000 All right, there's my deploy blueprint. 0:09:43.800000 --> 0:09:49.120000 JSON. And I am deploying a network security group. 0:09:49.120000 --> 0:09:52.300000 That's right. I knew that. 0:09:52.300000 --> 0:10:07.000000 There we go. And I'm going to add that. 0:10:07.000000 --> 0:10:10.080000 All right. And I'm being cavalier because it's just a demonstration. 0:10:10.080000 --> 0:10:14.280000 Clearly, of course, if you're doing this in your own enterprise, this 0:10:14.280000 --> 0:10:17.780000 is where you're going to be pretty careful, right? 0:10:17.780000 --> 0:10:23.960000 You're defining what this blueprint is really all about. 0:10:23.960000 --> 0:10:28.760000 What governance is this blueprint going to provide through policy, through 0:10:28.760000 --> 0:10:31.160000 role and through resource creation. 0:10:31.160000 --> 0:10:34.780000 All right. Now at this point, I am going to go ahead and save a draft 0:10:34.780000 --> 0:10:39.400000 of this blueprint. 0:10:39.400000 --> 0:10:45.560000 And. And. Takes a minute or two. 
0:10:45.560000 --> 0:10:47.300000 So I'm going to give it a minute or two. 0:10:47.300000 --> 0:10:48.560000 We'll come back. 0:10:48.560000 --> 0:10:53.480000 And once it's realized as it actually has this blueprint, we will pick 0:10:53.480000 --> 0:11:01.380000 this back up. All right. 0:11:01.380000 --> 0:11:03.820000 Now I can see my blueprint. 0:11:03.820000 --> 0:11:06.040000 Now I will tell you I cheated just a little bit. 0:11:06.040000 --> 0:11:13.920000 CNS, I had actually deployed this blueprint not to the subscription, but 0:11:13.920000 --> 0:11:18.220000 actually to the management group kind of switched over and set that as 0:11:18.220000 --> 0:11:22.700000 a scope. But now I've got my blueprint. 0:11:22.700000 --> 0:11:27.660000 And if I go into the blueprint, there's a few things that I can do. 0:11:27.660000 --> 0:11:29.440000 First of all, I can delete it. 0:11:29.440000 --> 0:11:32.380000 I can edit it or I can publish it. 0:11:32.380000 --> 0:11:33.500000 So I'm going to go ahead and publish the blueprint. 0:11:33.500000 --> 0:11:39.920000 I have to give it a version 1.0 and publish. 0:11:39.920000 --> 0:11:44.560000 That was relatively easy. 0:11:44.560000 --> 0:11:50.480000 Now that I've got a blueprint, I can assign the blueprint to a subscription. 0:11:50.480000 --> 0:11:54.740000 Right now, if I look, I have no subscription assignments, which you would 0:11:54.740000 --> 0:12:01.220000 expect. If I go back to my blueprint definitions and I go to my blueprint, 0:12:01.220000 --> 0:12:07.480000 okay, now that it has been published, I have the ability to assign it. 0:12:07.480000 --> 0:12:10.740000 I'm just going to click assign blueprint. 0:12:10.740000 --> 0:12:17.260000 I'm going to pick the subscription I want to assign it to, INE demonstrations. 0:12:17.260000 --> 0:12:19.340000 All right. Assignment name, good with that. 0:12:19.340000 --> 0:12:25.660000 Location, again, not shockingly, we'll go with East US blueprint definition. 
0:12:25.660000 --> 0:12:27.480000 Now this is pretty cool. 0:12:27.480000 --> 0:12:30.120000 Okay. I can lock the assignment. 0:12:30.120000 --> 0:12:32.880000 Okay. Right now it's not locked. 0:12:32.880000 --> 0:12:34.080000 The assignment is not locked. 0:12:34.080000 --> 0:12:37.680000 User groups and service principals can modify and delete. 0:12:37.680000 --> 0:12:40.280000 I can also just go ahead and apply a lock. 0:12:40.280000 --> 0:12:41.840000 Let's go ahead and do that. 0:12:41.840000 --> 0:12:47.860000 All right. This has a managed identity and it's showing me my resources. 0:12:47.860000 --> 0:12:51.740000 Notice I've got these grayed out boxes here. 0:12:51.740000 --> 0:12:57.300000 Those are the parameter values that I set automatically. 0:12:57.300000 --> 0:13:04.020000 Now I'm going to go ahead and assign this and it's going to start. 0:13:04.020000 --> 0:13:07.020000 Now the assignment takes a few minutes. 0:13:07.020000 --> 0:13:09.680000 So we'll wait for that assignment to complete and then we'll come back 0:13:09.680000 --> 0:13:13.720000 and we will check out the actual result. 0:13:13.720000 --> 0:13:16.900000 Now you may notice that it flashed up there and said blueprint assignment 0:13:16.900000 --> 0:13:21.600000 is complete. That is actually true, but the full processing of the blueprint 0:13:21.600000 --> 0:13:29.420000 is not complete yet. 0:13:29.420000 --> 0:13:33.040000 All right. Let's take a look at the assignment. 0:13:33.040000 --> 0:13:36.920000 Now the cool thing about the assignment is now you can notice the provision 0:13:36.920000 --> 0:13:38.820000 statement is succeeded. 0:13:38.820000 --> 0:13:45.920000 You can actually go and you can look at what has been provisioned. 0:13:45.920000 --> 0:13:48.260000 Right. So I've got a resource group. 0:13:48.260000 --> 0:13:51.460000 I've got a policy assignment and I've got a network security group. 0:13:51.460000 --> 0:13:55.880000 All right. 
So I've got a resource group which cannot be deleted. 0:13:55.880000 --> 0:13:59.800000 So let's take a look at that resource group. 0:13:59.800000 --> 0:14:07.800000 All right. There's my dim poll RG. 0:14:07.800000 --> 0:14:11.540000 Notice I've got my blueprint in SG. 0:14:11.540000 --> 0:14:15.660000 All right. Now the interesting thing is if I go to locks, I'm not seeing 0:14:15.660000 --> 0:14:17.520000 any resource locks. 0:14:17.520000 --> 0:14:23.880000 Right. But I go and also just trying to delete this. 0:14:23.880000 --> 0:14:37.760000 There you go. Cannot be deleted and it's going to tell me that it cannot 0:14:37.760000 --> 0:14:41.540000 be deleted because it was created by the blueprint assignment. 0:14:41.540000 --> 0:14:45.660000 So in order to delete this, I would have to first delete the blueprint 0:14:45.660000 --> 0:14:47.800000 assignment. And that's kind of interesting. 0:14:47.800000 --> 0:14:51.860000 Right. That is another level of control and a fairly important level of 0:14:51.860000 --> 0:14:58.140000 control is that ability to lock your blueprint assignment. 0:14:58.140000 --> 0:15:04.680000 And you know that that has serious implications in terms of the way that 0:15:04.680000 --> 0:15:06.000000 you can manage your subscriptions. 0:15:06.000000 --> 0:15:08.380000 And that's really what blueprints are. 0:15:08.380000 --> 0:15:12.400000 Again, the core components of blueprint being able to define resource 0:15:12.400000 --> 0:15:16.920000 groups and templates and policy assignments and role assignments is fairly 0:15:16.920000 --> 0:15:17.800000 straightforward. 0:15:17.800000 --> 0:15:21.200000 The way you implement it is where the complexity is going to come.