Govern multiple subscriptions by using Azure Blueprints

So far, you've explored a number of Azure features that can help you implement your governance decisions, monitor the compliance of your cloud resources, and control access and protect critical resources from accidental deletion.

What happens when your cloud environment starts to grow beyond just one subscription? How can you scale the configuration of these features, knowing they need to be enforced for resources in new subscriptions?

Instead of having to configure features like Azure Policy for each new subscription, with Azure Blueprints you can define a repeatable set of governance tools and standard Azure resources that your organization requires. In this way, development teams can rapidly build and deploy new environments with the knowledge that they're building within organizational compliance with a set of built-in components that speed the development and deployment phases.

Azure Blueprints orchestrates the deployment of various resource templates and other artifacts, such as:

  • Role assignments
  • Policy assignments
  • Azure Resource Manager templates
  • Resource groups

Azure Blueprints in action

When you form a cloud center of excellence team or a cloud custodian team, that team can use Azure Blueprints to scale their governance practices throughout the organization.

Implementing a blueprint in Azure Blueprints involves these three steps:

  1. Create an Azure blueprint.
  2. Assign the blueprint.
  3. Track the blueprint assignments.

With Azure Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. In other words, Azure creates a record that associates a resource with the blueprint that defines it. This connection helps you track and audit your deployments.

Blueprints are also versioned. Versioning enables you to track and comment on changes to your blueprint.

What are blueprint artifacts?

Each component in the blueprint definition is known as an artifact.

Artifacts can have no parameters. An example is the Deploy threat detection on SQL servers policy, which requires no further configuration.

Artifacts can also contain one or more parameters that you can configure. The following screenshot shows the Allowed locations policy. This policy includes a parameter that specifies the allowed locations.

A screenshot showing the Allowed locations policy. This policy includes a parameter that specifies the allowed locations.

You can specify a parameter's value when you create the blueprint definition or when you assign the blueprint definition to a scope. In this way, you can maintain one standard blueprint but have the flexibility to specify the relevant configuration parameters at each scope where the definition is assigned.

How will Tailwind Traders use Azure Blueprints for ISO 27001 compliance?

ISO 27001 is a standard that applies to the security of IT systems, published by the International Organization for Standardization. As part of its quality process, Tailwind Traders wants to certify that it complies with this standard. Azure Blueprints has several built-in blueprint definitions that relate to ISO 27001.

As an IT administrator, you decide to investigate the ISO 27001: Shared Services Blueprint definition. Here's an outline of your plan.

  1. Define a management group that's named PROD-MG.

    Recall that a management group manages access, policies, and compliance across multiple Azure subscriptions. Every new Azure subscription is added to this management group when the subscription is created.

  2. Create a blueprint definition that's based on the ISO 27001: Shared Services Blueprint template. Then publish the blueprint.

  3. Assign the blueprint to your PROD-MG management group.

The following image shows artifacts that are created when you run an ISO 27001 blueprint from a template.

Screenshot showing artifacts listed when you create an ISO 27001 blueprint from template.

You see that the blueprint template contains policy assignments, Resource Manager templates, and resource groups. The blueprint deploys these artifacts to any existing subscriptions within the PROD-MG management group. The blueprint also deploys these artifacts to any new subscriptions as they're created and added to the management group.