
Governance guide for complex enterprises: Multicloud improvement

Advancing the narrative

Microsoft recognizes that customers may adopt multiple clouds for specific purposes. The fictional company in this guide is no exception. In parallel with their Azure adoption journey, business success has led to the acquisition of a small but complementary business. That business is running all of its IT operations on a different cloud provider.

This article describes how things change when integrating the new organization. For purposes of the narrative, we assume this company has completed each of the governance iterations outlined in this governance guide.

Changes in the current state

In the previous phase of this narrative, the company had begun to implement cost controls and cost monitoring, as cloud spending becomes part of the company's regular operating expenses.

Since then, some things have changed that will affect governance:

  • Identity is controlled by an on-premises instance of Active Directory. Hybrid identity is facilitated through replication to Azure Active Directory.
  • IT operations or cloud operations are largely managed by Azure Monitor and related automation capabilities.
  • Business continuity and disaster recovery (BCDR) is controlled by Azure Recovery Services vaults.
  • Azure Security Center is used to monitor security violations and attacks.
  • Azure Security Center and Azure Monitor are both used to monitor governance of the cloud.
  • Azure Blueprints, Azure Policy, and management groups are used to automate compliance with policy.

Incrementally improve the future state

The goal is to integrate the acquired company into existing operations wherever possible.

Changes in tangible risks

Business acquisition cost: Acquisition of the new business is estimated to become profitable in approximately five years. Because of the slow rate of return, the board wants to control acquisition costs as much as possible. There is a risk of cost control and technical integration conflicting with one another.

This business risk can be expanded into a few technical risks:

  • There is a risk of cloud migration producing additional acquisition costs.
  • There is also a risk of the new environment not being properly governed or resulting in policy violations.

Incremental improvement of the policy statements

The following changes to policy will help remediate the new risks and guide implementation.

  • All assets in a secondary cloud must be monitored through existing operational management and security monitoring tools.
  • All organizational units must be integrated into the existing identity provider.
  • The primary identity provider should govern authentication to assets in the secondary cloud.

Incremental improvement of best practices

This section of the article improves the governance MVP design to include new Azure policies and an implementation of Azure Cost Management + Billing. Together, these two design changes will fulfill the new corporate policy statements.

  1. Connect the networks. Executed by networking and IT security, supported by governance.
    1. Adding a connection from the MPLS or leased-line provider to the new cloud will integrate the networks. Adding routing tables and firewall configurations will control access and traffic between the environments.
  2. Consolidate identity providers. Depending on the workloads being hosted in the secondary cloud, there are a variety of options for identity provider consolidation. The following are a few examples:
    1. For applications that authenticate using OAuth 2, users in the Active Directory in the secondary cloud could simply be replicated to the existing Azure AD tenant.
    2. On the other extreme, federation between the two on-premises identity providers would allow users from the new Active Directory domains to be replicated to Azure.
  3. Add assets to Azure Site Recovery.
    1. Azure Site Recovery was built as a hybrid and multicloud tool from the beginning.
    2. Virtual machines in the secondary cloud might be protectable by the same Azure Site Recovery processes used to protect on-premises assets.
  4. Add assets to Azure Cost Management + Billing.
    1. Azure Cost Management + Billing was built as a multicloud tool from the beginning.
    2. Virtual machines in the secondary cloud might be compatible with Azure Cost Management + Billing for some cloud providers. Additional costs may apply.
  5. Add assets to Azure Monitor.
    1. Azure Monitor was built as a hybrid cloud tool from the beginning.
    2. Virtual machines in the secondary cloud might be compatible with Azure Monitor agents, allowing them to be included in Azure Monitor for operational monitoring.
  6. Governance enforcement tools.
    1. Governance enforcement is cloud-specific.
    2. The corporate policies established in the governance guide are not cloud-specific. While the implementation may vary from cloud to cloud, the policy statements can be applied to the secondary provider.

Multicloud adoption should be contained to where it's required based on technical needs or specific business requirements. As multicloud adoption grows, so do complexity and security risk.

Next steps

In many large enterprises, the Five Disciplines of Cloud Governance can be blockers to adoption. The next article has some additional thoughts on making governance a team sport to help ensure long-term success in the cloud.