
Central IT team functions

As cloud adoption scales, cloud governance functions alone may not be sufficient to govern adoption efforts. When adoption is gradual, teams tend to organically develop the skills and processes needed to be ready for the cloud over time.

But when one cloud adoption team uses the cloud to achieve a high-profile business outcome, gradual adoption is seldom the case. Success follows success. This is also true for cloud adoption, but it happens at cloud scale. When cloud adoption expands from one team to multiple teams relatively quickly, additional support from existing IT staff is needed. But those staff members may lack the training and experience required to support the cloud using cloud-native IT tools. This often drives the formation of a central IT team governing the cloud.


While this is a common maturity step, it can present a high risk to adoption, potentially blocking innovation and migration efforts if not managed effectively. See the risk section below to learn how to mitigate the risk of centralization becoming a cultural antipattern.

The skills needed to provide centralized IT functions could be provided by:

  • An existing central IT team
  • Enterprise architects
  • IT operations
  • IT governance
  • IT infrastructure
  • Networking
  • Identity
  • Virtualization
  • Business continuity and disaster recovery
  • Application owners within IT

Centralized IT should only be applied in the cloud when existing delivery on-premises is based on a central IT team model. If the current on-premises model is based on delegated control, consider a cloud center of excellence (CCoE) approach for a more cloud-compatible alternative.

Key responsibilities

Adapt existing IT practices to ensure adoption efforts result in well-governed, well-managed environments in the cloud.

The following tasks are typically executed regularly:

Strategic tasks

Technical tasks

  • Build and maintain the cloud platform to support solutions.
  • Define and implement the platform architecture.
  • Operate and manage the cloud platform.
  • Continuously improve the platform.
  • Keep up with new innovations in the cloud platform.
  • Deliver new cloud functionality to support business value creation.
  • Suggest self-service solutions.
  • Ensure that solutions meet existing governance and compliance requirements.
  • Create and validate deployment of platform architecture.
  • Review release plans for sources of new platform requirements.

Meeting cadence

Central IT team expertise usually comes from a working team. Expect participants to commit much of their daily schedules to alignment efforts. Contributions aren't limited to meetings and feedback cycles.

Central IT team risks

Each of the cloud functions and phases of organizational maturity are prefixed with the word "cloud". The central IT team is the only exception. Centralized IT became prevalent when all IT assets could be housed in few locations, managed by a small number of teams, and controlled through a single operations management platform. Global business practices and the digital economy have largely reduced the instances of those centrally managed environments.

In the modern view of IT, assets are globally distributed. Responsibilities are delegated. Operations management is delivered by a mixture of internal staff, managed service providers, and cloud providers. In the digital economy, IT management practices are transitioning to a model of self-service and delegated control with clear guardrails to enforce governance. A central IT team can be a valuable contributor to cloud adoption by becoming a cloud broker and a partner for innovation and business agility.

A central IT team is well positioned to take valuable knowledge and practices from existing on-premises models and apply those practices to cloud delivery. But this process requires change. New processes, new skills, and new tools are required to support cloud adoption at scale. When a central IT team adapts, it becomes an important partner in cloud adoption efforts. But if the central IT team doesn't adapt to the cloud, or attempts to use the cloud as a catalyst for tight-grain controls, it quickly becomes a blocker to adoption, innovation, and migration.

The measures of this risk are speed and flexibility. The cloud simplifies adopting new technologies quickly. When new cloud functionality can be deployed within minutes, but the reviews by the central IT team add weeks or months to the deployment process, then these centralized processes become a major impediment to business success. When this indicator is encountered, consider alternative strategies to IT delivery.

Many industries require rigid adherence to third-party compliance. Some compliance requirements still demand centralized IT control. Delivering on these compliance measures can add time to deployment processes, especially for new technologies that haven't been used broadly. In these scenarios, expect delays in deployment during the early stages of adoption. Similar situations may exist for companies that deal with sensitive customer data, but may not be governed by a third-party compliance requirement.

Operate within the exceptions

When centralized IT processes are required and those processes create appropriate checkpoints in adoption of new technologies, these innovation checkpoints can still be addressed quickly. Governance and compliance requirements are designed to protect those things that are sensitive, not to protect everything. The cloud provides simple mechanisms for acquiring and deploying isolated resources while maintaining proper guardrails.

A mature central IT team maintains necessary protections but negotiates practices that still enable innovation. Demonstrating this level of maturity depends on proper classification and isolation of resources.

Example narrative of operating within exceptions to empower adoption

This example narrative illustrates the approach taken by a mature central IT team at the fictional company Contoso to empower adoption.

Contoso has adopted a central IT team model for the support of the business's cloud resources. To deliver this model, they have implemented tight controls for various shared services such as ingress network connections. This wise move reduced the exposure of their cloud environment and provided a single "break-glass" device to block all traffic if a breach occurs. Their Security Baseline policies state that all ingress traffic must come through a shared device managed by the central IT team.

But one of their cloud adoption teams now requires an environment with a dedicated and specially configured ingress network connection to use a specific cloud technology. An immature central IT team would simply refuse the request and prioritize its existing processes over adoption needs. Contoso's central IT team is different. They quickly identified a simple four-part solution to this dilemma:

  1. Classification: Since the cloud adoption team was in the early stages of building a new solution and didn't have any sensitive data or mission-critical support needs, the assets in the environment were classified as low risk and noncritical. Effective classification is a sign of maturity in a central IT team. Classifying all assets and environments allows for clearer policies.
  2. Negotiation: Classification alone isn't sufficient. Shared services were implemented to consistently operate sensitive and mission-critical assets. Changing the rules would compromise governance and compliance policies designed for the assets that need more protection. Empowering adoption can't happen at the cost of stability, security, or governance. This led to a negotiation with the adoption team to answer specific questions. Could a business-led DevOps team provide operations management for this environment? Would this solution require direct access to other internal resources? If the cloud adoption team is comfortable with those tradeoffs, then the ingress traffic might be possible.
  3. Isolation: Since the business can provide its own ongoing operations management, and since the solution doesn't rely on direct traffic to other internal assets, it can be cordoned off in a new subscription. That subscription is also added to a separate node of the new management group hierarchy.
  4. Automation: Another sign of maturity in this team is their automation principles. The team uses Azure Policy to automate policy enforcement. They also use Azure Blueprints to automate deployment of common platform components and enforce adherence to the defined identity baseline. For this subscription and any others in the new management group, the policies and templates are slightly different. Policies blocking ingress bandwidth have been lifted. They have been replaced by requirements to route traffic through the shared services subscription, like any ingress traffic, to enforce traffic isolation. Since the on-premises operations management tooling can't access this subscription, agents for that tool are no longer required either. All other governance guardrails required by other subscriptions in the management group hierarchy are still enforced, ensuring sufficient guardrails.
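The four-part solution above comes down to three kinds of policy assignment on the management group hierarchy: a classification requirement assigned at the root so it reaches everything, a tight control (the ingress block) assigned only to the existing node, and a replacement guardrail (route through the shared services subscription) assigned to the separate node that holds the new subscription. The following Python script is an added example, not Microsoft's or Contoso's code and not Azure's policy engine: it models that inheritance with a small evaluator for a subset of the Azure Policy rule schema (if/then, field, equals, exists, allOf, anyOf, not). The hierarchy, scope and assignment names, the route-table ID, and the simplified field paths (real Azure Policy addresses properties through alias strings) are all constructed assumptions.

```python
"""Simplified model of how Azure Policy assignments on a management group
hierarchy combine. Added illustration: the rule grammar follows the Azure
Policy definition schema, but the evaluator, hierarchy, names, field paths
and resource IDs below are constructed, not Azure's real engine or aliases."""
from typing import Any

# Constructed hierarchy: child -> parent (None marks the tenant root).
# sub-sandbox hangs off its own node, as in the Contoso narrative.
HIERARCHY = {
    "tenant-root": None,
    "mg-corp": "tenant-root",
    "mg-innovation": "tenant-root",
    "sub-prod": "mg-corp",
    "sub-sandbox": "mg-innovation",
}

HUB_ROUTE_TABLE_ID = "/subscriptions/sub-shared/routeTables/rt-hub"  # constructed

# Policy definitions (Azure Policy rule subset; field paths simplified).
REQUIRE_CLASSIFICATION = {  # classification step: every asset must be labelled
    "if": {"field": "tags['dataClassification']", "exists": "false"},
    "then": {"effect": "audit"},
}
DENY_PUBLIC_IP = {  # the tight ingress control kept for the corp tree
    "if": {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
    "then": {"effect": "deny"},
}
REQUIRE_HUB_ROUTE = {  # replacement guardrail for the isolated node
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Network/virtualNetworks/subnets"},
        {"not": {"field": "routeTable.id", "equals": HUB_ROUTE_TABLE_ID}},
    ]},
    "then": {"effect": "deny"},
}

# Assignments by scope; a resource inherits every assignment above it.
ASSIGNMENTS = {
    "tenant-root": {"require-classification": REQUIRE_CLASSIFICATION},
    "mg-corp": {"deny-public-ip": DENY_PUBLIC_IP},
    "mg-innovation": {"require-hub-route": REQUIRE_HUB_ROUTE},
}


def _field(resource: dict, path: str) -> Any:
    """Resolve 'type', "tags['x']" or a dotted property path; None if absent."""
    if path.startswith("tags[") and path.endswith("]"):
        return resource.get("tags", {}).get(path[5:-1].strip("'\""))
    value: Any = resource
    for part in path.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def _matches(cond: dict, resource: dict) -> bool:
    """Evaluate one condition from a policy rule's 'if' block."""
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource)
    value = _field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "exists" in cond:  # Azure writes the flag as the string "true"/"false"
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def scope_chain(scope: str) -> list:
    """The scope followed by each ancestor up to the tenant root."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = HIERARCHY[scope]
    return chain


def evaluate(resource: dict, subscription: str, assignments=ASSIGNMENTS) -> list:
    """(assignment name, effect) for every inherited policy whose rule fires."""
    fired = []
    for scope in scope_chain(subscription):
        for name, policy in assignments.get(scope, {}).items():
            if _matches(policy["if"], resource):
                fired.append((name, policy["then"]["effect"]))
    return fired


def is_allowed(resource: dict, subscription: str, assignments=ASSIGNMENTS) -> bool:
    """Only a 'deny' blocks the deployment; 'audit' just records a finding."""
    return all(effect != "deny" for _, effect in evaluate(resource, subscription, assignments))


# Constructed sample resources.
PUBLIC_IP = {"type": "Microsoft.Network/publicIPAddresses", "name": "pip-ingress",
             "tags": {"dataClassification": "low"}}
UNTAGGED_IP = {"type": "Microsoft.Network/publicIPAddresses", "name": "pip-untagged"}
UNROUTED_SUBNET = {"type": "Microsoft.Network/virtualNetworks/subnets", "name": "snet-app",
                   "tags": {"dataClassification": "low"}}
ROUTED_SUBNET = dict(UNROUTED_SUBNET, routeTable={"id": HUB_ROUTE_TABLE_ID})

if __name__ == "__main__":
    for label, res, sub in [("public IP in prod", PUBLIC_IP, "sub-prod"),
                            ("public IP in sandbox", PUBLIC_IP, "sub-sandbox"),
                            ("untagged IP in sandbox", UNTAGGED_IP, "sub-sandbox"),
                            ("unrouted subnet in sandbox", UNROUTED_SUBNET, "sub-sandbox"),
                            ("hub-routed subnet in sandbox", ROUTED_SUBNET, "sub-sandbox")]:
        print(f"{label}: allowed={is_allowed(res, sub)} fired={evaluate(res, sub)}")
```

Running the script prints, for each sample resource, whether the deployment would be blocked and which assignments fired. The narrative's point shows up in the sandbox cases: lifting the public-IP deny on the separate node removes that one control only, because the require-hub-route assignment on the same node still denies any subnet that is not routed through the shared services subscription, and the root-level classification audit still reaches every subscription in the hierarchy.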

The mature creative approach of Contoso's central IT team provided a solution that didn't compromise governance or compliance, but still encouraged adoption. This approach of brokering rather than owning cloud-native approaches to centralized IT is the first step toward building a cloud center of excellence (CCoE). Adopting this approach to quickly evolve existing policies will allow for centralized control when required and governance guardrails when more flexibility is acceptable. Balancing these two considerations mitigates the risks associated with centralized IT in the cloud.

Next steps

  • As a central IT team matures its cloud capabilities, the next maturity step is typically looser coupling of cloud operations. The availability of cloud-native operations management tooling and lower operating costs for PaaS-first solutions often lead to business teams (or more specifically, DevOps teams within the business) assuming responsibility for cloud operations.

Learn more about: