
Deploy a CAF Foundation blueprint in Azure

The CAF Foundation blueprint does not deploy a landing zone. Instead, it deploys the tools required to establish a governance MVP (minimum viable product) to begin developing your governance disciplines. This blueprint is designed to be additive to an existing landing zone and can be applied to the CAF Migration landing zone blueprint with a single action.

Deploy the blueprint

Before you use the CAF Foundation blueprint in the Cloud Adoption Framework, review the following design principles, assumptions, decisions, and implementation guidance. If this guidance aligns with the desired cloud adoption plan, the CAF Foundation blueprint can be deployed using the deployment steps.

Design principles

This implementation option provides an opinionated approach to the common design areas shared by all Azure landing zones. See the assumptions and decisions below for additional technical detail.

Deployment options

This implementation option deploys an MVP to serve as the foundation for your governance disciplines. The team will follow a modular refactoring-based approach to mature the governance disciplines using the Govern methodology.

Enterprise enrollment

This implementation option does not take an inherent position on enterprise enrollment. This approach is designed to be applicable to customers regardless of contractual agreements with Microsoft or Microsoft partners. Prior to deployment of this implementation option, it's assumed that the customer has already created a target subscription.


This implementation option assumes that the target subscription is already associated with an Azure Active Directory instance in accordance with identity management best practices.

Network topology and connectivity

This implementation option assumes the landing zone already has a defined network topology in accordance with network security best practices.

Resource organization

This implementation option demonstrates how Azure Policy can add some elements of resource organization through the application of tags. Specifically, a CostCenter tag will be appended to resources using Azure Policy.
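A custom policy definition that appends a CostCenter tag could look like the following. This is an added example, not the definition shipped in the blueprint; the display name and the `tagValue` parameter name are assumptions.

```json
{
  "properties": {
    "displayName": "Append CostCenter tag when missing (example)",
    "description": "Illustrative definition only; not taken from the CAF Foundation blueprint.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "CostCenter value",
          "description": "Value written to the CostCenter tag when a request does not supply one."
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "tags['CostCenter']",
        "exists": "false"
      },
      "then": {
        "effect": "append",
        "details": [
          {
            "field": "tags['CostCenter']",
            "value": "[parameters('tagValue')]"
          }
        ]
      }
    }
  }
}
```

The `append` effect acts only on create and update requests. Resources that already exist without the tag are reported as non-compliant but are not changed until they are next updated.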

The governance team should compare and contrast the elements of resource organization to be addressed by tagging versus those that should be addressed through subscription design. These fundamental decisions will inform resource organization as your cloud adoption plans progress.

To aid in this comparison early in adoption cycles, the following articles should be considered:

  • Initial Azure subscriptions: At this stage of adoption scale, does your operating model require two, three, or four subscriptions?
  • Scale subscriptions: As adoption scales, what criteria will be used to drive subscription scaling?
  • Organize subscriptions: How will you organize subscriptions as you scale?
  • Tagging standards: What other criteria need to be consistently captured in tags to augment your subscription design?

To aid in this comparison when teams are further along with cloud adoption, see the governance patterns section of the governance guide - prescriptive guidance article. This section of the prescriptive guidance demonstrates a set of patterns based on a specific narrative and operating model. That guidance also includes links to other patterns that should be considered.

Governance disciplines

This implementation demonstrates one approach to maturity in the Cost Management discipline of the Govern methodology. Specifically, it demonstrates how Azure Policy can be used to create an allow list of specific SKUs. Limiting the types and sizes of resources that can be deployed into a landing zone reduces the risk of overspending.
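An SKU allow list expressed as a policy definition could look like the following. This is an added example, not the blueprint's own artifact; it assumes virtual machines as the restricted resource type, and the display name and parameter name are illustrative.

```json
{
  "properties": {
    "displayName": "Allowed virtual machine SKUs (example)",
    "description": "Illustrative definition only; not taken from the CAF Foundation blueprint.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "listOfAllowedSKUs": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed SKUs",
          "description": "VM sizes that may be deployed; supplied when the policy is assigned."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "not": {
              "field": "Microsoft.Compute/virtualMachines/sku.name",
              "in": "[parameters('listOfAllowedSKUs')]"
            }
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

With the `deny` effect, a request to create or resize a VM to a size outside the list is rejected before the resource is deployed. The list itself is set per assignment, so each scope can carry its own allowed sizes.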

To accelerate parallel development of the other governance disciplines, review the Govern methodology. To continue maturing the Cost Management discipline of governance, see the Cost Management discipline guidance.


As the governance disciplines mature, refactoring may be required. Specifically, resources may later need to be moved to a new subscription or resource group.

Operations baseline

This implementation option does not implement any aspects of the operations baseline. In the absence of a defined operations baseline, this landing zone should not be used for any mission-critical workloads or sensitive data. It is assumed that this landing zone is being used for limited production deployment to initiate learning, iteration, and development of the overall operating model in parallel to these early-stage migration efforts.

To accelerate parallel development of an operations baseline, review the Manage methodology and consider deploying the Azure server management guide.


As the operations baseline is developed, refactoring may be required. Specifically, resources may later need to be moved to a new subscription or resource group.

Business continuity and disaster recovery (BCDR)

This implementation option does not implement any BCDR solution. It is assumed that the solution for protection and recovery will be addressed by the development of the operations baseline.


This initial blueprint assumes that the team is committed to maturing governance capabilities in parallel to the initial cloud migration efforts. If these assumptions align with your constraints, you can use the blueprint to begin the process of developing governance maturity.

  • Compliance: No third-party compliance requirements are needed in this landing zone.
  • Limited production scope: This landing zone could potentially host production workloads. It is not a suitable environment for sensitive data or mission-critical workloads.

If these assumptions align with your current adoption needs, then this blueprint might be a starting point for building your landing zone.

Customize or deploy this blueprint

Learn more and download a reference sample of the CAF Foundation blueprint for deployment or customization from the Azure blueprint samples.

Next steps

After deploying your first landing zone, you're ready to expand your landing zone.