Governance guide for complex enterprises

Overview of best practices

This governance guide follows the experiences of a fictional company through various stages of governance maturity. It's based on real customer experiences. The suggested best practices are based on the constraints and needs of the fictional company.

As a quick starting point, this overview defines a minimum viable product (MVP) for governance based on best practices. It also provides links to some governance improvements that add further best practices as new business or technical risks emerge.

Warning

This MVP is a baseline starting point, based on a set of assumptions. Even this minimal set of best practices is based on corporate policies that are driven by unique business risks and risk tolerances. To see whether these assumptions apply to you, read the longer narrative that follows this article.

Governance best practices

These best practices serve as a foundation for an organization to quickly and consistently add governance guardrails across multiple Azure subscriptions.

Resource organization

The following diagram shows the governance MVP hierarchy for organizing resources.

[Diagram: resource organization]

Every application should be deployed in the proper area of the management group, subscription, and resource group hierarchy. During deployment planning, the cloud governance team will create the necessary nodes in the hierarchy to empower the cloud adoption teams.

  1. Define a management group for each business unit with a detailed hierarchy that reflects geography first, then environment type (for example, production or nonproduction environments).

  2. Create a production subscription and a nonproduction subscription for each unique combination of discrete business unit or geography. Creating multiple subscriptions requires careful consideration. For more information, see the subscription decision guide.

  3. Apply consistent nomenclature at each level of this grouping hierarchy.

  4. Resource groups should be deployed in a manner that considers the lifecycle of their contents. Resources that are developed together, managed together, and retired together belong in the same resource group. For more information about best practices for using resource groups, see the resource consistency decision guide.

  5. Region selection is critically important and must be considered so that networking, monitoring, and auditing are in place for failover and failback, and so that the SKUs you need are confirmed to be available in the preferred regions.

[Diagram: resource organization for a large enterprise]

These patterns provide room for growth without making the hierarchy needlessly complicated.

Note

In the event of changes to your business requirements, Azure management groups allow you to easily reorganize your management hierarchy and subscription group assignments. However, keep in mind that policy and role assignments applied to a management group are inherited by all subscriptions underneath that group in the hierarchy. If you plan to reassign subscriptions between management groups, make sure that you are aware of any policy and role assignment changes that may result. See the Azure management groups documentation for more information.

Governance of resources

A set of global policies and RBAC roles will provide a baseline level of governance enforcement. To meet the cloud governance team's policy requirements, implementing the governance MVP requires completing the following tasks:

  1. Identify the Azure Policy definitions needed to enforce business requirements. This might include using built-in definitions and creating new custom definitions. To keep up with the pace of newly released built-in definitions, there's an Atom feed of all the commits for built-in policies, which you can use as an RSS feed. Alternatively, you can check AzAdvertizer.
  2. Create a blueprint definition using these built-in and custom policies and the role assignments required by the governance MVP.
  3. Apply policies and configuration globally by assigning the blueprint definition to all subscriptions.

Identify policy definitions

Azure provides several built-in policy and role definitions that you can assign to any management group, subscription, or resource group. Many common governance requirements can be handled using built-in definitions. However, it's likely that you will also need to create custom policy definitions to handle your specific requirements.

Custom policy definitions are saved to either a management group or a subscription and are inherited through the management group hierarchy. If a policy definition's save location is a management group, that policy definition is available to assign to any of that group's child management groups or subscriptions.

Since the policies required to support the governance MVP are meant to apply to all current subscriptions, the following business requirements will be implemented using a combination of built-in definitions and custom definitions created in the root management group:

  1. Restrict the list of available role assignments to a set of built-in Azure roles authorized by your cloud governance team. This requires a custom policy definition.
  2. Require the following tags on all resources: Department/Billing Unit, Geography, Data Classification, Criticality, SLA, Environment, Application Archetype, Application, and Application Owner. This can be handled using the Require specified tag built-in definition.
  3. Require that the Application tag on resources matches the name of the relevant resource group. This can be handled using the "Require tag and its value" built-in definition.

For information on defining custom policies, see the Azure Policy documentation. For guidance and examples of custom policies, consult the Azure Policy samples site and the associated GitHub repository.
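As an added example (not code from the original guide or from Microsoft), the following Python builds the two policy rules the list above describes, the custom "authorized role assignments" rule and a rule in the shape of the Require specified tag built-in, and evaluates constructed sample resources against them offline with a small evaluator for the handful of Azure Policy condition operators those rules use. The role GUIDs are the well-known built-in values and the subscription id is a placeholder; the evaluator is a simplification of the real Azure Policy engine, not a substitute for it.

```python
import re

# Well-known built-in role definition GUIDs (assumption: verify in your tenant)
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24f"
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"

def allowed_roles_policy(allowed_guids):
    """Custom policy rule (Azure Policy JSON shape): deny a role assignment
    unless its roleDefinitionId ends with one of the authorized role GUIDs."""
    return {"if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Authorization/roleAssignments"},
                {"not": {"anyOf": [
                    {"field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
                     "like": f"*/{g}"} for g in allowed_guids]}}]},
            "then": {"effect": "deny"}}

def required_tag_policy(tag_name):
    """Same shape as the 'Require specified tag' built-in: deny when the tag is absent."""
    return {"if": {"field": f"tags['{tag_name}']", "exists": "false"},
            "then": {"effect": "deny"}}

def _field(resource, name):
    """Resolve 'type', tags['X'] and property aliases on a resource dict."""
    if name == "type":
        return resource.get("type")
    if name.startswith("tags['"):
        return resource.get("tags", {}).get(name[6:-2])
    return resource.get("properties", {}).get(name.rsplit("/", 1)[-1])

def matches(cond, resource):
    """Evaluate the subset of Azure Policy condition syntax used above."""
    if "allOf" in cond: return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond: return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:   return not matches(cond["not"], resource)
    value = _field(resource, cond["field"])
    if "equals" in cond: return value == cond["equals"]
    if "exists" in cond: return (value is not None) == (cond["exists"] == "true")
    if "like" in cond:   # '*' is the only wildcard in Azure Policy 'like'
        pattern = "^" + re.escape(cond["like"]).replace(r"\*", ".*") + "$"
        return value is not None and re.match(pattern, value) is not None
    raise ValueError(f"unsupported condition: {cond}")

def effect_for(policy, resource):
    return policy["then"]["effect"] if matches(policy["if"], resource) else "allow"

def role_assignment(role_guid):  # constructed sample; subscription id is a placeholder
    return {"type": "Microsoft.Authorization/roleAssignments",
            "properties": {"roleDefinitionId": "/subscriptions/<sub-id>/providers/"
                           f"Microsoft.Authorization/roleDefinitions/{role_guid}"}}
```

The `if` blocks are what you would paste into a custom policy definition's `policyRule`; the evaluator lets you sanity-check the rule logic before assigning it at the root management group, where a mistake would be inherited by every subscription.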

Assign Azure Policy and RBAC roles using Azure Blueprints

Azure policies can be assigned at the resource group, subscription, and management group level, and can be included in Azure Blueprints definitions. Although the policy requirements defined in this governance MVP apply to all current subscriptions, it's very likely that future deployments will require exceptions or alternative policies. As a result, assigning policy using management groups, with all child subscriptions inheriting these assignments, may not be flexible enough to support these scenarios.

Azure Blueprints allows consistent assignment of policy and roles, application of Resource Manager templates, and deployment of resource groups across multiple subscriptions. Like policy definitions, blueprint definitions are saved to management groups or subscriptions, and they are available through inheritance to any children in the management group hierarchy.

The cloud governance team has decided that enforcement of required Azure Policy and RBAC assignments across subscriptions will be implemented through Azure Blueprints and associated artifacts:

  1. In the root management group, create a blueprint definition named governance-baseline.
  2. Add the following blueprint artifacts to the blueprint definition:
    1. Policy assignments for the custom Azure Policy definitions defined at the management group root.
    2. Resource group definitions for any groups required in subscriptions created or governed by the governance MVP.
    3. Standard role assignments required in subscriptions created or governed by the governance MVP.
  3. Publish the blueprint definition.
  4. Assign the governance-baseline blueprint definition to all subscriptions.

See the Azure Blueprints documentation for more information on creating and using blueprint definitions.

Secure hybrid VNet

Specific subscriptions often require some level of access to on-premises resources. This is common in migration scenarios or dev scenarios where dependent resources reside in the on-premises datacenter.

Until trust in the cloud environment is fully established, it's important to tightly control and monitor any allowed communication between the on-premises environment and cloud workloads, and to ensure that the on-premises network is secured against potential unauthorized access from cloud-based resources. To support these scenarios, the governance MVP adds the following best practices:

  1. Establish a cloud secure hybrid VNet.
    1. The VPN reference architecture establishes a pattern and deployment model for creating a VPN Gateway in Azure.
    2. Validate that on-premises security and traffic management mechanisms treat connected cloud networks as untrusted. Resources and services hosted in the cloud should only have access to authorized on-premises services.
    3. Validate that the local edge device in the on-premises datacenter is compatible with Azure VPN Gateway requirements and is configured to access the public internet.
    4. Note that VPN tunnels should not be considered production-ready circuits for anything but the most simple workloads. Anything beyond a few simple workloads requiring on-premises connectivity should use Azure ExpressRoute.
  2. In the root management group, create a second blueprint definition named secure-hybrid-vnet.
    1. Add the Resource Manager template for the VPN Gateway as an artifact to the blueprint definition.
    2. Add the Resource Manager template for the virtual network as an artifact to the blueprint definition.
    3. Publish the blueprint definition.
  3. Assign the secure-hybrid-vnet blueprint definition to any subscriptions requiring on-premises connectivity. This definition should be assigned in addition to the governance-baseline blueprint definition.

One of the biggest concerns raised by IT security and traditional governance teams is the risk that early-stage cloud adoption will compromise existing assets. The above approach allows cloud adoption teams to build and migrate hybrid solutions with reduced risk to on-premises assets. As trust in the cloud environment increases, later evolutions may remove this temporary solution.

Note

The above is a starting point to quickly create a baseline governance MVP. This is only the beginning of the governance journey. Further evolution will be needed as the company continues to adopt the cloud and takes on more risk in the following areas:

  • Mission-critical workloads
  • Protected data
  • Cost management
  • Multicloud scenarios

Moreover, the specific details of this MVP are based on the example journey of a fictional company, described in the articles that follow. We highly recommend becoming familiar with the other articles in this series before implementing this best practice.

Incremental governance improvements

Once this MVP has been deployed, additional layers of governance can be quickly incorporated into the environment. Here are some ways to improve the MVP to meet specific business needs:

What does this guidance provide?

In the MVP, practices and tools from the Deployment Acceleration discipline are established to quickly apply corporate policy. In particular, the MVP uses Azure Blueprints, Azure Policy, and Azure management groups to apply a few basic corporate policies, as defined in the narrative for this fictional company. Those corporate policies are applied using Azure Resource Manager templates and Azure policies to establish a small baseline for identity and security.

[Diagram: example of an incremental governance MVP]

Incremental improvements to governance practices

Over time, this governance MVP will be used to incrementally improve governance practices. As adoption advances, business risk grows. Various disciplines within the Cloud Adoption Framework governance model will adapt to manage those risks. Later articles in this series discuss the changes in corporate policy affecting the fictional company. These changes happen across four disciplines:

  • The Identity Baseline discipline, as migration dependencies change in the narrative.
  • The Cost Management discipline, as adoption scales.
  • The Security Baseline discipline, as protected data is deployed.
  • The Resource Consistency discipline, as IT operations begins supporting mission-critical workloads.

[Diagram: incremental improvements to governance practices]

Next steps

Now that you're familiar with the governance MVP and the forthcoming governance changes, read the supporting narrative for additional context.