The road to the cloud is actually simple: create an account in the Azure portal, deposit the credit card data, and all available Azure resources can be rolled out. This may be a possible (though not recommended) way to go for test environments. For productive workloads, whether cloud-only or hybrid, rules are necessary and useful: to structure the environment, to avoid cost explosions, and to protect it.
Such guidelines and rules can be created and defined in a governance concept. Simple questions, such as a central naming scheme for Azure services, the design of the networks, or the maximum allowed VM sizes, can be settled there. A governance concept is intended for the entire tenant and is therefore valid across all subscriptions. Subscriptions are suitable for mapping different cost centers or defining project boundaries.
Previously, it was not easy to specify central settings for new subscriptions. This has changed with the introduction of Azure Blueprints. Azure Blueprints can be used to specify the central settings that are applied when a new subscription is rolled out. To use Azure Blueprints, management groups are required. Management groups make it possible to structure the Azure tenant from an organizational point of view.
This two-part article will first explain the necessary management groups as prerequisites of Azure Blueprints and then introduce the possibilities of Azure Blueprints and their rollout.
An Azure Blueprint can currently contain four different artifacts:
- Policy Assignment (Azure Policy)
- ARM templates
- Role Assignment (RBAC)
- Resource Groups
Azure Blueprints are managed and replicated by Microsoft through Cosmos DB. To provide Azure blueprints in your own tenant, management groups are necessary. The blueprints are stored and saved within the management groups.
Management groups exist at tenant level and allow a hierarchy comparable to a company hierarchy. In this way, different departments can be created below a root management group, and particular subscriptions can be assigned to them. For example, the organizational structure of the company is mapped and the subscriptions are assigned to the respective management groups as cost centers. Other models can also be mapped, e.g. management groups by location or by development phase (Dev, Prestage, Prod).
Within the management groups, you can define Azure policies that apply to all resources assigned to the management group. Also, an Azure blueprint is stored here. As soon as a new subscription is created and assigned to a corresponding management group that contains a blueprint, the predefined artifacts of the blueprint are applied to the newly created subscription.
Create Management Group
To create a management group, we search for “Management Group” in the search box and go to the corresponding administration page.
At first we do not see any management groups on the administration page.
Using the “Start using management groups” button, we create our first management group in the tenant. The name and the ID are freely selectable, but the ID must be unique and cannot be changed after the group has been created. For productive environments, I recommend planning a hierarchy of management groups at this point and giving them a consistent naming scheme.
It is important to understand that when the first group is created, another group, the so-called Tenant Root Group, is created as well. The newly created group and all existing subscriptions are subordinated to this root management group. The root management group is not easily accessible: even the tenant administrator must first be granted elevated privileges in Azure AD before changes can be made to it.
As soon as the first management group is created in the portal, the existing subscriptions are also displayed and assigned as sub-objects to the tenant root group mentioned above. After the process completes, the management group with its associated subscriptions appears on the administration page.
After further, self-defined management groups have been created, the existing subscriptions can be assigned to the corresponding groups. For this purpose, the intended management group is selected and a subscription is assigned to it via “Add Subscription”. In this way, for example, the existing cost centers of the company can be mapped onto the hierarchical structure of the management groups.
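The same hierarchy, built with the Azure CLI instead of the portal, as an added example that is not part of the original article. It assumes a `<company>-<department>-<stage>` naming scheme, a constructed company name `contoso`, and a placeholder subscription ID; with `DRY_RUN=1` (the default) it only prints the `az` commands so the planned hierarchy can be reviewed before it touches a tenant.

```shell
#!/usr/bin/env bash
# Added example, not code from the article: create a management-group hierarchy
# with the Azure CLI. Assumed naming scheme: <company>-<department>-<stage>.
DRY_RUN="${DRY_RUN:-1}"         # 1 = only print the az commands
COMPANY="${COMPANY:-contoso}"   # constructed sample company name
# Derive the management-group ID from the scheme; IDs cannot be changed later.
mg_id() {                       # mg_id <department> [stage]
    if [ -n "$2" ]; then printf '%s-%s-%s\n' "$COMPANY" "$1" "$2"
    else printf '%s-%s\n' "$COMPANY" "$1"; fi
}
# Our own stricter convention: lowercase letters, digits and hyphens, no leading
# or trailing hyphen, at most 90 characters (Azure itself allows more characters).
validate_mg_id() {
    case "$1" in
        ""|-*|*-|*[!a-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 90 ]
}
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }
# Create a group; without --parent it lands directly under the Tenant Root Group.
ensure_mg() {                   # ensure_mg <id> <display name> [parent id]
    validate_mg_id "$1" || { echo "invalid management group id: $1" >&2; return 1; }
    if [ -n "$3" ]; then
        run az account management-group create --name "$1" --display-name "$2" --parent "$3"
    else
        run az account management-group create --name "$1" --display-name "$2"
    fi
}
# Move an existing subscription under a group (the "Add Subscription" step).
assign_subscription() {         # assign_subscription <mg id> <subscription id>
    run az account management-group subscription add --name "$1" --subscription "$2"
}
# Constructed hierarchy: departments as cost centres, stages beneath each department.
build_hierarchy() {
    ensure_mg "$(mg_id corp)" "Contoso Corporate"
    for dept in finance research; do
        ensure_mg "$(mg_id "$dept")" "Contoso $dept" "$(mg_id corp)"
        for stage in dev prod; do
            ensure_mg "$(mg_id "$dept" "$stage")" "Contoso $dept $stage" "$(mg_id "$dept")"
        done
    done
    # Placeholder subscription ID: replace with a real one from `az account list`.
    assign_subscription "$(mg_id finance prod)" "00000000-0000-0000-0000-000000000000"
}
build_hierarchy
```

Run with `DRY_RUN=0` after `az login` to apply the plan; the validation step rejects any ID that does not follow the scheme before a command is issued.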
This concludes the first part of the article. Next, I’ll talk about the possibilities of Azure blueprints, how to create them, and what happens during the rollout.
About the Author:
Gregor works for sepago GmbH as a Cloud Architect for Azure. Before joining sepago, he worked as a cloud and infrastructure architect with a main focus on Microsoft technologies.
In October 2018 he was honored with his first MVP award for Azure.
Gregor can mostly be found as a speaker at many community conferences, blogs regularly at www.reimling.eu, and organizes the Azure Bonn Meetup, a local Azure user group near Cologne.
Reimling, G. (2019). Azure Management Groups and Blueprints – Overview and Setup – Part 1. Available at: http://www.reimling.eu/2019/04/azure-management-groups-und-blueprints-ueberblick-und-einrichtung-teil-2/ [Accessed: 14th May 2019].