What are Azure Blueprints? How can they help with compliance?
Microsoft Azure offers tonnes of resources for building end-to-end applications in the cloud. For a cloud architect, compliance is a major concern to get a solution off the ground responsibly. Azure Blueprints allow cloud architects to:
- Define a set of rules that Azure subscriptions must abide by;
- Deploy a set of Azure resources that conform to security best practices;
- Rapidly build new environments which comply with organisational standards.
To do that, Blueprints allow you to deploy role and policy assignments, Azure Resource Manager Templates, and Resource Groups. In this video, Mike Brown takes you through the process of deploying an Azure Blueprint, including:
- How to create an Azure Blueprint
- Defining artefacts for the Azure Blueprint to deploy
Hi there, welcome to this Firebrand Q&A. My name is Mike Brown and I'm a senior cloud instructor here at Firebrand Training. These Q&A sessions are designed so that we can answer some of the questions that are asked by our students, questions that are asked of us on a regular basis. We hope to provide answers to questions in these sessions and where appropriate provide demonstrations of the features being discussed. Let's take a look at the question that we're going to try and answer today. Today's question: what are Azure Blueprints and how can they help with compliance? At the time of recording Azure Blueprints are still in preview, but they have the potential to be a great asset for anyone working in Azure. Azure Blueprints will allow cloud architects to:
- Define a set of rules that Azure subscriptions must abide by, by providing security controls and compliance controls to those subscriptions;
- Allow resources to be deployed to Azure but those deployed resources must conform to security best practices;
- And Azure blueprints will allow us to rapidly deploy new environments which comply with our organizational standards.
When creating an Azure blueprint they will allow us to deploy rule assignments, policy assignments, Azure manager templates, and resource groups. So let's take a look at blueprints in action. In this demonstration we will:
- Create a new Azure blueprint
- Define artifacts for the Azure Blueprint to deploy
- And show how the newest Azure blueprint can be deployed
Let's jump right in. Here we are in the Azure console. I've already accessed the blueprints blade. If you're not sure how to navigate here just type blueprints in the search bar. It's worth pointing out again that blueprints are still in preview and like all preview features are subject to change. We should wait until this feature comes out of preview before launching it in production.
If we scroll down this page a little bit we can see the three tasks we need to perform when working with blueprints. Here we can see create a blueprint, apply to a scope and track assignments. You would work through these three tasks in order.
Starting off we'll create a blueprint so let's click create. We're gonna be starting off with a blank blueprint but again if you scroll down you can see that there are samples already created for you. So if you find a sample that closely matches your requirements, use that as your starting point.
If I scroll back up I'm gonna select start with a blank blueprint. This first section is our standard form, where we define a name for the blueprint, a description, and a location - so I'll fill those details in.
Here you can see I've defined a name of our first blueprint, a description, and a location. The location can be a management group, or a subscription inside a management group. I've chosen one of my subscriptions.
The next step is to define artifacts, so let's click Next artifacts. You can see the subscription level is selected. Beneath there, select add artifact. In the artifact type drop-down, select the arrow and here you can see the different types of artifacts you can define with your blueprint.
Let’s start off with a resource group. If we select that and scroll down just a little, what this artifact allows us to do is to deploy resource groups to new or existing subscriptions. We have to provide a display name for the artifact, but then notice the tick boxes.
Underneath resource group and location, we have tick boxes that are already selected that say this value should be specified when the blueprint is assigned. Leaving these ticks box selected means that the assigner of the blueprint gets to fill in these details. Now I don't want to do that, so I'm gonna uncheck both these boxes and provide a name for a resource group and location.
Here you can see those details filled in and I've added a name for the artifact as well. The only other value to add here is tags. If we scroll down a little bit we can see the optional tags that can be added. I'm happy with this configuration so I'll just say add.
So now we see as well as a subscription level and artifacts that can be assigned there, we have our new resource group artifact and artifacts that can be assigned beneath there. So beneath the new resource group let's click Add artifact.
And again let's look at the artifact type so we can deploy here by clicking on the drop down. Slightly different list now because resource groups cannot contain resource groups. But beneath here we can still add policie, rules, and templates.
Let's click on role assignment. And at this resource group level I'm going to assign a role permission to one of my Azure AD users. The role I'm going to assign is contributor so from the role drop-down I choose contributor.
Again I untick the tick-box that says this value will be a specified during blueprint assignment, and I'm going to select one of mine Azure AD users. I'm choosing Bob - I'm going to give Bob the contribute role for this new resource group.
I'll say Add there, and again we can see the artifact listed. We can carry on with this by assigning policies around templates at different levels, but I'm happy with my blueprint so I'm going to say save draft. Once the draft is saved, you'll be sent back to the blueprint blade. Now we created a blueprint, we can apply it - so let's click apply.
The first thing we need to do is select our blueprint, so from the blueprint drop-down select draft. You should see a list of draft blueprints, including the one we just created. Here we can see the blueprint I created, and on the right-hand side we've got the three dots.
If we flick those three dots and from here we choose publish blueprint. We need to provide a version for a blueprint and any notes that we want to share over people. And if we're happy, we click publish. It might take a minute or so to publish a blueprint.
Again, for the drop-down under blueprints instead of draft filter for published. Now we have the blueprint published, it's ready to be assigned - so select the three dots again on the right hand side and choose assign blueprint.
Here we provide an assignment name, a location, and the version of the blueprint we wish to assign. If you scroll down you can see more of the form, including a parameter section. So if they were any parameters to be filled in, it would be done here. If we're happy we click assign.
I'm in my subscription and I can see a list of my resource groups, and you notice amongst them is a resource group called our resource group. This is the resource group that was deployed by the blueprint. if I select that resource group and click access control IAM under role assignments, and contributor, we should see Bob.
So what are Azure blueprints and how can they help with compliance?
- Well, they allow us to map our security and compliance requirements to a group of artifacts that we can deploy together;
- They enforced standard configurations for existing and new subscriptions;
- And give us a configuration that we can repeat, so that we have predictable results.
To learn more about Azure and how you can get certified fast, visit our website at firebrand.training . I've also put links to some of our accelerated courses in the video description. For more videos and tips on all things Azure and cloud, please subscribe to our channel and follow us on social media. If you have any questions about cloud computing, add into the comment section below and we'll do our best to get back to you. Look out from our firebrand Q&A, see you next time!
About Firebrand Q&As
Firebrand Q&As is a series of videos with answers to frequently asked questions at our courses on cloud, cybersecurity, networking, and project management. For more on Microsoft Azure and more, stay tuned to our blog and Youtube channel. Firebrand offers accelerated courses to get you certified up to 50% faster than traditional courses. We offer 700+ courses across IT and project management. Book a course now and get in-person training with our expert instructors. Mike Brown is a lead instructor at Firebrand Training. He has more than 20 years’ experience in Microsoft and Cisco-focused certifications. Mike loves working with new cloud technologies and virtualisation. When he’s not teaching, he spends time making videos on Microsoft technologies and writing books on virtualization.