Forum Discussion
Azure Design Best Practice for Hybrid Cloud
- May 07, 2021
Hi
Depending on your use case, you can follow either the Standard enterprise governance guide:
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/govern/guides/standard/
or the Governance guide for complex enterprises:
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/govern/guides/complex/
With those documents you will be able to build your Governance, Identity and Security baseline on top of your Network.
To build your network, an easy starting point is the secure hybrid network architecture:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal
Then look at the Hub and Spoke topology:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli
Check the different virtual network segmentation patterns:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/network-level-segmentation
Then the Hybrid availability and performance monitoring reference architecture:
https://docs.microsoft.com/en-us/azure/architecture/hybrid/hybrid-perf-monitoring
At this stage you should have your end-to-end design MVP.
You can of course replace each component, if applicable, with a third-party tool, especially if you already have licences.
The Architecture Center has many references which can help you to start:
https://docs.microsoft.com/en-us/azure/architecture/browse/
Finally, check the different implementation options:
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/implementation-options
Thanks for your feedback and time. I'll go through this and see if it helps.
One more thing that I would like to know is what the general or most widely used method of organizing resources in Azure is. For example, is it good to have separate resource groups or separate subscriptions for the different resources/services that we use in Azure?
- ibnmbodji, May 19, 2021, Iron Contributor
Hi, you're welcome.
From my experience I've seen two patterns:
- Group resources sharing the same lifecycle. It can be an application or a solution, so you have all the components in the same resource group.
- Group resources by area, so you will have the monitoring tools in the same RG, the security tools in another and the networking tools or components in a different one. The idea behind this is to leverage role-based access control and provide least privilege. For example, a network engineer should be able to manage networking components only and nothing else.
The subscription is at a higher level, so you can have a subscription for each environment (Dev, Preprod, Prod for example) and in each subscription have the relevant resource groups, whichever environment they belong to. Since there is a quota for some resources per subscription, one subscription may not be enough (thousands and thousands of VMs or containers), but you can still differentiate prod and non-prod subscriptions, and for billing purposes it's quite interesting.
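The "group by area" pattern in the answer above only delivers least privilege if the role assignment is scoped to the area's resource group rather than to the subscription. The following Az PowerShell script is an added example written for this page, not code posted in the thread: it creates one resource group per area inside one environment subscription, grants an Entra ID group of network engineers the built-in Network Contributor role on the networking resource group only, and then checks that the same group holds no assignment at subscription scope or in the security and monitoring groups. The subscription ID, the group object ID, the resource group names, tags and region are all placeholders you would replace.

```powershell
# Added example (not from the thread). Requires the Az module and a prior
# Connect-AzAccount. Every name and ID below is an assumed placeholder.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,           # the "prod" subscription, say
    [Parameter(Mandatory)] [string] $NetworkEngineersObjectId, # Entra ID group object ID
    [string] $Environment = 'prod',
    [string] $Location    = 'westeurope'
)

$ErrorActionPreference = 'Stop'
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Pattern 2 from the answer: one resource group per functional area, so that
# RBAC can be scoped per area. The environment is carried by the subscription
# and repeated in the RG name and tags for readability in billing reports.
$areas = @{
    networking = 'rg-networking'
    security   = 'rg-security'
    monitoring = 'rg-monitoring'
}

$rgs = @{}
foreach ($area in $areas.Keys) {
    $name = "$($areas[$area])-$Environment"
    $rgs[$area] = New-AzResourceGroup -Name $name -Location $Location `
        -Tag @{ area = $area; environment = $Environment } -Force
}

# Least privilege: the assignment scope is the networking RG's resource ID
# (/subscriptions/<id>/resourceGroups/<name>), not the subscription.
$netScope = $rgs['networking'].ResourceId
$existing = Get-AzRoleAssignment -ObjectId $NetworkEngineersObjectId `
    -RoleDefinitionName 'Network Contributor' -Scope $netScope |
    Where-Object { $_.Scope -eq $netScope }
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $NetworkEngineersObjectId `
        -RoleDefinitionName 'Network Contributor' -Scope $netScope | Out-Null
}

# Check: Get-AzRoleAssignment returns the principal's direct and inherited
# assignments in the current subscription. Anything at subscription scope, or
# in the security/monitoring RGs, breaks the "networking only" intent.
$subScope = "/subscriptions/$SubscriptionId"
$all      = Get-AzRoleAssignment -ObjectId $NetworkEngineersObjectId
$tooBroad = $all | Where-Object {
    $_.Scope -eq $subScope -or
    $_.Scope -like "$subScope/resourceGroups/rg-security-*" -or
    $_.Scope -like "$subScope/resourceGroups/rg-monitoring-*"
}

if ($tooBroad) {
    Write-Warning 'Network engineers group has assignments outside the networking RG:'
    $tooBroad | Format-Table RoleDefinitionName, Scope -AutoSize
} else {
    Write-Host "OK: network engineers are scoped to $netScope only."
}
```

Assignments inherited from a management group above the subscription also show up in that last query, which is the point of running it: a Contributor grant made higher up silently undoes the per-area split, so the check belongs in whatever pipeline deploys the landing zone, not just in a one-off script.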