SOLVED

Azure Design Best Practice for Hybrid Cloud

%3CLINGO-SUB%20id%3D%22lingo-sub-2334706%22%20slang%3D%22en-US%22%3EAzure%20Design%20Best%20Practice%20for%20Hybrid%20Cloud%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2334706%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Team%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20looking%20for%20best%20practices%20or%20Diagrams%20that%20can%20assist%20me%20in%20designing%20Azure%20hybrid%20environment.%20I%20am%20beginner%20and%20don't%20have%20much%20experience%20on%20Azure.%20I%20want%20to%20prepare%20landing%20zones%20to%20start%20with%20Azure%20in%20Hybrid%20Model.%3C%2FP%3E%3CP%3ECurrently%2C%20we%20don't%20have%20any%20design%20and%20don't%20use%20Azure%20services(Except%20Azure%20AD)%20for%20production%20environment.%20This%20is%20going%20to%20be%20initial%20setup%20that%20will%20act%20as%20base%20for%20future%20deployments%20so%20I%20want%20to%20configure%20things%20based%20on%20best%20practices.%3C%2FP%3E%3CP%3ESome%20ideas%20like%20hierarchal%20diagrams(Including%20Management%20Groups%2C%20Subscriptions%2C%20Resource%20Groups%20etc)%20for%20Management%2C%20Security%26nbsp%3B%20and%20deployment%20of%20resources%20would%20be%20really%20helpful.%3C%2FP%3E%3CP%3ECan%20someone%20please%20suggest.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2334706%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EHybrid%20Cloud%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2336096%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Design%20Best%20Practice%20for%20Hybrid%20Cloud%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2336096%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1047715%22%20target%3D%22_blank%22%3E%40sc2317%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eit%20is%20impossible%20to%20give%20a%20detailed%20recipe%20that%20works%20for%20every%20scenario.%20However%2C%20Microsoft%20has%20very%20good%20content%20that%20will%20help%20you%20into%20your%20decision%20making%20process.%20I%20guess%20you%20heard%20about%20the%20Cloud%20Adoption%20Framework.%20I%20am%20sharing%20the%20link%20to%20the%20Landing%20Zones%20documentation%2C%20but%20you'll%20find%20many%20other%20topics%20of%20interest%20around%20Azure%20adoption%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fcloud-adoption-framework%2Fready%2Flanding-zone%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EWhat%20is%20an%20Azure%20landing%20zone%3F%20-%20Cloud%20Adoption%20Framework%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2336638%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Design%20Best%20Practice%20for%20Hybrid%20Cloud%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2336638%22%20slang%3D%22en-US%22%3EHi%3CBR%20%2F%3EDepending%20on%20your%20use%20case%20can%20follow%20the%20either%20the%20Standard%20enterprise%20governance%20guide%20%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fcloud-adoption-framework%2Fgovern%2Fguides%2Fstandard%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fcloud-adoption-framework%2Fgovern%2Fguides%2Fstandard%2F%3C%2FA%3E%3CBR%20%2F%3EOr%20Governance%20guide%20for%20complex%20enterprises%20%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fcloud-adoption-framework%2Fgovern%2Fguides%2Fcomplex%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fcloud-adoption-framework%2Fgovern%2Fguides%2Fcomplex%2F%3C%2FA%3E%3CBR%20%2F%3EYou%20will%20be%20able%20with%20those%20documents%20to%20build%20Governance%2C%20Indentity%20and%20Security%20baseline%20.on%20top%20of%20your%20Network.%3CBR%20%2F%3ETo%20build%20your%20network%20an%20esay%20starting%20point%20is%20to%20use%20secure%20hybrid%20network%20architecture%20%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Farchitecture%2Freference-architectures%2Fdmz%2Fsecure-vnet-dmz%3Ftabs%3Dportal%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Farchitecture%2Freference-architectures%2Fdmz%2Fsecure-vnet-dmz%3Ftabs%3Dportal%3C%2FA%3E%3CBR%20%2F%3EThen%20look%20at%20the%20Hub%20and%20Spoke%20topology%20%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Farchitecture%2Freference-architectures%2Fhybrid-networking%2Fhub-spoke%3Ftabs%3Dcli%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Farchitecture%2Freference-architectures%2Fhybrid-networking%2Fhub-spoke%3Ftabs%3Dcli%3C%2FA%3E%3CBR%20%2F%3ECheck%20the%20different%20virtual%20network%20segmentation%20patterns%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Farchitecture%2Freference-architectures%2Fhybrid-networking%2Fnetwork-level-segmentation%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Farchitecture%2Freference-architectures%2Fhybrid-networking%2Fnetwork-level-segmentation%3C%2FA%3E%3CBR%20%2F%3EThen%20the%20Hybrid%20availability%20and%20performance%20monitoring%20reference%20architecture%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Farchitecture%2Fhybrid%2Fhybrid-perf-monitoring%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Farchitecture%2Fhybrid%2Fhybrid-perf-monitoring%3C%2FA%3E%3CBR%20%2F%3EAt%20this%20stage%20you%20should%20be%20your%20end%20to%20end%20design%20MVP%3CBR%20%2F%3EYou%20can%20of%20course%20each%20component%20if%20applicable%20by%20a%20third%20a%20third%20party%20tool%20especially%20if%20you%20already%20have%20Licences%20.%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20architecture%20center%20have%20many%20reference%20which%20can%20help%20you%20to%20start%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Farchitecture%2Fbrowse%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Farchitecture%2Fbrowse%2F%3C%2FA%3E%3CBR%20%2F%3EFinally%20check%20the%20different%20implementation%20options%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fcloud-adoption-framework%2Fready%2Flanding-zone%2Fimplementation-options%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fcloud-adoption-framework%2Fready%2Flanding-zone%2Fimplementation-options%3C%2FA%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2367829%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Design%20Best%20Practice%20for%20Hybrid%20Cloud%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2367829%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F540591%22%20target%3D%22_blank%22%3E%40ibrahimambodji%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20your%20feedback%20and%20time.%20I'll%20go%20through%20this%20and%20see%20if%20it%20helps.%3C%2FP%3E%3CP%3EOne%20more%20thing%2C%20that%20I%20would%20like%20to%20know%20is%20that%20what%20is%20the%20general%20or%20most%20widely%20used%20method%20of%20organizing%20resources%20in%20Azure.%20For%20example%20-%20Is%20it%20good%20to%20have%20separate%20resource%20groups%20or%20separate%20subscriptions%20for%20different%20resources%2Fservices%20that%20we%20use%20in%20Azure.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2367867%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Design%20Best%20Practice%20for%20Hybrid%20Cloud%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2367867%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1047715%22%20target%3D%22_blank%22%3E%40sc2317%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%20%2C%26nbsp%3B%20you're%20welcome%3C%2FP%3E%3CP%3EFrom%20my%20experience%20i've%20seen%20two%20patterns%20%3A%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Group%20resources%26nbsp%3B%20sharing%20the%20same%20lifecycle%20.%20It%20can%20be%20an%20application%20or%20a%20solution%20so%20you%20have%20all%20the%20components%20in%20the%20same%20resource%20group%20.%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Group%20resources%20by%20area%20so%20you%20will%20have%20monitoring%20tools%20in%20the%20same%20rg%20the%20security%20tools%20in%20other%20the%20networking%20tools%20or%20components%20in%20a%20different%20one%20.%20The%20idea%20behind%20is%20to%20leverage%20Role%20based%20access%20control%20and%20provide%20least%20privilege.%20For%20example%20a%20network%20engineer%20should%20able%20to%20manage%20networking%20components%20only%20and%20nothing%20else%20.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%26nbsp%3B%20subscription%20is%20at%20an%20higher%20level%20so%20you%20can%20have%20subscription%20for%20each%20environment%3C%2FP%3E%3CP%3EDev%20Preprod%20Prod%20for%20example%20and%20in%20each%20subscription%20have%20the%20relevant%20resource%20groups%20whether%20they%20belong%20to%20this%20or%20that%20environment%20.Since%20there%20is%20a%20quota%20for%20some%20resources%20per%20subscription%20one%20subscription%20may%20not%20be%20enough%20(%20Thousand%20and%20thousand%20of%20vms%20or%20containers)%20but%20you%20can%20still%20differenciate%20prod%20and%20non%20prod%20subscriptions%20and%20for%20the%20billing%20purpose%20it's%20quite%20interesting.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Hi Team,

 

I am looking for best practices or Diagrams that can assist me in designing Azure hybrid environment. I am beginner and don't have much experience on Azure. I want to prepare landing zones to start with Azure in Hybrid Model.

Currently, we don't have any design and don't use Azure services(Except Azure AD) for production environment. This is going to be initial setup that will act as base for future deployments so I want to configure things based on best practices.

Some ideas like hierarchal diagrams(Including Management Groups, Subscriptions, Resource Groups etc) for Management, Security  and deployment of resources would be really helpful.

Can someone please suggest.

5 Replies

@sc2317,

 

it is impossible to give a detailed recipe that works for every scenario. However, Microsoft has very good content that will help you into your decision making process. I guess you heard about the Cloud Adoption Framework. I am sharing the link to the Landing Zones documentation, but you'll find many other topics of interest around Azure adoption:

 

What is an Azure landing zone? - Cloud Adoption Framework | Microsoft Docs

best response confirmed by sc2317 (New Contributor)
Solution
Hi
Depending on your use case can follow the either the Standard enterprise governance guide :
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/govern/guides/standard/
Or Governance guide for complex enterprises :
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/govern/guides/complex/
You will be able with those documents to build Governance, Indentity and Security baseline .on top of your Network.
To build your network an esay starting point is to use secure hybrid network architecture :
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs...
Then look at the Hub and Spoke topology :
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-sp...
Check the different virtual network segmentation patterns
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/networ...
Then the Hybrid availability and performance monitoring reference architecture
https://docs.microsoft.com/en-us/azure/architecture/hybrid/hybrid-perf-monitoring
At this stage you should be your end to end design MVP
You can of course each component if applicable by a third a third party tool especially if you already have Licences .

The architecture center have many reference which can help you to start
https://docs.microsoft.com/en-us/azure/architecture/browse/
Finally check the different implementation options
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/implementation-op...

@ibrahimambodji 

Thanks for your feedback and time. I'll go through this and see if it helps.

One more thing, that I would like to know is that what is the general or most widely used method of organizing resources in Azure. For example - Is it good to have separate resource groups or separate subscriptions for different resources/services that we use in Azure.

@sc2317 

Hi ,  you're welcome

From my experience i've seen two patterns : 

- Group resources  sharing the same lifecycle . It can be an application or a solution so you have all the components in the same resource group . 

- Group resources by area so you will have monitoring tools in the same rg the security tools in other the networking tools or components in a different one . The idea behind is to leverage Role based access control and provide least privilege. For example a network engineer should able to manage networking components only and nothing else . 

 

The  subscription is at an higher level so you can have subscription for each environment

Dev Preprod Prod for example and in each subscription have the relevant resource groups whether they belong to this or that environment .Since there is a quota for some resources per subscription one subscription may not be enough ( Thousand and thousand of vms or containers) but you can still differenciate prod and non prod subscriptions and for the billing purpose it's quite interesting.  

 

@ibrahimambodji 

 

Hi,
Many thanks for your suggestions. This has helped me a lot to understand and will certainly help me to take decisions going forward.