>> Hi. This is Steve Michelotti of the Azure Government Engineering Team. I’m joined here today by Alex Frankel, Program Manager on the Azure Governance Team. Welcome, Alex.
>> Thank you.
>> So we are here today to talk about Azure Blueprints in Azure Government. Now, some of our Government customers may already be familiar with Blueprints, but some of them may not be. So why don’t you give us a little bit of an intro, like what are we talking about here with Blueprints?
>> Yes. So we’re not talking about an Excel spreadsheet, for sure. So this is a native packaging construct for what we call Azure artifacts. So those can be things like Azure policies for auditing certain behaviors or restricting certain behaviors; RBAC, identity management, of course, is really important there; then your ARM templates, which is your infrastructure as code, so describing what resources you want in a subscription or resource group, or properties that you want them to have.
>> Okay. So this is really going beyond an Excel checklist, so to speak?
>> Yes.
>> Particularly when you mentioned Azure Policy, that’s a service we have in Government which by itself is really powerful.
>> Yes.
>> The fact that Blueprints is packaging it up, leveraging those features in a cohesive, organized way, is really powerful.
>> Right. Yes. Policy is a crucial piece of governance in Azure, whether it’s in Government or in the public cloud. But what we found is that there are a few more things that you need to really construct a proper environment, and those are those other two pieces, so the RBAC assignments and the ARM templates for the infrastructure itself.
>> Okay. All right, so why don’t we dig into this a little bit more. Let’s talk a little bit about the problem we’re trying to solve.
>> Yes.
So we did a lot of research in this space. We spent between three and six months looking at why Azure is hard to adopt at scale, essentially. So what are the challenges that you start to hit when your environment spans many subscriptions, you have hundreds of app teams using the same Azure tenant? What we found is that there’s this emerging role in pretty much every large organization, the cloud architect, and they’re the ones who are essentially stewarding these application teams to the cloud to make sure they’re using the cloud in the right way. We all went to the cloud with this dream of sort of self-service: you could just go into Azure, grab whatever infrastructure you want, send up your applications, and you’re done, you’re good to go. The reality of that is that you do need to really have a knowledge of the platform to consume the cloud in the right way. The cloud architects are emerging as that role, and they work with all the app teams. They’re experts. They know exactly what they’re doing when it comes to Azure, but they have become the bottleneck in terms of getting these application teams on-boarded, getting their subscriptions set up just so that they can start to actually deploy their code into Azure. So we found it was taking anywhere from 3-12 months for an organization or an application team to go from zero to a production application in Azure. So what we’re trying to do with Blueprints is, how can we make that process faster, so that when an app team comes to this cloud architect, they can have a blueprint that’s ready to go for that use case. So they are starting to develop a library of these blueprints for different purposes, so that they basically have front-loaded all the engineering work for getting subscriptions stood up, and they just have to apply this blueprint to the environment and they’re ready to go.
>> So it sounds like we will provide some kind of out-of-the-box blueprints, but also an enterprise or an agency can customize and make their own blueprints?
>> Yes, exactly. We’ll walk through this in the demo. So you can start with a blueprint from scratch, and we’ll show what that sort of experience is like. But we also have a set of built-in blueprints, some of which are just targeted at getting you started with Blueprints faster, understanding the concepts and the types of things that can be brought into them, but the really exciting piece is these blueprints that are built for certain compliance certifications. So today, we have the ISO 27001 Blueprint, both for setting up a shared services environment, and we’ll talk about this in more detail, as well as one for setting up individual workloads. With that, you can deploy all your infrastructure and also get a really good jump-start on meeting those ISO compliance controls, which we know is sort of a baseline. We know many need to get certifications on top of that ISO certification, but often, that’s a really good place to start.
>> So that’s a hugely important point for our Government customers, because you mentioned ISO, but then there’s also your FedRAMP Moderate, FedRAMP High, maybe some customers need [inaudible]. So to be able to have blueprints for each one of those is very critical.
>> Exactly. It’s all on the roadmap. Azure itself as a platform has to meet all of these compliance standards. So we have the expertise internally for what are the checkboxes that you need, what are the controls that you need to meet for all these different certifications. They are actually the ones that we’re working with to build out this library of built-in blueprints.
>> I think that’s another important point. It’s one thing, just because you’re deploying your app to Azure, you’re deploying into a compliant environment, that doesn’t mean you’re automatically compliant. You also need to make sure you’re enforcing on your own artifacts and what you’re deploying, and that’s why this is important.
>> Exactly. My co-worker describes that as the shared responsibility model. So you’ve met some of the controls by default. There is a set of technical controls that you are responsible for meeting after that. Then there’s a set of people and process controls that you are also responsible for. There’s only so much we can do in that capacity, but we do think we’re giving you a really solid head-start there.
>> Okay, great. All right, let’s keep going. So what do we have next here?
>> Yes. So this is really, at a high level, what a blueprint is, and we only need to touch on this for a minute. But it’s taking these core pieces that we’re calling artifacts, so that’s RBAC, policy, and ARM templates, and packaging that into a blueprint. It’s called a blueprint definition before you’re actually using it for your deployments. That blueprint definition itself can be managed and versioned. So you’re not going to be done with compliance on day one. You’re going to be constantly evolving what it means to be compliant, what it means to be governed. You may be adding new resources, you may be adding new policies, so we give you the pieces to version that out and understand which blueprint versions have been applied to which subscription. So that’s what we mean when we say managing blueprints. Then, once you’ve done the hard work of codifying your intent of what an environment looks like in a blueprint, now you can start to really scale out, because as any new subscription comes online, you just apply a blueprint to it, and so you can really start to scale out your use of Azure that way.
>> I think this concept of enforcement and continually monitoring what you have is hugely important. Again, because I’m in the Government space, I think about how far Blueprints has come from the Excel spreadsheets. Even some of the ARM templates: if you use an ARM template, okay, you were compliant on day one, but as your infrastructure evolves beyond the ARM template, how do you enforce that? The fact that we now have Azure Policy in there is hugely important.
>> Yes, exactly. We’ll talk about one other feature as we’re walking through the Blueprints UI, this feature of a blueprint lock. So often you need to deploy certain infrastructure into an application team’s subscription, where that application team needs owner access because they need to regulate RBAC themselves, and you need owner access to do that sort of thing at a subscription. So what the blueprint is going to do, it’s going to add a special type of role assignment called the deny assignment. What that’s essentially doing is revoking access from the owners of that subscription for these specific resources. So the classic example here is virtual networking. You need the VNet in that subscription, but you really don’t want your application team mucking with things like IP addresses. So with the blueprint, if you apply it that way, you can actually prevent them from touching those resources at all.
>> Very cool. Okay. Does it make sense for us to get into a demo at this point?
>> Yes, let’s get into a demo. Let’s see some exciting stuff. So Blueprints is a top-level service in Azure, and all that means is that you can find it by opening up All services and searching for Blueprints. At that point, you can pin it to the sidebar for easy access. So let’s dive into what the actual experience is like. So this is our getting started page. It really just goes over, at a high level, the key pieces of what it means to create a blueprint, as well as some links to documentation. When I click “Create” here, this is where you get to make that first choice: do I want to make a blank blueprint from scratch, or do I want to start with one of these built-in blueprints?
>> As we add additional ones like FedRAMP, they’ll start to appear in here as well?
>> Exactly.
As the library of blueprints grows, I’m sure we’ll have more features around sorting and rating these things to weed some of the other ones out.
>> I guess just a quick caveat for the astute observer: they may see that you’re in regular Azure instead of Azure Government. So as a member of the Azure Government Engineering team, I felt obligated to point out that at the time of this recording, it’s not in Azure Government, but we know that it’s coming in a matter of weeks, so depending on when they’re watching this video, that may already be there.
>> Right. Yes. So the key pieces are actually stood up in Government right now; we’re in the process of starting our FedRAMP certifications so that all the Government agencies can start to consume that. But yes, this is the regular Azure portal.
>> With that caveat out of the way, please proceed.
>> So these are those two ISO Blueprints. This is the one for shared services, so you might be familiar with the hub-and-spoke architecture. So the shared services is going to be your hub subscription or hub workload. Then this one is the ASE/SQL workload. So we work with some of the teams within Microsoft that are working with these customers to build out some of these archetypes, and these workloads, we call them. This is the first one for App Service and SQL, which is, of course, really quite a common workload. But we expect to have more of these workloads, also with the ISO compliance built into them.
>> Makes sense.
>> So we can just click “Use this sample.” So we’ll select the shared services environment. What we’re going to be doing is essentially taking a copy of this blueprint that we store in the Blueprints service and letting you essentially clone it into your tenant. The reason that we do that is very rarely will you be able to take a complex environment like this, turn around and apply it, and have it do every single thing that you want it to do. You might have some custom tools for things like secrets or log storage or whatever it is. So we clone it into your tenant so that you can start to make changes to some of the key pieces. Of course, if you want to deploy it as is, it works really well and all the components work together, but we make it easy to swap some of these components out. So that’s why I need to give it a name. So I’ll say this is my ISO Blueprint. Then I need to decide where this blueprint is going to live in my tenant. So organizations are starting to get a lot more subscriptions; they’re also starting to build out their management group hierarchy. So a management group, if you haven’t started using it, is really a grouping construct for your subscriptions, and you can start to develop layers of your management group hierarchy, and that makes things easier to manage from an RBAC perspective or policy perspective. So by choosing where in my hierarchy I want to save the blueprint definition, that determines what subscriptions can take advantage of that blueprint.
>> It’s like what’s in scope?
>> Yes, what’s in scope. Exactly. So I will save it into our favorite organization, Contoso, and I’ll switch over to the next tab, which is called the Artifacts tab. This is really the meat of what a blueprint is, and since we’re using a built-in blueprint, I have all of these artifacts that have already been added to the blueprint. So as you can see here, I have a bunch of policies for setting up the Log Analytics agents. I have a template for setting up Security Center. This is the key piece: we built a new policy specifically around ISO 27001, and we’re continuing to add new policies to it to cover more controls of the ISO spec. So that’s what that is. We have some more policies, again helping you reach ISO compliance. This is all at the subscription level. Then, as you can see here, I have resource groups being set up as well. So I’m creating a resource group for Log Analytics, and then I have a template that stands up the Log Analytics workspace there. Same thing for networking: I’m setting up networking in a dedicated resource group, Key Vault for secrets, my jump box, which is often required in a lot of organizations, and then Active Directory Domain Services. We’re setting up a VM with ADDS on it. A lot of large organizations still need the full power of on-prem Active Directory, or in a VM, Active Directory. So that’s why we’re setting up full ADDS here.
>> Okay. So it’s not just creating policies. It’s even creating resources too. We know you’re going to need Key Vault to manage your secrets; we’ll make sure that’s set up for you.
>> Exactly.
>> That’s awesome.
>> Yes. So this is what I mean when I say you can start to make changes. So if I right-click on any of these artifacts, I can remove them or edit them really easily. So if I have a solution for managing logs and metrics that’s not Log Analytics, that’s fine, you can just swap those out. You can add a new artifact just by clicking the Add artifact button, and depending on what you want to bring in, you can bring in these different artifact types. So if I want to add a new policy, I can do that right from here. If I want to add a new ARM template to replace a specific piece of infrastructure, I can do that right here as well.
>> So we might have an organization that says, “We only allow MySQL,” and you can add a policy saying, “Don’t allow Azure Database,” because we want MySQL. So it goes from a situation where the enterprise architect previously tried to do a Visio diagram and just say, “Please follow this.” Now you can actually enforce the rules of the agency.
>> Exactly, they can codify the intent of what they want these subscriptions to look like, or these environments to look like. This is the power that we’re bringing to these cloud engineers, as they have full control over what things should look like, how they should be deployed.
>> I see there’s actually an option there for Azure Resource Manager templates. So you really have a lot of flexibility in what you are creating.
>> Yes, anything that you can deploy in Azure, you should be able to deploy it with a blueprint.
>> Great.
>> Yes.
>> Okay.
>> So, what we’ll do now is save this blueprint as a draft. The reason why we save the blueprint as a draft by default is that we know people are going to be constantly tweaking what the shape of this blueprint should look like. When you’re ready, you publish a blueprint and you say, “This is the version of this blueprint that I care about.” So I’ll just right-click here and click “Publish.” We’ll call this one 1.0.

This is my initial ISO blueprint. The reason why this version is important is so that we can track which versions have been applied to which environments. As you continue to update the blueprints, you’re going to want to turn around and upgrade the environments that had this blueprint already. You may want to take an environment from blueprint 1.0 to blueprint 2.0 that has the extra resources or the new policies or what have you, and by understanding the difference between those versions, we can more cleanly upgrade them without running into errors and that sort of thing.
>> Nice.
>> Yes.
>> Makes sense.
>> When I’m ready, I can assign the blueprint. So I’ll right-click here and I’ll click “Assign.” Assign is the act of deploying the blueprint to an environment. So you’ll see here, the first thing I have to choose is which subscription I want to assign this blueprint to. So again, we talked about building out that hierarchy of scopes with management groups. These are all the subscriptions that are underneath the scope where the blueprint is saved. So that determines which subscriptions are eligible for this blueprint to be assigned.
>> So I can assign multiple subscriptions here in one shot?
>> You can, yes. If you want to just deploy it out to all of your subscriptions, we make that really easy for you.
>> Okay.
>> So I’m just going to select one subscription here, and now I have to go through and fill out a few different fields. So the version, obviously, is important, and if you need to apply an old version, that’s no problem, we store all of those for you. The next sort of two key decisions you’re going to want to make are on the lock and on the identity that you want to use to deploy the blueprint. So the lock we talked about a little bit: you may need to deploy infrastructure into a subscription, but not want anybody who has access to that subscription to mess with those resources. So you have two options here. You can set up a “read-only lock,” which will mean there are no operations you can do besides read on this particular resource, or you can do “do not delete.” So sort of the canonical example here is a SQL Server or an Automation runbook, where you want to set up a sort of baseline SQL Server with a certain config and you don’t want people to delete that. But you do want people to spin up new SQL databases or new runbooks, and so with the “delete only lock,” you have a little more flexibility there to do those sorts of things.
>> Okay.
>> Then, the last sort of basic piece of a blueprint deployment is what identity you want to use. So by default, we’ll create a system-assigned managed identity, and that’s how we can talk to the subscription where everything is being deployed. But it only has access to the subscription that you’re talking to. So if you need to do anything sort of cross-subscription, so VNet peering is a good example of this, where you need to talk to the subscription where you’re setting up, but also the subscription with a hub VNet that might have something like an ExpressRoute connection, so there you would need a user-assigned identity, where you get to decide what permissions it has and what subscription it can talk to.
>> But the way that we provide the guidance there, and how you pick the appropriate managed identity?
>> Yes. Exactly, and you have a ton of flexibility. It can talk to whatever it needs to talk to to get that deployment done.
>> Great.
>> The rest of this is parameters for the particular artifacts in this blueprint. So you’ll see here that for the most part, we’ve defaulted nearly everything. So you have a few different things that you need to fill out in order to start the blueprint deployment, but for the most part, all the defaults are good defaults to get started with. So we have a whole bunch of parameters here. I’m not going to go through each and every one and fill them all out, but once I’m done, I can just click “Assign,” and that’s when the process will start. So it’ll go through and say, “Okay, here’s everything that’s in the blueprint definition. Let me go through and deploy them, deploy them in the right sequence, etc.” When that is done, I’ll do my cooking show example here. I’ll go to the assigned blueprints. These are all the blueprints that have already been deployed. So I’ll search for a previous ISO Blueprint that I’ve already applied. You can see here, right at the top, that the assignment succeeded. These are all the different components that have actually been set up. So all the resource groups, the blueprint policy initiatives for ISO specifically, NSGs, storage accounts, VNet, so you name it: if you need it in that foundation of a shared services environment, it’s captured in the blueprint that’s built in to Azure.
>> For our customers where they are agencies that have to provide documentation for the compliance officers, we help them provide that documentation?
>> Yes. Exactly. So when policies are running, they’re emitting these compliance records that we store on your behalf. If you need to export them, you can certainly do that. But we give you a view for any given policy, or any given initiative, which is a set of policies; it will give you a view in terms of what is being flagged as non-compliant or what are the resources that are compliant.
>> Okay, sounds good.
>> Yes. So this is pretty much it.

It’s really quite easy to deploy these complex infrastructures, and we’re really excited to keep cranking out these built-in compliance blueprints for other needs.
>> Awesome. This has been hugely important for Azure Government. So thanks for joining us today. This has been Steve Michelotti with Alex Frankel, Program Manager on the Azure Governance team. Thanks for watching.