
The Five Disciplines of Cloud Governance – Resource Consistency

May 28, 2019 / May 21, 2019 | Evan Riser

In our recent webinar “Controlling Your Azure Environment: Governance for the Modern Enterprise” we touched on the five disciplines of cloud governance from Microsoft’s Cloud Adoption Framework. This blog post is the second in the “The Five Disciplines of Cloud Governance” five-part series expanding on those concepts. If you missed the first post in the series around Deployment Acceleration, check it out here.

In this post we are going to dig a little deeper into the discipline of “Resource Consistency” and will explore the paradoxical relationship of policies and tags.

In the Five Disciplines of Cloud Governance Microsoft explains that: “Cloud operations depends on consistency in resource configuration. Through governance tooling, resources can consistently be configured to manage risks related to on-boarding, drift, discoverability, and recovery.”

Why is it important?

By configuring, deploying and managing Azure resources in a consistent manner, you limit your cloud deployment’s exposure to risk. When resources are deployed in a predictable manner, they are discoverable by IT operations, preventing shadow IT as well as sprawl.

Without such controls in place, the agility of the cloud becomes a liability: resources come in and out of existence without the operations team’s involvement. They may go unsupported, which results in finger-pointing when something goes wrong, or, worse yet, they create a security hole which exposes the whole organization to bad actors.

The Policy and the Tag

In considering which of the several tools available to address resource consistency in Azure to discuss, I decided to dig deeper into the examples provided in the recent webinar, Controlling Your Azure Environment: Governance for the Modern Enterprise.

In the webinar I touched on the following:

  • Azure tags allow you to attribute key/value pairs to resources as an organizational tool.
  • Tags work in conjunction with policy, where they can refine the scope of a policy. Likewise, policies can be used to enforce the use of tags.

Resource Tags

Tagging resources provides a way to describe what a resource is for, who is responsible for it, where it fits in a larger solution and other useful information about the resource.  Tags provide a handle against which you can filter resources in queries used for monitoring as well as billing and to target resources through policy.

Because tags are an open name/value format, they offer great flexibility; however, this flexibility does not bode well for maintaining consistency. When configuring tags from the portal, you will see listed all of the names and associated values which have been applied in a subscription, and should you add your own unique name/value pair, it too will be listed for future consumption. There is nothing to stop someone from adding “CreatedBy” when “Created by” already exists in the list. However, there are two mechanisms which can better shape the use of tags in Azure.

The first mechanism for mitigating eventual tag chaos is to outline the use of tags, including a working taxonomy, in your cloud governance documentation. Then, to effect the management of that taxonomy and employ the terms defined therein, you would use the next item in our tool chain: policies.

Policy

Azure Policy is one of the most powerful governance tools because it is the embodiment of governance itself. When you define a policy in the real world, you are stating how something should be done and expecting a person to abide by it. In Azure, a policy is a technical configuration which controls resources and their existence by allowing or preventing parameters.

Tag Enforcement Policy

Implementing policies in Azure is a two-part process.

  1. Definition: First, the desired behavior must be written in JavaScript Object Notation (JSON) so that the Azure Resource Manager can understand it. This singular artifact is the policy; a collection of policies is called an initiative.
  2. Assignment: Second, the policy or initiative must be assigned to a scope to be used. The scope is defined at the subscription and resource group levels, with the ability to further refine the scope through exclusion at the individual resource level.

Definitions

To create our policy, we must navigate to the “Policy” resource in the Azure Portal by searching for “policy” and selecting the associated service. From the Policy overview section, we are going to select “Definitions” under the Authoring section.

Here we see listed all of the Built-in policies available out of the box.  By using the Search box located to the far-right of the toolbar we can filter the list to just those policies for tags.

To achieve our goal of defining tags through policy, we’re going to work with the “Enforce tag and its value” policy.

After clicking on the definition name, click “Duplicate definition” to create a copy of this definition that we can modify. (Note: these built-in definitions should be viewed as templates and not modified directly.)

BASICS

In the first section of the form we will need to assign the following:

  • Definition location: the subscription to which the policy applies
  • Name: make sure this clearly and concisely explains the intent of the policy
  • Description: while not mandatory, it is useful to provide details on the policy’s objective
  • Category: while not mandatory this will help make your policy discoverable for use by others

POLICY RULE

The policy rule section is the JSON code which the Azure Resource Manager will interpret to enforce the application of tags.

The code block consists of the following:

PolicyRule: this is where the condition of the policy is defined, dictating the If/Then

  • If: here the policy is looking for the presence of the tag defined in Parameters on resources of type [virtual machines]
  • Then: here the “effect” of the condition not being met is to add or “append” the tag to the resources

(Note: Here we are using the resource type to identify what resources this should be applied to, instead we could identify the resource by tag thus meeting the other scenario outlined in the webinar where policy is applied to resources based on tag.)

In the example below I have modified the default code to reflect the logic outlined above.

Parameters: In this section the criteria to be applied by the policy are defined. In our use case they are the tag and value.

To constrain the “tagname” and “tagvalue” to specific terms, I have added the “allowedValues” property to limit the term(s) used.

The only modifications that need to be made to the code are to the defaultValue, allowedValues, displayName and description for both the tagName and tagValue.
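A policy rule that follows the logic described in this section, written out here as an added example rather than the author's own code. The tag name `Environment` and its values are constructed placeholders for whatever your taxonomy defines; `tagName` and `tagValue` are the parameter names the post refers to.

```json
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
        {
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "exists": "false"
        }
      ]
    },
    "then": {
      "effect": "append",
      "details": [
        {
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "value": "[parameters('tagValue')]"
        }
      ]
    }
  },
  "parameters": {
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "Tag name",
        "description": "Constructed example: the one tag name the taxonomy allows."
      },
      "allowedValues": ["Environment"],
      "defaultValue": "Environment"
    },
    "tagValue": {
      "type": "String",
      "metadata": {
        "displayName": "Tag value",
        "description": "Constructed example: the values the taxonomy allows."
      },
      "allowedValues": ["Production", "Development"],
      "defaultValue": "Development"
    }
  }
}
```

The `append` effect is evaluated when a resource is created or updated, so existing virtual machines without the tag are reported as non-compliant rather than changed until they are next updated.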

Assignment

Once the definition of a policy has been articulated we can assign it. From the Definitions section we need to navigate to the Assignments area by selecting “Assignments” under the Authoring section.

Because we are only concerned with an individual policy and not a collection we are going to click “Assign policy” from the top navigation of the Assignments page.

SCOPE

In this first section we need to define the scope of the assignment. By default, the scope is an entire subscription; clicking on the ellipsis in the scope field gives the opportunity to refine the scope by resource group(s).

Scope can be further refined by selecting resources for exclusion from the policy assignment by clicking the ellipsis in the Exclusions field.

BASICS

With the scope defined, all that remains is to select the Policy definition you want associated with this assignment and give the assignment a name and description.

Conclusion

To further our understanding of resource consistency in Azure, we have created a policy which enforces the use of a specific tag and value for a specific type of resource. In so doing, we have seen that tags can also be used to determine which resources have a policy applied to them, thus illustrating the recursive relationship between the two ideas.

The next in our series on Cloud Adoption will be on Cost Management. If you’re interested in implementing Azure services, reach out to us here.
