Terminology

1) Resource Group

2) Resource

3) Resource Provider

RESOURCE GROUPS

Resource Group – the container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. Example: when we create a new VM, we put all resources related to the VM (disks, network, etc.) into the same resource group. You decide how to allocate resources to resource groups based on what makes the most sense for your organization.

The best practice is that all the resources in a group share the same lifecycle: you deploy, update, and delete them together. If one resource, such as a database server, needs to exist on a different deployment cycle, it should be in another resource group. Each resource can exist in only one resource group; however, you can link resources from another resource group into a resource group. For example, I might link a SQL Server database from another resource group into my resource group if my service uses that database, to make it easier to see the resources used by my service. Important to know is that we cannot rename a resource group. What we can do is move resources to another group, either with PowerShell or via the Portal.

Create new resource group

Browse to the Resource Groups node or blade and click on Add


Type in the name, select the subscription and the resource group location, then click Create.


We can use PowerShell as well. First we need to connect to our Azure tenant:

# Prompt for the user name and password, then sign in with them.
# Password-based sign-in does not work for accounts that require MFA;
# for those, run Login-AzureRmAccount without -Credential to sign in interactively.
$azurecredentials = Get-Credential

Login-AzureRmAccount -Credential $azurecredentials

To create a new resource group use:

# <location> is an Azure region name such as westeurope; Get-AzureRmLocation lists the valid names
New-AzureRmResourceGroup -Name <name of the group> -Location <location>


Creating an RG is a very simple process. Now we can move on to resources.

RESOURCE

A resource is something you provision in your Azure subscription, and it always belongs to a resource group. A SQL Database, Web App, Storage Account, Redis Cache, Virtual Machine, IoT Hub, or HDInsight cluster are all examples of a resource. We will go into much more depth when we start creating VMs, networks, etc.


If for some reason you would like to move resources to a new RG, you can do it by clicking on Move.

You will see two options: move to another RG or move to another subscription.


Then we select which resources we would like to move, and at the bottom we select an existing RG or create a new one. Acknowledge that you need to update scripts for these resources (their resource IDs change with the move) and select OK.


PowerShell:

# Select every resource in the source group and move it to the destination group.
# The resource IDs change, so scripts or templates that reference them must be updated afterwards.
Get-AzureRmResource | Where-Object { $_.ResourceGroupName -eq 'Source Resource Group' } | Move-AzureRmResource -DestinationResourceGroupName 'Destination Resource Group Name'


RESOURCE PROVIDER

The resources in your resource groups are created and managed by resource providers. Each resource has a resource provider that knows how to manage and configure the resource. Each resource provider offers operations for working with the resources that are deployed. Some common resource providers are Microsoft.Compute, which supplies the virtual machine resource, Microsoft.Storage, which supplies the storage account resource, and Microsoft.Web, which supplies resources related to web apps.

I had an issue with monitoring of VMs, and the issue was resolved by registering the provider responsible for the monitoring tasks (microsoft.insights).


The key point is that if you want to register new providers, you have to do it at the subscription level.

Click on Subscriptions and then on your subscription.


Select Resource providers, find the resource provider you would like to register and click Register.

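The same check and registration from PowerShell, as an added example that is not from the original post. It looks up the provider the post mentions (microsoft.insights), registers it only if it is not already registered, waits for the asynchronous registration to finish, and then lists every provider that is still unregistered in the subscription. It assumes the AzureRM module is loaded and Login-AzureRmAccount has been run with an account that may register providers (Contributor or Owner on the subscription).

```powershell
# Added example (not from the original post). Assumes AzureRM is loaded and
# Login-AzureRmAccount has been run; registration is subscription-wide and
# needs a role that allows */register/action (Contributor or Owner).

$namespace = 'Microsoft.Insights'   # provider namespaces are case-insensitive

# Get-AzureRmResourceProvider returns one entry per resource type of the
# provider; they all carry the same RegistrationState, so the first is enough.
$state = (Get-AzureRmResourceProvider -ProviderNamespace $namespace |
          Select-Object -First 1).RegistrationState

if ($state -eq 'Registered') {
    Write-Output "$namespace is already registered"
}
else {
    Write-Output "$namespace is $state; registering..."
    Register-AzureRmResourceProvider -ProviderNamespace $namespace | Out-Null

    # Registration is asynchronous; poll until it leaves the Registering state.
    do {
        Start-Sleep -Seconds 10
        $state = (Get-AzureRmResourceProvider -ProviderNamespace $namespace |
                  Select-Object -First 1).RegistrationState
        Write-Output "  state: $state"
    } while ($state -eq 'Registering')
}

# Audit view: every provider that is not registered. A deployment that needs
# one of these resource types fails in this subscription until it is registered.
Get-AzureRmResourceProvider -ListAvailable |
    Where-Object { $_.RegistrationState -ne 'Registered' } |
    Select-Object ProviderNamespace, RegistrationState |
    Sort-Object ProviderNamespace
```

Registering a provider does not create anything by itself; it only lets the subscription use that provider's resource types, so the audit list is a cheap way to see what a new subscription cannot deploy yet.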

RESOURCE GROUP ACCESS CONTROL (IAM)

Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can grant only the amount of access that users need to perform their jobs. Within each subscription, you can grant up to 2000 role assignments. In the portal, each assignment is shown as scoped to "This resource" or as "Inherited" from another scope: access is either assigned specifically to the resource group or inherited from an assignment to the parent subscription.
Classic subscription admins and co-admins are considered owners of the subscription in the new RBAC model.

You grant access from within the resource, resource group, or subscription that is the scope of the role assignment. Click on the RG –> Access control (IAM) –> Add.


Select the role that you wish to assign from the Select a role list, choose who the access is assigned to, and add the users or groups.

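The same assignment done from PowerShell, as an added example that is not from the original post. It grants one user the built-in Reader role at resource-group scope, then lists every assignment that is effective on that group and marks each one as made on this resource or inherited, which is the split the portal shows; finally it counts assignments against the 2000-per-subscription limit. It assumes AzureRM is loaded, Login-AzureRmAccount has been run, and the resource group name and user principal name below, which are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes AzureRM is loaded and
# Login-AzureRmAccount has been run; $rgName and $upn are constructed placeholders.

$rgName = 'rg-webapp-prod'
$upn    = 'operator@example.com'

# Pick the least-privileged built-in role that covers the job: Reader for
# auditing and troubleshooting, Contributor only if the person must deploy.
# Owner also lets the holder change access, so keep it for administrators.
New-AzureRmRoleAssignment -SignInName $upn `
                          -RoleDefinitionName 'Reader' `
                          -ResourceGroupName $rgName

# Assignments effective on the group. The Scope property tells where each was
# made; anything scoped above the group is inherited and cannot be removed
# from the group's own Access control blade.
$rgScope = (Get-AzureRmResourceGroup -Name $rgName).ResourceId

Get-AzureRmRoleAssignment -ResourceGroupName $rgName |
    Select-Object DisplayName, SignInName, RoleDefinitionName,
        @{ Name = 'Source'; Expression = {
            if ($_.Scope -eq $rgScope) { 'This resource' } else { "Inherited ($($_.Scope))" } } } |
    Sort-Object Source, RoleDefinitionName |
    Format-Table -AutoSize

# Subscription-wide count against the 2000 assignment limit mentioned above.
$total = @(Get-AzureRmRoleAssignment).Count
Write-Output "Role assignments in subscription: $total of 2000"
```

Reviewing the inherited entries is the useful part: a Contributor granted at subscription level shows up on every resource group, and removing it requires going to the subscription's Access control blade, not the group's.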

TAGS

The Azure Resource Manager model allows you to logically organize resources within a subscription.

Tags enable you to categorize your resources in different ways, for example by purpose, owner, or environment. Each tag consists of a key and an optional value, both of which you define. For example, you could define a set of tags for your virtual machine instances that helps you track each instance's owner and stack level. You can search and filter resources based on the tags you add. There is even a browse-by-tag feature in Azure.

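Tagging from PowerShell, as an added example that is not from the original post. It ties the resource-group creation shown earlier to this section: it creates a group with owner and environment tags, adds a tag to the existing set (the tag set on a group is replaced as a whole, not merged, so the current tags are read first), and then finds groups and resources by tag. It assumes AzureRM 6.x or later (the -TagName/-TagValue parameters on Get-AzureRmResource arrived there; older releases used Find-AzureRmResource), that Login-AzureRmAccount has been run, and that the names, e-mail address and tag values below are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes AzureRM 6.x+ is loaded and
# Login-AzureRmAccount has been run; every name and tag value is a constructed placeholder.

$rgName   = 'rg-webapp-prod'
$location = 'westeurope'

# Tags defined at creation time: owner and environment as in the post, plus a cost centre.
$tags = @{
    Owner       = 'nedim@example.com'
    Environment = 'Production'
    CostCenter  = '1234'
}

New-AzureRmResourceGroup -Name $rgName -Location $location -Tag $tags

# Set-AzureRmResourceGroup replaces the whole tag set, so read the current
# tags, add to them and write the merged set back.
$current = (Get-AzureRmResourceGroup -Name $rgName).Tags
if ($null -eq $current) { $current = @{} }
$current['Lifecycle'] = 'Shared'   # everything in this group deploys and retires together
Set-AzureRmResourceGroup -Name $rgName -Tag $current

# Every resource group owned by one person. Group tags are not inherited by the
# resources inside, so resources must be tagged separately (Set-AzureRmResource).
Get-AzureRmResourceGroup |
    Where-Object { $_.Tags -and $_.Tags['Owner'] -eq 'nedim@example.com' } |
    Select-Object ResourceGroupName, Location

# Resources (not groups) carrying a given tag, across the subscription.
Get-AzureRmResource -TagName 'Environment' -TagValue 'Production' |
    Select-Object Name, ResourceType, ResourceGroupName

# Resources in the group that carry no Owner tag at all; a good candidate for
# a policy check, covered further down in this post.
Get-AzureRmResource -ResourceGroupName $rgName |
    Where-Object { -not ($_.Tags -and $_.Tags.ContainsKey('Owner')) } |
    Select-Object Name, ResourceType
```

The last query is the one worth scheduling: untagged resources are the ones nobody can attribute when a bill or an incident comes in.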

LOCKS

As an administrator, you may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.

You can set the lock level to CanNotDelete or ReadOnly (in the portal, the locks are called Delete and Read-only respectively).

  • CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
  • ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

How locks are applied

When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.
Unlike role-based access control, management locks apply a restriction across all users and roles.

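The lock behaviour described above, as an added example that is not from the original post. It puts a CanNotDelete lock on a resource group, then queries the locks effective on one resource inside the group to show that the group-level lock is reported there as well, which is the inheritance the section describes. It assumes AzureRM 6.x or later is loaded, Login-AzureRmAccount has been run, the group already contains a storage account, and the names below are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes AzureRM 6.x+ is loaded,
# Login-AzureRmAccount has been run and the group holds at least one storage
# account; $rgName and $lockName are constructed placeholders.

$rgName   = 'rg-webapp-prod'
$lockName = 'no-delete-prod'

# Group-level lock. Creating or removing locks needs
# Microsoft.Authorization/locks/* (Owner or User Access Administrator);
# a Contributor can neither add nor remove it, which is the point of a lock.
New-AzureRmResourceLock -LockName $lockName `
                        -LockLevel CanNotDelete `
                        -ResourceGroupName $rgName `
                        -LockNotes 'Production group; remove the lock before decommissioning' `
                        -Force

# Locks defined directly on the group.
Get-AzureRmResourceLock -ResourceGroupName $rgName |
    Select-Object Name, @{ Name = 'Level'; Expression = { $_.Properties.level } }, ResourceId

# Locks effective on a child resource: the query returns the group lock too,
# even though nothing was set on the storage account itself.
$sa = Get-AzureRmResource -ResourceGroupName $rgName `
                          -ResourceType 'Microsoft.Storage/storageAccounts' |
      Select-Object -First 1

Get-AzureRmResourceLock -ResourceName $sa.Name `
                        -ResourceType $sa.ResourceType `
                        -ResourceGroupName $rgName |
    Select-Object Name, @{ Name = 'Level'; Expression = { $_.Properties.level } }, ResourceId

# With the lock in place, Remove-AzureRmResource on $sa (or on the group) is
# refused for every caller, Owner included, until the lock is removed:
# Remove-AzureRmResourceLock -LockName $lockName -ResourceGroupName $rgName -Force
```

Because a ReadOnly lock also blocks updates, apply it with care on groups whose resources are changed by automation (scale sets, storage keys rotated by a pipeline); CanNotDelete is usually the right level for production groups.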

POLICIES

Azure Policy is a service in Azure that you use to create, assign, and manage policy definitions. Policy definitions enforce different rules and actions over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy runs an evaluation of your resources, scanning for those not compliant with the policy definitions you have. For example, you can have a policy that allows only certain types of virtual machines. Another requires that all resources have a particular tag. These policies are then evaluated when creating and updating resources.

POLICY DEFINITION –> Every policy definition has conditions under which it is enforced, and an accompanying action that takes place if the conditions are met. Azure ships with a number of built-in policy definitions.


POLICY ASSIGNMENT –> A policy assignment is a policy definition that has been assigned to take place within a specific scope. This scope could range from a management group to a resource group. The term scope refers to all the resource groups, subscriptions, or management groups that the policy definition is assigned to. Policy assignments are inherited by all child resources. So, if a policy is applied to a resource group, it is applied to all the resources in that resource group. However, you can exclude a subscope from the policy assignment. For example, at the subscription scope, you can assign a policy that prevents the creation of networking resources. However, you exclude one resource group within the subscription that is intended for networking infrastructure. You grant access to this networking resource group to users that you trust with creating networking resources.

INITIATIVE DEFINITIONS –> An initiative definition is a collection of policy definitions that are tailored towards achieving a single overarching goal. Initiative definitions simplify managing and assigning policy definitions by grouping a set of policies as one single item. For example, you could create an initiative titled Enable Monitoring in Azure Security Center, with the goal of monitoring all the available security recommendations in your Azure Security Center.

INITIATIVE ASSIGNMENT –> Like a policy assignment, an initiative assignment is an initiative definition assigned to a specific scope. Initiative assignments reduce the need to make separate initiative definitions for each scope. This scope could also range from a management group to a resource group. From the preceding example, the Enable Monitoring in Azure Security Center initiative can be assigned to different scopes: one assignment to subscriptionA, another to subscriptionB.
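A policy definition and assignment built from PowerShell, as an added example that is not from the original post. It implements the "all resources must have a particular tag" case mentioned above: a custom definition that denies any create or update of a resource without an Owner tag, assigned at resource-group scope with one sub-scope excluded (the same idea as the networking-group exclusion described in the policy-assignment paragraph), followed by a compliance query for resources that already exist and violate the rule. It assumes AzureRM is loaded (AzureRM.PolicyInsights for the last step), Login-AzureRmAccount has been run with rights to write policy at the group, and that the group, storage account and assignment names below are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes AzureRM (with
# AzureRM.PolicyInsights) is loaded and Login-AzureRmAccount has been run;
# $rgName, the storage account name and the assignment names are constructed.

$subscriptionId = (Get-AzureRmContext).Subscription.Id
$rgName         = 'rg-webapp-prod'
$rgScope        = "/subscriptions/$subscriptionId/resourceGroups/$rgName"

# Policy rule: if the Owner tag does not exist on the resource, deny the request.
$rule = @'
{
  "if": {
    "field": "tags['Owner']",
    "exists": "false"
  },
  "then": {
    "effect": "deny"
  }
}
'@

# The definition is the rule plus metadata; it enforces nothing until assigned.
$definition = New-AzureRmPolicyDefinition -Name 'require-owner-tag' `
    -DisplayName 'Require an Owner tag on every resource' `
    -Description 'Denies creation or update of resources that carry no Owner tag' `
    -Policy $rule

# Assign at the group. -NotScope carves out a child scope from the assignment,
# here a single legacy storage account that cannot be re-tagged yet.
$exempt = "$rgScope/providers/Microsoft.Storage/storageAccounts/legacystorage01"

New-AzureRmPolicyAssignment -Name 'require-owner-tag-prod' `
    -DisplayName 'Require Owner tag (prod)' `
    -PolicyDefinition $definition `
    -Scope $rgScope `
    -NotScope $exempt

# A deny effect only stops new writes; resources that already exist without
# the tag are reported as non-compliant instead. Evaluation runs on a schedule,
# so this list can lag for a while after the assignment is created.
Get-AzureRmPolicyState -ResourceGroupName $rgName `
                       -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, PolicyAssignmentName
```

Starting with an audit effect instead of deny, and switching to deny once the non-compliant list is empty, avoids breaking existing deployment pipelines that do not yet set the tag.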

We will cover monitoring and alerts in future posts. In the next post we will move from Resource Groups to Storage accounts.

Thanks for reading!

Cheers,

Nedim