Ask an expert: How to implement Azure governance best practices

Azure MVP Stephane Lapointe answers governance questions

Knowing you should have a governance strategy in place is one thing, but knowing how to implement it is another. Our Azure expert, Stephane Lapointe, answers your questions around enacting an Azure governance plan while keeping costs, security, and speed top of mind.

During Deploy, ShareGate’s virtual event on Azure governance, cloud solutions architect and Microsoft Azure MVP Stephane Lapointe (@s_lapointe) walked us through ShareGate’s journey into the cloud—both the successes and the “learning opportunities.”

There were a lot of questions from the audience for Stephane, and since we didn’t have time to answer them all during the event, we created this blog with Stephane’s help to make sure you have the information you’ll need to move forward with your governance plan.

ShareGate has helped IT professionals at companies such as Ikea, Fujitsu, and Siemens succeed with the Microsoft cloud. We hope that we answer some of your Azure governance questions here—but if you’re looking for more hands-on, immediate help, check out how ShareGate Overcast can make managing Azure even easier.

How long did it take for ShareGate to reach where it's at in terms of governance? 

For the past four years, we’ve been investing a considerable amount of time in Azure governance. After exploring and experimenting in the cloud for a few years, ShareGate migrated all remaining on-prem workloads to the cloud in 2016. At that point, with our resource use and costs exploding, we realized how essential governance is.

First, we wanted to tackle cost and visibility; once we felt we had that under control, we focused on improving our modern control approach. Even though we’ve done a lot of groundwork and we have a governance strategy and standards in place, there’s always more to do because ShareGate keeps evolving.

We feel like there is always something you can do to improve, especially because Azure offers new features regularly. Governance never really ends if you embrace a continuous improvement mindset.

How do you make sure new users know and practice your team’s standards in Azure?

As people get into the company and join teams, it’s important to repeat and reinforce where the info is a few times. Whether it’s in the intranet or the IT department, remind people. Frequently. 

In your reminders, explain exactly what they’ll find in your standards—such as your team's Azure naming and tagging conventions and other guidelines your team uses for operating in Azure.

If you combine that with Azure policies and RBAC, then I think you’ll find that people will respect and uphold your standards.  

Do you give developers or operations full access to all DTAP environments? How can you best apply segregation of duty?

We don’t usually give all developers access to all Development, Testing, Acceptance and Production (DTAP) environments. Instead, we ask the teams what makes the most sense for them. ShareGate is a pretty open company, but I know some organizations have a strict model where only one person is allowed access in production.

At ShareGate, every production environment is protected by Privileged Identity Management (PIM), which means that the people who have access to the production environment need to activate that access. They don’t have access every hour of every day. In some scenarios, this means they need to enter a ticket number or justification to be permitted entry.

In the development environment, we keep things much more flexible. Developers don’t need to activate PIM “eligible” roles; we just try to make sure that the right people are given active access.

Is there a way to automatically disable a subscription if you spend above a defined budget?

It is possible to disable a subscription with a REST API, but that is a very drastic way to handle things.

Disabling a subscription is like pulling the handbrake in your car: everything will stop right away. All the resource groups and resources within it—all the services you were using—will all stop immediately and without any real warning to the people working with resources in that subscription.

If you’re sure that’s what you want to do, you can do it.

Is it a good idea? I prefer to have triggers set so when we reach different levels of spending we’re alerted and then we can go talk to the person responsible for different resources or resource groups. But if you need an emergency brake, it can be done.

How do you make cost awareness of certain resources part of the design phase so that developers are aware of how their choices impact costs?

One good way to make your developers aware of resource costs is to make each team accountable for the costs of their solutions. Establish a budget and create best practice guidelines so your developers can follow them to optimize costs.

If you’re working on a particular project, asking developers or architects to provide a cost estimate helps a lot. The sooner you can do this in your development process, the better. That way, if you discover something will cost too much and needs to be changed for a different approach or service, you can make adjustments before you get to the implementation stage.

You can also include “cost estimation/discovery” as an acceptance criterion in feature planning stages to make sure that your team keeps costs in mind.

How do you determine the costs for a project upfront? The Azure calculator often asks detailed questions, but we usually don’t know what the resource usage will be right away.

Unfortunately, there is no magical solution here. You’ll need to try to figure out what those numbers will be.

When I’m in doubt, I prefer to overestimate the potential costs than underestimate them. I’ll put five times what I think might be the value in the calculator, so that we can get a kind of worst-case-scenario number.

That way, if I’m wrong, it's likely because we’re under the projected budget rather than over it.

It’s also important to make sure that you’re including all the environments you may be using in your estimate. Will you be doing development, testing, staging, and production? Will you be QA-ing resources? Forgetting an environment can have a huge impact on the accuracy of your budget.

In our experience shutting down resources (which is seen as a benefit to lower costs) can't be used on many PaaS components. Do you have any recommendations for saving costs on PaaS?

Usually you can’t shut down PaaS components. But often you can scale in by reducing the number of instances or scale down by reducing the size of the instances. So, let’s say for an app service, you’re running at three or more instances during the day, but maybe during the night you can bring that down to just one or two instances.

You could set this up by creating a schedule and automating it with scripts so that it doesn’t become a laborious manual task for your team. That way you can save money without having to shut any resources down.
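An added example, not Stephane’s or ShareGate’s script, of the day/night schedule described above: it decides the instance count from the time of day and only issues `az appservice plan update --number-of-workers` when the count actually changes. The plan name, resource group and the “3 by day, 1 at night, weekends count as night” schedule are assumptions.

```python
"""Scale an App Service plan in at night and back out by day (run from cron or Azure Automation)."""
import subprocess
from datetime import datetime

# Assumed schedule: 3 instances on weekdays 07:00-19:00, 1 instance otherwise (plan-local time).
SCHEDULE = {"day_start": 7, "day_end": 19, "day_instances": 3, "night_instances": 1}

def desired_instances(now, schedule=SCHEDULE):
    """Weekends count as 'night' so the plan stays scaled in across the weekend."""
    on_weekday = now.weekday() < 5
    in_day_window = schedule["day_start"] <= now.hour < schedule["day_end"]
    return schedule["day_instances"] if on_weekday and in_day_window else schedule["night_instances"]

def current_instances(plan, resource_group):
    """Read sku.capacity via `az appservice plan show` (a real Azure call, so not used in dry runs)."""
    out = subprocess.run(["az", "appservice", "plan", "show", "--name", plan, "--resource-group",
                          resource_group, "--query", "sku.capacity", "-o", "tsv"],
                         check=True, capture_output=True, text=True).stdout
    return int(out.strip())

def scale_plan(plan, resource_group, current, target, dry_run=True):
    """Return the az command when a change is needed (and run it unless dry_run), else None."""
    if current == target:
        return None  # idempotent: nothing to do, so no needless update call
    cmd = ["az", "appservice", "plan", "update", "--name", plan, "--resource-group", resource_group,
           "--number-of-workers", str(target)]
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd

if __name__ == "__main__":
    plan, rg = "asp-example", "rg-example"  # assumed names
    target = desired_instances(datetime.now())
    # Replace current=3 with current_instances(plan, rg) and set dry_run=False against a real plan.
    print(scale_plan(plan, rg, current=3, target=target))
```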

Do you have any real-world examples of how we can use Azure Resource Graph to improve governance?

I really love to use Azure Resource Graph (ARG) to test the impact of an Azure Policy before I write it out.

Let's say there’s a scenario we want to put in place; we want to restrict the VMs in a subscription from exceeding eight cores. It’s super easy to use ARG to write a query asking it for all the VMs with a SKU that goes beyond what you’re expecting.

You can include that kind of information in the criteria—and in a matter of seconds, you’ll know which resources are not compliant. And if you have an owner tag on the VMs, you'll know which people in your team can help solve the problem.

So, if you’re comfortable with the rule you want to roll out, instead of deploying a policy and waiting 30 minutes for it to be evaluated by the Azure Policy Engine, you can try it with ARG first and then translate it to an Azure policy.

So, in that way, ARG can provide you with a lot of visibility, which I find is crucial for governance.
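An added example (not Stephane’s or ShareGate’s code) of the eight-core check described above: the Resource Graph query to run with `az graph query`, the same size-name heuristic applied locally to constructed sample rows so you can see what the query returns, and the equivalent deny rule for Azure Policy. The `owner` tag name, the resource names and the allowed-SKU list are assumptions.

```python
"""Dry-run an 'at most 8 vCPUs per VM' rule with Resource Graph before writing the policy."""
import json
import re
# Run with:  az graph query -q "$ARG_QUERY"   (Azure CLI resource-graph extension)
ARG_QUERY = r"""
Resources
| where type =~ 'microsoft.compute/virtualmachines'
| extend vmSize = tostring(properties.hardwareProfile.vmSize)
| extend constrained = extract(@'^Standard_[A-Za-z]+\d+-(\d+)', 1, vmSize)
| extend vcpus = toint(iff(isnotempty(constrained), constrained,
                           extract(@'^Standard_[A-Za-z]+(\d+)', 1, vmSize)))
| where vcpus > 8
| project name, resourceGroup, subscriptionId, vmSize, vcpus, owner = tostring(tags['owner'])
"""
# Same heuristic as the query, read off the size name: Standard_D16s_v3 -> 16; a constrained-vCPU
# size such as Standard_E16-8s_v3 -> 8. Authoritative counts come from `az vm list-skus`.
_SKU = re.compile(r"^Standard_[A-Za-z]+(\d+)(?:-(\d+))?")

def vcpu_from_sku(vm_size):
    m = _SKU.match(vm_size)
    return int(m.group(2) or m.group(1)) if m else None

def oversized_vms(rows, max_vcpus=8):
    """rows: raw Resources rows (name, vmSize, tags). Returns the non-compliant ones with owner."""
    hits = []
    for r in rows:
        vcpus = vcpu_from_sku(r["vmSize"])
        if vcpus is not None and vcpus > max_vcpus:
            hits.append({**r, "vcpus": vcpus, "owner": r.get("tags", {}).get("owner")})
    return hits

def deny_policy_rule(allowed_skus):
    """Azure Policy rule with the same intent once you trust it: deny sizes outside an allow-list."""
    return {"if": {"allOf": [{"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                             {"field": "Microsoft.Compute/virtualMachines/sku.name",
                              "notIn": allowed_skus}]},
            "then": {"effect": "deny"}}

# Constructed sample rows standing in for query output (not real resources).
SAMPLE = [
    {"name": "vm-web-01", "resourceGroup": "rg-web", "vmSize": "Standard_D4s_v3", "tags": {"owner": "alice"}},
    {"name": "vm-build-01", "resourceGroup": "rg-ci", "vmSize": "Standard_D16s_v3", "tags": {"owner": "bob"}},
    {"name": "vm-gpu-01", "resourceGroup": "rg-ml", "vmSize": "Standard_NC24s_v3", "tags": {}},
    {"name": "vm-sql-01", "resourceGroup": "rg-data", "vmSize": "Standard_E16-8s_v3", "tags": {"owner": "carol"}},
]

if __name__ == "__main__":
    for vm in oversized_vms(SAMPLE):
        print(f"{vm['name']} {vm['vmSize']} ({vm['vcpus']} vCPU) owner={vm['owner'] or 'UNTAGGED'}")
    print(json.dumps(deny_policy_rule(["Standard_D4s_v3", "Standard_E16-8s_v3"]), indent=2))
```

An untagged hit (owner `None`) is itself a governance finding: it tells you the tagging standard was not followed on that VM.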

Is Azure Resource Graph only useful for large numbers of subscriptions? If not, how can it be useful for a smaller number?

For sure, if you have a large number of subscriptions, ARG is great. But even with a small number, you won’t find the kind of speed that it offers anywhere else.

If you have to query resource by resource, subscription by subscription at the command line or in the Azure portal to fetch out resources and do that kind of discovery yourself, that’ll take several seconds or several minutes for each resource. And that adds up.

Figuring out how to write the query language for ARG can take a while, but think of it as an investment in yourself. In the long run, it’ll save you time since it offers deeper querying capabilities and gives you results for queries in under one second.

Figuring out the right governance strategy for your organization isn’t always easy—unfortunately there’s no one-size-fits-all model. But by learning from other people’s experiences, both what worked for them and what didn’t, you can start to pick and choose what could work best for you.

If you’re looking for more insights into Azure governance, check out the on-demand session recordings from Deploy.
