Azure Migrate- #9 - CAF-Blueprints

Captions
I'm Dean Cefola, and this is the Azure Academy. Thanks for joining us at the Azure Academy today. We're going to be covering a very cool topic today: this is going to be blueprints, but there's a special twist today. So if you haven't done so already, please click on the subscribe button; it lets YouTube know that you're interested in our content. And give us some comments below on either questions you have or new topics that you'd be interested in. We'd love to make those videos for you.

So there's two new blueprint samples that have been released in the Azure portal, which we'll be looking at: one for the Cloud Adoption Framework foundation and another one for the Cloud Adoption Framework migration landing zones. So let's take a look real quickly at our docs. In our documentation, if we go to the Architecture Center, over here on the bottom we have the Cloud Adoption Framework, and I'll click on the intro here. So this is the basic overview of the framework: we define our strategy for what we want in the cloud, we plan to make that happen, we get ourselves ready, building our migration landing zone as well as our foundation, and then we move into the cloud. We perform that migration, we adopt, we innovate, and we're built this way so that we can have our environment properly governed and managed. That's the framework as a whole, and we will be going into how we're going to deal with this framework as part of our blueprint session today.

So in the Azure portal there's quite a few things that we need to cover here. We're going to go over to the Azure Policy section, and in here we'll find Blueprints, and we'll go to create a new blueprint. When we do, we see that we have two new blueprints on our list, and that is the CAF Foundation and the CAF Migration landing zone. And this is one of the coolest things about working inside Microsoft, and in the FastTrack team in particular that I'm on, is that we work very closely with the product group, and so I was able to see that these things
were repeatable processes that I've done over and over with customers, and thought, why not create this in a blueprint? So when blueprints as code became available, I then started to work on this, and then other folks in FastTrack were working with folks from the Cloud Adoption Framework team, and we thought, how can we put these two ideas together? And here we are: now we've got two blueprints that speak to the Cloud Adoption Framework. So this is very awesome, and we're gonna be deploying both of these today. We're going to recommend that, even though you could use these separately from each other, the best practice here is to use the foundation first and then build the migration landing zone on top of it.

So now the first question is, what exactly is in each of these blueprints? Well, let me show you a quick graphic. Our foundation blueprint will be deployed at our Azure subscription level, and in there we'll be deploying four resource groups. Three of these, as you can see here, are placeholders, and these shared services will have the resources deployed in it, setting up monitoring. So in there we'll have a Log Analytics workspace as well as an Azure storage account and a Key Vault, and all of these resource groups will be locked. Additionally, we have Security Center over in the top right corner, and this is Security Center Standard, which is a good best practice and needed for some higher-level governance features. On top of that, we'll be deploying some Azure policies and an initiative. Inside our policies we're using several of them here, and those will be the ones to allow specific locations for our resources and resource groups, also for the particular VM SKUs and storage account SKUs that we want to permit in our environment. We'll be enforcing the deployment of Network Watcher, which is a piece of Azure Monitor, as well as enabling secure transfer for our storage accounts. And then we'll also have a policy here to deny certain resource types, and that way we can block resources
that we don't want in our environments. Then finally, we'll be using a cost tag through policies. When you deploy this, the resource groups themselves will have a cost tag, as well as all the resources in them today and in the future will be appended with the same cost tag. And then besides that we have an initiative, and this initiative is for enabling monitoring throughout your Security Center. So there are several different policies that are a part of this; in fact, there's almost a hundred of them, and they're all part of that built-in initiative.

Once that is deployed, for those of you going on to a migration workload, we have the migration blueprint. Now we're gonna layer this on top of our existing environment, as I said earlier, so we'll be reusing our shared services resource group and network resource group. We'll also be deploying a new Azure Migrate resource group, and of course we'll be locking all of these groups. And then we're deploying a virtual network that's already pre-configured with certain recommended subnets and network security groups, and on top of that Azure Migrate, which is already pre-staged with all of these server and database migration tools that you will be needing.

All right, so with that, let's start deploying. So we'll open the CAF Foundation first, and then we need to give this blueprint a name, and then you can change the description if you like. And then we need to set a location to store it, which I'll choose my management group. We'll hit Select, and then we hit Next for the artifacts, and here are all those artifacts that we saw in that animation. So we'll hit Save Draft on that, and then we'll create another blueprint, and that'll be our CAF Migration landing zone. We'll give that a name, and we'll store that in our management group as well, and then hit Next for the artifacts. We'll hit Save Draft, and now we need to publish these. So we'll give them version 1.0, OK, so some kind of note telling us the purpose of this blueprint, the time stamp, and whoever it is that
published this, and then we'll hit Publish. And then we'll repeat that for the other blueprint, and we'll publish that as well.

So now we're ready to do the deployment. So we're gonna need a few things, the first of which I'll show you is in our documentation. We'll go under Products, and Management and Governance, and down here we have Blueprints, and under the samples we have here the CAF Foundation and CAF Migration landing zone. So we'll go to the foundation overview, and this is where you can see everything again that is inside the blueprint, so all the resources and things that we'll be deploying. And then we have Next here for the deployment steps. In the deployment steps we'll scroll down a bit here to this artifact table, and this tells you what it is that you'll be needing and what each of these things mean, and of course we'll be going over this as we deploy it.

So let's deploy our foundation. So we'll hit our ellipsis and go to Assign Blueprint. So I'm gonna choose this particular subscription. I want my managed system ID to be stored in the East US, 'cause that's where I do my stuff. And then my version: I've only got one version in this case, but again you could deploy multiple different versions here if you want to. And then we come to the blueprint parameters. The organization name: now this must be unique, because we're going to take this name and concatenate it with some of our resource groups and resources. OK, so my organization will be MS Dean's 0 1. So now we need to choose where we're going to deploy our Azure resources; I'm going to deploy mine to the East US. So our next item here is which Azure regions will you allow resources to be built in. So this is a filtered list, and you can see all of our Azure regions are listed here. You could just type something like "us" and then it'll show you all of the regions that have "us" in the name, so that does bring in also Australia. So I will just choose the United States regions. Now these are going to be the only regions that resources
will be allowed to deploy into in this subscription, not just this blueprint. This is an Azure policy that says if you don't deploy into these selected regions, you don't get to deploy. OK, so we're bringing in those ideas from the framework: how do we govern our environment, how do we set it up to be managed correctly? And one of those ways is by implementing location restrictions.

Now our next policy here is which storage account SKU types do we want to allow. Now this is important and a way of helping to control your cost, talking about the framework again: how you want to move into the cloud and how you're going to use the cloud-native tools to help control your spend. So I'm going to allow Standard LRS, I'm also gonna allow ZRS, which is zone redundant, and Premium, and that's just because of the strategy that we are implementing. You could have a different strategy where you didn't want to use Premium at all, you wanted to allow GRS, and that's totally fine.

The next one in controlling cost is virtual machine SKUs. So we want to control our spend. Now I've got three sizes selected here by default, but you do not have to go with these; you can choose any sizes you like, and this is a full list of every size. OK, so I'm just gonna leave it by default here, but again you could just check any boxes that you want in this list, and then those are the sizes you will be allowed to deploy, and you will not be able to deploy anything that does not fall within those selected sizes.

Now we have some stuff around our cost center tags. Now this is one of the most basic tags that should be used in Azure, is who is going to pay for this resource. OK, one of the easiest ways we can control that, as well as do our cost analysis, is with tagging. So deploying this will assign this cost tag to all of these resources and all of these resource groups. So I have a tag that I use that's called AAA - money, and so that'll be my tag that'll be applied to all of these resources, so I know who is accountable to
charge back or show back the cost.

As well as a policy to deny certain resource types. This policy must have something selected, and you will get an error in your deployment if you don't select something, because there are certain resource types that you don't want deployed in your environment, and even if you haven't thought about this until now, there definitely is, and I'll show you some of those here. So I've typed in the word "storage" here, and I'll scroll up to the top of the list, and you can see Microsoft.ClassicStorage. Everything that's deployed now should be Azure Resource Manager based, not Azure classic, so that at the very least is something I would suggest. Or maybe you don't want to use the Azure CDN services. So either way, whatever it is, select those resources here and then they will not be able to be deployed in your environment. So that's a good tip: it helps not only keep your spend down, it keeps control over the environment.

OK, so coming a little further down, we're gonna build a resource group here for shared services, and then inside that resource group we're going to be deploying an Azure Key Vault. Now in order to create a key vault, we have to assign permissions to this key vault so that we can access it. For this I've put in here in our description that we need an Azure Active Directory group or user object ID to grant, and this is the basic format for what that looks like. So if I go to Azure Active Directory and I go under Groups, I've got several different groups here and I can click on any one of them. In this case my security contributors group is the one I want, so I'll come in here and copy the object ID and then go back to my blueprint and paste.

Next, in our shared services resource group, we're gonna deploy a Log Analytics workspace. Now Log Analytics is not supported in every Azure region yet, so I've just included the regions where it is located at this point. So I'm gonna choose East US, and then we also can choose how long we want to
retain data inside Log Analytics. I put in here several different options up to a year; I'll just pick 90 days in this case. So not too many things to fill out here, and so once this is done we just have to click our Assign button.

All right, and our blueprint has deployed successfully. So if I go over to my resource groups, we have our placeholder resource groups here for our first application, identity services, and virtual network, as well as our shared services resource group for our Log Analytics workspace, storage account for data archiving, and our Azure Key Vault. And inside the Key Vault, if we go under Access policies, we can see that it is our security group contributors who has the permissions to access this vault. And if we go under Locks in this resource group, you can also see that we are locking each of these resources. Now we have also deployed Security Center Standard, which we can see under our Pricing and settings in the Security Center, and you can see that it is Standard here that has been applied. Now if we look back at the subscription level, from here we could also see the resource locks that have been added to this subscription as well as the Azure policies that have been assigned. OK, and these are all of the policies from our blueprint.

Let's test some of this out. So we'll go to our shared services resource group and we'll go to deploy a new VM, and we'll give it a name here, and we'll deploy to the North Central US, and then we'll change our size. Let's pick B1ms; that was not a size that we permitted. And then we'll fill in the rest of the information and we'll review, and we see we have a validation error. The validation error is this VM is disallowed by policy, and the policy is the Allowed virtual machine SKUs. OK, so we can see that that's all being enforced.

So now that we have our foundation set up, we're ready to start deploying our workload, which in this case was a migration workload. So for this we're gonna go back to our policies and to Blueprints
and our definitions, and now we're going to assign our migrate, and it's walking through the same basic process here. So we'll check the box for which subscription we want to deploy to and where we're going to store the managed ID, and this can be in a different region, so I'll just leave it in West US 2 to prove that point. The organization name we're gonna make the same as we did, MS Dean 0 1, and we'll make sure that we're deploying to the same region. That way our resource groups will already be existing, and our Key Vault and Log Analytics will be already existing as well, so we're not overwriting those resources, we're going to leverage them. We need our Azure Active Directory group object ID again for the Key Vault, and then our Log Analytics workspace was in the East US and we had selected 90 days.

And now we are also building a virtual network, so we need to tell Azure what address space this virtual network will be in. So our note here says that this is a virtual network IP address space, provide the first two octets, i.e. 10.0. We're going to build a /16 address space on top of this and break it down into multiple subnets that are following our best practices according to the Cloud Adoption Framework. We'll also be building some network security groups as part of that as well. So in this case I'm just going to leave it as 10.0. And then we have to choose for our next resource where are we going to deploy Azure Migrate. So for myself, because I am deploying to the East US, I will deploy as close to myself as possible, and that will be Central US. And we'll click Assign.

And our migration landing zone has now completed, and if you've built this on top of the foundation, then you can see that we've got just the original resource groups that we had, plus we've got a migrate resource group. Inside the VNet resource group we do have our virtual network built on whatever address space you chose, as well as two network security groups. So let's go into the network here. So there's our 10.0
address space, and then we've broken that down into several subnets, and we've attached our NSGs to the subnet for our jump box as well as our core, and this is where the migration proper will be landing. We're also building here the gateway subnet, which is necessary for creating the VPN or ExpressRoute connection, and also a subnet here for the Azure Firewall if you choose to use that in the future. We'll make an update here to also include Azure Bastion as an option. On the DNS settings, we have also left this as the default, meaning that Azure will control DNS. You will have to come in here and add the custom DNS IP addresses; I left those out of here so that I didn't put something in here that would confuse the issue. So just go ahead and put in your custom IP addresses there for DNS.

All right, so if we go back to our resource groups, we also had our Azure Migrate resource group, and it looks like nothing is here. This is because Azure Migrate is currently a hidden resource, so if you check the box here for Show hidden types, you can see the Azure Migrate project is located here. Now if we open up Azure Migrate and we go to Servers here on the left, and then we go to change our migration project, in our drop-down we will now have the particular migration project that has been built through our blueprint, and we hit OK. Right, and now you can see that we have already deployed the server assessment and server migration tools. And if you're unfamiliar with those and how to do that, I'll put a link here in the card so you can just go watch our videos on Azure Migrate server assessments and migrations. But we have also added under Databases a database assessment and migration tool.

So this means that you have now set up your environment according to the Microsoft Cloud Adoption Framework for Azure. So we have defined a strategy for how we're going to move into the cloud, and we built a plan, and those plans then were set up and implemented through our CAF foundation blueprint and then
our migration landing zone blueprints. So now our environment is properly set up to be governed and managed, and now we can begin our workloads, which is the migration phase of the project to move into Azure.

I hope you've enjoyed looking at the new Cloud Adoption Framework blueprints for the foundation and migration landing zones. Please do give us a comment below if you have used these, so that we know they have been useful to you, and if you have questions or comments for feedback on how we can improve them, please do give us those as well. We're definitely looking to improve this going forward. So if you haven't done so already, please click on that subscribe button, and don't forget to click on the notification bell while you're down there so that you can receive an email when our videos come out, which is roughly once a week. While you're at it, once you click that thumbs up button, then we know that you enjoyed this video, and we'll see you in the next one. Happy learning!
Info
Channel: Azure Academy
Views: 8,663
Keywords: Azure CAF, Azure Governance, Azure Cloud Adoption Framework, Azure Blueprint Samples, Migrate, Academy, Microsoft Azure Academy, azure blueprints, Cloud Adoption Framework, Automation, AzureAcademy, Security, azure blueprint examples, Microsoft Azure, migration landing zone, ARM, yt:cc=on, Azure Tutorial, azure blueprints tutorial, Azure, Azure training, Azure Academy, Azure Tips and Tricks, Template, Microsoft, ARM Templates, AzureGovernance, The Azure Academy
Id: rfPoMVXnBIk
Length: 18min 43sec (1123 seconds)
Published: Mon Aug 26 2019