more Subscriptions = longer it takes to view combined cost analysis. We can't view costs at MGMT group scope, only Sub scope.
@nettitude365 a month ago
Tremendous work as always, thank you for keeping this on your priority list, so many depend on your outstanding work!
@ArnaudLandry a month ago
Thanks guys!
@MrMattyB27 a month ago
Thank you for posting this video so quickly! 👍
@charlesderber 2 months ago
Good Q/A, great work community!!
@GoWanderJP 2 months ago
Awesome input from both John and Stu and I really look forward to co-pilot using AVM and the autocomplete in visual studio code for both bicep and terraform for AVM.
@nettitude365 2 months ago
Absolutely enjoyed the valuable and vibrant exchanges! Love the work!
@yeaharh 3 months ago
Great video for Ops Nazis - doesn't address the central concept of how to handle "application environments" despite the enthusiastic belief of the presenters.
@matzeli1 3 months ago
What happened to the terraform caf modules? Will this merge into AVM?
@packlimo 4 months ago
Hi, why isn't the documentation on the official Microsoft website? Such a great concept, if it doesn't flop after a couple of years.
@maxbashyrov5785 4 months ago
Yeah, like it was with PSarm...
@roelofsee 4 months ago
Great update!
@otesani 4 months ago
Fantastic WORK EVERYONE 🤩
@madhurshukla23jan 4 months ago
14/03/24 - still waiting for the demo video?
@MicrosoftCAE 4 months ago
These are very much on our list to do, but we have just released some self-service labs for both Bicep & Terraform, so check these out in the meantime: azure.github.io/Azure-Verified-Modules/resources/#-labs
@neunzehn70 4 months ago
Great content, thanks for your outstanding work delivering this to the community. It helps me a lot in my job.
@ReidCurryDev 4 months ago
First
@robinappleton-power7270 4 months ago
Very informative video on subscriptions. Just one thing: when you say 'overlapping IP assignments within an address space...', could you clarify what you mean by 'IP assignments'? I understand we can't have overlapping IP addresses within a subnet, so I was wondering what you meant by overlapping IP assignments.
@bisikuku8376 5 months ago
Not particularly sure why the Azcaf project was just not furthered and supported. It was a great project.
@RodrigTech 5 months ago
Think this would be awesome; I spend considerable time validating and tracking modules.
@f2f4ff6f8f0 5 months ago
Demo?
@gultekinbutun7910 5 months ago
No demos, just talk, super disappointed.
@MicrosoftCAE 5 months ago
We have a video for this planned. Stay tuned!
@charlesderber 6 months ago
Great initiative!!
@ali99117 9 months ago
I know it is an old video, but Kevin and Matt don't seem to be on the same page. At 5:30 (kzfaq.info/get/bejne/bqtzltmF3dHWenU.html), Kevin recommends App A have all three stages under Corp. But at 10:15 (kzfaq.info/get/bejne/bqtzltmF3dHWenU.html) Matt recommends not exactly that. What am I missing here?
@mycoolgamertag 3 months ago
I believe the difference is the additional management group level that is crossed out in the section discussed by Matt. The dev, test, and prod subscriptions can be under Corp, but they can't be under dev, test, and prod management groups under the Corp management group. This discussion is about management groups, not subscriptions. Kevin's did not have the dev, test, and prod management groups.
@JasonPavlas 10 months ago
Amazing! I need to learn more about how to democratize the platform, but this video was an excellent start. Studying for the AZ-305 has me wondering if I have just been going rogue with some migrations. Love the content and can't wait to check out the rest of your stuff!
@bangash830 11 months ago
Great discussion. If an Azure Kubernetes Service (AKS) cluster is operational within a subscription that necessitates on-premises connectivity via ExpressRoute, while simultaneously utilizing a public Load Balancer (LB) to make an application accessible over the internet, the question arises as to whether this subscription will fall under the Corporate (Corp) management group or the Online management group?
@MicrosoftCAE 11 months ago
Thanks @bangash830. If it requires private corp connectivity it would be Corp. We recently documented this a bit more here: learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/network-topology-and-connectivity#design-area-overview. Corp only applies policies to prevent public IPs from being attached to NICs, which means App GWs etc. can all still exist in Corp, if required.
@bangash830 11 months ago
@@MicrosoftCAE Thank you for your reply, and yes, the recent document regarding network topology and connectivity is much clearer.
@waynehoggett a year ago
Great video and guidance as always, Jack!
@tharagz08 a year ago
If an enterprise is to adopt the Cloud Adoption Framework using Terraform and landing zones, should the root management group and high-level management groups (and other near-root-level resources) be made manually to follow security best practices, or are there ways of defining those via code securely? If so, does documentation exist on best practices for how to do that securely? Or is it typical for organizations to just make those high-level resources manually and then IaC the other downstream resources? Struggling on a recommendation on where IaC starts to become "everything as code". When using the portal accelerator and following the enterprise-scale model, it's obviously going to require fairly beefy permissions, but that's a one-time deployment, and an organization can then utilize IaC to do the rest from within the subscriptions, or utilize RBAC at the Landing Zone management group to further scope permissions out.
@MicrosoftCAE a year ago
Hey Mike, please raise an issue over on our terraform repo and we can take the conversation further there: github.com/Azure/terraform-azurerm-caf-enterprise-scale
@rucas79 a year ago
Looking forward to seeing the updates to the TF module. Currently using a custom template to provide the flexibility. Great update and lots of new useful information and features :)
@macro8681 a year ago
Same here. We would be using the whole thing if not for the lack of MG flexibility. Without that, we're stuck borrowing and modifying what code we can and writing the rest from scratch.
@duraidh7299 a year ago
Ivory tower discussion. All the points mentioned are pro multiple subscriptions and nothing to the contrary. We are a 50-person organization with an IT team of 5 people. Why should we create a management group hierarchy and multiple subscriptions and increase the complexity from the get-go?
@MicrosoftCAE a year ago
Hey Duraid, thanks for the feedback. I think the point of ALZ is to set you up for long-term success and growth. We know that migrating resources out of single-subscription environments can be painful, depending on the services you have within it. Also, having a single-subscription approach can cause:
- Running into resource/quota limits faster, and when you do, you don't have a scalable way to handle this.
- Apps can be impacted by noisy neighbours using quota they may need, etc.
- Complex RBAC assignments - hard to give a higher level of control to app/workload teams in a shared single-subscription model.
- Larger blast radius should a single subscription become compromised.
Management groups help you enable, operate and govern a multi-subscription environment at scale. Hope that helps.
@duraidh7299 a year ago
@@MicrosoftCAE Thanks for the response. The advantages were mentioned in the video. Thanks for reiterating them. None of the trade-offs were mentioned, however, which is an unbalanced design decision. So now we build skyscrapers for everybody even if they need a couple of rooms, just in case they need them in the future?
@tharagz08 a year ago
@@duraidh7299 I think CAE's response was valid, and I'll ask. How does having multiple subscriptions increase complexity? If anything, it allows you to reduce complexity as your company's cloud adoption goes. As architects, we should design environments that scale well. As outlined in the video, a single subscription can run into very painful scalability issues. A multi-subscription environment on the other hand might avoid those. If the complexity is not large (and there is no additional cost involved), why not create the more scalable solution? One final question that I'll ask that probably could have summarized my entire response. What about multiple subscriptions do you find more complex than a single subscription? The requirement for additional VNet Peering perhaps?
@duraidh7299 a year ago
@@tharagz08 Complexity
@Architekt909 a year ago
Great video, but as someone getting started with the "proper" way to structure my Azure layout, one thing I'd like to see clarified is what exactly is meant by "corp" vs. "online"? What would go in a Corp management group vs. Online? Is Corp meant just for internal applications that should never be customer facing? And therefore is "online" meant to be your actual deployed products that are released into the world for customers to use? I haven't found in any of the documentation what exactly the differences are, besides a very complex all-encompassing enterprise-level diagram of how to 100% lay out an organization from scratch. Thanks!
@MicrosoftCAE a year ago
Hey, thanks! The TLDR on Corp & Online is as follows:
Corp == Corporate-connected applications that require hybrid connectivity back to on-premises or other VNet spokes via traditional Layer 3 routing (think VNet Peering to a Hub etc.).
Online == Workloads that don't need traditional Layer 3 routing to on-premises or other VNet spokes. And if they do require connectivity to them, they would either interact via each application's API exposure "publicly" (over the MSFT backbone if all in Azure) or use a service like Private Link to connect to each other without the need for VNet Peering.
We are actually creating a document in CAF for just this topic, in terms of how Corp & Online networking should be done in more detail and some common scenarios. Stay tuned.
@kienng4510 a year ago
At 36:09 we see all stages of Corp App 1 and Corp App 2 under the same management group with no additional layer in between. Is this best practice? How about adding a Corp App 1 MG and a Corp App 2 MG and placing the stages there? Otherwise you could end up with dozens of subscriptions under Corp.
@MicrosoftCAE a year ago
Hey, yes, this is indeed best practice. We only advise creating additional Management Groups if they have different governance requirements. Check out the guidance we have on Tailoring ALZ (aka.ms/alz/tailoring).
@evolagenda a year ago
Would be nice to see something on how you govern the change of policy. If you have multiple subs for multiple envs under a single branch of the hierarchy, a single change to policy with unintended consequences has a larger blast radius. I wonder if having a management group for policy changes would be beneficial, where it mirrors "online" or "corp" but you can move a subscription like dev into it, to test that the policy is the expected change for a trial period before moving it back and applying the policy for real.
@tharagz08 a year ago
Azure Policy can be applied at the Management Group, Subscription, Resource Group or individual resource level. If you apply a policy at a higher level, it gets inherited down. If there is a more restrictive policy it will always win, regardless of the level it has been applied at. Meaning, it does not matter if the policy is applied at the management group or individual resource level; the deny will win for the resources the policy is assigned to. If policies are not conflicting, they will be complementary. In your example, if I felt I was going to apply a more restrictive policy, I would consider applying it at a lower level for testing. Also, we should strive to have production and non-production versions of our applications, so ideally we would be able to apply the more restrictive policy to the non-production side first, test and validate, then roll into production once we felt comfortable. As mentioned in the video, you can deploy Policy in Audit mode, so following the above feedback with this, you should be able to accomplish what you are asking: learn.microsoft.com/en-us/azure/governance/policy/concepts/effects
@evolagenda a year ago
@@tharagz08 Audit mode with some validation process makes the most sense. Your example works, but I was specific about testing policy applied at the root, or more specifically the corporation sub-root, which is intended to be inherited by all, like a NIST change or something.
@tharagz08 a year ago
@@evolagenda I think audit mode would make the most sense in that scenario then.
@evolagenda a year ago
Good idea for content
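As an added illustration of the two points made in this thread (the Corp rule that stops public IPs being attached to NICs, and trialling a policy change before enforcing it), here is a Bicep template that is not code from the video or the ALZ repositories. It defines that NIC rule as a custom policy and assigns it at the management group the template is deployed to, with the assignment in DoNotEnforce mode so a subscription moved under that group is only reported on, not blocked, until the parameter is flipped to Default. The definition name, assignment name and the target management group are all assumptions.

```bicep
// Deployed at management-group scope (assumed target: the Corp MG), e.g.
//   az deployment mg create --management-group-id <corp-mg-id> --location <region> --template-file main.bicep
targetScope = 'managementGroup'

// 'DoNotEnforce' = trial run: compliance is evaluated and reported, nothing is denied.
// Switch to 'Default' once the audit results look right.
@allowed([
  'Default'
  'DoNotEnforce'
])
param enforcementMode string = 'DoNotEnforce'

// Custom definition (assumed name): matches any network interface whose
// IP configuration references a public IP address.
resource denyNicPublicIp 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-nic-public-ip'
  properties: {
    policyType: 'Custom'
    mode: 'All'
    displayName: 'Corp: network interfaces should not have public IPs'
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Network/networkInterfaces'
          }
          {
            field: 'Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id'
            exists: 'true'
          }
        ]
      }
      then: {
        effect: 'Deny'
      }
    }
  }
}

// Assignment at the management group this template is deployed to. Policy is inherited by
// every subscription beneath it, so a dev subscription moved in sees it immediately.
resource assignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-nic-public-ip-corp'
  properties: {
    policyDefinitionId: denyNicPublicIp.id
    enforcementMode: enforcementMode
  }
}
```

Compliance results for the trial appear in the Policy blade for the moved-in subscription; redeploy with `enforcementMode=Default` once they look right.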
@AustinHoldsworth a year ago
Thanks for the videos guys. I've just shared this with my client as they're at a critical juncture with their journey. Hopefully, this will help them design a subscription model which is aligned with the organisation's operating model and industry regulations.
@retok.511 a year ago
Good videos, I like it! Would love to see a discussion about Platform subscriptions.
@SRizvi-pl5wg a year ago
@Jack Tracey, why would the Cloud Networking Team object to different subscriptions? What about a secure hub-spoke landing zone with different subscriptions? Any idea? Great knowledge base info. Please keep coming with videos with your advice about what to use and not use as well.
@JinKang23 a year ago
Is there a set time/date for the community call? How can someone join the call? Thanks!
@Keyes117 a year ago
Hey Jin, I think there are a couple pointers in the Video's Metadata above :)
@MatthewSelkirkKey a year ago
Great discussion, really insightful, helpful and useful. Having tried the prod/test/dev MGs under a Corp/Online hierarchy, I would love to hear more about why "it just doesn't scale" @10:25; some tales from the field would be awesome to hear. Policy can be a very tricky discussion to have with customers for sure! Cheers and thanks for the videos.
@MicrosoftCAE a year ago
Thanks Matt. Stay tuned we have another video planned for just this.
@MatthewSelkirkKey a year ago
@@MicrosoftCAE awesome, that would be amazing, looking forward to it 😎
@lisa3399 a year ago
Would be really great with some practical examples of the scaling issues. We are about to decide on MG structure and tend to go for MGs on prod and dev.
@reecemcdowell 2 years ago
Good video, the linked FAQs are really handy!
@damiancdavis 2 years ago
Dream team at work!
@valleydoofer 2 years ago
Loving the content chaps!
@vasudev8799 2 years ago
Good informative stuff. Let's have the next deep-dive sessions.
@adamtuckwell1383 2 years ago
Awesome vid, great content and key areas covered in 15 mins. Good work.
@3rdeye1983 2 years ago
Good stuff, gents.
@IlkinJamalli 2 years ago
Thanks for the video. Would be great to make an end-to-end "demo" of, say, a Contoso cloud deployment using IaC after this one.
@kevinr81 2 years ago
Funny you should ask, as we're currently working on recording some episodes for the Azure Enablement Show which will include demos using our Bicep and Terraform implementations. I'll try to remember to post links here once they go live!