My Azure Enterprise Scale cheat sheet. Not as a replacement for the documentation, purely to act as a quick reference.
- The CAF Ready phase
- Design Guidelines
- Landing Zone Arch
- Landing Zone Implement
- Enterprise scale in a box
- Enterprise scale sample diagram
- Azure Virtual WAN
Solely key guidance, prescriptive or not is summarised here.
- Think of as a network spoke, used for an application or similar group of applications.
- Governed, well managed area for business units to build in.
- Cultural/organisational pre-requisites.
- Enterprise-scale landing zones provides guidance for architectural decisions.
- Landing Zone owners should have subnet creation on the vnet
- Primary place where AzPolicies are applied in the management group structure
- Business units should manage themselves
- Azure Policy provides guardrails, don’t insist on centralised control.
- Should be used as a unit of management/scale/cost
- Use Accounts to separate EA Dev/Test from Production workloads
- Clear guidance on when to have a new subscription (scale/management/policy/vnet design)
- Dedicated sub’s for AzMonitor and AzAutomation
- Dedicated sub for AD DC’s
- Dedicated sub for vnet Hub/dns/expressroute
- Management group structures must be considered thoroughly when an organization plans Azure adoption at scale. This is a critical design area.
- Use to aggregate AzPolicies
- Keep hierarchy as flat as possible, no more than 3-4 levels of hierarchy
- Management groups replicate governance, not a OU structure - don’t merge the two
- Manage with a dedicated SPN to reduce users with elevated rights
- Avoid policies and subscriptions in the root group scope
- MFA/SSO/Conditional access/PIM
- Break glass accounts to avoid lockout
- Consider different tenants for Dev/Test if a STRONG requirement
- Integrate logs with Az Monitor
- Use MSI to mitigate credential theft, and instead of SP’s
- Use custom roles (samples provided in EntScale)
- Use different ranges for different Azure regions (eg. at the /16 level)
- Each AzRegion should have a network Hub (can be in the same sub)
- If using ER, use multiple circuits and redundant gateways
- Design: Hub and Spoke VS Azure Virtual WAN
- If you’re using AzFirewall, make use of Firewall Manager in Virtual WAN
- Use DDOS for vnets exposed to the internet
- Use a centralised Log Analytics workspace in most cases
- Leverage WORM AzStorage for long term log retention
- Aim for centralised AzAutomation to provide consistency in automationOps
PaaS vs IaaS
The enterprise-scale architecture approach favors using Azure-native platform services and capabilities whenever possible.