Azure Organizational Structure
Tech Talk Tuesday
February 26th, 2019
A Tale of Two Azures
Enrollment → Department → Account
Also referred to as "Environment" in some Azure tools
Separate, But Not Equal
Differences between Commercial and Government:
- Data Centers
- Active Directory (Tenant)
- Available Features
Subscriptions
- What we call an "Environment"
- Dev/Test is cheaper
- Enterprise Monitoring is "different" (hopefully not needed much longer)
Resource Groups
- Not physical, but assigned to a region
- Represents access controls and resource organization
- No cost
Resources
- Belong to a Resource Group
- Deployed to a region (may match Resource Group)
- Data egress charges
- Feature availability
Common Resources
- App Service
- Azure Database/Server
- Storage Account
- Service Bus (Topics/Subscriptions)
- Key Vault
- Azure VM, et al
VM Components
- AZ-S-APP01: Virtual machine
- IaaSDiagnostics (AZ-S-APP01/IaaSDiagnostics): Microsoft.Compute/virtualMachines/extensions
- azsapp01diag: Storage account
- AzureBackup_az-s-app01: Microsoft.Compute/restorePointCollections
- JISStageVault: Recovery Services vault
- micourtsuitestagingrg531: Storage account
- AZ-S-APP01_OsDisk_1_...: Disk
- az-s-app01505: Network interface
- AZ-S-APP01-ip: Public IP address
- AZ-S-APP01-nsg: Network security group
Shared JIS Resources
- JIS Common: App Service Plan
- JIS Logging: Cosmos DB
- Proxy Service: App Service/Plan
Application Insights
- Not yet available in Government Cloud
- Unique Subscription
Hybrid Connectivity
- Hybrid Connection
- VPN-connected VNet
AD Groups
- Owners
- Contributors
- Readers
Key Vault
- Applications as the primary consumer
- Hardware-level encryption
- Easily leveraged during deployment
Managed Service Identity
- Applications as the only consumer
- Automatically rotating
- High entropy
- Managed in ARM template
Pleasant Password Server
- Users as the only consumer
- Uses AD
- Demo