I am sure most of you have seen the recent announcements about Blueprints, as well as several Microsoft posts about the service and what it can do to improve your environment. However, what if you are not sure what they are and whether they are usable in your environment? Hopefully this post helps. I am going to explain exactly what they do and why you can use an Azure Template. This may allow you to decide whether you need them or not.
I think that is the first basic point about Azure Blueprints. As with many other new services in Azure, the functionality is great and can help a lot of environments progress, but that doesn't mean it helps, or is useful, in every environment. Assess the service, understand it, evaluate your needs versus its usability, and test! Don't forget, the blueprints are still in preview so there is no workload yet.
So, what is a blueprint? To try to explain this clearly, it is a collection of governance and resource services, defined in such a way that you can repeat the deployment to a defined standard.
How Azure Blueprint can break down, manage and scale
The governance and resource services collected within a blueprint are referred to as artifacts. Within each blueprint, you can use any of the following combinations:
Once your blueprint is defined, your next step is to publish it. When publishing, you should indicate a version. I found it strange that the version is not restricted in any way: you can literally name one version “1.0” and the next “B”, so I would recommend adding notes with each version and trying to stick to a pattern. However, it does make sense if you are going to use different versions for different assignments (I explain that next), so choose relative to your needs.
When your blueprint is published, you can assign it.
A good feature is the ability to assign different versions of the blueprint to different subscriptions. For example, you can have two versions of a blueprint (think a test version and a production version) assigned to different subscriptions. They can also be updated independently.
In the assignment, membership as well as some options are selected. The options are resource locking and managed identity.
For managed identity, it is recommended that you simply choose System assigned, because the Blueprint service will then manage the security lifecycle. Read more on managed identities to help you understand and choose what is right for your environment.
The resource locking feature allows you to maintain control of your governed deployment. If you are not familiar with resource locks, see this post. The familiar states apply to resources deployed by blueprint assignments:
can not delete
However, once a lock state is applied, even a user or object with the Owner role cannot modify the resource. This is due to how these states are implemented. If the assignment selects the Read Only or Do Not Delete option, an RBAC deny assignment is applied to the artifact resources during blueprint assignment.
So, how do you edit or delete your resources?
Update your blueprint to “Not Locked” and push the update to the corresponding assignment. This method prevents unwanted and unexpected changes occurring outside the scope of the blueprint.
There is quite a learning curve for blueprints. I think they combine many other services that you should be familiar with, so for me, you have to start there. Understand each of the artifacts completely so that you can see how they can work well when defined in your environment.
Recently, a sample blueprint has been released that allows you to deploy a pre-designed, governed environment with a few clicks: an ISO27001 shared services sample that I think helps make the service understandable, even if it is a bit complicated for your first test.
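The version, identity and locking choices described above can be checked across assignments. The following Python sketch is an added example, not code from the original post or from Microsoft. It audits blueprint assignment resources for an unlocked mode, a version that breaks a naming pattern, and an identity that is not system assigned. The sample assignments, the placeholder IDs and the `major.minor` version pattern are constructed assumptions; the field names follow the shape of a Blueprint assignment resource.

```python
import re

# Constructed sample: trimmed blueprint assignment resources with placeholder IDs.
MG = "/providers/Microsoft.Management/managementGroups/<mg-id>"
BP = MG + "/providers/Microsoft.Blueprint/blueprints/shared-services/versions/"
SAMPLE_ASSIGNMENTS = [
    {"name": "assign-prod", "identity": {"type": "SystemAssigned"},
     "properties": {"blueprintId": BP + "1.0",
                    "locks": {"mode": "AllResourcesReadOnly"}}},
    {"name": "assign-test", "identity": {"type": "SystemAssigned"},
     "properties": {"blueprintId": BP + "B",
                    "locks": {"mode": "None"}}},
    {"name": "assign-legacy", "identity": {"type": "UserAssigned"},
     "properties": {"blueprintId": BP + "1.1"}},  # no locks block at all
]

# Lock modes that result in a deny assignment on the deployed resources.
LOCKED_MODES = {"AllResourcesReadOnly", "AllResourcesDoNotDelete"}


def version_of(blueprint_id):
    """Return the version segment of a published blueprint ID, or None."""
    m = re.search(r"/versions/([^/]+)$", blueprint_id)
    return m.group(1) if m else None


def audit(assignments, version_pattern=r"\d+\.\d+"):
    """Return (assignment name, finding) pairs for settings that weaken governance."""
    findings = []
    for a in assignments:
        props = a.get("properties", {})
        mode = props.get("locks", {}).get("mode", "None")
        if mode not in LOCKED_MODES:
            findings.append((a["name"], "not locked: no deny assignment protects its resources"))
        version = version_of(props.get("blueprintId", ""))
        if version is None or not re.fullmatch(version_pattern, version):
            findings.append((a["name"], f"version {version!r} breaks the naming pattern"))
        id_type = a.get("identity", {}).get("type")
        if id_type != "SystemAssigned":
            findings.append((a["name"], f"identity type {id_type!r} is not SystemAssigned"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ASSIGNMENTS):
        print(f"{name}: {finding}")
```

An unlocked assignment can be a deliberate choice for a test subscription, so treat that finding as a prompt to confirm intent.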
Again, the blueprints are still in preview.
So always be vigilant with your production environment. I look forward to seeing what changes come with GA, which should not be much longer, given that Blueprints were announced back at Ignite. When this happens I will update this post for GA.