Governance considerations for the Azure Integration Services landing zone accelerator

Governance involves making sure any policies you have in place are being followed, and that you can show your applications are compliant with any legal, financial, regulatory, or internal requirements they are subject to. For smaller applications, governance may be a manual process; for larger applications, automation is essential. Azure contains several offerings designed to make the compliance and governance process easier.

This article deals with the Control Plane only, meaning how you create, manage, and configure resources in Azure (generally through Azure Resource Manager). It does not deal with governance of the Data Plane, meaning how the endpoints of your resources are governed, secured, or monitored.

Design considerations

  • Have you defined the roles and responsibilities for all individuals that interact with your resources?

  • Have you defined a Disaster Recovery (DR) plan, and do you need to automate your recovery activities? For example, do you need to automatically provision redundant resources in geographically disparate regions?

  • Do you have specific Recovery Time Objective (RTO) and Recovery Point Objective (RPO) policies that need to be adhered to?

  • Do you have an alert or escalation plan that needs to be implemented?

  • What industry, legal, or financial regulations are your resources subject to, and how do you ensure that you are compliant?

  • What tooling do you have for managing all your resources? Do you need to perform manual remediation, or can it be automated? How are you alerted if any part of your estate is not in compliance?

Design recommendations

  • Use Azure Policy to enforce organizational standards and to help you assess compliance. Azure Policy provides an aggregated view, enabling you to evaluate the overall state of your environment and to drill down to per-resource, per-policy granularity. For example, you can define policies that look for unauthorized or expensive resources, or for resources that are provisioned without adequate security.

  • Automate your deployments using a Continuous Integration/Continuous Deployment (CI/CD) tool like Azure DevOps and Terraform. This helps ensure that any policies you have in place are followed, without the need for manual configuration.

  • Use Automation tasks to automate tasks like sending alerts on weekly or monthly spend on resources; or to archive or delete old data. Automation tasks use Logic Apps (Consumption) workflows to perform the tasks.

  • Use Role-based access control (RBAC) to restrict user and application access to differing levels of scope.

  • Use monitoring tools such as Azure Monitor to identify resources that are either already in breach of policy or in danger of breaching policy soon.

  • Enable Microsoft Defender for Cloud to help identify resources that are in breach of security or endpoint policies.
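The Azure Policy recommendation above mentions policies that catch unauthorized or expensive resources. The following custom policy definition is an added example, not part of this article or of the accelerator's own artifacts: it denies API Management instances whose SKU is not on an approved list. The display name, description, and the default allowed-SKU list are example values chosen here; adjust them to your organization's standards.

```json
{
  "properties": {
    "displayName": "Allowed API Management SKUs (example policy)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Example definition: denies API Management instances whose SKU is not in the approved list, so unauthorized or expensive tiers cannot be provisioned.",
    "parameters": {
      "allowedSkus": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed SKUs",
          "description": "API Management SKU names that may be deployed (example default list)."
        },
        "defaultValue": [ "Developer", "Basic", "Standard" ]
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Use Audit first to measure the estate, then switch to Deny to enforce."
        },
        "allowedValues": [ "Audit", "Deny", "Disabled" ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.ApiManagement/service" },
          { "field": "Microsoft.ApiManagement/service/sku.name", "notIn": "[parameters('allowedSkus')]" }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

Create the definition with `az policy definition create` and assign it at management group or subscription scope; assigning with the `Audit` effect first lets the compliance view show existing non-compliant instances before `Deny` blocks new deployments.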