diff --git a/catalog-info.yaml b/catalog-info.yaml index 9a02bc8..4f33ecd 100644 --- a/catalog-info.yaml +++ b/catalog-info.yaml @@ -3,7 +3,7 @@ kind: Component metadata: name: "public-cloud-techdocs" title: "Public cloud development guide" - description: "Learn about building and deploying applications through B.C. government AWS landing zone" + description: "Learn about building and deploying applications through B.C. government AWS and Azure landing zones" annotations: github.com/project-slug: bcgov/public-cloud-techdocs backstage.io/techdocs-ref: dir:. diff --git a/docs/.DS_Store b/docs/.DS_Store deleted file mode 100644 index 32f65de..0000000 Binary files a/docs/.DS_Store and /dev/null differ diff --git a/docs/design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md b/docs/aws/design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md similarity index 100% rename from docs/design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md rename to docs/aws/design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md diff --git a/docs/design-build-and-deploy-an-application/iam-user-service.md b/docs/aws/design-build-and-deploy-an-application/iam-user-service.md similarity index 100% rename from docs/design-build-and-deploy-an-application/iam-user-service.md rename to docs/aws/design-build-and-deploy-an-application/iam-user-service.md diff --git a/docs/design-build-and-deploy-an-application/networking.md b/docs/aws/design-build-and-deploy-an-application/networking.md similarity index 98% rename from docs/design-build-and-deploy-an-application/networking.md rename to docs/aws/design-build-and-deploy-an-application/networking.md index 2b04af9..10ed13a 100644 --- a/docs/design-build-and-deploy-an-application/networking.md +++ b/docs/aws/design-build-and-deploy-an-application/networking.md 
@@ -1,7 +1,9 @@ # Networking within the AWS Secure Environment Accelerator (ASEA) + Last updated: **January 5, 2023** ## Introduction + This document simplifies the centralized networking of the AWS Secure Environment Accelerator (ASEA) and provides best practices for networking on the platform. Our goal is to make ASEA's networking easy to understand for anyone working on the platform within the guardrails of the BC Gov ASEA. Networking plays a crucial role as the backbone of cloud technology, connecting everything, ensuring safety, and facilitating smooth operations. Understanding it is essential for maximizing the benefits of cloud tools. ## Network architecture @@ -15,8 +17,6 @@ These resources are accessible through AWS Resource Access Manager (RAM), which This streamlined approach eliminates the need for duplicating resources across multiple accounts reducing the operational burden associated with managing resources in each individual account. - - The distinction between the Shared Networking and Perimeter accounts is driven by the need for "separation of duties" in networking and security. In essence, ASEA's networking architecture guarantees centralized, well-organized, and secure communication. This is achieved through Transit Gateway routing, distinct security measures for the Perimeter VPC, and efficient resource management in the Shared Network account, as depicted in the B.C. Government ASEA's networking diagram below: ![networking-architecture](../images/networking/network-architecture.png) 
@@ -31,9 +31,9 @@ For further reading beyond this document please visit the [AESA network architec In the Perimeter account, we employ a [Gateway Load Balancer (GWLB)](https://aws.amazon.com/elasticloadbalancing/gateway-load-balancer/) to evenly distribute traffic load among our firewall instances. These instances, operating in a highly available pair, utilize Checkpoint Firewalls obtained from the AWS Marketplace. The Checkpoint Firewall Manager, coupled with Checkpoint's Smart Console, is instrumental in configuring traffic rules. -Our firewall setup strictly permits only HTTP/HTTPS traffic, with all other forms of traffic being blocked. This includes SSH egress traffic, which might affect accessing git repositories and other services relying on SSH. For git repository access, we recommend using HTTPS instead of SSH. +Our firewall setup strictly permits only HTTP/HTTPS traffic, with all other forms of traffic being blocked. This includes SSH egress traffic, which might affect accessing git repositories and other services relying on SSH. For git repository access, we recommend using HTTPS instead of SSH. -If your application necessitates non-HTTP/HTTPS traffic, please don't hesitate to reach out to the team by contacting them by email at Cloud.Pathfinder@gov.bc.ca +If your application necessitates non-HTTP/HTTPS traffic, please don't hesitate to reach out to the team by contacting them by email at ## Transit gateway 
@@ -77,11 +77,12 @@ Workload VPCs are strategically structured for Development (Dev), Testing (Test) - CIDR blocks define the IP address range for each VPC, ensuring unique and non-overlapping address spaces - Enables proper addressing and routing - In summary, Workload VPCs are organized by environments (Dev, Test, Prod, Tools), share resources through AWS RAM for centralized management via Shared Networking account, and each VPC is configured with a /16 CIDR block to define its IP address range. This structure and configuration support the secure and scalable hosting of applications across different stages of development and testing in the ASEA. ### Subnets + All subnets within Workload VPCs, including Web, App, and Data, are private. This subnet configuration ensures a secure and organized environment, with each subnet tailored for distinct purposes within the ASEA infrastructure. + - **Differentiation between Public and Private Subnets** - All subnets in a Workload VPC are designated as private. There is no distinction between public and private subnets within the Workload VPCs. @@ -109,6 +110,7 @@ All subnets within Workload VPCs, including Web, App, and Data, are private. Thi - All workload accounts in the same VPC/subnet share the same IP address pool. ### Security groups and NACLs + Security Groups and Network Access Control Lists (NACLs) play distinct roles in ensuring the security of Workload VPCs, with Security Groups acting as instance-level firewalls and NACLs providing an additional layer of defense at the subnet level - **Difference between security groups and NACLs** @@ -142,6 +144,7 @@ Security Groups and Network Access Control Lists (NACLs) play distinct roles in ### Exposing services to the internet Generally, in the ASEA we recommend one of two methods of exposing services to the internet: + - API Gateway - Application Load Balancer (ALB) 
@@ -151,22 +154,23 @@ Making strategic choices between AWS API Gateway and ALBs is essential for optim For general instructions on how to cerate an API gateway and safely expose it to the internet please see this [AWS documentation on HTTP APIs](https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api.html). For ASEA specific examples deployed using Terraform via GitHub Actions please see our [serverless, or container based sample applications](../design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md#sample-applications). Creating resources via Terraform/ automation is always preferred. **Benefits of using API Gateway and VPC Link** -- **Security and isolation** API Gateway and VPC Link provide a secure and isolated connection between your internet-facing API and backend services within a VPC. AWS WAF can also be used alongside your API gateway. - -- **Scalability** + +- **Security and isolation** API Gateway and VPC Link provide a secure and isolated connection between your internet-facing API and backend services within a VPC. AWS WAF can also be used alongside your API gateway. + +- **Scalability** API Gateway scales automatically to handle varying levels of traffic, ensuring the availability of your internet-facing services. - -- **Managed service** + +- **Managed service** API Gateway is a fully managed service, reducing operational overhead and allowing you to focus on building and improving your APIs. **When to use ALBs** -While API Gateway is recommended for modern applications, there is still a use case for ALBs with legacy applications where it may be difficult or impossible to use an API Gateway. If your application is unable to accommodate an API Gateway, then please reach out to Cloud.Pathfinder@gov.bc.ca for integration support. +While API Gateway is recommended for modern applications, there is still a use case for ALBs with legacy applications where it may be difficult or impossible to use an API Gateway. 
If your application is unable to accommodate an API Gateway, then please reach out to for integration support. ## Serverless resources Serverless resources within the AWS Secure Environment Accelerator (ASEA) possess the flexibility to operate within or outside a VPC. When deployed within a VPC, these resources are assigned an Elastic Network Interface (ENI), utilizing an IP address from the corresponding subnet's IP pool. Access to VPC resources, including critical databases such as RDS, is exclusive to serverless resources configured **within** the VPC, ensuring a controlled and secure networking environment. ## Related pages + - [AESA network architecture docs](https://aws-samples.github.io/aws-secure-environment-accelerator/latest/architectures/sensitive/network/) - [GWLB architecture](https://aws-samples.github.io/aws-secure-environment-accelerator/latest/architectures/sensitive/images/perimeter-NFW-GWLB.png) - diff --git a/docs/design-build-and-deploy-an-application/requirements-for-building-your-application.md b/docs/aws/design-build-and-deploy-an-application/requirements-for-building-your-application.md similarity index 89% rename from docs/design-build-and-deploy-an-application/requirements-for-building-your-application.md rename to docs/aws/design-build-and-deploy-an-application/requirements-for-building-your-application.md index ebd9111..88da4c5 100644 --- a/docs/design-build-and-deploy-an-application/requirements-for-building-your-application.md +++ b/docs/aws/design-build-and-deploy-an-application/requirements-for-building-your-application.md 
@@ -14,7 +14,7 @@ The following sections describe the requirements for building your application o ## Limitations of the AWS Landing Zone -Take the following into consideration when building your application on the AWS Landing zone: +Take the following into consideration when building your application on the AWS Landing zone: * There is no direct (private) connectivity to the B.C. government network. Any application requiring access to data on this network must use a public endpoint 
@@ -28,27 +28,27 @@ Take the following into consideration when building your application on the AWS * IAM Users and their access keys can only be generated by the [IAM User management service](../design-build-and-deploy-an-application/iam-user-service.md), which is created and managed by the Public Cloud team - ## Other requirements and best practices -To use GitHub Actions for deploying your application, [OpenID Connect (OIDC) authentication](../design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md#configuring-github-action-oidc-authentication-to-aws) is required. +To use GitHub Actions for deploying your application, [OpenID Connect (OIDC) authentication](../design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md#configuring-github-action-oidc-authentication-to-aws) is required. -To deploy your application: +To deploy your application: * Use a CI/CD pipeline * Use infrastructure as code, such as Terraform * Set up a monitoring solution for your application -* Through the [Product Registry](https://registry.developer.gov.bc.ca/login) configure budgets to receive notifications when your quota is close to being exceeded +* Through the [Product Registry](https://registry.developer.gov.bc.ca/login) configure budgets to receive notifications when your quota is close to being exceeded * Only grant access to your AWS accounts for those who actually need it ## Local deployment -To facilitate local deployments into AWS, from your machine. The process involves using Terraform as an Infrastructure as Code (IaC) tool, AWS CLI and Visual Studio Code (VSCode) as an Integrated Development Environment (IDE). + +To facilitate local deployments into AWS, from your machine. The process involves using Terraform as an Infrastructure as Code (IaC) tool, AWS CLI and Visual Studio Code (VSCode) as an Integrated Development Environment (IDE). 
* Install Terraform by following the [official Terraform guide](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli), * Understand and install [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) * Set up [Visual Studio Code](https://code.visualstudio.com/docs/setup/setup-overview) -After all the tools have been installed, you can provision S3 bucket in AWS using Terraform: +After all the tools have been installed, you can provision S3 bucket in AWS using Terraform: Save this code in a file with a ".tf" extension, for example, main.tf. @@ -76,7 +76,7 @@ To apply this configuration, follow these steps: Ensure you have AWS credentials, obtainable by visiting the AWS login page and clicking on the `Click for Credentials` button for the desired authorization role as shown in the image below. ![aws-credential-cli](../images/requirements-for-building-your-application/aws-credential-cli.png) -2. Copy the credential +2. Copy the credential ![aws-credential-cli](../images/requirements-for-building-your-application/click-credential.png) 
@@ -84,35 +84,39 @@ Ensure you have AWS credentials, obtainable by visiting the AWS login page and c ![aws-credential-cli](../images/requirements-for-building-your-application/terminal.png) - 4. Initialize your Terraform configuration: + ``` terraform init ``` 5. Create an execution plan: + ``` terraform plan ``` + 6. Apply the changes to create the S3 bucket: + ``` terraform apply ``` + 7. Confirm by typing yes when prompted. This script creates an S3 bucket with the specified configuration. Adjust parameters as needed for your specific use case. -For deploying to AWS using Terraform, [find this comprehensive tutorial](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/aws-build ). +For deploying to AWS using Terraform, [find this comprehensive tutorial](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/aws-build ). This combined approach of Terraform AWS CLI and VSCode streamlines the deployment process, promoting ease of use and efficiency in AWS infrastructure management. ## Next steps -- [Deploy an application to the B.C. Government AWS Landing Zone](../design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md) +* [Deploy an application to the B.C. Government AWS Landing Zone](../design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md) ## Related pages -- [Provision a project set](get-started/provision-a-project-set.md) -- [Account access](get-started/provision-a-project-set.md#account-access) -- [Configuring GitHub Action OIDC Authentication to AWS](../design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md#configuring-github-action-oidc-authentication-to-aws) -- [Deploy an application to the B.C. 
Government AWS Landing Zone](../design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md) +* [Provision a project set](get-started/provision-a-project-set.md) +* [Account access](get-started/provision-a-project-set.md#account-access) +* [Configuring GitHub Action OIDC Authentication to AWS](../design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md#configuring-github-action-oidc-authentication-to-aws) +* [Deploy an application to the B.C. Government AWS Landing Zone](../design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md) diff --git a/docs/aws/design-build-and-deploy-an-application/sample-apps.md b/docs/aws/design-build-and-deploy-an-application/sample-apps.md new file mode 100644 index 0000000..6629d6d --- /dev/null +++ b/docs/aws/design-build-and-deploy-an-application/sample-apps.md @@ -0,0 +1,10 @@ +# AWS Sample applications + +Last updated: **October 16, 2024** + +We have several example applications to help you get started with building and deploying applications in the AWS Landing Zone. + +* Container-based application: [AWS Startup Sample Application (Containers)](https://github.com/bcgov/startup-sample-project-aws-containers) +* Serverless-based application: [AWS Startup Sample Application (Serverless)](https://github.com/bcgov/startup-sample-project-aws-serverless-TFC) + +For additional guidance on application architecture, please refer to the [AWS Architecture Center](https://aws.amazon.com/architecture/). diff --git a/docs/aws/design-build-and-deploy-an-application/security-guardrails.md b/docs/aws/design-build-and-deploy-an-application/security-guardrails.md new file mode 100644 index 0000000..dbf5056 --- /dev/null +++ b/docs/aws/design-build-and-deploy-an-application/security-guardrails.md 
@@ -0,0 +1,93 @@ +# AWS Security and compliance guardrails + +Last updated: **October 16, 2024** + +As an AWS user, you must understand the restrictions and guidelines to ensure security and compliance. This document outlines the key points you need to know when using your AWS account. + +## Supported regions + +You can only use AWS services in the following regions: + +* Canada (Central) - ca-central-1 +* US East (N. Virginia) - us-east-1 + +Most actions and resource creation outside these regions will be blocked. This means: + +* Deploy all your applications and services in these two regions +* Traditional multi-region architectures for disaster recovery or global applications may not be possible. Discuss alternatives with the central team for critical applications that might need such capabilities +* Some global services (such as IAM, CloudFront, Route 53) are still available, but your actions may be limited + +## Protected resources + +Some resources in your account are managed by our central team and are protected from modification. You can identify these resources by: + +* Names beginning with "PBMM" +* The tag "Accelerator: PBMM" + +You can't change, delete, or in some cases even interact with these protected resources, such as certain CloudFormation stacks, IAM roles, S3 buckets, and network components. 
+ +This means: + +* If your application needs to interact with PBMM-protected resources, you may need to request permissions or assistance from the central team +* You can't change the encryption settings of existing PBMM-tagged storage resources +* While you can view security findings from services like GuardDuty or Security Hub, you might not be able to dismiss or change these findings directly if they're related to protected resources + +## Network and infrastructure + +* You can't create, modify, or delete core networking components like VPCs, subnets, internet gateways, and NAT gateways +* You can't create or modify VPC endpoints, except for the PrivateLink endpoints for API Gateway +* You can add routes to existing routes tables, but you can't modify or delete the routes. So be cautious when adding routes + +This means: + +* You can't create new VPCs or modify existing ones that are part of the protected infrastructure. Plan your resource deployments within the existing network structure +* Resources deployed in your VPCs are not directly accessible from the internet. If your application requires internet access, you'll need to use an API Gateway with PrivateLink or route your traffic through the landing zone's perimeter network using a public ALB. For more information, see [Exposing Services to the Internet](../design-build-and-deploy-an-application/networking.md#exposing-services-to-the-internet) + +## Security and compliance + +1. Encryption: + - Encryption is mandatory for services like EBS volumes, RDS instances, and EFS file systems + - You can't disable encryption on resources that require it + + This means: + + - When creating new S3 buckets, EBS volumes, or RDS instances, you must ensure they are encrypted. The system will enforce this, but be aware that you can't create unencrypted storage resources + +2. Security services: + - You have limited ability to modify settings for services like GuardDuty, Security Hub, and Macie. + +3. 
Logging and monitoring: + - You can't modify or delete CloudWatch logs, alarms, and dashboards related to our managed infrastructure + - You can create your own CloudWatch alarms and dashboards, but you can't modify ones that are part of the protected infrastructure + +## Account management + +- You can't perform high-level account actions such as leaving the AWS organization or closing the account +- Creation of new IAM users and groups is restricted. A limited custom service is deployed in your accounts to create IAM users. See [IAM User Service](./iam-user-service.md) for more information + +Implications: + +- You can't create new IAM users or groups. If you need to onboard new team members or create new roles, you can do that using the [Product Registry](https://registry.developer.gov.bc.ca). See [BC Gov's Product Registry - User management documentation](./user-management.md) for more information +- Be cautious when attaching policies that grant broad permissions. Use the least privilege principle when assigning permissions + +## Service restrictions + +Access to AWS Marketplace is limited. Please contact the central team if you need software or services from the Marketplace + +Implications: + +* Some AWS services might be entirely restricted. Always check if you can access a service before planning to use it in your projects +* For services that are available, you might find that certain actions within those services are restricted +* If you need specific software or tools from AWS Marketplace, you'll need to request it through the central team. Plan ahead for any software needs in your projects + +## Cost management + +You don't have direct access to billing information or the ability to set up detailed cost allocation tags. However, you can view your total spend and associated costs using AWS Cost Explorer. + +Budgets and notifications are pre-configured to alert you when your spend is approaching limits. 
These values are set in the [Platform Product Registry](https://registry.developer.gov.bc.ca). You may also set up additional budgets and alerts as needed. + +To provide a centralized view of costs across all accounts and projects, the Public Cloud team has created a Cost Explorer dashboard. This dashboard helps track and analyze costs for all projects and accounts. For more details, see [AWS billing and cost management dashboards](../understanding-your-aws-bill/aws-billing-and-cost-management-dashboard-via-quicksight.md). + +By following these guidelines, you help maintain the security and compliance of our AWS environment. If these limitations significantly impact your work, contact the Public Cloud team for guidance, workarounds, or to request exceptions for critical business needs. + +If you have any questions or need assistance, please contact the Public Cloud team at cloud.pathfinder@gov.bc.ca. diff --git a/docs/design-build-and-deploy-an-application/user-management.md b/docs/aws/design-build-and-deploy-an-application/user-management.md similarity index 94% rename from docs/design-build-and-deploy-an-application/user-management.md rename to docs/aws/design-build-and-deploy-an-application/user-management.md index 3a3407d..38ea343 100644 --- a/docs/design-build-and-deploy-an-application/user-management.md +++ b/docs/aws/design-build-and-deploy-an-application/user-management.md 
@@ -1,9 +1,10 @@ # BC Gov's Product Registry - User management documentation + Last updated: **March 12, 2024** Welcome to the BC Gov's Product Registry documentation. This guide provides detailed information about the new user interface changes and the enhanced user management feature available at [BC Gov's Product Registry](https://registry.developer.gov.bc.ca/). With the latest update, users can now manage AWS permissions directly from the website, enhancing the overall user experience and streamlining project management. -## New user interface +## New user interface The BC Gov's Product Registry has undergone significant UI improvements to provide a more intuitive and user-friendly experience. You can now easily navigate through the website, access different sections, and manage your projects and users more efficiently. @@ -18,6 +19,7 @@ One of the key updates is the introduction of a comprehensive user management fe 5. **Security auditors** ![AWS landing zone product registry screen preview of the dashboard to manage users showing different users with different access options](../images/user-management/registry_roles.png) + ### Prerequisites - Users must have a valid IDIR to be added to these roles. 
@@ -72,17 +74,19 @@ Assigning users to these roles grants them specific permissions to AWS accounts ``` ## Accessing the Public Cloud AWS Landing Zone + - Once a user is added to a role, they can access the product (AWS accounts) from the [Public Cloud Landing Zone.](https://login.nimbus.cloud.gov.bc.ca/) If users have multiple roles, they can choose any of those roles when logging in to the account. ![AWS landing zone screen preview of the dashboard showing access to choose different types to login based on user credentials](../images/user-management/landing_zone.png) ## AWS managed policies overview + - AWS managed policies are predefined policies that provide permissions for many common use cases. These policies are maintained by AWS and provide a set of permissions that align with common job functions in the AWS environment. By using AWS managed policies, you can ensure that the permissions are set up correctly and updated by AWS as necessary. - - AdministratorAccess: Provides full access to AWS services and resources - - ReadOnlyAccess: Provides read-only access to AWS services and resources - - SecurityAudit: Provides permissions to view configuration data for security auditing + - AdministratorAccess: Provides full access to AWS services and resources + - ReadOnlyAccess: Provides read-only access to AWS services and resources + - SecurityAudit: Provides permissions to view configuration data for security auditing # Conclusion + - The new user management feature in the BC Gov's Product Registry enhances the ability of product owners and technical leads to manage AWS permissions efficiently. By understanding the roles and their associated policies, you can ensure that users have the appropriate access to your AWS resources. - For more information on AWS managed policies and best practices, visit the [AWS Identity and Access Management documentation.](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) - 
diff --git a/docs/get-started/bc-govs-aws-landing-zone-overview.md b/docs/aws/get-started-with-aws/bc-govs-aws-landing-zone-overview.md similarity index 96% rename from docs/get-started/bc-govs-aws-landing-zone-overview.md rename to docs/aws/get-started-with-aws/bc-govs-aws-landing-zone-overview.md index cb947f5..d2481e5 100644 --- a/docs/get-started/bc-govs-aws-landing-zone-overview.md +++ b/docs/aws/get-started-with-aws/bc-govs-aws-landing-zone-overview.md @@ -1,4 +1,4 @@ -# B.C. Government OCIO AWS Landing Zone overview +# B.C. Government OCIO AWS Landing Zone overview Last updated: **February 5, 2024** 
@@ -32,11 +32,11 @@ Explore a [comprehensive guide](https://digital.gov.bc.ca/cloud/services/public/ In this section, we'll provide a high level overview of the components and features of the OCIO's Landing Zone in AWS. -### Product Registry +### Platform Product Registry -The Product Registry service is a comprehensive solution designed to streamline the process of requesting and creating AWS Project Sets for B.C. government ministry teams. Each Project Set comprises four distinct AWS accounts: Development (dev), Testing (test), Production (prod), and Tools. This service plays a crucial role, not just in setting up the necessary AWS infrastructure, but also in managing various aspects of a product's lifecycle in the cloud. +The Platform Product Registry service is a comprehensive solution designed to streamline the process of requesting and creating AWS Project Sets for B.C. government ministry teams. Each Project Set comprises four distinct AWS accounts: Development (dev), Testing (test), Production (prod), and Tools. This service plays a crucial role, not just in setting up the necessary AWS infrastructure, but also in managing various aspects of a product's lifecycle in the cloud. -### Key Features of the Product Registry Service +### Key Features of the Platform Product Registry Service 1. **AWS Project Set creation** - Helps create a set of four AWS accounts (Dev, Test, Prod, Tools) customized for different stages of the application development lifecycle @@ -103,7 +103,7 @@ The AWS Secure Environment Accelerator (ASEA) product provides a security framew The ASEA security framework ensures that you can develop and deploy applications in a secure, compliant, and controlled AWS environment, enabling them to focus on delivering innovative and effective digital services. - +For more information, see [AWS Security & Compliance Guardrails](../design-build-and-deploy-an-application/security-guardrails.md). ### Networking 
diff --git a/docs/images/iam-user-service/create-user.png b/docs/aws/images/iam-user-service/create-user.png similarity index 100% rename from docs/images/iam-user-service/create-user.png rename to docs/aws/images/iam-user-service/create-user.png diff --git a/docs/images/iam-user-service/iam-users.png b/docs/aws/images/iam-user-service/iam-users.png similarity index 100% rename from docs/images/iam-user-service/iam-users.png rename to docs/aws/images/iam-user-service/iam-users.png diff --git a/docs/images/iam-user-service/parameter.png b/docs/aws/images/iam-user-service/parameter.png similarity index 100% rename from docs/images/iam-user-service/parameter.png rename to docs/aws/images/iam-user-service/parameter.png diff --git a/docs/images/iam-user-service/table.png b/docs/aws/images/iam-user-service/table.png similarity index 100% rename from docs/images/iam-user-service/table.png rename to docs/aws/images/iam-user-service/table.png diff --git a/docs/images/networking/network-architecture.png b/docs/aws/images/networking/network-architecture.png similarity index 100% rename from docs/images/networking/network-architecture.png rename to docs/aws/images/networking/network-architecture.png diff --git a/docs/images/networking/shared-vpc.png b/docs/aws/images/networking/shared-vpc.png similarity index 100% rename from docs/images/networking/shared-vpc.png rename to docs/aws/images/networking/shared-vpc.png diff --git a/docs/images/requirements-for-building-your-application/aws-credential-cli.png b/docs/aws/images/requirements-for-building-your-application/aws-credential-cli.png similarity index 100% rename from docs/images/requirements-for-building-your-application/aws-credential-cli.png rename to docs/aws/images/requirements-for-building-your-application/aws-credential-cli.png 
diff --git a/docs/images/requirements-for-building-your-application/click-credential.png b/docs/aws/images/requirements-for-building-your-application/click-credential.png similarity index 100% rename from docs/images/requirements-for-building-your-application/click-credential.png rename to docs/aws/images/requirements-for-building-your-application/click-credential.png diff --git a/docs/images/requirements-for-building-your-application/terminal.png b/docs/aws/images/requirements-for-building-your-application/terminal.png similarity index 100% rename from docs/images/requirements-for-building-your-application/terminal.png rename to docs/aws/images/requirements-for-building-your-application/terminal.png diff --git a/docs/images/user-management/landing_zone.png b/docs/aws/images/user-management/landing_zone.png similarity index 100% rename from docs/images/user-management/landing_zone.png rename to docs/aws/images/user-management/landing_zone.png diff --git a/docs/images/user-management/registry_roles.png b/docs/aws/images/user-management/registry_roles.png similarity index 100% rename from docs/images/user-management/registry_roles.png rename to docs/aws/images/user-management/registry_roles.png diff --git a/docs/aws/index.md b/docs/aws/index.md new file mode 100644 index 0000000..7510f16 --- /dev/null +++ b/docs/aws/index.md 
@@ -0,0 +1,64 @@ +# Welcome to the Public Cloud AWS Technical Documentation + +## Get started with AWS + +Start here for the first steps on working in our AWS Secure Environment Accelerator (ASEA): + +* [B.C. Government AWS Landing Zone overview](get-started/bc-govs-aws-landing-zone-overview.md) +* [Provision a project set in AWS](get-started/provision-a-project-set.md) +* [Account access](get-started/provision-a-project-set.md#account-access) + +## Build, deploy and maintain apps + +Best practices on the platform: + +* [Requirements for building your application](design-build-and-deploy-an-application/requirements-for-building-your-application.md) +* [Deploy an application to the B.C. Government AWS Landing Zone](design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md) +* [Networking](design-build-and-deploy-an-application/networking.md) + + + +## Understand your AWS billing + +Use the Cost Management Dashboard to get an overview of your spend in AWS: + +* [AWS billing and cost management dashboards](understanding-your-aws-bill/aws-billing-and-cost-management-dashboard-via-quicksight.md) + + + + + + + +### Rocket.Chat + +Rocket.Chat will be your main communication channel for platform updates and support while you work in the BC Gov Private Cloud PaaS. Read about [how to stay connected in Rocket.Chat](https://digital.gov.bc.ca/cloud/services/public/get-support/#contact). + +If you already have access, you can +[log in to Rocket.Chat](https://chat.developer.gov.bc.ca). + +### Platform community MeetUps + +Every six weeks, we host a platform community MeetUp where we talk about changes to the platform. + +[Learn how to register for this and other events](https://digital.gov.bc.ca/cloud/services/public/get-support/#contact). 
+ +### Reusable code and services + +We have several [sample applications](design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md#sample-applications) which will deploy a simple application into your AWS Accounts utilizing different architectures. Use these to learn about best practices, how a GitHub Actions pipeline interacts with an AWS account in the ASEA, and give your team a launchpad to begin development in AWS. + +### External training + +See some [external training resources](https://digital.gov.bc.ca/cloud/services/public/get-support/#training). + + \ No newline at end of file diff --git a/docs/aws/support/enterprise-support.md b/docs/aws/support/enterprise-support.md new file mode 100644 index 0000000..003f737 --- /dev/null +++ b/docs/aws/support/enterprise-support.md @@ -0,0 +1,6 @@ +# AWS Enterprise Support + +Last updated: **October 8, 2024** + +Once your Project Set has been provisioned, the AWS Account will be enrolled in the AWS Enterprise Support. Only the Production AWS Account will be enrolled in the AWS Enterprise Support. + diff --git a/docs/understanding-your-aws-bill/aws-billing-and-cost-management-dashboard-via-quicksight.md b/docs/aws/understanding-your-aws-bill/aws-billing-and-cost-management-dashboard-via-quicksight.md similarity index 100% rename from docs/understanding-your-aws-bill/aws-billing-and-cost-management-dashboard-via-quicksight.md rename to docs/aws/understanding-your-aws-bill/aws-billing-and-cost-management-dashboard-via-quicksight.md diff --git a/docs/upcoming-features/calgary-region-in-aws-secure-environment-accelerator.md b/docs/aws/upcoming-features/calgary-region-in-aws-secure-environment-accelerator.md similarity index 100% rename from docs/upcoming-features/calgary-region-in-aws-secure-environment-accelerator.md rename to docs/aws/upcoming-features/calgary-region-in-aws-secure-environment-accelerator.md 
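Review bot: the Rocket.Chat paragraph under `### Rocket.Chat` in `docs/aws/index.md` says "while you work in the BC Gov Private Cloud PaaS", but this page is the AWS public cloud landing page; the sentence looks copied from the private cloud docs and should name the AWS landing zone (or the public cloud) so readers are not pointed at the wrong platform. The run of seven empty `+` lines between the billing bullet and `### Rocket.Chat` also reads like a section that was removed but whose spacing was left behind, and the page jumps from `## Understand your AWS billing` straight to `### Rocket.Chat`; either collapse the blank lines to one or restore the intended `##` heading (for example a support/community heading) that the Rocket.Chat, MeetUps, reusable code and training subsections belong under.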
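Review bot: in `docs/aws/support/enterprise-support.md` the two sentences contradict each other: "the AWS Account will be enrolled in the AWS Enterprise Support" is immediately narrowed by "Only the Production AWS Account will be enrolled". Merge them into a single statement, for example "Once your Project Set has been provisioned, only the Production AWS Account is enrolled in AWS Enterprise Support", and drop the article in "the AWS Enterprise Support".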
diff --git a/docs/azure/best-practices/be-mindful.md b/docs/azure/best-practices/be-mindful.md new file mode 100644 index 0000000..aacb290 --- /dev/null +++ b/docs/azure/best-practices/be-mindful.md 
@@ -0,0 +1,88 @@ +# Be mindful + +The following are some things to be aware of when working within the Azure Landing Zone. + +## Virtual Network (VNet) integration + +If you are using an [Azure App Service](https://learn.microsoft.com/en-us/azure/app-service/overview), and you plan to [integrate it with an Azure Virtual Network](https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration), it is important to be aware of the following limitation: _You can't delete a subnet that has previously had an integrated App Service, if the integration has not been removed_. + +As a best practice for using Azure App Services with VNet integration, if you plan to delete the App Service, ensure that you **remove the integration** with the Virtual Network **before** deleting the App Service. This will allow you to delete the associated Subnet without any issues. + +## Private Endpoints and DNS + +As a security requirement, some Azure services (ie. Databases, Key Vaults, etc.) have been restricted to private-only connectivity. This means during deployment, you will need to include the creation of a [Private Endpoint](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview) for this service. + +As part of creating the Private Endpoint, you will be asked about **Private DNS Integration**. The Azure portal defaults the "**Integrate with private DNS zone**" option to "**Yes**". However, we have the Azure Landing Zones already configured with custom Private DNS Zones, so you should select "**No**" for this option. + +![Private Endpoint - Private DNS Integration](../images/private-endpoints-dns.png "Private Endpoint - Private DNS Integration") + +Once your resource is deployed, a DNS `A-record` will be automatically created in the custom Private DNS Zone in approximately **10 minutes**, pointing to the private IP address of the resource. This will allow you to access the resource using the custom DNS name within the private network. 
+ +However, since the endpoint is private-only, you will not be able to access the resource from outside the VNet. To access and work with these specific resources, you need to use either [Azure Bastion](https://learn.microsoft.com/en-us/azure/bastion/bastion-overview) or [Azure Virtual Desktop (AVD)](https://learn.microsoft.com/en-us/azure/virtual-desktop/overview) from within the VNet. + +In the future, once [Express Route](../upcoming-features/express-route.md) is available, you will also be able to access these resources from the on-premises network. + +## Using Terraform to create Subnets + +If you are using Terraform to create your infrastructure, in particular the subnets within your assigned Virtual Network, please be aware of the following challenge. + +The Azure Landing Zones have an Azure Policy implemented that requires every subnet to have an associated Network Security Group (NSG) for security controls compliance. The issue is that Terraform does not support the creation of subnets with an associated NSG in a _single step_. + +Therefore, instead of using the `azurerm_subnet` resource to create subnets, you must use the `azapi_update_resource` resource from the [AzAPI Terraform Provider](https://registry.terraform.io/providers/Azure/azapi/latest/docs). This resource allows you to create subnets with an associated NSG in a single step. + +**Example code:** + +```hcl +resource "azapi_update_resource" "subnets" { + type = "Microsoft.Network/virtualNetworks/subnets@2023-04-01" + + name = "SubnetName" + parent_id = data.azurerm_virtual_network.vnet.id + # Note: Discovered the `locks` attribute for AzAPI from the following GitHub Issue: https://github.com/Azure/terraform-provider-azapi/issues/503 + # A list of ARM resource IDs which are used to avoid create/modify/delete azapi resources at the same time. 
+ locks = [ + data.azurerm_virtual_network.vnet.id + ] + + body = jsonencode({ + properties = { + networkSecurityGroup = { + id = azurerm_network_security_group.id + } + } + }) + + response_export_values = ["*"] +} +``` + +For further details about this limitation, please refer to the following GitHub Issue: [Example of using the Subnet Association resources with Azure Policy](https://github.com/hashicorp/terraform-provider-azurerm/issues/9022). + +## AzAPI Terraform provider (using `azapi_update_resource`) + +If you are using the [AzAPI Terraform Provider](https://learn.microsoft.com/en-us/azure/developer/terraform/overview), specifically the [azapi_update_resource](https://registry.terraform.io/providers/azure/azapi/latest/docs/resources/update_resource) resource, be aware of the following limitation: _When you delete `azapi_update_resource`, no operation will be performed, and these properties will stay unchanged. If you want to restore the modified properties to some values, you must apply the restored properties before deleting_. + +This means, changes to the `azapi_update_resource` resource may _appear_ to apply changes (ie. remove properties/configurations previous added according to the `terraform plan` output), but this doesn't actually apply those changes in Azure. + +## Working with resource locks + +As part of our security and governance measures, resource locks are automatically applied to critical infrastructure components, particularly networking resources like Virtual Networks (VNets). While these locks provide an important safeguard against accidental deletion, they can sometimes interfere with legitimate resource management tasks. + +### Deleting resources protected by locks + +If you encounter issues when trying to delete a resource you've created (such as a VM) due to a lock on the parent resource (like a VNet), follow these steps: + +1. **Identify the lock**: Locate the resource lock on the parent resource (usually the VNet). + +2. 
**Remove the lock**: You have permissions to remove these locks when necessary. To do so: + - Navigate to the VNet in the Azure portal + - Go to the "Locks" section + - Delete the lock that's preventing the operation + +3. **Perform your operation**: Once the lock is removed, you should be able to delete your resource as needed. + +4. **Be aware of automation**: Our automation systems will periodically reapply these locks to ensure ongoing protection. If you need the lock to remain off for an extended period, please contact the Cloud Pathfinder team. + +5. **Best practice**: After completing your task, if the automation hasn't yet reapplied the lock, consider manually reapplying it to maintain security. + +Remember, these locks are in place for good reason. Always double-check that you're deleting the correct resources and understand the implications before removing any locks. diff --git a/docs/azure/best-practices/ci-cd.md b/docs/azure/best-practices/ci-cd.md new file mode 100644 index 0000000..074c14e --- /dev/null +++ b/docs/azure/best-practices/ci-cd.md 
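Review bot: the Terraform example under `## Using Terraform to create Subnets` will not pass `terraform validate` as written: `id = azurerm_network_security_group.id` is missing the resource label, it needs to be `azurerm_network_security_group.<name>.id` (with whatever name the NSG resource was declared under). Second, the prose says `azapi_update_resource` lets you "create subnets with an associated NSG in a single step", but `azapi_update_resource` only sets properties on a resource that already exists; this is the same limitation the next section quotes ("When you delete `azapi_update_resource`, no operation will be performed"). If the subnet is meant to be created by this block, `azapi_resource` (with the same `type`, `parent_id` and `body`) is the resource that creates it; otherwise the text should say the subnet must already exist before this block is applied. Minor: "previous added" should be "previously added", and "ie." is used where "e.g." is meant throughout this file.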
@@ -0,0 +1,30 @@ +# CI/CD Best practices + +## GitHub Actions + +If you are using GitHub Actions for your CI/CD pipeline, consider the following best practices: + +* Use [OpenID Connect (OIDC) authentication](#configuring-github-action-oidc-authentication-to-azure) for GitHub Actions to authenticate with Azure. + +* [Self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners) on Azure are required to access data storage and database services from GitHub Actions. Public access to these services is not supported. + +* If using [Terraform](https://www.terraform.io/), be aware of the limitations when [creating Subnets](../best-practices/be-mindful.md#using-terraform-to-create-subnets), and the use of the [AzAPI Terraform Provider](be-mindful.md#azapi-terraform-provider-using-azapi_update_resource) + +### Configuring GitHub Action OIDC Authentication to Azure + +To allow GitHub Actions to securely access Azure subscriptions, use OpenID Connect (OIDC) authentication. + +For detailed instructions, see the [GitHub Actions OIDC Authentication Guide](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure). + +Here's a quick summary on how to set it up: + +1. The GitHub Identity Provider has already been configured in the Azure subscriptions in your Project Set +2. In your Azure subscription: + - Create an Entra ID application and a service principal + - Add federated credentials for the Entra ID application + - Create GitHub secrets for storing Azure configuration +3. In your GitHub workflows: + - Add permissions settings for the token + - Use the [azure/login](https://github.com/Azure/login) action to exchange the OIDC token (JWT) for a cloud access token + +This allows GitHub Actions to authenticate to Azure and access resources. 
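Review bot: the summary under `### Configuring GitHub Action OIDC Authentication to Azure` leaves out the two settings that readers need to get right. In step 2, "Add federated credentials for the Entra ID application" should say that the credential's subject claim must be restricted to the intended repository and branch or environment, since the subject is what limits which workflows can obtain a token for that application. In step 3, "Add permissions settings for the token" should name the setting, `permissions: id-token: write` (together with `contents: read`), and note that it is set at workflow or job level. Also qualify "Create GitHub secrets for storing Azure configuration": with OIDC the client ID, tenant ID and subscription ID are identifiers rather than secrets, and no client secret should be created on the Entra ID application at all, which is the point of the approach.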
diff --git a/docs/azure/design-build-deploy/deploy-to-the-azure-landing-zone.md b/docs/azure/design-build-deploy/deploy-to-the-azure-landing-zone.md new file mode 100644 index 0000000..243154e --- /dev/null +++ b/docs/azure/design-build-deploy/deploy-to-the-azure-landing-zone.md 
@@ -0,0 +1,50 @@ +# Deploy to the Azure Landing Zone + +Last updated: **September 24, 2024** + +There are multiple ways to deploy your application to the Azure Landing Zone. This document outlines a few examples at a high-level, but it is up to each team to determine the best approach for their application. + +## Azure portal (UI) + +The Azure Portal is a web-based application that allows you to manage your Azure resources. You can deploy your application to the Azure Landing Zone using the Azure Portal by following these steps: + +1. Sign in to the [Azure Portal](https://portal.azure.com/). +2. Click on the **Create a resource** button. +3. Search for the resource you want to create. +4. Click on the **Create** button. +5. Fill in the required information. +6. Click on the **Review + create** button. +7. Click on the **Create** button. + +![Azure Portal](../images/azure-portal-create-resource.png "Azure Portal") + +## Azure CLI + +The Azure CLI is a command-line tool that allows you to manage your Azure resources. You can deploy your application to the Azure Landing Zone using the Azure CLI by following these steps: + +1. Install the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli). +2. Sign in to your Azure account by running the `az login` command. +3. Create the resource you want by using the appropriate `az create` command. + +```azurecli +az login +az account set --subscription "" +``` + +**Note:** There are other command-line tools like [Azure PowerShell](https://learn.microsoft.com/en-us/powershell/azure/), that you can use to manage your Azure resources. You can choose the tool that you are most comfortable with. + +## GitHub Actions / Infrastructure-as-Code (IaC) + +GitHub Actions is a feature of GitHub that allows you to automate your workflow. Microsoft developed GitHub Actions for Azure and designed them be used with Azure. 
You can see all of the GitHub Actions for Azure in the [GitHub Marketplace](https://github.com/marketplace?query=Azure&type=actions). + +![GitHub Actions for Azure](../images/azure-github-actions-marketplace.png "GitHub Actions for Azure") + +**Note:** Be sure to review the [CI/CD Best Practices](../best-practices/ci-cd.md) before implementing GitHub Actions. + +### Infrastructure-as-Code (IaC) + +There are multiple ways to deploy your application to the Azure Landing Zone using Infrastructure-as-Code (IaC). You can use tools like [Terraform](https://www.terraform.io/), [Azure Resource Manager (ARM) templates](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/), [Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview?tabs=bicep), [Ansible](https://learn.microsoft.com/en-us/azure/developer/ansible/overview), [Chef](https://learn.microsoft.com/en-us/azure/developer/chef/overview), or [Pulumi](https://devblogs.microsoft.com/devops/infrastructure-as-code-azure-python-wpulumi/) to define your infrastructure as code and deploy it to Azure. + +While we don't have a specific example for each tool, we recommend that you choose the tool that you are most comfortable with and that best fits your needs. + +**Important:** If you are using Terraform to deploy your application to Azure, please take note of the following: [Using Terraform to Create Subnets](../best-practices/be-mindful.md#using-terraform-to-create-subnets) and [AzAPI Terraform Provider (using azapi_update_resource)](../best-practices/be-mindful.md#azapi-terraform-provider-using-azapi_update_resource). diff --git a/docs/azure/design-build-deploy/networking.md b/docs/azure/design-build-deploy/networking.md new file mode 100644 index 0000000..5dabcd7 --- /dev/null +++ b/docs/azure/design-build-deploy/networking.md 
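Review bot: in the `## Azure CLI` section of `deploy-to-the-azure-landing-zone.md`, `az account set --subscription ""` has an empty value; use an obvious placeholder such as `az account set --subscription "<subscription-id>"` and say where the ID comes from (`az account list`). Step 3, "using the appropriate `az create` command", names a command that does not exist; resources are created with service-specific commands such as `az group create` or `az webapp create`, so either give one of those as the example or say "the `create` subcommand of the relevant service group". Typo in the GitHub Actions paragraph: "designed them be used" should be "designed them to be used".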
@@ -0,0 +1,54 @@ +# Networking within the Azure Landing Zone + +Last updated: **October 3, 2024** + +Within each Project Set deployed in the Azure Landing Zone, a [Virtual Network (VNet)](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview) is created to provide network isolation and security for the resources deployed within it. This VNet is the foundation for all network connectivity within the Azure Landing Zone. + +This VNet is connected with the central hub (vWAN), and receives default routes to direct all traffic (ie. Internet and private) through the firewall in the central hub. + +There are no subnets that are pre-created within the VNet. Each team is responsible for creating their own subnets based on their requirements. Subnets should be created within the VNet to segment resources based on their function or security requirements. + +**IMPORTANT:** There are some security controls in place, that require every subnet to have an associated [Network Security Group (NSG)](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview). This may cause some challenges when creating subnets. The simplest approach is to create a NSG first, and then create the subnet (with the NSG associated with it). + +For further guidance on creating subnets with associated NSGs, refer to the [Be Mindful](../best-practices/be-mindful.md#using-terraform-to-create-subnets) documentation. + +## Spoke-to-Spoke connectivity + +If your team has multiple environments (ie. Dev, Test, Prod, Tools) within the same Project Set, you may require connectivity between the different environments. This is known as spoke-to-spoke connectivity. + +By default, this connectivity is disabled for security reasons. 
If you require spoke-to-spoke connectivity, you must submit a request to the Cloud Pathfinder team, who will review the request based on the security requirements, and make any necessary changes in the firewall to allow this type of traffic. + +## Internet connectivity + +All outbound traffic from the Azure Landing Zone is routed through the central hub and the firewall. This ensures that all traffic is inspected and monitored for security compliance. + +Advanced features are implemented and configured including: + +* Transport Layer Security (TLS) inspection + * Protection against malicious traffic that is sent from an internal client hosted in Azure to the Internet + * Protection against East-West traffic that goes from/to an on-premises network, to protect Azure workloads from potential malicious traffic sent from within Azure +* Intrusion Detection and Prevention (IDPS) + * Signature-based detection (applicable for both application and network-level traffic) +* URL filtering + * Applied both on HTTP and HTTPS traffic + * Target URL extraction and validation +* Web categories + * Allow or deny access to web site categories based on FQDN + +### Exposing services to the internet + +For more complex applications, an [Azure Application Gateway](https://learn.microsoft.com/en-us/azure/application-gateway/overview) is the preferred method for exposing your application to the Internet. It provides a web traffic (OSI layer 7) load balancer that enables you to manage traffic to your web applications. + +To adhere to security best practices, the Application Gateway should also be configured with a [Web Application Firewall (WAF)](https://learn.microsoft.com/en-us/azure/application-gateway/features#web-application-firewall) to protect your web applications from common exploits and vulnerabilities. 
+ +## Resource locks on networking components + +To maintain the integrity and stability of the networking infrastructure, resource locks are automatically applied to key networking components, including Virtual Networks (VNets). These locks prevent accidental deletion of critical resources. + +**Important:** If you need to delete a resource that you've created within the VNet (such as a VM), you may encounter issues due to these locks. In such cases: + +* You can temporarily remove the lock to perform the necessary operation. +* You have the permissions to remove these locks when needed. +* Be aware that our automation will reapply the locks periodically to ensure ongoing protection. + +For more detailed guidance on working with resource locks, please refer to the [Be Mindful](../best-practices/be-mindful.md#working-with-resource-locks) documentation. diff --git a/docs/azure/design-build-deploy/requirements.md b/docs/azure/design-build-deploy/requirements.md new file mode 100644 index 0000000..e6822da --- /dev/null +++ b/docs/azure/design-build-deploy/requirements.md 
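Review bot: in `networking.md`, the second sub-bullet under "Transport Layer Security (TLS) inspection" is contradictory as written: it describes "East-West traffic that goes from/to an on-premises network" and then "malicious traffic sent from within Azure" in one sentence, so the reader cannot tell whether it covers on-premises to Azure traffic or Azure to Azure traffic. Split it into the two cases (traffic between Azure and on-premises, and traffic between workloads inside Azure) or drop the one that is not actually inspected. Minor: "ie." should be "e.g." in "ie. Internet and private" and "ie. Dev, Test, Prod, Tools", and "create a NSG" should be "create an NSG".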
@@ -0,0 +1,38 @@ +# Requirements for building your application in Azure + +Last updated: **October 2, 2024** + +The following sections describe the requirements for building your application on the B.C. Government Public Cloud Azure Landing Zone. + +## Prerequisites + +1. Create a [provisioning request for a Project Set](../../get-started/provision-a-project-set.md) for your team on the B.C. Government Public Cloud. + +2. Once approved, your Project Set will be provisioned, followed up by an email sent to the Product Owner and Technical Lead(s) once the provisioning is complete. + +3. Learn how to manage user access to Azure by reviewing [User Management in Azure](user-management.md). + +## Limitations of the Azure Landing Zone + +Take the following into consideration when building your application in the Azure Landing zone: + +* There is no direct (private) connectivity to the B.C. Government network. Any application requiring access to data on this network must use a public endpoint. + * See [Upcoming Features: Express Route](../upcoming-features/express-route.md) for more information. + +* Only HTTPS applications that are compatible with public endpoints through [Azure Application Gateway](https://learn.microsoft.com/en-us/azure/application-gateway/overview) are supported. + +* The only supported regions are Canada Central (ie. `canadacentral`) and Canada East (ie. `canadacentral`). + +* Most networking is under the management of the Azure Landing Zone and is not subject to change. + * See [Networking within the Azure Landing Zone](networking.md) for more information. 
+ +## Next steps + +* [Deploy to the Azure Landing Zone](deploy-to-the-azure-landing-zone.md) + +## Related pages + +* [Provision a Project Set](../../get-started/provision-a-project-set.md) +* [User Management in Azure](user-management.md) +* [Configuring GitHub Action OIDC Authentication to Azure](../best-practices/ci-cd.md#configuring-github-action-oidc-authentication-to-azure) +* [Deploy to the Azure Landing Zone](deploy-to-the-azure-landing-zone.md) diff --git a/docs/azure/design-build-deploy/sample-apps.md b/docs/azure/design-build-deploy/sample-apps.md new file mode 100644 index 0000000..52325db --- /dev/null +++ b/docs/azure/design-build-deploy/sample-apps.md @@ -0,0 +1,10 @@ +# Azure Sample Applications + +Last updated: **October 8, 2024** + +We have several example applications to help you get started with building and deploying applications in the Azure Landing Zone. + +* Container-based application: [Azure Startup Sample Application (Containers)](https://github.com/bcgov/azure-startup-sample-app-containers) +* Serverless-based application: [Azure Startup Sample Application (Serverless)](https://github.com/bcgov-c/ecf-azure-startup-sample-app-serverless) + +For additional guidance on application architecture, please refer to the [Microsoft Architecture Center](https://docs.microsoft.com/en-us/azure/architecture/). diff --git a/docs/azure/design-build-deploy/user-management.md b/docs/azure/design-build-deploy/user-management.md new file mode 100644 index 0000000..aed92fe --- /dev/null +++ b/docs/azure/design-build-deploy/user-management.md 
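Review bot: in the `## Limitations of the Azure Landing Zone` list of `requirements.md`, the region bullet gives the same identifier twice: "Canada East (ie. `canadacentral`)" should be `canadaeast`; a reader copying this into a deployment will land in the wrong region. The same bullet and the surrounding text use "ie." where "e.g." is meant. Minor wording: "followed up by an email" should be "followed by an email", and "Azure Landing zone" should match the "Azure Landing Zone" capitalisation used elsewhere in the file.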
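Review bot: in `sample-apps.md` the serverless sample links to `https://github.com/bcgov-c/ecf-azure-startup-sample-app-serverless`, which is under the `bcgov-c` organisation rather than the public `bcgov` organisation used by the container sample; readers without membership in that org will get a 404. Either note that access to `bcgov-c` is required and how to request it, or publish the sample under `bcgov` like the container one.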
@@ -0,0 +1,61 @@ +# User management in the Azure Landing Zone + +Last updated: **October 3, 2024** + +This guide provides an overview of user management in the Azure Landing Zone, specifically tailored for Product Owners (POs) and Technical Leads (TLs) who have been granted a restricted Owner role on the Project Set Management Group. This role is inherited on the subscription within the Project Set. + +## What you can do + +As a Product Owner or Technical Lead with restricted Owner permissions, you have the ability to: + +* Assign users to roles at various levels: + + - Project Set Management Group (prefixed with your Project Set license plate, ie. "abc123") + - Subscription (prefixed with your Project Set license plate, ie. "abc123") + - Resource groups + - Individual resources + +* Create [custom Roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles) +* Create and manage [Service Principals](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser) +* Create and manage [Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) +* Create and manage all resources within your subscription + +## What you can't do + +As a Product Owner or Technical Lead with restricted Owner permissions, you do not have the ability to: + +* Assign users to an Owner role + +## Best practices for user management + +To ensure secure and efficient user management, we recommend the following best practices: + +1. **Assign roles at higher levels**: Whenever possible, assign users to roles at the Management Group or Subscription levels. This approach simplifies management and provides consistent access across resources. + +2. **Follow the principle of least privilege**: Only give users the roles they need to perform their specific job functions. This minimizes potential security risks. + +3. 
**Regularly review access**: Periodically review user access and remove unnecessary permissions to maintain a secure environment. + +## How to manage users in the Azure portal + +To manage users and their roles: + +1. Log in to the [Azure portal](https://portal.azure.com). + +2. Navigate to your Subscription or Management Group (remember, these are prefixed with your Project Set license plate, ie. "abc123"). + +3. In the left sidebar, click on "**Access control (IAM)**". + +4. Use the "**Add**" button to assign new roles to users. + +5. Use the "**Role assignments**" tab to view and manage existing role assignments. + +6. To create custom roles, use the "**Roles**" tab and click "**Add custom role**". + +Remember, user management is a critical aspect of maintaining a secure and well-organized Azure environment. Always double-check your assignments and follow your organization's security policies. + +For more detailed instructions on specific tasks or advanced user management techniques, please refer to the [official Azure documentation](https://docs.microsoft.com/en-us/azure/role-based-access-control/). + +## Note on Project Set license plates + +Your Subscriptions and Management Groups are prefixed with your unique Project Set license plate (ie. "abc123"). This prefix helps identify and organize resources specific to your project. When navigating the Azure portal or assigning roles, always look for resources and groups that start with your Project Set license plate. diff --git a/docs/azure/get-started-with-azure/bc-govs-azure-landing-zone-overview.md b/docs/azure/get-started-with-azure/bc-govs-azure-landing-zone-overview.md new file mode 100644 index 0000000..a65d953 --- /dev/null +++ b/docs/azure/get-started-with-azure/bc-govs-azure-landing-zone-overview.md 
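Review bot: in `user-management.md` the first two best practices pull against each other. Item 1 says "Whenever possible, assign users to roles at the Management Group or Subscription levels", while item 2 says to "Follow the principle of least privilege"; assigning at Management Group scope is the broadest grant available to a restricted Owner. Put least privilege first and qualify item 1 as applying to roles that genuinely need subscription-wide scope, with narrower scopes (resource group or resource) for everything else. Item 3, "Regularly review access", could point at the "Role assignments" tab from step 5 of the portal walkthrough so readers know where to do the review. Minor: "ie. \"abc123\"" is an example, so "e.g." is the right abbreviation in all three places it appears.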
@@ -0,0 +1,60 @@ +# B.C. Government OCIO Azure Landing Zone overview + +Last updated: **October 3, 2024** + +An overview of the B.C. Government OCIO's Landing Zone in Azure, how to get access, its benefits, components, and features. + +--- + +## Benefits of building apps in the Azure Public Cloud + +For B.C. Government ministry teams developing applications in the Azure Public Cloud, the OCIO Landing Zone provides a secure, compliant, and efficient pathway. This facilitates the creation of innovative and responsive applications that effectively serve the public. + +The [Microsoft Cloud Adoption Framework (CAF)](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/overview), and [Well-Architected Framework (WAF)](https://learn.microsoft.com/en-us/azure/well-architected/what-is-well-architected-framework) ensures that you can develop and deploy applications in a secure, compliant, and controlled Azure environment, enabling you to focus on delivering innovative and effective digital services. + +The following diagram illustrates the Cloud Adoption Framework (CAF) and the various components that support the Landing Zones. For more information, please refer to the official Microsoft documentation on [What is an Azure Landing Zone?](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/) + +[![Microsoft Azure Landing Zone Architecture](../images/azure-landing-zone-architecture-diagram-hub-spoke.svg "Microsoft Azure Landing Zone Architecture")](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/media/azure-landing-zone-architecture-diagram-hub-spoke.svg#lightbox) + +## Components and features + +In this section, we'll provide a high level overview of the components and features of the OCIO's Landing Zone in Azure. 
+ +### Security guardrails + +The built-in Azure Policy [Regulatory Compliance](https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-initiatives#regulatory-compliance) initiatives provides a security framework for B.C. Government ministry teams developing applications in the Azure Public Cloud. This framework includes both preventative and detective controls to ensure a secure and compliant cloud environment. + +[Microsoft Defender for Cloud (MDfC)](https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction) (formerly known as Security Center) offers a centralized dashboard for assessing the security posture of your resources in Azure. Defender for Cloud frameworks such as the [Microsoft Cloud Security Benchmark](https://learn.microsoft.com/en-us/security/benchmark/azure/overview), [CIS Microsoft Azure Foundations Benchmark](https://learn.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-2-0-0), [Cloud Security Posture Management (CSPM)](https://learn.microsoft.com/en-us/azure/defender-for-cloud/concept-cloud-security-posture-management), [NIST SP 800-53](https://learn.microsoft.com/en-us/azure/governance/policy/samples/nist-sp-800-53-r5), and [Canada Federal PBMM](https://learn.microsoft.com/en-us/azure/governance/policy/samples/canada-federal-pbmm) have been enabled for comprehensive checks against Azure resources. + +[![Defender for Cloud Overview](../images/defender-for-cloud-overview.png "Defender for Cloud Overview")](https://learn.microsoft.com/en-us/azure/reusable-content/ce-skilling/azure/media/defender-for-cloud/overview.png#lightbox) + +### Networking + +The Cloud Adoption Framework (CAF) implements a hub-and-spoke network topology. The hub is the central point of connectivity to the on-premises network, and the spoke is the virtual network that connects to the hub. 
The hub-and-spoke model allows for the centralization of services and management, while providing isolation and segmentation for workloads. + +B.C. Government has implemented the hub-and-spoke module using the modern [Virtual WAN (vWAN)](https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about) architecture. Within this architecture, each Project Set is provisioned with a spoke Virtual Network (VNet) that connects to the Virtual Hub (vHub) Virtual Network (VNet). + +[![Virtual WAN Network Topology](../images/virtual-wan-topology.png "Virtual WAN Network Topology")](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/media/virtual-wan-topology.png#lightbox) + +For additional information, please refer to the [Networking within the Azure Landing Zone](../design-build-deploy/networking.md) documentation. + +### Monitoring and logging + +The Cloud Adoption Framework (CAF) implements the components necessary for centralized monitoring and logging, include: [Azure Monitor](https://learn.microsoft.com/en-us/azure/azure-monitor/overview), [Azure Activity Logs](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-insights), [Azure Metrics](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-platform-metrics), and a centralized [Log Analytics Workspace](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview). + +Baseline metric, activity log, and log query alerts are available for landing zone platform components and other selected landing zone components. They're based on Microsoft-recommended practices for proactive monitoring, such as setting up alerts, thresholds, and notifications for timely problem detection and response. 
+ +[![Azure Monitor Baseline Alerts](../images/azure-monitor-baseline-alerts-policy-initiative-flow.svg "Azure Monitor Baseline Alerts")](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/media/azure-monitor-baseline-alerts-policy-initiative-flow.svg#lightbox) + +While some default baselines have been implemented (primarily for regulatory compliance), each team is responsible for setting up [Alerts / Rules](https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview) and [Action Groups](https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups) based on their specific requirements. + +## Next steps + +- [Deploy to the Azure Landing Zone](../design-build-deploy/deploy-to-the-azure-landing-zone.md) + +## Related pages + +- [Public cloud services](https://digital.gov.bc.ca/cloud/services/public) +- [Public cloud hosting 101](https://digital.gov.bc.ca/cloud/services/public/intro/) +- [Deploy to the Azure Landing Zone](../design-build-deploy/deploy-to-the-azure-landing-zone.md) +- [IAM User Management](../design-build-deploy/user-management.md) diff --git a/docs/azure/images/accumulated-costs-view.png b/docs/azure/images/accumulated-costs-view.png new file mode 100644 index 0000000..9e00d8a Binary files /dev/null and b/docs/azure/images/accumulated-costs-view.png differ diff --git a/docs/azure/images/advisor-recommendations.png b/docs/azure/images/advisor-recommendations.png new file mode 100644 index 0000000..d1d6503 Binary files /dev/null and b/docs/azure/images/advisor-recommendations.png differ diff --git a/docs/azure/images/azure-github-actions-marketplace.png b/docs/azure/images/azure-github-actions-marketplace.png new file mode 100644 index 0000000..6a55734 Binary files /dev/null and b/docs/azure/images/azure-github-actions-marketplace.png differ 
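Review bot: "initiatives provides" in the Security guardrails paragraph needs a plural verb ("initiatives provide"), and in Monitoring and logging "implements the components necessary for centralized monitoring and logging, include:" should read "including:". In the Networking paragraph "hub-and-spoke module" should be "hub-and-spoke model", matching the sentence before it. The Security guardrails list names Cloud Security Posture Management (CSPM) alongside the Microsoft Cloud Security Benchmark, CIS, NIST SP 800-53 and Canada Federal PBMM as if it were another compliance standard; CSPM is the Defender for Cloud capability that evaluates those standards, so it reads better as a separate sentence rather than one more "framework that has been enabled". Minor: "Deploy to the Azure Landing Zone" is linked under both Next steps and Related pages; one of the two is enough.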
diff --git a/docs/azure/images/azure-landing-zone-architecture-diagram-hub-spoke.svg b/docs/azure/images/azure-landing-zone-architecture-diagram-hub-spoke.svg new file mode 100644 index 0000000..cdee4ee --- /dev/null +++ b/docs/azure/images/azure-landing-zone-architecture-diagram-hub-spoke.svg 
@@ -0,0 +1,10195 @@
[SVG drawing data elided: "ALZ Hub & Spoke" diagram (Version: 2024-08-16), a Microsoft reference diagram with "Contoso" placeholder naming. Recoverable labels: Enterprise Enrollment/Microsoft Customer Agreement; Microsoft Entra ID, Privileged Identity Management and on-premises Active Directory Domain Services (identity and access management); Tenant root group with Platform (Management, Identity, Connectivity), Landing zones (Corp, Online), Sandbox and Decommissioned management groups; Management subscription (Log Analytics Workspace, Automation account(s), Dashboards, Recovery Services vault(s), Change tracking, Inventory management, Update management); Connectivity subscription (Hub VNet Region 1 and Region N with Azure Firewall, Azure Firewall Policies, VPN/ExpressRoute Gateways, ExpressRoute Circuits, Azure DNS, Azure DNS Private Resolver, Azure DDoS Network Protection); Identity subscription (vNet with DC1/DC2/DC3 or Entra ID Domain Services); Landing zone P1 and A2 subscriptions (vNet Region 1/N, DNS, UDR(s), NSG/ASG(s), Resource group(s), VNet peering, Role assignment, Policy assignment, Network Watcher, Defender for Cloud, Cost management); Platform DevOps team (Git Repository, Deployment pipeline(s), Boards, Wiki; Subscription provisioning, Role provisioning, Policy deployment, Platform deployment; Role/Policy/PolicySet definitions, Role/Policy assignments, Resource templates); Compliant VM templates (VM SKU(s), Access credentials, In-guest policies/DSC, Backup policy, Extensions, Tagging). The diagram notes that platform teams may host their own services (for example VM image management, Platform Team APIs for subscription vending and Entra ID tasks) in normal Landing Zone subscriptions. The remainder of the hunk is SVG geometry and continues beyond this section.]
Sheet.7650 + + + + + Sheet.7651 + + + + Sheet.7652 + + + + + Sheet.8369 + Dashboards (Azure portal) + + + + + + + Dashboards(Azure portal) + + Sheet.8371 + Shared services + + + + + + + Sharedservices + + Dynamic connector.11517 + + + + + + + Dynamic connector.11518 + + + + + + Sheet.11520 + + + + + + + Sheet.11521 + + + + + + + Sheet.11522 + + + + + + + Sheet.11523 + + + + + + + Sheet.11524 + + + + + + + Sheet.11525 + + + + + + + + + + Sheet.11344 + + Sheet.11345 + + + + + Sheet.11346 + + + + + Sheet.11347 + + Sheet.11348 + + + + Sheet.11349 + + + + + Sheet.11350 + + + + + Sheet.11351 + + + + + Sheet.11352 + + Sheet.11353 + + + + Sheet.11354 + + + + Sheet.11355 + + + + Sheet.11356 + + + + Sheet.11357 + + + + e99c3387-15c3-4f28-bd4b-cb209b4 + + + + + Sheet.11359 + + Sheet.11360 + + Sheet.11361 + + + + Sheet.11362 + + + + Sheet.11363 + + + + Sheet.11364 + + + + Sheet.11365 + + + + + Sheet.11366 + + Sheet.11367 + + + + Sheet.11368 + + + + Sheet.11369 + + + + Sheet.11370 + + + + Sheet.11371 + + + + + + + Sheet.7759 + Azure Key Vault + + + + + + + AzureKey Vault + + + + + Sheet.7760 + + aacf8311-a317-400f-b613-74bd00d + + + + Sheet.7762 + + + + Sheet.7763 + + bd983c41-db73-40ec-a4f4-da1213f + + + + ad2e7e44-9bfd-4775-8bf4-8ef26a5 + + + + a996fbff-3936-4b24-b407-369336c + + + + bb12d31c-3352-4a18-87dd-a169a4a + + + + + + Sheet.7768 + Storage (file, blob) + + + + + + + Storage (file, blob) + + Sheet.7769 + + + + + + + Sheet.7770 + Backup/Site Recovery Vaults + + + + + + + Backup/Site Recovery Vaults + + + + + Sheet.7771 + + Icon-manage-307 + + Sheet.7773 + + + + Sheet.7774 + + + + Sheet.7775 + + + + + + + + + Sheet.7776 + + Sheet.7777 + + Sheet.7778 + + + + Sheet.7779 + + + + Sheet.7780 + + + + Sheet.7781 + + + + Sheet.7782 + + + + + + + + + Sheet.7783 + + Sheet.7784 + + Sheet.7785 + + + + Sheet.7786 + + + + Sheet.7787 + + + + + + Sheet.7788 + For application logs + + + + + + + For application logs + + + + + Sheet.7790 + + Sheet.7791 + Azure Key Vault + + + + + + + 
AzureKey Vault + + + + + Sheet.7792 + + aacf8311-a317-400f-b613-74bd00d + + + + Sheet.7794 + + + + Sheet.7795 + + bd983c41-db73-40ec-a4f4-da1213f + + + + ad2e7e44-9bfd-4775-8bf4-8ef26a5 + + + + a996fbff-3936-4b24-b407-369336c + + + + bb12d31c-3352-4a18-87dd-a169a4a + + + + + + Sheet.7800 + Storage (file, blob) + + + + + + + Storage (file, blob) + + Sheet.7801 + + + + + + + Sheet.7802 + Backup/Site Recovery Vaults + + + + + + + Backup/Site Recovery Vaults + + + + + Sheet.7803 + + Icon-manage-307 + + Sheet.7805 + + + + Sheet.7806 + + + + Sheet.7807 + + + + + + + + + Sheet.7808 + + Sheet.7809 + + Sheet.7810 + + + + Sheet.7811 + + + + Sheet.7812 + + + + Sheet.7813 + + + + Sheet.7814 + + + + + + + + + Sheet.7815 + + Sheet.7816 + + Sheet.7817 + + + + Sheet.7818 + + + + Sheet.7819 + + + + + + + Sheet.7821 + Other Applications/Components + + + + + + + Other Applications/Components + + + + + Sheet.7833 + + Sheet.8370 + Managed Identities + + + + + + + Managed Identities + + + + + Sheet.7822 + + MSI_2 + + Sheet.7824 + + + + Sheet.7825 + + + + Sheet.7826 + + + + Sheet.7827 + + + + Sheet.7828 + + + + Sheet.7829 + + + + Sheet.7830 + + + + Sheet.7831 + + + + Sheet.7832 + + + + + + + Sheet.8952 + Log Analytics Workspace + + + + + + + Log Analytics Workspace + + Sheet.8953 + For application logs + + + + + + + For application logs + + Sheet.8954 + Log Analytics Workspace + + + + + + + Log Analytics Workspace + + + + + + Sheet.6993 + + Sheet.6592 + Landing zone A1 subscription + + + + + + + Landing zoneA1 subscription + + Sheet.6593 + Landing zone A2 subscription + + + + + + + Landing zoneA2 subscription + + Dynamic connector.8951 + + + + + + + Sheet.7834 + Landing zone P1 subscription + + + + + + + Landing zone P1 subscription + + Dynamic connector.8384 + + + + + + + + diff --git a/docs/azure/images/azure-monitor-baseline-alerts-policy-initiative-flow.svg b/docs/azure/images/azure-monitor-baseline-alerts-policy-initiative-flow.svg new file mode 100644 index 0000000..95dcf6a 
--- /dev/null +++ b/docs/azure/images/azure-monitor-baseline-alerts-policy-initiative-flow.svg 
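Review bot: the SVG added in the hunk above is a raw Visio export (thousands of empty `Sheet.NNNN` groups and duplicated text runs such as `Role assignment` / `Roleassignment`, `Azure Key Vault` / `AzureKey Vault`), which makes the diff unreviewable and the file far larger than the diagram needs; run it through an SVG optimizer before committing and, because the file will be served to browsers by the docs site, confirm the export carries no script elements or external references. The layer names that look like GUIDs (for example `e3d1e58c-f78e-4fb5-9857-0c9331d`, `aacf8311-a317-400f-b613-74bd00d`, `e99c3387-15c3-4f28-bd4b-cb209b4`) appear to be stencil artifacts, but please confirm none of them are real tenant, subscription or resource identifiers before the file lands in the repository. The same applies to the `azure-monitor-baseline-alerts-policy-initiative-flow.svg` file introduced next, whose header shows a 9,158-line addition.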
@@ -0,0 +1,9158 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + VBackground-1 + + + Solid + + + + + + + + + + + + + + azure-monitor-baseline-alerts-policy-initiative-flow + + + + + + + Sheet.2 + + + + Sheet.3 + + + + Sheet.4 + Microsoft Entra ID + + + + + Microsoft Entra ID + + Sheet.5 + + + + Sheet.6 + + + + Sheet.7 + + + + Sheet.8 + + + + Sheet.9 + + + + Sheet.10 + + + + + Sheet.11 + + + + Sheet.12 + Tenant root group + + + + + Tenant root group + + Sheet.13 + + + + Sheet.14 + SAP + + + + + SAP + + Sheet.15 + + Sheet.16 + + + + Sheet.17 + + + + Sheet.18 + + + + Sheet.19 + + + + Sheet.20 + + + + Sheet.21 + + + + + Sheet.22 + + Sheet.23 + + + + Sheet.24 + + + + + + Sheet.25 + + Sheet.26 + + + + Sheet.27 + + + + + + Sheet.28 + + Sheet.29 + + + + Sheet.30 + + + + + + Sheet.31 + + + + + Sheet.32 + + Sheet.33 + + + + Sheet.34 + + + + + + Sheet.35 + + + + + Sheet.36 + + Sheet.37 + + + + Sheet.38 + + + + + + Sheet.39 + + + + + Sheet.40 + Online + + + + + Online + + Sheet.41 + Decommissioned + + + + + Decommissioned + + Sheet.42 + Contoso + + + + + Contoso + + Sheet.43 + Decommissioned subscription + + + + + Decommissionedsubscription + + Sheet.44 + Sandbox subscription 1 + + + + + Sandboxsubscription 1 + + Sheet.45 + Sandbox subscription 2 + + + + + Sandboxsubscription 2 + + Sheet.46 + Management group + + + + + Management group + + Sheet.47 + Subscriptions + + + + + Subscriptions + + Sheet.48 + + Sheet.49 + + + + Sheet.50 + + + + Sheet.51 + + + + Sheet.52 + + + + Sheet.53 + + + + Sheet.54 + + + + Sheet.55 + + + + 
Sheet.56 + + + + + Sheet.57 + + Sheet.58 + + + + Sheet.59 + + + + Sheet.60 + + + + Sheet.61 + + + + Sheet.62 + + + + + Sheet.63 + Management subscription + + + + + Management subscription + + Sheet.64 + + + + Sheet.65 + Role assignment + + + + + Roleassignment + + Sheet.66 + Policy assignment + + + + + Policy assignment + + Sheet.67 + Network Watcher + + + + + NetworkWatcher + + Sheet.68 + Defender for Cloud + + + + + Defender for Cloud + + Sheet.69 + + + + Sheet.70 + + + + Sheet.71 + + + + Sheet.72 + Azure Key Vault + + + + + AzureKey Vault + + Sheet.73 + + Sheet.74 + + + + Sheet.75 + + + + Sheet.76 + + + + Sheet.77 + + + + Sheet.78 + + + + Sheet.79 + + + + Sheet.80 + + + + Sheet.81 + + + + + Sheet.82 + + Sheet.83 + + + + Sheet.84 + + + + Sheet.85 + + + + Sheet.86 + + + + Sheet.87 + + + + + Sheet.88 + + + + Sheet.89 + + + + Sheet.90 + + + + + Sheet.91 + + + + + Sheet.92 + + + + + Sheet.93 + + + + + Sheet.94 + + Sheet.95 + + + + Sheet.96 + + + + + + Sheet.97 + + Sheet.98 + + + + bd0aa3dd-0b00-4321-a08d-35d4016 + + + + bda038fc-05f8-4c73-8191-dcc998c + + + + f698805f-4654-42cb-b2bf-38f0a92 + + + + f83fd769-9efd-4d02-bd0d-a012d7e + + + + + Sheet.103 + + + + Sheet.104 + + + + Sheet.105 + + + + Sheet.106 + + aacf8311-a317-400f-b613-74bd00d + + + + Sheet.108 + + + + Sheet.109 + + bd983c41-db73-40ec-a4f4-da1213f + + + + ad2e7e44-9bfd-4775-8bf4-8ef26a5 + + + + a996fbff-3936-4b24-b407-369336c + + + + bb12d31c-3352-4a18-87dd-a169a4a + + + + + + Sheet.114 + + Sheet.115 + + + + Sheet.116 + + + + Sheet.117 + + + + Sheet.118 + + + + Sheet.119 + + + + Sheet.120 + + + + Sheet.121 + + + + + Sheet.122 + + Sheet.123 + + + + Sheet.124 + + + + Sheet.125 + + + + Sheet.126 + + + + + Sheet.127 + + f57e105d-6d2d-4ad7-b8c3-c10684c + + Sheet.129 + + + + Sheet.130 + + + + + + Sheet.131 + + + + Sheet.132 + + + + Sheet.133 + + + + Sheet.134 + + + + + Sheet.135 + + Sheet.136 + + + + Sheet.137 + + + + Sheet.138 + + + + Sheet.139 + + + + Sheet.140 + + + + Sheet.141 + + + + Sheet.142 + + + + + 
Sheet.143 + + Sheet.144 + + + + Sheet.145 + + + + Sheet.146 + + + + Sheet.147 + + + + Sheet.148 + + + + + Sheet.149 + + + + + Sheet.150 + + + + + Sheet.151 + + Sheet.152 + + + + Sheet.153 + + + + + + Sheet.154 + + Sheet.155 + + + + Sheet.156 + + + + Sheet.157 + + + + + Sheet.158 + + Sheet.159 + + + + Sheet.160 + + + + Sheet.161 + + + + Sheet.162 + + Sheet.163 + + + + Sheet.164 + + + + Sheet.165 + + + + Sheet.166 + + + + Sheet.167 + + + + + Sheet.168 + + + + Sheet.169 + + + + + Sheet.170 + + + + Sheet.171 + + + + + Sheet.172 + + Sheet.173 + + Sheet.174 + + + + Sheet.175 + + + + Sheet.176 + + + + + Sheet.177 + + + + Sheet.178 + + + + Sheet.179 + + + + Sheet.180 + + + + Sheet.181 + + + + Sheet.182 + + + + Sheet.183 + + + + Sheet.184 + + + + + Sheet.185 + + Sheet.186 + + + + Sheet.187 + + + + Sheet.188 + + + + Sheet.189 + + + + Sheet.190 + + + + Sheet.191 + + + + Sheet.192 + + + + Sheet.193 + + + + + Sheet.194 + + Sheet.195 + + + + Sheet.196 + + + + Sheet.197 + + + + Sheet.198 + + + + Sheet.199 + + + + + Sheet.200 + + Sheet.201 + + Sheet.202 + + + + Sheet.203 + + + + Sheet.204 + + + + Sheet.205 + + + + + Sheet.206 + + e3d1e58c-f78e-4fb5-9857-0c9331d + + + + a21a8f7a-61cc-4035-8449-e5c8fe4 + + + + ecd3189c-fb1e-4a0e-a2b6-ba2f11d + + + + a1949a3c-4818-4bd1-b236-0d970b9 + + + + + + Sheet.211 + Connectivity subscription + + + + + Connectivity subscription + + Sheet.212 + Role assignment + + + + + Roleassignment + + Sheet.213 + Policy assignment + + + + + Policy assignment + + Sheet.214 + Network Watcher + + + + + NetworkWatcher + + Sheet.215 + Defender for Cloud + + + + + Defender for Cloud + + Sheet.216 + VNet peering + + + + + VNet peering + + Sheet.217 + Azure DNS + + + + + Azure DNS + + Sheet.218 + Azure DDoS Standard + + + + + AzureDDoSStandard + + Sheet.219 + Role assignment + + + + + Roleassignment + + Sheet.220 + Policy assignment + + + + + Policy assignment + + Sheet.221 + Network Watcher + + + + + NetworkWatcher + + Sheet.222 + Defender for Cloud + + + + + 
Defender for Cloud + + Sheet.223 + + Sheet.224 + + Sheet.225 + + + + Sheet.226 + + + + Sheet.227 + + + + Sheet.228 + + + + + Sheet.229 + + e3d1e58c-f78e-4fb5-9857-0c9331d + + + + a21a8f7a-61cc-4035-8449-e5c8fe4 + + + + ecd3189c-fb1e-4a0e-a2b6-ba2f11d + + + + a1949a3c-4818-4bd1-b236-0d970b9 + + + + + + Sheet.234 + Landing zone A2 subscription + + + + + Landing zone A2 subscription + + Sheet.235 + Virtual network + + + + + Virtualnetwork + + Sheet.236 + DNS + + + + + DNS + + Sheet.237 + UDR(s) + + + + + UDR(s) + + Sheet.238 + NSG/ASG(s) + + + + + NSG/ASG(s) + + Sheet.239 + Resource groups(s) + + + + + Resource groups(s) + + Sheet.240 + Application + + + + + Application + + Sheet.241 + Application + + + + + Application + + Sheet.242 + Application + + + + + Application + + Sheet.243 + Dashboards (Azure portal) + + + + + Dashboards(Azure portal) + + Sheet.244 + Recovery Services vault(s) + + + + + Recovery Servicesvault(s) + + Sheet.245 + Shared services + + + + + Sharedservices + + Dynamic connector.8373 + + + + Sheet.247 + Compliant VM templates + + + + + CompliantVM templates + + Sheet.248 + Access credentials In-guest policies/DSC Backup policy Extens... + + + + + · Access credentials· In-guest policies/DSC· Backup policy· Extensions· Tagging + + Sheet.249 + File Share + + + + + File Share + + Sheet.250 + Recovery... + + + + + Recovery... + + Dynamic connector.8381 + + + + Dynamic connector.8382 + + + + Dynamic connector.8383 + + + + Dynamic connector.8384 + + + + Sheet.255 + + + + Sheet.256 + + + + Sheet.257 + + + + Sheet.258 + Recovery... + + + + + Recovery... 
+ + Sheet.259 + Azure Key Vault + + + + + AzureKey Vault + + Sheet.260 + + aacf8311-a317-400f-b613-74bd00d + + + + Sheet.262 + + + + Sheet.263 + + bd983c41-db73-40ec-a4f4-da1213f + + + + ad2e7e44-9bfd-4775-8bf4-8ef26a5 + + + + a996fbff-3936-4b24-b407-369336c + + + + bb12d31c-3352-4a18-87dd-a169a4a + + + + + + Sheet.268 + + + + Sheet.269 + + + + Sheet.270 + + + + Sheet.271 + + + + Sheet.272 + + + + Sheet.273 + + + + Sheet.274 + + + + Sheet.275 + + + + Sheet.276 + + + + Sheet.277 + + + + Sheet.278 + DC1 + + + + + DC1 + + Sheet.279 + DC2 + + + + + DC2 + + Sheet.280 + Identity subscription + + + + + Identity subscription + + Sheet.281 + + Sheet.282 + + Sheet.283 + + + + Sheet.284 + + + + Sheet.285 + + + + Sheet.286 + + + + + Sheet.287 + + e3d1e58c-f78e-4fb5-9857-0c9331d + + + + a21a8f7a-61cc-4035-8449-e5c8fe4 + + + + ecd3189c-fb1e-4a0e-a2b6-ba2f11d + + + + a1949a3c-4818-4bd1-b236-0d970b9 + + + + + + Sheet.292 + Resource group(s) + + + + + Resource group(s) + + Dynamic connector.8644 + + + + Sheet.294 + Cost management + + + + + Costmanagement + + Sheet.295 + Azure Monitor + + + + + AzureMonitor + + Sheet.296 + Role assignment + + + + + Roleassignment + + Sheet.297 + Policy assignment + + + + + Policy assignment + + Sheet.298 + Network Watcher + + + + + NetworkWatcher + + Sheet.299 + Defender for Cloud + + + + + Defender for Cloud + + Sheet.300 + + Sheet.301 + + Sheet.302 + + + + Sheet.303 + + + + Sheet.304 + + + + + Sheet.305 + + + + Sheet.306 + + + + Sheet.307 + + + + Sheet.308 + + + + Sheet.309 + + + + Sheet.310 + + + + Sheet.311 + + + + + Sheet.312 + + Sheet.313 + + + + Sheet.314 + + + + + Sheet.315 + + Sheet.316 + + + + Sheet.317 + + + + Sheet.318 + + + + Sheet.319 + + + + Sheet.320 + + + + Sheet.321 + + + + Sheet.322 + + + + Sheet.323 + + + + Sheet.324 + + + + + Sheet.325 + + Sheet.326 + + + + Sheet.327 + + + + Sheet.328 + + + + Sheet.329 + + + + Sheet.330 + + + + Sheet.331 + + + + Sheet.332 + + + + Sheet.333 + + + + + Sheet.334 + + Sheet.335 + + + + Sheet.336 + + 
+ + Sheet.337 + + + + Sheet.338 + + + + Sheet.339 + + + + + Sheet.340 + + + + Sheet.341 + + + + Sheet.342 + + Sheet.343 + + + + Sheet.344 + + + + Sheet.345 + + + + Sheet.346 + + + + Sheet.347 + + + + Sheet.348 + + + + Sheet.349 + + + + Sheet.350 + + + + + Sheet.351 + + Sheet.352 + + + + Sheet.353 + + + + Sheet.354 + + + + Sheet.355 + + + + Sheet.356 + + + + + Sheet.357 + + + + Sheet.358 + + + + Sheet.359 + + + + Sheet.360 + Applications + + + + + Applications + + Sheet.361 + Applications + + + + + Applications + + Sheet.362 + Applications + + + + + Applications + + Sheet.363 + Role assignment + + + + + Roleassignment + + Sheet.364 + Policy assignment + + + + + Policy assignment + + Sheet.365 + Network Watcher + + + + + NetworkWatcher + + Sheet.366 + Defender for Cloud + + + + + Defender for Cloud + + Icon-manage-316 + + Sheet.368 + + + + Sheet.369 + + + + Sheet.370 + + + + Sheet.371 + + + + Sheet.372 + + + + Sheet.373 + + + + Sheet.374 + + + + Sheet.375 + + + + Sheet.376 + + + + + Icon-manage-316.8720 + + Sheet.378 + + + + Sheet.379 + + + + Sheet.380 + + + + Sheet.381 + + + + Sheet.382 + + + + Sheet.383 + + + + Sheet.384 + + + + Sheet.385 + + + + Sheet.386 + + + + + Icon-manage-316.8730 + + Sheet.388 + + + + Sheet.389 + + + + Sheet.390 + + + + Sheet.391 + + + + Sheet.392 + + + + Sheet.393 + + + + Sheet.394 + + + + Sheet.395 + + + + Sheet.396 + + + + + Icon-manage-316.8740 + + Sheet.398 + + + + Sheet.399 + + + + Sheet.400 + + + + Sheet.401 + + + + Sheet.402 + + + + Sheet.403 + + + + Sheet.404 + + + + Sheet.405 + + + + Sheet.406 + + + + + Icon-manage-316.8750 + + Sheet.408 + + + + Sheet.409 + + + + Sheet.410 + + + + Sheet.411 + + + + Sheet.412 + + + + Sheet.413 + + + + Sheet.414 + + + + Sheet.415 + + + + Sheet.416 + + + + + Sheet.417 + + Sheet.418 + + Sheet.419 + + + + Sheet.420 + + + + Sheet.421 + + + + Sheet.422 + + + + + Sheet.423 + + e3d1e58c-f78e-4fb5-9857-0c9331d + + + + a21a8f7a-61cc-4035-8449-e5c8fe4 + + + + ecd3189c-fb1e-4a0e-a2b6-ba2f11d + + + + 
a1949a3c-4818-4bd1-b236-0d970b9 + + + + + + Sheet.428 + Sandbox subscription + + + + + Sandboxsubscription + + Dynamic connector.8772 + + + + Sheet.430 + + Sheet.431 + + + + Sheet.432 + + + + + Sheet.433 + + e3d1e58c-f78e-4fb5-9857-0c9331d + + + + a21a8f7a-61cc-4035-8449-e5c8fe4 + + + + ecd3189c-fb1e-4a0e-a2b6-ba2f11d + + + + a1949a3c-4818-4bd1-b236-0d970b9 + + + + + Dynamic connector.11005 + + + + Sheet.439 + + Sheet.440 + + Sheet.441 + + + + Sheet.442 + + + + + + Sheet.443 + + Sheet.444 + + + + Sheet.445 + + + + + + Sheet.446 + + Sheet.447 + + + + Sheet.448 + + Sheet.449 + + + + Sheet.450 + + + + + + Sheet.451 + + Sheet.452 + + + + Sheet.453 + + + + + + Sheet.454 + + + + + Sheet.455 + + Sheet.456 + + + + Sheet.457 + + + + Sheet.458 + + + + Sheet.459 + + + + Sheet.460 + + + + e99c3387-15c3-4f28-bd4b-cb209b4 + + + + + Sheet.462 + + Sheet.463 + + Sheet.464 + + + + Sheet.465 + + + + Sheet.466 + + + + Sheet.467 + + + + Sheet.468 + + + + + Sheet.469 + + Sheet.470 + + + + Sheet.471 + + + + Sheet.472 + + + + Sheet.473 + + + + Sheet.474 + + + + + + + Sheet.475 + VM SKU(s) + + + + + VM SKU(s) + + Sheet.476 + + Sheet.477 + + + + Sheet.478 + + + + Sheet.479 + + + + Sheet.480 + + + + Sheet.481 + + + + Sheet.482 + + + + Sheet.483 + + + + + Sheet.484 + + Sheet.485 + + + + Sheet.486 + + + + Sheet.487 + + + + Sheet.488 + + + + Sheet.489 + + + + Sheet.490 + + + + Sheet.491 + + + + Sheet.492 + + + + Sheet.493 + + + + Sheet.494 + + + + Sheet.495 + + + + Sheet.496 + + + + Sheet.497 + + + + Sheet.498 + + + + Sheet.499 + + + + Sheet.500 + + + + Sheet.501 + + + + + Sheet.502 + + Sheet.503 + + Sheet.504 + + + + Sheet.505 + + + + Sheet.506 + + + + Sheet.507 + + + + Sheet.508 + + + + + + Sheet.509 + + Sheet.510 + + Sheet.511 + + + + Sheet.512 + + + + Sheet.513 + + + + Sheet.514 + + + + Sheet.515 + + + + + + Sheet.516 + + Sheet.517 + + Sheet.518 + + + + Sheet.519 + + + + Sheet.520 + + + + Sheet.521 + + + + Sheet.522 + + + + + + Sheet.523 + + Sheet.524 + + Sheet.525 + + + + Sheet.526 + + + + 
Sheet.527 + + + + Sheet.528 + + + + Sheet.529 + + + + + + Sheet.530 + + Sheet.531 + + Sheet.532 + + + + Sheet.533 + + + + Sheet.534 + + + + Sheet.535 + + + + Sheet.536 + + + + + + Sheet.537 + + Sheet.538 + Cost management + + + + + Costmanagement + + Sheet.539 + + Sheet.540 + + + + Sheet.541 + + + + + + Sheet.542 + + Sheet.543 + Cost management + + + + + Costmanagement + + Sheet.544 + + Sheet.545 + + + + Sheet.546 + + + + + + Dynamic connector + + + + Sheet.548 + + Sheet.549 + Cost management + + + + + Costmanagement + + Sheet.550 + + Sheet.551 + + + + Sheet.552 + + + + + + Alerts.1160 + + Sheet.554 + + + + + + + Sheet.555 + + + + + + + Sheet.556 + + + + + + + + Alerts.1156 + + Sheet.558 + + + + + + + Sheet.559 + + + + + + + Sheet.560 + + + + + + + + Alerts.1141 + + Sheet.562 + + + + + + + Sheet.563 + + + + + + + Sheet.564 + + + + + + + + Sheet.565 + Alerts + + + + + Alerts + + Sheet.566 + Resource group(s) + + + + + Resource group(s) + + Sheet.567 + + Sheet.568 + + Sheet.569 + + + + Sheet.570 + + + + Sheet.571 + + + + + Sheet.572 + + + + Sheet.573 + + + + Sheet.574 + + + + Sheet.575 + + + + Sheet.576 + + + + Sheet.577 + + + + Sheet.578 + + + + + Alerts.1900 + + Sheet.580 + + + + + + + Sheet.581 + + + + + + + Sheet.582 + + + + + + + + Alerts.1904 + + Sheet.584 + + + + + + + Sheet.585 + + + + + + + Sheet.586 + + + + + + + + Alerts.1908 + + Sheet.588 + + + + + + + Sheet.589 + + + + + + + Sheet.590 + + + + + + + + Sheet.591 + Alerts + + + + + Alerts + + Sheet.592 + + Sheet.593 + + + + Sheet.594 + Networking + + + + + Networking + + Sheet.595 + Storage + + + + + Storage + + Sheet.596 + + Sheet.597 + + Sheet.598 + + + + Sheet.599 + + + + Sheet.600 + + + + + Sheet.601 + + + + Sheet.602 + + + + Sheet.603 + + + + Sheet.604 + + + + Sheet.605 + + + + Sheet.606 + + + + Sheet.607 + + + + + Sheet.608 + Resource group(s) + + + + + Resource group(s) + + + Sheet.609 + + + + Sheet.610 + + Sheet.611 + + Sheet.612 + + + + Sheet.613 + + + + Sheet.614 + + + + Sheet.615 + + + + + 
Sheet.616 + + e3d1e58c-f78e-4fb5-9857-0c9331d + + + + a21a8f7a-61cc-4035-8449-e5c8fe4 + + + + ecd3189c-fb1e-4a0e-a2b6-ba2f11d + + + + a1949a3c-4818-4bd1-b236-0d970b9 + + + + + + Alerts.2276 + + Sheet.622 + + + + + + + Sheet.623 + + + + + + + Sheet.624 + + + + + + + + Alerts.2280 + + Sheet.626 + + + + + + + Sheet.627 + + + + + + + Sheet.628 + + + + + + + + Alerts.2284 + + Sheet.630 + + + + + + + Sheet.631 + + + + + + + Sheet.632 + + + + + + + + Sheet.633 + Alerts + + + + + Alerts + + Alerts.2290 + + Sheet.635 + + + + + + + Sheet.636 + + + + + + + Sheet.637 + + + + + + + + Alerts.2294 + + Sheet.639 + + + + + + + Sheet.640 + + + + + + + Sheet.641 + + + + + + + + Alerts.2298 + + Sheet.643 + + + + + + + Sheet.644 + + + + + + + Sheet.645 + + + + + + + + Sheet.646 + Alerts + + + + + Alerts + + + Icon-manage-316.1914 + Alerting-ServiceHealth Initiative + + Sheet.648 + + + + Sheet.649 + + + + Sheet.650 + + + + Sheet.651 + + + + Sheet.652 + + + + Sheet.653 + + + + Sheet.654 + + + + Sheet.655 + + + + Sheet.656 + + + + + + Alerting-ServiceHealth Initiative + + + Sheet.657 + D + + + + + + + D + + Dynamic connector.1928 + + + + + Icon-manage-316.1932 + Alerting-Identity Initiative + + Sheet.660 + + + + Sheet.661 + + + + Sheet.662 + + + + Sheet.663 + + + + Sheet.664 + + + + Sheet.665 + + + + Sheet.666 + + + + Sheet.667 + + + + Sheet.668 + + + + + + Alerting-Identity Initiative + + + + Icon-manage-316.1942 + Alerting-Management Initiative + + Sheet.670 + + + + Sheet.671 + + + + Sheet.672 + + + + Sheet.673 + + + + Sheet.674 + + + + Sheet.675 + + + + Sheet.676 + + + + Sheet.677 + + + + Sheet.678 + + + + + + Alerting-Management Initiative + + + + Icon-manage-316.1952 + Alerting-Connectivity Initiative + + Sheet.680 + + + + Sheet.681 + + + + Sheet.682 + + + + Sheet.683 + + + + Sheet.684 + + + + Sheet.685 + + + + Sheet.686 + + + + Sheet.687 + + + + Sheet.688 + + + + + + Alerting-Connectivity Initiative + + + + Icon-manage-316.1962 + Alerting-LandingZone Initiative + + Sheet.690 + + + + 
Sheet.691 + + + + Sheet.692 + + + + Sheet.693 + + + + Sheet.694 + + + + Sheet.695 + + + + Sheet.696 + + + + Sheet.697 + + + + Sheet.698 + + + + + + Alerting-LandingZone Initiative + + + Sheet.699 + + + + + Sheet.700 + + + + + Sheet.701 + + + + + Sheet.702 + + + + + Sheet.703 + + + + Sheet.704 + + + + + + Sheet.705 + + Sheet.706 + + + + Sheet.707 + + Sheet.708 + + Sheet.709 + + + + Sheet.710 + + + + Sheet.711 + + + + + Sheet.712 + + + + Sheet.713 + + + + Sheet.714 + + + + Sheet.715 + + + + Sheet.716 + + + + Sheet.717 + + + + Sheet.718 + + + + + Sheet.719 + rg-alz-monitor + + + + + rg-alz-monitor + + + Service Health.1127 + Service Health + + Sheet.721 + + + + + + + + + + Sheet.722 + + Sheet.723 + + + + Sheet.724 + + + + + + + + + Sheet.725 + + Sheet.726 + + + + Sheet.727 + + + + + + + + Service Health + + + + Alerts.1123 + Activity Log Alerts + + Sheet.729 + + + + + + + Sheet.730 + + + + + + + Sheet.731 + + + + + + + + + Activity Log Alerts + + + Sheet.732 + Alert Processing Rules + + + + + Alert Processing Rules + + Sheet.733 + Action Group (Notifications, actions) + + + + + Action Group(Notifications, actions) + + Dynamic connector.1138 + + + + Dynamic connector.1139 + + + + Dynamic connector.1808 + + + + + Sheet.737 + + Sheet.738 + Actions + + + + + Actions + + Sheet.739 + + Mail + + + + + + + + Logic Apps + + Sheet.742 + + + + + + + Sheet.743 + + + + + + + Sheet.744 + + + + + + + Sheet.745 + + + + + + + Sheet.746 + + + + + + + + + + + + + + + + + + + + Automation Runbook + + Sheet.748 + + Sheet.749 + + + + Sheet.750 + + + + Sheet.751 + + + + + + Event Hubs + + Sheet.753 + + + + + + + Sheet.754 + + + + + + + Sheet.755 + + + + + + + + + + Sheet.756 + + Sheet.757 + + + + + + + Sheet.758 + + + + + + + + + + + Sheet.759 + + Sheet.760 + + + + + + + Sheet.761 + + + + + + + + Sheet.762 + + + + + + + + + + Sheet.763 + + Sheet.764 + + + + + + + Sheet.765 + + + + + + + + + + + Sheet.766 + + Sheet.767 + + + + + + + Sheet.768 + + + + + + + + Sheet.769 + + + + + + + + 
Sheet.770 + + Sheet.771 + + + + Sheet.772 + + + + Sheet.773 + + + + + Function Apps.2327 + + Sheet.775 + + + + + + + Sheet.776 + + + + + + + Sheet.777 + + + + + + + Sheet.778 + + + + + + + Sheet.779 + + + + + + + + + + Dynamic connector.2655 + + + + Sheet.781 + + Sheet.782 + + + + Sheet.783 + + Sheet.784 + + Sheet.785 + + + + Sheet.786 + + + + Sheet.787 + + + + + Sheet.788 + + + + Sheet.789 + + + + Sheet.790 + + + + Sheet.791 + + + + Sheet.792 + + + + Sheet.793 + + + + Sheet.794 + + + + + Sheet.795 + rg-amba-monitoring-001 + + + + + rg-amba-monitoring-001 + + + Service Health.1127 + Service Health + + Sheet.797 + + + + + + + + + + Sheet.798 + + Sheet.799 + + + + Sheet.800 + + + + + + + + + Sheet.801 + + Sheet.802 + + + + Sheet.803 + + + + + + + + Service Health + + + + Alerts.1123 + Activity Log Alerts + + Sheet.805 + + + + + + + Sheet.806 + + + + + + + Sheet.807 + + + + + + + + + Activity Log Alerts + + + Sheet.808 + Alert Processing Rules + + + + + Alert Processing Rules + + Sheet.809 + Action Group (Notifications, actions) + + + + + Action Group(Notifications, actions) + + Dynamic connector.1138 + + + + Dynamic connector.1139 + + + + Dynamic connector.1807 + + + + Dynamic connector.1808 + + + + + Sheet.814 + + Sheet.815 + Actions + + + + + Actions + + Mail + + + + + + + + Logic Apps + + Sheet.818 + + + + + + + Sheet.819 + + + + + + + Sheet.820 + + + + + + + Sheet.821 + + + + + + + Sheet.822 + + + + + + + + Event Hubs + + Sheet.824 + + + + + + + Sheet.825 + + + + + + + Sheet.826 + + + + + + + + + + Sheet.827 + + Sheet.828 + + + + + + + Sheet.829 + + + + + + + + + + + Sheet.830 + + Sheet.831 + + + + + + + Sheet.832 + + + + + + + + Sheet.833 + + + + + + + + + + Sheet.834 + + Sheet.835 + + + + + + + Sheet.836 + + + + + + + + + + + Sheet.837 + + Sheet.838 + + + + + + + Sheet.839 + + + + + + + + Sheet.840 + + + + + + + + Sheet.841 + + Sheet.842 + + + + Sheet.843 + + + + Sheet.844 + + + + + Function Apps.2327 + + Sheet.846 + + + + + + + Sheet.847 + + + + + + + 
Sheet.848 + + + + + + + Sheet.849 + + + + + + + Sheet.850 + + + + + + + + + Sheet.851 + + Sheet.852 + Actions + + + + + Actions + + Mail + + + + + + + + Logic Apps + + Sheet.855 + + + + + + + Sheet.856 + + + + + + + Sheet.857 + + + + + + + Sheet.858 + + + + + + + Sheet.859 + + + + + + + + Event Hubs + + Sheet.861 + + + + + + + Sheet.862 + + + + + + + Sheet.863 + + + + + + + + + + Sheet.864 + + Sheet.865 + + + + + + + Sheet.866 + + + + + + + + + + + Sheet.867 + + Sheet.868 + + + + + + + Sheet.869 + + + + + + + + Sheet.870 + + + + + + + + + + Sheet.871 + + Sheet.872 + + + + + + + Sheet.873 + + + + + + + + + + + Sheet.874 + + Sheet.875 + + + + + + + Sheet.876 + + + + + + + + Sheet.877 + + + + + + + + Sheet.878 + + Sheet.879 + + + + Sheet.880 + + + + Sheet.881 + + + + + Function Apps.2327 + + Sheet.883 + + + + + + + Sheet.884 + + + + + + + Sheet.885 + + + + + + + Sheet.886 + + + + + + + Sheet.887 + + + + + + + + + Sheet.888 + Action Group (Notifications, actions) + + + + + Action Group(Notifications, actions) + + Dynamic connector.2760 + + + + Dynamic connector.1809 + + + + Sheet.891 + + + + Sheet.892 + + + + Sheet.893 + + Sheet.894 + + + + Sheet.895 + + Sheet.896 + + Sheet.897 + + + + Sheet.898 + + + + Sheet.899 + + + + + Sheet.900 + + + + Sheet.901 + + + + Sheet.902 + + + + Sheet.903 + + + + Sheet.904 + + + + Sheet.905 + + + + Sheet.906 + + + + + Sheet.907 + rg-amba-monitoring-001 + + + + + rg-amba-monitoring-001 + + + Service Health.1127 + Service Health + + Sheet.909 + + + + + + + + + + Sheet.910 + + Sheet.911 + + + + Sheet.912 + + + + + + + + + Sheet.913 + + Sheet.914 + + + + Sheet.915 + + + + + + + + Service Health + + + + Alerts.1123 + Activity Log Alerts + + Sheet.917 + + + + + + + Sheet.918 + + + + + + + Sheet.919 + + + + + + + + + Activity Log Alerts + + + Sheet.920 + Alert Processing Rules + + + + + Alert Processing Rules + + Sheet.921 + Action Group (Notifications, actions) + + + + + Action Group(Notifications, actions) + + Dynamic connector.1138 + + + + 
Dynamic connector.1139 + + + + Dynamic connector.1807 + + + + Dynamic connector.1808 + + + + + Sheet.926 + + Sheet.927 + Actions + + + + + Actions + + Mail + + + + + + + + Logic Apps + + Sheet.930 + + + + + + + Sheet.931 + + + + + + + Sheet.932 + + + + + + + Sheet.933 + + + + + + + Sheet.934 + + + + + + + + Event Hubs + + Sheet.936 + + + + + + + Sheet.937 + + + + + + + Sheet.938 + + + + + + + + + + Sheet.939 + + Sheet.940 + + + + + + + Sheet.941 + + + + + + + + + + + Sheet.942 + + Sheet.943 + + + + + + + Sheet.944 + + + + + + + + Sheet.945 + + + + + + + + + + Sheet.946 + + Sheet.947 + + + + + + + Sheet.948 + + + + + + + + + + + Sheet.949 + + Sheet.950 + + + + + + + Sheet.951 + + + + + + + + Sheet.952 + + + + + + + + Sheet.953 + + Sheet.954 + + + + Sheet.955 + + + + Sheet.956 + + + + + Function Apps.2327 + + Sheet.958 + + + + + + + Sheet.959 + + + + + + + Sheet.960 + + + + + + + Sheet.961 + + + + + + + Sheet.962 + + + + + + + + + Sheet.963 + + Sheet.964 + Actions + + + + + Actions + + Mail + + + + + + + + Logic Apps + + Sheet.967 + + + + + + + Sheet.968 + + + + + + + Sheet.969 + + + + + + + Sheet.970 + + + + + + + Sheet.971 + + + + + + + + Event Hubs + + Sheet.973 + + + + + + + Sheet.974 + + + + + + + Sheet.975 + + + + + + + + + + Sheet.976 + + Sheet.977 + + + + + + + Sheet.978 + + + + + + + + + + + Sheet.979 + + Sheet.980 + + + + + + + Sheet.981 + + + + + + + + Sheet.982 + + + + + + + + + + Sheet.983 + + Sheet.984 + + + + + + + Sheet.985 + + + + + + + + + + + Sheet.986 + + Sheet.987 + + + + + + + Sheet.988 + + + + + + + + Sheet.989 + + + + + + + + Sheet.990 + + Sheet.991 + + + + Sheet.992 + + + + Sheet.993 + + + + + Function Apps.2327 + + Sheet.995 + + + + + + + Sheet.996 + + + + + + + Sheet.997 + + + + + + + Sheet.998 + + + + + + + Sheet.999 + + + + + + + + + Sheet.1000 + Action Group (Notifications, actions) + + + + + Action Group(Notifications, actions) + + Dynamic connector.2882 + + + + Sheet.1002 + + Sheet.1003 + Cost management + + + + + Costmanagement + + 
Sheet.1004 + + Sheet.1005 + + + + Sheet.1006 + + + + + + Dynamic connector.1913 + + + + Sheet.1008 + + + + Sheet.1009 + + Sheet.1010 + + Sheet.1011 + + + + Sheet.1012 + + + + Sheet.1013 + + + + + Sheet.1014 + + + + Sheet.1015 + + + + Sheet.1016 + + + + Sheet.1017 + + + + Sheet.1018 + + + + Sheet.1019 + + + + Sheet.1020 + + + + + Sheet.1021 + rg-amba-monitoring-001 + + + + + rg-amba-monitoring-001 + + + Service Health.1127 + Service Health + + Sheet.1023 + + + + + + + + + + Sheet.1024 + + Sheet.1025 + + + + Sheet.1026 + + + + + + + + + Sheet.1027 + + Sheet.1028 + + + + Sheet.1029 + + + + + + + + Service Health + + + + Alerts.1123 + Activity Log Alerts + + Sheet.1031 + + + + + + + Sheet.1032 + + + + + + + Sheet.1033 + + + + + + + + + Activity Log Alerts + + + Sheet.1034 + Alert Processing Rules + + + + + Alert Processing Rules + + Sheet.1035 + Action Group (Notifications, actions) + + + + + Action Group(Notifications, actions) + + Dynamic connector.1138 + + + + Dynamic connector.1139 + + + + Dynamic connector.1807 + + + + Sheet.1039 + + Sheet.1040 + Actions + + + + + Actions + + Mail + + + + + + + + Logic Apps + + Sheet.1043 + + + + + + + Sheet.1044 + + + + + + + Sheet.1045 + + + + + + + Sheet.1046 + + + + + + + Sheet.1047 + + + + + + + + Event Hubs + + Sheet.1049 + + + + + + + Sheet.1050 + + + + + + + Sheet.1051 + + + + + + + + + + Sheet.1052 + + Sheet.1053 + + + + + + + Sheet.1054 + + + + + + + + + + + Sheet.1055 + + Sheet.1056 + + + + + + + Sheet.1057 + + + + + + + + Sheet.1058 + + + + + + + + + + Sheet.1059 + + Sheet.1060 + + + + + + + Sheet.1061 + + + + + + + + + + + Sheet.1062 + + Sheet.1063 + + + + + + + Sheet.1064 + + + + + + + + Sheet.1065 + + + + + + + + Sheet.1066 + + Sheet.1067 + + + + Sheet.1068 + + + + Sheet.1069 + + + + + Function Apps.2327 + + Sheet.1071 + + + + + + + Sheet.1072 + + + + + + + Sheet.1073 + + + + + + + Sheet.1074 + + + + + + + Sheet.1075 + + + + + + + + + Sheet.1076 + + Sheet.1077 + Actions + + + + + Actions + + Mail + + + + + + + + 
Logic Apps + + Sheet.1080 + + + + + + + Sheet.1081 + + + + + + + Sheet.1082 + + + + + + + Sheet.1083 + + + + + + + Sheet.1084 + + + + + + + + Event Hubs + + Sheet.1086 + + + + + + + Sheet.1087 + + + + + + + Sheet.1088 + + + + + + + + + + Sheet.1089 + + Sheet.1090 + + + + + + + Sheet.1091 + + + + + + + + + + + Sheet.1092 + + Sheet.1093 + + + + + + + Sheet.1094 + + + + + + + + Sheet.1095 + + + + + + + + + + Sheet.1096 + + Sheet.1097 + + + + + + + Sheet.1098 + + + + + + + + + + + Sheet.1099 + + Sheet.1100 + + + + + + + Sheet.1101 + + + + + + + + Sheet.1102 + + + + + + + + Sheet.1103 + + Sheet.1104 + + + + Sheet.1105 + + + + Sheet.1106 + + + + + Function Apps.2327 + + Sheet.1108 + + + + + + + Sheet.1109 + + + + + + + Sheet.1110 + + + + + + + Sheet.1111 + + + + + + + Sheet.1112 + + + + + + + + + Sheet.1113 + Action Group (Notifications, actions) + + + + + Action Group(Notifications, actions) + + Dynamic connector.2986 + + + + Dynamic connector.2988 + + + + Sheet.1116 + Automation account(s) + + + + + Automationaccount(s) + + Sheet.1117 + Log analytics workspace + + + + + Log analyticsworkspace + + Sheet.1118 + + Sheet.1119 + + + + Sheet.1120 + + Sheet.1121 + + Sheet.1122 + + + + Sheet.1123 + + + + Sheet.1124 + + + + + Sheet.1125 + + + + Sheet.1126 + + + + Sheet.1127 + + + + Sheet.1128 + + + + Sheet.1129 + + + + Sheet.1130 + + + + Sheet.1131 + + + + + Sheet.1132 + rg-amba-monitoring-001 + + + + + rg-amba-monitoring-001 + + + Service Health.3003 + Service Health + + Sheet.1134 + + + + + + + + + + Sheet.1135 + + Sheet.1136 + + + + Sheet.1137 + + + + + + + + + Sheet.1138 + + Sheet.1139 + + + + Sheet.1140 + + + + + + + + Service Health + + + + Alerts.3007 + Activity Log Alerts + + Sheet.1142 + + + + + + + Sheet.1143 + + + + + + + Sheet.1144 + + + + + + + + + Activity Log Alerts + + + Sheet.1145 + Alert Processing Rules + + + + + Alert Processing Rules + + Sheet.1146 + Action Group (Notifications, actions) + + + + + Action Group(Notifications, actions) + + Dynamic 
connector.3013 + + + + Dynamic connector.3014 + + + + Dynamic connector.3015 + + + + Dynamic connector.1808 + + + + Sheet.1151 + + Sheet.1152 + Actions + + + + + Actions + + Mail + + + + + + + + Logic Apps + + Sheet.1155 + + + + + + + Sheet.1156 + + + + + + + Sheet.1157 + + + + + + + Sheet.1158 + + + + + + + Sheet.1159 + + + + + + + + Event Hubs + + Sheet.1161 + + + + + + + Sheet.1162 + + + + + + + Sheet.1163 + + + + + + + + + + Sheet.1164 + + Sheet.1165 + + + + + + + Sheet.1166 + + + + + + + + + + + Sheet.1167 + + Sheet.1168 + + + + + + + Sheet.1169 + + + + + + + + Sheet.1170 + + + + + + + + + + Sheet.1171 + + Sheet.1172 + + + + + + + Sheet.1173 + + + + + + + + + + + Sheet.1174 + + Sheet.1175 + + + + + + + Sheet.1176 + + + + + + + + Sheet.1177 + + + + + + + + Sheet.1178 + + Sheet.1179 + + + + Sheet.1180 + + + + Sheet.1181 + + + + + Function Apps.2327 + + Sheet.1183 + + + + + + + Sheet.1184 + + + + + + + Sheet.1185 + + + + + + + Sheet.1186 + + + + + + + Sheet.1187 + + + + + + + + + Sheet.1188 + + Sheet.1189 + Actions + + + + + Actions + + Mail + + + + + + + + Logic Apps + + Sheet.1192 + + + + + + + Sheet.1193 + + + + + + + Sheet.1194 + + + + + + + Sheet.1195 + + + + + + + Sheet.1196 + + + + + + + + Event Hubs + + Sheet.1198 + + + + + + + Sheet.1199 + + + + + + + Sheet.1200 + + + + + + + + + + Sheet.1201 + + Sheet.1202 + + + + + + + Sheet.1203 + + + + + + + + + + + Sheet.1204 + + Sheet.1205 + + + + + + + Sheet.1206 + + + + + + + + Sheet.1207 + + + + + + + + + + Sheet.1208 + + Sheet.1209 + + + + + + + Sheet.1210 + + + + + + + + + + + Sheet.1211 + + Sheet.1212 + + + + + + + Sheet.1213 + + + + + + + + Sheet.1214 + + + + + + + + Sheet.1215 + + Sheet.1216 + + + + Sheet.1217 + + + + Sheet.1218 + + + + + Function Apps.2327 + + Sheet.1220 + + + + + + + Sheet.1221 + + + + + + + Sheet.1222 + + + + + + + Sheet.1223 + + + + + + + Sheet.1224 + + + + + + + + + Sheet.1225 + Action Group (Notifications, actions) + + + + + Action Group(Notifications, actions) + + Dynamic 
connector.3092 + + + + + Dynamic connector.2377 + + + + + Icon-manage-316.3095 + Notification Assets Initiative + + Sheet.1229 + + + + Sheet.1230 + + + + Sheet.1231 + + + + Sheet.1232 + + + + Sheet.1233 + + + + Sheet.1234 + + + + Sheet.1235 + + + + Sheet.1236 + + + + Sheet.1237 + + + + + + Notification Assets Initiative + + + Sheet.1238 + + + + + Dynamic connector.3106 + + + + Dynamic connector.3107 + + + + Dynamic connector.3108 + + + + Dynamic connector.3109 + + + + Dynamic connector.3110 + + + + Dynamic connector.3111 + + + + Dynamic connector.3112 + + + + Dynamic connector.3113 + + + + Dynamic connector.3114 + + + + Dynamic connector.3115 + + + + Dynamic connector.3116 + + + + Dynamic connector.3117 + + + + Dynamic connector.3118 + + + + Dynamic connector.3119 + + + + Sheet.1253 + Identity subscription + + + + + Identitysubscription + + Sheet.1254 + Management subscription + + + + + Managementsubscription + + Sheet.1255 + Connectivity subscription + + + + + Connectivitysubscription + + Sheet.1256 + Management + + + + + Management + + Sheet.1257 + Connectivity + + + + + Connectivity + + Sheet.1258 + Identity + + + + + Identity + + Sheet.1259 + Platform + + + + + Platform + + Sheet.1260 + Corp + + + + + Corp + + Sheet.1261 + Landing zones + + + + + Landing zones + + Sheet.1262 + Sandbox + + + + + Sandbox + + Sheet.1263 + Landing zone A1 subscription + + + + + Landing zoneA1 subscription + + Sheet.1264 + Landing zone A2 subscription + + + + + Landing zoneA2 subscription + + Sheet.1265 + + + + Sheet.1266 + Created by Health Service Alert Initiative + + + + + + + Created by Health Service Alert Initiative + + Sheet.1267 + Created by Alerting Initiatives + + + + + + + Created by Alerting Initiatives + + Sheet.1268 + Created by Notification Assets Initiatives + + + + + + + Created by Notification Assets Initiatives + + Sheet.1269 + Management group and subscription organization + + + + + Management group and subscription organization + + 
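Review bot: the SVG diagram hunk ending here is a raw Visio export rather than a reviewable source file: it consists almost entirely of empty `Sheet.NNN` groups and `Dynamic connector.NNNN` stubs, and every label appears twice with different spacing (`Action Group (Notifications, actions)` beside `Action Group(Notifications, actions)`, `Log analytics workspace` beside `Log analyticsworkspace`, `Identity subscription` beside `Identitysubscription`). Consider committing a flattened or optimized SVG, or a PNG as is done for the other images in this change, so that future diffs of the diagram are meaningful, and check that the unspaced duplicate labels are not rendered or read out by screen readers when the image is displayed.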
diff --git a/docs/azure/images/azure-portal-create-resource.png b/docs/azure/images/azure-portal-create-resource.png new file mode 100644 index 0000000..ea05ec7 Binary files /dev/null and b/docs/azure/images/azure-portal-create-resource.png differ diff --git a/docs/azure/images/budget-set-alert.png b/docs/azure/images/budget-set-alert.png new file mode 100644 index 0000000..64734b6 Binary files /dev/null and b/docs/azure/images/budget-set-alert.png differ diff --git a/docs/azure/images/cost-analysis.png b/docs/azure/images/cost-analysis.png new file mode 100644 index 0000000..e00e1ba Binary files /dev/null and b/docs/azure/images/cost-analysis.png differ diff --git a/docs/azure/images/defender-for-cloud-overview.png b/docs/azure/images/defender-for-cloud-overview.png new file mode 100644 index 0000000..60fb6cc Binary files /dev/null and b/docs/azure/images/defender-for-cloud-overview.png differ diff --git a/docs/azure/images/express-route.png b/docs/azure/images/express-route.png new file mode 100644 index 0000000..209dcf6 Binary files /dev/null and b/docs/azure/images/express-route.png differ diff --git a/docs/azure/images/help-and-support.png b/docs/azure/images/help-and-support.png new file mode 100644 index 0000000..b2e5fb4 Binary files /dev/null and b/docs/azure/images/help-and-support.png differ diff --git a/docs/azure/images/private-endpoints-dns.png b/docs/azure/images/private-endpoints-dns.png new file mode 100644 index 0000000..ef2ccff Binary files /dev/null and b/docs/azure/images/private-endpoints-dns.png differ diff --git a/docs/azure/images/virtual-wan-topology.png b/docs/azure/images/virtual-wan-topology.png new file mode 100644 index 0000000..33a4162 Binary files /dev/null and b/docs/azure/images/virtual-wan-topology.png differ diff --git a/docs/azure/index.md b/docs/azure/index.md new file mode 100644 index 0000000..a41c7eb --- /dev/null +++ b/docs/azure/index.md 
@@ -0,0 +1,27 @@ +# Welcome to the Public Cloud Azure Technical Documentation + +## Get started with Azure + +Start here for the first steps on working in our Azure Landing Zone (ALZ): + +* [Azure Landing Zone Overview](get-started/bc-govs-azure-landing-zone-overview.md) +* [Provision a Project Set](../get-started/provision-a-project-set.md) +* [User Management in Azure](design-build-deploy/user-management.md) + +## Build, deploy and maintain apps + +Best practices on the platform: + +* [Requirements for building your application](design-build-deploy/requirements.md) +* [Deploy to the Azure Landing Zone](design-build-deploy/deploy-to-the-azure-landing-zone.md) +* [Networking](design-build-deploy/networking.md) +* [Be Mindful in Azure](best-practices/be-mindful.md) + +### Reusable code and examples + +* Container-based application: [Azure Startup Sample Application (Containers)](https://github.com/bcgov/azure-startup-sample-app-containers) +* Serverless-based application: [Azure Startup Sample Application (Serverless)](https://github.com/bcgov-c/ecf-azure-startup-sample-app-serverless) + +### External training + +* See some [external training resources](https://digital.gov.bc.ca/cloud/services/public/get-support/#training). diff --git a/docs/azure/support/enterprise-support.md b/docs/azure/support/enterprise-support.md new file mode 100644 index 0000000..df3e5df --- /dev/null +++ b/docs/azure/support/enterprise-support.md 
@@ -0,0 +1,19 @@ +# Microsoft Azure Enterprise Support + +Last updated: **October 16, 2024** + +Once your Project Set has been provisioned, each Azure Subscription will be enrolled in the Azure Unified Support plan. There is a delay of approximately **2 weeks** for the Azure Unified Support plan to be activated. + +Note: If you use a third-party vendor's landing zone in Azure, you can't use the B.C. government's Unified Enterprise support plan for applications hosted in the vendor's landing zone. +  +Ministry teams working in the OCIO-managed landing zone in Azure can currently access the Unified Enterprise support services for free. + +You can view the full list of services available to the ministries under the [Unified Enterprise support plan](https://www.microsoft.com/en-IN/unifiedsupport/details). + +## How to receive support + +1. Log into Azure Portal with your IDIR. Only users with access to applications in the OCIO-managed landing zone can use the Unified Enterprise support plan. New users may take up to 7 business days to gain access. If you need to open a support case before access is enabled, contact the OCIO Public cloud team at cloud.pathfinder@gov.bc.ca + +2. Review step-by-step instructions on opening an [Azure support request](https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request) + +3. Learn [how to manage](https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-manage-azure-support-request) Azure support requests \ No newline at end of file diff --git a/docs/azure/understanding-your-bill/azure-billing-and-cost-management.md b/docs/azure/understanding-your-bill/azure-billing-and-cost-management.md new file mode 100644 index 0000000..2d8fae4 --- /dev/null +++ b/docs/azure/understanding-your-bill/azure-billing-and-cost-management.md 
@@ -0,0 +1,48 @@ +# Azure billing and cost management + +Last updated: **October 3, 2024** + +Learn more about managing your Azure spending and resources with [Azure Cost Management](https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/overview-cost-management). + +![Azure Cost Management](../images/accumulated-costs-view.png "Azure Cost Management") + +Azure Cost Management is a set of tools that help you manage and optimize your Azure costs. You can use Azure Cost Management to: + +- Monitor your costs and usage +- Analyze cost drivers +- Optimize your spending +- Set budgets and alerts + +## Monitor your costs and usage + +Azure Cost Management provides a dashboard that shows your costs and usage over time. You can see how much you're spending and where you're spending it. You can also see how your spending compares to your budget. + +## Analyze cost drivers + +Azure Cost Management helps you understand what's driving your costs. You can see which services are costing you the most money and which resources are using the most resources, using [cost reporting and analytics](https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/reporting-get-started). + +!["Cost Analysis"](../images/cost-analysis.png "Cost Analysis") + +## Optimize your spending + +Azure Cost Management provides recommendations for [optimizing your spending](https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-opt-recommendations). You can see where you can save money by changing your resource configurations or by using reserved instances. 
+ +!["Advisor Cost Optimization Recommendations"](../images/advisor-recommendations.png "Advisor Cost Optimization Recommendations") + +## Set budgets and alerts + +Azure Cost Management lets you set [budgets](https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets?tabs=psbudget) and [alerts](https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/tutorial-acm-create-budgets?tabs=psbudget#configure-forecasted-budget-alerts) to help you stay on top of your spending. You can set a budget for your spending and get alerts when you're close to exceeding it. + +!["Set Budget Alerts"](../images/budget-set-alert.png "Set Budget Alerts") + +## Next steps + +* [Provision a Project Set](../../get-started/provision-a-project-set.md) +* [User Management in Azure](../design-build-deploy/user-management.md) +* [Deploy to the Azure Landing Zone](../design-build-deploy/deploy-to-the-azure-landing-zone.md) + +## Resources + +* [Azure Cost Management overview](https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/overview-cost-management) +* [How to optimize your cloud investment with Cost Management](https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/cost-mgt-best-practices) +* [Understand and work with scopes](https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/understand-work-scopes) diff --git a/docs/azure/upcoming-features/domain-join.md b/docs/azure/upcoming-features/domain-join.md new file mode 100644 index 0000000..7b3e3b8 --- /dev/null +++ b/docs/azure/upcoming-features/domain-join.md 
@@ -0,0 +1,11 @@ +# DNS for Domain Join + +Last updated: **October 3, 2024** + +## Overview + +To support domain join for Windows-based virtual machines (VMs) in the Azure Landing Zone, a Domain Name System (DNS) service is required. This DNS service is used to resolve the Fully Qualified Domain Name (FQDN) of the domain controller(s) that the VMs will join. + +### Current status + +Preliminary discussions have been initiated to determine the best approach for implementing the DNS service within the Azure Landing Zone. The team is evaluating the use of Microsoft Entra Domain Services or a custom DNS solution to meet the requirements of domain join. diff --git a/docs/azure/upcoming-features/express-route.md b/docs/azure/upcoming-features/express-route.md new file mode 100644 index 0000000..f3a986c --- /dev/null +++ b/docs/azure/upcoming-features/express-route.md @@ -0,0 +1,15 @@ +# Express Route Connectivity to On-Premises + +Last updated: **October 2, 2024** + +## Overview + +To support on-premises resources and workloads accessing resources in Azure, and Azure resources accessing on-premises resources, hybrid cloud connectivity (known as [Express Route](https://learn.microsoft.com/en-us/azure/expressroute/expressroute-introduction)) will be deployed. This will provide a dedicated, private connection between on-premises and Azure resources. + +Additionally, to adhere to data-in-transit security requirements, the Express Route connection will be encrypted using IPsec. + +![Express Route](../images/express-route.png "Express Route") + +### Current status + +Architecture and design for the Express Route connectivity to on-premises resources is in progress. We are working with the Hosting Team on the timing and execution of the implementation phase, which is tentatively scheduled for the end of the current calendar year. diff --git a/docs/get-started/provision-a-project-set.md b/docs/get-started/provision-a-project-set.md deleted file mode 100644 index 3ee8a52..0000000 
--- a/docs/get-started/provision-a-project-set.md +++ /dev/null 
@@ -1,94 +0,0 @@ -# Provision a new AWS project set -Last updated: **November 21, 2023** - -On the Public Cloud platform, different teams organize their work on isolated [project sets](../design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md#aws-accounts-in-your-project-set). Before working on the platform, the [Product Owner](../get-started/bc-govs-aws-landing-zone-overview.md#key-features-of-the-product-registry-service) of the respective team must submit a project set provisioning request for your team on the B.C. Government Public Cloud. - ---- - -## Prerequisites - -New requests must be reviewed and approved. The same rule applies for teams that already have projects on the platform and require additional project sets. - -To do that you must meet the prerequisites for provisioning a project set outlined in our [onboarding documentation](https://digital.gov.bc.ca/cloud/services/public/onboard/). - -## Process to request a project set - -1. Login to the [BC Gov Product Registry](https://registry.developer.gov.bc.ca/login) - - Take into consideration that you will need: - - - A descriptive product name (no acronyms) - - Contact details and IDIR accounts for the Product Owner and up to 2 Technical Leads - - For B.C. Gov's Landing Zone in AWS an estimate for the product's projected monthly spend on cloud services [Refer to the AWS Cost Calculator](https://calculator.aws/#/) and an AWS Account Code (Refer to Memorandum of Understanding (MoU)). - - For **new product teams** requesting space in the AWS Landing Zone complete the following 2 steps before submitting the provisioning request: - - - Sign a Memorandum of Understanding (MoU) with OCIO. Request an MoU template from cloud.pathfinder@gov.bc.ca - - Book an onboarding session with the Cloud Pathfinder Team at cloud.pathfinder@gov.bc.ca - - -2. Navigate to the top menu called **Public Cloud Products** - - ![public-cloud](../images/provision-a-project-set/public-cloud.png) - -3. 
On the top right side of the screen click on the button **Create +** to create a project set - - ![create](../images/provision-a-project-set/create.png) - -4. Enter the **name** and **description** of your project - - - Project names should be descriptive, avoid the use acronyms. - - ![description](../images/provision-a-project-set/description.png) - - - -5. Enter your **ministry** and desired **service provider** - - ![ministry-provider](../images/provision-a-project-set/ministry-provider.png) - -6. Enter the [Product Owner](../get-started/bc-govs-aws-landing-zone-overview.md#key-features-of-the-product-registry-service) and [Technical Lead(s)](get-started/bc-govs-aws-landing-zone-overview.md#key-features-of-the-product-registry-service) **details** per each required field. - - - - - The Product Owner and Technical Lead(s) will be granted access to the 4 AWS accounts in the [Project Set](../design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md#aws-accounts-in-your-project-set) via the Admin role - - The Admin role is attached to the AWS managed policy [AdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html) which provides unrestricted access into AWS accounts. However, because we are operating under the ASEA's [guardrails](../get-started/bc-govs-aws-landing-zone-overview.md#security-guardrails) the Admin role is restricted within those bounds in all accounts in the ASEA. As long as the user with an Admin role is not breaching the guardrails, they will be unrestricted within the account. - - ![po-tech-lead](../images/provision-a-project-set/po-tech-leads.png) - - -6. Enter your **billing number** - - This number should be reflected on the team's signed MoU, and is related to the expense authority funding the project. - - ![billing](../images/provision-a-project-set/billing.png) - - - -7. 
Enter your **estimated budgets** for the **four AWS accounts** - - Budgets are a tool for the team to receive email billing alerts so it's important that they are accurate, however they can be updated later. - - You will receive a budget alert when your monthly spend has reached 50%, 80%, and 100% of your estimated monthly budget. This tool is intended to allow ministry teams to quickly react and control cost surges within the accounts. - - For help estimating your budget please see the [costs and billing](https://digital.gov.bc.ca/cloud/services/public/intro/#costs) section of our introductory documentation. - - ![budget](../images/provision-a-project-set/budget.png) - - - -## Account access - -Once the AWS accounts have been provisioned, the [Product Owner](../get-started/bc-govs-aws-landing-zone-overview.md#key-features-of-the-product-registry-service) and [Technical Lead(s)](../get-started/bc-govs-aws-landing-zone-overview.md#key-features-of-the-product-registry-service) will be able to see them all in the [Login Application](https://login.nimbus.cloud.gov.bc.ca/) and they will have Admin access into the accounts. - -For other team members access, please have the Product Owner email: cloud.pathfinder@gov.bc.ca with the following information: - -- Team members full name -- Role that the user should be granted (Admin, Developer, Viewer, Billing Viewer, Security Auditor) - - Note that the Developer role has the same AWS owned policy [AdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html) as the Admin role, however they won't be granted access to the Production AWS Account. -- License plate of the project set, e.g. "a1b2c3" - ---- - -## Related pages -- [Platform Project Registry](https://registry.developer.gov.bc.ca/login) -- [OnBoarding Guide for BC Gov AWS ASEA](https://digital.gov.bc.ca/cloud/services/public/onboard/) -- [B.C. 
Government AWS Landing Zone overview](../get-started/bc-govs-aws-landing-zone-overview.md) -- [Deploy an application to the B.C. Government AWS Landing Zone](../design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md) \ No newline at end of file diff --git a/docs/images/provision-a-project-set/.DS_Store b/docs/images/provision-a-project-set/.DS_Store deleted file mode 100644 index 5008ddf..0000000 Binary files a/docs/images/provision-a-project-set/.DS_Store and /dev/null differ diff --git a/docs/images/provision-a-project-set/billing.png b/docs/images/provision-a-project-set/billing.png index ad0ae04..15a3847 100644 Binary files a/docs/images/provision-a-project-set/billing.png and b/docs/images/provision-a-project-set/billing.png differ diff --git a/docs/images/provision-a-project-set/budget.png b/docs/images/provision-a-project-set/budget.png index f892885..d978236 100644 Binary files a/docs/images/provision-a-project-set/budget.png and b/docs/images/provision-a-project-set/budget.png differ diff --git a/docs/images/provision-a-project-set/create.png b/docs/images/provision-a-project-set/create.png index 26edbdc..b2bb828 100644 Binary files a/docs/images/provision-a-project-set/create.png and b/docs/images/provision-a-project-set/create.png differ diff --git a/docs/images/provision-a-project-set/description.png b/docs/images/provision-a-project-set/description.png index 2393528..1250c4b 100644 Binary files a/docs/images/provision-a-project-set/description.png and b/docs/images/provision-a-project-set/description.png differ diff --git a/docs/images/provision-a-project-set/ministry-provider.png b/docs/images/provision-a-project-set/ministry-provider.png index 55f0348..1148fc9 100644 Binary files a/docs/images/provision-a-project-set/ministry-provider.png and b/docs/images/provision-a-project-set/ministry-provider.png differ 
diff --git a/docs/images/provision-a-project-set/old/billing.png b/docs/images/provision-a-project-set/old/billing.png new file mode 100644 index 0000000..ad0ae04 Binary files /dev/null and b/docs/images/provision-a-project-set/old/billing.png differ diff --git a/docs/images/provision-a-project-set/old/budget.png b/docs/images/provision-a-project-set/old/budget.png new file mode 100644 index 0000000..f892885 Binary files /dev/null and b/docs/images/provision-a-project-set/old/budget.png differ diff --git a/docs/images/provision-a-project-set/old/create.png b/docs/images/provision-a-project-set/old/create.png new file mode 100644 index 0000000..26edbdc Binary files /dev/null and b/docs/images/provision-a-project-set/old/create.png differ diff --git a/docs/images/provision-a-project-set/old/description.png b/docs/images/provision-a-project-set/old/description.png new file mode 100644 index 0000000..2393528 Binary files /dev/null and b/docs/images/provision-a-project-set/old/description.png differ diff --git a/docs/images/provision-a-project-set/old/ministry-provider.png b/docs/images/provision-a-project-set/old/ministry-provider.png new file mode 100644 index 0000000..55f0348 Binary files /dev/null and b/docs/images/provision-a-project-set/old/ministry-provider.png differ diff --git a/docs/images/provision-a-project-set/old/po-tech-leads.png b/docs/images/provision-a-project-set/old/po-tech-leads.png new file mode 100644 index 0000000..9d2bb62 Binary files /dev/null and b/docs/images/provision-a-project-set/old/po-tech-leads.png differ diff --git a/docs/images/provision-a-project-set/old/public-cloud.png b/docs/images/provision-a-project-set/old/public-cloud.png new file mode 100644 index 0000000..e980a9b Binary files /dev/null and b/docs/images/provision-a-project-set/old/public-cloud.png differ 
diff --git a/docs/images/provision-a-project-set/po-tech-leads.png b/docs/images/provision-a-project-set/po-tech-leads.png index 9d2bb62..48e758a 100644 Binary files a/docs/images/provision-a-project-set/po-tech-leads.png and b/docs/images/provision-a-project-set/po-tech-leads.png differ diff --git a/docs/images/provision-a-project-set/public-cloud.png b/docs/images/provision-a-project-set/public-cloud.png index e980a9b..6164615 100644 Binary files a/docs/images/provision-a-project-set/public-cloud.png and b/docs/images/provision-a-project-set/public-cloud.png differ diff --git a/docs/index.md b/docs/index.md index 078a9ca..c3bdceb 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -1,64 +1,44 @@ # Welcome to the Public Cloud Technical Documentation -## Get started +## Overview -Start here for the first steps on working in our AWS Secure Environment Accelerator (ASEA): +This documentation provides information for using Public Cloud services within the B.C. Government. It covers both [Amazon Web Services (AWS)](#amazon-web-services-aws) and [Microsoft Azure](#microsoft-azure) platforms, offering resources for [provisioning project sets](#provision-a-project-set), and for designing, building, and deploying applications in these environments. Whether you're new to cloud computing or an experienced developer, you'll find valuable information to help you navigate the B.C. Government's public cloud infrastructure. -* [B.C. Government AWS Landing Zone overview](get-started/bc-govs-aws-landing-zone-overview.md) -* [Provision a project set in AWS](get-started/provision-a-project-set.md) -* [Account access](get-started/provision-a-project-set.md#account-access) +## Provision a Project Set -## Build, deploy and maintain apps +To get started in the Public Cloud you can provision a Project Set in AWS or Azure using the [BC Gov Product Registry](https://registry.developer.gov.bc.ca). -Best practices on the platform: +For more information, see [Provision a Project Set](get-started/provision-a-project-set.md). -* [Requirements for building your application](design-build-and-deploy-an-application/requirements-for-building-your-application.md) -* [Deploy an application to the B.C. Government AWS Landing Zone](design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md) -* [Networking](design-build-and-deploy-an-application/networking.md) +## Amazon Web Services (AWS) - +## Microsoft Azure -## Understand your AWS billing +Azure is a comprehensive set of cloud services that developers and IT professionals use to build, deploy, and manage applications through Microsoft's global network of datacenters. 
-Use the Cost Management Dashboard to get an overview of your spend in AWS: - -* [AWS billing and cost management dashboards](understanding-your-aws-bill/aws-billing-and-cost-management-dashboard-via-quicksight.md) - - - - - - +- [Azure Landing Zone Overview](azure/get-started-with-azure/bc-govs-azure-landing-zone-overview.md) +- [Requirements for Building Your Application in Azure](azure/design-build-deploy/requirements-for-building-your-application.md) +- [User Management in Azure](azure/design-build-deploy/user-management.md) +- [Networking in Azure](azure/design-build-deploy/networking.md) +- [Deploy to the Azure Landing Zone](azure/design-build-deploy/deploy-to-the-azure-landing-zone.md) ### Rocket.Chat -Rocket.Chat will be your main communication channel for platform updates and support while you work in the BC Gov Private Cloud PaaS. Read about [how to stay connected in Rocket.Chat](https://digital.gov.bc.ca/cloud/services/public/get-support/#contact). +Rocket.Chat will be your main communication channel for platform updates and support while you work in the BC Gov Private Cloud. Read about [how to stay connected in Rocket.Chat](https://digital.gov.bc.ca/cloud/services/public/get-support/#contact). If you already have access, you can [log in to Rocket.Chat](https://chat.developer.gov.bc.ca). -### Platform community MeetUps +### Platform Community MeetUps Every six weeks, we host a platform community MeetUp where we talk about changes to the platform. [Learn how to register for this and other events](https://digital.gov.bc.ca/cloud/services/public/get-support/#contact). - -### Reusable code and services - -We have several [sample applications](design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md#sample-applications) which will deploy a simple application into your AWS Accounts utilizing different architectures. 
Use these to learn about best practices, how a GitHub Actions pipeline interacts with an AWS account in the ASEA, and give your team a launchpad to begin development in AWS. - -### External training - -See some [external training resources](https://digital.gov.bc.ca/cloud/services/public/get-support/#training). - - \ No newline at end of file diff --git a/docs/welcome/provision-a-project-set.md b/docs/welcome/provision-a-project-set.md new file mode 100644 index 0000000..209f4da --- /dev/null +++ b/docs/welcome/provision-a-project-set.md 
@@ -0,0 +1,101 @@ +# Provision a new Project Set + +Last updated: **October 3, 2024** + +On the Public Cloud platform, different teams organize their work in isolated **Project Sets**. Before working in the cloud platform, the **Product Owner** of the respective team must submit a Project Set provisioning request for your team, through the [BC Platform Services Product Registry](https://registry.developer.gov.bc.ca/login). + +--- + +## What is a Project Set? + +A project set consists of four distinct environments for development (`dev`), testing (`test`), production (`prod`), and tooling (`tools`). This isolates and protects each stage of the deployment lifecycle. + +- The **`dev`** account is for developers to experiment and test features +- The **`test`** account mirrors production and is used for quality assurance testing +- The **`prod`** account is the live environment accessed by end users +- The **`tools`** account contains shared resources like CI/CD pipelines, container registries, and automation tools + +## Prerequisites + +New requests must be reviewed and approved by the Public Cloud platform team. The same rule applies for teams that already have projects on the platform and require additional Project Sets. + +To do that you must meet the prerequisites for provisioning a Project Set outlined in our [onboarding documentation](https://digital.gov.bc.ca/cloud/services/public/onboard/). + +## Process to request a Project Set + +1. 
Login to the [BC Platform Services Product Registry](https://registry.developer.gov.bc.ca/login) + + You will need to provide the following information: + + - A descriptive product name (no acronyms) + - Contact details and IDIR accounts for the Product Owner and up to 2 Technical Leads + - An estimate for the product's projected monthly spend on cloud services + - For estimating AWS monthly costs, please use the [AWS Cost Calculator](https://calculator.aws/#/) + - For estimating Azure monthly costs, please use the [Azure Pricing Calculator](https://azure.microsoft.com/en-ca/pricing/calculator/) + - An AWS Account code, or Azure Subscription ID, for billing purposes. Refer to the Memorandum of Understanding (MoU) for more information. + + For **new product teams** requesting a Project Set in a Public Cloud Landing Zone, complete the following 2 steps before submitting the provisioning request: + + - Sign a Memorandum of Understanding (MoU) with the OCIO. Request an MoU template from . + - Book an onboarding session with the Cloud Pathfinder team at . + +2. Navigate to the top menu called **Public Cloud Products**. + + ![public-cloud](../images/provision-a-project-set/public-cloud.png) + +3. On the top right side of the screen click on the button **Create +** to create a Project Set. + + ![create](../images/provision-a-project-set/create.png) + +4. Enter the **name** and **description** of your project. + + - Project names should be descriptive. Avoid the use acronyms. + + ![description](../images/provision-a-project-set/description.png) + +5. Enter your **ministry** and desired **service provider**. + + ![ministry-provider](../images/provision-a-project-set/ministry-provider.png) + +6. Enter the **Product Owner** and **Technical Lead(s)** details per each required field. + + - The Product Owner and Technical Lead(s) will be granted access to the accounts/subscriptions in the Project Set via the Admin/Owner role. 
+ + ![po-tech-lead](../images/provision-a-project-set/po-tech-leads.png) + +7. Enter your **billing number**. + + - This number should be reflected on the team's signed MoU, and is related to the Expense Authority funding the project. + + ![billing](../images/provision-a-project-set/billing.png) + +8. Enter your **estimated budgets**. + + - Budgets are a tool for the team to receive email billing alerts, so it's important that they are accurate. However they can be updated later. + - You will receive a budget alert when your monthly spend has reached 50%, 80%, and 100% of your estimated monthly budget. This tool is intended to allow ministry teams to quickly react and control cost surges within the accounts. + - For help estimating your budget please see the [costs and billing](https://digital.gov.bc.ca/cloud/services/public/intro/#costs) section of our introductory documentation. + + ![budget](../images/provision-a-project-set/budget.png) + +## Accessing your Project Set + +### AWS + +Once the AWS accounts have been provisioned, the Product Owner and Technical Lead(s) will be able to see them all in the [Login Application](https://login.nimbus.cloud.gov.bc.ca/) and they will have Admin access into the accounts. + +Other team members can be added to the Project Set by the Product Owner or Technical Lead(s) via the [AWS User Management](../aws/design-build-and-deploy-an-application/user-management.md) feature in the Product Registry. + +### Azure + +Once the Azure subscriptions have been provisioned, the Product Owner and Technical Lead(s) will be able to see them all in the [Azure Portal](https://portal.azure.com/) and they will have a restricted Owner role on the subscriptions. + +Other team members can be added to the Project Set by the Product Owner or Technical Lead(s) directly in the [Azure Portal](https://portal.azure.com/). For more information on how to do this, see [Azure User Management](../azure/design-build-deploy/user-management.md). 
+ +--- + +## Related pages + +- [Platform Project Registry](https://registry.developer.gov.bc.ca/login) +- [Onboard your team to public cloud hosting](https://digital.gov.bc.ca/cloud/services/public/onboard/) +- [AWS Landing Zone Overview](../aws/get-started/bc-govs-aws-landing-zone-overview.md) +- [Azure Landing Zone Overview](../azure/get-started/bc-govs-azure-landing-zone-overview.md) diff --git a/docs/welcome/support.md b/docs/welcome/support.md new file mode 100644 index 0000000..1154a7a --- /dev/null +++ b/docs/welcome/support.md @@ -0,0 +1,18 @@ +# Public Cloud Support + +Last updated: **October 8, 2024** + +## Support options + +There are multiple ways to get support for the Public Cloud Platform, including: + + +- [Email the Public Cloud Platform team](mailto:cloud.pathfinder@gov.bc.ca) +- [Rocket.Chat](https://chat.developer.gov.bc.ca/) + +## Cloud vendor support + +Each cloud vendor provides support for their services. Here are the support options for each vendor: + +- [AWS Support](../aws/support/enterprise-support.md) +- [Azure Support](../azure/support/enterprise-support.md) diff --git a/docs/welcome/training.md b/docs/welcome/training.md new file mode 100644 index 0000000..580b62e --- /dev/null +++ b/docs/welcome/training.md 
@@ -0,0 +1,25 @@ +# Public Cloud Training + +Last updated: **October 8, 2024** + +## AWS + +Amazon Web Services (AWS) has a variety of training resources available to help you get started with their services. Here are some of the most popular resources: + +- [AWS Skill Builder](https://explore.skillbuilder.aws/learn) +- [AWS Training and Certification](https://www.aws.training/) +- [AWS Learning Library](https://www.aws.training/LearningLibrary) +- [AWS Workshops](https://workshops.aws/) + +For more information, please refer to the [Public Cloud Support - Training](https://digital.gov.bc.ca/cloud/services/public/get-support/#training) page. + +## Azure + +Microsoft Azure offers a range of training resources to help you learn about their cloud services. Here are some of the most popular resources: + +- [Microsoft Learn](https://learn.microsoft.com/en-us/training/) +- [Microsoft Applied Skills](https://learn.microsoft.com/en-us/credentials/browse/?credential_types=applied%20skills) +- [Microsoft Virtual Training Days](https://events.microsoft.com/en-us/mvtd) +- [Enterprise Skills Initiative](https://esi.microsoft.com/) + +For more information, please refer to the [Public Cloud Support - Training](https://digital.gov.bc.ca/cloud/services/public/get-support/#training) page. diff --git a/docs/welcome/why-use-public-cloud.md b/docs/welcome/why-use-public-cloud.md new file mode 100644 index 0000000..bf4dd42 --- /dev/null +++ b/docs/welcome/why-use-public-cloud.md 
@@ -0,0 +1,31 @@ +# Why use the B.C. Government Landing Zones in Public Cloud? + +Last updated: **October 3, 2024** + +## Benefits of building apps in the Public Cloud + +Ministry teams in the B.C. government who want to build applications in the Public Cloud can rely on the OCIO's secure and compliant Landing Zones. It offers a robust, secure, and efficient framework designed to meet the needs and compliance requirements of the B.C. government. This ensures that applications are developed within a secure and well-governed cloud environment. The OCIO's Landing Zones offers several significant benefits: + +1. **Enhanced security compliance**: It aligns with high-standard security frameworks like [NIST 800-53](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) and the [Canadian Centre for Cybersecurity (CCCS) Medium](https://www.cyber.gc.ca/en/guidance/annex-4a-profile-1-protected-b-medium-integrity-medium-availability-itsg-33) Cloud Control Profile, which is crucial for government applications handling sensitive, Protected B data. This compliance ensures that your applications meet the necessary security standards, providing peace of mind for both developers and stakeholders. + +2. **Streamlined development process**: It helps ministry teams concentrate on developing applications, instead of managing foundational infrastructure, by automating various aspects of the cloud environment setup. This boosts the speed of government application development. + +3. **Customizable and scalable architecture**: It gives you the freedom to customize the cloud architecture for your project, supporting a variety of application patterns. Whether you're working on small projects, or large complex applications, it adapts to meet your needs. + +4. **Operational consistency and governance**: By using OCIO's Landing Zone, you adopt a uniform approach to cloud infrastructure, ensuring consistency. This uniformity is vital for upholding operational standards and governance. + + +5. 
**Long-term management and evolution**: This tool not only helps deploy applications initially, but also aids in their ongoing management and evolution. This feature is crucial for government applications, which frequently need updates and adjustments to align with changing policy requirements and citizen needs. + +6. **Leveraging cutting-egde capabilities in public cloud**: When you build in the Public Cloud, you can tap into a wide range of services and capabilities, spanning from advanced analytics to Artificial Intelligence (AI) and Machine Learning (ML) tools. This integration has the potential to greatly boost the functionality and reach of government applications. + +For B.C. Government ministry teams developing applications in the Public Cloud, the OCIO Landing Zone provides a secure, compliant, and efficient pathway. This facilitates the creation of innovative and responsive applications that effectively serve the public. + +## Next steps + +- [Provision a Project Set](provision-a-project-set.md) + +## Related pages + +- [Public cloud services](https://digital.gov.bc.ca/cloud/services/public) +- [Public cloud hosting 101](https://digital.gov.bc.ca/cloud/services/public/intro/) diff --git a/mkdocs.yml b/mkdocs.yml index 17c1096..667f18e 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -3,19 +3,47 @@ docs_dir: docs repo_url: https://github.com/bcgov/public-cloud-techdocs edit_uri: edit/main/docs/ nav: -- Get started: - - Get started: index.md - - B.C. Government AWS Landing Zone overview: get-started/bc-govs-aws-landing-zone-overview.md - - Provision a project set in AWS: get-started/provision-a-project-set.md -- Design, build and deploy an application: - - Requirements for building your application: design-build-and-deploy-an-application/requirements-for-building-your-application.md - - User management: design-build-and-deploy-an-application/user-management.md - - Deploy an app to BC Gov's AWS Landing Zone: design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md - - Networking: design-build-and-deploy-an-application/networking.md - - AWS IAM User service: design-build-and-deploy-an-application/iam-user-service.md -- Understand your AWS billing: - - AWS Cost Management Dashboard: understanding-your-aws-bill/aws-billing-and-cost-management-dashboard-via-quicksight.md -- Upcoming features: - - AWS Calgary region: upcoming-features/calgary-region-in-aws-secure-environment-accelerator.md + - Welcome: + - Overview: index.md + - Why use the Public cloud: welcome/why-use-public-cloud.md + - Provision a Project Set: welcome/provision-a-project-set.md + - Training: welcome/training.md + - Support: welcome/support.md + - AWS: + - Get started with AWS: + - Overview: aws/index.md + - AWS Landing Zone overview: aws/get-started-with-aws/bc-govs-aws-landing-zone-overview.md + - Design, build, and deploy: + - Requirements: aws/design-build-and-deploy-an-application/requirements-for-building-your-application.md + - User Management: aws/design-build-and-deploy-an-application/user-management.md + - Deploy an app to BC Gov's AWS Landing Zone: aws/design-build-and-deploy-an-application/deploy-an-app-to-the-aws-landing-zone.md + - Networking: aws/design-build-and-deploy-an-application/networking.md + - AWS IAM User service: 
aws/design-build-and-deploy-an-application/iam-user-service.md + - Sample apps: aws/design-build-and-deploy-an-application/sample-apps.md + - Understand your AWS billing: + - AWS Cost Management dashboard: aws/understanding-your-aws-bill/aws-billing-and-cost-management-dashboard-via-quicksight.md + - Upcoming features: + - AWS Calgary region: aws/upcoming-features/calgary-region-in-aws-secure-environment-accelerator.md + - Enterprise Support: + - AWS Enterprise Support: aws/support/enterprise-support.md + - Azure: + - Get started with Azure: + - Azure Landing Zone overview: azure/get-started-with-azure/bc-govs-azure-landing-zone-overview.md + - Design, build, and deploy: + - Requirements: azure/design-build-deploy/requirements.md + - User management: azure/design-build-deploy/user-management.md + - Deploy to the Azure Landing Zone: azure/design-build-deploy/deploy-to-the-azure-landing-zone.md + - Networking: azure/design-build-deploy/networking.md + - Sample apps: azure/design-build-deploy/sample-apps.md + - Best practices: + - Be mindful: azure/best-practices/be-mindful.md + - CI/CD: azure/best-practices/ci-cd.md + - Understand your billing: + - Azure Cost Management: azure/understanding-your-bill/azure-billing-and-cost-management.md + - Upcoming features: + - Domain Join: azure/upcoming-features/domain-join.md + - Express route: azure/upcoming-features/express-route.md + - Enterprise support: + - Azure Enterprise Support: azure/support/enterprise-support.md plugins: -- techdocs-core + - techdocs-core
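Review bot: In the docs/index.md hunk (`@@ -1,64 +1,44 @@`), the new `## Amazon Web Services (AWS)` heading is followed directly by `## Microsoft Azure`, so the AWS section ships empty while Azure gets a description and a link list; add the matching AWS description and links (this patch already provides `aws/index.md` and the `aws/get-started-with-aws/` pages to point at). Two links in the same hunk also look stale: `[Provision a Project Set](get-started/provision-a-project-set.md)` should point at the new `welcome/provision-a-project-set.md` created by this patch, and `azure/design-build-deploy/requirements-for-building-your-application.md` does not match the `azure/design-build-deploy/requirements.md` path used in mkdocs.yml. Finally, the edited Rocket.Chat sentence still reads "while you work in the BC Gov Private Cloud" on a Public Cloud landing page; it should say Public Cloud.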
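Review bot: In the docs/welcome/provision-a-project-set.md hunk, the two onboarding bullets end with "Request an MoU template from ." and "Book an onboarding session with the Cloud Pathfinder team at .", so the contact addresses are missing and a new team cannot complete the prerequisite step; fill them in (the support page added in this patch links `mailto:cloud.pathfinder@gov.bc.ca`). The Azure access paragraph says the Product Owner and Technical Lead(s) get "a restricted Owner role on the subscriptions" without saying what is restricted; one sentence, or a pointer to the section of the Azure user-management page that describes it, would let teams know what their admin accounts can and cannot do. Smaller items: "Login to" should be "Log in to", "Avoid the use acronyms" is missing "of", and the Related pages links `../aws/get-started/...` and `../azure/get-started/...` do not match the `aws/get-started-with-aws/` and `azure/get-started-with-azure/` directories used in mkdocs.yml, so they will not resolve in the built site.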
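Review bot: In the docs/welcome/support.md hunk there are two consecutive blank lines between "including:" and the list; drop one so the file keeps a single blank line between blocks like the rest of the docs.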
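Review bot: In the docs/welcome/training.md hunk the sentence "For more information, please refer to the Public Cloud Support - Training page." is repeated verbatim under both the AWS and Azure sections; one copy at the end of the page would do.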
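Review bot: In the docs/welcome/why-use-public-cloud.md hunk, item 6 has the typo "cutting-egde" (should be "cutting-edge"), the intro paragraph mixes plural "Landing Zones" with singular "It offers" and "The OCIO's Landing Zones offers" (agree the number throughout), and there is an extra blank line between items 4 and 5 of the numbered list that should be removed for consistency with the other items.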
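Review bot: In the mkdocs.yml hunk, the Azure `Requirements` entry points at `azure/design-build-deploy/requirements.md`, while docs/index.md in the same patch links `azure/design-build-deploy/requirements-for-building-your-application.md`; pick one filename so the nav and the landing page agree. The Azure section also has no `Overview` index page equivalent to `aws/index.md`; if one is intended, add it under `Get started with Azure`. Re-indenting every nav entry and the `plugins` item from `- ` to `  - ` is valid YAML but turns the whole block into a rewrite; keeping the original indentation would make the actual nav changes easier to review.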