diff --git a/docs/azure/best-practices/azure-ai.md b/docs/azure/best-practices/azure-ai.md new file mode 100644 index 0000000..53c865f --- /dev/null +++ b/docs/azure/best-practices/azure-ai.md 
@@ -0,0 +1,41 @@ +# Azure AI services + +Last updated: **December 2, 2024** + +Many of the ministry teams are using Azure AI services to build intelligent applications. Artificial Intelligence and Machine Learning are rapidly changing technologies. The following are some recommendations and guidance based on observations and experiences from the ministry teams. + +## Region availability + +Although the [Azure AI Foundry (formerly Azure AI Studio)](https://learn.microsoft.com/en-us/azure/ai-studio/what-is-ai-studio) is available in the Canada Azure regions, not all [models](https://azure.microsoft.com/en-us/products/ai-model-catalog?msockid=2274ddfe4fb768de0595c8be4e1d6918#tabs-pill-bar-oc92d8_tab0) or services may be available in the Canada regions. It is recommended to check the availability of the services in the Canada region before starting the development. + +The most common Azure AI Services that are used by the ministry teams are: + +- Azure OpenAI +- AI Search +- Document Intelligence + +## Deploying models + +When using Azure AI services, you may need to deploy a Virtual Machine within the Azure network. This is because security guardrails protect government data from the Internet. To successfully deploy models, you can use an [Azure Bastion](https://learn.microsoft.com/en-us/azure/bastion/quickstart-host-portal) within your virtual network. + +The simplest method to do this, is to deploy an [Azure Bastion](https://learn.microsoft.com/en-us/azure/bastion/quickstart-host-portal) within your virtual network. + +> Note: The minimum Bastion SKU required is **Basic**, as the **Developer** tier is not currently available in the Canada regions. + +This does require a specific Subnet to be created within the VNet. The subnet name must be **AzureBastionSubnet**. The subnet address range that you specify must be **/26 or larger** (for example, /25 or /24). After adding this subnet to your virtual network, you can deploy Bastion. 
+ +Additionally, you will need to create the appropriate ingress and egress Network Security Group (NSG) rules to allow traffic to and from the Azure Bastion service. Please refer to the [Working with NSG access and Azure Bastion](https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg#apply) documentation for specific details. + +> Note: The rule priority does not need to match the example below, but the rule configuration should be similar. + +[![Azure Bastion - Ingress Rules](../images/azure-bastion-inbound-nsg-rules.png "Azure Bastion - Ingress Rules")](https://learn.microsoft.com/en-us/azure/bastion/media/bastion-nsg/inbound.png#lightbox) + +[![Azure Bastion - Egress Rules](../images/azure-bastion-outbound-nsg-rules.png "Azure Bastion - Egress Rules")](https://learn.microsoft.com/en-us/azure/bastion/media/bastion-nsg/outbound.png#lightbox) + +## Azure OpenAI and Private DNS + +When working with Azure OpenAI, you may need to create a Private Endpoint to resolve the Azure OpenAI service endpoints. + +It has been observed in several cases, where the DNS `A-Record` for the Azure OpenAI service is not being created properly in the Private DNS Zone. This can cause issues with the service not being able to resolve the endpoint. + +If you encounter this issue, please open a [support ticket](../../welcome/support.md) with the Public Cloud Platform support team to investigate and resolve the issue. diff --git a/docs/azure/best-practices/be-mindful.md b/docs/azure/best-practices/be-mindful.md index aacb290..7ad424f 100644 --- a/docs/azure/best-practices/be-mindful.md +++ b/docs/azure/best-practices/be-mindful.md @@ -1,5 +1,7 @@ # Be mindful +Last updated: **November 20, 2024** + The following are some things to be aware of when working within the Azure Landing Zone. ## Virtual Network (VNet) integration 
@@ -10,17 +12,25 @@ As a best practice for using Azure App Services with VNet integration, if you pl ## Private Endpoints and DNS -As a security requirement, some Azure services (ie. Databases, Key Vaults, etc.) have been restricted to private-only connectivity. This means during deployment, you will need to include the creation of a [Private Endpoint](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview) for this service. +As a security requirement, some Azure PaaS services (ie. Databases, Key Vaults, etc.) have been restricted to private-only connectivity. This means during deployment, you will need to include the creation of a [Private Endpoint](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview) for this service. -As part of creating the Private Endpoint, you will be asked about **Private DNS Integration**. The Azure portal defaults the "**Integrate with private DNS zone**" option to "**Yes**". However, we have the Azure Landing Zones already configured with custom Private DNS Zones, so you should select "**No**" for this option. +As part of creating the Private Endpoint, you will be asked about **Private DNS Integration**. The Azure portal defaults the "**Integrate with private DNS zone**" option to "**Yes**". However, we have the Azure Landing Zones already configured with centralized custom Private DNS Zones, so you should select "**No**" for this option. ![Private Endpoint - Private DNS Integration](../images/private-endpoints-dns.png "Private Endpoint - Private DNS Integration") Once your resource is deployed, a DNS `A-record` will be automatically created in the custom Private DNS Zone in approximately **10 minutes**, pointing to the private IP address of the resource. This will allow you to access the resource using the custom DNS name within the private network. -However, since the endpoint is private-only, you will not be able to access the resource from outside the VNet. 
To access and work with these specific resources, you need to use either [Azure Bastion](https://learn.microsoft.com/en-us/azure/bastion/bastion-overview) or [Azure Virtual Desktop (AVD)](https://learn.microsoft.com/en-us/azure/virtual-desktop/overview) from within the VNet. +However, since the endpoint is private-only, you will not be able to access the resource from outside the VNet. To access and work with these specific resources, you need to use either [Azure Bastion](https://learn.microsoft.com/en-us/azure/bastion/bastion-overview) or an [Azure Virtual Desktop (AVD)](https://learn.microsoft.com/en-us/azure/virtual-desktop/overview) from within the VNet. + +In the future, once [Express Route](../upcoming-features/express-route.md) is available, you will also be able to access these resources from the on-premises network or through a VPN. + +## Custom DNS Zones -In the future, once [Express Route](../upcoming-features/express-route.md) is available, you will also be able to access these resources from the on-premises network. +In some scenarios, you may have a need to create a custom DNS Zone. Generally, this is not recommended, as the Azure Landing Zones are already configured with centralized custom Private DNS Zones for the Azure services. However, when working with third-party services (ie. Confluent Cloud), we might not have a Private DNS Zone for the specific service. + +If this is your scenario, please submit a [Public Cloud Support request](https://citz-do.atlassian.net/servicedesk/customer/portal/3), so that the Public Cloud team can work with you to create and attach the custom DNS Zone to the central Private DNS Resolver. + +> Note: Attaching your custom Private DNS Zone to your Virtual Network (VNet) will not work, as all DNS queries are routed through the central Private DNS Resolver. ## Using Terraform to create Subnets 
@@ -30,6 +40,8 @@ The Azure Landing Zones have an Azure Policy implemented that requires every sub Therefore, instead of using the `azurerm_subnet` resource to create subnets, you must use the `azapi_update_resource` resource from the [AzAPI Terraform Provider](https://registry.terraform.io/providers/Azure/azapi/latest/docs). This resource allows you to create subnets with an associated NSG in a single step. +> Note: You need to use the `azapi_update_resource` resource, because you are updating an existing Virtual Network (VNet) with a new subnet (and associated Network Security Group). + **Example code:** ```hcl 
@@ -81,8 +93,18 @@ If you encounter issues when trying to delete a resource you've created (such as 3. **Perform your operation**: Once the lock is removed, you should be able to delete your resource as needed. -4. **Be aware of automation**: Our automation systems will periodically reapply these locks to ensure ongoing protection. If you need the lock to remain off for an extended period, please contact the Cloud Pathfinder team. +4. **Be aware of automation**: Our automation systems will periodically reapply these locks to ensure ongoing protection. If you need the lock to remain off for an extended period, please contact the Public Cloud team. 5. **Best practice**: After completing your task, if the automation hasn't yet reapplied the lock, consider manually reapplying it to maintain security. Remember, these locks are in place for good reason. Always double-check that you're deleting the correct resources and understand the implications before removing any locks. + +## Azure Control-Plane vs Data-Plane access differences + +When working with Azure services, it's important to understand the differences between [control-plane](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/control-plane-and-data-plane#control-plane) and [data-plane](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/control-plane-and-data-plane#data-plane) access. The control plane is used to manage resources, while the data plane is used to interact with the resources themselves. + +Even though someone may have **Owner-level** permissions on a resource, they may not have the necessary permissions to interact with the **data plane**. This is because the data plane permissions are separate from the control plane permissions. 
+ +For example, some Azure services and solution patterns may require additional data-level permissions, such as [Storage Blob Data Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#storage-blob-data-reader), [Search Index Data Contributor](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/ai-machine-learning#search-index-data-contributor), etc. + +For a list of built-in roles and their permissions, refer to the [Azure built-in roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles) documentation. diff --git a/docs/azure/best-practices/ci-cd.md b/docs/azure/best-practices/ci-cd.md index 074c14e..133b3f6 100644 --- a/docs/azure/best-practices/ci-cd.md +++ b/docs/azure/best-practices/ci-cd.md @@ -1,5 +1,7 @@ # CI/CD Best practices +Last updated: **November 20, 2024** + ## GitHub Actions If you are using GitHub Actions for your CI/CD pipeline, consider the following best practices: 
@@ -8,7 +10,7 @@ If you are using GitHub Actions for your CI/CD pipeline, consider the following * [Self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners) on Azure are required to access data storage and database services from GitHub Actions. Public access to these services is not supported. -* If using [Terraform](https://www.terraform.io/), be aware of the limitations when [creating Subnets](../best-practices/be-mindful.md#using-terraform-to-create-subnets), and the use of the [AzAPI Terraform Provider](be-mindful.md#azapi-terraform-provider-using-azapi_update_resource) +* If using [Terraform](https://www.terraform.io/), be aware of the limitations when [creating Subnets](../best-practices/be-mindful.md#using-terraform-to-create-subnets), and the use of the [AzAPI Terraform Provider](be-mindful.md#azapi-terraform-provider-using-azapi_update_resource). ### Configuring GitHub Action OIDC Authentication to Azure @@ -20,10 +22,13 @@ Here's a quick summary on how to set it up: 1. The GitHub Identity Provider has already been configured in the Azure subscriptions in your Project Set 2. In your Azure subscription: + - Create an Entra ID application and a service principal - Add federated credentials for the Entra ID application - Create GitHub secrets for storing Azure configuration + 3. In your GitHub workflows: + - Add permissions settings for the token - Use the [azure/login](https://github.com/Azure/login) action to exchange the OIDC token (JWT) for a cloud access token diff --git a/docs/azure/best-practices/governance.md b/docs/azure/best-practices/governance.md new file mode 100644 index 0000000..f214038 --- /dev/null +++ b/docs/azure/best-practices/governance.md 
@@ -0,0 +1,30 @@ +# Governance + +Last updated: **November 26, 2024** + +The following describes how to manage and govern your Azure environment. While the Public Cloud team provides the initial guardrails and standards for the environment, **each ministry team is responsible** for managing their own resources and ensuring compliance with the standards. + +## Security + +Within the Azure portal, navigate to [Microsoft Defender for Cloud](https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0). This service provides a centralized view of the security posture and regulatory compliance of your Azure environment. It also provides recommendations on how to improve your security. + +![Defender for Cloud Security Posture](../images/defender-for-cloud-security-posture.png "Defender for Cloud Security Posture") + +![Defender for Cloud Regulatory Compliance](../images/defender-for-cloud-regulatory-compliance.png "Defender for Cloud Regulatory Compliance") + +## Compliance + +Within the Azure portal, navigate to [Azure Policy](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Compliance). This service provides a centralized view of the compliance of your Azure environment. It also provides recommendations on how to improve your compliance. + +![Azure Policy Overview](../images/azure-policy-overview.png "Azure Policy Overview") + +## Cost + +Within the Azure portal, navigate to the [Cost Management - Cost Analysis](https://portal.azure.com/#blade/Microsoft_Azure_CostManagement/Menu/costanalysis) view. This service provides a centralized view of the costs of your Azure environments. + +> **IMPORTANT** +> +> Please make sure that you select the appropriate **Scope** to view the costs of your environment. 
+> ![Azure Cost Management - Scope](../images/azure-cost-management-scope.png "Azure Cost Management - Scope") + +For more detail about managing costs, see the **Understand your billing** > [Azure Cost Management](../understanding-your-bill/azure-billing-and-cost-management.md) section. diff --git a/docs/azure/design-build-deploy/deploy-to-the-azure-landing-zone.md b/docs/azure/design-build-deploy/deploy-to-the-azure-landing-zone.md index 243154e..58159f1 100644 --- a/docs/azure/design-build-deploy/deploy-to-the-azure-landing-zone.md +++ b/docs/azure/design-build-deploy/deploy-to-the-azure-landing-zone.md @@ -1,6 +1,6 @@ # Deploy to the Azure Landing Zone -Last updated: **September 24, 2024** +Last updated: **November 20, 2024** There are multiple ways to deploy your application to the Azure Landing Zone. This document outlines a few examples at a high-level, but it is up to each team to determine the best approach for their application. 
@@ -29,13 +29,14 @@ The Azure CLI is a command-line tool that allows you to manage your Azure resour ```azurecli az login az account set --subscription "" +az create ... ``` -**Note:** There are other command-line tools like [Azure PowerShell](https://learn.microsoft.com/en-us/powershell/azure/), that you can use to manage your Azure resources. You can choose the tool that you are most comfortable with. +**Note:** There are other command-line tools like [Azure PowerShell](https://learn.microsoft.com/en-us/powershell/azure/), that you can use to create and manage your Azure resources. You can choose the tool that you are most comfortable with. ## GitHub Actions / Infrastructure-as-Code (IaC) -GitHub Actions is a feature of GitHub that allows you to automate your workflow. Microsoft developed GitHub Actions for Azure and designed them be used with Azure. You can see all of the GitHub Actions for Azure in the [GitHub Marketplace](https://github.com/marketplace?query=Azure&type=actions). +GitHub Actions is a feature of GitHub that allows you to automate your workflow. Microsoft developed **GitHub Actions for Azure** and designed them be used with Azure. You can see all of the GitHub Actions for Azure in the [GitHub Marketplace](https://github.com/marketplace?query=Azure&type=actions). ![GitHub Actions for Azure](../images/azure-github-actions-marketplace.png "GitHub Actions for Azure") 
@@ -43,7 +44,7 @@ GitHub Actions is a feature of GitHub that allows you to automate your workflow. ### Infrastructure-as-Code (IaC) -There are multiple ways to deploy your application to the Azure Landing Zone using Infrastructure-as-Code (IaC). You can use tools like [Terraform](https://www.terraform.io/), [Azure Resource Manager (ARM) templates](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/), [Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview?tabs=bicep), [Ansible](https://learn.microsoft.com/en-us/azure/developer/ansible/overview), [Chef](https://learn.microsoft.com/en-us/azure/developer/chef/overview), or [Pulumi](https://devblogs.microsoft.com/devops/infrastructure-as-code-azure-python-wpulumi/) to define your infrastructure as code and deploy it to Azure. +There are multiple ways to deploy your application to the Azure Landing Zone using Infrastructure-as-Code (IaC). You can use tools like [Terraform](https://www.terraform.io/), [Azure Resource Manager (ARM) templates](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/), [Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview?tabs=bicep), [Ansible](https://learn.microsoft.com/en-us/azure/developer/ansible/overview), [Chef](https://learn.microsoft.com/en-us/azure/developer/chef/overview), or [Pulumi](https://devblogs.microsoft.com/devops/infrastructure-as-code-azure-python-wpulumi/) to define your Infrastructure-as-Code and deploy it to Azure. While we don't have a specific example for each tool, we recommend that you choose the tool that you are most comfortable with and that best fits your needs. diff --git a/docs/azure/design-build-deploy/networking.md b/docs/azure/design-build-deploy/networking.md index 5dabcd7..7de8f53 100644 --- a/docs/azure/design-build-deploy/networking.md +++ b/docs/azure/design-build-deploy/networking.md 
@@ -1,22 +1,22 @@ # Networking within the Azure Landing Zone -Last updated: **October 3, 2024** +Last updated: **December 4, 2024** Within each Project Set deployed in the Azure Landing Zone, a [Virtual Network (VNet)](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview) is created to provide network isolation and security for the resources deployed within it. This VNet is the foundation for all network connectivity within the Azure Landing Zone. -This VNet is connected with the central hub (vWAN), and receives default routes to direct all traffic (ie. Internet and private) through the firewall in the central hub. +This VNet is connected with the central hub (vWAN), and receives default routes to direct all traffic (ie. Internet and private) through the firewall located in the central hub. There are no subnets that are pre-created within the VNet. Each team is responsible for creating their own subnets based on their requirements. Subnets should be created within the VNet to segment resources based on their function or security requirements. **IMPORTANT:** There are some security controls in place, that require every subnet to have an associated [Network Security Group (NSG)](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview). This may cause some challenges when creating subnets. The simplest approach is to create a NSG first, and then create the subnet (with the NSG associated with it). -For further guidance on creating subnets with associated NSGs, refer to the [Be Mindful](../best-practices/be-mindful.md#using-terraform-to-create-subnets) documentation. +For further guidance on creating subnets with associated NSGs (specifically using Terraform), refer to the [Be Mindful](../best-practices/be-mindful.md#using-terraform-to-create-subnets) documentation. ## Spoke-to-Spoke connectivity If your team has multiple environments (ie. 
Dev, Test, Prod, Tools) within the same Project Set, you may require connectivity between the different environments. This is known as spoke-to-spoke connectivity. -By default, this connectivity is disabled for security reasons. If you require spoke-to-spoke connectivity, you must submit a request to the Cloud Pathfinder team, who will review the request based on the security requirements, and make any necessary changes in the firewall to allow this type of traffic. +By default, this connectivity is disabled for security reasons. If you require spoke-to-spoke connectivity, you must [submit a request](https://citz-do.atlassian.net/servicedesk/customer/portal/3) to the Public Cloud team, who will review the request based on the security requirements, and make any necessary changes in the firewall to allow this type of traffic. ## Internet connectivity @@ -26,7 +26,7 @@ Advanced features are implemented and configured including: * Transport Layer Security (TLS) inspection * Protection against malicious traffic that is sent from an internal client hosted in Azure to the Internet - * Protection against East-West traffic that goes from/to an on-premises network, to protect Azure workloads from potential malicious traffic sent from within Azure + * Protection against East-West traffic that goes to/from an Azure Virtual Network (VNet), to protect Azure workloads from potential malicious traffic sent from within Azure * Intrusion Detection and Prevention (IDPS) * Signature-based detection (applicable for both application and network-level traffic) * URL filtering 
@@ -39,11 +39,11 @@ Advanced features are implemented and configured including: For more complex applications, an [Azure Application Gateway](https://learn.microsoft.com/en-us/azure/application-gateway/overview) is the preferred method for exposing your application to the Internet. It provides a web traffic (OSI layer 7) load balancer that enables you to manage traffic to your web applications. -To adhere to security best practices, the Application Gateway should also be configured with a [Web Application Firewall (WAF)](https://learn.microsoft.com/en-us/azure/application-gateway/features#web-application-firewall) to protect your web applications from common exploits and vulnerabilities. +To adhere to security best practices, the Application Gateway should also be configured with a [Web Application Firewall (WAF)](https://learn.microsoft.com/en-us/azure/application-gateway/features#web-application-firewall) to protect your applications from common exploits and vulnerabilities. ## Resource locks on networking components -To maintain the integrity and stability of the networking infrastructure, resource locks are automatically applied to key networking components, including Virtual Networks (VNets). These locks prevent accidental deletion of critical resources. +To maintain the integrity and stability of the networking infrastructure, [resource locks](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json) are automatically applied to key networking components, including Virtual Networks (VNets). These locks prevent accidental deletion of critical resources. **Important:** If you need to delete a resource that you've created within the VNet (such as a VM), you may encounter issues due to these locks. In such cases: diff --git a/docs/azure/design-build-deploy/requirements.md b/docs/azure/design-build-deploy/requirements.md index e6822da..faadcf3 100644 --- a/docs/azure/design-build-deploy/requirements.md 
+++ b/docs/azure/design-build-deploy/requirements.md @@ -1,6 +1,6 @@ # Requirements for building your application in Azure -Last updated: **October 2, 2024** +Last updated: **December 4, 2024** The following sections describe the requirements for building your application on the B.C. Government Public Cloud Azure Landing Zone. @@ -21,7 +21,7 @@ Take the following into consideration when building your application in the Azur * Only HTTPS applications that are compatible with public endpoints through [Azure Application Gateway](https://learn.microsoft.com/en-us/azure/application-gateway/overview) are supported. -* The only supported regions are Canada Central (ie. `canadacentral`) and Canada East (ie. `canadacentral`). +* The only supported regions are Canada Central (ie. `canadacentral`) and Canada East (ie. `canadaeast`). * Most networking is under the management of the Azure Landing Zone and is not subject to change. * See [Networking within the Azure Landing Zone](networking.md) for more information. diff --git a/docs/azure/design-build-deploy/user-management.md b/docs/azure/design-build-deploy/user-management.md index aed92fe..511d3e4 100644 --- a/docs/azure/design-build-deploy/user-management.md +++ b/docs/azure/design-build-deploy/user-management.md @@ -1,6 +1,6 @@ # User management in the Azure Landing Zone -Last updated: **October 3, 2024** +Last updated: **December 4, 2024** This guide provides an overview of user management in the Azure Landing Zone, specifically tailored for Product Owners (POs) and Technical Leads (TLs) who have been granted a restricted Owner role on the Project Set Management Group. This role is inherited on the subscription within the Project Set. 
@@ -58,4 +58,4 @@ For more detailed instructions on specific tasks or advanced user management tec ## Note on Project Set license plates -Your Subscriptions and Management Groups are prefixed with your unique Project Set license plate (ie. "abc123"). This prefix helps identify and organize resources specific to your project. When navigating the Azure portal or assigning roles, always look for resources and groups that start with your Project Set license plate. +Your Management Groups and Subscriptions are prefixed with your unique Project Set license plate (ie. "abc123"). This prefix helps identify and organize resources specific to your project. When navigating the Azure portal or assigning roles, always look for resources and groups that start with your Project Set license plate. diff --git a/docs/azure/get-started-with-azure/bc-govs-azure-landing-zone-overview.md b/docs/azure/get-started-with-azure/bc-govs-azure-landing-zone-overview.md index a65d953..b63680c 100644 --- a/docs/azure/get-started-with-azure/bc-govs-azure-landing-zone-overview.md +++ b/docs/azure/get-started-with-azure/bc-govs-azure-landing-zone-overview.md @@ -1,6 +1,6 @@ # B.C. Government OCIO Azure Landing Zone overview -Last updated: **October 3, 2024** +Last updated: **December 4, 2024** An overview of the B.C. Government OCIO's Landing Zone in Azure, how to get access, its benefits, components, and features. 
@@ -32,7 +32,7 @@ The built-in Azure Policy [Regulatory Compliance](https://learn.microsoft.com/en The Cloud Adoption Framework (CAF) implements a hub-and-spoke network topology. The hub is the central point of connectivity to the on-premises network, and the spoke is the virtual network that connects to the hub. The hub-and-spoke model allows for the centralization of services and management, while providing isolation and segmentation for workloads. -B.C. Government has implemented the hub-and-spoke module using the modern [Virtual WAN (vWAN)](https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about) architecture. Within this architecture, each Project Set is provisioned with a spoke Virtual Network (VNet) that connects to the Virtual Hub (vHub) Virtual Network (VNet). +The B.C. government has implemented the hub-and-spoke module using the modern [Virtual WAN (vWAN)](https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about) architecture. Within this architecture, each Project Set is provisioned with a spoke Virtual Network (VNet) that connects to the Virtual Hub (vHub). [![Virtual WAN Network Topology](../images/virtual-wan-topology.png "Virtual WAN Network Topology")](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/media/virtual-wan-topology.png#lightbox) 
@@ -42,11 +42,19 @@ For additional information, please refer to the [Networking within the Azure Lan The Cloud Adoption Framework (CAF) implements the components necessary for centralized monitoring and logging, include: [Azure Monitor](https://learn.microsoft.com/en-us/azure/azure-monitor/overview), [Azure Activity Logs](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-insights), [Azure Metrics](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-platform-metrics), and a centralized [Log Analytics Workspace](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview). -Baseline metric, activity log, and log query alerts are available for landing zone platform components and other selected landing zone components. They're based on Microsoft-recommended practices for proactive monitoring, such as setting up alerts, thresholds, and notifications for timely problem detection and response. +Baseline metric, activity log, and log query alerts are available for landing zone platform components and other selected landing zone components. They're based on Microsoft recommended practices for proactive monitoring, such as setting up alerts, thresholds, and notifications for timely problem detection and response. [![Azure Monitor Baseline Alerts](../images/azure-monitor-baseline-alerts-policy-initiative-flow.svg "Azure Monitor Baseline Alerts")](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/media/azure-monitor-baseline-alerts-policy-initiative-flow.svg#lightbox) -While some default baselines have been implemented (primarily for regulatory compliance), each team is responsible for setting up [Alerts / Rules](https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview) and [Action Groups](https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups) based on their specific requirements. 
+While Microsoft provides various "insights or solutions" for popular services (ie. [Storage Insights](https://learn.microsoft.com/en-us/azure/storage/common/storage-insights-overview), [VM Insights](https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-overview), [Container Insights](https://learn.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-overview)), these do not cover everything. + +We have leveraged the [Azure Monitor Baseline Alerts (AMBA)](https://azure.github.io/azure-monitor-baseline-alerts/welcome/) to provide a starting point "What should be monitored in Azure?" for the Landing Zones. This includes a set of alerts that are based on Microsoft recommended practices for proactive monitoring, such as setting up [alerts](https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview), [thresholds](https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-dynamic-thresholds), and notifications for timely problem detection and response. Included in this, is a generic [Action Group](https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/action-groups) and [Alert Processing Rule](https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-processing-rules?tabs=portal) that can be used to send notifications to a variety of endpoints (email, SMS, etc.). + +While these baselines have been implemented (primarily for regulatory compliance), each team is responsible for configuring the Alerts, and Action Group settings based on their specific requirements. You can also create custom [Azure Dashboards](https://learn.microsoft.com/en-us/azure/azure-portal/azure-portal-dashboards) to visualize and monitor your resources. 
+ +[![Azure Monitor Dashboard](../images/azure-monitor-dashboard-example.png "Azure Monitor Dashboard")](https://learn.microsoft.com/en-us/azure/azure-monitor/media/visualizations/dashboard.png) + +For additional information and guidance, please refer to the Microsoft [Advanced Alerting Strategies for Azure Monitoring](https://techcommunity.microsoft.com/blog/startupsatmicrosoftblog/advanced-alerting-strategies-for-azure-monitoring/4268698) article. ## Next steps diff --git a/docs/azure/images/azure-bastion-inbound-nsg-rules.png b/docs/azure/images/azure-bastion-inbound-nsg-rules.png new file mode 100644 index 0000000..62975d2 Binary files /dev/null and b/docs/azure/images/azure-bastion-inbound-nsg-rules.png differ diff --git a/docs/azure/images/azure-bastion-outbound-nsg-rules.png b/docs/azure/images/azure-bastion-outbound-nsg-rules.png new file mode 100644 index 0000000..b674b93 Binary files /dev/null and b/docs/azure/images/azure-bastion-outbound-nsg-rules.png differ diff --git a/docs/azure/images/azure-cost-management-cost-analysis.png b/docs/azure/images/azure-cost-management-cost-analysis.png new file mode 100644 index 0000000..2ac882e Binary files /dev/null and b/docs/azure/images/azure-cost-management-cost-analysis.png differ diff --git a/docs/azure/images/azure-cost-management-scope.png b/docs/azure/images/azure-cost-management-scope.png new file mode 100644 index 0000000..3d35065 Binary files /dev/null and b/docs/azure/images/azure-cost-management-scope.png differ diff --git a/docs/azure/images/azure-monitor-dashboard-example.png b/docs/azure/images/azure-monitor-dashboard-example.png new file mode 100644 index 0000000..c660c20 Binary files /dev/null and b/docs/azure/images/azure-monitor-dashboard-example.png differ diff --git a/docs/azure/images/azure-policy-overview.png b/docs/azure/images/azure-policy-overview.png new file mode 100644 index 0000000..ff6c24a Binary files /dev/null and b/docs/azure/images/azure-policy-overview.png differ 
diff --git a/docs/azure/images/defender-for-cloud-regulatory-compliance.png b/docs/azure/images/defender-for-cloud-regulatory-compliance.png new file mode 100644 index 0000000..c5bee3e Binary files /dev/null and b/docs/azure/images/defender-for-cloud-regulatory-compliance.png differ diff --git a/docs/azure/images/defender-for-cloud-security-posture.png b/docs/azure/images/defender-for-cloud-security-posture.png new file mode 100644 index 0000000..b0aa8fc Binary files /dev/null and b/docs/azure/images/defender-for-cloud-security-posture.png differ diff --git a/docs/azure/support/enterprise-support.md b/docs/azure/support/enterprise-support.md index df3e5df..21e6c7d 100644 --- a/docs/azure/support/enterprise-support.md +++ b/docs/azure/support/enterprise-support.md 
@@ -1,19 +1,19 @@ # Microsoft Azure Enterprise Support -Last updated: **October 16, 2024** +Last updated: **November 20, 2024** Once your Project Set has been provisioned, each Azure Subscription will be enrolled in the Azure Unified Support plan. There is a delay of approximately **2 weeks** for the Azure Unified Support plan to be activated. -Note: If you use a third-party vendor's landing zone in Azure, you can't use the B.C. government's Unified Enterprise support plan for applications hosted in the vendor's landing zone. -  -Ministry teams working in the OCIO-managed landing zone in Azure can currently access the Unified Enterprise support services for free. +> **Note:** If you use a third-party vendor's landing zone in Azure, you can't use the B.C. government's Unified Enterprise support plan for applications hosted in the vendor's landing zone. +> +> Ministry teams working in the OCIO-managed landing zone in Azure can currently access the Unified Enterprise support services for free. -You can view the full list of services available to the ministries under the [Unified Enterprise support plan](https://www.microsoft.com/en-IN/unifiedsupport/details). +You can view the full list of services available to the ministries under the [Unified Enterprise support plan](https://www.microsoft.com/en-IN/unifiedsupport/details). -## How to receive support +## How to receive support 1. Log into Azure Portal with your IDIR. Only users with access to applications in the OCIO-managed landing zone can use the Unified Enterprise support plan. New users may take up to 7 business days to gain access. If you need to open a support case before access is enabled, contact the OCIO Public cloud team at cloud.pathfinder@gov.bc.ca -2. Review step-by-step instructions on opening an [Azure support request](https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request) +2. 
Review step-by-step instructions on opening an [Azure support request](https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request) -3. Learn [how to manage](https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-manage-azure-support-request) Azure support requests \ No newline at end of file +3. Learn [how to manage](https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-manage-azure-support-request) Azure support requests \ No newline at end of file diff --git a/docs/azure/understanding-your-bill/azure-billing-and-cost-management.md b/docs/azure/understanding-your-bill/azure-billing-and-cost-management.md index 2d8fae4..4cfdb36 100644 --- a/docs/azure/understanding-your-bill/azure-billing-and-cost-management.md +++ b/docs/azure/understanding-your-bill/azure-billing-and-cost-management.md 
@@ -1,6 +1,22 @@ # Azure billing and cost management -Last updated: **October 3, 2024** +Last updated: **November 20, 2024** + +## Cost Reporting and Cost Recovery + +As part of applying the [principles of FinOps](https://www.finops.org/framework/principles/), and to help streamline our cost tracking processes, we've implemented an automated tagging policy that will now apply standardized tags to all resources within your subscriptions. This is designed to improve our cost recovery process while requiring no action on your part. + +### Tags Being Applied + +You'll notice the following tags appearing on your resources: + +* `account_coding` +* `billing_group` +* `ministry_name` + +These tags are inherited from the Subscription-level tags (which are created using the information you provide when [provisioning a new Project Set](https://developer.gov.bc.ca/docs/default/component/public-cloud-techdocs/welcome/provision-a-project-set/)). + +## Manage your Azure spending Learn more about managing your Azure spending and resources with [Azure Cost Management](https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/overview-cost-management). 
@@ -44,5 +60,9 @@ Azure Cost Management lets you set [budgets](https://learn.microsoft.com/en-us/a ## Resources * [Azure Cost Management overview](https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/overview-cost-management) -* [How to optimize your cloud investment with Cost Management](https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/cost-mgt-best-practices) * [Understand and work with scopes](https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/understand-work-scopes) +* [How to optimize your cloud investment with Cost Management](https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/cost-mgt-best-practices) +* [How to budget your Azure cloud spend with Microsoft Cost Management](https://techcommunity.microsoft.com/blog/finopsblog/how-to-budget-your-azure-cloud-spend-with-microsoft-cost-management/4153963) +* [Identify your savings potential in Azure](https://techcommunity.microsoft.com/blog/finopsblog/identify-your-savings-potential-in-azure/4131194) +* [Unlock savings potential with Azure Advisor's Cost Optimization workbook](https://techcommunity.microsoft.com/blog/finopsblog/unlock-savings-potential-with-azure-advisors-cost-optimization-workbook/4135863) +* [Switch off Virtual Machines on a schedule using an Azure Tag](https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/switch-off-virtual-machines-on-a-schedule-using-an-azure-tag/4207182) diff --git a/docs/azure/upcoming-features/express-route.md b/docs/azure/upcoming-features/express-route.md index f3a986c..8070ba7 100644 --- a/docs/azure/upcoming-features/express-route.md +++ b/docs/azure/upcoming-features/express-route.md @@ -1,6 +1,6 @@ # Express Route Connectivity to On-Premises -Last updated: **October 2, 2024** +Last updated: **November 20, 2024** ## Overview 
@@ -12,4 +12,4 @@ Additionally, to adhere to data-in-transit security requirements, the Express Ro ### Current status -Architecture and design for the Express Route connectivity to on-premises resources is in progress. We are working with the Hosting Team on the timing and execution of the implementation phase, which is tentatively scheduled for the end of the current calendar year. +Architecture and design for the Express Route connectivity to on-premises resources is in progress. We are working with the Hosting Team on the timing and execution of the implementation phase, which is tentatively scheduled for the first quarter of 2025. diff --git a/docs/index.md b/docs/index.md index c3bdceb..8e3cb1e 100644 --- a/docs/index.md +++ b/docs/index.md @@ -8,7 +8,7 @@ This documentation provides information for using Public Cloud services within t To get started in the Public Cloud you can provision a Project Set in AWS or Azure using the [BC Gov Product Registry](https://registry.developer.gov.bc.ca). -For more information, see [Provision a Project Set](get-started/provision-a-project-set.md). +For more information, see [Provision a Project Set](welcome/provision-a-project-set.md). ## Amazon Web Services (AWS) 
@@ -25,7 +25,7 @@ AWS offers a broad set of global cloud-based products including compute, storage Azure is a comprehensive set of cloud services that developers and IT professionals use to build, deploy, and manage applications through Microsoft's global network of datacenters. - [Azure Landing Zone Overview](azure/get-started-with-azure/bc-govs-azure-landing-zone-overview.md) -- [Requirements for Building Your Application in Azure](azure/design-build-deploy/requirements-for-building-your-application.md) +- [Requirements for Building Your Application in Azure](azure/design-build-deploy/requirements.md) - [User Management in Azure](azure/design-build-deploy/user-management.md) - [Networking in Azure](azure/design-build-deploy/networking.md) - [Deploy to the Azure Landing Zone](azure/design-build-deploy/deploy-to-the-azure-landing-zone.md) @@ -37,8 +37,8 @@ Rocket.Chat will be your main communication channel for platform updates and sup If you already have access, you can [log in to Rocket.Chat](https://chat.developer.gov.bc.ca). -### Platform Community MeetUps +### Public Cloud Community Updates -Every six weeks, we host a platform community MeetUp where we talk about changes to the platform. +Every six weeks, we host a community update to provide you with the latest news and interesting information about the Public Cloud Accelerator Service (also known as CloudPathFinder) and its community, and changes to the platform. [Learn how to register for this and other events](https://digital.gov.bc.ca/cloud/services/public/get-support/#contact). diff --git a/docs/welcome/provision-a-project-set.md b/docs/welcome/provision-a-project-set.md index 209f4da..8464993 100644 --- a/docs/welcome/provision-a-project-set.md +++ b/docs/welcome/provision-a-project-set.md 
@@ -37,7 +37,7 @@ To do that you must meet the prerequisites for provisioning a Project Set outlin For **new product teams** requesting a Project Set in a Public Cloud Landing Zone, complete the following 2 steps before submitting the provisioning request: - Sign a Memorandum of Understanding (MoU) with the OCIO. Request an MoU template from . - - Book an onboarding session with the Cloud Pathfinder team at . + - Book an onboarding session with the Public Cloud team at . 2. Navigate to the top menu called **Public Cloud Products**. diff --git a/docs/welcome/support.md b/docs/welcome/support.md index 1154a7a..7c3db0e 100644 --- a/docs/welcome/support.md +++ b/docs/welcome/support.md @@ -1,12 +1,13 @@ # Public Cloud Support -Last updated: **October 8, 2024** +Last updated: **November 26, 2024** ## Support options There are multiple ways to get support for the Public Cloud Platform, including: - +- [Jira Service Management (JSM)](https://citz-do.atlassian.net/servicedesk/customer/portal/3) (preferred method) + - [Email the Public Cloud Platform team](mailto:cloud.pathfinder@gov.bc.ca) - [Rocket.Chat](https://chat.developer.gov.bc.ca/) diff --git a/docs/welcome/training.md b/docs/welcome/training.md index 580b62e..fbc3b76 100644 --- a/docs/welcome/training.md +++ b/docs/welcome/training.md 
@@ -1,15 +1,15 @@ # Public Cloud Training -Last updated: **October 8, 2024** +Last updated: **November 20, 2024** ## AWS Amazon Web Services (AWS) has a variety of training resources available to help you get started with their services. Here are some of the most popular resources: -- [AWS Skill Builder](https://explore.skillbuilder.aws/learn) -- [AWS Training and Certification](https://www.aws.training/) -- [AWS Learning Library](https://www.aws.training/LearningLibrary) -- [AWS Workshops](https://workshops.aws/) +* [AWS Skill Builder](https://explore.skillbuilder.aws/learn) +* [AWS Training and Certification](https://www.aws.training/) +* [AWS Learning Library](https://www.aws.training/LearningLibrary) +* [AWS Workshops](https://workshops.aws/) For more information, please refer to the [Public Cloud Support - Training](https://digital.gov.bc.ca/cloud/services/public/get-support/#training) page. 
@@ -17,9 +17,13 @@ For more information, please refer to the [Public Cloud Support - Training](http Microsoft Azure offers a range of training resources to help you learn about their cloud services. Here are some of the most popular resources: -- [Microsoft Learn](https://learn.microsoft.com/en-us/training/) -- [Microsoft Applied Skills](https://learn.microsoft.com/en-us/credentials/browse/?credential_types=applied%20skills) -- [Microsoft Virtual Training Days](https://events.microsoft.com/en-us/mvtd) -- [Enterprise Skills Initiative](https://esi.microsoft.com/) +* [Microsoft Learn](https://learn.microsoft.com/en-us/training/) +* [Microsoft Applied Skills](https://learn.microsoft.com/en-us/credentials/browse/?credential_types=applied%20skills) +* [Microsoft Virtual Training Days](https://events.microsoft.com/en-us/mvtd) +* [Enterprise Skills Initiative](https://esi.microsoft.com/) For more information, please refer to the [Public Cloud Support - Training](https://digital.gov.bc.ca/cloud/services/public/get-support/#training) page. + +### Topic specific training + +* [Become a Microsoft Defender for Cloud Ninja](https://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/become-a-microsoft-defender-for-cloud-ninja/1608761) diff --git a/mkdocs.yml b/mkdocs.yml index 667f18e..7fcf134 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -38,6 +38,8 @@ nav: - Best practices: - Be mindful: azure/best-practices/be-mindful.md - CI/CD: azure/best-practices/ci-cd.md + - Governance: azure/best-practices/governance.md + - Azure AI Services: azure/best-practices/azure-ai.md - Understand your billing: - Azure Cost Management: azure/understanding-your-bill/azure-billing-and-cost-management.md - Upcoming features:
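Review bot: In the `@@ -42,11 +42,19 @@` hunk of the monitoring page, the `-`/`+` pair that drops the hyphen from "Microsoft-recommended practices" is a regression: the hyphenated compound adjective was correct, and the new AMBA paragraph later uses the same unhyphenated form. While touching those lines, fix the surrounding grammar: "centralized monitoring and logging, include:" should read "including:", "ie." should be "e.g.", and the commas in "Included in this, is a generic" and "configuring the Alerts, and Action Group settings" should go. The paragraph also says a generic Action Group and Alert Processing Rule are provided but not where teams find them, which they need if they are expected to configure notification endpoints themselves.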
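Review bot: In the `enterprise-support.md` hunk, the `-`/`+` pairs for "You can view the full list of services..." and "## How to receive support" differ only in trailing whitespace being added, and the `\ No newline at end of file` marker is still present on the `+` side. Drop the trailing spaces and add the final newline rather than introducing whitespace-only churn; the conversion of the two Note paragraphs into a single `>` blockquote is fine.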
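Review bot: In the `azure-billing-and-cost-management.md` hunk, the new "Cost Reporting and Cost Recovery" section should state what the tagging policy does to a resource that already carries `account_coding`, `billing_group` or `ministry_name` with a different value (overwrite or leave as-is), and whether the tags are enforced afterwards; "requiring no action on your part" only holds if teams cannot break cost recovery by editing or removing those tags. The new headings "Cost Reporting and Cost Recovery" and "Tags Being Applied" are title case while the rest of the docs use sentence case ("Manage your Azure spending", "How to receive support").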
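Review bot: In the `@@ -44,5 +60,9 @@` Resources hunk, the "How to optimize your cloud investment" entry is removed and re-added one line lower with no content change; if the ordering is intentional that is fine, otherwise drop the move so the hunk only shows the four new links.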
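Review bot: In the `index.md` `@@ -37,8 +37,8 @@` hunk, the new sentence spells the service "CloudPathFinder" while the `provision-a-project-set.md` hunk uses "Cloud Pathfinder team" and the support pages use cloud.pathfinder@gov.bc.ca; pick one spelling. The sentence is also long enough to split: "Every six weeks, we host a community update with the latest news about the Public Cloud Accelerator Service and its community, and changes to the platform."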
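Review bot: In the `provision-a-project-set.md` hunk, both contact lines still end with a missing target: "Request an MoU template from ." and the renamed "Book an onboarding session with the Public Cloud team at ." The rename touches the second line but does not restore the address or link, so the prerequisite cannot be followed; add the contact (elsewhere in this patch the Public Cloud team is reached at cloud.pathfinder@gov.bc.ca) on both lines.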
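Review bot: In the two `training.md` hunks, the eight `-`/`+` pairs only swap the `-` list marker for `*`, while `index.md` in the same patch keeps `-` bullets; either apply one marker across the docs or leave the lists alone so these hunks reduce to the date change and the new section. The new heading should be hyphenated: "Topic-specific training".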
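Review bot: In the `mkdocs.yml` hunk, the nav gains `azure/best-practices/governance.md` and `azure/best-practices/azure-ai.md`; `azure-ai.md` is created in this patch, but no hunk here adds `governance.md`. Confirm that file is part of the change set, since a nav entry pointing at a missing page is reported by mkdocs and fails the build in strict mode.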