Understanding landing zones for Azure Cloud Adoption Framework – Terraform edition

Microsoft Cloud Adoption Framework (http://aka.ms/caf) is the one Microsoft guidance to adopt Azure in entreprise. One of the fastest way to put the framework in action and deploy an environment fast and good, is to use CAF landing zones for
Terraform.

CAF landing zones are an open source project living on GitHub and we welcome any contribution: https://aka.ms/tf-landingzones

In this article, you will find a set of videos and articles that should help you understanding the landing zones architectures and how to start crafting your own.

Cloud Adoption Framework: Introduction landing zones for Terraform


Cloud Adoption Framework: Deep-dive on landing zones for Terraform


First Deployment:


Setup Environment:

Cloud Adoption Framework landing zones with Terraform

Official Cloud Adoption Framework landing zones:

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/expanded-scope/terraform-landing-zone

If you are getting started with Terraform on Azure:

Operating governance on cloud native technologies:

Cloud Adoption Framework landing zones with Terraform

At Microsoft Ignite 2019, we announced that Cloud Adoption Framework for Azure now has a Terraform edition of it’s landing zones. We see landing zones as a great way to enable value quicker on Azure, and as we see tremendous excitment and growth in this area, we are evolving the experience to make it simpler and more powerful.

Adopting CAF landing zones with Terraform, customer consistenly realize they can:

  • deploy foundations of cloud environments fast
  • easily deploy governance and policies as code (with ongoing compliance enforcement and remediation)
  • have consistent ways to deploy innovation (infra as code, policies as code or application code are using the same mechanisms).
  • and many more.

This overall enables them to: optimize their operations, innovate faster and cheaper, but we will come back to that in another article.

For now, let’s get you started with landing zones development and deployment!

 

Setting up development environment

When deploying Infra-As-Code environments, we found it extremely important to have:

  • strong versioning (accross dev environment, DevOps pipelines, etc.).
  • short feedback loops: ability to innovate fast on your development, test new code without having to go through the whole pull-request and so mechanisms.
  • accomodate diversity of environments (running Windows, Mac, Linux).
  • strong identity consistency and no secret in any code.

In order to enable that, we use Docker containers as development (on your laptop) and deployment (CI/CD pipelines) environement. The toolset is packaged inside what we called the rover and in order to get started – whichever your platform is, just:

Once its done, make sure Docker is up and running, then Open Visual Studio Code:

We need to install “Remote Development” extension, so click the Extensions icon and then find and install “Remote Development” from Microsoft:

Screenshot 2019-11-15 at 10.10.05 AM.png

To make your life easier, we are going to leverage Visual Studio Development Containers, which allows you to seamlessly work on your machine and execute your code in the rover container.:

68747470733a2f2f636f64652e76697375616c73747564696f2e636f6d2f6173736574732f646f63732f72656d6f74652f636f6e7461696e6572732f6172636869746563747572652d636f6e7461696e6572732e706e67

So on your machine, you will have your Terraform files, with your Git connection and other tools, but when you run the code, its seemlessly integrated with the Rover running in the container, so you can develop, test, run the complete environment.

 

Deploying your first landing zone

Once you have deployed the prerequisites, you can just clone (with Git, or GitHub Desktop) from our repository: http://aka.ms/tf-landingzones and open it in Visual Studio.

If you look at the files, it’s classic Terraform scripts except for the  .devcontainer folder where we have two files:

  • devcontainer.json: describes how to connect to the container, the mounting points and extensions.
  • docker-compose.yml: describes the container configuration needed, especially where to get the rover image (tip: we put it on the Docker registry so you dont have to manage it)

Screenshot 2019-11-15 at 10.18.53 AM.png

You can then go to the bottom left, green part of Visual Studio Code and select Screenshot 2019-11-15 at 10.21.51 AM.png

Open Remote-Containers: Open Workspace in Container, then select the default workspace we created for you (workspace.code-workspace). You will see a new window opening and you can see the details of the Docker container operations:

  • downloading the container from registry
  • mounting the volumes
  • creating the network
  • installing VSCode drivers in the containers

Screenshot 2019-11-15 at 10.24.33 AM.png

You are now ready to start hacking, you can start by launching:

  1. rover login 
  2. rover /tf/caf/landingzones/landingzone_caf_foundations plan 
  3. rover /tf/caf/landingzones/landingzone_caf_foundations apply Screenshot 2019-11-15 at 10.29.00 AM

So let the fun begin!

 

Demo

TLDR; Here is a video with the different steps I described:

 

Happy hacking, let me know your feedbacks and lets connect!

@arnaudlheureux

Azure Sentinel – on the fast track

Azure Sentinel is Microsoft cloud-native SIEM and SOAR. Say goodbye to 6 months SIEM solution setup and architecture – get started with visibility on you environement just now, and use the rich ecosystem of connectors to extend intelligence to your complete security suite.

On-demand session

Here is the link to attend the full session, on-demand: https://info.microsoft.com/AP-AzureSec-WBNR-FY20-10Oct-24-AzureSentinel-SRDEM10204_LP02OnDemandRegistration-ForminBody.html 

Slides

Demos

Onboarding Sentinel and dahsboards exploration

Security Investigations with Azure Sentinel

Additionnal resources:

As usual, happy to hear your feedbacks!

Arnaud

Azure DDoS Protection Standard

Azure DDoS Protection Standard is a service that enables AI-based protection of your cloud applications. Below is the list of resources of our webinar aired on 19th September 2019.

As a quick reminder, below is the set of network protections in front of your Azure instances. DDoS protection exists in a free tier which is present by default on all resources you publish using a public IP address. In this session we discuss about the addition of the “Standard” edition of the Azure DDos protection.

azuresecurityarchitecture

On demand session

https://info.microsoft.com/AP-AzureINFRA-WBNR-FY20-09Sep-19-AzureDDoSProtectionStandard-SRDEM4832_LP01Registration-ForminBody.html \

Slides

Demo

Additionnal links:

As usual, feel free to send your feedbacks and suggestions!

Arnaud

Azure landing zones using Terraform: Getting started

This article describes the old experience for Azure CAF landing zones on Terraform, please refer to this article for the new updated experience:

https://www.arnaudlheureux.io/2019/11/15/cloud-adoption-framework-landing-zones-with-terraform/

 

Cloud Adoption Framework for Azure has a great set of recommendations to accelerate deployment of Azure for entreprises who seek to consolidate their IT environment in the cloud and innovate on their applications.

CAF introduces landing zones as a concept that describes all the elements that must be in place to deploy a production-grade quality deployment (ie, that includes a minimal set of auditing, controls, policies, etc).

In order to accelerate that, let’s review how to deploy our first landing zone for Azure based on Terraform! We assume that you know Terraform and Azure already, if thats not the case, spend some time on my previous post.

We have published and will keep on updating a repository on GitHub: http://aka.ms/tf-landingzones

Getting started

The fastest way is to use Azure Cloud Shell:

  1. Open https://shell.azure.com
  2. Go to the clouddrive directory: cd clouddrive
  3. Clone the GitHub repo from http://aka.ms/tf-landingzones git clone https://github.com/aztfmod/blueprints.git
  4. Initialize the environment – this will create the fundamentals for the Terraform state, like Storage Account, Azure Key Vault, and the managed identities: ./launchpad.sh
  5. Deploy your first tranquility blueprint: ./launchpad.sh landingzone_vdc_level1 plan
  6. Review the configuration and if you are ok with it, deploy it by running: ./launchpad.sh landingzone_vdc_level1 apply

Below is a quick demo of doing that:

Customization

In order to ease your first contact with the landing zone, we created a sample configuration file proto.landing_zone_vdc_level1.auto.tfvars. As any .auto.tfvars file, it is going to be picked up automatically by Terraform when running. This file automatically configures all variables needed to get started:

  • Retention period for Activity logs, and operations logs.
  • Names of the resource groups to be created.
  • Location of the resources to be deployed.
  • Tags for the resources.
  • Name of log analytics and list of solutions to be deployed.
  • Security center contact details.

You can tune it to match your criteria, we hope the syntax is self explanatory, feel free to provide feedback on it!

Screenshot 2019-09-17 at 3.09.49 PM

Quick tour of the architecture:

Currently the solution is composed of 3 main components:

1. Launchpad.sh

Is a shell script, it initiates the Terraform state locally, uploads it to the Azure storage account, manages the environment variables and communication accross landing zones and other components.

2. Level0_launchpad

Creates a Key Vault, an Azure managed identity a storage account that is used to create store the Terraform state of our environment. It also creates a serie of service principals to be used to access the Terraform state and to integrate with Azure DevOps (in a future release). For full documentation, refer to the readme file.

3. Landingzone_vdc_level1

This vdc level1 landing zones leverages one blueprint (called tranquility) that sets the foundation for everything accounting and operations logs in your Azure subscription:

  • Resource groups
  • Activity Logging
  • Diagnostics Logging
  • Log Analytics
  • Security Center

Each of those features deployments are accomplished by a respective module, which is also on the GitHub, which Terraform download when it needs it (at the plan stage).

A diagram of landingzone_vdc_level1 would look something like that:

Screenshot 2019-09-17 at 3.32.02 PM.png

For full documentation, refer to the readme file.

That’s it for now, it should be enough for you to get started on the Azure Landing Zones using Terraform. Keep in mind there is much more to come on the Landing Zones, we will keep on publishing more and we will have a couple of webinars to go deep dive on the subject!

Happy landing landing zones crafting!

Arnaud Lheureux