Cloud Roles and Operations Management

Prescriptive guidance for cloud roles, tasks, and initiatives for targeted operations. It is intended as input to a cloud operating model and operations plan.

Why do we need an operating model and operations plan for the cloud?

• "Delivering on a cloud strategy requires solid planning, readiness, and adoption. But it's the ongoing operation of the digital assets that delivers tangible business outcomes." - CAF
• Operating a cloud is a shared responsibility.
• Architecture decisions during the adoption phase need to be reviewed over time to keep up with evolving technology and business requirements. Enhancements that deliver better security, reliability and performance are examples that necessitate active operations.
• Architecture tradeoffs often need to be mitigated by sound operations. An example is to execute a well-understood, practiced system recovery within an RTO, where cost constraints may have resulted in an architecture without highly available components.
• Typical Architecture tradeoffs:
  • Security vs Reliability
  • Security vs Cost Optimization
  • Security vs Operational Excellence
  • Cost vs Reliability
  • Cost vs Performance Efficiency
  • Cost vs Operational Excellence
  • Performance Efficiency vs Operational Excellence
  • Performance Efficiency vs Reliability
  • Performance Efficiency vs Security
• Important questions like 'did I architect my solution cost efficiently, when the expected system load was still an unknown, or did I over-provision?' need to be answered once services go fully into production.
• A well-managed cloud needs an operating model with an aligned operations plan, and modern tools to focus our management efforts.

Artifacts

• Excel spreadsheet

  • Use as-as, or import to Devops (e.g, Azure Devops work items or Github issues) or an ITSM tool
  • Includes recommended tasks, RACI, frequency, links and notes

• Basic Azure portal workbook

  

  • Environment information along with task and initiative direction in the Azure portal
  • Also includes service management information, suggested documentation and a a 'management score' (based on key indicators of management practices in the environment)
  • Documentation templates
  • Task definitions
  • Initiative definitions
  • Environment
  • Management score

• Updateable Azure portal workbook

  • Updateable version of the workbook (allows simple excel updates that flow through to Azure)
  • Requires Excel on the web, an office script, an Azure Logic App, and an Azure Log Analytics Workspace

Table of included guidance

Category	Technology	Version	Tasks
Foundation	Generic	Pilot	60
Platform	Azure Bastion	Pilot	11
Platform	Azure Firewall	Pilot	48
Platform	Azure Key Vault	Pilot	33
Platform	Azure Storage	Pilot	33
Platform	Azure Virtual Network	Pilot	53
Platform	ExpressRoute	Pilot	43
Service	Active Directory Domain Services	Pilot	21
Service	Azure Active Directory	Pilot	44
Service	Azure Advisor	Pilot	15
Service	Azure Backup	Pilot	49
Service	Azure Monitor	Pilot	75
Service	Azure Site Recovery	Pilot	30
Service	Azure Update Management	Pilot	29
Service	Defender for Cloud	Pilot	33
Service	Microsoft Sentinel	Pilot	48
Application	Application Gateway	Pilot	48
Application	Azure App Service	Pilot	46
Application	Application Gateway	Pilot	48
Application	Azure Data Factory	Pilot	42
Application	Azure Databricks	Pilot	34
Application	Azure SQL	Pilot	96
Application	Azure Virtual Machines	Pilot	53
Solution	Azure Virtual Desktop	Pilot	59
Solution	SAP on Azure	Pilot	46

What is a well-managed cloud?

A well-managed cloud is one that is compliant, observable, recoverable, reliable, performant, updateable, cost managed, secured, inventoried and operationally excellent. This list represent an expansion of the 5 pillars of the Microsoft Azure Well-Architected Framework, and is suggested as a framework for managing Azure environments.

Compliant (WAF: Security)

Services that can be used to manage compliance in Azure include:

• Azure Devops Services
• Github
• Azure Policy
• Defender for Cloud
• Azure Monitor
• Azure Resource Graph
• In-guest VM Policy
• Desired State Configuration

Observable (WAF: Operational Excellence)

Services that can be used to manage observability in Azure include:

• Azure Monitor
• Log Analytics
• Microsoft Sentinel
• Defender for Cloud
• AAD Audit and Sign-in
• Activity Log
• Network Watcher

Recoverable (WAF: Reliability)

Services that can be used to manage recovery in Azure include:

• Azure Backup
• Azure Site Recovery
• Devops Redeploy

Reliable (WAF: Reliability)

Services that can be used to manage reliability in Azure include:

• Azure Advisor
• Azure Chaos Studio
• Azure Monitor
• Log Analytics
• Workbooks
• Alerts that prevent downtime or reduce MTTR

Performant (WAF: Performance)

Services that can be used to manage performance in Azure include:

• Azure Advisor
• Azure Monitor
• Log Analytics
• Microsoft Sentinel
• Metrics
• Workbooks
• Network Watcher

Updateable (WAF: Reliability)

Services that can be used to manage updates in Azure include:

• Azure Advisor
• Customer managed via UM and LAWS
• Planned maintenance (Service Health)
• Devops Update

Cost Managed (WAF: Cost Management)

Services that can be used to manage cost in Azure include:

• Azure Advisor
• Cost Management & Billing
• EA Portal (Account hierarchy, credit balance, cost for each department, account, and subscription)

Secured (WAF: Security)

Services that can be used to manage security in Azure include:

• Azure Advisor
• AAD
• MFA
• CA
• PIM
• Role Entitlement
• Policy
• In-Guest Policy
• Network Watcher
• Defender for Cloud
• Microsoft Sentinel
• Key Vault
• DDoS
• NSG

Inventoried (WAF: Operational Excellence)

Services that can be used to manage inventory in Azure include:

• Azure Resource graph
• Defender for Cloud (Inventory)
• Automation (Change Tracking & Inventory)

Operational Excellence (WAF: Operational Excellence)

Services that can be used to provide operational excellence in Azure include:

• Azure Advisor
• People
• Process
• RACI
• Dashboards
• Reports
• Reviews
• Automation (AA, LA, Functions)

Examples

Activities, alerts and policies for Azure services, platform resources, application resources and solutions are presented for each of the critical areas of management in this project.

Example 1: Azure Virtual Desktop

Example 2: ExpressRoute

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.