🛡️ Part 7: Security & Governance
Where Architecture Becomes Control
Up to now, you have:
- MG structure ✅
- Subscription model ✅
- Network design ✅
- Identity model ✅
But none of this matters if:
People can bypass it
🔥 First Principle
In cloud, governance is not a document; it is enforced through policy
❌ The Most Common Mistake
Teams do:
- define standards in slide decks
- write governance documents
- share guidelines
But never enforce them.
👉 Result:
Everyone builds differently anyway
🧠 What Governance Actually Means
Governance is:
- what is allowed
- what is denied
- what is monitored
- what is enforced automatically
🏗️ Core Governance Components
1. Azure Policy (Most Critical)
This is your enforcement engine
What it does
- Deny non-compliant deployments
- Enforce configurations
- Audit resources
- Auto-remediate
Real Examples
- ✅ Deny public IP creation
- ✅ Deny deployment outside approved regions
- ✅ Enforce tagging
- ✅ Require encryption
- ✅ Enable diagnostic logs
🔥 Policy Types
| Type | Purpose |
|---|---|
| Deny | Block non-compliant resources |
| Audit | Detect issues |
| DeployIfNotExists | Auto-fix |
| Modify | Enforce configuration |
Real Example (PCI MG)
At PCI MG:
- Deny public IP
- Require private endpoints
- Enforce Defender
- Require logging
👉 All workloads inherit automatically
2. Policy Initiatives (Policy Sets)
Group policies into logical bundles
For Example:
“PCI Baseline Initiative”
- No public IP
- Encryption required
- Logging mandatory
- Approved regions
👉 Applied once → enforces everything
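As an added example (not part of this series and not Azure's own policy engine), the three baseline rules above are written in the if/then JSON shape Azure Policy definitions use and run through a deliberately small evaluator, so you can see how a Deny effect blocks a request while Audit only records a finding. The evaluator, the region list, the tag name and the sample resources are all constructed for illustration.

```python
# Simplified stand-in for Azure Policy evaluation: supports field/equals/notEquals/notIn/exists, allOf and not only.
PCI_BASELINE = [  # constructed definitions mirroring the PCI Baseline bullets
    {"name": "deny-public-ip",
     "policyRule": {"if": {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
                    "then": {"effect": "deny"}}},
    {"name": "deny-unapproved-region",
     "parameters": {"allowedLocations": {"type": "Array",
                                         "defaultValue": ["westeurope", "northeurope"]}},
     "policyRule": {"if": {"allOf": [
                        {"field": "location", "notIn": "[parameters('allowedLocations')]"},
                        {"field": "location", "notEquals": "global"}]},
                    "then": {"effect": "deny"}}},
    {"name": "audit-missing-owner-tag",
     "policyRule": {"if": {"field": "tags['Owner']", "exists": "false"},
                    "then": {"effect": "audit"}}},
]

def _field(resource, alias):  # tags['X'] reads a tag; any other alias is a top-level property
    return resource.get("tags", {}).get(alias[6:-2]) if alias.startswith("tags['") else resource.get(alias)

def _value(raw, params):  # resolve "[parameters('x')]" to that parameter's default value
    return params[raw[13:-3]]["defaultValue"] if isinstance(raw, str) and raw.startswith("[parameters('") else raw

def matches(cond, resource, params):
    if "allOf" in cond: return all(matches(c, resource, params) for c in cond["allOf"])
    if "not" in cond: return not matches(cond["not"], resource, params)
    actual = _field(resource, cond["field"])
    if "equals" in cond: return actual == _value(cond["equals"], params)
    if "notEquals" in cond: return actual != _value(cond["notEquals"], params)
    if "notIn" in cond: return actual not in _value(cond["notIn"], params)
    if "exists" in cond: return (actual is not None) == (cond["exists"] == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, initiative=PCI_BASELINE):
    """Deny effects block the deployment; audit effects only record a finding."""
    denied, audited = [], []
    for pol in initiative:
        rule = pol["policyRule"]
        if matches(rule["if"], resource, pol.get("parameters", {})):
            (denied if rule["then"]["effect"] == "deny" else audited).append(pol["name"])
    return {"allowed": not denied, "denied_by": denied, "audit_findings": audited}

if __name__ == "__main__":  # constructed requests, shaped like the resource body ARM evaluates
    for r in [{"type": "Microsoft.Network/publicIPAddresses", "location": "westeurope", "tags": {"Owner": "pay"}},
              {"type": "Microsoft.Storage/storageAccounts", "location": "eastus", "tags": {}},
              {"type": "Microsoft.KeyVault/vaults", "location": "northeurope", "tags": {"Owner": "pay"}}]:
        print(r["type"], evaluate(r))
```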
3. Microsoft Defender for Cloud
Security posture + threat protection
What it does
- vulnerability assessment
- security recommendations
- threat detection
- compliance scoring
Real Example
- detects exposed ports
- flags missing patches
- alerts suspicious activity
4. Microsoft Sentinel (SIEM/SOAR)
Central security monitoring
What it does
- collects logs
- correlates events
- detects threats
- automates response
Real Example
- detects brute-force attempts
- flags unusual login patterns
- triggers incident workflows
5. Key Vault
Secure secrets management
Stores:
- passwords
- certificates
- API keys
Real Example
- app retrieves secrets securely
- no hardcoded credentials
6. Backup & DR Governance
Tools
- Recovery Services Vault
- Azure Backup
- Site Recovery
Enforced via policy
- backup must be enabled
- retention rules
- geo-redundancy
7. Tagging Governance
Critical for cost + ownership
Example tags
- Application
- Owner
- Environment
- Cost Center
Enforced via:
- policy (mandatory tags)
- automation
⚠️ Common Mistakes
❌ Too many policies too early
👉 blocks teams
❌ Audit-only mode forever
👉 no real enforcement
❌ No exception process
👉 teams bypass governance
❌ Policies without testing
👉 break deployments
🧠 Architect Thinking
You don't ask:
“What policies should I create?”
You ask:
“What behavior must never be allowed in this environment?”
If it's not enforced, it's not governance
🔗 How Everything Connects
| Layer | Role |
|---|---|
| Identity | Who can access |
| Network | How traffic flows |
| Policy | What is allowed |
Governance is what turns architecture into a platform
Without it:
- you have cloud
With it:
- you have controlled cloud
What Comes Next
Now we move into:
⚙️ Deployment & Automation (IaC, CI/CD, Platform Engineering)
Because:
If governance defines the rules,
automation ensures they are followed consistently