November (17/11/2021) ESLZ Community Call

[jtracey93]

We are excited to invite you to our 2nd external Enterprise-Scale community call on the 17th of November 18.00 CET!

As before we have an open agenda, so please comment below with things you would like to cover👍

Agenda:

• Enterprise-Scale Landing Zones news roundup
• ESLZ/ALZ Bicep module demo
• Open Feedback Discussion - Day 2 operations for ESLZ
• Q&A (please raise topics and questions to discuss in this issue)

Sign up for the call here!

We look forward to another interactive discussion with lots interesting topics!

For links to our previous community calls see: https://github.com/Azure/Enterprise-Scale/wiki/Community-Calls

[cveld]

Questions:

• What is your opinion on AzOps?
• There seems a cut between the landing zone and the use case side. Is there anything to be expected on the use case side? Also see ticket Question: What is your story on factorization and plaform versus workload? AzOps#463
• policies.json is 15,000+ lines in size. How to manage this best? In last community call you were considering factorization.
• When to to use deploy if not exists for deploying resources. When to deploy resources the regular way
• We require elevation for many of our deployment types (Azure and Windows Server Active Directory operations, certificate access, principal management). Currently we don't see a clear way to apply elevation into bicep modules. What is your guidance? 1)
• Do you provide Azure Pipelines or GitHub Actions guidance as AzOps does.

1. We are currently using Azure DevOps custom pipeline tasks - we provide a custom task for each Azure resource type a team can provision self-service. We are planning to add two components: 1) a router/authorization function and 2) hidden Azure Pipelines only accessible by the function. The function will be called from our custom tasks (e.g. virtual machine or app service plan) providing the service principal from the selected Azure Resource Manager service connection. The router function will verify (authorize) the incoming principal and route the provision request to the related hidden pipeline (e.g. virtual machine or app service plan). Through a websocket (Azure SignalR Service) the hidden pipeline streams its logs to the custom pipeline task and the "I am done" signal.

[mw8er]

Questions:

• For community: Do you adjust the default management group to be able to block "out-of-enterprise-scale" subscriptions?
• Is there any (work-in-) progress on the recommendation for subscription owner? We have workloads that use RBAC a lot and would be blocked due to that setting, hence we added that
• There are many RBAC assignments due to policy assignments. Is there anything on the roadmap to simplify the situation (e.g. user-managed identities)?
• Private Endpoints, i.e. restricting access to VNet only, and Azure DevOps/Github do not get along so well. Is there any guidance to get a more convenient integration?

[jtracey93]

Have locked the conversation to enable us to prepare answers to the above before this afternoons call 👍

There will still be an open Q&A session for additional questions 👍

See you all there

[jtracey93]

Recording and deck is now live here: https://github.com/Azure/Enterprise-Scale/wiki/Community-Calls#17th-november-2021-17112021

Thanks all for attending and see you in the new year!