Saturday, September 29, 2018

Azure Blueprints: First Steps

In a previous post I described one of the newest features of the Azure Governance toolset: Blueprints.  In this post, I will walk through creating a simple blueprint from the portal.  If you are looking for the official documentation, click here.

The goal is to use blueprints to model out what I would like my "production" environment to look like.  In this post, we will focus only on creating the relevant resource groups that I require in all my environments.  There is one prerequisite that you will need to have in place, and that is Azure Management Groups.  Without them, you will not be able to assign your blueprint.

From the portal, you will want to navigate to blueprints from the All Services menu.  The main screen looks something like this.



After that, click on create under the Create A Blueprint heading.  The first two boxes on this screen are simple, and allow you to name your blueprint and provide a detailed description for future reference.



The third box above asks for the definition location.  This is where Azure management groups come in.  One of the features of Azure Blueprints is that instead of being a definition file that lives in source control (or on someone's computer, or in someone's head), this document is actually stored inside the management group hierarchy.  In my case, I just selected the root of my Azure Management hierarchy, in order to make this blueprint available to all nodes below.  (Just to make it easy for now).

Once you have all that figured out, you will be taken to a screen that allows you to add artifacts.





Clicking on Add Artifact will pop up a side bar.  Select Resource Group as the Artifact Type.  In this example, I'm going to use a static parameter for the name (to enforce consistency) but use a dynamic parameter for the location.  To learn more about blueprint parameters, see this document.  Here is what your artifact list should look like when complete.



In the above diagram:

prodsharedservices:  Resource group for shared services such as Active Directory deployments.
prodnetwork:  Resource group for networking components (VNETs, gateways, etc.).
prodsecuritygroups:  Resource group for firewalls and app/network security groups.

After you have that set up, click on the Save Draft button at the bottom.  After the blueprint has saved, you should see it show up in the Blueprint Definitions tab.


In order to deploy this template to my subscription, there are two additional steps that are required.  The first is to publish the template.  You can do this by clicking on the template in the screen above and selecting Publish Blueprint.  It will ask you for a version.



When you have selected a good enough name (and put in some lengthy change notes) click on Publish at the bottom. Now that the blueprint is published, we can assign it to a scope.  This is done by navigating back to the blueprint, and selecting Assign Blueprint.

If you remember from above, one of the parameters (the name) was statically set in the template.  The other (the location) was left to be specified at assignment time.  We will now have to enter in the location.  Here is what that page looks like.



After filling out the required data, click on Assign.  Voila, we now have our resource groups automatically created in our subscription.
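
The split between a static name and an assignment-time location can also be checked before anyone clicks Assign. The following is an added example, not code from this post or from Microsoft: the definition body is constructed, the keys `sharedservices`, `network` and `securitygroups` are hypothetical, and treating a changed static value as an error is this example's own policy, not a statement of how the service behaves.

```python
import json

# Constructed blueprint definition body mirroring the three artifacts above.
# Field names follow the Azure Blueprints definition format: a resource group
# entry that omits "name" or "location" leaves it to be set at assignment time.
BLUEPRINT = json.loads("""
{
  "properties": {
    "targetScope": "subscription",
    "description": "Production resource groups",
    "resourceGroups": {
      "sharedservices": {"name": "prodsharedservices"},
      "network":        {"name": "prodnetwork"},
      "securitygroups": {"name": "prodsecuritygroups"}
    }
  }
}
""")

def resolve_resource_groups(blueprint, assignment_rgs):
    """Merge assignment-time values into the definition; return (resolved, errors)."""
    resolved, errors = {}, []
    definition = blueprint["properties"]["resourceGroups"]
    for unknown in sorted(set(assignment_rgs) - set(definition)):
        errors.append(f"{unknown}: not defined in the blueprint")
    for key, static in definition.items():
        supplied = assignment_rgs.get(key, {})
        merged = {}
        for field in ("name", "location"):
            if field in static:
                # Statically set in the definition: assignment must not change it.
                if field in supplied and supplied[field] != static[field]:
                    errors.append(f"{key}: {field} is fixed to {static[field]!r}")
                merged[field] = static[field]
            elif supplied.get(field):
                merged[field] = supplied[field]
            else:
                errors.append(f"{key}: {field} must be supplied at assignment")
        resolved[key] = merged
    return resolved, errors

if __name__ == "__main__":
    # Constructed assignment input: one location missing, one name override.
    sample = {
        "sharedservices": {"location": "eastus"},
        "network": {"name": "devnetwork", "location": "eastus"},
    }
    groups, problems = resolve_resource_groups(BLUEPRINT, sample)
    print(json.dumps(groups, indent=2))
    print("\n".join(problems))
```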



In conclusion, the goal of this post was to take some initial first steps with blueprints.  We created a production blueprint that specified 3 common resource groups (and enforced their names).  We then applied that blueprint to an appropriate scope.  Enjoy!