cloud – wedoAzure

Updated: March 2024 – repo link now updated to new Github structure!

A common requirement for many tenants is to control or restrict the regions in which Azure can be used, this is most commonly done via Azure Policy. Wanting/needing to restrict regions can be for several reasons, below are some of the most common:

Alignment – Align to local presence for performance etc.
Governance – Align to compliance, residency and data restriction requirements.
Features – Not all data regions are created equally – restrict to those with features required.

For anyone who has created a Policy like this in the past, the experience is quite straight forward. Azure provides an out-of-the-box template, you simply have to pick which regions are allowed from a drop down. However, there are actually three policies you should consider for this in my opinion, all are included here.

Allowed Locations – when a resource deploys, it must align
Allowed Locations for Resource Groups – when an RG deploys, it must align
Audit resource location matches resource group location – just nice to have for governance!

So, with multiple policies to deploy, a controlled and accurate solution is to define these Policies via code, in my case, Bicep. How you manage this (i.e. deployment and repo management etc) is not for this blog post, but is achievable with this as your base Policy. Two elements are required for this to work correctly:

Bicep file to deploy our Policy resources
Parameters file for policy definitions IDs and regions required.

Item 1 is simple, I’ve included the code below, and will link off to a repo with all of this at the end too.



//params
param locations array
param allowedLocationsDefintion string
param rgLocationsDefinition string
param locationMatchDefinition string

//vars
var allowedLocations = 'Allowed locations'
var rgLocations = 'Allowed locations for resource groups'
var locationMatch = 'Audit resource location matches resource group location'


//deploy policy assignments
  
resource allowLocations 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
    name: 'allowed-locations'
    properties: {
      displayName: allowedLocations
      policyDefinitionId: allowedLocationsDefintion
      parameters: {
          listOfAllowedLocations: {
            value: locations
          }
        }
      }
    }
  
    resource allowRGLocations 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
    name: 'rg-locations'
    properties: {
      displayName: rgLocations
      policyDefinitionId: rgLocationsDefinition
      parameters: {
          listOfAllowedLocations: {
            value: locations
          }
        }
      }
    }
  
    resource resourceLocationMatch 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
    name: 'location-match'
    properties: {
      displayName: locationMatch
      policyDefinitionId: locationMatchDefinition
      }
    }

To explain the above:

We will pass an array of chosen regions/locations, and the strings of the built-in Policy definitions.
We use a variable to define the Policy names.
We deploy a resource object per policy, combining each of these into one Policy deployment.

The only real decision required here is which regions you want to allow. Some pointers from me, always include Global, otherwise some features like Traffic Manager, cannot be deployed. Only include the regions you need now, you can always update later.

How to decide on your regions? That’s probably a whole blog post by itself (adds idea to drafts) but my advice would be choose local, and choose as mature a region as possible. This should offer you the best mix of features, performance, and reliability. Once that is decided, also allow the paired region, so BCDR is possible when needed.

Once you have your list completed, that is now the detail we will use in the parameter file to pass our array of regions for deployment, note these must be in exact format required by ARM.

Now to deploy, simply pick your method! For this post, I am using PowerShell (as I am already logged in) and will complete a Subscription level deployment, as this is a Policy. I will pass both files as command parameters, Azure will do the rest! The below should work for you, and I will include a PS1 file in the repo too for reference, but adjust as per your files, tenant etc.

New-AzSubscriptionDeployment -Name 'az-region-policy-deploy' -Location northeurope -TemplateFile 'C:\folderthatexists\region-restrict-policy.bicep'
-TemplateParameterFile 'C:\folderthatexists\policy.parameters.json'

Once that runs successfully, you can verify all is correct via the Portal. Again, as this is Bicep, you can run this over and over and it will simply update the Policy if there are changes. Meaning all it requires is an update of your location parameters to add or remove regions from being allowed.

And that’s it! As promised, here is a repo with the files for reference. Please note – as always, all code is provided for reference only and should not be used on your environment without full understanding and testing. I cannot take responsibility for your environment and use of code. Please do reach out if you have questions.

This is the fear right? Or maybe it’s not a fear, and is a desire for some people, but it’s still not clear what the impact may be. What am I talking about? AI of course; specifically for this post, Azure OpenAI. Now, my idea here is to see what I think of the quality of responses it can give me based on specific prompts to try and tie together a simple blog post. I will pick a topic, an objective for the post, and I will be 100% transparent on what is AI written and what is me – just in case it is not obvious! I will also include the settings being used for my model at the end and whether I adjusted them during.

Ok, let’s get started. My topic is going to be Virtual Network Manager in my usual style of exploration.

What is Azure Virtual Network Manager? Write an opening paragraph for a blog post.

Azure Virtual Network Manager is an essential tool for managing and organizing your cloud-based virtual networks. With virtual networks, you can securely connect and isolate your Azure resources, control traffic flow, and expand your on-premises network into the cloud. However, managing virtual networks can be a challenging task, especially when you have multiple resources and services scattered across different regions. This is where the Azure Virtual Network Manager comes in, offering a centralized and user-friendly interface to help you efficiently manage and monitor your virtual networks. In this blog post, we will take a closer look at the Azure Virtual Network Manager and explore its features and benefits.

What are the top three use cases for Azure Virtual Network Manager? Write a detailed paragraph including bullet points and examples for each.

Azure Virtual Network Manager is a versatile tool that can support various use cases, depending on your organization’s needs. Here are the top three use cases for Azure Virtual Network Manager:

Hybrid Cloud Connectivity: Azure Virtual Network Manager can help organizations establish secure, high-speed connections between their on-premises datacenters and Azure resources. This allows companies to take advantage of the scalability and flexibility of the cloud while maintaining the security and control of their own infrastructure. With Azure Virtual Network Manager, organizations can easily configure VPN gateways, express routes, and other connectivity options to seamlessly integrate their on-premises networks with Azure.

Examples:

Connecting an on-premises Active Directory to Azure to manage identity and access for cloud resources.
Extending a corporate LAN to Azure to host applications and services in the cloud.
Using Azure as a backup and disaster recovery site for on-premises datacenters.

Multi-Tier Application Architecture: Azure Virtual Network Manager enables organizations to create complex multi-tier application architectures in the cloud, with the ability to isolate and secure different layers of the application. This is done by creating multiple virtual networks, each with its own subnets and security groups. This approach provides better control over network traffic and reduces the risk of security breaches by limiting the attack surface.

Examples:

Hosting a web application in Azure with a separate virtual network for the web server, application server, and database server.
Creating a DMZ in Azure to host public-facing services, with a separate virtual network for internal services.
Separating development, testing, and production environments into different virtual networks to ensure isolation and security.

Global Network Management: Azure Virtual Network Manager provides a centralized interface to manage virtual networks across different regions and subscriptions. This allows organizations to monitor network traffic, troubleshoot connectivity issues, and optimize network performance from a single location. With Azure Virtual Network Manager, organizations can also implement advanced networking features, such as traffic routing, load balancing, and network security groups.

Examples:

Creating a global load-balancing solution to distribute traffic across multiple regions and availability zones.
Implementing Azure Firewall to provide centralized network security management across multiple virtual networks.
Enabling Azure Traffic Manager to route traffic to the nearest endpoint based on geographic location or network latency.

What are the current limitations or known issues of Azure Virtual Network Manager? Write a paragraph in the blog post.

While Azure Virtual Network Manager is a powerful tool for managing virtual networks in the cloud, there are some limitations and known issues that organizations should be aware of. Some of the current limitations of Azure Virtual Network Manager include:

Limited support for hybrid networking configurations: Currently, Azure Virtual Network Manager has limited support for hybrid networking configurations, which can make it challenging to manage virtual networks that span multiple cloud providers or on-premises datacenters.
Limited visibility into network traffic: Azure Virtual Network Manager provides limited visibility into network traffic, which can make it difficult to troubleshoot connectivity issues or monitor network performance.
Limited integration with third-party tools: Azure Virtual Network Manager has limited integration with third-party tools, which can make it challenging to implement advanced networking features or security solutions.

Organizations should carefully evaluate their networking needs and consider these limitations before deploying Azure Virtual Network Manager. However, Microsoft is continually improving the tool and addressing these limitations through updates and new features.

Is there a tutorial or general steps that should be recommended as part of this blog post for people who are interested in now trying Azure Virtual Network Manager? Include high level steps and a link to the appropriate site if possible

Yes, Microsoft offers a comprehensive tutorial on how to set up and manage virtual networks using Azure Virtual Network Manager. Here are the high-level steps for getting started with Azure Virtual Network Manager:

Create a virtual network: The first step is to create a virtual network in Azure. This involves specifying the name, address space, and subnets for your network. You can also configure advanced network settings, such as DNS servers and network security groups.
Create a gateway subnet: If you plan to connect your virtual network to an on-premises network, you need to create a gateway subnet. This subnet is used to deploy a VPN gateway or an ExpressRoute gateway.
Configure VPN or ExpressRoute: Once you have created your virtual network and gateway subnet, you can configure a VPN or ExpressRoute connection to connect your on-premises network to Azure.
Set up network security: Azure Virtual Network Manager provides several tools for securing your virtual network, including network security groups, application security groups, and Azure Firewall. You can use these tools to control inbound and outbound traffic, restrict access to specific resources, and monitor network activity.
Monitor and troubleshoot your network: Azure Virtual Network Manager provides several tools for monitoring and troubleshooting your virtual network, including network performance monitoring, packet capture, and network watcher.

For more detailed instructions on how to use Azure Virtual Network Manager, check out the official Microsoft tutorial: https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-create-virtual-network.

Based on your previous responses do you think there is anything else that is important to know about Virtual Network Manager? Write a closing paragraph with a call to action to get in touch if you have any questions

In conclusion, Azure Virtual Network Manager is a powerful tool that can help organizations manage and secure their virtual networks in the cloud. With Azure Virtual Network Manager, organizations can establish secure connections between their on-premises and cloud-based resources, create complex multi-tier application architectures, and manage virtual networks across different regions and subscriptions. While there are some limitations and known issues with the tool, Microsoft is continually improving it with updates and new features.

If you have any questions about how to use Azure Virtual Network Manager or want to learn more about how it can support your organization’s networking needs, don’t hesitate to get in touch. Our team of experts is always available to help you navigate the complexities of cloud networking and find the best solutions for your business.

Let’s start with the settings used, I started with these and didn’t change them at all during the process:

engine="35t", (gpt35-turbo)
temperature=0.8,
max_tokens=800,
top_p=0.95,
frequency_penalty=0,
presence_penalty=0

Overall, I think it has the basics nearly correct. However, it has very little personalisation, it obviously speak to no real experience, and is essentially a modified read of the Docs pages. So I am pretty confident that at no point in near future could it be used to write an entire post that I would be happy with publishing. However, where a post calls for something more generic, like known issues, or intros, it could definitely be used as a starting point.

I am interest to see if a GPT4 model would make a huge difference, but for this style of work, I am not sure. Also, I could of course edit the temperature or top p, but I am unsure as to whether that impact again would be noticeable enough.

In conclusion, Azure OpenAI can definitely write a blog post – I am just not sure it’s a blog post I would be happy with!