Azure Mental Model Visualization

Azure Enterprise Scaffolding Model

This diagram illustrates a well-architected Azure environment, showing the relationship between billing, identity, governance, and resource deployment across different environments.

Billing Account

Top-level financial ownership and cost aggregation for the entire organization.

e.g., Enterprise Agreement or Microsoft Customer Agreement

Microsoft Entra ID Tenant

Single source of truth for identity and access management (IAM).

  • Users and Groups: e.g., "Dev Team Group", "AKS Admins Group"
  • App Registrations / Service Principals: identities for automated processes and applications, scoped per environment.
    • CI/CD Pipeline
      • app-cicd-prod: Pushes images to ACR & deploys to Prod AKS.
      • app-cicd-qa: Pushes images to ACR & deploys to QA AKS.
      • app-cicd-dev: Pushes images to ACR & deploys to Dev AKS.
    • Shared Workloads
      • key-vault-api-prod: Used by Payment & Shipping APIs for Key Vaults & Service Bus.
      • key-vault-api-qa: QA identity for APIs.
      • key-vault-api-dev: Dev identity for APIs.
    • Payment Service
      • app-sb-worker-prod: Prod Payment Service Bus Worker.
      • app-sb-worker-qa: QA Payment Service Bus Worker.
      • app-sb-worker-dev: Dev Payment Service Bus Worker.

Management Group Hierarchy

Organizes subscriptions and applies universal security policies (Azure Policy) and access controls (RBAC).

  • Management Group: "Production"
    Policy: Enforce strict security, logging, and disallow certain VM SKUs.
    • Subscription: "Prod Environment"
      Hosts all production resources. Highly restricted access.
      • Resource Group: "rg-prod-app-services"
        • AKS Cluster: "aks-prod-main"
          RBAC: Grant "app-cicd-prod" the Azure Kubernetes Service Cluster User Role.
          • Namespace: "ns-prod-payment"
            Policy: Restricted
            • Workload (API): Uses 'key-vault-api-prod' for Key Vault.
            • Workload (Worker): Uses 'app-sb-worker-prod' for Service Bus.
          • Namespace: "ns-prod-shipping"
            Policy: Restricted
            • Workload (API): Uses 'key-vault-api-prod' for Key Vault & Service Bus.
        • Azure Container Registry: "acr-prod-main"
          RBAC: Grant "app-cicd-prod" the AcrPush role.
        • Key Vault: "kv-prod-payment-secrets"
          RBAC: Grant "key-vault-api-prod" Secrets User role.
        • Key Vault: "kv-prod-shipping-secrets"
          RBAC: Grant "key-vault-api-prod" Secrets User role.
        • Service Bus: "sb-prod-main"
          • Queue: "order-processing"
          • Queue: "shipping-notifications"
          RBAC: Grant "app-sb-worker-prod" Data Receiver role.
          RBAC: Grant "key-vault-api-prod" Data Sender role.
  • Management Group: "Non-Production"
    Policy: More flexible policies for development and testing.
    • Subscription: "QA Environment"
      Hosts resources for quality assurance.
      • Resource Group: "rg-qa-app-services"
        • AKS Cluster: "aks-qa-main"
        • ACR: "acr-qa-main"
        • Key Vaults, Service Bus...
          RBAC: Assign roles to 'key-vault-api-qa', 'app-cicd-qa', etc.
    • Subscription: "Dev Environment"
      Sandbox for developers.
      • Resource Group: "rg-dev-user-a"
        • AKS Cluster: "aks-dev-user-a"
        • ACR: "acr-dev-user-a"
        • Key Vaults, Service Bus...
          RBAC: Assign roles to dev identities.
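The value of this model comes from the RBAC grants staying scoped the way the tree above shows: each identity only holds roles inside its own environment, and always on a specific resource rather than a whole subscription. As an added example (not part of the original post), the following Python audits role assignments in the shape returned by `az role assignment list -o json` and flags drift from those two rules; the subscription IDs, the sample assignments and the `-prod`/`-qa`/`-dev` naming suffix convention are assumptions taken from the identity names on this page.

```python
import json
import re

# Placeholder subscription IDs (not real) mapped to the environment they host.
SUBSCRIPTION_ENV = {
    "11111111-1111-1111-1111-111111111111": "prod",
    "22222222-2222-2222-2222-222222222222": "qa",
    "33333333-3333-3333-3333-333333333333": "dev",
}
PROD_RG = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-prod-app-services/providers/"
QA_RG = "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-qa-app-services/providers/"

# Constructed sample in the shape of `az role assignment list -o json`
# (only the three fields used here); the last two entries are deliberate drift.
SAMPLE = json.dumps([
    {"principalName": "app-cicd-prod", "roleDefinitionName": "AcrPush",
     "scope": PROD_RG + "Microsoft.ContainerRegistry/registries/acr-prod-main"},
    {"principalName": "key-vault-api-prod", "roleDefinitionName": "Key Vault Secrets User",
     "scope": PROD_RG + "Microsoft.KeyVault/vaults/kv-prod-payment-secrets"},
    {"principalName": "app-cicd-qa", "roleDefinitionName": "Azure Kubernetes Service Cluster User Role",
     "scope": QA_RG + "Microsoft.ContainerService/managedClusters/aks-qa-main"},
    {"principalName": "app-sb-worker-dev", "roleDefinitionName": "Azure Service Bus Data Receiver",
     "scope": PROD_RG + "Microsoft.ServiceBus/namespaces/sb-prod-main"},  # dev identity in prod
    {"principalName": "key-vault-api-prod", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},  # whole subscription
])

ENV_SUFFIX = re.compile(r"-(prod|qa|dev)$")

def principal_env(name):
    """Environment suffix of an identity name (app-cicd-prod -> prod), else None."""
    m = ENV_SUFFIX.search(name)
    return m.group(1) if m else None

def scope_env(scope):
    """Environment of the subscription a scope lives in, else None (e.g. a management group)."""
    parts = scope.split("/")
    sub = parts[2] if len(parts) > 2 and parts[1] == "subscriptions" else None
    return SUBSCRIPTION_ENV.get(sub)

def audit(assignments_json):
    """Flag grants that cross environments or sit above resource-group scope."""
    findings = []
    for a in json.loads(assignments_json):
        who, role, scope = a["principalName"], a["roleDefinitionName"], a["scope"]
        want, have = principal_env(who), scope_env(scope)
        if want and have and want != have:
            findings.append(f"CROSS-ENV: {who} ({want}) has {role} on {have} scope {scope}")
        if "/resourceGroups/" not in scope:
            findings.append(f"BROAD-SCOPE: {who} has {role} at {scope}")
    return findings

print(*audit(SAMPLE), sep="\n")
```

Run against the sample it reports the dev worker holding a role on the prod Service Bus and the prod API identity holding Contributor on the whole subscription; both are the kind of drift the per-resource grants in the tree above are meant to prevent.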
