Best Practices

1. Organize Resources with Management Groups, Subscriptions, and Resource Groups

• Best Practice: Use management groups for policy enforcement, separate subscriptions for environments (dev, test, prod), and resource groups for logical grouping.

• Example:

az account management-group create --name platform
az account management-group create --name prod --parent platform
az group create --name rg-app-prod --location westeurope

2. Infrastructure as Code (IaC)

• Best Practice: Use Terraform or Bicep for declarative, version-controlled infrastructure.

• Terraform Example:

resource "azurerm_resource_group" "main" {
  name     = "rg-app-prod"
  location = "westeurope"
}

• Bicep Example:

resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: 'rg-app-prod'
  location: 'westeurope'
}

• Common Pitfall: Manual changes in the portal can cause drift. Always use IaC for changes.

3. Secure Identity and Access

• Best Practice: Use Azure AD for identity, enable MFA, and apply least-privilege RBAC.

• Example:

az ad group create --display-name "DevOps Team" --mail-nickname devops
az role assignment create --assignee <user-or-group-id> --role "Contributor" --resource-group rg-app-prod

• Common Pitfall: Assigning Owner role too broadly. Use custom roles for fine-grained access.

4. Secrets Management

• Best Practice: Store secrets in Azure Key Vault, never in code or pipelines.

• Example:

az keyvault create --name my-keyvault --resource-group rg-app-prod --location westeurope
az keyvault secret set --vault-name my-keyvault --name "DbPassword" --value "SuperSecret123"

5. Automate Deployments with CI/CD

• Best Practice: Use GitHub Actions or Azure Pipelines for automated builds, tests, and deployments.

• GitHub Actions Example:

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      - run: az deployment group create --resource-group rg-app-prod --template-file main.bicep

• Azure Pipelines Example:

- task: AzureCLI@2
  inputs:
    azureSubscription: 'MyServiceConnection'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az deployment group create --resource-group rg-app-prod --template-file main.bicep

6. Monitoring and Observability

• Best Practice: Enable Azure Monitor and Log Analytics for all resources. Set up alerts for critical metrics.

• Example:

az monitor log-analytics workspace create --resource-group rg-app-prod --workspace-name law-prod
az monitor diagnostic-settings create --resource-id <resource-id> --workspace law-prod --logs '[{"category": "AllLogs", "enabled": true}]'

7. Cost Management

• Best Practice: Use budgets and cost alerts. Tag resources for cost allocation.

• Example:

az consumption budget create --resource-group rg-app-prod --amount 1000 --time-grain monthly --name prod-budget
az tag create --resource-id <resource-id> --tags Environment=Prod Owner=DevOps

8. Common Pitfalls

• Not using IaC for all changes (leads to drift)

• Over-permissioned identities

• Ignoring monitoring and cost alerts

• Hardcoding secrets in code or pipelines

References

• Azure Well-Architected Framework

• Terraform Azure Provider Docs

• Bicep Documentation

Joke: Why did the Azure resource group break up with the VM? It needed more space!