Virtual Azure Gov Discovery Day

Put the cloud to work for you. Join us as we explore how your agency can achieve more while helping stay compliant and secure with Microsoft Azure Government. You’ll hear from industry leaders, analysts, and experts over the course of eight sessions designed to help you modernize your agency and kick off your digital transformation.

Don’t miss the Virtual Azure Gov Discovery Day on April 25th at 12:00 PM ET/9:00 PT.

Automating ARM Policies

In a previous post I discussed using Azure Resource Manager Policies for enhancing governance.  I mentioned that I had put together a simple Azure Automation demonstration that automatically applies policies to resource groups within a subscription.  I have made this sample PowerShell script available for download to demonstrate one possible option for applying ARM policies.  This is a demonstration script only and has not been fully reviewed for production use.  Use at your own risk.

This script is designed to be executed by Azure Automation on a schedule.  It uses an AzureRunAsConnection that has been granted ownership permissions over the subscription.  You will need to use the New-AzureRmRoleAssignment cmdlet to assign ownership permissions to the AzureRunAsConnection account, because the Contributor role cannot apply policies.

To use this script you need to set up an Azure Storage account that will hold the ARM JSON policy templates.  The storage account needs to provide anonymous access to the policy files.  Policies should be placed in a container named after the resource group where the policies should be applied. For example, if you have a resource group named myRG you would create a container in the storage account called myrg and place all of the policies that should be assigned to that resource group in that container.

Inside of the script there are variables that need to be set for the AzureRunAsConnection name, subscription ID, storage account name, and storage account key.

Once the storage account is set up, the script variables are updated and Azure Automation is configured, the policies will be applied automatically on the schedule you choose.  Policies can then be added, removed or changed just by changing the files in the storage account.  No additional steps are required.

vnet peering demo

Recently a new feature was released in the Azure US Government regions that enables the peering of multiple virtual networks within a region.  This feature replaces the need to use site-to-site VPNs between virtual networks that are hosted in the same Azure region.  To explain a bit more about VNet peering, and to provide a demo, I have created this short 6-minute video.

For more information on VNet peering, please review the Azure documentation.

Azure Resource Manager Policies

Organizations that choose to utilize cloud computing can find that they are able to be more agile and deliver services more quickly.  Microsoft Azure can provide virtually unlimited access to compute, networking, storage and platform services which can be provisioned in a very short timeframe.   Many organizations find that it is often faster and cheaper to utilize cloud services than to go through a long hardware procurement cycle.  Unfortunately, many organizations are not prepared for this new way of working.  Frequently I see organizations adopt cloud computing only to find that their outdated policies and procedures become the reason for slow cloud adoption.

How can IT organizations become a better enabler of agile cloud solution delivery?  One way is to provide a self-service model to agencies and departments where they can request and receive access to cloud resources in minutes instead of days.  Microsoft has many partners that offer comprehensive (and sometimes customized) solutions to enable self-service of both Microsoft Azure and on-premises resources.  But what if you are just getting started?  Microsoft Azure provides many options in the management portal, such as role-based access control (RBAC) and Azure Resource Manager Policies, which can help an organization enforce basic governance rules while enabling users from departments and agencies to create cloud resources.   In this post, I will be providing some insight into the often overlooked Azure Resource Manager Policies.

Azure Resource Manager Policies give Azure subscription administrators the ability to attach specific governance policies to the subscription or to specific resource groups in a subscription.   With RBAC you assign roles to users that allow them to perform specific actions at different scopes within Azure.  For example, an RBAC role may allow a user to create resources in a resource group but not manage permissions for that resource group.   Policies, on the other hand, focus on resource actions at a specific scope.   For example, a policy may require that resources created in a specific resource group can only be created in a specific region.  Other common policy scenarios include:

  • Requiring a CostCenter tag for each resource that is created, or automatically appending a CostCenter tag when a resource is created
  • Only allow a user to create resources from a predefined service catalog
  • Only allow the creation of storage accounts configured for geographically redundant storage
  • Require that all storage accounts are configured for at rest encryption

Azure Resource Manager Policies are defined using JavaScript Object Notation (JSON).   A policy definition consists of a condition (one or more field tests, optionally combined with logical operators) that selects the resource actions it applies to, and an effect that describes what happens when the condition is met.  Below is a sample policy definition that will deny the creation of a resource unless it has a costCenter tag defined.

{
  "if" : {
    "not" : {
      "field" : "tags",
      "containsKey" : "costCenter"
    }
  },
  "then" : {
    "effect" : "deny"
  }
}

To create the policy definition in Azure you can use the New-AzureRmPolicyDefinition PowerShell cmdlet and pass in either the raw JSON or the path to a local file that contains the JSON definition.   Once the policy definition has been added to Azure you can use the New-AzureRmPolicyAssignment cmdlet to assign the policy to a specific scope such as the subscription or a resource group.   For an in-depth look at how to create and assign policies, please review the Azure documentation article titled Use Policy to Manage Resources and Control Access.

Creating and deploying Azure Resource Manager Policies is quick and simple, but what happens when you need to manage a large number of policies which might be unique to different resource groups?   How can you ensure that the official policies are always in place and not drifting from the desired state?   The answer to both of these questions is automation.

One option for automation and management is to use Visual Studio and Visual Studio Online to maintain all of your JSON policy files under source control.  You can then utilize the build features of Visual Studio Online to move the JSON policy definition files into an Azure Storage account when a change has been checked in.  Once these files are in a storage account you can utilize PowerShell in Azure Automation runbooks to clear out existing policy assignments and then apply the updated policies.

I recently put together a simple Azure Automation demonstration that automatically applies policies to resource groups in my subscription.   This all starts with an Azure Storage account which is used only for my JSON policy files.   In the storage account I create containers which will hold the actual JSON policy files.  These containers are named exactly the same as the resource group where the policies should apply.    Once I have the storage account and containers in place I upload my JSON policy definition files to the appropriate containers.  The final step is to create an Azure Automation runbook that uses PowerShell to read the JSON definitions from each container and apply them to the related Azure Resource Group.   All of this took less than 2 hours to build from scratch.   Once I had everything in place and tested, I set up a recurring schedule to execute the runbook on an hourly basis.   This simple configuration allows me to easily add or remove policies for specific resource groups just by adding or removing JSON files from the containers in the storage account.
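
The scheduled runbook that this paragraph and the Automating ARM Policies post above both describe, as an added example written for this page (it is not the post's downloadable script). It assumes the AzureRM and Azure.Storage cmdlets of the time, a Run As connection named AzureRunAsConnection that holds ownership of the subscription, placeholder values for the subscription ID and storage account, and, unlike the post's anonymous-access setup, reads the containers with the storage key kept in an encrypted Automation variable named PolicyStorageKey.

```powershell
# Added example runbook, not the post's script. Values marked placeholder must be replaced.
$connectionName = "AzureRunAsConnection"
$subscriptionId = "00000000-0000-0000-0000-000000000000"      # placeholder subscription ID
$storageAccount = "policystoreplaceholder"                    # placeholder storage account name
# Assumption: the key lives in an encrypted Automation variable, not in the script body
$storageKey     = Get-AutomationVariable -Name "PolicyStorageKey"

# Sign in with the Run As service principal (it needs Owner on the subscription to assign policy)
$conn = Get-AutomationConnection -Name $connectionName
Add-AzureRmAccount -ServicePrincipal -TenantId $conn.TenantId -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint | Out-Null
Set-AzureRmContext -SubscriptionId $subscriptionId | Out-Null

# Authenticated storage context, so the policy containers do not have to be public
$ctx     = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageKey
$workDir = Join-Path $env:TEMP "policies"
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

foreach ($container in Get-AzureStorageContainer -Context $ctx) {
    # Convention from the post: container name == resource group name (lower-cased)
    $rg = Get-AzureRmResourceGroup -Name $container.Name -ErrorAction SilentlyContinue
    if (-not $rg) { Write-Warning "No resource group matches container '$($container.Name)'"; continue }
    $scope   = $rg.ResourceId
    $prefix  = "$($container.Name)-"      # marks the assignments this runbook owns at this scope
    $desired = @{}

    $blobs = Get-AzureStorageBlob -Container $container.Name -Context $ctx |
             Where-Object { $_.Name -like "*.json" }
    foreach ($blob in $blobs) {
        $local = Join-Path $workDir $blob.Name
        Get-AzureStorageBlobContent -Container $container.Name -Blob $blob.Name `
            -Destination $local -Context $ctx -Force | Out-Null

        # Reject files that are not valid JSON before they are sent to Azure
        $valid = $true
        try { Get-Content $local -Raw | ConvertFrom-Json -ErrorAction Stop | Out-Null } catch { $valid = $false }
        if (-not $valid) { Write-Warning "Skipping '$($blob.Name)': not valid JSON"; continue }

        # (Re)create the definition from the file and assign it at resource group scope
        $name = $prefix + [IO.Path]::GetFileNameWithoutExtension($blob.Name)
        $def  = New-AzureRmPolicyDefinition -Name $name -Policy $local
        New-AzureRmPolicyAssignment -Name $name -PolicyDefinition $def -Scope $scope | Out-Null
        $desired[$name] = $true
    }

    # Drift control: remove assignments this runbook created whose file no longer exists
    foreach ($a in Get-AzureRmPolicyAssignment -Scope $scope) {
        if ($a.Name -like "$prefix*" -and -not $desired.ContainsKey($a.Name)) {
            Remove-AzureRmPolicyAssignment -Name $a.Name -Scope $scope | Out-Null
        }
    }
}
```

The name prefix is what lets the drift step distinguish assignments this runbook created from ones that were made by hand or inherited from the subscription, so those are never removed.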

By utilizing the built in RBAC and Policy features in Microsoft Azure you can quickly establish some basic governance which can enable you to empower more people within your organization to use Azure while still maintaining your standards.

Azure Resource Tagging for Charge-Back

Resource tagging in Microsoft Azure is a feature introduced with Azure Resource Manager (ARM).  Resource tagging enables you to attach multiple key/value pairs to resources for categorization and management.

In Microsoft Azure you can place tags on individual ARM based resources or you can place tags on the resource group level.   You cannot place tags on resources created under the Azure Service Manager (ASM / classic) model.

Tags are commonly used for charge-back purposes in large organizations.   In these cases, resources are tagged with a cost center or some other identifier that would relate the resource back to the entity which should be charged for the usage of the resource.    These tags will then show up in the enterprise Azure usage report.

Although there is a resource group field in the usage report, not all of the resource types return the resource group name to the Azure usage reporting system.   This means that you cannot rely on the resource group name field in the usage report as a way to monitor usage for all resources in that group.

When working with tagging it is important to remember:

  • You can only tag resources created through the Azure Resource Manager (ARM).  Classic resources created through Azure Service Manager (ASM) cannot be tagged.
  • If you place tags at the resource group level, those tags will not be automatically placed on all resources within that group.   There is no tag inheritance, however, you can use a scheduled PowerShell task to copy tags from the resource group to all ARM based resources in that group.
  • The Azure usage report does have a field for Resource Group Name.  It may be tempting to use a resource group name as a way to identify resources for charge-back.   This will not work because not all resources output their resource group to the Azure usage report.
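
The scheduled tag-copy task mentioned in the second bullet, as an added example written for this page rather than taken from the post. It assumes an already signed-in AzureRM session of version 2.0 or later (where Tags is a hashtable), treats a tag already set on a resource as taking precedence over the group's value, and skips Microsoft.Classic* resource types because classic resources cannot be tagged.

```powershell
# Added example (not from the post): copy a resource group's tags onto the ARM resources
# inside it. Assumes AzureRM 2.0+ (Tags is a hashtable) and an already signed-in session.
function Merge-GroupTags {
    # Resource-level tags win; group tags only fill in keys the resource lacks.
    param([hashtable]$GroupTags, [hashtable]$ResourceTags)
    $merged = @{}
    if ($GroupTags)    { foreach ($k in $GroupTags.Keys)    { $merged[$k] = $GroupTags[$k] } }
    if ($ResourceTags) { foreach ($k in $ResourceTags.Keys) { $merged[$k] = $ResourceTags[$k] } }
    return $merged
}

function Copy-GroupTagsToResources {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [switch]$DryRun   # report what would change without writing anything
    )
    $group = Get-AzureRmResourceGroup -Name $ResourceGroupName
    if (-not $group.Tags -or $group.Tags.Count -eq 0) {
        Write-Warning "Resource group '$ResourceGroupName' has no tags; nothing to copy."
        return
    }
    foreach ($res in Get-AzureRmResource -ResourceGroupName $ResourceGroupName) {
        # Classic (ASM) resources surface as Microsoft.Classic* types and cannot carry tags
        if ($res.ResourceType -like "Microsoft.Classic*") { continue }

        # Only touch resources that are missing at least one of the group's tag keys
        $missing = @($group.Tags.Keys | Where-Object { -not $res.Tags -or -not $res.Tags.ContainsKey($_) })
        if ($missing.Count -eq 0) { continue }

        $merged = Merge-GroupTags -GroupTags $group.Tags -ResourceTags $res.Tags
        if ($DryRun) {
            Write-Output "Would add [$($missing -join ', ')] to $($res.ResourceId)"
            continue
        }
        # Set-AzureRmResource replaces the whole tag set, so always write the merged hashtable
        Set-AzureRmResource -ResourceId $res.ResourceId -Tag $merged -Force | Out-Null
        Write-Output "Tagged $($res.ResourceId) with [$($missing -join ', ')]"
    }
}

# Usage (placeholder group name): run with -DryRun first, then schedule the real call
Copy-GroupTagsToResources -ResourceGroupName "myRG" -DryRun
```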

Below are a few additional resources which I find valuable when working with resource tagging:

Azure Resource Tagging Best Practices
Using tags to organize your Azure resources – Tags and billing
Using Resource Groups and Tagging in Azure Government

Azure Marketplace with ISV Solutions in Azure US Government

Microsoft has just announced the general availability of the Azure Marketplace for Microsoft Azure US Government regions.

Microsoft has partnered with some of the top ISVs to provide Azure  US Government customers with more options for finding the right solutions and quickly spinning up applications that suit their needs. Azure Marketplace is your online store for Virtual Machine images, VM extensions, and more that enable ISVs to offer pre-configured, Azure certified software to customers on the Azure US Government cloud.

To find out how to provision an image, check out the Azure Marketplace for Government technical documentation, here. We are constantly adding new images and services, so check back often if you don’t see the solution you’re looking for! You can see the full list of images available in Azure Government here.

Over the past week the following solutions have been made available in the Azure Marketplace for US Government regions:

If you are an ISV or software partner that would like to publish your images, check out this blog post on the Azure Government blog.

Cisco CSR1000V in Azure US Government Regions

Microsoft recently announced that the Cisco CSR1000V is now available in the Azure US Government regions.

Cisco CSR1000v provides best in class routing capabilities that support full path encryption with the strongest cipher suites available in the market, L4-L7 firewall capabilities and L7 visibility and control. Using Cisco CSR1000v in concert with the Azure Government Cloud delivers on the value proposition of ensuring Government data receives the protection of Cisco’s security capabilities in the Azure cloud environment they trust.

Because Cisco CSR1000V runs full featured Cisco IOS-XE, management of CSR1000V simply becomes another location inside an already deployed Cisco based network and plugs in easily to existing management tools and operations.

How to Deploy Cisco CSR in Azure Government
Go to the solution templates for 2-NIC and 4-NIC Cisco CSR1000v in the Azure QuickStart repo on GitHub, found at the links below. They can be found by searching for Cisco CSR1000v, or by clicking below. For step-by-step deployment instructions for solution templates from GitHub into the Azure Government Cloud, see our technical documentation.

How Does Licensing the CSR 1000V Work on Azure Government Cloud?
If you want to connect your enterprise network to Azure the CSR 1000V supports Bring Your Own License (BYOL).  This means you buy a license from Cisco or a partner and install that license to the CSR 1000V running on Azure Government Cloud.

Read more on the Azure Government Blog

More goodness in Azure US Government

More great announcements have come out in the past couple days regarding Azure US Government.  Below are the highlights.

G-Series VMs
The G-Series provides more memory and more local solid state drive (SSD) storage than other Azure virtual machine sizes.  G-Series VMs provide up to 32 cores and 448GB of RAM!  In addition to massive memory and local SSD storage, the G-Series provides unparalleled computational performance by using the latest Intel Xeon processor E5 v3 family, ideal for your most demanding applications.  Find out more about G-Series VMs here.

F5 BIG-IP virtual appliance
F5 is pleased to announce the general availability of its BIG-IP Virtual Edition (VE) application delivery controller (ADC) solutions in the Microsoft Azure US Government Cloud. Customers who want to deploy mission-critical government applications in Microsoft-managed and physically-isolated datacenters within the continental United States can now take advantage of F5’s market-leading application services to make their applications faster, more available, and more secure.  Read more about this announcement here.

Red Hat VM Images in a Pay-as-you-go Model for Azure Government.
We are happy to announce that government customers can now deploy Red Hat Enterprise Linux 6.8 and 7.2 VM images in a Pay-As-You-Go model directly from the Azure Government Marketplace with per-minute billing.  This follows our partnership announcement with Red Hat in Azure Government on July 27th, 2016.  As more and more government customers move to the cloud, we realized that there was demand for a fully supported version of Linux with the agility that Azure Government provides. We’ve added this capability to meet this demand.   Read more about this announcement here.

Two new Azure US Government Regions Announced

Today Microsoft announced their intent to open new Azure US Government regions in Arizona and Texas.  Slated to be generally available in 2017, the new regions will add to their existing regions in Virginia and Iowa and are new additions beyond the Department of Defense regions recently announced. Now, Azure has a total of six dedicated regions for government customers – more than any other cloud provider.

You can learn more about this announcement from a recent blog post by Tom Keane, General Manager for Microsoft Azure.

More new features in Azure Government

Today the Microsoft Azure engineering team has released several new features into the Azure US Government regions:

Azure Batch
Azure Batch is our job scheduling and compute pool management service that helps developers easily scale their compute-intensive workloads to tens, hundreds, or thousands of virtual machines without having to manage the infrastructure. As a managed service, Azure Batch handles the heavy lifting of provisioning, monitoring and scaling virtual machines.  Additional information on Azure Batch can be found here.

Redis Cache
Azure Redis Cache is a distributed, in-memory, managed cache that helps you build highly scalable and responsive applications, by providing you with fast access to your data. It’s based on the popular open-source Redis Cache, and it gives you access to a secured, dedicated Redis cache that’s managed by Microsoft.   Additional information on Redis Cache can be found here.

Service Fabric
Service Fabric is a mature, feature-rich microservices application platform with built-in support for lifecycle management, stateless and stateful services, performance at scale, 24×7 availability, and cost efficiency.  Service Fabric integrates with Azure features and services, making operations and management simpler, and leveraging the power of Azure cloud.  Service Fabric is available at no additional cost in Azure – you only pay for the underlying compute, network and storage used by your Service Fabric Cluster and microservices. Additional information on Service Fabric can be found here.

Virtual Machine Scale Sets (VMSS)
VM Scale Sets are a way to manage Azure VMs as a group, providing easy deployment and management options, and simple ways to integrate with Azure autoscale and load balancing. If your machines can all be configured the same, you can reduce the overhead of managing them individually, and elastically scale your VMs to match the workload. VM Scale Sets are available at no additional cost over the compute resources being used, and are available in all regions that support Azure Resource Manager.  Additional information on VMSS can be found here.

VM-series Expansion
The following VM series sizes are now available for Microsoft Azure US Government customers:

  • A1-A7 VM series for ARM
  • D/DS VM series for ARM
  • Dv2 VM series for ARM and Classic
  • F VM series for ARM

To keep up on the latest information on Microsoft Azure US Government, visit the official blog at:

Technology Blog