Topic

Standards

Naming Conventions 

Naming pattern from the reference below (illustrated there with pip-sharepoint-prod-westus-001): <resource type>-<workload/application>-<environment>-<Azure region>-<instance>

Define your naming convention - Cloud Adoption Framework | Microsoft Docs 

 

Examples: 

Resource type              Example name
Landing Zone               lz-panzura-prod
Platform                   pl-connhub
                           pl-identity
                           pl-management
Resource Group             rg-cmg-prod-scus-001
VNET                       vnet-hub-prod-scus-001
Subnet                     snet-fwwan-prod-scus-001
Firewall                   fw-hubfirewall-prod-scus-001
VNET Gateway               vgw-toonprem-prod-scus-001
Local Network Gateway      lgw-onprem-prod-scus-001
Public IP                  pip-hubfirewall-prod-scus-001
Log Analytics              log-azuresentinel
VM                         AZ<WORKLOAD>
Recovery Services Vault    rsvlt-platform-prod-scus-001
VM Storage Account         stvmfw001
Private Endpoint           pvtep-stvmfw001-prod-scus-001
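A convention only holds if something checks it before deployment. The following Python checker is an added example for this page, not tooling from Microsoft or from the page's author: it parses a name against the <resource type>-<workload>-<environment>-<region>-<instance> pattern, the shorter shapes the examples above use for landing zones, platforms and Log Analytics, and the hyphen-free shapes Azure forces on storage accounts and that the VM example uses. The lists of allowed environment and region codes are assumptions; the page only shows prod and scus.

```python
"""Check Azure resource names against the convention on this page.

Added example; the environment and region code lists are assumptions
(the page shows only 'prod' and 'scus').
"""
import re

FULL = ("workload", "env", "region", "instance")
# Segments each resource-type prefix carries, taken from the examples above.
SEGMENTS = {
    "rg": FULL, "vnet": FULL, "snet": FULL, "fw": FULL, "vgw": FULL,
    "lgw": FULL, "pip": FULL, "rsvlt": FULL, "pvtep": FULL,
    "lz": ("workload", "env"),    # lz-panzura-prod
    "pl": ("workload",),          # pl-connhub
    "log": ("workload",),         # log-azuresentinel
}
ENVIRONMENTS = {"prod", "dev", "test"}            # assumption
REGIONS = {"scus", "cus", "eus", "eus2", "wus"}   # assumption; scus = South Central US


def validate(name):
    """Return (True, 'ok') or (False, reason) for one resource name."""
    # VM: AZ<WORKLOAD>; Windows computer names are limited to 15 characters.
    if name.startswith("AZ"):
        if re.fullmatch(r"AZ[A-Z0-9]{1,13}", name):
            return True, "ok"
        return False, "VM name must be AZ + uppercase workload, 15 characters max"
    # Storage account: st<workload><NNN>. Azure allows only 3-24 lowercase
    # letters and digits, so there is no room for hyphens, environment or region.
    if name.startswith("st") and "-" not in name:
        if re.fullmatch(r"st[a-z][a-z0-9]*\d{3}", name) and len(name) <= 24:
            return True, "ok"
        return False, "storage account must be st<workload><NNN>, lowercase, 24 characters max"
    parts = name.split("-")
    prefix, values = parts[0], parts[1:]
    if prefix not in SEGMENTS:
        return False, f"unknown resource-type prefix '{prefix}'"
    expected = SEGMENTS[prefix]
    if len(values) != len(expected):
        return False, f"'{prefix}' names need the segments {'-'.join(expected)}"
    for segment, value in zip(expected, values):
        if segment == "workload" and not re.fullmatch(r"[a-z0-9]+", value):
            return False, f"workload '{value}' must be lowercase letters and digits"
        if segment == "env" and value not in ENVIRONMENTS:
            return False, f"environment '{value}' not one of {sorted(ENVIRONMENTS)}"
        if segment == "region" and value not in REGIONS:
            return False, f"region '{value}' not one of {sorted(REGIONS)}"
        if segment == "instance" and not re.fullmatch(r"\d{3}", value):
            return False, f"instance '{value}' must be three digits, e.g. 001"
    return True, "ok"


def violations(names):
    """Map each non-conforming name to its reason; an empty dict means all pass."""
    result = {}
    for name in names:
        ok, reason = validate(name)
        if not ok:
            result[name] = reason
    return result


if __name__ == "__main__":
    # Names from the examples above plus a few deliberately wrong ones.
    sample = [
        "rg-cmg-prod-scus-001", "snet-fwwan-prod-scus-001", "lz-panzura-prod",
        "pl-connhub", "stvmfw001", "pvtep-stvmfw001-prod-scus-001", "AZFW01",
        "rg-cmg-production-scus-001", "vnet-hub-prod-scus-1", "st-vm-fw-001",
    ]
    for bad_name, why in violations(sample).items():
        print(f"{bad_name}: {why}")
```

Run it against the names in a deployment template as a pipeline step and fail the run when violations() is non-empty; extending SEGMENTS with a new prefix is the only change needed when a new resource type is adopted.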

 

Decide Region

Example: Central US

Using a central region is advantageous for several reasons:

  • Reduces region-to-region bandwidth costs (especially for Log Analytics)
  • Simplifies reporting
  • Enables regional disaster recovery through Azure paired regions
  • Reduces human error when deploying resources

Central Logging & Automation

    • Use only TWO Log Analytics workspaces in total for the entire tenant, to prevent sprawl:
      • One Log Analytics workspace with Microsoft Sentinel enabled. Microsoft Sentinel does not support moving.
      • One Log Analytics workspace for all other logging
    • This saves cost, centralizes retention management and provides a single pane of glass for operational and security queries.
    • Workspace: log-monitor-prd-cu 

 

Automation Account

Only one Automation Account can be linked to a Log Analytics workspace. That Automation Account can be used for services such as Azure Automation Management.
  

Networking

Considerations: 

  • /21 will be the default recommended VNET size. Do not make VNETs larger than /16 (Reference). 
  • Do not make subnets smaller than /28 (Reference). 
  • You can expand the address space of an existing VNET, but expect to recreate its VNET peering(s) afterwards. 
  • Ensure ranges are sized appropriately and do not overlap with on-premises or other cloud networks. 
  • Azure reserves five IP addresses in every subnet: the first four (network address, default gateway and two for Azure DNS) and the last (broadcast). Therefore, in a subnet that starts at 10.0.0.0, the first address you can assign statically is 10.0.0.4. 
  • CIDR References 
    • /16 = 65536 addresses per VNET, 256 subnets (/24); 256 such VNETs fit in 10.0.0.0/8 
    • /21 = 2048 addresses per VNET, 8 subnets (/24); 2048 such VNETs fit in 10.192.0.0/10 (the example pool below), 8192 in 10.0.0.0/8 
    • /24 = 256 addresses (251 usable after Azure's five reserved addresses) 

 

Example:  10.192.0.0/10 (10.192.X.X - 10.255.X.X) carved into /21 VNETs 

  • Total VNETs:  2048 (64 /16 blocks, each holding 32 /21s) 
  • Subnets per VNET (/24):  8 
  • Addresses per VNET:  2048 

 

VNET CIDR         Subnets (/24) 
10.192.0.0/21     10.192.0.0/24 - 10.192.7.0/24 
10.192.8.0/21     10.192.8.0/24 - 10.192.15.0/24 
10.192.16.0/21    10.192.16.0/24 - 10.192.23.0/24 
10.192.24.0/21    10.192.24.0/24 - 10.192.31.0/24 
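Address planning is easier to get right when the carving and the rules are done by code instead of by hand. The block below is an added example written for this page, not Azure tooling or the page's own material: it uses only the Python standard library to split the 10.192.0.0/10 pool into /21 VNETs and /24 subnets, applies the /16 maximum, the /28 minimum and the no-overlap rule from the considerations above, and accounts for the five addresses Azure reserves in each subnet. The on-premises range used in the demo is a constructed placeholder.

```python
"""Plan VNET and subnet ranges under the rules on this page.

Added example (not Azure tooling). The on-premises range used in the demo
at the bottom is a constructed placeholder.
"""
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5   # network, gateway, two Azure DNS, broadcast
MAX_VNET_PREFIX = 16            # never larger than /16
MIN_SUBNET_PREFIX = 28          # never smaller than /28


def vnet_pool(pool="10.192.0.0/10", vnet_prefix=21):
    """Every /21 VNET block in the pool, in address order."""
    return list(ipaddress.ip_network(pool).subnets(new_prefix=vnet_prefix))


def subnets_of(vnet, subnet_prefix=24):
    """The /24 subnets that one VNET block divides into."""
    return list(ipaddress.ip_network(vnet).subnets(new_prefix=subnet_prefix))


def usable_addresses(subnet):
    """Addresses left for resources after Azure's per-subnet reservations."""
    return ipaddress.ip_network(subnet).num_addresses - AZURE_RESERVED_PER_SUBNET


def first_static_ip(subnet):
    """First address you may assign statically: the network address + 4."""
    return str(ipaddress.ip_network(subnet).network_address + 4)


def check_vnet(cidr, existing_ranges):
    """Size and overlap rules for a proposed VNET; returns a list of violations."""
    net = ipaddress.ip_network(cidr)
    problems = []
    if net.prefixlen < MAX_VNET_PREFIX:
        problems.append(f"{cidr} is larger than /{MAX_VNET_PREFIX}")
    for other in existing_ranges:
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"{cidr} overlaps existing range {other}")
    return problems


def check_subnet(cidr, vnet):
    """Size and containment rules for a proposed subnet; returns a list of violations."""
    net, parent = ipaddress.ip_network(cidr), ipaddress.ip_network(vnet)
    problems = []
    if net.prefixlen > MIN_SUBNET_PREFIX:
        problems.append(f"{cidr} is smaller than /{MIN_SUBNET_PREFIX}")
    if not net.subnet_of(parent):
        problems.append(f"{cidr} is not inside VNET {vnet}")
    return problems


if __name__ == "__main__":
    pool = vnet_pool()
    print(f"{len(pool)} /21 VNETs available in 10.192.0.0/10")
    for vnet in pool[:4]:                     # the four rows of the table above
        subs = subnets_of(vnet)
        print(f"{vnet}  {subs[0]} - {subs[-1]}  ({len(subs)} subnets, "
              f"{usable_addresses(subs[0])} usable per /24, "
              f"first static {first_static_ip(subs[0])})")
    on_prem = ["10.10.0.0/16"]                # constructed on-premises range
    print(check_vnet("10.192.0.0/21", on_prem) or "10.192.0.0/21 is clear of on-prem")
    print(check_vnet("10.10.128.0/21", on_prem))
    print(check_subnet("10.192.0.0/29", "10.192.0.0/21"))
```

Keep the list passed to check_vnet() as the inventory of every range already in use, on-premises and cloud, and run it before a VNET is created rather than after a peering fails.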

 

Tagging

All Azure resources will be tagged at a minimum with Owner, Environment, Workload and Business Unit. Examples are provided below.

  • Owner: John Doe
  • Environment: Production
  • Workload: Connectivity Hub
  • Business Unit: IT Ops and Architecture

Compliance Standards

Azure, and specifically the Ecommerce workloads, will adhere to the CIS Benchmarks.

Resource Groups 

Generally, keep networking and compute resources (VMs) in separate resource groups.