Azure Platform Engineering Tools & Capabilities - Part 2
Stephen Tulp
December 6, 2024
12 minutes to read
Stay Right, Guidance, Governance and Policy Enforcement
In Part 1 we covered the left side of the infinity loop to get an understanding of tools such as GitHub, IaC and Azure Development Environments. In this blog post we address the right side and cover monitoring, security and governance.
As outlined in the Advent Calendar Overview, the focus for this Advent Calendar is Platform Engineering within Azure, so we will skip the Infrastructure pillar and look at the capabilities within the Security & Governance and Observability & Insights pillars.
Security & Governance
The Security & Governance pillar focuses on access controls, enforcing compliance, providing guidance and policy enforcement within Azure.
Microsoft Entra
Microsoft Entra is a comprehensive suite of identity and network access products designed to enhance security and governance in hybrid and multi-cloud environments. As the core identity provider (IdP) for the Microsoft ecosystem, there are key benefits and capabilities that complement platform engineering:
- Unified Identity Management: Microsoft Entra provides a centralised platform for managing identities across environments, ensuring consistent identity policies and secure access to applications and resources.
- Conditional Access: Entra enables conditional access policies to evaluate risk factors in real-time, ensuring only authorised users can access sensitive resources.
- Identity Governance: With features like automated access reviews and lifecycle management, Entra simplifies the management of user permissions and ensures that access rights are appropriate and current.
- Seamless Integration: Entra integrates with existing IT infrastructures, allowing platform engineers to enforce consistent security policies across different applications and services without disrupting workflows.
- Enhanced User Experience: By providing secure, passwordless authentication and single sign-on (SSO) capabilities, Entra improves the user experience for both developers and end-users.
- Secure Access to Resources: Entra ensures that only authenticated and authorised users can access critical resources.
- Automated Compliance: Entra’s governance features help automate compliance with regulatory requirements, reducing the administrative burden on platform engineering teams.
To focus on a specific use case, our Platform Engineering team has moved all our key accelerators and assets to OpenID Connect (OIDC) as the authentication mechanism for our GitHub Actions workflows. As most are aware, using the Azure Login action with a Service Principal client secret isn't recommended: the secret has to be stored securely and rotated. The same applies to Azure DevOps pipelines, where a one-time setup configures Workload Identity Federation for the Service Connection.
The diagram below shows the flow between the components.
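The trust relationship in that flow, as an added example (not the author's code or the diagram): Entra compares the `iss`, `sub` and `aud` claims of the token GitHub mints for the run against a federated identity credential on the app registration, and the subject is an exact string match, so a run from another branch, environment or fork gets no Azure token. The repository name and credential name below are constructed placeholders.

```python
import json

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
ENTRA_AUDIENCE = "api://AzureADTokenExchange"  # audience azure/login requests from GitHub


def github_subject(repo, branch="", environment="", pull_request=False):
    """Build the 'sub' claim GitHub mints for a workflow run. One federated credential
    covers exactly one of these contexts; there are no wildcards."""
    if environment:
        return f"repo:{repo}:environment:{environment}"
    if pull_request:
        return f"repo:{repo}:pull_request"
    if branch:
        return f"repo:{repo}:ref:refs/heads/{branch}"
    raise ValueError("need a branch, environment or pull_request context")


def federated_credential(name, subject):
    """Parameter document for `az ad app federated-credential create --parameters`
    (the fields of an Entra federated identity credential)."""
    return {"name": name, "issuer": GITHUB_ISSUER, "subject": subject,
            "audiences": [ENTRA_AUDIENCE],
            "description": "GitHub Actions OIDC trust; no client secret to store or rotate"}


def token_matches(claims, credential):
    """The check Entra applies before exchanging a GitHub token for an Azure token:
    iss, sub and aud must all match the stored credential exactly."""
    return (claims.get("iss") == credential["issuer"]
            and claims.get("sub") == credential["subject"]
            and claims.get("aud") in credential["audiences"])


# Constructed sample: trust only the main branch of a placeholder repository.
CRED = federated_credential("gh-main", github_subject("contoso/platform-iac", branch="main"))

# Constructed claims as GitHub would mint them for two different runs.
MAIN_RUN = {"iss": GITHUB_ISSUER, "aud": ENTRA_AUDIENCE,
            "sub": "repo:contoso/platform-iac:ref:refs/heads/main"}
FEATURE_RUN = {"iss": GITHUB_ISSUER, "aud": ENTRA_AUDIENCE,
               "sub": "repo:contoso/platform-iac:ref:refs/heads/feature/x"}

if __name__ == "__main__":
    print(json.dumps(CRED, indent=2))
    print("main branch run accepted:", token_matches(MAIN_RUN, CRED))
    print("feature branch run accepted:", token_matches(FEATURE_RUN, CRED))
```

On the workflow side the job needs `permissions: id-token: write`, and `azure/login` is given only `client-id`, `tenant-id` and `subscription-id`. The emitted document is what `az ad app federated-credential create` takes via `--parameters`.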
Further reading on Microsoft Entra:
- Microsoft Entra Identity Platform Blog - Microsoft Dev blogs focused on Microsoft Entra.
- OpenID Connect Overview - Overview of OpenID Connect
- Configure OpenID Connect & GitHub - Microsoft learn article on configuring OpenID Connect for GitHub Actions.
Microsoft Defender for Cloud
Microsoft Defender for Cloud is a comprehensive security management and threat protection service that enhances platform engineering by providing robust security measures and practices.
- Enhanced Security Posture: Defender for Cloud continuously monitors workloads, providing real-time visibility into their security posture. This helps identify and resolve potential vulnerabilities, ensuring a strong security foundation.
- DevSecOps Integration: Integrates with popular DevOps tools, including Azure DevOps, GitHub and GitLab, and enables security practices to be incorporated early in the software development lifecycle. This ensures that security is built into the development process, reducing the risk of vulnerabilities in production.
- Centralised Policy Management: Enables definition and enforcement of security policies across environments, ensuring consistent security standards and compliance with regulatory requirements.
- Comprehensive Coverage: Defender for Cloud provides protection for a wide range of resources, including servers, containers, storage, databases, and more. This ensures that all aspects of the platform are covered.
- Automated Compliance: Maintain compliance with industry standards by providing comprehensive reporting and enforcing security policies across cloud and on-premises workloads.
- Security Recommendations: Provides actionable security recommendations and best practices to secure workloads before and after they are deployed.
- Continuous Monitoring: Offers continuous security monitoring and real-time alerts to quickly detect and respond to potential threats.
- Integration with SIEM and SOAR: Integrates with Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) systems to enhance threat detection and response capabilities.
Further reading on Microsoft Defender for Cloud:
- Defender for Cloud Overview - Defender for Cloud Overview.
- Defender for Cloud DevOps Security Overview - Defender for Cloud DevOps Security Overview.
- Code to Cloud using Defender for DevOps - YouTube video on Defender for DevOps.
Azure Policy
Azure Policy is a governance tool in Microsoft Azure that allows creation, assignment, and management of policies to enforce rules and ensure compliance across resources. It helps define policies to control resource properties, such as requiring specific tags or restricting deployment locations. These policies are continuously evaluated, and a compliance dashboard provides insights into the state of resources, helping to identify and remediate non-compliant items. Azure Policy includes a variety of built-in policies, and you can also create custom ones to meet specific needs.
Further reading on Azure Policy:
- Azure Policy Documentation - Azure Policy documentation landing page.
- Awesome Azure Policy - One stop place for all things Azure Policy.
Policy as Code
Policy as Code (PaC) is a practice where policies are defined, managed, and enforced using code. This approach allows policies to be version-controlled, tested, and automated, similar to how software code is handled. By representing policies as code, organisations can ensure consistency, repeatability, and transparency in policy enforcement.
Policy as Code helps with Platform Engineering by providing:
- Automation: Policies are automatically enforced and validated, reducing manual intervention and errors.
- Source Control: Policies live in source control, allowing for tracking changes, reviewing history, and collaborating through pull requests.
- Testing: Policies are tested using automated frameworks to ensure they work as intended before deployment.
- Consistency: Ensures that policies are deployed uniformly across environments, reducing the risk of configuration drift.
To summarise, the approach to Policy as Code can be defined as follows:
[Image: Azure Platform Engineering Advent Calendar 2024]
Later in the month we will put this into practice in a two-part series on Enterprise Policy as Code, an open-source solution that provides a framework for managing Azure Policy.
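The Testing bullet above says policies are checked before deployment, and the Azure Policy section gives restricting locations and requiring tags as typical rules. As an added example, not code from this page or from Enterprise Policy as Code, here is a small evaluator for the `policyRule` language that runs two constructed rules of that kind against constructed resources; the condition names and effects follow Azure Policy's definition schema, while the resource shapes are assumed.

```python
# Minimal evaluator for the "if"/"then" block of an Azure Policy definition, enough to
# unit-test a rule against sample resources before it is assigned. Supports the
# allOf / anyOf / not combinators and field conditions equals, notEquals, in, notIn, exists.

def _field(resource, name):
    """Resolve a policy 'field' name against a resource; tags['x'] reaches into tags."""
    if name.startswith("tags['") and name.endswith("']"):
        return resource.get("tags", {}).get(name[6:-2])
    return resource.get(name)

def evaluate(condition, resource):
    """True when the condition matches the resource, i.e. the 'if' block fires."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = _field(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    if "in" in condition:
        return value in condition["in"]
    if "notIn" in condition:
        return value not in condition["notIn"]
    if "exists" in condition:
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {condition}")

def effect_for(policy_rule, resource):
    """Effect the rule would apply to the resource, or 'none' when it does not match."""
    return policy_rule["then"]["effect"] if evaluate(policy_rule["if"], resource) else "none"

# Constructed rules in the shape of a definition's policyRule property.
ALLOWED_LOCATIONS = {"if": {"field": "location", "notIn": ["australiaeast", "australiasoutheast"]},
                     "then": {"effect": "deny"}}
REQUIRE_OWNER_TAG = {"if": {"allOf": [{"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                                      {"field": "tags['owner']", "exists": "false"}]},
                     "then": {"effect": "deny"}}

# Constructed resources as the policy engine would see them.
COMPLIANT = {"type": "Microsoft.Storage/storageAccounts", "location": "australiaeast",
             "tags": {"owner": "platform-team"}}
NON_COMPLIANT = {"type": "Microsoft.Storage/storageAccounts", "location": "westus", "tags": {}}
```

A pipeline step that loads each definition's `policyRule` and asserts `effect_for` over a fixture set catches a mistyped location or a wrong `exists` value before the assignment reaches a subscription.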
GitHub Advanced Security
GitHub Advanced Security (GHAS) is a suite of security features designed to help improve and maintain the security of code. Key features of GHAS include:
- Code Scanning: Uses CodeQL and other tools to identify potential security vulnerabilities and coding errors in code.
- Secret Scanning: Detects secrets, such as API keys and tokens, that may have been accidentally committed to a repository.
- Dependency Review: Provides insights into the impact of changes to dependencies, highlighting any vulnerable versions before merging pull requests.
- Security Overview: Offers a comprehensive view of the security posture across all repositories.
By integrating these advanced security features, platform engineering teams can build more secure, compliant, and resilient platforms, ultimately accelerating the delivery of high-quality software.
Further reading on GitHub Advanced Security:
- GitHub Advanced Security Overview - GitHub Advanced Security Overview.
- GitHub Advanced Security for Azure DevOps - GitHub Advanced Security for Azure DevOps.
- Introduction to GitHub Advanced Security - YouTube video on GitHub Advanced Security.
Observability & Insights
Observability is crucial for platform engineering as it provides real-time insights into system behavior, helping teams proactively identify and address issues before they impact users.
Managed Grafana
Azure Managed Grafana is a fully managed service that enables Grafana natively within the Azure cloud platform. Grafana is a popular open-source tool for data visualisation and monitoring, and Azure Managed Grafana enhances its capabilities by integrating seamlessly with Azure services.
Key Features of Azure Managed Grafana:
- Data Visualisation: Provides rich data visualisation capabilities, allowing creation and sharing of interactive dashboards that combine metrics, logs, and traces from various data sources.
- Integration with Azure Services: Azure Managed Grafana is optimised for Azure, offering built-in support for Azure Monitor, Azure Data Explorer, and other Azure services. This makes it easier to visualise and analyse telemetry data from Azure environments.
- High Availability and Security: As a managed service, it ensures high availability, SLA guarantees, and automatic software updates. It also integrates with Microsoft Entra ID for secure user authentication and access controls.
- Ease of Use: You can quickly deploy Grafana dashboards with pre-built templates and import existing charts directly from the Azure portal. This simplifies the setup process and enables monitoring of applications and infrastructure immediately.
Further reading on Azure Managed Grafana:
Azure Monitor
Azure Monitor is a robust cloud-native monitoring solution designed to collect, analyse, and respond to data from both cloud and on-premises environments. It enhances the availability and performance of applications and services by providing insights into their performance and enabling both manual and automated responses to system events.
By aggregating data from every layer and component of systems, across multiple Azure and non-Azure subscriptions and tenants, Azure Monitor stores this information in a unified data platform. This platform supports a variety of tools for correlating, analysing, visualising, and responding to the data. Additionally, Azure Monitor integrates seamlessly with other Microsoft and third-party tools, offering a flexible and comprehensive monitoring solution.
Some key Azure Monitor features include:
- Data Collection: Azure Monitor collects data from various sources, including Azure resources, on-premises environments, and other clouds. It gathers metrics, logs, and traces to provide a holistic view of an application or solution.
- Real-time Monitoring: It offers real-time monitoring capabilities, allowing the performance and health of applications and infrastructure to be tracked.
- Advanced Analytics: Azure Monitor uses Log Analytics and Application Insights to analyse data. This helps in diagnosing problems, understanding user behavior, and improving application performance.
- Alerts and Automation: Set up alerts that notify on critical issues and automate responses to common problems. This ensures that issues are addressed promptly.
- Visualisation: Azure Monitor provides various visualisation tools, including dashboards and workbooks, to help understand data better. You can create custom visualisations to meet specific needs.
- Integration: It integrates seamlessly with other Azure services and third-party tools, allowing its capabilities to be extended and incorporated into existing workflows.
Conclusion
With a clearer understanding of the products and toolsets in the Microsoft ecosystem, next week we will delve deeper and select one capability from each pillar to implement within our environment.