Insight Tech APAC Blog Logo

Subscription Vending, Azure Landing Zones and Platform Engineering - Part 2

stephentulp
December 13, 2024

10 minutes to read

Azure Platform Engineering Advent Calendar 2024


Yesterday we covered the concepts of Azure Subscription Vending and how Platform Engineering teams provide the automation and assets to enable the creation of Application Landing Zones for consumers (generally application development teams).

Today we will look at two (2) examples of Subscription Vending. Each of these examples achieves the same outcome, which is a deployment of a curated, secure and governed Application Landing Zone. The differences are around post-deployment and day 2 activities, which I will explain in each of the sections.

The links below have the templates and IaC that you can use to deploy these solutions.

  1. Azure Subscription Vending using a pattern module from Azure Verified Modules (AVM)
  2. Azure Subscription Vending using a custom deployment

Pre-requisite

A pre-requisite for Subscription Vending is to programmatically create the Azure Subscription (there is logic that lets you pass an existing subscription Id and run only the Landing Zone part of the deployment). There are some constraints on which agreements support programmatic subscription creation; these include:

The requirements and details to create subscriptions differ for different agreements and API versions; each of these is covered in the links above.

This is a one-time activity and can be a little fiddly the first time; understanding the different concepts and properties is key to getting the permissions right. Once you have this correct and working, the creation process becomes much easier. I don't have access to these types of agreements, so we will focus on the Landing Zones piece.

Azure Verified Module Subscription Vending

On Day 6 & 7 I talked about the Azure Verified Modules project and how these curated IaC modules will help with standardising and enforcing consistent deployments in Azure. Most of the focus was around the individual Resource Modules that align with the resource providers in Azure. The other benefit of AVM is being able to consume Pattern Modules that stamp out a complete solution, like Subscription Vending.

The AVM Subscription Vending Pattern Module originally started out as a separate repo managed by Jack Tracey and the Microsoft Customer Architecture & Engineering (CAE) team. With AVM gaining traction this was one of the first pattern modules published to the Bicep Public Registry.

Navigating to the repo now presents the following on the main README page, which explains what happened and why the repo was archived.


Deploying the AVM Sub Vending Pattern Module

Breaking down the deployment, there are two (2) files involved:

  1. bicepparam parameter file
  2. PowerShell script to invoke the deployment

Parameter File

The parameter file consumes the Pattern Module from the Bicep Public Registry; depending on what you are looking to achieve, you can add, remove or change the parameters as needed (more details in the module consumption section).

using 'br/public:avm/ptn/lz/sub-vending:0.2.4'

var envPrefix = 'sbx'
var lzPrefix = 'sap'
var locPrefix = 'syd'
var argPrefix = 'arg'
var virtualNetworkPrefix = 'vnt'

param subscriptionAliasEnabled = false
param existingSubscriptionId = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' //Update Subscription ID
param resourceProviders = {}
param roleAssignmentEnabled = true
param roleAssignments = [
  {
    definition: '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635' //owner GUID
    principalId: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' // Update Principal ID
    relativeScope: '/' // Subscription Scope
  }
]
param subscriptionTags = {
    environment: envPrefix
    applicationName: 'SAP Landing Zone'
    owner: 'Platform Team'
    criticality: 'Tier2'
    costCenter: '1234'
    contactEmail: 'test@test.com'
    dataClassification: 'Internal'
    iac: 'Bicep'
}
param hubNetworkResourceId = '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/arg-syd-plat-conn-network/providers/Microsoft.Network/virtualNetworks/vnt-syd-plat-conn-10.52.0.0_24' //Update Hub Network Resource ID
param virtualNetworkEnabled = true
param virtualNetworkAddressSpace = [
  '10.52.1.0/24'
]
param virtualNetworkName = '${virtualNetworkPrefix}-${locPrefix}-${lzPrefix}-${envPrefix}-10.52.1.0_24'
param virtualNetworkPeeringEnabled = true
param virtualNetworkResourceGroupName = '${argPrefix}-${locPrefix}-${lzPrefix}-${envPrefix}-network'
param virtualNetworkUseRemoteGateways = false

PowerShell script

This is straightforward; note that the module is pulled from the MCR via the using statement in the bicepparam file, so the TemplateFile parameter is not needed.

New-AzManagementGroupDeployment `
    -ManagementGroupId 'mg-alz1' `
    -Location 'australiaeast' `
    -TemplateParameterFile 'lz.bicepparam' `
    -Verbose

AVM Sub Vending End Results

So the end result would be an Application Landing Zone that includes:

  • Creation of the Azure Subscription
  • Placement of the Azure Subscription into the appropriate Management Group
  • Deployment of a Resource Group for network services
  • Deployment of a Virtual Network, with optional connectivity to:
    • Hub & Spoke via virtual network peering
    • Virtual WAN via vWAN connection
  • Link to existing DDoS Network Protection Plan if configured
  • Azure Role assignment permissions
  • Resource Tags
  • Resource providers and resource providers features registration

Services and resources assigned outside (above) the subscription, including Azure RBAC permissions and Azure Policies at Management Group scope, will be inherited by the Subscription.

AVM Sub Vending VS Code Deployment Output

AVM Sub Vending Azure Portal Deployment Output

AVM Sub Vending Resource Groups Output

The Landing Zone can be handed over to the consumer to start building out their solution and services in the Landing Zone. The virtual network has no defined subnets, so the address space will need to be carved up to accommodate the workloads.

AVM Module Consumption

The README for each AVM module has the following sections that help you understand how the module can be consumed.

  • Resource Types: All the Resource providers and their API version
  • Usage Examples: For the Subscription Vending there are options for Only Defaults, Hub and Spoke, vWAN Topology
  • Parameters: Outlines all parameters that are available in the module, including if they’re required or optional, the type (String, Array, Boolean, Int, Object) and any default values.
  • Outputs: Values exposed by the module for consumption by other modules
  • Cross-Referenced Modules: Other modules referenced in the pattern module

These are all available from the AVM Subscription Vending README.

Azure Subscription Vending using a custom deployment

This Subscription Vending deployment aligns with the above and extends that solution. This custom deployment is a fork of the original Subscription Vending repo and includes the following additions.

  • Azure Budgets
  • Action Group
  • Microsoft Entra Privileged Identity Management Role Assignments
  • Common Resource Groups
  • Subnets array with associated Network Security Groups and Route Tables per subnet

As there is custom logic and deployments happening here, the modules and IaC templates are all hosted locally in the repo. The structure of the repo is outlined below.

  • Configuration: The bicepparam file, shared configuration and shared User Defined Data Types
  • Modules: custom modules in sub folders, these deploy within the main orchestration template
  • Orchestration: The Main.bicep orchestration template file, used for the deployment
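As an added example of the kind of custom module kept under Modules (this is not the repo's own code), the following Bicep deploys a subscription-scoped budget with an Actual and a Forecasted threshold, each wired to the Landing Zone action group whose resource id is passed in from the orchestration. The resource names, the thresholds, the sample contact list and the single-budget layout are assumptions.

```bicep
// Added example, not the repository's own module: a subscription-scoped budget
// with an Actual and a Forecasted threshold, each notifying an existing action
// group. Resource names, thresholds and the sample contact list are assumptions.
targetScope = 'subscription'

@description('Landing zone prefix used in resource names (assumed naming convention)')
param lzPrefix string

@description('Resource id of the landing zone action group created elsewhere in the orchestration')
param actionGroupResourceId string

@description('Monthly budget amount in the billing currency')
param budgetAmount int

@description('Constructed sample contact list; override at deployment time')
param contactEmails array = [
  'platform-team@example.com'
]

// utcNow() is only allowed in a parameter default; budgets must start on the first day of a month
param budgetStartDate string = '${utcNow('yyyy-MM')}-01'

// Settings shared by both notifications
var notificationCommon = {
  enabled: true
  operator: 'GreaterThanOrEqualTo'
  contactGroups: [
    actionGroupResourceId
  ]
  contactEmails: contactEmails
}

resource budget 'Microsoft.Consumption/budgets@2023-05-01' = {
  name: 'bdg-${lzPrefix}-monthly'
  properties: {
    category: 'Cost'
    amount: budgetAmount
    timeGrain: 'Monthly'
    timePeriod: {
      startDate: budgetStartDate
    }
    notifications: {
      // Fires once real spend in the period reaches 80% of the amount
      Actual80Percent: union(notificationCommon, {
        threshold: 80
        thresholdType: 'Actual'
      })
      // Fires when the forecast for the period reaches 100% of the amount
      Forecasted100Percent: union(notificationCommon, {
        threshold: 100
        thresholdType: 'Forecasted'
      })
    }
  }
}

output budgetName string = budget.name
```

The module is called from the subscription-scoped orchestration template with the action group's resource id as an input; the Forecasted notification gives the Platform Team an early warning before the Actual threshold is crossed.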

Deploying the Custom Sub Vending Solution

The main difference to the AVM Pattern Module is the subnet logic. This approach focuses on the centralised Platform Team controlling the networking, with the consumers having permissions to deploy into the virtual network but not to make changes to the networking resources.
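To illustrate the subnet logic described above, here is an added Bicep module (not the repo's own code) that takes a subnets array and, for every entry, deploys a dedicated Network Security Group and Route Table before attaching them to the subnet inside the virtual network. The resource names, the baseline inbound NSG rule and the optional default route towards a hub next hop are assumptions.

```bicep
// Added example, not the repository's own module: a virtual network whose
// subnets each get their own NSG (with a common rule set) and route table.
// Names, the baseline rule and the default-route handling are assumptions.
targetScope = 'resourceGroup'

@description('Subnet definitions: one NSG and one route table are created per entry')
type subnetDefinitionType = {
  name: string
  addressPrefix: string
}

param location string = resourceGroup().location
param virtualNetworkName string
param addressPrefixes array
param subnets subnetDefinitionType[]

@description('Optional next hop IP (for example a hub firewall) for a 0.0.0.0/0 route; empty string disables the route')
param defaultRouteNextHopIp string = ''

param tags object = {}

// Common inbound rules applied to every subnet NSG (assumed baseline); the
// platform team owns this list, consumers cannot change it
var commonSecurityRules = [
  {
    name: 'DenyInboundFromInternet'
    properties: {
      priority: 4000
      direction: 'Inbound'
      access: 'Deny'
      protocol: '*'
      sourceAddressPrefix: 'Internet'
      sourcePortRange: '*'
      destinationAddressPrefix: '*'
      destinationPortRange: '*'
    }
  }
]

resource nsgs 'Microsoft.Network/networkSecurityGroups@2023-11-01' = [for subnet in subnets: {
  name: 'nsg-${subnet.name}'
  location: location
  tags: tags
  properties: {
    securityRules: commonSecurityRules
  }
}]

resource routeTables 'Microsoft.Network/routeTables@2023-11-01' = [for subnet in subnets: {
  name: 'rt-${subnet.name}'
  location: location
  tags: tags
  properties: {
    // Stop learned routes from bypassing the hub when a default route is forced
    disableBgpRoutePropagation: !empty(defaultRouteNextHopIp)
    routes: empty(defaultRouteNextHopIp) ? [] : [
      {
        name: 'default-to-hub'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: defaultRouteNextHopIp
        }
      }
    ]
  }
}]

resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
  name: virtualNetworkName
  location: location
  tags: tags
  properties: {
    addressSpace: {
      addressPrefixes: addressPrefixes
    }
    // Subnets are declared inline so a single deployment owns the whole layout;
    // indexing the NSG and route table collections creates the dependencies
    subnets: [for (subnet, i) in subnets: {
      name: subnet.name
      properties: {
        addressPrefix: subnet.addressPrefix
        networkSecurityGroup: {
          id: nsgs[i].id
        }
        routeTable: {
          id: routeTables[i].id
        }
      }
    }]
  }
}

output subnetResourceIds array = [for subnet in subnets: resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, subnet.name)]
```

Because the subnets are declared inline on the virtual network, re-running the deployment re-asserts the full subnet layout, which is what lets the Platform Team remain the owner of the networking while consumers deploy workloads into the subnets that are handed to them.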

Custom Deployment End Results

So the end result would be an Application Landing Zone that includes:

  • Creation of the Azure Subscription
  • Placement of the Azure Subscription into the appropriate Management Group
  • Deployment of common Resource Groups for AlertsRG, NetworkWatcherRG
  • Action Group for the Landing Zone with an array of email addresses
  • Azure Budgets for both Forecasted and Actual spend
  • Deployment of a Resource Group for network services
  • Deployment of a Virtual Network, with optional connectivity to:
    • Hub & Spoke via virtual network peering
    • Virtual WAN via vWAN connection
  • Subnets array with associated NSGs and UDRs per subnet with common NSG Rules
  • Link to existing DDoS Network Protection Plan if configured
  • An array of Azure Role assignment permissions
  • An array of Microsoft Entra Privileged Identity Management Role Assignments
  • Resource Tags
  • Resource providers and resource providers features registration

Services and resources assigned outside (above) the subscription, including Azure RBAC permissions and Azure Policies at Management Group scope, will be inherited by the Subscription.

Custom Sub Vending Azure Portal Deployment Output

Custom Sub Vending Resource Groups Output

Custom Sub Vending Virtual Network Output

Conclusion

There are many approaches to Subscription Vending that can stamp out Application Landing Zones for workload teams. If you want to understand the solution in more detail, please take a look at some of the official open source repos below that provide the IaC and workflows for either Bicep or Terraform.