Azure Enterprise Governance

🎯 Interactive Decision Guide:

Use references/naming-decision-guide.md for step-by-step guidance:

• Decision flowchart - Visual guide for choosing naming patterns
• Questionnaire - Answer questions to determine your needs
• Template library - Ready-to-use naming templates for common scenarios:
  • Lab/Experimental environments (for learning and POC)
  • Single application deployment (simple architectures)
  • Microservices architecture (distributed systems)
  • Multi-tenant SaaS (platform services)
• Interactive naming generator - Auto-generate naming schemes

📚 Detailed Reference:

See references/naming-conventions.md for:

• Microsoft-recommended naming format
• Resource type abbreviations from official CAF documentation
• Naming constraints and restrictions per resource type
• Multi-environment naming strategies
• Hierarchical resource organization patterns

Usage Pattern:

1. Start with decision guide: Run python scripts/generate_naming.py for interactive help
2. Review your organization structure (org, department, project)
3. Select naming template based on scenario (lab, app, microservices, multi-tenant)
4. Define abbreviations for resource types and environments
5. Validate naming scheme: python scripts/validate_naming.py --resource-group <name>
6. Apply naming scheme consistently across all resources

2. Security & Compliance Framework

Implement security controls across Azure infrastructure using:

• Zero Trust Architecture: Assume breach, verify everything
• NIST Cybersecurity Framework: Security standards and controls
• Azure Well-Architected Framework: Security pillar best practices
• Managed Identity: Eliminate shared credentials and key management

Reference references/security-best-practices.md for:

• Identity and access management (IAM) patterns
• Network security and isolation strategies
• Data protection and encryption requirements
• Compliance frameworks (NIST, SOC 2, PCI-DSS, HIPAA)
• Security assessment checklist
• Common security misconfigurations and fixes

Key Security Principles:

• Never use secrets in code (use Key Vault + Managed Identity)
• Implement defense in depth (network, application, data layers)
• Enable monitoring and alerting on all resources
• Enforce role-based access control (RBAC)
• Require multi-factor authentication (MFA)
• Use private endpoints for sensitive services
• Encrypt data in transit and at rest
• Regular security assessments and penetration testing

3. Automated Validation & Compliance Checking

Validate resource naming and security configurations using Python scripts in scripts/:

validate_naming.py

• Check resource names against CAF standards
• Verify naming constraints (length, characters, uniqueness)
• Detect naming pattern violations
• Generate compliance reports
• Usage: python scripts/validate_naming.py --resource-group mygroup --check-all

security_audit.py

• Audit Azure resources for security misconfigurations
• Check for managed identity usage
• Verify encryption settings (data, transport)
• Validate network isolation (NSGs, private endpoints)
• Identify overly permissive RBAC assignments
• Generate security assessment report
• Usage: python scripts/security_audit.py --resource-group mygroup --severity high

compliance_checker.py

• Verify compliance with organizational policies
• Check naming convention compliance
• Validate security controls alignment
• Generate audit trail for compliance documentation
• Support multiple compliance frameworks (NIST, SOC2, etc.)
• Usage: python scripts/compliance_checker.py --framework nist --resource-group mygroup

4. Organization Hierarchy & Governance

Structure Azure resources using hierarchies that support:

• Multi-tenant organizations: Separate by customer/tenant
• Environment management: dev, test, stg, prod isolation
• Cost allocation: Easy chargeback and cost center mapping
• Access control: Align resource hierarchy with RBAC
• Disaster recovery: Regional isolation and failover strategy

Hierarchy Template:

Subscription (billing boundary)
├── Resource Group: rg-{org}-{workload}-{env}
│   ├── Compute: asp-{org}-{workload}-{env}
│   ├── Storage: st{org}{env}001
│   ├── Database: sqldb-{org}-{workload}-{env}
│   └── Security: kv-{org}-{env}
├── Resource Group: rg-{org}-{workload}-{env}
└── Resource Group: rg-{org}-platform-{env}

Best Practices Checklist

Before Deployment

• Naming Validated: Run validate_naming.py against all resource names
• Security Review: Complete security-best-practices.md checklist
• RBAC Configured: Use managed identities, no shared credentials
• Encryption Enabled: Data at rest and in transit encrypted
• Monitoring Setup: Application Insights, Log Analytics configured
• Network Isolation: Private endpoints for sensitive services
• Compliance Check: Run compliance_checker.py for your framework
• Documentation: Resource hierarchy and naming documented
• Access Control: Principle of least privilege applied
• Backup Strategy: Automated backups configured and tested

Post-Deployment

• Audit Baseline: Run security_audit.py to establish baseline
• Monitoring Active: Alerts configured for security events
• Regular Reviews: Monthly compliance and security reviews
• Access Reviews: Quarterly RBAC access reviews
• Threat Analysis: Regular threat modeling and updates
• Incident Response: Runbooks documented and tested
• Disaster Recovery: DR procedures documented and practiced

Common Use Cases

Scenario 1: Migrate 100+ Resources to Compliant Naming

# Validate current resources
python scripts/validate_naming.py --resource-group oldgroup --check-all

# Identify violations
python scripts/validate_naming.py --resource-group oldgroup --report violations.json

# Create migration plan with new compliant names
# Use references/naming-conventions.md to determine new names

Scenario 2: Implement Zero Trust Security

1. Review references/security-best-practices.md section on Zero Trust
2. Audit current state: python scripts/security_audit.py --resource-group mygroup
3. Identify gaps compared to Zero Trust checklist
4. Implement controls: Managed Identity, Private Endpoints, NSGs
5. Re-audit and validate: python scripts/security_audit.py --resource-group mygroup

Scenario 3: Prepare for SOC 2 / HIPAA Compliance

1. Select compliance framework: python scripts/compliance_checker.py --framework soc2
2. Review required controls in references/security-best-practices.md
3. Generate gap analysis report
4. Implement required security controls
5. Document compliance evidence and controls
6. Schedule regular audits: python scripts/compliance_checker.py --framework soc2 --schedule monthly

Scenario 4: Design Multi-Tenant Naming Strategy

1. Review references/naming-conventions.md section on multi-tenant patterns
2. Define tenant/customer identifier (e.g., tenant ID, subdomain)
3. Create resource group naming pattern: rg-{tenant}-{workload}-{env}
4. Map resources to resource groups by tenant
5. Enforce access isolation using RBAC and subscriptions per tenant

Related Skills

• azure-expert: Comprehensive Azure service architecture and deployment
• skill-creator: Create and manage AI skills in VS Code

Additional Resources

• Microsoft Cloud Adoption Framework - Naming
• Microsoft Cloud Adoption Framework - Naming Abbreviations
• Azure Well-Architected Framework - Security Pillar
• Azure Security Best Practices
• NIST Cybersecurity Framework
• Zero Trust Principles - Microsoft