
Do More In Azure with cloudtamer.io


Microsoft Azure is a great choice for companies big and small who are looking to get into the cloud. Whether you’re excited by the offerings that this platform gives you or you're looking for cost savings over operating on-prem infrastructure, there’s a lot to love in Azure. However, operating in the cloud isn’t always easy and there are certainly challenges and limitations with any platform. I've helped build out the cloudtamer.io support for Azure over the past year. In this post, I'll share how cloudtamer.io helps you manage Azure roles, Policies, and resource deployment through ARM templates without breaking a sweat.

cloudtamer.io is Easy

cloudtamer.io helps you wrangle your cloud resources, keep them in compliance with any regulations you may need to abide by, and enable anyone in your organization to get the access they need with a few clicks. In cloudtamer.io, we align your cloud to how you do business. Our organization unit (OU) structure allows you to organize your cloud landscape down to the project level, where your subscriptions and resource groups live. We don't have a limit on how many nested OUs you can have, which helps you overcome the 6-level-deep limitation of management groups in Azure.

animated gif of drilling down in the cloudtamer org chart

Would you like to add a few resource groups and a separate subscription to a project in cloudtamer.io? We've got that covered. cloudtamer.io can apply predefined sets of Azure roles and Policies at a granular level. Whenever you add new members to a team, just add them to a group that's assigned to a project and they'll be granted the same permissions through the Azure roles you’ve already assigned to the project. The same is true if you add other subscriptions or resource groups to the project: they’ll automatically have appropriate permissions and controls applied to them using the Azure tools you already know and love. Then, when a user wants to access the resources they need, they can hop into their subscription or resource group from cloudtamer.io directly:

federation from cloudtamer into Azure

When moving a subscription into a project, cloudtamer.io automatically provisions any ARM templates specified on that project via cloud rules, making environment setup a breeze.

cloudtamer.io is Multi-Cloud and Multi-Tenant

cloudtamer.io does all of this across multiple Azure tenants and multiple clouds. Want to see your spend and governance posture across two different subscriptions in two Azure tenants? You got it. How about adding a resource group in Azure and an account in AWS to the same project? That works too. cloudtamer.io even makes accessing subscriptions in Azure and Azure for Government (MAG) super easy: just click the subscription or resource group you want to log into and you’re good to go.

cloudtamer federating into multiple Azure sub

We currently support Azure with both CSP and EA subscriptions and MAG with EA subscriptions. Support for CSP subscriptions in MAG is coming soon.

If you have multiple Azure tenants and are used to seeing this screen, this should be a breath of fresh air:

Microsoft Azure pick an account screen

Because cloudtamer.io is multi-cloud, you can set up cloud rules for an entire OU (such as a specific business unit or a team) or a project (i.e., the resources for a single product) which apply the same permissions and restrictions across both your AWS and Azure clouds. Cloud rules can contain both Azure role definitions and Policies, as well as equivalent AWS IAM Policies, allowing you to grant all members of your organization the same access regardless of what Azure tenant they’re using, whether the subscriptions are in Azure or MAG, or even if you want to grant them access to AWS or AWS GovCloud accounts. Just set up your cloud rules and let cloudtamer.io take care of the rest. This works for provisioning too: you can define equivalent ARM templates and AWS CloudFormation templates and cloudtamer.io will provision your cloud, regardless of which one it is.

cloudtamer.io is Powerful

cloudtamer.io provides two powerful capabilities to proactively govern your cloud presence: the ability to deny certain permissions in your Azure role definitions and more powerful enforcements based on your cloud spend across all of your clouds.

In Azure, you have the ability to grant people roles in order to access resources on their subscriptions. However, there is presently no way to say “no one is allowed to perform X action on this subscription” through Azure roles. Additionally, roles are only additive by default. So, if someone gives you a limited-access role that only allows you to read data from virtual machines (VMs) and then you gain an Owner role on a subscription, the Owner role will override the limited-access role and allow you to do whatever you want with the VMs in a subscription. This is no longer the case with cloudtamer.io, as it performs role permission merging to allow you to say “everyone in this organizational unit is not allowed to perform X”, so even if they grant themselves the Owner role through cloudtamer.io they will not be allowed to perform the actions that you denied at a higher level.

For example, if you want to enforce read-only access on VMs for an entire OU, you might add an Azure Role on a cloud rule up at the top of your OU structure that looks like this:

{
    "actions": [
    ],
    "notActions": [
        "Microsoft.Compute/*/write"
    ]
}

Then, if someone gives themselves the Owner role on a project, the two role definitions' permissions are merged and end up looking like this, allowing them to do everything an Owner can EXCEPT perform write operations on VM resources:

{
    "actions": [
        "*"
    ],
    "notActions": [
        "Microsoft.Compute/*/write"
    ]
}

Governance is preserved! Within cloudtamer.io, if a project needs the ability to perform write operations on VMs, they can request an exemption from the cloud rule so they can get done what they need to get done.
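To make the merge described above concrete, here is an added illustrative model of it in Python (not cloudtamer.io's own code): role definitions are walked from the top of the OU structure down to the project, their actions and notActions are unioned, and an action is permitted only if it matches some actions pattern and no notActions pattern. The wildcard semantics (a single "*" matching any run of characters, case-insensitively) and the two sample role definitions are assumptions modelled on the JSON in this post.

```python
import re


def _matches(pattern: str, action: str) -> bool:
    """Azure-style wildcard match: '*' matches any run of characters
    (including '/'), comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def merge_roles(roles: list[dict]) -> dict:
    """Union the actions and notActions of every role in the OU chain.

    Roles are ordered from the top-level OU down to the project, so a
    notActions entry set high in the tree survives any role granted below it.
    """
    merged = {"actions": [], "notActions": []}
    for role in roles:
        for key in ("actions", "notActions"):
            for entry in role.get(key, []):
                if entry not in merged[key]:
                    merged[key].append(entry)
    return merged


def is_allowed(role: dict, action: str) -> bool:
    """Permitted only if some actions pattern matches and no notActions pattern does."""
    if any(_matches(p, action) for p in role.get("notActions", [])):
        return False
    return any(_matches(p, action) for p in role.get("actions", []))


# Constructed sample roles, modelled on the JSON shown in the post.
OU_READ_ONLY_VMS = {"actions": [], "notActions": ["Microsoft.Compute/*/write"]}
PROJECT_OWNER = {"actions": ["*"], "notActions": []}


def effective_role() -> dict:
    # Top-level OU rule first, project-level Owner grant last.
    return merge_roles([OU_READ_ONLY_VMS, PROJECT_OWNER])


if __name__ == "__main__":
    vm_write = "Microsoft.Compute/virtualMachines/write"
    print("Owner alone allows VM write:", is_allowed(PROJECT_OWNER, vm_write))
    print("Merged role allows VM write:", is_allowed(effective_role(), vm_write))
```

Note that in Azure itself a role's notActions only subtracts from that same role's actions, which is exactly why an Owner grant on its own would reintroduce the VM write permission unless the definitions are merged.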

cloudtamer.io also allows you to perform powerful enforcements similarly to how you can with Azure budgets. But with cloudtamer.io, you can perform enforcements based on the spend coming out of two Azure tenants, a mix of resource groups and subscriptions, or even aggregate spend across your cloud just by importing their subscriptions or resource groups into cloudtamer.io. Like Azure budgets, cloudtamer.io supports notifying people and triggering webhooks when certain thresholds of your budget are exceeded, but cloudtamer.io helps make it easier to add your own logic to perform governance on your resources at any level! You can make enforcements trigger the application of cloud rules and everything contained inside -- meaning you could have a couple of Azure Policies apply when your spend gets too high to prevent the creation of more expensive VMs, or revoke some permissions from Azure roles to limit how much more spend can be accrued. This works across tenants and clouds as well!

cloudtamer.io and Azure are definitely better together! To learn more about any of these features and capabilities, contact our team.


Evan is a full stack engineer at cloudtamer.io.