\n\n\n\n
[en-us] Beyond The Cloud \u2013 Spin-Off | Chapter 06: Cloud Governance in Azure<\/h2>\n\n\n\n
Hey, what’s up folks!? \ud83c\udf39\u2764\ufe0f\ud83d\ude80<\/p>\n\n\n\n
Welcome to Chapter 06 of the Beyond The Cloud \u2013 Spin-Off series. It’s time to talk about something that makes many cloud engineers roll their eyes but secretly saves their jobs every day: Azure Governance.<\/p>\n\n\n\n
We’re diving into Management Groups, Tags, Resource Locks, Azure Policy, and Blueprints. If you think this is boring admin stuff, wait until someone accidentally deletes your production environment because you skipped this chapter. \ud83d\ude09<\/p>\n\n\n\n
\n\n\n\n
\ud83c\udfd7\ufe0f Azure Management Groups: Organizing Your Empire<\/h2>\n\n\n\n
Let’s start with a truth: as your cloud grows, so does the chaos. Management Groups are your hierarchical salvation.<\/p>\n\n\n\n
Think of it as a family tree for your Azure resources:<\/p>\n\n\n\n
Root Management Group\n\u2502\n\u251c\u2500\u2500 Marketing Group\n\u2502 \u251c\u2500\u2500 Social Media Sub\n\u2502 \u2514\u2500\u2500 Content Creation Sub\n\u2502\n\u2514\u2500\u2500 IT Group\n \u251c\u2500\u2500 Development Sub\n \u2514\u2500\u2500 Production Sub<\/code><\/pre>\n\n\n\nThese groups allow you to:<\/p>\n\n\n\n
\n- Apply policies at scale<\/li>\n\n\n\n
- Delegate access without losing sleep<\/li>\n\n\n\n
- Organize subscriptions logically<\/li>\n\n\n\n
- Inherit settings downward (the beauty of hierarchy)<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-30-133919-1024x575.png\")
<\/figure>\n\n\n\nThe structure supports up to 6 levels deep (excluding root), giving you flexibility for even the most complex organizations.<\/p>\n\n\n\n
Pro Tip<\/strong>: Design your hierarchy based on business units first, then refine by environment or geography. Start simple \u2013 you can always get more granular later.<\/p>\n\n\n\n
\n\n\n\n\ud83c\udff7\ufe0f Azure Tags: When Names Aren’t Enough<\/h2>\n\n\n\n
Ever tried finding a specific VM among hundreds? Without tags, it’s like finding a needle in a digital haystack.<\/p>\n\n\n\n
Tags are simple name-value pairs that make resources identifiable beyond their cryptic Azure-approved names:<\/p>\n\n\n\n
Tag NameTag ValueOwnerMagellaDepartmentCloud TeamEnvironmentProductionCostCenterIT-12345<\/pre>\n\n\n\nKey benefits:<\/p>\n\n\n\n
\n- Cost allocation<\/strong>: Track spending by team, project, or environment<\/li>\n\n\n\n
- Automation targeting<\/strong>: Run scripts against tagged resources<\/li>\n\n\n\n
- Lifecycle management<\/strong>: Find all “temporary” resources that somehow lived for 2 years<\/li>\n\n\n\n
- Access control<\/strong>: Apply permissions based on tags<\/li>\n<\/ul>\n\n\n\n
Azure allows up to 50 tags per resource, so go wild \u2013 but stay consistent!<\/p>\n\n\n\n![\"\"](\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-30-133932-1024x573.png\")
<\/figure>\n\n\n\nReal Talk<\/strong>: Create a tagging policy before you deploy. Trying to retroactively tag hundreds of resources is like organizing your garage after 10 years of throwing stuff in randomly. Not fun.<\/p>\n\n\n\n
\n\n\n\n\ud83d\udd12 Resource Locks: The “Don’t Touch This” Button<\/h2>\n\n\n\n
Picture this: A new admin accidentally deletes your production SQL cluster with one click. Resource Locks are your insurance policy against “Oh crap<\/em>” moments.<\/p>\n\n\n\nTwo types of locks:<\/p>\n\n\n\n
\n- CannotDelete<\/strong>: Users can read and modify, but not delete<\/li>\n\n\n\n
- ReadOnly<\/strong>: Users can read, but not modify or delete<\/li>\n<\/ul>\n\n\n\n
Apply them at three levels:<\/p>\n\n\n\n
\n- Subscription (the nuclear option)<\/li>\n\n\n\n
- Resource Group (ideal for production)<\/li>\n\n\n\n
- Individual Resource (targeted protection)<\/li>\n<\/ul>\n\n\n\n
Remember \u2013 these locks override RBAC permissions<\/strong>. You could be God-Emperor Owner of the entire Azure universe, and you’d still be blocked by a lock.<\/p>\n\n\n\n![\"\"](\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-30-133949-1024x572.png\")
<\/figure>\n\n\n\nBattle Story<\/strong>: I’ve seen clients lose production databases because someone thought “this SQL server doesn’t look important.” Five minutes to set up locks, weeks to recover data. Choose wisely.<\/p>\n\n\n\n
\n\n\n\n\ud83d\udccf Azure Policy: Guardrails, Not Handcuffs<\/h2>\n\n\n\n
“Trust but verify” doesn’t work in the cloud. Azure Policy lets you enforce standards programmatically:<\/p>\n\n\n\n
\n- Restrict VM sizes to control costs<\/li>\n\n\n\n
- Ensure resources only deploy in approved regions<\/li>\n\n\n\n
- Require specific tags on all resources<\/li>\n\n\n\n
- Enforce encryption, backup, and security standards<\/li>\n<\/ul>\n\n\n\n
The policy engine has different effects:<\/p>\n\n\n\n
\n- Deny<\/strong>: Blocks non-compliant deployments (strict but effective)<\/li>\n\n\n\n
- Audit<\/strong>: Flags violations without blocking (start here)<\/li>\n\n\n\n
- Append<\/strong>: Automatically adds properties like tags (incredibly useful)<\/li>\n\n\n\n
- Modify<\/strong>: Changes properties during creation (powerful but test carefully)<\/li>\n\n\n\n
- Disabled<\/strong>: Just reports what would happen (training wheels)<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-30-134004-1024x571.png\")
<\/figure>\n\n\n\nPro Tips<\/strong>:<\/p>\n\n\n\n\n- Start with Audit before Deny<\/li>\n\n\n\n
- Use initiative definitions (policy groups) even for single policies<\/li>\n\n\n\n
- Apply at the highest scope possible (Management Group level is ideal)<\/li>\n<\/ol>\n\n\n\n
\n\n\n\n\ud83d\udccb Azure Blueprints: Environment Templates on Steroids<\/h2>\n\n\n\n
Ever wished you could just click a button and deploy a compliant environment? That’s Blueprints.<\/p>\n\n\n\n
Think of Blueprints as environment recipes with:<\/p>\n\n\n\n
\n- ARM templates for resources<\/li>\n\n\n\n
- Resource Groups with proper naming<\/li>\n\n\n\n
- Policy assignments baked in<\/li>\n\n\n\n
- RBAC assignments pre-configured<\/li>\n\n\n\n
- Built-in version control<\/li>\n<\/ul>\n\n\n\n
Unlike ARM templates alone, Blueprints maintain relationships with deployed resources, track versions, and can be updated with controlled rollout.<\/p>\n\n\n\n![\"\"](\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-30-134018-1-1024x576.png\")
<\/figure>\n\n\n\nReal Use Case<\/strong>: Create a “Standard Workload Environment” blueprint with networking, storage, key vault, and backup policies. Each new project gets a consistent, secure foundation with one click.<\/p>\n\n\n\n
\n\n\n\n\ud83e\ude96 Practical Checklist<\/h2>\n\n\n\n
\u2705 Management Groups<\/strong>:<\/p>\n\n\n\n\n- Design hierarchy before creating (sketch it out first)<\/li>\n\n\n\n
- Limit direct assignments at root level (that’s governance debt)<\/li>\n\n\n\n
- Don’t go crazy with depth \u2013 3-4 levels is usually plenty (don’t turn it into inception)<\/li>\n<\/ul>\n\n\n\n
\u2705 Tags<\/strong>:<\/p>\n\n\n\n\n- Document your tagging schema (or nobody will follow it)<\/li>\n\n\n\n
- Consider auto-tagging with Azure Policy (humans forget)<\/li>\n\n\n\n
- Include at minimum: Owner, Environment, Project, CostCenter (the fab four)<\/li>\n\n\n\n
- Review untagged resources monthly (they multiply like rabbits)<\/li>\n<\/ul>\n\n\n\n
\u2705 Resource Locks<\/strong>:<\/p>\n\n\n\n\n- Always lock production RGs with CannotDelete (no excuses)<\/li>\n\n\n\n
- Lock critical infrastructure with ReadOnly (network, DNS, security)<\/li>\n\n\n\n
- Document your locks (or future you will curse past you)<\/li>\n\n\n\n
- Train your team on locks (or prepare for confused support tickets)<\/li>\n<\/ul>\n\n\n\n
\u2705 Azure Policy<\/strong>:<\/p>\n\n\n\n\n- Start with Audit mode (walk before you run)<\/li>\n\n\n\n
- Create custom initiatives for your compliance needs<\/li>\n\n\n\n
- Assign at Management Group level when possible (efficiency wins)<\/li>\n\n\n\n
- Review compliance state regularly (policies without review are just wishful thinking)<\/li>\n<\/ul>\n\n\n\n
\u2705 Blueprints<\/strong>:<\/p>\n\n\n\n\n- Version and document your blueprints<\/li>\n\n\n\n
- Test in non-production first (always)<\/li>\n\n\n\n
- Include governance artifacts (policies, RBAC, tags)<\/li>\n\n\n\n
- Update blueprints as standards evolve (they’re living documents)<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n\ud83d\udcca My Tech Two Cents<\/h2>\n\n\n\n
\u2b50 Management Groups are your org chart for Azure.
\u2b50 Tags are your search system when everything looks the same.
\u2b50 Resource Locks are your safety net when someone says “I’m just going to clean up a bit.”
\u2b50 Azure Policy is your automated security guard that never sleeps.
\u2b50 Blueprints are your easy button for consistent deployments.<\/p>\n\n\n\n
Remember: Governance isn’t sexy until it saves your job. That day will come \u2013 be ready.<\/p>\n\n\n\n
\n\n\n\nNext up: Chapter 07 \u2013 We’ll tackle the Cloud Adoption Framework, service lifecycle in Azure, and what “Cloud by Design” really means.<\/p>\n\n\n\n
Much love and stay governance-compliant! \ud83c\udf39\u2764\ufe0f<\/p>\n\n\n\n
Gustavo Magella<\/p>\n\n\n\n
\n\n\n\n[pt-br] \u26a0\ufe0f Um aviso importante!<\/h1>\n\n\n\n
1\ufe0f\u20e3 H\u00e1 um tempo, eu gravei um curso de seguran\u00e7a em nuvem focado em ambientes Microsoft para uma universidade brasileira chamada IGTI. Esse curso fazia parte de um bootcamp de Cloud Computing e, na \u00e9poca, ajudou muitos alunos que estavam come\u00e7ando suas jornadas na \u00e1rea. (Com o fechamento da institui\u00e7\u00e3o, o conte\u00fado acabou ficando indispon\u00edvel.)<\/p>\n\n\n\n
\ud83c\udfaf Sendo assim, resolvi remasterizar, sanitizar e re-lan\u00e7ar esse conte\u00fado gratuitamente no YouTube, com o objetivo de continuar ajudando quem est\u00e1 come\u00e7ando na \u00e1rea de Cloud e Cloud Security.<\/p>\n\n\n\n
2\ufe0f\u20e3 O curso original est\u00e1 em portugu\u00eas (pt-BR), mas ao longo da s\u00e9rie vou publicar tamb\u00e9m artigos em ingl\u00eas (en-US), para que o conte\u00fado possa alcan\u00e7ar mais pessoas at\u00e9 que os novos cursos em ingl\u00eas estejam gravados e dispon\u00edveis.<\/p>\n\n\n\n
3\ufe0f\u20e3 Importante: essa s\u00e9rie n\u00e3o \u00e9 preparat\u00f3ria para certifica\u00e7\u00f5es e n\u00e3o \u00e9 uma bala de prata. A proposta aqui \u00e9 compartilhar conhecimento de forma estruturada, com uma pegada pr\u00e1tica e acess\u00edvel, voltada para:<\/p>\n\n\n\n
Iniciantes em Cloud, Entusiastas de seguran\u00e7a, e quem busca entender melhor como o Azure trata seguran\u00e7a de verdade.<\/p>\n\n\n\n
4\ufe0f\u20e3 A Microsoft renomeou alguns de seus produtos \u2014 por exemplo, o Azure Security Center agora se chama Defender for Cloud, e o Azure Active Directory virou Entra ID. Em algumas aulas, os nomes antigos ainda aparecem, mas foquem nos conceitos e fundamentos t\u00e9cnicos, que continuam v\u00e1lidos e extremamente relevantes.<\/p>\n\n\n\n
Espero que voc\u00eas gostem! Um forte Abra\u00e7o!<\/p>\n\n\n\n
Gustavo Magella<\/p>\n\n\n\n
\n\n\n\n\ud83c\udfac Assista o Cap\u00edtulo 06 \ud83d\udd17 Assista agora no YouTube<\/a> (E se inscreve no canal, sen\u00e3o vou saber que voc\u00ea pulou essa parte… rs)<\/h5>\n\n\n\n
\n\n\n\n[pt-br] Beyond The Cloud \u2013 Spin-Off | Cap\u00edtulo 06: Governan\u00e7a no Azure<\/h1>\n\n\n\n
E a\u00ed seus trens bonitows!? \ud83c\udf39\u2764\ufe0f\ud83d\ude80<\/p>\n\n\n\n
Seja bem-vindo ao Cap\u00edtulo 06 da s\u00e9rie Beyond The Cloud \u2013 Spin-Off. Hoje vamos falar sobre algo que faz muitos engenheiros de nuvem revirarem os olhos, mas que secretamente salva o emprego deles todos os dias: Governan\u00e7a no Azure.<\/p>\n\n\n\n
Vamos mergulhar em Management Groups, Tags, Resource Locks, Azure Policy e Blueprints. Se voc\u00ea acha que isso \u00e9 papo chato de administrador, espere at\u00e9 algu\u00e9m deletar acidentalmente seu ambiente de produ\u00e7\u00e3o porque voc\u00ea pulou este cap\u00edtulo. \ud83d\ude09<\/p>\n\n\n\n
\n\n\n\n\ud83c\udfd7\ufe0f Azure Management Groups: Organizando seu Imp\u00e9rio<\/h2>\n\n\n\n
Vamos come\u00e7ar com uma verdade: conforme sua nuvem cresce, o caos tamb\u00e9m cresce. Management Groups s\u00e3o sua salva\u00e7\u00e3o hier\u00e1rquica.<\/p>\n\n\n\n
Pense nisso como uma \u00e1rvore geneal\u00f3gica para seus recursos no Azure:<\/p>\n\n\n\n
Root Management Group\n\u2502\n\u251c\u2500\u2500 Grupo de Marketing\n\u2502 \u251c\u2500\u2500 Subscription de M\u00eddias Sociais\n\u2502 \u2514\u2500\u2500 Subscription de Cria\u00e7\u00e3o de Conte\u00fado\n\u2502\n\u2514\u2500\u2500 Grupo de TI\n \u251c\u2500\u2500 Subscription de Desenvolvimento\n \u2514\u2500\u2500 Subscription de Produ\u00e7\u00e3o\n<\/code><\/pre>\n\n\n\nEsses grupos permitem:<\/p>\n\n\n\n
\n- Aplicar pol\u00edticas em escala<\/li>\n\n\n\n
- Delegar acesso sem perder o sono<\/li>\n\n\n\n
- Organizar subscriptions de forma l\u00f3gica<\/li>\n\n\n\n
- Herdar configura\u00e7\u00f5es de cima para baixo (a beleza da hierarquia)<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-30-132305-1024x574.png\")
<\/figure>\n\n\n\nA estrutura suporta at\u00e9 6 n\u00edveis de profundidade (excluindo o root), dando flexibilidade at\u00e9 para as organiza\u00e7\u00f5es mais complexas.<\/p>\n\n\n\n
Dica Pro<\/strong>: Projete sua hierarquia baseada em unidades de neg\u00f3cio primeiro, depois refine por ambiente ou geografia. Comece simples \u2013 voc\u00ea sempre pode ficar mais granular depois.<\/p>\n\n\n\n
\n\n\n\n\ud83c\udff7\ufe0f Azure Tags: Quando Nomes N\u00e3o S\u00e3o Suficientes<\/h2>\n\n\n\n
J\u00e1 tentou encontrar uma VM espec\u00edfica entre centenas? Sem tags, \u00e9 como procurar agulha em palheiro digital.<\/p>\n\n\n\n
Tags s\u00e3o pares simples de nome-valor que tornam os recursos identific\u00e1veis al\u00e9m dos seus nomes criptografados aprovados pelo Azure:<\/p>\n\n\n\nNome da Tag<\/th> Valor da Tag<\/th><\/tr><\/thead> Propriet\u00e1rio<\/td> Magella<\/td><\/tr> Departamento<\/td> Time de Cloud<\/td><\/tr> Ambiente<\/td> Produ\u00e7\u00e3o<\/td><\/tr> CentroDeCusto<\/td> TI-12345<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nBenef\u00edcios principais:<\/p>\n\n\n\n
\n- Aloca\u00e7\u00e3o de custos<\/strong>: Rastreie gastos por time, projeto ou ambiente<\/li>\n\n\n\n
- Alvo de automa\u00e7\u00e3o<\/strong>: Execute scripts contra recursos com tags espec\u00edficas<\/li>\n\n\n\n
- Gerenciamento de ciclo de vida<\/strong>: Encontre todos os recursos “tempor\u00e1rios” que de alguma forma viveram por 2 anos<\/li>\n\n\n\n
- Controle de acesso<\/strong>: Aplique permiss\u00f5es baseadas em tags<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-30-132322-1024x574.png\")
<\/figure>\n\n\n\nO Azure permite at\u00e9 50 tags por recurso, ent\u00e3o vai fundo \u2013 mas mantenha a consist\u00eancia!<\/p>\n\n\n\n
Papo Reto<\/strong>: Crie uma pol\u00edtica de tagging antes de implantar. Tentar taguear retroativamente centenas de recursos \u00e9 como organizar sua garagem depois de 10 anos jogando coisas aleatoriamente l\u00e1 dentro. N\u00e3o \u00e9 divertido.<\/p>\n\n\n\n
\n\n\n\n\ud83d\udd12 Resource Locks: O Bot\u00e3o “N\u00e3o Toque Nisso”<\/h2>\n\n\n\n
Imagine isso: Um novo administrador exclui acidentalmente seu cluster SQL de produ\u00e7\u00e3o com um clique. Resource Locks s\u00e3o sua ap\u00f3lice de seguro contra momentos “Eita p#%@<\/em>“.<\/p>\n\n\n\nDois tipos de locks:<\/p>\n\n\n\n
\n- CannotDelete<\/strong>: Usu\u00e1rios podem ler e modificar, mas n\u00e3o excluir<\/li>\n\n\n\n
- ReadOnly<\/strong>: Usu\u00e1rios podem ler, mas n\u00e3o modificar nem excluir<\/li>\n<\/ul>\n\n\n\n
Aplique-os em tr\u00eas n\u00edveis:<\/p>\n\n\n\n
\n- Subscription (a op\u00e7\u00e3o nuclear)<\/li>\n\n\n\n
- Resource Group (ideal para produ\u00e7\u00e3o)<\/li>\n\n\n\n
- Recurso Individual (prote\u00e7\u00e3o direcionada)<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-30-132335-1024x575.png\")
<\/figure>\n\n\n\nLembre-se \u2013 esses locks substituem permiss\u00f5es RBAC<\/strong>. Voc\u00ea pode ser o Dono Todo-Poderoso do universo Azure inteiro, e ainda assim seria bloqueado por um lock.<\/p>\n\n\n\nCaso de Guerra<\/strong>: J\u00e1 vi clientes perderem bancos de dados de produ\u00e7\u00e3o porque algu\u00e9m pensou “esse servidor SQL n\u00e3o parece importante”. Cinco minutos para configurar locks, semanas para recuperar dados. Escolha sabiamente.<\/p>\n\n\n\n
\n\n\n\n\ud83d\udccf Azure Policy: Trilhos de Prote\u00e7\u00e3o, N\u00e3o Algemas<\/h2>\n\n\n\n
“Confie, mas verifique” n\u00e3o funciona na nuvem. O Azure Policy permite impor padr\u00f5es programaticamente:<\/p>\n\n\n\n
\n- Restringir tamanhos de VM para controlar custos<\/li>\n\n\n\n
- Garantir que recursos sejam implantados apenas em regi\u00f5es aprovadas<\/li>\n\n\n\n
- Exigir tags espec\u00edficas em todos os recursos<\/li>\n\n\n\n
- Impor criptografia, backup e padr\u00f5es de seguran\u00e7a<\/li>\n<\/ul>\n\n\n\n
O motor de pol\u00edtica tem efeitos diferentes:<\/p>\n\n\n\n
\n- Deny<\/strong>: Bloqueia implanta\u00e7\u00f5es n\u00e3o conformes (r\u00edgido, mas eficaz)<\/li>\n\n\n\n
- Audit<\/strong>: Sinaliza viola\u00e7\u00f5es sem bloquear (comece por aqui)<\/li>\n\n\n\n
- Append<\/strong>: Adiciona automaticamente propriedades como tags (incrivelmente \u00fatil)<\/li>\n\n\n\n
- Modify<\/strong>: Altera propriedades durante a cria\u00e7\u00e3o (poderoso, mas teste cuidadosamente)<\/li>\n\n\n\n
- Disabled<\/strong>: Apenas relata o que aconteceria (rodinhas de treinamento)<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-30-132349-1024x576.png\")
<\/figure>\n\n\n\nDicas Pro<\/strong>:<\/p>\n\n\n\n\n- Comece com Audit antes de Deny<\/li>\n\n\n\n
- Use defini\u00e7\u00f5es de iniciativa (grupos de pol\u00edticas) mesmo para pol\u00edticas \u00fanicas<\/li>\n\n\n\n
- Aplique no escopo mais alto poss\u00edvel (n\u00edvel de Management Group \u00e9 ideal)<\/li>\n<\/ol>\n\n\n\n
\n\n\n\n\ud83d\udccb Azure Blueprints: Templates de Ambiente com Esteroides<\/h2>\n\n\n\n
J\u00e1 desejou poder simplesmente clicar em um bot\u00e3o e implantar um ambiente em conformidade? Isso s\u00e3o os Blueprints.<\/p>\n\n\n\n
Pense nos Blueprints como receitas de ambiente com:<\/p>\n\n\n\n
\n- Templates ARM para recursos<\/li>\n\n\n\n
- Resource Groups com nomenclatura adequada<\/li>\n\n\n\n
- Atribui\u00e7\u00f5es de pol\u00edtica incorporadas<\/li>\n\n\n\n
- Atribui\u00e7\u00f5es RBAC pr\u00e9-configuradas<\/li>\n\n\n\n
- Controle de vers\u00e3o integrado<\/li>\n<\/ul>\n\n\n\n
Diferente dos templates ARM sozinhos, os Blueprints mant\u00eam relacionamentos com recursos implantados, controlam vers\u00f5es e podem ser atualizados com implanta\u00e7\u00e3o controlada.<\/p>\n\n\n\n![\"\"](\"https:\/\/blog.gustavomagella.com\/wp-content\/uploads\/2025\/04\/Screenshot-2025-04-30-132413-1024x574.png\")
<\/figure>\n\n\n\nCaso de Uso Real<\/strong>: Crie um blueprint de “Ambiente de Carga de Trabalho Padr\u00e3o” com rede, armazenamento, key vault e pol\u00edticas de backup. Cada novo projeto recebe uma base consistente e segura com um clique.<\/p>\n\n\n\n
\n\n\n\n\ud83e\ude96 Checklist R\u00e1pido<\/h2>\n\n\n\n
\u2705 Management Groups<\/strong>:<\/p>\n\n\n\n\n- Projete a hierarquia antes de criar (fa\u00e7a um esbo\u00e7o primeiro)<\/li>\n\n\n\n
- Limite atribui\u00e7\u00f5es diretas no n\u00edvel raiz (isso \u00e9 d\u00edvida de governan\u00e7a)<\/li>\n\n\n\n
- N\u00e3o exagere na profundidade \u2013 3-4 n\u00edveis geralmente s\u00e3o suficientes (n\u00e3o transforme isso em inception)<\/li>\n<\/ul>\n\n\n\n
\u2705 Tags<\/strong>:<\/p>\n\n\n\n\n- Documente seu esquema de tagging (ou ningu\u00e9m vai seguir)<\/li>\n\n\n\n
- Considere auto-tagging com Azure Policy (humanos esquecem)<\/li>\n\n\n\n
- Inclua no m\u00ednimo: Propriet\u00e1rio, Ambiente, Projeto, CentroDeCusto (os quatro fant\u00e1sticos)<\/li>\n\n\n\n
- Revise recursos sem tag mensalmente (eles se multiplicam como coelhos)<\/li>\n<\/ul>\n\n\n\n
\u2705 Resource Locks<\/strong>:<\/p>\n\n\n\n\n- Sempre bloqueie RGs de produ\u00e7\u00e3o com CannotDelete (sem desculpas)<\/li>\n\n\n\n
- Bloqueie infraestrutura cr\u00edtica com ReadOnly (rede, DNS, seguran\u00e7a)<\/li>\n\n\n\n
- Documente seus locks (ou o voc\u00ea do futuro vai amaldi\u00e7oar o voc\u00ea do passado)<\/li>\n\n\n\n
- Treine sua equipe sobre locks (ou prepare-se para tickets de suporte confusos)<\/li>\n<\/ul>\n\n\n\n
\u2705 Azure Policy<\/strong>:<\/p>\n\n\n\n\n- Comece com modo Audit (ande antes de correr)<\/li>\n\n\n\n
- Crie iniciativas personalizadas para suas necessidades de conformidade<\/li>\n\n\n\n
- Atribua no n\u00edvel Management Group quando poss\u00edvel (efici\u00eancia ganha)<\/li>\n\n\n\n
- Revise o estado de conformidade regularmente (pol\u00edticas sem revis\u00e3o s\u00e3o apenas pensamento positivo)<\/li>\n<\/ul>\n\n\n\n
\u2705 Blueprints<\/strong>:<\/p>\n\n\n\n\n- Versione e documente seus blueprints<\/li>\n\n\n\n
- Teste em n\u00e3o-produ\u00e7\u00e3o primeiro (sempre)<\/li>\n\n\n\n
- Inclua artefatos de governan\u00e7a (pol\u00edticas, RBAC, tags)<\/li>\n\n\n\n
- Atualize blueprints conforme os padr\u00f5es evoluem (s\u00e3o documentos vivos)<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n\ud83d\udcca My Tech Two Cents<\/h2>\n\n\n\n
\u2b50 Management Groups s\u00e3o seu organograma para o Azure.
\u2b50 Tags s\u00e3o seu sistema de busca quando tudo parece igual.
\u2b50 Resource Locks s\u00e3o sua rede de seguran\u00e7a quando algu\u00e9m diz “vou s\u00f3 dar uma arrumadinha.”
\u2b50 Azure Policy \u00e9 seu seguran\u00e7a automatizado que nunca dorme.
\u2b50 Blueprints s\u00e3o seu bot\u00e3o f\u00e1cil para implanta\u00e7\u00f5es consistentes.<\/p>\n\n\n\n
Lembre-se: Governan\u00e7a n\u00e3o \u00e9 sexy (at\u00e9 salvar seu emprego – hahahaha). Esse dia vai chegar \u2013 esteja preparado.<\/p>\n\n\n\n
\n\n\n\nNo pr\u00f3ximo cap\u00edtulo: Cap\u00edtulo 07 \u2013 Vamos abordar o Cloud Adoption Framework, ciclo de vida de servi\u00e7os no Azure e o que “Cloud by Design” realmente significa.<\/p>\n\n\n\n
Um bjo no cora\u00e7\u00e3o e mantenha-se em conformidade com a governan\u00e7a! \ud83c\udf39\u2764\ufe0f<\/p>\n\n\n\n
Gustavo Magella<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
[en-gb] \u26a0\ufe0f Important Disclaimer! 1\ufe0f\u20e3 Some time ago, I recorded a course on cloud security in Microsoft environments for a Brazilian university called IGTI. This…<\/p>\n","protected":false},"author":2,"featured_media":1358,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19],"tags":[24,23],"class_list":["post-1355","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-01-my-tech-two-cents","tag-en-gb","tag-pt-br"],"menu_order":0,"_links":{"self":[{"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/posts\/1355","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/comments?post=1355"}],"version-history":[{"count":6,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/posts\/1355\/revisions"}],"predecessor-version":[{"id":1379,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/posts\/1355\/revisions\/1379"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/media\/1358"}],"wp:attachment":[{"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/media?parent=1355"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/categories?post=1355"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.gustavomagella.com\/index.php\/wp-json\/wp\/v2\/tags?post=1355"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}