A Service Catalog for Microsoft Azure
In Part 1 of this blog post series, we identified four key features of a Service Catalog that are fundamental to establishing DevOps in an enterprise. Let us briefly talk about how the AIS Service Catalog realizes these features using Microsoft Azure-specific building blocks.
- Consistent authoring experience – A Service Catalog needs a common, consistent domain-specific language that can be used to author and automate various DevOps toolchains. It turns out that the ARM Template language offers the perfect DSL. The AIS Service Catalog takes full advantage of ARM while giving users a nice and easy end-user experience.
- Self-Service – Ability to provision resources in a self-service manner without privileged access to the Azure subscription is another key tenet of a Service Catalog. Once again, Azure AD features like delegation and RBAC make it possible for users of the AIS Service Catalog to provision resources in a self-service manner.
- Workflow – Another important tenet of a Service Catalog is that self-service enablement goes hand in hand with IT governance. It turns out that the ARM Policy Language gives IT a robust way to enforce standards while still empowering end-users to provision resources on their own.
- Extensibility – Given the cadence of releases in the cloud, it is imperative that a Service Catalog DSL be extensible. Fortunately, ARM fits the bill perfectly. When new resources are released in Azure, they will automatically work within the AIS Service Catalog.
Now that we have reviewed the key features of a Service Catalog and how Azure platform building blocks serve as key enablers, it is time to introduce the AIS Service Catalog!
Introducing AIS Service Catalog
The AIS Service Catalog is a self-service portal that allows developers to quickly provision Enterprise-approved resources in Azure. The key is that the IT Operations group has the ability to first approve any resource and its configuration before making it available in the self-service portal. The AIS Service Catalog is a SaaS product where IT Admins can “enroll” their organization’s directory.
Self Service Portal
The end-user experience in the AIS Service Catalog enables a user to browse an Enterprise-approved product catalog. A “product” can be just about anything supported by Azure. For example, an Enterprise can set up a product that is just a simple Azure Storage Account of a certain SKU. Or a product can be much more complex – an individual product could consist of multiple Azure resources including deploying proprietary application code.
End-users can click on any product to view the details of that product and specific Azure resources included in that product.
Once the end-user decides on their product, they can easily and quickly provision that product in Azure, within the constraints established by the IT Operations administrative staff. Another critical point is that the end-user does not have permission in the Azure Portal to provision whatever they want. By leveraging Azure Role Based Access Control (RBAC), an end-user who logs into the Azure portal can access only the resources that they (or their team) provisioned via the AIS Service Catalog – they will not have permission to see resources provisioned by other teams.
IT Operations in Control
For a Service Catalog implementation to succeed, it is important that the IT Operations group has full control over the resources that are included in the product catalog. The AIS Service Catalog is based on the Azure Resource Manager (ARM) technology. ARM is a critical technology for a number of reasons. ARM is the DSL (domain-specific language) that brings consistency to the DevOps toolchain. ARM enables extreme control over the provisioning of resources. Additionally, when a new resource is released on Azure, ARM is supported for that resource from the beginning. Therefore, the AIS Service Catalog “just works” for brand new Azure resources with no delay for development time.
The AIS Service Catalog enables IT Operations to author ARM templates with their preferred method.
To get you started quickly, IT Operations has the option of using our drag/drop designer, enabling the creation of complex ARM templates at lightning speed.
If IT Operations already has a tool they prefer for authoring ARM templates (e.g., Visual Studio, VS Code, etc.), they can continue to use that tool and then upload the ARM templates to the AIS Service Catalog directly (where they can continue to edit it, if they so choose).
The AIS Service Catalog also provides the ability to get started quickly, by importing any of the pre-existing templates from the Azure Quick Start ARM templates. These templates are a great starting point before customizing the template per your organization’s standards.
Enforce Enterprise Policies
One of the most powerful features that IT Operations can employ to enforce Enterprise standards is Azure Policy. These policies prevent resources from being provisioned that are not in compliance with Enterprise standards. For example, an Enterprise might have policies such as:
- Enforce that all provisioned resources must have a “costCenter” tag (for chargebacks).
- Enforce that all provisioned resources have a “department” tag AND that tag must be one of a specific list of values.
- Enforce that all provisioned resources are in a particular data center.
- Enforce that only VMs of a certain size are allowed to be provisioned.
- Enforce an Enterprise-specific naming convention on all provisioned resources.
The sky is the limit when working with Azure Policies; however, the current way of managing Azure Policies is through the Azure HTTP JSON API. The AIS Service Catalog provides a user-friendly editor so authoring Azure Policies is a simple process.
Not only does AIS Service Catalog make it easier to create/edit Policies, but we also pull values from those policies at deployment time, to ensure the end-user does not mistakenly select a value that is non-compliant with Policy!
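The policy examples listed above and the deployment-time check just described can be sketched as follows. This is an added example, not AIS Service Catalog code: the rule uses Azure Policy's rule syntax with constructed allowed values, the evaluator covers only the operators that appear in that rule, and `field_value`, `matches`, `is_denied`, `allowed_values` and the simplified resource shape are assumptions made for illustration.

```python
import json

# Constructed sample rule in Azure Policy rule syntax (allowed values are made up).
POLICY_RULE = json.loads("""
{"if": {"anyOf": [
    {"field": "tags['costCenter']", "exists": "false"},
    {"not": {"field": "tags['department']", "in": ["Finance", "Engineering", "HR"]}},
    {"not": {"field": "location", "in": ["eastus", "eastus2"]}},
    {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                 "in": ["Standard_D2s_v3", "Standard_D4s_v3"]}}]}]},
 "then": {"effect": "deny"}}
""")

def field_value(resource, field):
    """Resolve a policy field against a simplified resource dict (assumed shape)."""
    if field.startswith("tags['"):
        return resource.get("tags", {}).get(field[6:-2])
    return resource.get("vmSize" if field.endswith("/sku.name") else field)

def matches(cond, resource):
    """Evaluate the subset of conditions used above; string compares ignore case."""
    for key, combine in (("anyOf", any), ("allOf", all)):
        if key in cond:
            return combine(matches(c, resource) for c in cond[key])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = field_value(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return str(value).lower() == cond["equals"].lower()
    if "in" in cond:
        return str(value).lower() in [v.lower() for v in cond["in"]]
    raise ValueError(f"unsupported condition: {cond}")

def is_denied(resource, rule=POLICY_RULE):
    """True when the rule's 'if' matches and its effect is deny."""
    return rule["then"]["effect"] == "deny" and matches(rule["if"], resource)

def allowed_values(cond, out=None):
    """Collect field -> allowed list from each {"not": {"field": ..., "in": [...]}}."""
    out = {} if out is None else out
    inner = cond.get("not", {})
    if "field" in inner and "in" in inner:
        out[inner["field"]] = inner["in"]
    for child in cond.get("anyOf", []) + cond.get("allOf", []):
        allowed_values(child, out)
    return out
```

`allowed_values(POLICY_RULE["if"])` yields the lists a provisioning form could offer as its only choices, while `is_denied` checks a proposed resource before it is submitted; Azure still enforces the real policy at deployment.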
End-users and admin staff can easily see basic spend information on the resources they previously provisioned. This enables departmental chargeback and better overall insight into spend management.
At AIS, we are very excited about the AIS Service Catalog and the increased efficiencies that it brings to an Enterprise’s DevOps journey. We provide a self-service end-user experience to easily provision resources in Azure without requiring elevated admin privileges – all while giving your IT Operations team full control over what those end-users can do. Consider enrolling for a 30-day trial of the AIS Service Catalog by contacting us! The free trial includes Administrator access to the full product version with an unlimited number of users and cloud deployments in your cloud environments. After 30 days, contact us to learn how the open-source AIS Service Catalog can be installed in your cloud environment as part of an AIS service engagement!
If you’re interested in seeing more of the AIS Service Catalog, please check out our series of short videos on the AIS YouTube channel.