Governance and control best practices
Using a cloud marketplace to purchase and deploy cloud-based applications creates new paradigms for users and IT administrators. Azure Marketplace aligns with fundamental Azure governance and foundational concepts that facilitate the delivery of the right business and technical outcomes when deploying applications from Azure Marketplace. The concepts also implement the right controls to ensure proper governance operations. Understanding fundamental Azure concepts and becoming familiar with Azure terminology helps you govern and control your use of Azure Marketplace.
Roles and permissions
Assign the right roles and permissions to prevent errors during purchase. For more information about roles and permissions applicable to purchasing, see Roles and permissions.
Organize resources
When you deploy an application through Azure Marketplace, the resources are deployed into your Azure subscription just like any other Azure resource. Applications purchased through Azure Marketplace should be deployed in the proper area of the management group, subscription, and resource group hierarchy. Deploying resources from your Azure subscription into the proper resource group helps you organize your Azure Marketplace purchases and track costs that are related to your workloads. An example diagram follows:
Depending on the type of application you're purchasing, you have a collection of relevant properties to set before deployment, including the resource group. The following image shows how a Linux virtual machine purchased through Azure Marketplace is deployed to a resource group:
All resources deployed from Azure Marketplace into your Azure subscription can be managed within the Azure portal, via PowerShell, or via command line just like any other Azure resource.
You can consult Microsoft's enterprise governance guide for best practices on how to add governance guardrails across your organization's Azure subscriptions as you purchase and deploy applications from Azure Marketplace. The governance guide for complex enterprises provides useful information on how to implement the resource organization, including geography and regional considerations.
Tags
Tagging is an effortless way to classify assets into a taxonomy, and tags are a crucial part of organizing your Azure resources, including those deployed from Azure Marketplace. Tags can be the basis for applying your business policies with Azure Policy or tracking Azure Marketplace costs using Microsoft Cost Management + Billing.
You can apply tags to resources deployed from the Azure Marketplace, resource groups, and subscriptions to logically organize them into a taxonomy, as you would when deploying any other Azure resource.
You can follow Microsoft's guidance for developing a tagging strategy, including defining a naming convention. Ensure all Azure Marketplace resources follow proper naming and tagging conventions, and enforce tagging conventions using Azure Policy. This helps your centralized governance teams make wise cost management decisions when deploying apps from the Azure Marketplace. A tag policy is a way to enforce mandatory values based on your project's needs. Like any good implementation of governance controls, the requirements should come from your business needs and be well understood before creating technical controls.
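As an illustration of enforcing a mandatory tag value with Azure Policy, the following custom policy definition is an added example and is not taken from Microsoft's documentation. The tag name CostCenter, the display name, and the parameter names are assumptions. The effect defaults to Audit so that noncompliant Azure Marketplace deployments are reported before any are blocked with Deny.

```json
{
  "properties": {
    "displayName": "Example: require an approved CostCenter tag value",
    "description": "Added example. The tag name and the allowed values are assumptions to be replaced with your own taxonomy.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "defaultValue": "CostCenter",
        "metadata": { "displayName": "Mandatory tag name" }
      },
      "allowedValues": {
        "type": "Array",
        "metadata": { "displayName": "Approved values for the tag" }
      },
      "effect": {
        "type": "String",
        "allowedValues": [ "Audit", "Deny" ],
        "defaultValue": "Audit",
        "metadata": { "displayName": "Audit first, then switch to Deny" }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notIn": "[parameters('allowedValues')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assign the definition at the management group or subscription scope that contains the resource groups used for Azure Marketplace deployments, and supply the allowedValues list at assignment time.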