Workloads are logical groups of Azure resources that you define inside an Azure Enclave. You can link an Azure resource group to a workload resource to bring that resource group into the security and control boundary of the enclave (see the diagram). Community and enclave owners can create isolated mission-critical workloads, then allow specific access as needed. When enclave owners deploy Azure resources and services into workloads, each workload automatically inherits the enclave's security posture and policies. You create your own Azure services in your workload resource groups and maintain those resources under the shared responsibility model in the cloud. By default, workloads can also use community services that are reachable from their enclave.
Why use a workload?
Workloads are a logical way to organize your Azure resource groups and create a link to your Azure Enclave environment. With workloads, you can keep groups of policies and exceptions separate, each scoped and applied to a workload and to the resources in its linked workload resource groups. Workload resource groups have some restrictions, which are described in the Best Practices.
The alternative is to deploy, through the portal, an Azure resource group that isn't linked to a workload. Workload resource groups are equivalent to normal Azure resource groups, with the added benefit of keeping the resources secured within the enclave boundary. Deploying a normal Azure resource group through the portal is still an option, but that resource group wouldn't be secured within the enclave boundary.
Architecture of a workload
Workloads are linked as a child resource to enclaves and are linked as the parent resource to workload resource groups.
- Azure Enclave governance
- Enclave services and properties
- Well-Architected Framework workload guidance
- Well-Architected Framework Service Guides
This diagram shows two example workloads. The Shared Workload is linked to three workload resource groups and the AKS Workload is linked to one workload resource group. Resource groups are highlighted in green and Azure resources are highlighted in dark blue.
Workload resource group
When you create an Azure Enclave workload, you create linked workload resource groups where you can organize your Azure resources.
For workload resource group best practices and guidelines, see Best practices of workload resource groups.
What can I add to my workload?
Workload resource groups function like Azure resource groups, and you can deploy Azure resources that are compliant with the workload policies. You can create new resources using the methods you're familiar with for your Azure resources. Additionally, you can create resources from the portal through the service catalog; see What is the service catalog.