Architecting Azure For an Enterprise
N. Raja – Cloud Solution Architect
[email protected]
ARC341A
Session Objectives And Takeaways
Session Objective(s):
• Understand the Azure Reference Architecture and how it can be used to streamline your implementations and engagements
• Understand the AZRA models and the design patterns which can be used
• Understand the Azure design patterns and how to use these to develop high-level Azure architectural designs
Takeaways:
• The nature of infrastructure engagements and skills required is changing rapidly in an Azure world
• Standard infrastructure models can be applied to Azure implementations to accelerate Azure adoption
Why This Session - Reference Architecture
Customer Needs
• Customers are seeking “enterprise grade” Azure subscription and service planning from different viewpoints/scenarios
• Customers lack institutional knowledge of public cloud constructs and architecture as compared to that of on-premises architectures
• Bad choices are hard to undo – not taking the time to plan requires rework and creates friction impeding Azure consumption
Why This Session - Reference Architecture
Industry Needs
• Industry resources need a “go to” location or starting point for learning Azure architecture (beyond services and feature descriptions)
• Azure engagements are becoming mainstream and best practices from the leading edge engagements we’ve done need to be propagated
• Azure evolves and improves rapidly; the industry needs an always up to date resource
• AZRA is the core for multiple Services offerings
What This Session is not about
• Content discussed in this session is guidance only and is NOT the “one true or recommended way” to implement a given solution. Azure is too large and diverse for ONE SINGLE architecture.
• AZRA is NOT a finished design. AZRA is more like an encyclopedia with a collection of best practices and guidance along with an associated collection of modular design patterns which help you rapidly create an architecture.
https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-infrastructure-services-implementation-guidelines/
Considerations & Guidance
Architectural Considerations
• Azure Service areas in Compute, Networking, Storage, PaaS services given specific customer scenarios
• Azure Administrative areas such as workload planning, fault domain planning, servicing windows, RBAC, establishing naming conventions, points of access, etc.
• Robust design guidance and considerations for common services which change rapidly within the service
Planning Guidance
• Azure service mapping to existing organizational processes and roles
• Designing with limits, costs and standards in mind (gotchas, quotas, triggers)
Fast, Responsible Consumption
• Deliver reusable models for common service areas to drive rapid consumption
• Establish “starter dough” model for core services which has a low risk of re-work and refactoring
• Enable larger scale and sophisticated architectures when required
Limits to Consider
https://azure.microsoft.com/en-us/documentation/articles/azure-subscription-service-limits/#subscription
Subscriptions, Services and Roles
Subscription Principles
Subscriptions are…
• Previously an administrative security boundary (changed with ARM’s RBAC feature).
• A billing unit.
• A logical limit of scale by which resources can be allocated.
Considerations…
• A subscription on its own doesn’t cost anything.
• A subscription has its own administrators.
• A subscription is accountable for its own consumption and standards.
Multiple Subscriptions = Complexity
On-premises networking and security infrastructures are typically shared resources
Patching, monitoring, auditing are frequently provided by dedicated organizations
and trained staff
Allowing Azure subscriptions to be based on project or team could result in having to:
• Purchase dedicated network circuits arbitrarily rather than for bandwidth need
• Support multiple Edge gateway devices
• Increased management of IP address space allocation
• Increased management of routing and firewall configurations
• Duplicate services required including monitoring, patching, and Anti-Virus
Cohesive Approach for Subscription Models
Technical Requirements
• Availability
• Recoverability
• Performance
• AD requirements, clustering, management tools?
Business Requirements
• Dedicated/Shared Network Connectivity?
Security Requirements
• Who are subscription admins?
• Least Privileged Model
Scalability Requirements
• Growth Plans?
• Limited Resources Allocation?
• Additional Users, Shared Access
Subscription per Department
Each department contains different types of environments (e.g. Prod, Non-Prod). Virtual Networks
will wrap the different environments for traffic separation. Subnets will be created within each
environment to establish required security isolation zones
between applications.
[Diagram: one Azure Account holding a subscription per department (HR, Accounting/Finance, Marketing); each subscription lists the services it consumes: Cloud Service, Virtual machine, Azure Automation, DocumentDB, Traffic Manager, Operational Insights.]
Subscription per Environment
Each environment contains the different types of applications. Virtual Networks will wrap the
different applications for traffic separation. Subnets will be created within each environment to
establish required security isolation zones among application
tiers.
Pros
• Shared ExpressRoute circuit model
• Low VNet subscription limit issues (Limit Per 100th application)
• VNet address spaces can be tailored per application
Cons
• New ExpressRoute circuit required per 10th application
• Granulated Application RBAC model
• Requires medium capacity planning
• Max of 10 dedicated circuits per subscription, max of 100 applications
Subscription per Application
Each application contains the different tiers. Virtual Networks will wrap the different tiers for traffic
separation. Subnets will be created within each tier to establish required security isolation zones.
[Diagram: one Azure Account holding a subscription per line-of-business application (LOB App A, LOB App B, LOB App C); each subscription lists the services it consumes: Cloud Service, Virtual machine, Azure Automation, DocumentDB, Traffic Manager, Operational Insights.]
Correlating Azure Products and Regions
Features and Regions: ensure your feature is available in the region you wish to deploy.
Preview and General Availability (GA): understand differences in support, costs and available geographies.
Special Regions (MAG/China): the full suite of Azure services may not be currently available and has timelines for certification and availability.
https://azure.microsoft.com/en-us/regions/#services
Common Divisions of Labor in IT
Storage
Network
Identity
Virtualization
Data Platform
App Dev
IT Budget
Operations
Role Considerations
In ARM a subscription now has two administrative models:
• Classic: Azure Service Management (ASM)
• New: Azure Resource Manager (ARM)
Cost
One of the primary considerations when constructing customer
solutions (other cloud providers pride themselves on saving the
customer money).
Cost factors
The high level cost model and measurement (e.g. Cost per hour for
virtual machines)
Cost drivers
The unit level costs and design decisions which impact costs (e.g. the number of active virtual machines required, or the type of storage utilized).
Cost Considerations
Budgeting consumption vs. traditional IT investment
Customers struggle with the shift to consumption budget planning
Current IT spend does not consider this model
Azure IaaS migration is not always 1:1
Customers often “over-purchase” for on-premises solutions
Simplistic review of the existing infrastructure does not accurately reflect the expected Azure footprint
Consumption budgeting requires a shift in thinking
Shift thinking towards understanding utilization and scaling
Focus on initial deployment followed by incremental growth
Take advantage of the elasticity of Azure services as part of transition
Naming Considerations
Importance
• Describes type of resource in the subscription
• Places the naming pattern in an order that allows easier application level grouping for potential chargeback billing.
• Automation
Consideration
• Some resource names are:
  • constrained unique across entire Azure.
  • constrained by length
  • constrained to alpha-numeric.
  • constrained unique within account
  • cannot be upper characters
  • cannot contain offensive or forbidden substrings.
Requirements
• Ensure:
  • unique Azure naming
  • case sensitivity requirements
  • application association
  • environment association
  • region association
  • instance association
  • object association
Naming Considerations - Example
Create abbreviations for environments and resources (VMs and Objects), then divide the naming into segments:
Segment A: 3 chars – Company Identifier Prefix plus location
Segment B: 3 chars – Application or Area Identifier
Segment C: 2-3 chars – Target or Resident Environment plus optional version
Segment D: 3 chars – Azure Resource Type: VM or Object
Segment E: Undefined Name for Additional Clarification
Segment F: 2-3 chars – Numeric Sequence for Deployment
Environment abbreviations (Segment C): PD: Production; NP: Non-Production; DV: Development; QA: Quality Assurance
VM abbreviations (Segment D): ADC: Azure Domain Controller; SQL: Azure SQL Database; WER: Azure Web Role; IVM: Generic IaaS VM
Object abbreviations (Segment D): CLS: Cloud Service; ILB: Internal Load Balancer; STA: Storage Account; VNT: Virtual Network
Naming convention sample: CTW-HRW-NP1-SQL-RDO-03
Segment A: Contoso → CTW
Segment B: Application Human Resource → HRW
Segment C: Non-Production + Version 1 → NP1
Segment D: VM, Azure SQL Database → SQL
Segment E: Azure SQL Database Read-Only → RDO
Segment F: Deployment 3 → 03
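The segment scheme above is only useful if every name actually follows it, so a builder that validates on the way in is worth having before the first deployment. This is an added example, not code from the deck or from AZRA: the abbreviation tables are the deck's, the regex and function names are mine, and the storage-account rule it enforces (3 to 24 characters, lowercase letters and digits only, unique across Azure) is Azure's documented constraint.

```python
"""Build and validate names that follow the six-segment convention
(A company/location prefix, B application, C environment + optional
version, D resource type, E optional clarifier, F deployment sequence).
Added example; abbreviation tables are the deck's, everything else is
constructed for illustration."""
import re

ENVIRONMENTS = {"PD": "Production", "NP": "Non-Production",
                "DV": "Development", "QA": "Quality Assurance"}
VM_TYPES = {"ADC": "Azure Domain Controller", "SQL": "Azure SQL Database",
            "WER": "Azure Web Role", "IVM": "Generic IaaS VM"}
OBJECT_TYPES = {"CLS": "Cloud Service", "ILB": "Internal Load Balancer",
                "STA": "Storage Account", "VNT": "Virtual Network"}
RESOURCE_TYPES = {**VM_TYPES, **OBJECT_TYPES}

# Segment E is optional; the regex backtracks so that the trailing
# 2-3 digit group is always taken as Segment F.
SEGMENT_RE = re.compile(
    r"^(?P<company>[A-Z]{3})-(?P<app>[A-Z]{3})-(?P<env>[A-Z]{2})(?P<version>\d?)"
    r"-(?P<rtype>[A-Z]{3})(?:-(?P<clarifier>[A-Z0-9]+))?-(?P<seq>\d{2,3})$")


def parse_name(name):
    """Split a convention name into segments and expand the abbreviations.
    Raises ValueError for anything that does not follow the scheme."""
    m = SEGMENT_RE.match(name)
    if not m:
        raise ValueError(f"{name!r} does not follow the A-B-C-D-E-F scheme")
    parts = m.groupdict()
    if parts["env"] not in ENVIRONMENTS:
        raise ValueError(f"unknown environment abbreviation {parts['env']!r}")
    if parts["rtype"] not in RESOURCE_TYPES:
        raise ValueError(f"unknown resource type abbreviation {parts['rtype']!r}")
    parts["environment"] = ENVIRONMENTS[parts["env"]]
    parts["resource"] = RESOURCE_TYPES[parts["rtype"]]
    parts["kind"] = "VM" if parts["rtype"] in VM_TYPES else "Object"
    return parts


def build_name(company, app, env, rtype, seq, version="", clarifier=""):
    """Assemble a name and round-trip it through parse_name so a typo in
    any segment is caught at creation time rather than at deployment."""
    segments = [company.upper(), app.upper(),
                f"{env.upper()}{version}", rtype.upper()]
    if clarifier:
        segments.append(clarifier.upper())
    segments.append(f"{int(seq):02d}")
    name = "-".join(segments)
    parse_name(name)
    return name


def storage_account_name(name):
    """Derive the storage-account name from a Segment D = STA convention
    name. Azure storage account names must be 3-24 lowercase letters and
    digits with no hyphens and unique across all of Azure, so hyphens are
    dropped and case is folded; anything that cannot fit is refused."""
    if parse_name(name)["rtype"] != "STA":
        raise ValueError("only Segment D = STA names map to storage accounts")
    candidate = name.replace("-", "").lower()
    if not re.fullmatch(r"[a-z0-9]{3,24}", candidate):
        raise ValueError(f"{candidate!r} violates the storage account name rules")
    return candidate


if __name__ == "__main__":
    sample = build_name("CTW", "HRW", "NP", "SQL", 3, version="1", clarifier="RDO")
    print(sample, parse_name(sample))
    print(storage_account_name("CTW-HRW-PD-STA-01"))
```

The round trip in build_name is the point: a name is only ever emitted if the parser accepts it, so the convention cannot drift silently as new abbreviations are introduced.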
Demo - Subscription Automation
Get-SubscriptionLimit
• Creates a list of all Azure Services with current usage and Max Limit.
• Creates a more detailed list for Cloud Services to give a better view of CS and their current usage.
• Get Current Usage of any specific Azure Service or All.
• Color coded output that matches how close to limit the usage is.
Note: Depending on your Azure Services this script might take some time to complete
Storage
Storage
Storage accounts have many variables
Establish a Storage “Stamp” model
• Determine initial storage account footprint based on workload requirements
• Determine process and policy where a new stamp would be created or extended
Typical “stamp” would include these storage accounts:
• LRS
• GRS
• Premium Storage
Storage Protection
Service
• Exposed in one or more Storage Accounts within each Azure subscription
• Data residing within Storage Accounts does not reside on a single disk
• Microsoft protects the data stored within each datacenter with a comprehensive set of controls in alignment with the security certifications outlined at the Azure Trust Center
Subscription
• Several layers of protection including ones that are provided by Microsoft and ones that are controlled by the Customer
• Differs by storage access type
• Uses both first party and third-party mechanisms.
• Dependent on the workload type
[Diagram: the Service and Subscription protection layers shown for both IaaS and PaaS.]
Capability Considerations
Capability Decision Points
Capability: Different storage account types serve different purposes.
Decision point: Each storage account should be allocated to a specific purpose and not be a generic, all-purpose container.
Capability: Different storage services provide unique capabilities.
Decision point: Understand the type of data and data flow that the storage account will serve, to determine the storage service that the account will provide.
Capability: The storage service offers two types of blobs - block blobs and page blobs.
Decision point: Understand and decide on the use of either block blobs or page blobs when you create the blob.
Capability: Microsoft Azure provides several ways to store and randomly access data in the cloud (blobs).
Decision point: Decide when to use Azure Blobs, Azure Files, or Azure Data Disks.
Capability: How data is replicated, its type, storage transactions, and the use of Premium storage impact cost.
Decision point: Total cost depends on how much you store, the volume of storage transactions and outbound data transfers, and which data redundancy option you choose.
Capability: Storage containers can be used to further organize data in storage accounts.
Decision point: Decide how you want the data in Azure storage to be organized.
Capability: Concurrency settings can be modified on Azure Storage accounts.
Decision point: Modern applications usually have multiple users viewing and updating data simultaneously. Three main data concurrency strategies developers will typically consider: optimistic concurrency, pessimistic concurrency, and last writer wins.
Capability: There are storage account limitations that must be understood and respected.
Decision point: Consider the throughput limitations of each account and design your storage accounts with those in mind. You are more likely to hit the throughput limitations before you hit the size limitations.
Capability: Single or multiple storage accounts may be used.
Decision point: Consider how to design the IaaS or PaaS workloads to dynamically add accounts, in the event more scale is needed for the solution in the future, beyond what a single storage account can provide.
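The three concurrency strategies named in the table differ in what happens when two writers race on the same blob, and the difference is easiest to see with the race spelled out. The following is an added example, not from the deck: an in-memory stand-in for a blob store whose write() takes an ETag precondition and a lease id, mirroring the ETag-on-read, If-Match-on-write and lease mechanisms Azure Storage exposes; the BlobStore class, blob name and values are constructed for illustration.

```python
"""Lost update versus optimistic (ETag) and pessimistic (lease)
concurrency on a simulated blob store. Added example; the store is a
constructed stand-in for Azure Storage's ETag/If-Match/lease semantics."""
import uuid


class PreconditionFailed(Exception):
    """The blob changed since the ETag the writer presented."""


class LeaseHeld(Exception):
    """Another writer holds an exclusive lease on the blob."""


class BlobStore:
    def __init__(self):
        self._blobs = {}   # name -> (data, etag)
        self._leases = {}  # name -> lease_id

    def read(self, name):
        return self._blobs[name]

    def write(self, name, data, if_match=None, lease_id=None):
        current_etag = self._blobs.get(name, (None, None))[1]
        if if_match is not None and if_match != current_etag:
            raise PreconditionFailed(name)
        held = self._leases.get(name)
        if held is not None and held != lease_id:
            raise LeaseHeld(name)
        etag = uuid.uuid4().hex          # every successful write gets a new ETag
        self._blobs[name] = (data, etag)
        return etag

    def acquire_lease(self, name):
        if name in self._leases:
            raise LeaseHeld(name)
        self._leases[name] = uuid.uuid4().hex
        return self._leases[name]

    def release_lease(self, name, lease_id):
        if self._leases.get(name) == lease_id:
            del self._leases[name]


def last_writer_wins(store):
    """Two writers read the same counter, both add one, both write
    unconditionally: the second write silently discards the first."""
    store.write("counter", "0")
    a_val, _ = store.read("counter")
    b_val, _ = store.read("counter")
    store.write("counter", str(int(a_val) + 1))
    store.write("counter", str(int(b_val) + 1))
    return int(store.read("counter")[0])  # 1: one update was lost


def optimistic(store):
    """Same interleaving, but each write carries the ETag it read. The
    stale writer gets PreconditionFailed, re-reads and retries."""
    store.write("counter", "0")
    a_val, a_etag = store.read("counter")
    b_val, b_etag = store.read("counter")
    store.write("counter", str(int(a_val) + 1), if_match=a_etag)
    retries = 0
    while True:
        try:
            store.write("counter", str(int(b_val) + 1), if_match=b_etag)
            break
        except PreconditionFailed:
            retries += 1
            b_val, b_etag = store.read("counter")
    return int(store.read("counter")[0]), retries  # (2, 1)


def pessimistic(store):
    """Writer A takes a lease before reading; writer B cannot write at
    all until the lease is released, so no retry loop is needed."""
    store.write("counter", "0")
    lease = store.acquire_lease("counter")
    a_val, _ = store.read("counter")
    rejected = False
    try:
        store.write("counter", "99")              # B, no lease: rejected
    except LeaseHeld:
        rejected = True
    store.write("counter", str(int(a_val) + 1), lease_id=lease)
    store.release_lease("counter", lease)
    return int(store.read("counter")[0]), rejected  # (1, True)
```

Last writer wins is the cheapest and is fine for data that is overwritten wholesale; optimistic concurrency costs a retry only when a conflict actually happens, which suits the low-contention case; leases serialise writers and are the choice when a retry would be expensive or a partial update is unacceptable.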
Networking
Azure Network Planning
Three main areas in Azure network planning
regardless of the application or service being hosted:
Connectivity
Topology
Security
Network Connectivity
Internal/Administrative
Typically includes P2S, S2S, ExpressRoute or simply public endpoints to administrative ports (rare)
Considerations:
• The type of teams requiring access
• Where they come from
• What monitoring/management tools require access to Azure
End-User
Typically includes S2S, ExpressRoute or public endpoints to published services (think HTTP/HTTPS).
Considerations:
• Where their customer base is
• Whether to leverage the public Azure network infrastructure or internally control the network traffic (both flow and security)
Express Route
Understand the models
• Difference between Network Service Providers (NSP) and Exchange Providers (IXP)
• Understand what model the customer is using today to accelerate adoption
• Understand the differences in available port speeds, locations and approach
• Understand the limits that drive additional circuits
Understand the providers
• Each offers a different experience based on ecosystem and capabilities
• Some provide complete solutions and management
Understand the costs
• Connection costs can be broken out by the service connection costs (Azure) and the authorized carrier costs (telco partner)
• Unlike other Azure services, look beyond the Azure pricing calculator
Network Topology
How is the network infrastructure laid out in Azure?
How does it complement (or counter) the infrastructure they have built on-premises?
VNet Models:
• Mesh
• Hub and Spoke
• Daisy Chain
Network Security
Key driver for Azure network implementation
Network security typically falls into two areas:
• Secure/manage traffic flow between applications, their tiers and other
services
• Secure/manage traffic flow between users and the application
Models include:
1. Customers driving all traffic using their existing network infrastructure
regardless of customer access (internal or external)
2. Leveraging native Azure connectivity
3. A combination of both
Demo - Network Automation
Get-AvailableIPs
• Creates a directory and exports your
Azure subscription Network
Configuration file (vnetconfig.xml)
• You may choose to retrieve IP addresses
for either one subnet or all subnets
• Parses through vnetconfig.xml and will
retrieve all available and non-available
IP addresses
• If IP address is taken by a Virtual
Machine the name of the VM will be
shown
• Color coded output
• Will export the output to a .csv file when
completed
Note: Depending on your network environment this script might take some time to complete
Demo - Network Automation
Get-NSGRules
• Retrieves NSG Rules for the following:
  • All Subnets
  • All VMs
  • VM to VM
  • VM to Subnet
  • Subnet to Subnet
  • All NSG Rules
• Will output a NSG detailed Report to a .txt file
• NSG report .txt file name will be time stamped
Note: Depending on your NSG Rules this script might take some time to complete
Identity and Security
Azure Active Directory
Azure Active Directory (AD) interacts with the cloud in two ways – as
an enabler of the cloud, and as a consumer of the cloud.
Enabler of the Cloud
• IT Professionals will mostly be concerned with Azure AD as an enabler of the cloud.
Consumer of the Cloud
• Developers will mostly be concerned with the identity services that Azure AD provides as a consumer of the cloud.
Azure Active Directory
• Azure AD for Authentication: AD Connect / ADFS, Single Sign On, 2000+ SaaS Applications, Application Proxy, MFA
• B2C and B2B
• Azure AD Directory Services
[Diagram: Users authenticate (1) against on-premises Active Directory Federation Service (AD FS), which issues a security token (2) accepted by Azure AD over a federation trust.]
Means of Control (Federated Admin) (Security Dependencies)
Upstream Control
• Active Directory
• Federation and Synchronization
• Admin Workstation(s)
Downstream Control
• Azure Subscription: control of all IaaS VMs; control of all PaaS VM Apps/Data
• Azure AD: availability of all tenant services
Important: upstream control also includes hosts where upstream administrator credentials are used/exposed.
Compute
Compute – IaaS and PaaS
Organizations struggle to adopt a fully outsourced model
• Lines of division between IaaS and PaaS responsibilities are blurred in applications which use both constructs
• Understand where your customer’s maturity is
• While PaaS is the goal, IaaS is a current reality most customers both require and understand
IaaS Considerations
Cost
• Size and number of Virtual Machines
• Azure Virtual Machine Storage Requirements
• Azure Virtual Network and VPN services
• Network Traffic out of Azure
Network
• Decide on Name resolution: Azure-based or own DNS solution
• Virtual Network overlay for enhanced security and isolation
• Extension of the on-premises network to the cloud
• Number of persistent private IP addresses required
Limits
• AutoScaling for increased or decreased load is different than PaaS
• VMs are not load balanced by default
• VM density per Vnet (currently 2048)
• Concurrent TCP connections for VMs roles (500K)
PaaS Considerations
Deploy
Understand Tradeoffs and decision points on the following:
• Azure Websi
• Upgrade Domains
• Deployment Slots
• Web Deploy
• Continuous Integration
Manage
Understand the methods of monitoring PaaS workloads:
• IIS Logs
• Azure Diagnostics
• IIS Failed Request Logs
• Windows Event Logs
• Performance Counters
• Crash Dumps
• Custom Error Logs
• .NET EventSource
• Manifest based ETW
• Application Insights
Limits
• Auto Scaling: The application environment does not automatically increase or decrease role instances for increase or decrease in load
• Load Balancing: Application instances not load balanced by default
• Density: Service Management total cloud services per subscription is 20
Cloud Platform Integration Framework
Architecture Patterns
• Provides a library of architecture patterns that can be assembled into a solution
• Pattern templates encourage architects to consider new design dimensions such as usage cost, SLAs
• Enable easier updates as Azure features and functionality change much more frequently
• When designing an architecture, you must include Operations
[Diagram 1: multi-region web tier pattern. Traffic Manager (TM01) fails over between a Primary Region (US West, example; Affinity Group Pri-AG1 with Cloud Service Pri-CS1, Availability Set Pri-AS1 of 3 or more A2 VMs (2 cores, 3.5 GB memory each, 6 cores total) in the Web Tier, Virtual Network Pri-VN1, Storage Account Pri-SA1) and a Secondary Region (Europe North, example; Affinity Group Sec-AG2 with Cloud Service Sec-CS2, Availability Set Sec-AS2, Virtual Network Sec-VN2, Storage Account Sec-SA2). Load-Balanced Sets on TCP 80, 443 behind ACLs; locally redundant and geo-redundant storage accounts; the two Virtual Networks are joined by an IPsec/IKE S2S VPN tunnel.]
[Diagram 2: Azure Search pattern. A Presentation Tier (Search Pages, Search Views, Other Modules) uses a Search Tier (2 VMs, 8 cores total) and a Storage Tier (1 VM, 4 cores total) with a Content Processing Framework (Connectors, Item Processor, Containers, Facets, Blob Storage, Post Data); Load-Balanced Sets on TCP 80, 1433 over A3 VMs (4 cores, 7 GB memory, example), with additional virtual machines as AG Secondary, Dedicated Witness Node or File Share Witness for Quorum.]
https://azure.microsoft.com/en-us/documentation/articles/architecture-overview/
Integration Framework
CPIF Functional Areas
• Architecture
• Deployment (Provisioning and Deprovisioning)
• Business Continuity and Disaster Recovery
• Monitoring
• Maintenance
• Operations
[Diagram: the functional areas span Workloads (Applications and Services), Automation and Orchestration, Identity, Security, Public, Private and Hybrid Cloud, and Fabric and Fabric Management.]
Remember that Azure is updated weekly
Real World Design
Azure Deployment Architecture
[Diagram: Prod Subscription in an Azure Datacenter, VNET (10.1.80.0/21), with tiered subnets each fronted by an NSG: DMZ Subnet 192.168.1.0/24, Web Subnet 192.168.2.0/24, App Subnet 192.168.3.0/24, DB Subnet 192.168.4.0/24, Mgmt. Subnet 192.168.5.0/24.]
Diagram notes:
• UDR (User Defined Routes) with NVA is possible
• NSG can be applied to VM as well but not shown for simplicity
• NSG provides both inbound and outbound protection (stateful rules)
• Only TCP & UDP (No IP)
Edge and DMZ: Azure ELB (NAT Device) protecting against DDoS attack, spoofing, etc.; appliances like WAF, Firewall, IDS/IPS, DLP, etc. (F5, Citrix, Cisco, Barracuda, A10, Checkpoint, Kemp, Fortinet, Alert Logic, DeyAll, HAProxy, Riverbed, etc.); Bastion Host / Jump Server; Endpoint Rules & ACL.
Host controls: Host/OS/VM based firewall and/or 3rd Party/Partner solution providing anti-malware, IDS/IPS protection; Hardened Image (BYO), Anti-virus, application based security products, etc. (extensions can be pushed); Disk Level Encryption (Bitlocker, CloudLink, TrendMicro); DB Level Encryption.
Mgmt. Subnet: Management Server of Symantec, McAfee, Syslog, monitoring, Configuration Manager, threat protection/Analyzer from Alert Logic or Fortinet, etc.
3rd party or Partner Security Solutions, e.g. Alert Logic security services, etc.
Access paths: Internet Users / Penetration Tester reach the DMZ from the Internet over https or secure connection; Developer / Internal Users / Penetration Tester arrive over Site-to-Site VPN and/or ExpressRoute (Secure Connection) through the Azure Gateway; Secure Access to Azure – SSH, RDP, etc.
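The diagram relies on the NSG in front of each subnet to keep the tiers apart, and the Get-NSGRules demo earlier pulls those rules out for review. What the review has to establish is whether the rule set, evaluated the way the platform evaluates it (ascending priority, first match wins, default rules last), actually isolates the DB tier. The following is an added example, not from the deck or the demo script: the subnet addresses are the diagram's, the DB_NSG rules are constructed, and the two default rules it models (AllowVnetInBound at priority 65000, DenyAllInBound at 65500) are Azure's documented defaults.

```python
"""Priority-ordered NSG evaluation plus a segmentation check for the
tiered subnets in the deployment diagram. Added example; rules are
constructed, subnets are the diagram's."""
import ipaddress
from dataclasses import dataclass

SUBNETS = {"DMZ": "192.168.1.0/24", "Web": "192.168.2.0/24", "App": "192.168.3.0/24",
           "DB": "192.168.4.0/24", "Mgmt": "192.168.5.0/24"}
VNET = [ipaddress.ip_network(c) for c in SUBNETS.values()]


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str       # "Allow" | "Deny"
    protocol: str     # "Tcp" | "Udp" | "*"
    source: str       # "*", "VirtualNetwork", "Internet", CIDR, or subnet name
    destination: str
    dest_port: str    # "*", "1433", or "80-443"


# Azure's default inbound rules (simplified): VNet-to-VNet is allowed
# unless a higher-priority rule denies it, then everything else is denied.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]


def _match_addr(spec, ip):
    ip = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    in_vnet = any(ip in net for net in VNET)
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":
        return not in_vnet
    return ip in ipaddress.ip_network(SUBNETS.get(spec, spec))


def _match_port(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, protocol, src_ip, dst_ip, dst_port):
    """Return (access, rule name) of the first rule that matches."""
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if (_match_addr(r.source, src_ip) and _match_addr(r.destination, dst_ip)
                and _match_port(r.dest_port, dst_port)):
            return r.access, r.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")


# Constructed NSG for the DB subnet: only App may reach SQL, only Mgmt may
# RDP, and an explicit deny sits above the permissive default.
DB_NSG = [
    Rule("allow-app-to-sql", 100, "Allow", "Tcp", "App", "DB", "1433"),
    Rule("allow-mgmt-rdp", 110, "Allow", "Tcp", "Mgmt", "DB", "3389"),
    Rule("deny-vnet-to-db", 200, "Deny", "*", "VirtualNetwork", "DB", "*"),
]


def segmentation_gaps(rules, target="DB", allowed=("App",), port=1433, protocol="Tcp"):
    """List (subnet, matching rule) for every subnet other than the intended
    sources that can still reach the target on the given port."""
    dst = str(list(ipaddress.ip_network(SUBNETS[target]).hosts())[3])
    gaps = []
    for name, cidr in SUBNETS.items():
        if name == target or name in allowed:
            continue
        src = str(list(ipaddress.ip_network(cidr).hosts())[3])
        access, rule = evaluate(rules, protocol, src, dst, port)
        if access == "Allow":
            gaps.append((name, rule))
    return gaps


if __name__ == "__main__":
    print(segmentation_gaps(DB_NSG))
    print(segmentation_gaps([r for r in DB_NSG if r.name != "deny-vnet-to-db"]))
```

The second print is the point of the check: with only the two allow rules, AllowVnetInBound lets DMZ, Web and Mgmt reach SQL on 1433, so a rule set that looks like a whitelist is not one until an explicit deny is placed above the defaults.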
Access Inheritance and Resource Hierarchy
[Diagram: resource hierarchy Subscription → Resource Groups (RG) → Resources (R); a role assignment made at a scope is inherited by every scope beneath it.]
Role Assignment: Role = ‘Reader’, Subject = AAD Group, Scope = Subscription
Role Assignment: Role = ‘Contributor’, Subject = AAD User, Scope = Resource Group
Role Assignment: Role = ‘Owner’, Subject = AAD User, Scope = Resource
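Inheritance means a principal's effective access at a resource is the union of every assignment on the path from the subscription down, including those that arrive through group membership. The resolver below is an added example, not from the deck or from Azure's own implementation: the three assignments mirror the slide, the subscription id is a placeholder, the user and group names are constructed, and the role definitions are a simplified rendering of Azure's built-in Reader (*/read), Contributor (* except writing and deleting Microsoft.Authorization) and Owner (*).

```python
"""Effective RBAC access from scope-inherited role assignments.
Added example; scopes, principals and group membership are constructed,
role definitions are simplified from Azure's built-in roles."""
from fnmatch import fnmatchcase

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
RG = SUB + "/resourceGroups/CTW-HRW-PD-RG-01"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/CTW-HRW-PD-IVM-01"
OTHER_VM = RG + "/providers/Microsoft.Compute/virtualMachines/CTW-HRW-PD-IVM-02"

ROLES = {  # role -> (actions, not_actions); NotActions subtract within one role only
    "Reader": ({"*/read"}, set()),
    "Contributor": ({"*"}, {"Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/*/Delete"}),
    "Owner": ({"*"}, set()),
}

GROUPS = {"hrw-readers": {"alice", "carol"}}  # constructed AAD group

ASSIGNMENTS = [  # (role, subject, scope), as on the slide
    ("Reader", "hrw-readers", SUB),
    ("Contributor", "alice", RG),
    ("Owner", "bob", VM),
]


def scope_covers(assignment_scope, target):
    """An assignment applies at its own scope and every scope beneath it."""
    a, t = assignment_scope.lower(), target.lower()
    return t == a or t.startswith(a + "/")


def principals_for(user):
    """The user plus every group the user belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def effective_roles(user, target, assignments=ASSIGNMENTS):
    subjects = principals_for(user)
    return sorted({role for role, subject, scope in assignments
                   if subject in subjects and scope_covers(scope, target)})


def _matches(patterns, action):
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_allowed(user, target, action, assignments=ASSIGNMENTS):
    """Allowed if any effective role grants the action and that same role
    does not list it under NotActions. Roles are additive: a NotAction in
    one role never vetoes a grant from another."""
    for role in effective_roles(user, target, assignments):
        actions, not_actions = ROLES[role]
        if _matches(actions, action) and not _matches(not_actions, action):
            return True
    return False


def who_can(action, target, users=("alice", "bob", "carol"), assignments=ASSIGNMENTS):
    """Audit helper: which of the known users can perform an action at a scope."""
    return [u for u in users if is_allowed(u, target, action, assignments)]


if __name__ == "__main__":
    print(who_can("Microsoft.Authorization/roleAssignments/write", VM))
    print(who_can("Microsoft.Compute/virtualMachines/read", VM))
```

Two things the resolver makes visible that the picture alone does not: a Contributor at resource-group scope can do everything to the VM except change who has access, and an Owner assigned on one resource has no rights at all on its neighbour in the same resource group.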
Continue your Ignite learning path
Visit Microsoft Virtual Academy for free online training visit
https://www.microsoftvirtualacademy.com
Visit Channel 9 to access a wide range of Microsoft
training and event recordings https://channel9.msdn.com/
Head to the TechNet Eval Centre to download trials of the latest
Microsoft products http://Microsoft.com/en-us/evalcenter/
© 2015 Microsoft Corporation. All rights reserved.
Microsoft, Windows and other product names are or may be registered trademarks
and/or trademarks in the U.S. and/or other countries.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY,
AS TO THE INFORMATION IN THIS PRESENTATION.