SCUGBE_Lowlands_Unite_2017_Rest azured microsoft cloud demystified

Posted on 21-Jan-2018



Rest Azured: Microsoft Cloud Demystified

About me:

Kenneth van Surksum

Managing Consultant at Insight24

Co-Founder + board member WMUG NL

ksurksum@insight24.nl

#azure,#sysctr,#configmgr,#opsmgr,#winsrv,#microsoft,#ems,#oms,#ARM,#AIP,#Intune

Thanks to our event sponsors

Silver

Gold

Agenda for this session

Bird's eye view

Back to basics – Cloud Computing definition

Demos

Misconceptions and key take aways

Bird's eye view on my IT experience so far

Bird's eye view

Misconceptions

Misconception: Cloud is just another virtualization platform

Cloud versus Virtualization

Virtualization:

Hardware Consolidation

Server Availability

Hosting legacy applications on modern hardware

Cloud:

Scalable

On-demand Capacity

Parallel and dynamic workloads

Self Service

Key takeaways

Cloud ≠ virtualization

Azure Stack ≠ Windows Azure Pack

Moving your VM workloads to Azure isn’t necessarily cheaper

We need developers to start developing on top of Cloud products

“Old” style applications will not disappear in the near future

Misconception: Cloud is secure by default

Forced Tunneling

[diagram: a Virtual Network with three subnets, Front-end (10.1/16), Middle-tier (10.2/16) and Backend (10.3/16), connected through a VPN gateway (VPNGW) to the on-premises network over S2S VPNs; Internet-bound traffic from the subnets either goes directly to the Internet or is forced-tunneled to on premises via the S2S VPN]

Just in time VM Access

Best Practices for Locking Down Access

1. Make sure people automatically lose access when they leave

2. Use multi-factor authentication for all Azure users

3. Use “break glass” accounts for Account & Service Admins

4. Give people minimum access needed for day to day work

5. Use Managed Service Identity to keep credentials out of code

Azure Role-Based Access Control (RBAC)

Fine-grained access control to the Azure “control plane”

Grant access by assigning a Security Principal a Role at a Scope:

Security Principal: User, group, or service principal

Role: Built-in or custom role

Scope: Subscription, resource group, or resource

Assignments are inherited down the resource hierarchy

[diagram: example assignments down the hierarchy – Reader at the Subscription, Owner at the Resource Group, Contributor at the Resource]
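The slide states the RBAC model (principal, role, scope, inheritance down the hierarchy) but does not show how it resolves to an allow or deny for a given request. The following is an added example, not code from the talk or from Microsoft: a small Python model of that resolution. It uses only a simplified subset of the three built-in role definitions named on the slide (Actions/NotActions only, no DataActions or deny assignments), and the subscription id, resource-group names, VM names and principal names are constructed placeholders.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Simplified subset of Azure built-in role definitions (assumption: only the
# three roles from the slide, Actions/NotActions only, no DataActions).
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        # Contributor can manage resources but may not grant access to them.
        "not_actions": [
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user, group or service principal
    role: str       # built-in role name
    scope: str      # subscription, resource group or resource id


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and everything beneath it;
    it never applies upwards (a VM-level grant says nothing about its RG)."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def _any_match(patterns, action: str) -> bool:
    # Action strings compare case-insensitively; the '*' wildcard spans '/'.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_permits(role: str, action: str) -> bool:
    definition = ROLE_DEFINITIONS[role]
    return (_any_match(definition["actions"], action)
            and not _any_match(definition["not_actions"], action))


def effective_roles(assignments, principal: str, target_scope: str):
    """Roles a principal holds at a scope, including those inherited from above."""
    return sorted({a.role for a in assignments
                   if a.principal == principal and scope_covers(a.scope, target_scope)})


def is_allowed(assignments, principal: str, action: str, target_scope: str) -> bool:
    """RBAC is additive: any one inherited role granting the action suffices
    (this model has no deny assignments or conditions)."""
    return any(role_permits(role, action)
               for role in effective_roles(assignments, principal, target_scope))


# Constructed sample hierarchy mirroring the slide: Reader at the subscription,
# Owner at a resource group, Contributor on a single VM. All ids are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_WEB = SUB + "/resourceGroups/rg-web"
VM_WEB = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
VM_DB = SUB + "/resourceGroups/rg-db/providers/Microsoft.Compute/virtualMachines/vm-db-01"

SAMPLE_ASSIGNMENTS = [
    RoleAssignment("auditor@example.com", "Reader", SUB),
    RoleAssignment("web-admins", "Owner", RG_WEB),
    RoleAssignment("deploy-sp", "Contributor", VM_WEB),
]

if __name__ == "__main__":
    checks = [
        ("auditor@example.com", "Microsoft.Compute/virtualMachines/read", VM_DB),
        ("auditor@example.com", "Microsoft.Compute/virtualMachines/start/action", VM_DB),
        ("web-admins", "Microsoft.Authorization/roleAssignments/write", VM_WEB),
        ("web-admins", "Microsoft.Authorization/roleAssignments/write", VM_DB),
        ("deploy-sp", "Microsoft.Compute/virtualMachines/write", VM_WEB),
        ("deploy-sp", "Microsoft.Authorization/roleAssignments/write", VM_WEB),
        ("deploy-sp", "Microsoft.Compute/virtualMachines/write", RG_WEB),
    ]
    for principal, action, scope in checks:
        verdict = "ALLOW" if is_allowed(SAMPLE_ASSIGNMENTS, principal, action, scope) else "DENY"
        print(f"{principal:20} {action:48} {verdict:5} "
              f"roles={effective_roles(SAMPLE_ASSIGNMENTS, principal, scope)}")
```

The two checks worth noticing when splitting users from administrators: the Contributor on the VM can reconfigure it but cannot write role assignments on it (NotActions), and its grant does not reach up to the resource group; the Reader at subscription level sees every VM in every resource group but cannot start one.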

Key takeaways

Split users and administrators – use RBAC

Only connect IaaS VMs to the internet when needed – use forced tunneling

Use Network Security Groups, which serve as a basic firewall

Use Just in Time access (Preview)

Additional Security has pricing

Misconception: We don’t use Cloud (yet)

Key takeaways

Almost every company nowadays is using some kind of Cloud solution

Shadow IT exists everywhere

Start measuring and act on the information

Misconception: Our developers can start right away

Azure Networking Components

Demo: Using policies to restrict the use of Azure resources

Key takeaways

Please do not hand over the keys to developers; instead, assist them while staying in charge of the infrastructure

Use Resource Policies to restrict the use of certain Azure Resource Types

Use Naming Conventions
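The demo and the two takeaways above (resource policies restricting resource types, and naming conventions) are only named, not shown. The block below is an added example, not the talk's demo and not Microsoft's code: two policy definitions written in the real Azure Policy definition shape (properties.parameters and properties.policyRule with if/then, the "[parameters('...')]" reference, the not/allOf logical operators and the in/equals/match field conditions), followed by a small evaluator that applies them to constructed deployment requests. The evaluator is a simplified model of the service (only the listed operators, flat resource dicts, deny effect only); the policy names, allowed-type list, naming pattern and sample resources are all constructed.

```python
import re

# Two constructed policy definitions in the Azure Policy definition shape.
# The first mirrors the rule of the built-in "Allowed resource types" policy;
# the second enforces a VM naming convention with 'match' ('#' = digit,
# '?' = letter, '.' = any character).
ALLOWED_TYPES_POLICY = {
    "properties": {
        "displayName": "Allowed resource types (constructed sample)",
        "parameters": {"listOfResourceTypesAllowed": {"type": "Array"}},
        "policyRule": {
            "if": {"not": {"field": "type",
                           "in": "[parameters('listOfResourceTypesAllowed')]"}},
            "then": {"effect": "deny"},
        },
    }
}

VM_NAMING_POLICY = {
    "properties": {
        "displayName": "VM naming convention (constructed sample)",
        "parameters": {},
        "policyRule": {
            "if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                {"not": {"field": "name", "match": "vm-???-##"}},
            ]},
            "then": {"effect": "deny"},
        },
    }
}

_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
_FIELD_OPS = {"equals", "notEquals", "in", "notIn", "match", "notMatch"}


def _resolve(value, params):
    """Replace a "[parameters('x')]" reference with the assigned value."""
    if isinstance(value, str):
        ref = _PARAM_REF.match(value)
        if ref:
            return params[ref.group(1)]
    return value


def _match(pattern: str, text: str) -> bool:
    # 'match': '#' digit, '?' letter, '.' any char, everything else literal.
    regex = "".join({"#": r"\d", "?": "[A-Za-z]", ".": "."}.get(c, re.escape(c))
                    for c in pattern)
    return re.fullmatch(regex, text, re.IGNORECASE) is not None


def evaluate(condition: dict, resource: dict, params: dict) -> bool:
    """Evaluate a policy condition (logical operator or field condition) against
    a flat resource dict. Only the operators in _FIELD_OPS are modelled."""
    if "not" in condition:
        return not evaluate(condition["not"], resource, params)
    if "allOf" in condition:
        return all(evaluate(c, resource, params) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource, params) for c in condition["anyOf"])
    actual = str(resource.get(condition["field"], ""))
    op = next(k for k in condition if k in _FIELD_OPS)
    expected = _resolve(condition[op], params)
    if op in ("equals", "notEquals"):
        result = actual.lower() == str(expected).lower()   # comparisons are case-insensitive
    elif op in ("in", "notIn"):
        result = actual.lower() in {str(v).lower() for v in expected}
    else:  # match / notMatch
        result = _match(expected, actual)
    return not result if op.startswith("not") else result


def violations(resource: dict, policy_assignments) -> list:
    """Display names of assigned policies whose deny rule fires for this resource."""
    denied = []
    for policy, params in policy_assignments:
        props = policy["properties"]
        rule = props["policyRule"]
        if rule["then"]["effect"].lower() == "deny" and evaluate(rule["if"], resource, params):
            denied.append(props["displayName"])
    return denied


# Constructed policy assignments (definition + parameter values) and requests.
SAMPLE_ASSIGNMENTS = [
    (ALLOWED_TYPES_POLICY, {"listOfResourceTypesAllowed": [
        "Microsoft.Compute/virtualMachines",
        "Microsoft.Network/networkInterfaces",
        "Microsoft.Network/virtualNetworks",
        "Microsoft.Storage/storageAccounts",
    ]}),
    (VM_NAMING_POLICY, {}),
]
SAMPLE_RESOURCES = [
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-web-01"},
    {"type": "Microsoft.HDInsight/clusters", "name": "bigdata"},
    {"type": "Microsoft.Compute/virtualMachines", "name": "MyServer"},
]

if __name__ == "__main__":
    for res in SAMPLE_RESOURCES:
        hits = violations(res, SAMPLE_ASSIGNMENTS)
        print(f"{res['type']:40} {res['name']:12} "
              f"{'DENY: ' + ', '.join(hits) if hits else 'allowed'}")
```

Assigning such a definition at subscription or resource-group scope is what lets developers deploy freely inside the guard rails while the platform team keeps control: the first request passes, the second is refused because the type is not on the allowed list, and the third is refused only because its name breaks the convention.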

Misconception: Once we are in the cloud, we never ever have to migrate again

The tale of 2 Azures

Azure Service Manager (ASM) – Version 1

Referred to as ASM or Classic

Management via Old Portal and New Portal (some exceptions)

Azure Resource Manager (ARM) – Version 2

Referred to as ARM

Management via New Portal

https://www.petri.com/a-tale-of-two-azures

Demo: Infrastructure as Code

Key takeaways

Cloud evolves; make sure you are able to support upgrades to “new products” or other products

Cloud products are announced fast, but also dismantled fast; make sure you stay up to date (#azure)

Misconception: We can run any Microsoft workload in Azure, it’s all Microsoft after all.

Support for Microsoft apps

Microsoft BizTalk Server

Microsoft Dynamics AX

Microsoft Dynamics CRM

Microsoft Dynamics GP

Microsoft Dynamics NAV

Microsoft Exchange

Microsoft Forefront Identity Manager

Microsoft HPC Pack

Microsoft Project Server

Microsoft SharePoint Server

Microsoft SQL Server

Microsoft Team Foundation Server

Microsoft System Center:

App Controller

Configuration Manager

Data Protection Manager

Endpoint Protection

Operations Manager

Orchestrator

Server Application Virtualization

Service Manager

Windows Server:

ADCS

ADDS

ADFS

ADLDS

Application Server

DNS

Failover Clustering

File Services

Hyper-V

NPS

Print and Document Services

Remote Desktop Services

Web Server

Windows Server Update Services

SharePoint

SQL Server

Exchange

https://support.microsoft.com/en-us/help/2721672/microsoft-server-software-support-for-microsoft-azure-virtual-machines

Key takeaways

If you want to run Microsoft workloads, please check first if it’s supported

Misconception:

Once migrated, my on-premise workloads are highly available and can scale out when needed

[diagram: Scenario on one axis, starting from Single Instance; Cost on the other axis, from Lower to Higher]

Building a Hyper-Available Solution: Journey

VM Backup & DR

Scheduled Events

Single Instance SLA

Planned Maintenance

Availability Sets / VMSS

Managed Disks

HA SLA

Load Balancing

Zone spanning VM/VMSS

Sync Storage Replication

Traffic Manager

Async Storage Replication

VM BC/DR (ASR)

99,95% equals 4,38 hrs downtime (per year)

99,9% equals 8,76 hrs downtime (per year)

https://azure.microsoft.com/en-us/support/legal/sla/virtual-machines/v1_6/

Availability sets (at VM creation)

Key takeaways

You have to do something in order to make your VM highly available and scalable (most of the time this requires rewriting the application)

Make sure you can also monitor your cloud resources (are they available?)

Moving to the cloud doesn’t automatically transform your IT department’s maturity

Misconception: Azure has no limitations (but subscriptions do!)

Azure Subscription Limits

https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits

Key takeaways

Before you start deploying Azure Resources, check the subscription limits

Don’t make the same mistakes again that we made years ago!