SCUGBE_Lowlands_Unite_2017_Rest azured microsoft cloud demystified
Rest Azured: Microsoft Cloud Demystified
About me:
Kenneth van Surksum
Managing Consultant at Insight24
Co-Founder + board member WMUG NL
#azure,#sysctr,#configmgr,#opsmgr,#winsrv,#microsoft,#ems,#oms,#ARM,#AIP,#Intune
Thanks to our event sponsors
Silver
Gold
Agenda for this session
Bird's eye view
Back to basics – Cloud Computing definition
Demos
Misconceptions and key takeaways
bird's eye view on my IT experience so far
bird's eye view
Misconceptions
Misconception: Cloud is just another virtualization platform
Cloud versus Virtualization
Virtualization:
Hardware Consolidation
Server Availability
Hosting legacy applications on modern hardware
Cloud:
Scalable
On-demand Capacity
Parallel and dynamic workloads
Self Service
Key takeaways
Cloud ≠ virtualization
Azure Stack ≠ Windows Azure Pack
Moving your VM workloads to Azure isn’t necessarily cheaper
We need developers to start developing on top of Cloud products
“Old” style applications will not disappear in the near future
Misconception: Cloud is secure by default
Forced Tunneling
(Diagram) A Virtual Network with three subnets: Front-end 10.1/16, Middle-tier 10.2/16 and Backend 10.3/16. The front-end subnet is connected directly to the Internet; the middle-tier and backend subnets are forced tunneled via S2S VPNs through the VPN gateway (VPNGW) to on premises.
Just in time VM Access
Best Practices for Locking Down Access
1. Make sure people automatically lose access when they leave
2. Use multi-factor authentication for all Azure users
3. Use “break glass” accounts for Account & Service Admins
4. Give people minimum access needed for day to day work
5. Use Managed Service Identity to keep credentials out of code
Azure Role-Based Access Control (RBAC)
Fine-grained access control to the Azure “control plane”
Grant access by assigning a Security Principal a Role at a Scope
Security Principal: User, group, or service principal
Role: Built-in or custom role
Scope: Subscription, resource group, or resource
Assignments are inherited down the resource hierarchy
(Diagram) Example assignments at each level of the hierarchy: Reader at the Subscription, Owner at a Resource Group, Contributor at a Resource
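The scope inheritance described on this slide, modelled in plain Python as an added example (this is not code from the presentation or from Microsoft). The role definitions are a constructed, simplified subset of the built-in Reader, Contributor and Owner roles, the scope IDs and principals are constructed, and the check mirrors how a control-plane authorization decision is reached: roles are additive across assignments, while NotActions only subtract within their own role.

```python
"""Azure RBAC scope inheritance, modelled in plain Python (added example, constructed data)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed, simplified role definitions. Actions grant, NotActions subtract
# *within the same role*; roles across assignments are purely additive.
ROLES = {
    "Reader":      {"actions": {"*/read"}, "notActions": set()},
    "Contributor": {"actions": {"*"},
                    "notActions": {"Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"}},
    "Owner":       {"actions": {"*"}, "notActions": set()},
}


@dataclass(frozen=True)
class Assignment:
    principal: str   # user, group or service principal
    role: str        # built-in or custom role name
    scope: str       # subscription, resource group or resource ID


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """True when target_scope is assignment_scope itself or lies beneath it.
    ARM resource IDs are case-insensitive, so both sides are lower-cased."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def effective_roles(assignments, principal, target_scope):
    """Roles that apply to a principal at target_scope, including inherited ones."""
    return {a.role for a in assignments
            if a.principal == principal and scope_covers(a.scope, target_scope)}


def _matches(action, patterns):
    """Wildcard match of an action string against role patterns (case-insensitive)."""
    action = action.lower()
    return any(fnmatchcase(action, p.lower()) for p in patterns)


def is_allowed(assignments, principal, target_scope, action):
    """Control-plane check: an action is allowed if any effective role grants it
    through Actions and does not exclude it through its own NotActions."""
    for role in effective_roles(assignments, principal, target_scope):
        definition = ROLES[role]
        if _matches(action, definition["actions"]) and not _matches(action, definition["notActions"]):
            return True
    return False


# Constructed scope IDs mirroring the slide: subscription -> resource group -> VM.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-demo"
RG_OTHER = SUB + "/resourceGroups/rg-other"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"

# Constructed assignments: Reader at the subscription, Owner at the resource
# group, Contributor on a single resource.
ASSIGNMENTS = [
    Assignment("alice@example.com", "Reader", SUB),
    Assignment("alice@example.com", "Owner", RG),
    Assignment("ci-pipeline-sp", "Contributor", VM),
]

if __name__ == "__main__":
    print(sorted(effective_roles(ASSIGNMENTS, "alice@example.com", VM)))
    print(is_allowed(ASSIGNMENTS, "ci-pipeline-sp", VM,
                     "Microsoft.Authorization/roleAssignments/write"))
```

The last check is the one worth remembering when applying "minimum access needed": a Contributor at resource scope can change the VM but cannot grant anyone else access to it, and an assignment made on a resource never climbs back up to the resource group.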
Key takeaways
Split users and administrators – Use RBAC
Only connect IaaS VMs to the internet when needed – use forced tunneling
Use Network Security Groups which serve as a basic FW
Use Just in Time access (Preview)
Additional Security has pricing
Misconception: We don’t use Cloud (yet)
Key takeaways
Almost every company nowadays is using some kind of Cloud solution
Shadow IT exists everywhere
Start measuring and act on the information
Misconception: Our developers can start right away
Azure Networking Components
Demo: Using policies to restrict use of Azure resources
Key takeaways
Please do not hand over the keys to Developers; instead, assist them while staying in charge of the infrastructure
Use Resource Policies to restrict the use of certain Azure Resource Types
Use Naming Conventions
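The two takeaways above (restricting resource types, enforcing naming conventions) are both expressed in Azure as Resource Policy definitions. The following is an added example, not code from the presentation or from Microsoft: two constructed definitions written in the JSON shape Azure Policy uses, plus a minimal evaluator for the subset of the policy language they need (`field` conditions with `equals`, `in`, `like`, `notLike`; the operators `not`, `allOf`, `anyOf`; and `[parameters('name')]` references). The evaluator is a teaching model of how a rule is matched against a resource request, not Microsoft's policy engine; the allowed-types list and the `vm-*` naming pattern are assumptions chosen for the example.

```python
"""Minimal evaluator for Azure Policy rules (added example; not Microsoft's engine)."""
import re
from fnmatch import fnmatchcase

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

# Constructed definition: deny any resource type that is not in the parameter
# list (the same rule pattern as the built-in "Allowed resource types" policy).
ALLOWED_TYPES_POLICY = {
    "properties": {
        "displayName": "Allowed resource types (constructed example)",
        "policyType": "Custom",
        "mode": "All",
        "parameters": {
            "listOfResourceTypesAllowed": {
                "type": "Array",
                "defaultValue": [
                    "Microsoft.Compute/virtualMachines",
                    "Microsoft.Network/virtualNetworks",
                    "Microsoft.Network/networkSecurityGroups",
                    "Microsoft.Storage/storageAccounts",
                ],
            }
        },
        "policyRule": {
            "if": {"not": {"field": "type",
                           "in": "[parameters('listOfResourceTypesAllowed')]"}},
            "then": {"effect": "deny"},
        },
    }
}

# Constructed naming-convention definition: VM names must start with "vm-".
NAMING_POLICY = {
    "properties": {
        "displayName": "VM naming convention (constructed example)",
        "policyType": "Custom",
        "mode": "Indexed",
        "policyRule": {
            "if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                {"field": "name", "notLike": "vm-*"},
            ]},
            "then": {"effect": "deny"},
        },
    }
}


def _resolve(value, params):
    """Replace a "[parameters('x')]" reference with the parameter's value."""
    if isinstance(value, str):
        m = PARAM_REF.match(value)
        if m:
            return params[m.group(1)]
    return value


def evaluate(cond, resource, params):
    """Evaluate one policyRule condition against a resource dict.
    String comparisons are case-insensitive, as in Azure Policy."""
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    value = str(resource.get(cond["field"], "")).lower()
    if "equals" in cond:
        return value == str(_resolve(cond["equals"], params)).lower()
    if "in" in cond:
        return value in {str(v).lower() for v in _resolve(cond["in"], params)}
    if "like" in cond:
        return fnmatchcase(value, str(cond["like"]).lower())
    if "notLike" in cond:
        return not fnmatchcase(value, str(cond["notLike"]).lower())
    raise ValueError(f"unsupported condition: {cond}")


def effect_for(policy, resource, param_overrides=None):
    """Return the policy's effect (e.g. "deny") when its rule matches, else None."""
    props = policy["properties"]
    params = {name: spec.get("defaultValue")
              for name, spec in props.get("parameters", {}).items()}
    params.update(param_overrides or {})
    rule = props["policyRule"]
    return rule["then"]["effect"] if evaluate(rule["if"], resource, params) else None


def check_deployment(resource, policies=(ALLOWED_TYPES_POLICY, NAMING_POLICY)):
    """Display names of the policies that would deny this resource (empty = allowed)."""
    return [p["properties"]["displayName"] for p in policies
            if effect_for(p, resource) == "deny"]


if __name__ == "__main__":
    # Constructed resource requests, as a developer's deployment would submit them.
    for res in ({"type": "Microsoft.Compute/virtualMachines", "name": "vm-web-01"},
                {"type": "Microsoft.Compute/virtualMachines", "name": "Server1"},
                {"type": "Microsoft.HDInsight/clusters", "name": "hdi-1"}):
        print(res["name"], "->", check_deployment(res) or "allowed")
```

The point of a `deny` effect is that it is enforced at the control plane, before the resource exists, so a developer with Contributor rights in their resource group still cannot create a resource type or name that the infrastructure team has not sanctioned.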
Misconception: Once we are in the cloud, we never ever have to migrate again
The tale of 2 Azures
Azure Service Manager (ASM) – Version 1
Referred to as ASM or Classic
Management via Old Portal and New Portal (some exceptions)
Azure Resource Manager (ARM) – Version 2
Referred to as ARM
Management via New Portal
https://www.petri.com/a-tale-of-two-azures
Demo: Infrastructure as Code
Key takeaways
Cloud evolves; make sure you are able to support upgrades to “new products” or other products
Cloud products are announced fast but also dismantled fast; make sure you are up to date (#azure)
Misconception: We can run any Microsoft workload in Azure, it’s all Microsoft after all.
Support for Microsoft apps
Microsoft BizTalk Server
Microsoft Dynamics AX
Microsoft Dynamics CRM
Microsoft Dynamics GP
Microsoft Dynamics NAV
Microsoft Exchange
Microsoft Forefront Identity Manager
Microsoft HPC Pack
Microsoft Project Server
Microsoft SharePoint Server
Microsoft SQL Server
Microsoft Team Foundation Server
Microsoft System Center
App Controller
Configuration Manager
Data Protection Manager
Endpoint Protection
Operations Manager
Orchestrator
Server Application Virtualization
Service Manager
Windows Server
ADCS
ADDS
ADFS
ADLDS
Application Server
DNS
Failover Clustering
SharePoint
SQL Server
Exchange
https://support.microsoft.com/en-us/help/2721672/microsoft-server-software-support-for-microsoft-azure-virtual-machines
File Services
Hyper-V
NPS
Print and Document Services
Remote Desktop Services
Web Server
Windows Server Update Service
Key takeaways
If you want to run Microsoft workloads, please check first if it’s supported
Misconception: Once migrated, my on-premises workloads are highly available and can scale out when needed
Building a Hyper-Available Solution: Journey
(Diagram: scenarios ordered from lower to higher cost, starting from a Single Instance)
VM Backup & DR
Scheduled Events
Single Instance SLA
Planned Maintenance
Availability Sets \ VMSS
Managed Disks
HA SLA
Load Balancing
Zone spanning VM/VMSS
Sync Storage Replication
Traffic Manager
Async Storage Replication
VM BC/DR (ASR)
99,95% equals 4,38 hrs downtime (per year)
99,9% equals 8,76 hrs downtime (per year)
https://azure.microsoft.com/en-us/support/legal/sla/virtual-machines/v1_6/
Availability sets (at VM creation)
Key takeaways
You have to do something in order to make your VM highly available and scalable (most of the time this requires rewriting the application)
Make sure you can also monitor your cloud resources (are they available?)
Moving to the cloud doesn’t automatically transform your IT department’s maturity
Misconception: Azure has no limitations, but subscriptions do!
Azure Subscription Limits
https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits
Key takeaways
Before you start deploying Azure Resources, check the subscription limits
Don’t make the same mistakes again that we made years ago!