A hybrid environment consists of on-premises and cloud-based services. Good reasons for enterprises to move to the cloud are greater business agility, keeping pace with the speed of innovation, and cost savings. Despite the benefits of cloud computing, companies face numerous challenges, including the integration of cloud services into the enterprise architecture and the security and compliance of corporate data. Therefore, IT departments are looking to put in place policies and processes so that employees and business departments can take advantage of cloud services that drive business growth without compromising the security, compliance, and governance of corporate data. There are multiple potential destinations for any application: private cloud, IaaS, PaaS, SaaS, or a mixture of them (hybrid cloud).
Private Cloud
Microsoft Azure Stack is a product that enables organizations to deliver Azure services from their own datacentre. It helps you build and deploy your applications the same way regardless of whether they run on Azure or Azure Stack.
Infrastructure as a Service (IaaS)
IaaS services allow you to build and run server-based IT workloads in the cloud rather than in your on-premises datacentre. IaaS services typically consist of an IT workload that runs on virtual machines that are transparently connected to your on-premises network.
Platform as a Service (PaaS)
Platform as a Service delivers application execution services, such as application runtime, storage, and integration for applications. In a PaaS deployment model, enterprises focus on deploying their application code into PaaS services.
Software as a Service (SaaS)
Software as a Service delivers business processes and applications, such as CRM, collaboration, and email, as standardized capabilities for a usage-based cost at an agreed, business-relevant service level.
Hybrid Cloud
A hybrid cloud is created when two independent systems, such as a private cloud and on-premises infrastructure, are joined through encrypted connections using technology specifically designed to facilitate the portability of data and applications.
Many enterprise organizations take a three-step approach to cloud adoption. The first step is to take advantage of SaaS productivity workloads such as Office 365. The second is to base new modern cloud applications on PaaS (Azure SQL databases, Azure Web Apps, Logic Apps, Mobile Apps, etc.). The third is to move existing applications to IaaS virtual machines using one of two approaches:
· Lift and shift: existing virtual machines are shifted to the cloud.
· Build in the cloud: applications are prebuilt in Azure, and traditional methods are used to back up and restore data.
Pros
· Capacity expansion: When the incremental cost of adding capacity on-premises is high – think upgrading power and cooling in a data center to accommodate additional racks or building a whole new data center – a hybrid approach is a viable alternative.
· Dev/test: Dev/test workloads are highly elastic; they are regularly stood up and torn down, and the number of instances at any one time varies widely based on the development phase. Placing these workloads on the hosted cloud allows you to scale capacity to match demand and pay only for what is used.
· Planned temporary need: Most needs are known in advance, such as new product launches, holidays, peak season and so forth. When given time to plan and execute, most applications can be scaled.
· Network optimization: Hosted cloud provides the opportunity to shift the heavy lifting of the network off-premises and, in the process, improves the availability, scalability and reliability of the connection by leveraging the provider’s network investment.
Cons
· Cost: While the public cloud can offer an attractive option for its flexibility and relatively low cost to operate, building a private enterprise cloud requires significant expenditure and can become expensive very quickly with all the physical hardware necessary.
· Security: The proper precautions must be taken to ensure data is properly protected and that control is maintained by the right people.
· Data and application integration: If an application lives in a private cloud and its data lives in an on-premises data center, is the application built to access the data remotely? Technologies like copy data virtualization can decouple data from infrastructure.
· Compatibility: With dual levels of infrastructure, a private cloud the company controls and a public one that it doesn’t, the chances are that they will be running different stacks.
· Networking: Will very active applications be living in the cloud? It’s necessary to consider the bandwidth usage they could take up on the network and whether it could cause problems by bottlenecking other applications.
To understand which applications should be moved, when, and how, it’s important to create a well-attributed catalog of the applications managed by IT. Then the relative importance of each attribute (say, business criticality or amount of system integration) can be weighted and a prioritized list built.
You should set priorities within your migration plan based on a combination of business factors, hardware/software factors, and other technical factors. When sequencing the migration of your workloads, begin with less-complex projects and gradually increase the complexity after the less-complex projects have been migrated.
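The weighting described above can be made concrete. The following Python script is an added example and not part of the original article; the attribute names, the weights and the sample catalog are constructed for illustration. It scores each catalogued application by weighted attributes, penalises integration and compliance complexity, and breaks ties in favour of the less complex project, so the resulting order follows the advice to begin with less-complex migrations.

```python
"""Weighted scoring of an application catalog to sequence a cloud migration.

Added example, not part of the original article. The attribute names,
weights and the sample catalog are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Application:
    name: str
    # Each attribute is scored 1 (low) to 5 (high) by the application owner.
    attributes: dict = field(default_factory=dict)


# Weights express the relative importance of each attribute. A positive
# weight favours early migration; a negative weight penalises complexity.
# (constructed values)
WEIGHTS = {
    "business_value_of_moving": 3.0,   # agility/cost benefit expected
    "hardware_end_of_life": 2.0,       # ageing on-premises hardware
    "business_criticality": -1.5,      # critical systems migrate later
    "system_integration": -2.0,        # many integrations = more complex
    "compliance_sensitivity": -2.5,    # regulated data needs more planning
}


def score(app: Application, weights: dict = WEIGHTS) -> float:
    """Weighted sum of the application's attributes.

    Every weighted attribute must be present, so a poorly attributed
    catalog entry fails loudly instead of silently scoring as zero.
    """
    missing = set(weights) - set(app.attributes)
    if missing:
        raise ValueError(f"{app.name}: missing attributes {sorted(missing)}")
    return sum(weights[k] * app.attributes[k] for k in weights)


def complexity(app: Application) -> float:
    """Complexity as the sum of the penalised attributes (higher = harder)."""
    return sum(app.attributes[k] for k, w in WEIGHTS.items() if w < 0)


def prioritize(catalog: list) -> list:
    """Return (name, score, complexity) tuples, highest score first.

    Ties on score are broken so that the less complex project comes first,
    matching the advice to start with less-complex migrations.
    """
    rows = [(app.name, score(app), complexity(app)) for app in catalog]
    rows.sort(key=lambda r: (-r[1], r[2], r[0]))
    return rows


# Constructed sample catalog.
CATALOG = [
    Application("Intranet wiki", {
        "business_value_of_moving": 4, "hardware_end_of_life": 5,
        "business_criticality": 2, "system_integration": 1,
        "compliance_sensitivity": 1}),
    Application("ERP", {
        "business_value_of_moving": 3, "hardware_end_of_life": 2,
        "business_criticality": 5, "system_integration": 5,
        "compliance_sensitivity": 4}),
    Application("Dev/test lab", {
        "business_value_of_moving": 5, "hardware_end_of_life": 3,
        "business_criticality": 1, "system_integration": 2,
        "compliance_sensitivity": 1}),
    Application("HR payroll", {
        "business_value_of_moving": 2, "hardware_end_of_life": 4,
        "business_criticality": 4, "system_integration": 3,
        "compliance_sensitivity": 5}),
]

if __name__ == "__main__":
    for name, s, c in prioritize(CATALOG):
        print(f"{name:15} score={s:6.1f} complexity={c:4.1f}")
```

With the constructed weights the wiki and the dev/test lab come first and the ERP last; changing the weights (for instance making compliance sensitivity weigh less) reorders the list, which is exactly the conversation the catalog is meant to support.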
You must account for the following elements when planning and implementing hybrid cloud scenarios.
· Networking for hybrid cloud scenarios includes the connectivity to Microsoft cloud platforms and services and enough bandwidth to be performant under peak loads.
· Identity for SaaS and Azure PaaS hybrid scenarios can include Azure AD as a common identity provider, which can be synchronized with your on-premises Windows Server AD, or federated with Windows Server AD or other identity providers. You can also extend your on-premises identity infrastructure to Azure IaaS.
· Security for hybrid cloud scenarios includes protection and management for your identities, data protection, administrative privilege management, threat awareness, and the implementation of governance and security policies.
You must develop competencies with cloud technologies and services even as those services evolve and change. Practically, this means that staff must have time to explore new technologies and that you may need to increase your investment in IT staff training.
Rethink your IT service management and disaster recovery practices, as well as how a given cloud service integrates with your existing in-house technology infrastructure. Consider using cloud-based IT service management solutions.
Invest in core capabilities within your organization that lead to secure environments:
· Governance & Security Policy
· Administrative Privilege Management
· Identity Systems and Identity Management
· Threat Awareness
· Data Protection
· Examine the set of systems at your edge network to ensure that they are current, provide high availability, and have sufficient capacity to meet peak loads.
· For a high SLA, use ExpressRoute.
· Analyze your client computers and optimize for network hardware, software drivers, protocol settings, and Internet browsers.
· Analyze your on-premises network for traffic latency and optimal routing to the Internet edge device.
· Analyze the capacity and performance of your Internet edge device and optimize for higher levels of traffic.
· Analyze the latency between your Internet edge device (such as your external firewall) and the regional locations of the Microsoft cloud service to which you are connecting.
· Analyze the capacity and utilization of your current Internet connection and add capacity if needed. Alternately, add an ExpressRoute connection.
· Prepare your intranet for Microsoft cloud services.
· Optimize your Internet bandwidth.
· Determine the type of VNet (cloud-only or cross-premises).
· Determine the address space of the VNet.
· Determine the subnets within the VNet and the address spaces assigned to each.
· Determine the DNS server configuration and the addresses of the DNS servers to assign to VMs in the VNet.
· Determine the load balancing configuration (Internet-facing or internal).
· Determine the use of virtual appliances and user-defined routes.
· Determine how computers from the Internet will connect to virtual machines.
· For multiple VNets, determine the VNet-to-VNet connection topology.
· Determine the on-premises connection to the VNet (S2S VPN or ExpressRoute).
· Determine the on-premises VPN device or router.
· Add routes to make the address space of the VNet reachable.
· For ExpressRoute, plan for the new connection with your provider.
· Determine the Local Network address space for the Azure gateway.
· Configure on-premises DNS servers for DNS replication with DNS servers hosted in Azure.
· Determine the use of forced tunneling and user-defined routes.
· Create a unique Active Directory site object for each Azure region where virtual machines reside, and associate all the virtual networks in that region with the Active Directory site.
· Place two domain controllers within an availability set in all Azure regions where virtual machines reside.
· Make all domain controllers in Azure Global Catalog servers.
· Make sure that domain controllers are pointing to a DNS server in Windows that hosts the Active Directory zones, rather than the default DNS servers in Azure.
· Do not set a static IP address on the network adapter in the operating system for virtual domain controllers in Azure. Doing so will isolate the virtual machines and prevent them from communicating on the virtual network.
· To give a domain controller the IP address that you want and prevent it from changing if the virtual machine is de-provisioned, provide the virtual machine with a static virtual network IP address.
· Make sure that you place the Active Directory database and SYSVOL on a data disk. If you use the operating system disk or a temporary disk, the database may get corrupted or purged during an outage.
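Several of the planning items above (the VNet address space and its subnets, the Local Network address space for the gateway, and the routes that make the VNet reachable) are easy to get wrong on paper. The Python script below is an added example, not part of the original article: it checks a constructed address plan for overlap between the VNet and the on-premises address space, for subnets that fall outside the VNet or overlap each other, and for subnets that are too small once Azure's five reserved addresses per subnet are subtracted. The CIDR ranges and subnet names are constructed; GatewaySubnet is the name Azure requires for the gateway subnet.

```python
"""Validate a cross-premises VNet address plan before deploying it.

Added example, not part of the original article. The address ranges and
subnet names are constructed; the rule that Azure reserves the first four
and the last address of every subnet is the platform's documented behaviour.
"""
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5  # network, three platform addresses, broadcast


def check_vnet_plan(vnet_space, subnets, on_prem_spaces, min_hosts=None):
    """Return a list of human-readable findings (empty list = plan is clean).

    vnet_space     -- CIDR string for the VNet address space
    subnets        -- dict of subnet name -> CIDR string
    on_prem_spaces -- list of CIDR strings for the on-premises networks that
                      will be advertised over the S2S VPN/ExpressRoute link and
                      configured as the Local Network address space
    min_hosts      -- optional dict of subnet name -> VMs expected in it
    """
    findings = []
    vnet = ipaddress.ip_network(vnet_space, strict=True)
    on_prem = [ipaddress.ip_network(p, strict=True) for p in on_prem_spaces]

    # 1. The VNet must not overlap the on-premises networks, otherwise the
    #    routes that make the VNet reachable from on-premises are ambiguous.
    for prefix in on_prem:
        if vnet.overlaps(prefix):
            findings.append(f"VNet {vnet} overlaps on-premises space {prefix}")

    nets = {}
    for name, cidr in subnets.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append(f"subnet {name}: {exc}")  # e.g. host bits set

    # 2. Every subnet must sit inside the VNet address space.
    for name, net in nets.items():
        if not net.subnet_of(vnet):
            findings.append(f"subnet {name} {net} is outside VNet {vnet}")

    # 3. Subnets inside one VNet must not overlap each other.
    items = sorted(nets.items(), key=lambda kv: kv[0])
    for i, (n1, a) in enumerate(items):
        for n2, b in items[i + 1:]:
            if a.overlaps(b):
                findings.append(f"subnets {n1} {a} and {n2} {b} overlap")

    # 4. Azure reserves five addresses per subnet, so capacity planning has
    #    to subtract them; anything smaller than a /29 has nothing left.
    for name, net in nets.items():
        usable = net.num_addresses - AZURE_RESERVED_PER_SUBNET
        if usable < 1:
            findings.append(f"subnet {name} {net} has no usable addresses")
        elif min_hosts and name in min_hosts and usable < min_hosts[name]:
            findings.append(f"subnet {name} {net} has {usable} usable addresses, "
                            f"needs {min_hosts[name]}")
    return findings


# Constructed sample plan: a hub VNet with a gateway subnet for the
# on-premises connection. Two deliberate mistakes are marked.
PLAN = {
    "vnet_space": "10.20.0.0/16",
    "subnets": {
        "GatewaySubnet": "10.20.255.0/27",
        "frontend": "10.20.1.0/24",
        "domain-controllers": "10.20.2.0/28",
        "backend": "10.20.2.0/24",      # overlaps domain-controllers (mistake)
        "tiny": "10.20.3.0/30",         # too small once Azure reserves 5
    },
    "on_prem_spaces": ["10.0.0.0/16", "10.20.0.0/20"],  # second overlaps VNet
    "min_hosts": {"domain-controllers": 2, "frontend": 50},
}

if __name__ == "__main__":
    for f in check_vnet_plan(**PLAN):
        print("FINDING:", f)
```

Run against the constructed plan it reports three findings (the on-premises overlap, the backend/domain-controllers overlap and the unusable /30); a clean plan returns an empty list, which makes the function easy to wire into a deployment pipeline as a gate.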
· Monitoring and logging: Centralized monitoring, correlation, and analysis systems manage the large amount of information generated by devices within the Azure environment, providing continuous visibility and timely alerts to the teams that manage the service.
· Update management: Security update management helps protect systems from known vulnerabilities. Azure uses integrated deployment systems to manage the distribution and installation of security updates for Microsoft software.
· Antivirus and antimalware: Azure software components must go through a virus scan prior to deployment. Code is not moved to production without a clean and successful virus scan.
· DDoS protection: Azure has a defense system against Distributed Denial-of-Service (DDoS) attacks on Azure platform services. It uses standard detection and mitigation techniques.
· Network isolation: Azure is a multitenant service, meaning that multiple customers’ deployments and VMs are stored on the same physical hardware. Azure uses logical isolation to segregate each customer’s data from that of others.
· Virtual networks: A customer can assign multiple deployments within a subscription to a virtual network and allow those deployments to communicate with each other through private IP addresses. Each virtual network is isolated from other virtual networks.
· VPN and ExpressRoute: For even better performance, customers can use an optional ExpressRoute, a private fiber link into Azure datacenters that keeps their traffic off the Internet.
· Encrypting communications: Built-in cryptographic technology enables customers to encrypt communications within and between deployments, between Azure regions, and from Azure to on-premises datacenters.
· Data isolation: Azure is a multitenant service, meaning that multiple customers’ deployments and virtual machines are stored on the same physical hardware.
· Protecting data at rest: Azure Disk Encryption is a capability that lets you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption leverages the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your key vault subscription, while ensuring that all data on the virtual machine disks is encrypted at rest in your Azure storage. SQL Database TDE is based on SQL Server’s TDE technology, which encrypts the storage of an entire database by using an industry-standard AES-256 symmetric key called the database encryption key.
· Protecting data in transit: For data in transit, Azure uses industry-standard transport protocols such as TLS between devices and Microsoft datacenters, and within datacenters themselves.
· Data redundancy: Data may be replicated within a selected geographic area for redundancy.
· Enterprise cloud directory: Azure Active Directory combines core directory services, advanced identity governance, security, and application access management. It makes it easy for developers to build policy-based identity management into their applications, and it enables a single identity management capability across on-premises, cloud, and mobile solutions.
· Multi-Factor Authentication: Microsoft Azure provides Multi-Factor Authentication (MFA). It delivers strong authentication via a range of easy verification options—phone call, text message, or mobile app notification—allowing users to choose the method they prefer.
· Access monitoring and logging: Security reports are used to monitor access patterns and to proactively identify and mitigate potential threats. Microsoft administrative operations, including system access, are logged to provide an audit trail if unauthorized or accidental changes are made.
· Least privilege admin model
  o Limit the number of administrators or members of privileged groups.
  o Delegate fewer privileges to accounts.
  o Provide privileges on demand.
  o Have existing administrators perform tasks instead of adding additional administrators.
  o Provide processes for emergency access and rare use scenarios.
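The sub-items of the least privilege admin model can be checked mechanically against a directory's role assignments. The Python script below is an added example, not part of the original article; the role names, thresholds, account names and assignment records are constructed, and the `kind` field (a permanent standing assignment versus an eligible assignment that must be activated on demand) is an assumed data model rather than any particular product's schema. It flags too many standing administrators, principals holding several privileged roles at once, on-demand activations that are open-ended or too long, and break-glass accounts that lack a standing emergency-access assignment.

```python
"""Review privileged role assignments against a least-privilege admin model.

Added example, not part of the original article. Role names, thresholds,
account names and the sample assignments are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy values.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
MAX_STANDING_PRIVILEGED = 2        # people with standing privileged access
MAX_ELIGIBLE_PRIVILEGED = 5        # people who may activate privilege on demand
MAX_ACTIVATION_HOURS = 8           # longest acceptable on-demand activation
BREAK_GLASS_ACCOUNTS = {"emergency-admin-1", "emergency-admin-2"}


@dataclass
class Assignment:
    principal: str
    role: str
    kind: str                                # "permanent" (standing) or "eligible" (on demand)
    activated_at: Optional[datetime] = None  # eligible assignments only
    expires_at: Optional[datetime] = None    # None = open-ended activation


def review(assignments, now):
    """Return a list of findings (strings) for the assignment set as of `now`."""
    findings = []
    priv = [a for a in assignments if a.role in PRIVILEGED_ROLES]

    # Limit the number of administrators: standing privileged access is for the
    # break-glass accounts plus a very small number of named people.
    standing = sorted({a.principal for a in priv
                       if a.kind == "permanent" and a.principal not in BREAK_GLASS_ACCOUNTS})
    if len(standing) > MAX_STANDING_PRIVILEGED:
        findings.append(f"{len(standing)} standing privileged admins "
                        f"(limit {MAX_STANDING_PRIVILEGED}): {', '.join(standing)}")
    eligible = sorted({a.principal for a in priv if a.kind == "eligible"})
    if len(eligible) > MAX_ELIGIBLE_PRIVILEGED:
        findings.append(f"{len(eligible)} eligible privileged admins "
                        f"(limit {MAX_ELIGIBLE_PRIVILEGED}): {', '.join(eligible)}")

    # Delegate fewer privileges: one person holding several standing privileged
    # roles at once is over-provisioned.
    roles_by_principal = {}
    for a in priv:
        if a.kind == "permanent":
            roles_by_principal.setdefault(a.principal, set()).add(a.role)
    for principal, roles in sorted(roles_by_principal.items()):
        if len(roles) > 1:
            findings.append(f"{principal} holds {len(roles)} standing privileged roles: "
                            f"{', '.join(sorted(roles))}")

    # Provide privileges on demand: an activation must be time-bound and short.
    for a in priv:
        if a.kind != "eligible" or a.activated_at is None or a.activated_at > now:
            continue
        if a.expires_at is None:
            findings.append(f"{a.principal} activated {a.role} with no expiry")
        else:
            hours = (a.expires_at - a.activated_at).total_seconds() / 3600
            if hours > MAX_ACTIVATION_HOURS:
                findings.append(f"{a.principal} activated {a.role} for {hours:g}h "
                                f"(limit {MAX_ACTIVATION_HOURS}h)")

    # Emergency access: each break-glass account needs a standing Global
    # Administrator assignment, or the rare-use path is missing when needed.
    covered = {a.principal for a in priv
               if a.kind == "permanent" and a.role == "Global Administrator"}
    for acct in sorted(BREAK_GLASS_ACCOUNTS - covered):
        findings.append(f"break-glass account {acct} has no standing Global Administrator assignment")
    return findings


# Constructed sample data.
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
ASSIGNMENTS = [
    Assignment("emergency-admin-1", "Global Administrator", "permanent"),
    # emergency-admin-2 is deliberately absent to show the emergency-access check
    Assignment("alice", "Global Administrator", "permanent"),
    Assignment("alice", "Privileged Role Administrator", "permanent"),
    Assignment("bob", "Global Administrator", "permanent"),
    Assignment("carol", "Global Administrator", "permanent"),
    Assignment("dave", "Global Administrator", "eligible",
               NOW - timedelta(hours=1), NOW + timedelta(hours=1)),     # fine
    Assignment("erin", "Privileged Role Administrator", "eligible",
               NOW - timedelta(hours=2), NOW + timedelta(hours=22)),    # 24 h
    Assignment("frank", "Global Administrator", "eligible",
               NOW - timedelta(minutes=30), None),                      # open-ended
    Assignment("grace", "Helpdesk Administrator", "permanent"),         # not privileged here
]

if __name__ == "__main__":
    for f in review(ASSIGNMENTS, NOW):
        print("FINDING:", f)
```

The sample produces five findings: three standing admins against a limit of two, alice holding two privileged roles, erin's 24-hour activation, frank's open-ended activation, and the missing second break-glass account. Feeding it a real export of role assignments turns the bullet list above into a repeatable review.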