Saturday, May 19, 2018

Best Practice for Hybrid Applications


Introduction


A hybrid environment consists of on-premises and cloud-based services. Good reasons for enterprises to move to the cloud are greater business agility, keeping pace with the speed of innovation, and cost savings. Despite the benefits of cloud computing, companies face numerous challenges, including the integration of cloud services into the enterprise architecture and the security and compliance of corporate data. Therefore, IT is looking to put in place policies and processes so that employees and business departments can take advantage of cloud services that drive business growth without compromising the security, compliance, and governance of corporate data. There are multiple potential destinations for any application, such as a private cloud, IaaS, PaaS, SaaS, or a mixture of them (hybrid cloud).



Private Cloud Microsoft Azure Stack is a product that enables organizations to deliver Azure services from their own datacentre. It helps you build and deploy your applications the same way regardless of whether they run on Azure or Azure Stack.

Infrastructure as a Service (IaaS) IaaS services allow you to build and run server-based IT workloads in the cloud, rather than in your on-premises datacentre. IaaS services typically consist of an IT workload that runs on virtual machines that are transparently connected to your on-premises network.



Platform as a Service (PaaS) Platform as a Service delivers application execution services, such as application runtime, storage, and integration, for applications. In a PaaS deployment model, enterprises focus on deploying their application code into PaaS services.

Software as a Service (SaaS) Software as a Service delivers business processes and applications, such as CRM, collaboration, and email, as standardized capabilities for a usage-based cost at an agreed, business-relevant service level.



Hybrid Cloud A hybrid cloud is created when two independent systems, such as an on-premises private cloud and a public cloud, are joined through encrypted connections using technology specifically designed to facilitate the portability of data and applications.

Scope


Many enterprise organizations take a three-step approach to cloud adoption. The first approach is to take advantage of SaaS productivity workloads such as Office 365. The second approach is to base new modern cloud applications on PaaS (Azure SQL databases, Azure Web Apps, Logic Apps, Mobile Apps, etc.). The third approach is moving existing applications to IaaS virtual machines using one of two approaches:

·         Lift and Shift: Existing virtual machines are shifted to the cloud.

·         Build in the cloud: applications are prebuilt in Azure, and traditional methods are used to back up and restore data.







Pros and Cons of the Hybrid Cloud




Pros
Capacity expansion When the incremental cost of adding capacity on-premises is high – think upgrading power and cooling in a data center to accommodate additional racks or building a whole new data center – a hybrid approach is a viable alternative.
Dev/test Dev/test workloads are highly elastic; they are regularly stood up and torn down, and the number of instances at any one time varies widely based on the development phase. Placing these workloads on the hosted cloud allows you to scale capacity to match demand and pay only for what is used.
Planned temporary need Most needs are known in advance, such as new product launches, holidays, peak season and so forth. When given time to plan and execute, most applications can be scaled.
Network optimization Hosted cloud provides the opportunity to shift the heavy lifting of the network off-premises and, in the process, improves the availability, scalability and reliability of the connection by leveraging the provider’s network investment.
Cons
Cost While the public cloud can offer an attractive option for its flexibility and relatively low cost to operate, building a private enterprise cloud requires significant expenditure and can become expensive very quickly with all the physical hardware necessary.
Security The proper precautions must be taken to ensure data is properly protected and that control is maintained by the right people.
Data and application integration If an application lives in a private cloud and its data lives in an on-premises data center, is the application built to access the data remotely? Technologies like copy data virtualization can decouple data from infrastructure.
Compatibility With dual levels of infrastructure, a private cloud the company controls and a public one that it doesn’t, the chances are that they will be running different stacks.
Networking Will very active applications be living in the cloud? It’s necessary to consider the bandwidth usage they could take up on the network and whether it could cause problems in bottlenecking other applications.

Best Practices for moving to the cloud


Catalog existing applications


To understand what applications should be moved, when and how, it’s important to create a well-attributed catalog of applications managed by IT. Then, the relative importance of each attribute (say, business criticality or amount of system integration) can be weighted and the prioritized list can be built.



Define criteria for moving to or starting applications in the cloud


You should set priorities within your migration plan based on a combination of business factors, hardware/software factors, and other technical factors. For sequencing the migration of your workloads, you should begin with less-complex projects and gradually increase the complexity after the less-complex projects have been migrated.

Architect core infrastructure components for cloud integration


You must account for the following elements when planning and implementing hybrid cloud scenarios.

·         Networking for hybrid cloud scenarios includes the connectivity to Microsoft cloud platforms and services and enough bandwidth to be performant under peak loads.

·         Identity for SaaS and Azure PaaS hybrid scenarios can include Azure AD as a common identity provider, which can be synchronized with your on-premises Windows Server AD, or federated with Windows Server AD or other identity providers. You can also extend your on-premises identity infrastructure to Azure IaaS.

·         Security for hybrid cloud scenarios includes protection and management for your identities, data protection, administrative privilege management, threat awareness, and the implementation of governance and security policies.

Acquire cloud development skills


You must develop competencies with cloud technologies and services even as those services evolve and change. Practically, this means that staff must have time to explore new technologies and that you may need to increase your investment in IT staff training.

Retool for adoption and change management


Rethink your IT service management and disaster recovery practices, as well as how a given cloud service integrates with your existing in-house technology infrastructure. Consider the usage of cloud-based IT service management solutions.

Take a systematic and disciplined approach to security, governance, and compliance


Invest in core capabilities within your organization that lead to secure environments:

·         Governance & Security Policy

·         Administrative Privilege Management

·         Identity Systems and Identity Management

·         Threat Awareness

·         Data Protection



Best Practices for cloud connectivity


·         Examine the set of systems at your edge network to ensure that they are current, provide high availability, and have sufficient capacity to meet peak loads.

·         For a high SLA, use ExpressRoute.

·         Analyze your client computers and optimize for network hardware, software drivers, protocol settings, and Internet browsers.

·         Analyze your on-premises network for traffic latency and optimal routing to the Internet edge device.

·         Analyze the capacity and performance of your Internet edge device and optimize for higher levels of traffic.

·         Analyze the latency between your Internet edge device (such as your external firewall) and the regional locations of the Microsoft cloud service to which you are connecting.

·         Analyze the capacity and utilization of your current Internet connection and add capacity if needed. Alternately, add an ExpressRoute connection.

·         Prepare your intranet for Microsoft cloud services.

·         Optimize your Internet bandwidth.

·         Determine the type of VNet (cloud-only or cross-premises).

·         Determine the address space of the VNet.

·         Determine the subnets within the VNet and the address spaces assigned to each.

·         Determine the DNS server configuration and the addresses of the DNS servers to assign to VMs in the VNet.

·         Determine the load balancing configuration (Internet-facing or internal).

·         Determine the use of virtual appliances and user-defined routes.

·         Determine how computers from the Internet will connect to virtual machines.

·         For multiple VNets, determine the VNet-to-VNet connection topology.

·         Determine the on-premises connection to the VNet (S2S VPN or ExpressRoute).

·         Determine the on-premises VPN device or router.

·         Add routes to make the address space of the VNet reachable.

·         For ExpressRoute, plan for the new connection with your provider.

·         Determine the Local Network address space for the Azure gateway.

·         Configure on-premises DNS servers for DNS replication with DNS servers hosted in Azure.

·         Determine the use of forced tunneling and user-defined routes.
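The VNet planning items in the list above (address space, subnets, the on-premises local network space, the gateway) are easy to get wrong on paper, so here is a small validator for such a plan. It is an added example in Python, not Azure tooling or this post's own code; the plan values and names are constructed, and the rules it encodes (no overlap between the VNet and on-premises space, a subnet named GatewaySubnet for the VPN/ExpressRoute gateway, /29 as the smallest subnet, five addresses reserved per subnet) are Azure's documented requirements.

```python
import ipaddress

# Azure reserves 5 addresses in every subnet (network address, 3 platform
# addresses, broadcast), and the smallest subnet it accepts is /29.
AZURE_RESERVED_PER_SUBNET = 5
AZURE_SMALLEST_SUBNET_PREFIX = 29

def validate_plan(vnet_cidr, subnets, local_network_cidrs):
    """Check a cross-premises VNet plan; returns a list of problems (empty = OK)."""
    problems = []
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    # Routes to the VNet only work if it does not overlap the on-premises space
    for cidr in local_network_cidrs:
        lan = ipaddress.ip_network(cidr, strict=True)
        if vnet.overlaps(lan):
            problems.append(f"VNet {vnet} overlaps on-premises space {lan}")
    # An S2S VPN or ExpressRoute gateway requires a subnet named GatewaySubnet
    if "GatewaySubnet" not in subnets:
        problems.append("no GatewaySubnet defined for the VPN/ExpressRoute gateway")
    seen = {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vnet):
            problems.append(f"subnet {name} {net} is outside VNet {vnet}")
        if net.prefixlen > AZURE_SMALLEST_SUBNET_PREFIX:
            problems.append(f"subnet {name} {net} is smaller than /29")
        for other_name, other in seen.items():
            if net.overlaps(other):
                problems.append(f"subnet {name} {net} overlaps {other_name} {other}")
        seen[name] = net
    return problems

def usable_hosts(cidr):
    """VM addresses left in a subnet after Azure's per-subnet reservation."""
    return max(ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET, 0)

# Constructed sample plan: a /16 VNet with app, data and gateway subnets,
# connected to two constructed on-premises ranges via the Azure gateway.
SAMPLE_PLAN = {
    "vnet_cidr": "10.1.0.0/16",
    "subnets": {"GatewaySubnet": "10.1.255.0/27", "app": "10.1.1.0/24", "data": "10.1.2.0/24"},
    "local_network_cidrs": ["192.168.0.0/16", "10.0.0.0/16"],
}

if __name__ == "__main__":
    for problem in validate_plan(**SAMPLE_PLAN) or ["plan is consistent"]:
        print(problem)
    print("usable VM addresses in app subnet:", usable_hosts(SAMPLE_PLAN["subnets"]["app"]))
```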

Best Practices for using Azure Active Directory


·         Create a unique Active Directory site object for each Azure region where virtual machines reside, and associate all the virtual networks in that region with the Active Directory site.

·         Place two domain controllers within an availability set in all Azure regions where virtual machines reside.

·         Make all domain controllers in Azure Global Catalog servers.

·         Make sure that domain controllers are pointing to a DNS server in Windows that hosts the Active Directory zones, rather than the default DNS servers in Azure.

·         Do not set a static IP address on the network adapter in the operating system for virtual domain controllers in Azure. Doing so will isolate the virtual machines and prevent them from communicating on the virtual network.

·         To give a domain controller the IP address that you want and prevent it from changing if the virtual machine is de-provisioned, provide the virtual machine with a static virtual network IP address.

·         Make sure that you place the Active Directory database and SYSVOL on a data disk. If you use the operating system disk or a temporary disk, the database may get corrupted or purged during an outage.



Managing security, compliance and data privacy


Infrastructure protection


·         Monitoring and logging Centralized monitoring, correlation, and analysis systems manage the large amount of information generated by devices within the Azure environment, providing continuous visibility and timely alerts to the teams that manage the service.

·         Update management Security update management helps protect systems from known vulnerabilities. Azure uses integrated deployment systems to manage the distribution and installation of security updates for Microsoft software.

·         Antivirus and antimalware Azure software components must go through a virus scan prior to deployment. Code is not moved to production without a clean and successful virus scan.

·         DDoS protection Azure has a defense system against Distributed Denial-of-Service (DDoS) attacks on Azure platform services. It uses standard detection and mitigation techniques.

Network protection


·         Network isolation Azure is a multitenant service, meaning that multiple customers’ deployments and VMs are stored on the same physical hardware. Azure uses logical isolation to segregate each customer’s data from that of others.

·         Virtual networks A customer can assign multiple deployments within a subscription to a virtual network and allow those deployments to communicate with each other through private IP addresses. Each virtual network is isolated from other virtual networks.

·         VPN and ExpressRoute For even better performance, customers can use an optional ExpressRoute, a private fiber link into Azure datacenters that keeps their traffic off the Internet.

·         Encrypting communications Built-in cryptographic technology enables customers to encrypt communications within and between deployments, between Azure regions, and from Azure to on-premises datacenters.

Data protection


·         Data isolation Azure is a multitenant service, meaning that multiple customers’ deployments and virtual machines are stored on the same physical hardware.

·         Protecting data at rest Azure Disk Encryption is a capability that lets you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption leverages the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your key vault subscription, while ensuring that all data in the virtual machine disks is encrypted at rest in your Azure storage.

SQL Database TDE is based on SQL Server’s TDE technology, which encrypts the storage of an entire database by using an industry-standard AES-256 symmetric key called the database encryption key.

·         Protecting data in transit For data in transit, Azure uses industry-standard transport protocols such as TLS between devices and Microsoft datacenters, and within datacenters themselves.

·         Data redundancy Data may be replicated within a selected geographic area for redundancy.

Identity and access


·         Enterprise cloud directory Azure Active Directory combines core directory services, advanced identity governance, security, and application access management. Azure Active Directory makes it easy for developers to build policy-based identity management into their applications and enables a single identity management capability across on-premises, cloud, and mobile solutions.

·         Multi-Factor Authentication Microsoft Azure provides Multi-Factor Authentication (MFA). It delivers strong authentication via a range of easy verification options—phone call, text message, or mobile app notification—allowing users to choose the method they prefer.

·         Access monitoring and logging Security reports are used to monitor access patterns and to proactively identify and mitigate potential threats. Microsoft administrative operations, including system access, are logged to provide an audit trail if unauthorized or accidental changes are made.

·         Least privilege admin model

o    Limit the number of administrators or members of privileged groups.

o    Delegate fewer privileges to accounts.

o    Provide privileges on demand.

o    Have existing administrators perform tasks instead of adding additional administrators.

o    Provide processes for emergency access and rare use scenarios.
