CTP’s Minimum Viable Cloud (MVC) methodology is core to how we build production-grade public cloud environments with baseline security and automation. Keeping up with contemporary industry best practices and the latest cloud services from CSPs is key to delivering a successful cloud foundation. This article reviews several recent announcements and enhancements from Microsoft, and explores how they affect future iterations of an Azure infrastructure.
The key announcements and updates discussed in this article can be categorized according to these aspects of the MVC:
- Governance: helping accelerate the consistent set of standards and tooling required to deploy and manage secure Azure environments across multiple regions and subscriptions.
- Security: measures and solutions in place that address controls, technology and governance to deliver a secure cloud, and enable compliance with any regulatory needs or concerns.
- Networking: building upon the recommended hub-and-spoke networking model to enable on-premises-to-Azure connectivity; recent Microsoft announcements help simplify branch office connectivity and globally improve service delivery.
- Management Groups and Azure Policy provide a solid approach to governing the Azure environment without interrupting the work of developers and operations. Custom or ready-made resource policies, RBAC (role-based access control) assignments and cost management applied at the management group level are now inherited by all the subscriptions grouped inside that management group.
- Azure Blueprints enable the definition of a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns and requirements with respect to identity and access management (IAM), network policies, etc. This speeds up development and delivery across multiple subscriptions and environments.
- Azure Policy for DevOps: Azure Policy has been a key component of our Security and Governance tenet, ensuring standards and compliance across the environment in which it is deployed. Azure Policy now integrates with Azure’s CI/CD platform (Azure DevOps), so that the policies created are evaluated pre-deployment. This reduces the number of reactive actions Security and Governance teams would otherwise need to carry out to ensure compliance within the environment.
- Building hardened OS images that meet your organization’s or industry standards, such as CIS (Center for Internet Security), and sharing the custom images globally within an organization is a key part of cloud operations. In the past, it was a challenge to build a VM image and publish it across multiple subscriptions. Now, Microsoft offers a new service to accelerate image lifecycle management (ILM): Shared Image Gallery. This service helps you manage custom images with ease, by building a hierarchy of image definitions with versioning support, scaling to different replicas and sharing them across multiple subscriptions or regions.
- Azure Deployment Manager simplifies the deployment of services in a scalable fashion. Many enterprise applications comprise complex services spread across multiple interlinked resource groups. Azure Deployment Manager helps define a topology for such services, and provides greater control over product rollouts by managing dependencies between the services.
- Azure Cost Monitor provides a single pane of glass solution for cost management, combining functionalities from the Enterprise and Cloudyn portals. Cost monitoring and other governance controls, such as management groups, resource tagging and Power BI reports, provide comprehensive controls to set budgets or slice and dice cost data for various BUs and groups.
- Azure Resource Graph is a service in Azure designed to extend Azure Resource Management by providing efficient and performant resource exploration to effectively govern your environment. Azure Resource Graph has the ability to query resources with complex filtering, grouping and sorting by resource properties from resource groups, subscriptions or management groups, with the resulting expression feeding into a policy definition.
- Secure DevOps Kit for Azure (AzSK) is a collection of scripts, tools, extensions, automation, etc., that addresses end-to-end Azure subscription and resource security needs by integrating security into native DevOps workflows. AzSK focuses on key security controls, such as subscription level security, security integration to CI/CD, continuous assurance, etc., by running security validation tests (SVTs) with deployment pipelines.
- Service Endpoints provide a direct connection from virtual networks (VNets) to Azure services. Endpoints allow you to restrict access to your critical Azure service resources to only your virtual networks, using their private IP ranges. Today, Azure supports service endpoints for most Azure data services, such as Azure Storage, Azure Key Vault, Azure SQL, Service Bus and Event Hubs.
- Azure Security Center (ASC) has been enhanced to protect workloads at scale. Enhancements include: a security score; regulatory dashboards for compliance standards, such as CIS, PCI, SOC and ISO; advanced threat detection; JIT (just-in-time) VM access; and APIs to manage ASC. Today, you can even enable automatic provisioning of monitoring agents on all Azure VMs.
- Cloud Access Security Broker (CASB) is a service that acts as an access broker for all cloud services. It can be connected to all Azure AD-integrated SaaS applications, such as Salesforce, Box, Jira, etc., as well as PaaS applications with Azure AD integration.
- Azure Virtual WAN provides optimized and automated branch-to-branch connectivity through Azure. Virtual WAN lets you simplify connectivity and the configuration of branch devices, and provisions an Azure Virtual WAN hub to terminate on-premises connectivity and to host all the common services, such as AD/DS, DNS, NVAs, etc., that are shared across spoke networks. This is compatible with site-to-site, point-to-site or ExpressRoute connections. The Azure WAN built-in dashboard provides instant troubleshooting insights to save you time, and gives you an easy way to view large-scale connectivity.
- Azure ExpressRoute Direct gives you the ability to enable up to 100 Gbps connectivity directly into Microsoft’s global network at strategically distributed peering locations. This supports massive data ingestion scenarios into Azure storage and other big data services.
- Azure Firewall: Up until now, securing the traffic flows and control of one’s Azure environment would usually require the deployment of network virtual appliances (NVAs) using third-party solution providers, such as Barracuda, Fortinet, Palo Alto, etc. However, these NVAs would follow a traditional IaaS-based deployment, with scaling and availability being the key considerations to ensure adequate security SLAs. Azure Firewall is a managed, cloud-based network security service with built-in high availability and scalability. Additionally, this service will expand out to third-party vendors to provide SaaS-based security policy management capabilities across Azure.
- Azure Front Door Service: We often work with customers to deploy highly available web-based applications on Azure on a global scale, with key requirements such as low application loading times and global load balancing, without compromising on security. In the past, meeting these requirements took a combination of three Azure services: Azure Traffic Manager, Content Delivery Network (CDN) and Web Application Firewall. Delivering this functionality can now be simplified with Azure Front Door Service, which combines those capabilities into one unified solution. This provides a scalable and secure entry point for fast delivery of your global web applications.
- Public IP prefix: Networking and IP addressing of resources is by far one of the most challenging aspects that traditional operational teams have to get used to when either integrating public cloud environments with their existing on-premises networks, or using a public cloud environment as a stand-alone instance. The specific challenge in question is the inability to choose and select a subset of Public IPs against which networking teams need firewall rules, and instead, having to resort to FQDN-based traffic rules. Now, Public IP prefixes provide a contiguous range of IP addresses for Azure public endpoints that enable you to associate Azure resources with public IP addresses from a known fixed range. This simplifies firewall rules, as IP addresses are assigned to new resources.
- VNet for Containers simplifies a key requirement for container-based workloads — namely, the need for a mature CNI-based (container networking interface) overlay to administer and manage communications across pods and to access additional services provided by the cloud provider. Azure VNet for Containers extends the existing software-defined networking stack to Kubernetes, removing the need for third-party networking overlays, such as Calico.
- VTAP appliances: One of the biggest asks from networking and security professionals has been for the ability to collect and analyze network traffic on Azure, beyond what the Azure Network Monitor provides. Now, within developer preview, Azure virtual network TAP (Terminal Access Point) provides continuous mirroring of virtual machine network traffic to a packet collector or analytics tool (provided by a third-party network virtual appliance), without having to use agents.
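As an added example (not from the original article and not Microsoft's code), the Python below pairs an Azure Policy definition written in the real policy schema with a small evaluator, so a pipeline can check candidate resource JSON against the rule before deployment, which is the pre-deployment posture described for Azure Policy for DevOps, applied to the storage-account network restriction that service endpoints enable. The sample resources and the `<subnet-id-placeholder>` are constructed, and the evaluator implements only a subset of Azure Policy's condition language.

```python
# Added example (not Microsoft's code): an Azure Policy definition in the real
# schema, plus a minimal evaluator (allOf / field / equals / notEquals only) so
# the rule can be checked against resource JSON before deployment.
POLICY_DEFINITION = {"properties": {
    "displayName": "Storage accounts must restrict network access",
    "policyType": "Custom", "mode": "Indexed",
    "parameters": {"effect": {"type": "String", "defaultValue": "Deny",
                              "allowedValues": ["Audit", "Deny", "Disabled"]}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            # Firewall default must be Deny so only the listed VNets (service
            # endpoints) and IP rules can reach the account.
            {"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
             "notEquals": "Deny"}]},
        "then": {"effect": "[parameters('effect')]"}}}}

# Constructed sample resources: open, restricted to a subnet, never configured
# (Azure then defaults to Allow), and a non-storage resource the rule must skip.
SAMPLE_RESOURCES = [
    {"name": "openlogs", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"networkAcls": {"defaultAction": "Allow"}}},
    {"name": "lockedlogs", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"networkAcls": {"defaultAction": "Deny",
                    "virtualNetworkRules": [{"id": "<subnet-id-placeholder>"}]}}},
    {"name": "legacy", "type": "Microsoft.Storage/storageAccounts", "properties": {}},
    {"name": "kv1", "type": "Microsoft.KeyVault/vaults", "properties": {}}]

def field_value(resource, alias):
    """Resolve 'type' or a '<resourceType>/<dotted.property.path>' alias."""
    if alias == "type":
        return resource.get("type")
    rtype = resource.get("type", "")
    if not alias.lower().startswith(rtype.lower() + "/"):
        return None  # alias belongs to a different resource type
    value = resource.get("properties", {})
    for part in alias[len(rtype) + 1:].split("."):
        value = value.get(part) if isinstance(value, dict) else None
    return value

def matches(resource, cond):
    """Case-insensitive compare; a missing property counts as 'not equal' (assumption)."""
    if "allOf" in cond:
        return all(matches(resource, c) for c in cond["allOf"])
    value = field_value(resource, cond["field"])
    value = value.lower() if isinstance(value, str) else value
    if "equals" in cond:
        return value == cond["equals"].lower()
    return value != cond["notEquals"].lower()

def non_compliant(resources=SAMPLE_RESOURCES, definition=POLICY_DEFINITION):
    """Names the rule fires on; usable as a pre-deployment gate in a pipeline."""
    return [r["name"] for r in resources
            if matches(r, definition["properties"]["policyRule"]["if"])]
```

Note that the account with no `networkAcls` block at all is reported alongside the explicitly open one, which is the case a pre-deployment gate most often catches.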
To use public cloud services at scale, an organization must constantly evolve, adapt and integrate new services based on their internal organizational structures and enterprise architecture standards. This constant evolution can help organizations accelerate their move from pilot projects to production, improve and enhance operational processes and onboard modern application architectures and development techniques, or simplify the architectures of their public cloud environments. Is your organization constantly evolving?