
Book: Practical Microsoft Azure IaaS.pdf


Migrating and Building Scalable and Secure Cloud Solutions
Shijimol Ambi Karthikeyan
Copyright © 2018 by Shijimol Ambi Karthikeyan


 

Contents

Chapter 1: Introduction to Azure IaaS

What’s New in Azure Resource Manager (ARM Model)
Resource Groups
JSON–Based ARM Templates
Role-Based Access Control
IaaS Compute Services
Virtual Machines
DevTest Labs
Features and Provisioning
Secure Storage of Credentials
Configuration and Policies
Storage in IaaS
Unmanaged Disks
Managed Disks
Standard and Premium Storage
VM Disks
General-Purpose v2 Storage
Azure Networking
Default Segmentation Using VNet
Configure Hybrid Connectivity
Routing in VNets
Summary

 

Chapter 2: Compute Migration

Migrating Compute Workloads to Azure
Analyze
Evaluate
Migrate
Physical Servers
Migration Option 1: Upload VHD
Migration Option 2: Azure Site Recovery (ASR)
VMware Virtualization
The Configuration Server
Azure Migrate
Hyper-V Virtualization
Migration Using ASR
Other Platforms
Summary

 

Chapter 3: Storage and Network Migration

Traditional Storage vs Storage in Azure
RAID Configuration
Storage Replication in Azure
Storage Spaces Configuration
Storage for Compute
File Services
Hybrid Storage: StorSimple
Third-Party Solutions
Designing Secure Networks
VLANs and VNets
IPAM, DHCP, and DNS
User-Defined Routing
Network Security Groups
On-Prem vs Azure: Sample Architecture Comparison
Summary

 

Chapter 4: Implement Scalable Infrastructure in Azure

Scale up vs Scale Out
Scale up Azure Virtual Machines
Scale up Using Automation Runbooks
Scale out Using VMSS
Create VMSS
Configure VMSS
Scalability at Storage and Networking Layers
Summary

 

Chapter 5: Design for Resiliency in Azure

Storage Layer Resiliency
Azure Availability Zones
Azure Backup Service for VMs, Files, and Applications
Azure Backup Service Options
Azure Backup Initial Configuration
Azure Site Recovery for IaaS (Preview)
Summary

 

Chapter 6: Design for High Availability in Azure

Availability Sets
Fault Domains and Update Domains
Availability Set Configuration
Load Balancing Client Requests
Azure Load Balancer
Azure Standard Load Balancer
Azure Application Gateway
Azure Traffic Manager
Design Hybrid Connections for HA
Active-Active VPN Configuration
Active-Active Dual Redundancy
Sample Use Case and Implementation
Azure Load Balancer Configuration
Azure Application Gateway Configuration
Azure Traffic Manager Configuration
Summary

 

Chapter 7: Automated Provisioning and Performance Fine-Tuning

Azure ARM Template Deployment
ARM Template: Infrastructure As Code Deployment
Configuration
Build Configuration
Release Configuration
Azure Automation
Infrastructure Configuration Management
Integration with OMS
Performance Metrics Monitoring
Alerts and Auto Remediation
Summary

 

Chapter 8: Practical Azure Security

Azure Resource Access Control
Resource Group Segregation
Role-Based Access Control
Resource Locks
Access Audit
Azure VM Security
Azure Networking Security Boundaries
Forced Tunneling
Storage Security
Protecting Data in Motion
Disk Encryption Using Key Vault
Storage Service Encryption
OMS Security Solutions
Azure Security Center
Summary

 

Chapter 9: Common IaaS Architectures and Implementation Guidelines

Extending On-Premise Active Directory to Azure
Implementation Guidelines
VPN Setup
Configure the Azure VNet for Extending Domain
Network Hub and Spoke Topology
Prerequisites
VNet Peering Configuration
The N-tier Application in Azure
Other Reference Architectures
Multiregion N-tier Application
ExpressRoute with VPN failover
Summary
Index

 

Introduction

Infrastructure as a service (IaaS) is the most common cloud deployment model, and it is most preferred by enterprises adopting a hybrid cloud strategy. This book is designed to be a hands-on guide for organizations planning to adopt Azure IaaS and to migrate their on-premise infrastructure partially or fully to Azure. The important design factors to be considered during this process are explained in this book, starting from assessment, planning, identifying, and mapping services and best practice implementations.
Chapter 1 introduces the basic compute, storage, and networking components in Azure IaaS.
Chapter 2 explores the different options available for migrating compute workloads from on-premise datacenters hosted in physical or virtualization platforms like VMware and Hyper-V.
Chapter 3 covers Azure IaaS storage and network components and configuration scenarios during migration.
Chapter 4 focuses on the different options available to build environments at scale in Azure.
Chapter 5 explains how to build resilient environments in Azure by leveraging various platform components.
Chapter 6 discusses deploying highly available environments in Azure using features and tools such as availability sets, load balancers, and application gateways.
Chapter 7 showcases some of the monitoring and automation tools available in Azure to optimize deployments.
Chapter 8 explains Azure security best practices and provides a walkthrough of the different security configurations at platform level and resource level.
Chapter 9 focuses on sample IaaS architectures and related implementation best practices.

 

Introduction to Azure IaaS

Since the dawn of public clouds, vast pools of compute, storage, and networking resources are now available and at the disposal of users who want to leverage them on a pay-as-you-go basis. The ease of implementation and usage becomes one of the key differentiators for organizations while they select their preferred cloud service provider.
Built on top of reliable Microsoft server and virtualization technologies, Azure accelerates the adoption journey of enterprises, whether they are interested in purely cloud-based environments or in a hybrid setup.
Infrastructure as a service (IaaS) is usually the first step for any organization planning to move from legacy on-premise systems to the cloud. Changing from traditional on-premise design standards to the more evolved and complex Microsoft Azure cloud standards can be daunting for infrastructure architects. Design practicality and adherence to stringent design guidelines should be kept in mind. Selecting the right resource types lays the foundation of an IaaS architecture. This chapter helps with building this foundation and introduces the basic components of Azure IaaS.

 

What’s New in Azure Resource Manager (ARM Model)
There are two deployment models available in Azure: classic and Azure Resource Manager (ARM). The first one was a monolithic deployment model with little or no flexibility to group together or manage resources in a subscription. It followed a flat structure in terms of identity and access management; the co-admin role provided at the subscription level had full access to all resources. The Azure Resource Manager model (ARM) was introduced in 2014 and brought several enhancements over the classic model. Let’s look at some of the key changes introduced with the ARM architecture.

 

Resource Groups
Resource groups are logical containers used to group resources that share the same lifecycle. Entities that were interdependent or related are now managed as a single unit in terms of deployment, access control, and so forth.

 

JSON–Based ARM Templates
JavaScript Object Notation (JSON)–based ARM templates brought in a new revolution in automation. Multitiered applications and their dependencies are easily deployed using ARM templates. The public ARM repository holds templates contributed by the community, as well as Microsoft product teams, which cover most of the common deployment use cases. Where they do not, users can easily tweak the available templates to meet their requirements.

Role-Based Access Control
Role-based access control (RBAC) replaces the flat identity structure of the classic model. RBAC provides fine-grained access control to resources deployed using ARM. The basic roles are owner, contributor, and reader.
The owner role has full access to all resources in the assigned scope; for example, users that are assigned the owner role of the subscription have full access to all resources in the subscription. (You can also give other users access to the subscription.)
The contributor role also has full access at the assigned scope; however, you cannot give other users access to the assigned scope.
The reader role has only read access to resources. Other than the basic roles, there are built-in roles that provide specific access to resources; for example, backup operator and backup reader roles only provide access in the scope of backup services. You can also create your own custom roles if none of the built-in roles meets your requirements.
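
The three basic roles described above, modeled as an added Python example (not code from the book). The role definitions are trimmed from Azure's built-in Owner, Contributor and Reader definitions, and the principals, subscription ID and resource group are constructed; the check shows why a contributor can manage resources but cannot grant access, and that an assignment applies only at and below its scope.

```python
from fnmatch import fnmatchcase

# Assumption: trimmed versions of Azure's built-in role definitions.
# A role allows an operation that matches Actions and matches no NotActions.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

def _matches(patterns, operation):
    """Case-insensitive wildcard match of an operation against patterns."""
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)

def in_scope(assigned_scope, resource_id):
    """An assignment covers its own scope and every child scope below it."""
    a = assigned_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def is_allowed(assignments, principal, operation, resource_id):
    """True if any role assignment of the principal permits the operation."""
    for who, role, scope in assignments:
        if who != principal or not in_scope(scope, resource_id):
            continue
        d = ROLES[role]
        if _matches(d["actions"], operation) and not _matches(d["not_actions"], operation):
            return True
    return False

# Constructed sample data: placeholder subscription ID and names.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
ASSIGNMENTS = [
    ("alice", "Owner", SUB),       # full access, including granting access
    ("bob", "Contributor", RG),    # manages resources in rg-app only
    ("carol", "Reader", RG),       # read-only in rg-app
]
GRANT = "Microsoft.Authorization/roleAssignments/write"
VM_WRITE = "Microsoft.Compute/virtualMachines/write"
VM_READ = "Microsoft.Compute/virtualMachines/read"
```
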

 

IaaS Compute Services

Compute services form the backbone of any infrastructure, whether on-premise or in the cloud. When it comes to hosting environments on-premise, the scalability of compute resources is a major challenge. It is this problem, along with many others, that IaaS is trying to resolve. Microsoft Azure provides a variety of compute offerings that cater to multiple workload types and use cases. Let’s start by learning about the features and use cases of the major Azure IaaS compute components.

 

Virtual Machines
Virtual machines (VMs) are the basic building blocks of Azure IaaS compute. Considering the great number of workloads being migrated to Microsoft Azure, there are many VM instance types or SKUs to choose from.

 

VM Pricing Tiers
Before we take a deep dive into the instance types/SKUs, let’s look at the three VM pricing tiers: basic, standard, and low-priority.

 

Basic Tier
The basic tier VMs are for non-production workloads largely targeting test/dev environments or crash-and-burn scenarios. Although you can put VMs in availability sets, you cannot connect them to a load balancer to ensure high availability. The number of instance types available under this tier is limited. Moreover, these instances do not support SSD-based hard disks for improved disk performance. Typically, organizations getting started with Azure prefer this tier for the initial testing phase, after which they can be upgraded to the standard tier.

 

Standard Tier
The standard tier is for production workloads. It supports all production-ready features, such as load balancing, solid-state drive (SSD) hard disks, and so forth. It also provides a wide variety of VM instance types. The standard tier supports specialized workloads that need memory/CPU/storage intensive VMs or VMs with graphical cards.

 

 
