10 Steps to get started with Azure for partners. #8

#8 Building and securing Virtual Machines

By Christopher Melendez

Deploy and manage compute resources for Azure administrators

Finally, we’re getting to the business end of the 10 steps to get started with Azure for partners. We touched on Azure Migrate earlier, but that was only for customers that are looking to migrate existing workloads into the cloud. What about your customers that are looking for a “greenfield” deployment? Where do you go to spin up their virtual infrastructure? Luckily, building virtual machines (VMs) can be quick and painless. There are a few ways to build out your environment. You can use the Azure portal, or, if you’re more comfortable at the command line or need to deploy at scale, you can go with Azure CLI, Azure PowerShell, or Azure Resource Manager (ARM) templates. Any of these options lets you deploy virtual machines from scratch. The Azure Marketplace also provides virtual machine operating system images that can include SQL Servers, web servers, and application servers. Another option is to deploy a virtual machine from an existing VHD image. This can be a virtual machine that was created on-premises in your Hyper-V environment, or one created in Azure to be used as a template for a large-scale deployment.

Linux on Azure

Azure Virtual Machines are used when customers need more control over their workloads. They provide the Infrastructure as a Service (IaaS) model for on-demand, scalable computing resources. This means you will need to maintain the VM by performing management tasks such as configuring, patching, and installing necessary software. Azure VMs can be provisioned with different operating systems, sizes, and features. Linux is supported in Azure, so you can choose from many distributions available on the market, such as SUSE, Red Hat, Ubuntu, Debian, Docker, FreeBSD, and CentOS, to name a few. It’s no surprise that Microsoft operating systems are also supported. The supported Windows OSs include Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows 10 Pro, and even Windows 7.

Availability options for Azure Virtual Machines

Now that you have your operating system determined, you can think about scaling and resiliency. Virtual machine scaling is accomplished with Azure virtual machine scale sets. This technology provides the means to create and manage a group of load-balanced virtual machines. The VM instance count can automatically increase or decrease depending on load, or on a defined schedule. Scale sets give you the option of high availability for applications, and they provide a control plane to centrally manage, configure, and update a large cluster of VMs. Resiliency in Azure is handled by availability sets and availability zones. An availability set is a logical grouping of VMs. You create the availability set when you’re deploying the virtual machine. It’s recommended that you build out two or more VMs within an availability set to provide a highly available application that meets the 99.95% Azure SLA. Availability sets consist of update domains and fault domains. Update domains are groups of virtual machines and the underlying physical hardware that can be rebooted whenever Microsoft needs to patch the infrastructure. Fault domains define a group of VMs that share a common power source and network switch in a rack. Availability sets protect your infrastructure from rack failures, whereas availability zones protect from datacenter failures.
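To make the update domain / fault domain idea concrete, here is a small placement model, added as an example and not code from the post or from Microsoft. It mimics the round-robin way Azure spreads an availability set’s VMs across fault domains and update domains (the 2 fault domain / 5 update domain defaults and the 3 / 20 limits are Azure’s; the VM counts are constructed) and reports how many VMs are still up after a rack failure or a planned reboot, which is why a single VM in an availability set buys you nothing toward the SLA.

```python
"""Availability set placement model (added example, not from the post or Microsoft)."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

MAX_FAULT_DOMAINS = 3     # Azure limits for an availability set
MAX_UPDATE_DOMAINS = 20


def place_vms(vm_count: int, fault_domains: int = 2,
              update_domains: int = 5) -> List[Tuple[int, int]]:
    """Assign each VM a (fault_domain, update_domain) pair round-robin, the way
    Azure does as VMs are added to an availability set."""
    if not 1 <= fault_domains <= MAX_FAULT_DOMAINS:
        raise ValueError(f"fault domains must be 1-{MAX_FAULT_DOMAINS}")
    if not 1 <= update_domains <= MAX_UPDATE_DOMAINS:
        raise ValueError(f"update domains must be 1-{MAX_UPDATE_DOMAINS}")
    return [(i % fault_domains, i % update_domains) for i in range(vm_count)]


def remaining_after(placement: List[Tuple[int, int]], failed_fd: Optional[int] = None,
                    rebooting_ud: Optional[int] = None) -> int:
    """VMs still running when one rack (fault domain) has failed and/or one
    update domain is being rebooted for platform maintenance."""
    return sum(1 for fd, ud in placement if fd != failed_fd and ud != rebooting_ud)


def worst_case(placement: List[Tuple[int, int]]) -> Dict[str, int]:
    """Fewest VMs left standing for the worst single rack failure and the worst
    single update-domain reboot: the domain carrying the most VMs goes down."""
    n = len(placement)
    fd_load = Counter(fd for fd, _ in placement)
    ud_load = Counter(ud for _, ud in placement)
    return {
        "after_rack_failure": n - max(fd_load.values(), default=0),
        "after_planned_reboot": n - max(ud_load.values(), default=0),
    }


if __name__ == "__main__":
    # Constructed sizes: one lonely VM, the recommended pair, and a set that
    # outgrows the five default update domains.
    for count in (1, 2, 6):
        placement = place_vms(count)
        print(f"{count} VM(s): {placement} -> {worst_case(placement)}")
```

With six VMs and the default five update domains, two VMs share update domain 0, so a platform reboot of that domain takes both down at once; raising the update domain count at creation time is what spreads them out again.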

Sizes for virtual machines in Azure

It’s a good idea to plan and gather the information needed to deploy a virtual environment in Azure. These considerations generally present themselves in the portal or command line options. For example, how will you organize your environment? Will you organize your resource groups by function, such as a web server resource group and a database resource group, or by production and testing environments? Another big decision that needs to be planned out is the virtual network, which we covered in step #7. The most important thing to understand is that you will need a VNet to deploy any virtual machines in your Azure environment. The good thing is that creating a virtual network is part of the virtual machine deployment process: you will either select an existing virtual network or create one during deployment. Keep in mind, as discussed in our previous step, that virtual machines in different subnets under the same VNet can communicate with each other, provided there are no NSG rules specifically blocking it. VNets, however, cannot communicate with each other by default. Also keep in mind connectivity through the VPN Gateway if you do set up a hybrid IT solution.

Implement virtual machine host security in Azure

Another security consideration that can be difficult to implement later is virtual machine disk encryption. This is a very important feature that often gets overlooked, but it could be a deal breaker for customers with compliance demands that require encrypted data at rest. Leveraging Azure Key Vault as the key management solution for your disk encryption can make the process painless. Another security-related feature that could be a huge benefit for your customers is enabling diagnostics logging, implementing an Azure Log Analytics workspace, and integrating it with Azure Security Center, Azure Monitor, and Azure Policy. Adopting these Azure feature sets can give you the visibility and clarity that take your customer’s Azure experience to the next level. Done correctly, implementing these tools can turn your MSP from a reactive shop into a proactive, well-oiled machine.

10 Steps to get started with Azure for partners. #7

#7 Networking in Azure

By Christopher Melendez

Configure and manage virtual networks for Azure administrators

You can imagine how big a topic networking in Azure is. Microsoft does us a favor by breaking Azure networking services into 4 “buckets,” the first being connectivity services. Connectivity services is what I would consider the backbone of networking fundamentals, providing the functionality to connect Azure resources and on-premises resources together. At the heart of it all is Azure Virtual Networks or VNets.

What is Azure Virtual Network?

Azure Virtual Network (VNet) enables many Azure resources, such as virtual machines, to securely communicate with each other. It also provides connectivity to the internet, as well as to on-premises networks. VNets provide a set of services similar to traditional networks, with a network/subnet configuration, but they allow you to scale, and they provide additional availability and isolation compared to traditional datacenter networking. All outbound traffic is allowed by default in Azure VNets. You can assign a public IP address or a public load balancer and implement Network Security Groups, or leverage Azure Firewall, to create rules allowing inbound traffic to a resource.

Virtual network peering

There are other services, some of which we’ve already covered in our 10 steps, like Azure Virtual WAN, ExpressRoute, and VPN Gateway, but there’s also the VNet Peering service. By default, VNet-to-VNet traffic is blocked, but subnets under the same VNet can communicate freely. VNet Peering provides the ability to connect virtual networks together, enabling Azure resources in either VNet to communicate with each other. This provides the ability to transfer data between VNets across Azure subscriptions, Azure Active Directory tenants, deployment models, and Azure regions.

Architect network infrastructure in Azure

Network Security Groups

Application protection services is the second “bucket” Microsoft provides. It includes services like DDoS Protection, Azure Firewall, Network Security Groups, and Web Application Firewall, to name a few. These services allow you to protect your applications and workloads using a combination of services. Network Security Groups (NSGs) are like access control lists (ACLs): they can contain multiple inbound and outbound security rules that filter traffic to and from resources by source and destination IP address, port, and protocol. They can be applied to subnets and virtual network interface cards. Azure Firewall is a network security service that provides a single location for you to manage and apply all your NSGs.
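The following Python model, added here as an example and not code from the post or from Microsoft, evaluates a simplified NSG the way Azure does: rules are checked in priority order (lowest number first) and the first match wins, with Azure’s default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound and DenyAllInBound, plus their outbound counterparts, at priorities 65000, 65001 and 65500) always sitting behind your own. The VNet address space, the sample rules and the traffic tuples are constructed, and the Internet tag is simplified to “anything outside the VNet”. It shows the behaviours described above: outbound traffic allowed by default, subnets in the same VNet able to talk unless a custom rule denies it, and inbound from the Internet dropped unless a rule opens it.

```python
"""Simplified Azure NSG rule evaluation (added example, not from the post or Microsoft)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Constructed VNet address space; the VirtualNetwork tag resolves to it.
VNET_PREFIXES = ["10.0.0.0/16"]
AZURE_LB_PROBE_IP = "168.63.129.16"   # Azure's load balancer / health probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # custom rules 100-4096, defaults 65000+; lower number wins
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str = "*"    # "*", "Tcp" or "Udp"
    source: str = "*"      # CIDR, single IP, "*" or a service tag
    dest: str = "*"
    dest_ports: str = "*"  # "*", "443" or "1000-2000"


# Azure's default rules: present in every NSG, overridden only by a custom
# rule with a lower (higher-precedence) priority number.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", source="VirtualNetwork", dest="VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", source="AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", source="VirtualNetwork", dest="VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", dest="Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]


def _in_vnet(addr: str) -> bool:
    return any(ip_address(addr) in ip_network(p) for p in VNET_PREFIXES)


def _addr_matches(spec: str, addr: str) -> bool:
    """Match an address against '*', a (simplified) service tag, an IP or a CIDR."""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return _in_vnet(addr)
    if spec == "Internet":            # simplified: anything outside the VNet
        return not _in_vnet(addr)
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE_IP
    return ip_address(addr) in ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules: List[Rule], direction: str, src: str, dst: str,
             port: int, proto: str = "Tcp") -> Rule:
    """Return the first matching rule in priority order; the DenyAll default
    guarantees that something always matches."""
    ordered = sorted((r for r in rules + DEFAULT_RULES if r.direction == direction),
                     key=lambda r: r.priority)
    for r in ordered:
        if ((r.protocol == "*" or r.protocol.lower() == proto.lower())
                and _addr_matches(r.source, src)
                and _addr_matches(r.dest, dst)
                and _port_matches(r.dest_ports, port)):
            return r
    raise RuntimeError("unreachable: a DenyAll default rule always matches")


def is_allowed(rules: List[Rule], direction: str, src: str, dst: str,
               port: int, proto: str = "Tcp") -> bool:
    return evaluate(rules, direction, src, dst, port, proto).access == "Allow"


# Constructed NSG for a web subnet: open HTTPS from the Internet, and block SSH
# from a test subnet that sits in the same VNet (overrides AllowVnetInBound).
WEB_NSG = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "443"),
    Rule("DenySshFromTestSubnet", 200, "Inbound", "Deny", "Tcp", "10.0.2.0/24", "*", "22"),
]

if __name__ == "__main__":
    for direction, src, dst, port in [("Inbound", "198.51.100.7", "10.0.1.4", 443),
                                      ("Inbound", "198.51.100.7", "10.0.1.4", 22),
                                      ("Inbound", "10.0.2.9", "10.0.1.4", 22),
                                      ("Inbound", "10.0.2.9", "10.0.1.4", 8080),
                                      ("Outbound", "10.0.1.4", "198.51.100.7", 443)]:
        rule = evaluate(WEB_NSG, direction, src, dst, port)
        print(f"{direction:8} {src:>14} -> {dst}:{port:<5} {rule.access:5} via {rule.name}")
```

Note the ordering consequence: the SSH deny only works against the test subnet because its priority number (200) is lower than AllowVnetInBound (65000); a custom rule numbered above 65000 is impossible, so anything you want to override in the defaults has to sit in the custom range.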

What is Azure Front Door?

Application delivery services are the features that help you deliver applications in Azure networks. They include Content Delivery Network (CDN), Azure Front Door Service, Traffic Manager, Application Gateway, Load Balancer, and Internet Analyzer. Azure Front Door Service provides the platform to define, manage, and monitor the global routing for your web traffic. It optimizes for the best network performance and provides instant global failover to achieve high availability. Implementing Front Door allows you to transform an application into a robust, enterprise-grade, high-performing modern application that can reach a global audience.

What is Azure Network Watcher?

The last group of networking services is network monitoring. As the name suggests, these features provide the platform to monitor your network resources using any combination of services such as Network Watcher, ExpressRoute Monitor, Azure Monitor, or VNet Terminal Access Point (TAP). Network Watcher is definitely a good tool for partners that are going to market with Azure. It provides tools to monitor, diagnose, view metrics, and enable or disable logging for resources in an Azure VNet. Network Watcher was designed to monitor and repair the network health of IaaS workloads, but it’s not intended for PaaS monitoring or web analytics.

Plan virtual networks

10 Steps to get started with Azure for partners. #6

#6 Active Directory

By Christopher Melendez

Compare Active Directory to Azure Active Directory

We touched on Azure AD earlier while discussing RBAC, Custom Domains, and extending Active Directory identities into the Cloud. Now we must take a deeper look at the different types of Active Directory to understand what they offer. Active Directory is a huge topic to tackle and identity is now at the forefront of almost all security conversations, so I’m just going to touch on some of the most important concepts. 

The 3 “flavors” of Active Directory are self-managed Active Directory Domain Services (AD DS), Azure Active Directory (Azure AD), and Azure Active Directory Domain Services (Azure AD DS).  Even though the names are very similar, they are designed with different organizational needs in mind.

Active Directory Domain Services

Active Directory Domain Services Overview

Deploy and manage Azure IaaS Active Directory domain controllers in Azure

Self-managed Active Directory Domain Services is your traditional Windows Server that you’ve had lying around your server closet for years. It provides services including domain join, Group Policy, LDAP, NTLM/Kerberos authentication, and trusts. Active Directory stores information about user accounts, computer accounts, passwords, and even email details. The directory, also referred to as a data store, contains information about all the objects that exist in the schema. Some of these objects include resources on file servers, printers, and line-of-business applications.

Azure Active Directory

What is Azure Active Directory?

Manage identity and access in Azure Active Directory

Azure Active Directory (Azure AD) is the Cloud-based identity platform that provides the authentication services for the Microsoft SaaS suite including Office 365 and the Azure portal. The platform also provides mobile device management and resource management leveraging features like Conditional Access and Azure AD device join.  Azure Active Directory does not provide the traditional services of LDAP, NTLM / Kerberos, group policy, Sites and Services, etc. Although it provides device identity with Azure AD Device Join, Azure Active Directory does not include server domain join capabilities.

Azure Active Directory Domain Services

What is Azure Active Directory Domain Services?

Tutorial: Create and configure an Azure Active Directory Domain Services managed domain

Azure Active Directory Domain Services (Azure AD DS) is a PaaS version of the original AD DS. It provides a managed domain services offering with a subset of the traditional AD DS features. Like the original self-managed Active Directory Domain Services, Azure AD DS includes features like domain join, Group Policy, LDAP, and Kerberos/NTLM authentication, but it does not provide a full domain forest hierarchy. Azure AD Domain Services is not an extension of your existing on-premises domain/forest infrastructure. It provides synchronization of on-premises infrastructure leveraging a one-way outbound forest trust model. When Azure AD DS is deployed, Microsoft creates two virtual machines in a replica set for resiliency. The two virtual machines are managed by Microsoft, so there is no need to worry about patching and monitoring of the infrastructure and OS.

Azure AD Connect

Define a hybrid identity adoption strategy

Both Azure Active Directory Domain Services (Azure AD DS) and traditional Active Directory Domain Services (AD DS) can integrate with Azure AD using Azure AD Connect. Azure AD Connect is a tool, installed on a virtual machine, that handles all the operations related to synchronization of identity data between your existing on-premises domain controller environment and Azure AD. This type of deployment is referred to as hybrid identity. Hybrid IT is a mixture of on-premises and cloud workloads. Traditionally, users would only access workloads on-premises, but things have changed and users now access applications both on and off premises. Managing users in these scenarios presents challenges, so Microsoft’s solution was to create a common user identity for authentication and authorization to all resources, regardless of location. This type of technology is known as single sign-on, or SSO for short.

Comparison

Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services

I would have to say the biggest takeaways are these: if your customer is going to be born in the cloud or is looking for 100% Microsoft cloud adoption with minimal IaaS, Azure AD with Azure AD DS for virtual machine and mobile device join is probably the best solution for you. If you’re working with a customer that has an existing on-premises or datacenter environment and probably won’t ever fully deprecate it, extending Active Directory with a traditional self-managed virtual machine promoted to a domain controller could be your best option. I also try to keep growth in mind: it would add complexity if your customer had to go through a large M&A and were limited to one-way outbound forest trusts. This is something that might be easier to overcome if it’s a small Azure footprint.

10 Steps to get started with Azure for partners. #5

#5 VPN with Azure

By Christopher Melendez

What is Azure Virtual WAN?

Now that we know what our migration strategy is for our customer, what about connectivity to existing workloads that just aren’t cloud ready and need to stay on-premises?  What about extending their existing Active Directory?  What if your customer’s end users located at the corporate office need to access data that has been migrated to Azure?  What if your customer has multiple sites that all need to connect to their data that will now be living in Azure?  The solution for this is setting up a site-to-site VPN between your end users and Azure. 

Hybrid connectivity

What is Azure VPN Gateway?

Site-to-site VPN tunnels can be created in Azure using two methods. One option is a VPN gateway. A VPN gateway is a virtual network gateway that can send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. They can also be used to encrypt traffic between two Azure VNets, but that’s outside the scope of your on-ramp into Azure. The second option to create a site-to-site VPN is by using Azure Virtual WAN. Azure Virtual WAN differs from the standard VPN gateway because it’s a networking service that combines several networking, security, and routing functions in a single UI. Some of the features include branch connectivity (via Virtual WAN partner devices such as SD-WAN or VPN CPE), site-to-site VPN connectivity, remote user VPN (point-to-site) connectivity, private (ExpressRoute) connectivity, Azure Firewall, and encryption for private connectivity.

Azure VPN Gateway Topology

Tutorial: Create a Site-to-Site connection in the Azure portal

When deploying a virtual network gateway, the Azure platform deploys two or more VMs to a subnet that you create called the gateway subnet. The virtual network gateway VMs hold the routing tables and run the gateway services. The process of deploying a site-to-site VPN also includes configuring your local network gateway as well as the connection between those two points in Azure. The local network gateway represents the device that will terminate the VPN in your on-premises environment. Customers generally go with hardware firewalls or VPN devices. Microsoft provides configuration templates for some of the industry leaders in that space. This will speed up your configuration of hardware devices and allow you to turn up these connections with minimal effort.

Azure Virtual WAN Topology

Tutorial: Create a Site-to-Site connection using Azure Virtual WAN

The Virtual WAN architecture is different from the VPN gateway. Virtual WAN is a hub-and-spoke design with scale and performance included for branches (VPN/SD-WAN devices), users (Azure VPN/OpenVPN/IKEv2 clients), ExpressRoute clients, and virtual networks. Azure Virtual WAN (AVW) enables a global transit network architecture by leveraging a cloud-hosted network ‘hub’ that enables transitive connectivity between endpoints that may be distributed across ‘spokes’ of different types. One of the best features of Azure Virtual WAN is that you don’t have to build out all of these use cases to start using it: you can get started with just one business case and then adjust as your network evolves.

Virtual WAN partners and virtual hub locations

Introduction to Azure Virtual WAN site with NetFoundry

Partners and customers aren’t locked into using Microsoft Azure features for CPE; they can leverage third-party virtual network appliances such as Fortinet, Palo Alto, or NetFoundry. Some of these vendors’ products can be purchased directly from the Azure Marketplace but require customers to bring their own license (BYOL). When leveraging a third-party security device for VPN or SD-WAN termination, the device is considered an NVA, or Network Virtual Appliance. For Azure Virtual WAN spoke connectivity with SD-WAN/VPN devices, companies can either set it up manually using Microsoft native services or use the Virtual WAN CPE (SD-WAN/VPN) partner solution to set up connectivity to Azure. Microsoft provides a list of partners that support connectivity automation, which is the ability to export the device info into Azure, download the Azure config, and then establish connectivity with AVW.

Tutorial: Create an ExpressRoute association using Azure Virtual WAN

Lastly, I mentioned Azure ExpressRoute earlier. ExpressRoute is a dedicated connection between your datacenter or on-premises network and Azure. It provides a better experience than VPN because it’s not going over the Internet. This type of connectivity is suggested for larger Azure deployments where a lot of traffic is expected to traverse the link daily and there is little tolerance for latency and poor performance for end users or applications that communicate with other dependencies.

10 Steps to get started with Azure for partners. #4

#4 Azure Migrate

By Christopher Melendez

Prepare VMware VMs for assessment and migration to Azure

Next, we’re going to start thinking about what your customer needs. Where are they in their journey into the world of public cloud with Microsoft Azure? Are they looking to be “born in the cloud,” or are they looking to migrate their existing on-premises workloads? This step focuses on the latter. Azure Migrate is a great first step into the world of migrating existing workloads from your customer’s premises or datacenter environments. In some cases, migrations can occur from one public cloud to another as well.

Discovery

Assess VMware VMs for migration to Azure VMs

Azure Migrate is a free tool from Microsoft that provides a central hub to assess and migrate on-premises services, infrastructure, applications, and most importantly your data, into Azure. It performs discovery, assessment, and migration of environments including VMware, Hyper-V, bare metal servers, and AWS/GCP instances. Azure Migrate provides its own tools for assessment and migration, but it also works with third-party software vendor offerings such as Cloudamize, Corent, and Turbonomic.

Assessment

Migrate VMware VMs to Azure

If you’re an MSP that is focusing only on Azure, Azure Migrate could be the perfect tool for you. If you’re an MSP that is considering supporting other public clouds, a third-party tool that lets you target other clouds may be a better option. Some of the major features that make Azure Migrate a good option include its unified platform, or “single pane of glass”: a single portal that allows you to start, run, and track your migration. Also, the range of tools that are included, as well as the integration and partnership with third-party vendors. The assessment and migration feature set allows you to perform those actions on servers, databases, web applications, virtual desktops, and large amounts of data with Azure Data Box.

Migration

Azure Learn – Migrate application workloads and data to Azure

10 Steps to get started with Azure for partners. #3

#3 Custom Domain

By Christopher Melendez

Add your custom domain name

So, I added this one to the list because I feel it’s something that can be easily overlooked or misunderstood, but it’s one of the first things you’ll need to think about and configure before you move workloads to the Azure platform.

When a new tenant is created in Microsoft Azure, Microsoft creates a domain with the “.onmicrosoft.com” domain name by default. This probably won’t align with your customer’s existing domain name: they are probably looking for something like contoso.com, not contoso.onmicrosoft.com. This can be resolved through the Custom Domain feature under the Azure AD blade in the Azure portal. If your customer doesn’t have a domain name already, you’ll first need to purchase a public domain name for them. You will then be able to bind your customer’s domain name to your new Azure AD tenant. If they already have an existing domain name, the next step would be to configure the custom domain in the Azure portal.

Once you have entered that information in the Azure portal, Azure will provide you with TXT and MX records that you will use to update your public Domain Registrar.

The last step is to verify your custom domain is properly registered and is valid in Azure AD. This step is performed in the Azure portal. Once your custom domain name is verified, you have confirmed that your customer’s Azure Tenant is in line with the rest of their domain naming convention.
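The verification step above fails most often for boring DNS reasons: the TXT record landed on a subdomain instead of the apex, a token from a different tenant is still in place, or the record simply has not propagated yet. The checker below, added here as an example and not part of the original post or of Microsoft’s tooling, takes the TXT records a resolver would return (constructed inline here, as is the MS=ms12345678 token) and reports which of those cases applies before you click Verify. It models the TXT route only; the MX alternative the post mentions is not covered.

```python
"""Pre-check for the Azure AD custom domain TXT record (added example)."""
from typing import Dict, List, Tuple


def _normalize(value: str) -> str:
    # Resolvers often hand back TXT strings wrapped in quotes; the token is case-insensitive.
    return value.strip().strip('"').strip().lower()


def check_domain_verification(domain: str, expected_token: str,
                              txt_records: Dict[str, List[str]]) -> Tuple[bool, str]:
    """Return (verified, reason).

    domain:         the custom domain being added, e.g. contoso.com
    expected_token: the value the portal showed, of the form MS=ms<digits>
    txt_records:    record name -> TXT strings, as a resolver would return them
    """
    apex = domain.rstrip(".").lower()
    want = _normalize(expected_token)
    at_apex = [_normalize(v) for v in txt_records.get(apex, [])]
    if want in at_apex:
        return True, f"found {expected_token} at {apex}"
    # Common mistake: the record was created on a host under the domain, not at the apex.
    misplaced = [name for name, vals in txt_records.items()
                 if name != apex and name.endswith("." + apex)
                 and want in map(_normalize, vals)]
    if misplaced:
        return False, f"token present at {', '.join(misplaced)} but Azure AD checks {apex}"
    # A leftover token from another tenant will never verify this one.
    other = [v for v in at_apex if v.startswith("ms=")]
    if other:
        return False, f"{apex} has a different MS= token ({other[0]}); use the value from this tenant"
    return False, f"no MS= TXT record at {apex} (DNS may not have propagated yet)"


# Constructed zone data standing in for a resolver's answers.
CONSTRUCTED_ZONE = {
    "contoso.com": ['"v=spf1 include:spf.protection.outlook.com -all"', '"MS=ms12345678"'],
    "mail.contoso.com": ['"MS=ms99999999"'],
}

if __name__ == "__main__":
    for domain, token in [("contoso.com", "MS=ms12345678"),
                          ("contoso.com", "MS=ms99999999"),
                          ("contoso.com", "MS=ms00000000"),
                          ("fabrikam.com", "MS=ms12345678")]:
        ok, why = check_domain_verification(domain, token, CONSTRUCTED_ZONE)
        print(f"{domain:12} {token}: {'OK ' if ok else 'NO '} {why}")
```

To use it against live DNS you would fill the dictionary from your resolver of choice (for example a TXT query per name); the decision logic stays the same.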

10 Steps to get started with Azure for partners. #2

#2 Azure Lighthouse

By Christopher Melendez

Use Azure Lighthouse for your managed service business to manage your customers at scale

Next up on the list of the 10 steps to get started with Azure for partners is Azure Lighthouse. So, you’re an MSP and have your subscription set up with your RBAC roles and role assignments configured accordingly; now what? Azure Lighthouse is a Microsoft Azure native solution that gives Managed Service Providers the ability to manage resources in their customers’ tenants without the need for each customer to create dedicated user accounts in their own Azure Active Directory tenant. This feature allows MSPs to perform management tasks on behalf of their customers without having to sign into each customer tenant individually.

Onboard a customer to Azure Lighthouse

Delegated resource management is the feature that allows resources from one tenant to be logically projected onto another tenant. Some of the benefits of Azure Lighthouse are management at scale, which is the ability to take actions on groups of customers at one time with tools like Azure Automation or Azure Policy. Another benefit is providing that single pane of glass to view all your customers in one location. Greater visibility for customers through Lighthouse lets them audit the provider’s actions in the Activity Log. Lighthouse also improves governance by allowing customers better control over the scope of permissions. There are no additional costs for Azure Lighthouse, so MSPs do not have to worry about it cutting into their margin.

Azure built-in roles

Azure Lighthouse can be deployed in two ways. The first method involves deploying Azure Resource Manager templates into the customer’s tenant. These templates are created by the Managed Service Provider. They contain information such as offer name, description, and delegated permissions. The second method to onboard new customers is leveraging Microsoft Partner Center to publish your service offering in the Azure Marketplace. This allows you to publish your offering either publicly to grow your business, or privately to set up existing customers. This deployment model improves the experience for both parties, allowing MSPs to cast a wider net, and customers to accept service provider offers with the click of a button.

Create a Managed Service offer

Azure Cost Management + Billing, Azure Security Center, and Azure Advisor – An intro to managing Azure spend and security hygiene.

If you’ve been in the industry for a while you are probably already familiar with the traditional IT billing model. A company purchases all its hardware and possibly its software from a major vendor or distributor. They would reference their monthly bill from the vendor or reseller and would generally be able to predict what costs would be in the future, due to IT departments’ typically slow-moving purchasing process and most of the costs being CapEx. Since the advent of the public cloud, this model has changed significantly.

Get started with Azure Cost Management for partners

IT departments that are migrating to the cloud no longer have huge upfront capital expenditures and are now adopting a metered service model. Coupled with speed to market and the ability to purchase new workloads instantly, these changes make managing budgets and keeping track of spend a whole new ball game. This is where tools like Azure Cost Management + Billing come in. Azure Cost Management + Billing is a free tool built into the Azure portal. It is your single source of truth when it comes to Azure spend.

Azure Cost Management + Billing, or ACM for short, provides visibility into where your Azure costs are going. How will you be able to control, predict, and optimize your spend if you don’t understand where these costs originate? Leveraging ACM’s cost analysis allows you to view accumulated costs at different billing account scopes, at the subscription level, or even at the resource group level. You will then understand where your costs occur over time, helping you see spending trends. You can see historical breakdowns of Azure spend filtered by tags, meter, location, or customer. You will be able to see what services you are spending money on, track it against a budget, and predict with a forecast. You can set alerts based on those budgets, as well as export scheduled reports to analyze costs leveraging tools like Power BI.

This information allows you to obtain a deeper understanding of where your Azure deployments may be inefficient from a cost perspective.  In addition to ACM, using Azure Security Center and Azure Advisor provides a larger picture of your costs, security hygiene, performance, and reliability.  Azure Advisor is a great place to start when you are looking to optimize spend and governance in your Azure environment.

Quickstart: Explore and analyze costs with cost analysis

I put this blog together to cover these topics in a little more detail and provide a visual demonstration for hands-on exposure. I touch on Azure Cost Management + Billing, Azure Advisor, and Azure Security Center. These three features provide most of the functionality you’ll see on some of the major 3rd-party cloud spend tools out on the market. I hope this information helps you stay on top of your Azure spend, making IT more efficient, as well as making your CFO happy. 

10 Steps to get started with Azure for partners. #1

#1 Azure role-based access control (RBAC)

By Christopher Melendez

Starting a business can be a daunting task, never mind building a business on bleeding edge technology.  Managed Service Providers are unique in the aspect that their businesses are built on technology that is not yet widely adopted as a culture.  This can be a problem with finding skilled workers that are knowledgeable in the platform, as well as finding good resources to help architect your practice and build good operational habits.  With all this in mind, I felt it would be of help to come up with a starting point for any brave souls looking to go to market with Microsoft Azure.  So, here’s my list of the first 10 steps or concepts you should be thinking about, once you’ve procured your Azure CSP subscription.  This article goes over the concepts at high-level, so I’ve provided links to labs and documents that will help you begin your journey on the right step.

Manage access to your Azure Subscription with RBAC

The first thing that is critical when deploying and operating an Azure environment is identity management and governance. Identity management is the creation and deletion of identities and the granting and removing of permissions to Azure resources. These Azure resources will be deployed into your Azure subscription leveraging the Microsoft Azure portal. Each Azure subscription is tied to a single Azure AD directory. Users, groups, and applications that are granted the appropriate permissions can manage resources in that subscription. Azure AD is the identity provider for this subscription and provides single sign-on (SSO) and access management. Azure resources and Azure Active Directory have independent permissions. Azure role-based access control (RBAC) roles are used to manage access to Azure resources like virtual machines and storage. Azure AD roles are used to manage Azure AD resources, such as users, groups, and passwords.

Role-based access control (RBAC) provides the access management needed to adjust permissions to Azure resources with granularity. This allows you to grant exactly the access needed for a user to perform their business functions. For an MSP, this could mean delegating access to a group of users to manage Azure Virtual Machines across 5 different subscriptions, while another group of users cannot manage VMs but can view all Cost Management and Billing data. Azure provides a lot of built-in roles, and you can create custom roles if needed. Four of the built-in roles are Owner, Contributor, Reader, and Billing Administrator.

Some of the main terms that you’ll have to become very familiar with are scope, security principal, role definition, and role assignment. The scope is the level at which you’re granting the access. It could be at the subscription level, where you’re granting access to all resources under the subscription, or at the specific resource level, say a storage account. A security principal is a fancy term for the user, group, or application that you want to grant the permissions to. A role definition is the collection of permissions that you will be granting to the user. A role, for short, can consist of read, write, and delete permissions; roles can also be higher level, like Owner, or more granular, like Billing Reader. The combination of the role definition and the security principal is the role assignment. It’s the actual process of binding the permissions to the user, group, or application.
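The four terms fit together more clearly when you can run them. The Python below is an added example, not code from the post or from Microsoft: it models a security principal (user or group), a role definition with Azure’s Actions/NotActions wildcard semantics, a role assignment at a scope, and the downward inheritance of assignments from subscription to resource group to resource. The role contents are simplified subsets of the real built-in roles, and the subscription IDs, groups and users are constructed placeholders. It reproduces the MSP scenario above: one group manages VMs across two subscriptions, another can only read cost data, and a single user has Reader on one resource group.

```python
"""Azure RBAC evaluation model: scope, principal, role definition, role assignment.
Added example; role contents are simplified subsets of the real built-in roles."""
import fnmatch
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: Tuple[str, ...]
    not_actions: Tuple[str, ...] = ()

    def permits(self, action: str) -> bool:
        """An action is granted if it matches Actions and is not excluded by
        NotActions. NotActions only narrows this role; it is not a deny that
        overrides what another assignment grants."""
        act = action.lower()
        hit = any(fnmatch.fnmatchcase(act, a.lower()) for a in self.actions)
        excluded = any(fnmatch.fnmatchcase(act, n.lower()) for n in self.not_actions)
        return hit and not excluded


OWNER = RoleDefinition("Owner", ("*",))
CONTRIBUTOR = RoleDefinition("Contributor", ("*",), (
    "Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/elevateAccess/Action"))
READER = RoleDefinition("Reader", ("*/read",))
BILLING_READER = RoleDefinition("Billing Reader", (            # subset of the real role
    "Microsoft.Billing/*/read", "Microsoft.Consumption/*/read", "Microsoft.CostManagement/*/read"))
VM_CONTRIBUTOR = RoleDefinition("Virtual Machine Contributor", (  # subset of the real role
    "Microsoft.Compute/virtualMachines/*", "Microsoft.Compute/availabilitySets/*",
    "Microsoft.Network/networkInterfaces/*"))


@dataclass(frozen=True)
class RoleAssignment:
    principal: str        # security principal: user, group or application
    role: RoleDefinition  # role definition
    scope: str            # subscription, resource group or single resource


def _covers(assignment_scope: str, target_scope: str) -> bool:
    """Assignments are inherited downward: a subscription-level assignment
    applies to every resource group and resource underneath it."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def is_authorized(assignments: Iterable[RoleAssignment], principal: str,
                  groups: Iterable[str], action: str, scope: str) -> bool:
    ids = {principal, *groups}
    return any(ra.principal in ids and _covers(ra.scope, scope) and ra.role.permits(action)
               for ra in assignments)


def roles_at(assignments: Iterable[RoleAssignment], principal: str,
             groups: Iterable[str], scope: str) -> List[str]:
    ids = {principal, *groups}
    return sorted({ra.role.name for ra in assignments
                   if ra.principal in ids and _covers(ra.scope, scope)})


# Constructed tenant: placeholder subscription IDs, two groups, one user.
SUB_A = "/subscriptions/11111111-1111-1111-1111-111111111111"
SUB_B = "/subscriptions/22222222-2222-2222-2222-222222222222"
RG_WEB = SUB_A + "/resourceGroups/rg-web"
VM_WEB = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/web01"
VM_DB = SUB_A + "/resourceGroups/rg-db/providers/Microsoft.Compute/virtualMachines/db01"

ASSIGNMENTS = [
    RoleAssignment("grp-vm-operators", VM_CONTRIBUTOR, SUB_A),  # VM admins across subscriptions...
    RoleAssignment("grp-vm-operators", VM_CONTRIBUTOR, SUB_B),
    RoleAssignment("grp-finance", BILLING_READER, SUB_A),       # ...finance only sees costs
    RoleAssignment("alice@contoso.com", READER, RG_WEB),        # one user, one resource group
]

if __name__ == "__main__":
    checks = [
        ("bob@contoso.com", ["grp-vm-operators"], "Microsoft.Compute/virtualMachines/restart/action", VM_WEB),
        ("bob@contoso.com", ["grp-vm-operators"], "Microsoft.Storage/storageAccounts/delete", VM_WEB),
        ("carol@contoso.com", ["grp-finance"], "Microsoft.Consumption/usageDetails/read", SUB_A),
        ("alice@contoso.com", [], "Microsoft.Compute/virtualMachines/read", VM_DB),
    ]
    for who, groups, action, scope in checks:
        print(f"{who:18} {action:50} {is_authorized(ASSIGNMENTS, who, groups, action, scope)}")
```

Two details worth noticing in the output: Alice’s Reader assignment on rg-web says nothing about db01 in rg-db, because scope is a prefix match on the resource path, and Contributor cannot create role assignments even though its Actions list is `*`, because NotActions carves those Microsoft.Authorization write operations back out.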