4/6/2019 1:27 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
BRK2069: Best Practices to build, deploy and manage solutions on Azure
FastTrack for Azure: Move to the cloud with confidence
Quickly Build Solutions | Successfully Deploy to Production | Achieve Business Objectives
Benefits:
- Direct assistance from Azure engineers
- Hand-in-hand with partners
- Best practices and tools from real customer experiences
Key Phases:
- Plan: Develop a vision and plan for the customer-specific need
- Test: Set up the Azure platform and a proof-of-concept
- Use: Deploy Azure solutions in production
Azure.com/FastTrack
Session Objectives and Takeaways
- Know what questions to ask
- Understand key elements around governance
- How to set up an environment through a methodical process
Setting the Stage
Considerations for Typical LOB Applications
An LOB application is a set of servers that performs some sort of meaningful business or IT function.
Reference diagram (image not preserved): a Virtual Network containing a web front end in an Availability Set behind an Azure load balancer; a SQL Server Always On Availability Group with a majority node; a distributed cache; application and search tiers; a VPN Gateway; a management subnet with a jumpbox; an AD DS server subnet running Windows Server Active Directory, protected by an NSG; and an AD DS trust relationship to the AD server on the on-premises network.
Considerations for Typical LOB Applications
1. Vendor Considerations: Topology, Minimum Requirements, Vendor Supportability
2. Business Considerations: Availability, Reliability, Performance, Durability, Regulatory/Compliance, Cost
3. IT Considerations: Recoverability, Scalability, Ease in Deployment, Integration, Accountability, Security, Long-term sustainment, Manageability, Accrued Technical Debt
Design Steps
Major Design Steps
1. Azure Governance
2. Naming Convention
3. Resource Groups
4. Connectivity
5. Storage
6. Identity
7. Security
8. Virtual Machines
1 | Azure Governance Considerations
Azure Scaffold (core elements): Azure Policy & Audit, Naming Standards, Account/Enterprise Agreement, Resource Tags, Resource Groups, Role-Based Access Control, Resource Locks, Azure Automation, Azure Security Center
Considerations: Cost, Accountability, Security, Manageability, Compliance, Flexibility
Subscription Considerations
Considerations: Cost, Accountability, Security, Manageability, Compliance, Flexibility
Subscription patterns:
- The functional pattern
- The business unit pattern
- The geographic pattern
Subscription management
2 | Naming Conventions
Recommendation: Use only the metadata required to identify WHAT an object is, WHERE it is located and what its ROLE is.
Examples:
- vm-uat-iis-23
- vm-prod-ad-04
- vnet-prod-mel-core
- vnet-prod-syd-shared
Remember that some resource types, such as Storage Accounts, need to be globally unique and URL-safe (lowercase letters and digits only, 3-24 characters), which may break your naming standard.
Avoid creating verbose documentation on every resource or you will find yourself constantly updating/creating documentation.
Considerations: Accountability, Flexibility, Manageability
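To make the convention above checkable rather than a wiki page, here is an added example (not code from the deck or from Microsoft) that builds names in the slide's kind-env[-location]-role[-nn] shape and rejects ones that break the per-type rules. The prefix table, field order and regular expressions are this example's own assumptions; the storage-account limits (3-24 characters, lowercase letters and digits only) are Azure's documented rules.

```python
"""Naming-convention helper: build and validate Azure resource names.

Added example, not from the BRK2069 deck. It encodes the three facts the
slide says a name should carry (WHAT the object is, WHERE it lives, and
its ROLE) and checks the result against per-type constraints. The storage
account limits (3-24 characters, lowercase letters and digits only,
globally unique) are Azure's documented rules; the prefixes, field order
and regexes are this example's own convention, not a Microsoft standard.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# resource kind -> (pattern the finished name must match, max length)
RULES: Dict[str, Tuple[str, int]] = {
    "vm":   (r"^vm-[a-z]+(-[a-z]+)?-[a-z0-9]+-\d{2}$", 64),   # kind-env[-loc]-role-nn
    "vnet": (r"^vnet-[a-z]+-[a-z]+-[a-z]+$", 64),            # kind-env-loc-role
    "nsg":  (r"^nsg-[a-z]+-[a-z]+-[a-z0-9]+$", 80),           # kind-env-loc-role
    "st":   (r"^[a-z0-9]{3,24}$", 24),                        # storage account: no hyphens
}


def validate(kind: str, name: str) -> str:
    """Raise ValueError if `name` breaks the rule for `kind`; return it otherwise."""
    pattern, max_len = RULES[kind]
    if len(name) > max_len:
        raise ValueError(f"{name!r} is {len(name)} chars; {kind} allows at most {max_len}")
    if not re.fullmatch(pattern, name):
        raise ValueError(f"{name!r} does not match the {kind} pattern {pattern}")
    return name


def build_name(kind: str, env: str, role: str, instance: Optional[int] = None,
               location: Optional[str] = None) -> str:
    """Compose kind-env[-location]-role[-nn] and validate it.

    Storage accounts cannot contain hyphens, so for kind "st" the joined
    name is collapsed to the DNS-safe alphabet before validation; that is
    where an otherwise tidy convention most often breaks (on length).
    """
    parts: List[str] = [kind, env]
    if location:
        parts.append(location)
    parts.append(role)
    if instance is not None:
        parts.append(f"{instance:02d}")
    name = "-".join(p.lower() for p in parts)
    if kind == "st":
        name = re.sub(r"[^a-z0-9]", "", name)
    return validate(kind, name)


def find_collisions(names: List[str]) -> List[str]:
    """Names used more than once in a plan (global uniqueness of storage
    accounts still has to be checked against Azure itself)."""
    return sorted(n for n, c in Counter(names).items() if c > 1)


if __name__ == "__main__":
    plan = [
        build_name("vm", "uat", "iis", 23),                      # vm-uat-iis-23
        build_name("vm", "prod", "ad", 4),                       # vm-prod-ad-04
        build_name("vnet", "prod", "core", location="mel"),      # vnet-prod-mel-core
        build_name("vnet", "prod", "shared", location="syd"),    # vnet-prod-syd-shared
        build_name("st", "prod", "data", location="syd"),        # stprodsyddata
    ]
    print("\n".join(plan), "collisions:", find_collisions(plan))
    try:
        build_name("st", "production", "diagnosticslogs", location="melbourne")
    except ValueError as err:
        print("rejected:", err)   # the convention breaks on storage-account length
```

The rejected case at the end is the one the slide warns about: the same fields that produce a tidy VNet name overflow the 24-character storage-account limit once the hyphens are stripped, so the storage prefix needs its own, shorter scheme.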
3 | Design Your Resource Groups
- Resource groups are management containers for Azure infrastructure elements
- Manage an element set as a group
- Tagging
- RBAC for secure access with granular permissions
- Use locks to prevent large-scale deletion of resource groups and infrastructure
Considerations: Accountability, Manageability, Security, Flexibility
Recommendation: Use Multiple Resource Groups
Considerations: Accountability, Security, Manageability, Compliance, Flexibility
Recommendations
- Apply tags to resource groups to document metadata
- Apply RBAC to resource groups to enable least-privileged access
- Apply locks to resource groups to prevent deletion
- Apply policies to resource groups to prevent creation of unwanted resource types and locations
Considerations: Accountability, Security, Manageability, Compliance, Flexibility
4 | Design Your Connectivity
VNets:
- Address space
- DNS (Azure, External, BYO)
- Connectivity
Subnets:
- Subnet sizing
- Subnet address fragmentation
NSG/UDR:
- What traffic to block/allow
- What traffic to route
Considerations: Cost, Security, Manageability, Compliance, Flexibility, Availability, Reliability, Performance
Recommendations: VNet Patterns
Addressing:
- Ensure the address space for the VNet and each subnet doesn't overlap any connected network
- Use a VNet address space large enough for current and future capacity
- Plan enough address space for all of the VMs on all of your subnets (gateway, management, VM-hosting)
Considerations: Cost, Security, Manageability, Compliance, Flexibility, Availability, Reliability, Performance
Recommendations: VNet Peering
- High bandwidth, low latency
- Cross-subscription
- Hub and spoke configuration
Considerations: Cost, Accountability, Security, Manageability, Compliance, Flexibility, Availability, Reliability, Performance
Recommendations: Subnet Patterns
Subnets:
- Use a separate subnet for each tier or role
- A subnet-specific network security group can provide subnet isolation
- Use a Gateway subnet of at least a /27 and place it at the end of the VNet IP range
Considerations: Cost, Security, Manageability, Compliance, Flexibility, Availability, Reliability, Performance
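The addressing rules on this slide and on the VNet-patterns slide before it (no overlap with connected networks, enough capacity, a /27 or larger GatewaySubnet at the end of the range) can be checked before anything is deployed. The following is an added example, not from the deck, using only Python's standard library; the VNet, subnets, required host counts and on-premises ranges are constructed for it, and it relies on the fact that Azure reserves five addresses in every subnet.

```python
"""Address-plan check for a VNet, its subnets and the networks it connects to.

Added example, not from the deck; standard library only. Facts relied on:
Azure reserves 5 addresses in every subnet (network address, three for
platform use, broadcast), and the GatewaySubnet must be at least a /27.
The VNet, subnets, required host counts and on-premises ranges below are
constructed for the example.
"""
from ipaddress import IPv4Network
from typing import Dict, List, Union

AZURE_RESERVED_PER_SUBNET = 5
GATEWAY_SUBNET = "GatewaySubnet"   # the name Azure requires for the gateway subnet


def usable_hosts(subnet: Union[str, IPv4Network]) -> int:
    """Addresses a VM NIC can actually receive in an Azure subnet."""
    net = subnet if isinstance(subnet, IPv4Network) else IPv4Network(subnet)
    return net.num_addresses - AZURE_RESERVED_PER_SUBNET


def check_plan(vnet_cidr: str, subnets: Dict[str, str],
               connected_cidrs: List[str], required_hosts: Dict[str, int]) -> List[str]:
    """Return a list of problems; an empty list means the plan passes."""
    problems: List[str] = []
    vnet = IPv4Network(vnet_cidr)
    nets = {name: IPv4Network(cidr) for name, cidr in subnets.items()}

    # 1. The VNet must not overlap any network it will be connected to
    #    (on-premises via VPN/ExpressRoute, peered VNets).
    for cidr in connected_cidrs:
        other = IPv4Network(cidr)
        if vnet.overlaps(other):
            problems.append(f"VNet {vnet} overlaps connected network {other}")

    # 2. Every subnet must sit inside the VNet and not overlap another subnet.
    names = list(nets)
    for i, a in enumerate(names):
        if not nets[a].subnet_of(vnet):
            problems.append(f"subnet {a} {nets[a]} is outside VNet {vnet}")
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} {nets[a]} and {b} {nets[b]} overlap")

    # 3. Capacity: subtract the addresses Azure takes before comparing.
    for name, needed in required_hosts.items():
        have = usable_hosts(nets[name])
        if have < needed:
            problems.append(f"subnet {name} {nets[name]} has {have} usable addresses, needs {needed}")

    # 4. Gateway subnet: at least /27 and at the top end of the VNet range.
    gw = nets.get(GATEWAY_SUBNET)
    if gw is None:
        problems.append(f"no {GATEWAY_SUBNET} defined")
    else:
        if gw.prefixlen > 27:
            problems.append(f"{GATEWAY_SUBNET} {gw} is smaller than /27")
        if gw.broadcast_address != vnet.broadcast_address:
            problems.append(f"{GATEWAY_SUBNET} {gw} is not at the end of VNet {vnet}")
    return problems


# Constructed sample plan: a /16 VNet in 10.1.x, on-premises in 10.0.x and 192.168.x.
ONPREM = ["10.0.0.0/16", "192.168.0.0/16"]
GOOD_VNET = "10.1.0.0/16"
GOOD_SUBNETS = {
    "web": "10.1.1.0/24",
    "app": "10.1.2.0/24",
    "data": "10.1.3.0/24",
    "mgmt": "10.1.250.0/27",
    GATEWAY_SUBNET: "10.1.255.224/27",
}
REQUIRED = {"web": 40, "app": 20, "data": 10, "mgmt": 4}

if __name__ == "__main__":
    print("good plan:", check_plan(GOOD_VNET, GOOD_SUBNETS, ONPREM, REQUIRED) or "OK")
    # Same on-premises ranges, but a VNet that reuses 10.0.0.0/16, a /29 web
    # subnet that needs 10 hosts, and a /28 gateway subnet at the start of the range.
    bad = check_plan("10.0.0.0/16", {"web": "10.0.1.0/29", GATEWAY_SUBNET: "10.0.0.0/28"},
                     ONPREM, {"web": 10})
    print("bad plan:", *bad, sep="\n  ")
```

The capacity check is the one most often skipped: a /29 looks like eight addresses but only three are assignable once Azure's five reserved addresses are taken out, which is why the bad plan fails on the web subnet as well as on the overlap and the gateway subnet.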
Recommendations: NSG/UDR Patterns
NSG:
- Generally speaking, create your specific "Allow" rules first (lower priority numbers), followed by the more generic "Deny" rules
- Priority dictates the order in which rules are evaluated: lower numbers are processed first, and the first matching rule decides
UDR:
- Be careful with forced tunneling. It comes at a cost in terms of egress traffic and performance
- Be careful when using UDRs on gateway subnets; it is possible to block or stop traffic flow inadvertently
Considerations: Cost, Security, Manageability, Compliance, Flexibility, Availability, Reliability, Performance
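To see why rule order and priority matter, here is an added example (not from the deck) that simulates inbound NSG evaluation: rules sorted by ascending priority, first match wins, and the default rules at 65000/65001/65500 appended last. The service-tag table, the VNet range and the custom rules are assumptions constructed for the example.

```python
"""Simulating how an NSG picks the rule that decides an inbound flow.

Added example, not from the deck. It models the documented behaviour:
rules are evaluated in ascending priority number, the first rule whose
source/port/protocol match decides, and the three default inbound rules
sit at 65000 (AllowVnetInBound), 65001 (AllowAzureLoadBalancerInBound)
and 65500 (DenyAllInBound). Service tags are reduced to a fixed table
(an assumption for the example; the real tags are Microsoft-maintained
lists). The custom rules and the flows tried at the end are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Tuple

VNET_RANGES = ["10.0.0.0/16"]                      # this VNet's address space (assumed)
SERVICE_TAGS = {
    "VirtualNetwork": VNET_RANGES,
    "AzureLoadBalancer": ["168.63.129.16/32"],     # the platform's health-probe source
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for custom rules; lower number = evaluated first
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, single IP, service tag or "*"
    dest_ports: str    # "443", "1000-2000", "80,443" or "*"


DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _source_matches(spec: str, src_ip: str) -> bool:
    if spec == "*":
        return True
    addr = ip_address(src_ip)
    if spec == "Internet":   # everything outside this VNet's own space
        return not any(addr in ip_network(r) for r in VNET_RANGES)
    return any(addr in ip_network(r) for r in SERVICE_TAGS.get(spec, [spec]))


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for piece in spec.split(","):
        low, _, high = piece.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate(custom: List[Rule], src_ip: str, port: int, protocol: str = "Tcp") -> Tuple[str, str]:
    """Return (access, rule name) for the first matching inbound rule."""
    for rule in sorted(custom + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol) and _source_matches(rule.source, src_ip)
                and _port_matches(rule.dest_ports, port)):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


# Constructed rule set following the slide: specific Allows at low numbers,
# a generic Deny after them, and a catch-all Deny at 4000 that tightens the
# default AllowVnetInBound for this subnet.
RULES = [
    Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "Internet", "443"),
    Rule("AllowRdpFromJumpbox", 110, "Allow", "Tcp", "10.0.250.4/32", "3389"),
    Rule("DenyRdpFromAnywhere", 200, "Deny", "Tcp", "*", "3389"),
    Rule("DenyVnetInBound", 4000, "Deny", "*", "VirtualNetwork", "*"),
]

# The same rules with the two RDP priorities swapped: the generic Deny now
# sits in front of the jumpbox Allow, which is never reached.
MISORDERED = [replace(r, priority={110: 200, 200: 110}.get(r.priority, r.priority)) for r in RULES]

if __name__ == "__main__":
    for src, port in [("10.0.250.4", 3389), ("10.0.1.5", 3389), ("203.0.113.7", 443),
                      ("10.0.1.5", 80), ("168.63.129.16", 80), ("203.0.113.7", 22)]:
        print(f"{src}:{port:<5} -> {evaluate(RULES, src, port)}"
              f"   misordered: {evaluate(MISORDERED, src, port)}")
```

Two flows are worth noticing in the output: traffic from inside the VNet on port 80 is denied by the custom rule at 4000 even though AllowVnetInBound exists, because 4000 is evaluated before 65000; and in the misordered set the jumpbox's RDP is denied, because the generic Deny was given the lower number.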
Recommendations
- Remember that VNets, subnets and NSGs are software defined
- Your choice to use one over another is not a security decision; it's a manageability, flexibility and compliance decision
- Defense-in-depth is still relevant: consider using DMZ/perimeter subnets and trusted zones
Considerations: Cost, Security, Manageability, Compliance, Flexibility, Availability, Reliability, Performance
5 | Design Your Storage
- Managed Disks vs Unmanaged
- Storage types: Standard vs. Premium. Azure Product Group recommendation: ALL production workloads should use Premium storage whenever possible
- Data replication: use LRS for VMs
- Extra disks for installing apps and data on VMs
- Disk caching: Read-Only for data disks and Read/Write for OS disks
Considerations: Cost, Manageability, Recoverability, Security, Availability, Reliability, Performance
Recommendation: Managed Disks
Diagram (image not preserved):
- Unmanaged: an ARM Availability Set whose VMs in fault domains FD0, FD1 and FD3 keep their disks in Storage account 1, 2 and 3, all on a single storage unit (storage stamp 1); the disks are susceptible to a single point of failure
- Managed: the same Availability Set with VMs in FD1, FD2 and FD3, each backed by its own managed storage unit (Unit 1, 2, 3); isolated Managed Disks
Considerations: Cost, Security, Manageability, Flexibility, Availability, Reliability, Performance
Recommendations
- The temporary drive is temporary: don't keep anything on it you can't lose
- Avoid remapping the D: drive
- Use Storage Spaces for volumes larger than 4 TB (the max VHD size)
- Protect storage using an Azure Recovery Services vault
- Use ASR for DR to another region (Preview)
Considerations: Cost, Security, Manageability, Flexibility, Availability, Reliability, Performance
6 | Design Your Identity Tier
Authentication provider and methods:
- Windows Server Active Directory (AD) or other
- Client authentication
- Server-to-server authentication
- Integrated with the Azure AD instance for the subscription
- Integration/replication with an on-premises identity provider (cross-premises VNets)
Considerations: Accountability, Security, Manageability, Flexibility, Availability, Reliability, Performance, Compliance
Recommendations
- Consider alternatives to AD DS
- Avoid high-latency calls to on-premises for authentication/authorization (deploy domain controllers in the VNet/region)
- Create a new AD site specifically for your VNet address range
- Monitor the identity infrastructure, as it can often become the bottleneck
- Secure your DCs
Considerations: Accountability, Security, Manageability, Flexibility, Availability, Reliability, Performance, Compliance
7 | Design for Security
Minimizing exposure to the Internet:
- Don't assign VMs a public IP address unless needed
- Use a jumpbox VM for remote desktop connections
- Use a network appliance to scan incoming traffic
Inbound and outbound traffic flows:
- Stateful, host-based firewalls
- Network security groups
- End-to-end encryption with IPsec policies
- Disk encryption
- Anti-malware agents running on virtual machines
Considerations: Accountability, Security, Manageability, Flexibility, Availability, Reliability, Compliance
Recommendations: Security
- Don't put passwords in strings. Use SecureString and/or Key Vault
- Use Role Based Access Control to enable least privilege
- Reuse existing RBAC roles before creating custom roles
- Use locks to prevent deletion of infrastructure
- Use Network Security Groups for subnet isolation
- Use Azure Key Vault for encryption keys
- Use policies to prevent the creation of: resources in untrusted regions and geographies; public IP addresses on NICs in secure zones
- Run regular penetration tests and external audits on your solution
- Use Disk Encryption
- Use Azure Active Directory with MFA and Privileged Identity Management
- Audit administrative access to Azure resources
- DO NOT DDoS your own solution. It's against the penetration-testing rules of engagement (ROE) terms and conditions and won't end well for your account
Considerations: Accountability, Security, Manageability, Flexibility, Availability, Reliability, Compliance
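Two of the recommendations above (deny resources in untrusted regions, deny public IPs on NICs; the same guardrails the resource-group recommendations slide suggests applying at resource-group scope) are expressed as Azure Policy rules. The example below is added here and is not the deck's code or the Azure Policy engine: a minimal evaluator for the policyRule grammar, run over constructed sample resources. The allowed-locations rule is written the way the built-in "Allowed locations" definition expresses it; the NIC rule's alias mapping and its "any ipConfiguration" reading of `[*]` are this example's simplifications (in practice assign the built-in "Network interfaces should not have public IPs" policy).

```python
"""A small evaluator for Azure Policy rule syntax, applied to two guardrails.

Added example, not from the deck and not the Azure Policy engine. It
understands just enough of the policyRule grammar (field with equals /
in / exists, not, allOf, anyOf, and [parameters('x')] references) to run
the two guardrails the slides recommend. The NIC alias
Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id
is mapped by hand and [*] is treated as "any ipConfiguration" (an
assumption that simplifies the real array-alias semantics). The sample
resources are constructed.
"""
import re
from typing import Any, Callable, Dict, List

# Alias -> function returning the list of values that alias denotes on a resource.
ALIASES: Dict[str, Callable[[dict], List[Any]]] = {
    "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id": lambda r: [
        (cfg.get("properties", {}).get("publicIpAddress") or {}).get("id")
        for cfg in r.get("properties", {}).get("ipConfigurations", [])
    ],
}

DENY_UNTRUSTED_LOCATIONS = {
    "name": "deny-untrusted-locations",
    "parameters": {"allowedLocations": {"value": ["australiaeast", "australiasoutheast"]}},
    "policyRule": {
        "if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
        "then": {"effect": "deny"},
    },
}

DENY_PUBLIC_IP_ON_NIC = {
    "name": "deny-public-ip-on-nic",
    "parameters": {},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Network/networkInterfaces"},
            {"field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id",
             "exists": "true"},
        ]},
        "then": {"effect": "deny"},
    },
}


def _resolve(value: Any, params: dict) -> Any:
    """Replace a "[parameters('name')]" reference with the parameter's value."""
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value) if isinstance(value, str) else None
    return params[m.group(1)]["value"] if m else value


def _field_values(resource: dict, field: str) -> List[Any]:
    if field in ALIASES:
        return ALIASES[field](resource)
    return [resource.get(field)]


def _holds(cond: dict, resource: dict, params: dict) -> bool:
    """Evaluate one condition node of a policyRule."""
    if "not" in cond:
        return not _holds(cond["not"], resource, params)
    if "allOf" in cond:
        return all(_holds(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_holds(c, resource, params) for c in cond["anyOf"])
    values = _field_values(resource, cond["field"])
    if "equals" in cond:
        return any(v == _resolve(cond["equals"], params) for v in values)
    if "in" in cond:
        return any(v in _resolve(cond["in"], params) for v in values)
    if "exists" in cond:
        want = str(cond["exists"]).lower() == "true"
        return any((v is not None) == want for v in values)
    raise ValueError(f"unsupported condition: {sorted(cond)}")


def effect(policy: dict, resource: dict) -> str:
    """The policy's then.effect when its rule fires, otherwise 'compliant'."""
    rule = policy["policyRule"]
    fires = _holds(rule["if"], resource, policy["parameters"])
    return rule["then"]["effect"] if fires else "compliant"


def denied_by(resource: dict, policies: List[dict]) -> List[str]:
    """Names of the policies that would block this deployment."""
    return [p["name"] for p in policies if effect(p, resource) == "deny"]


GUARDRAILS = [DENY_UNTRUSTED_LOCATIONS, DENY_PUBLIC_IP_ON_NIC]

# Constructed sample resources; the shape follows ARM resource JSON.
NIC_WITH_PIP = {"type": "Microsoft.Network/networkInterfaces", "location": "australiaeast",
                "properties": {"ipConfigurations": [{"name": "ipconfig1", "properties": {
                    "publicIpAddress": {"id": "<resource id of pip-prod-web-01>"}}}]}}
NIC_PRIVATE = {"type": "Microsoft.Network/networkInterfaces", "location": "australiaeast",
               "properties": {"ipConfigurations": [{"name": "ipconfig1", "properties": {
                   "privateIPAddress": "10.1.1.4"}}]}}
VM_WRONG_REGION = {"type": "Microsoft.Compute/virtualMachines", "location": "eastus", "properties": {}}

if __name__ == "__main__":
    for label, res in [("NIC with public IP", NIC_WITH_PIP), ("private NIC", NIC_PRIVATE),
                       ("VM in eastus", VM_WRONG_REGION)]:
        print(f"{label}: denied by {denied_by(res, GUARDRAILS) or 'nothing'}")
```

Writing the guardrails in the real policyRule shape is the point: the same two dictionaries can be serialised to JSON and created as policy definitions, then assigned at the subscription or resource-group scope the governance slides describe.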
8 | Design Your VMs
Sizing:
- Use the MAP tool or ASR to profile your application and choose the equivalent SKU
- Make sure minimum vendor requirements are met
Availability:
- Use availability sets with Managed Disks
Addresses for each VM:
- Private addresses assigned from the subnet address space
- Public addresses and associated DNS names
Considerations: Cost, Performance Requirements, Supportability, Availability
Considerations for Each VM
Azure environment settings:
- Location
- Resource group
- Storage account vs Managed Disks
- VNet/Subnet
- Member of an availability set
- Member of a load balancer instance
VM-specific settings:
- Name
- Image (Publisher, Offer, Sku)
- Size (VM series)
- Extra disks with host caching setting
- Addresses (static private addresses, public addresses)
Considerations: Cost, Performance Requirements, Supportability
Recommendations: Deployment
- Don't deploy VMs via the portal; automate as much as possible
- Deploy VMs via PowerShell, CLI or ARM templates for testability and repeatability
- Consider using DSC or Chef/Puppet to configure VMs
- Consider using Microsoft images rather than your own unless you can keep your images patched
Considerations: Cost, Performance Requirements, Supportability
Recommendation: Know your service limits
Azure.com/FastTrack
In Review: Session Objectives and Takeaways
- Know what questions to ask
- Understand key elements around governance
- How to set up an environment through a methodical process
Q&A
Appendix
Resources for Connectivity Design
- Microsoft Cloud Networking for Enterprise Architects
- Implementing a Hybrid Network Architecture with Azure and On-premises VPN
- Implementing a Hybrid Network Architecture with Azure ExpressRoute
- Running VMs for an N-tier architecture
- Azure identity management
- Virtual Machines - Security