Azure DDoS Protection Standard

Azure DDoS Protection Standard is a service that enables AI-based protection of your cloud applications. Below is the list of resources of our webinar aired on 19th September 2019.

As a quick reminder, below is the set of network protections in front of your Azure instances. DDoS protection exists in a free tier which is present by default on all resources you publish using a public IP address. In this session we discuss about the addition of the “Standard” edition of the Azure DDos protection.

azuresecurityarchitecture

On demand session

https://info.microsoft.com/AP-AzureINFRA-WBNR-FY20-09Sep-19-AzureDDoSProtectionStandard-SRDEM4832_LP01Registration-ForminBody.html \

Slides

Demo

Additionnal links:

As usual, feel free to send your feedbacks and suggestions!

Arnaud

Azure landing zones using Terraform: Getting started

Cloud Adoption Framework for Azure has a great set of recommendations to accelerate deployment of Azure for entreprises who seek to consolidate their IT environment in the cloud and innovate on their applications.

CAF introduces landing zones as a concept that describes all the elements that must be in place to deploy a production-grade quality deployment (ie, that includes a minimal set of auditing, controls, policies, etc).

In order to accelerate that, let’s review how to deploy our first landing zone for Azure based on Terraform! We assume that you know Terraform and Azure already, if thats not the case, spend some time on my previous post.

We have published and will keep on updating a repository on GitHub: http://aka.ms/tf-landingzones

Getting started

The fastest way is to use Azure Cloud Shell:

  1. Open https://shell.azure.com
  2. Go to the clouddrive directory: cd clouddrive
  3. Clone the GitHub repo from http://aka.ms/tf-landingzones git clone https://github.com/aztfmod/blueprints.git
  4. Initialize the environment – this will create the fundamentals for the Terraform state, like Storage Account, Azure Key Vault, and the managed identities: ./launchpad.sh
  5. Deploy your first tranquility blueprint: ./launchpad.sh landingzone_vdc_level1 plan
  6. Review the configuration and if you are ok with it, deploy it by running: ./launchpad.sh landingzone_vdc_level1 apply

Below is a quick demo of doing that:

Customization

In order to ease your first contact with the landing zone, we created a sample configuration file proto.landing_zone_vdc_level1.auto.tfvars. As any .auto.tfvars file, it is going to be picked up automatically by Terraform when running. This file automatically configures all variables needed to get started:

  • Retention period for Activity logs, and operations logs.
  • Names of the resource groups to be created.
  • Location of the resources to be deployed.
  • Tags for the resources.
  • Name of log analytics and list of solutions to be deployed.
  • Security center contact details.

You can tune it to match your criteria, we hope the syntax is self explanatory, feel free to provide feedback on it!

Screenshot 2019-09-17 at 3.09.49 PM

Quick tour of the architecture:

Currently the solution is composed of 3 main components:

1. Launchpad.sh

Is a shell script, it initiates the Terraform state locally, uploads it to the Azure storage account, manages the environment variables and communication accross landing zones and other components.

2. Level0_launchpad

Creates a Key Vault, an Azure managed identity a storage account that is used to create store the Terraform state of our environment. It also creates a serie of service principals to be used to access the Terraform state and to integrate with Azure DevOps (in a future release). For full documentation, refer to the readme file.

3. Landingzone_vdc_level1

This vdc level1 landing zones leverages one blueprint (called tranquility) that sets the foundation for everything accounting and operations logs in your Azure subscription:

  • Resource groups
  • Activity Logging
  • Diagnostics Logging
  • Log Analytics
  • Security Center

Each of those features deployments are accomplished by a respective module, which is also on the GitHub, which Terraform download when it needs it (at the plan stage).

A diagram of landingzone_vdc_level1 would look something like that:

Screenshot 2019-09-17 at 3.32.02 PM.png

For full documentation, refer to the readme file.

That’s it for now, it should be enough for you to get started on the Azure Landing Zones using Terraform. Keep in mind there is much more to come on the Landing Zones, we will keep on publishing more and we will have a couple of webinars to go deep dive on the subject!

Happy landing landing zones crafting!

Arnaud Lheureux

Introduction to Terraform on Azure

As much as we love ARM templates and Json syntax for deploying resources on Azure, Terraform is another great way to accelerate and standardize your deployments. In this post, are the materials we use for the online webinar, available on demand here: https://info.microsoft.com/AP-AzureINFRA-WBNR-FY20-08Aug-29-AzureAdoption-SRDEM4141_LP02OnDemandRegistration-ForminBody.html

Slides:

Reference Links:

Tips to get started with Visual Studio Code:

Install the Terraform extension, you may notice that the 0.12 type of syntax is not recognized by default as its still under development. You can enable preview version running Terraform: Enable/Disable Language Server in the palette.

Azure Cloud Adoption Framework in Terraform samples:

If you want to kick-start your Azure deployment based on Cloud Adoption Framework Landing Zones, here are some Terraform examples of it (more webinars on this coming soon): http://aka.ms/tf-landingzones

Have fun with this!

Demos

Demo 1: Getting started with your environment

Demo 2: First deployment

Demo 3: States and outputs

Demo 4: Modules

As usual, feel free to send your feedbacks.

Arnaud

Cloud Adoption Framework, Scaffolding and Azure Virtual Datacenter

<Updated 11th July 2019>

Since we started to help customers of all sizes to deploy cloud technologies, we have developed many frameworks which all evolved in parallel over time. You may have heard about: Cloud Adoption Framework, Cloud Operations Model, Entreprise Cloud Strategy, Entreprise Scaffolding and maybe a couple more.

The CAF is dead, long live the CAF!

A couple of weeks ago, we published a new version of CAF – Cloud Adoption Framework for Azure, which consolidates all of our engineering and field best practices, as well as patterns that we’ve seen from big entreprises going to the cloud.

CAF has now five main sections which guide you throughout the whole circle:

cloud-adoption-framework-overview

  1. Plan
  2. Ready
  3. Migrate
  4. Manage
  5. Govern

This model is very realistic and field inspired, including some discussions around adoption with one or more cloud providers.

Governance

One of the most intimidating aspects of cloud adoption is the governance: how to manage new risks that are involved with cloud deployments and how to accompany that with entreprise processes and policies (and how does it remain current).

It is of course an iterative process that will evolve as you add new services into your environment: from dev/test to prod, and from legacy 3-tiers application to a brand new cloud-native application.

We distinguish 5 disciplines in governance:

  1. Cost management
  2. Security baseline
  3. Resource consistency
  4. Identity baseline
  5. Deployment Acceleration

But the difficulty is the first step: how do I get a minimal viable product (MVP) for my first cloud deployment?

incremental-governance-example

Actions: In order to avoid you the blank page syndrome, we have prepared you some actions:

  1. Determine your immediate objectives with cloud, and the readiness of your organization. Cloud Assessment Tool: https://aka.ms/CAF/gov/assess 
  2. Establish your governance MVP:
    1. Small to Medium Entreprises
    2. Large Entreprises

For all those journey we document a minimum viable product across the five disciplines, we explain the design decisions we took for you, the discussion points and alternative design considerations.

When we define governance, we also think about compliance to the rules, and automatic remediation methods for it: this is called Azure Policy.

Along the way, if you are going for ongoing compliance, why not going to continuous integration and continuous deployment for your infrastructure?

cicd

If you want to have a look at all of that in action, check at:

Azure Scaffolding

We used to talk a lot of  “scaffolding” as it is an excellent checklist, or set of mandatory technical implentation details for a good cloud deployment. It is being replaced by the “landing zone” construct (see next section).

Here is a refresher picture about what scaffolding includes:

scaffoldv2

Important readings on Azure Scaffolding:

Azure Landing Zones

Landing Zone is our new construct to describe a good deployment, its replacing the scaffolding idea but takes all of its good ideas.

landing-zone-considerations-2

It has the idea of primitives which includes all mandatory decisions:

  • Management Groups
  • Resource Groups
  • Naming Standards
  • Number of subscriptions

On the technical implementations of Governance it includes all of:

  • Policies
  • Cost
  • Monitoring
  • Identity

Moreover, it comes with all set of decision trees in order to help you when it comes to implementation with your customers/partners:

 

Azure Virtual Datacenter

Azure VDC is a set of concepts, implentation guidance and automation scripts that allows you to build a highly available and highly secure datacenter, based on Microsoft Azure services.

vdc_example

You can find all the materials here: https://docs.microsoft.com/en-gb/azure/architecture/vdc/ 

Check at the automation scripts and all the archetypes that allow you to deploy a VDC environment fast – based on Docker and Python : https://github.com/Azure/vdc

As last reference, as usual, our Azure Architecture Center

That’s it, now you will have a very well architected Azure deployment!

Arnaud 

Getting Started with Azure Network Monitoring

Getting knowledge and control on the network aspects of cloud is vital. In this post, lets recap the different options available for you in Microsoft Azure.

This is a webinar that we had on March 21, which is now available on demand here: https://info.microsoft.com/AP-AzureINFRA-WBNR-FY19-03Mar-21-AzureNetworkMonitoring-MCW0012270_02OnDemandRegistration-ForminBody.html  

Slides

Demos

Overview of network monitoring solutions: https://docs.microsoft.com/en-us/azure/networking/network-monitoring-overview

Monitoring VM

Virtual machine network bandwidth: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-machine-network-throughput

Azure Monitor for Networking

Analysis of network connection data with Azure Monitor for virtual machines: https://azure.microsoft.com/en-us/blog/analysis-of-network-connection-data-with-azure-monitor-for-virtual-machines/ 

Azure Connection Monitor

Monitor network communication: https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor

Azure Packet Capture

Manage packet captures with Azure Network Watcher: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-manage-portal

Azure NSG Flow Logs

Reading NSG flow logs: https://docs.microsoft.com/en-gb/azure/network-watcher/network-watcher-read-nsg-flow-logs

Azure Traffic Analytics

Introduction to Traffic Analytics: https://aka.ms/trafficanalyticsdocs 

Azure Virtual Network Tap

Virtual network TAP: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview

Enjoy the fun and lets catchup on @arnaudlheureux