Technology Blog

Deep-Dive on Azure Edge Zones in 5G Networks!


Introduction

Last month I published my two articles below on Azure Virtual WAN and SD-WAN, both of which describe how a cloud-hosted or migrated application can be accessed effectively by the business through an optimized network with greater performance and low latency, even from remote sites:

During that discussion I also touched on how a business can access its cloud-hosted applications through a nearby POP/Edge presence, and that these Edge/POPs are available not only from the major cloud service providers such as Microsoft, Amazon and Google but also from a large number of telcos, aligned with their current and future digital transformation need for edge computing in a 5G network.

In this article we will discuss how the major cloud service providers and telecom operators are currently working jointly on edge computing services in their 5G network roadmaps, and then cover the use cases and benefits of Microsoft's newly released edge computing services.

With the rise of 5G connectivity there are any number of possibilities to deliver immersive, real-time experiences that need ultra-low latency and demanding connectivity. 5G sets a new paradigm in the telecom industry with enhanced mobile broadband up to 10x faster and reliable low-latency communication.

Telecom providers partnering with CSPs for 5G Edge

A large number of telecom operators, i.e. AT&T, CenturyLink, Etisalat, NTT Communications, Proximus, Rogers, SK Telecom, Telefónica, Telstra, Vodafone and others, have partnered with Microsoft in its effort and plan to make Azure Edge Zones available to customers on 5G edge networks.

On the other side, SK Telecom, KDDI, Verizon, Vodafone Group and a few other operators have partnered with Amazon Web Services (AWS) to develop its edge computing service, AWS Wavelength, on 5G networks. AWS Wavelength will be deployed by its operator partners to give developers the ability to build applications that serve end users with single-digit millisecond latencies over the 5G network.

Google is making the same move, partnering with telecom providers such as AT&T, Vodafone and others to harness 5G as a business services platform. To meet this goal, Google Cloud recently announced its Global Mobile Edge Cloud (GMEC) strategy, which will deliver a portfolio and marketplace of 5G solutions built jointly with telecom companies: an open cloud platform for developing these network-centric applications and a globally distributed edge for optimally deploying them.

Google Cloud also announced Anthos for Telecom, which will bring its Anthos cloud platform to the network edge, allowing telecom companies to run their applications wherever it makes the most sense.

Microsoft Edge Computing Services ‘Azure Edge Zones’

At the end of March 2020, Microsoft announced its edge computing service called "Azure Edge Zones" (currently available in preview), which is designed to provide cloud resources quickly at the carrier's 5G network edge and enable data processing very close to the end user. With this, developers can now deploy cloud resources such as VMs, containers and other selected Azure services into Edge Zones to address the low-latency and high-throughput requirements of applications near their business locations/sites.

Azure has released not just one service but three types of edge zones, referred to as Azure Edge Zones, Azure Edge Zones with Carrier and Azure Private Edge Zones respectively. Each Edge Zone is connected to Azure's own network and runs in existing Microsoft network POP/Edge locations where Azure CDN, Azure Front Door and other services already run with appropriate security controls.

With Azure Edge Zones, Microsoft is gearing up for an important telecom industry space that blends cloud computing with mobile networks, making the strength of 5G edge computing available to enterprises, IoT, and applications that operate at very low latency.

In simple terms, Azure Edge Zones are local extensions of Azure services to enterprises, ideal for solving compute, storage and service availability problems by allowing businesses to provide experience-driven resources closer to their locations/sites. Azure Edge Zones are available through Azure (Azure Edge Zones), with select carriers and telecom operators (Azure Edge Zones with Carrier), or as private customer zones (Azure Private Edge Zones).

Azure edge zones overall benefits

As per Microsoft, Azure Edge Zones provide a rich, seamless customer experience in real time with ultra-low-latency edge compute capabilities. The major benefits of Azure Edge Zones include, but are not limited to, the following:

Solve edge latency problems with 5G network – Accelerate application and virtualized network function (VNF) deployment to provide seamless compute, storage, IoT and container services to the business. The low edge latency and high bandwidth of Azure Edge Zones and 5G networks virtually eliminate the latency concern.

Better application performance and data control – Azure Edge Zones enable faster access to local Azure services, giving granular control of data and better performance by deploying apps such as critical industrial IoT and media services workloads at the edge. Distributed applications can be developed across cloud, on-premises and edge using the same Azure Portal, APIs, development and security tools.

Deliver better mobile experiences with 5G network – Provide a better real-time experience for businesses and developers by deploying reliable, latency-sensitive applications and high-density graphics gaming on wireless networks with "Azure Edge Zones with Carrier". Accelerate IoT, artificial intelligence (AI) and real-time analytics by optimizing, building and innovating for robotics, automation and mixed reality.

Boost private edge performance with 5G network – Get the lowest latency possible for any industrial use case through a fully automated service-delivery experience with Azure Private Edge Zones.

Extend your on-premises network to Azure by using SD-WAN appliances – By using an SD-WAN appliance on the same private edge zone appliance, customers can extend their on-premises networks across multiple branches to Azure. SD-WAN provides seamless branch office connectivity that is orchestrated from redundant central controllers at a lower cost of ownership.

Use Case & Scenarios

It is important to understand the specific use cases of each type of Azure edge zone, so we will cover the use cases of each edge zone separately. Azure Edge Zones and Azure Private Edge Zones deliver consistent Azure services, application platform and management to the edge with 5G networks, unlocking new scenarios.

As per the Microsoft article at https://docs.microsoft.com/en-us/azure/networking/edge-zones-overview, the typical use cases and scenarios for edge zones are:

  • Real-time command and control in robotics.
  • Real-time analytics and inferencing through artificial intelligence & machine learning.
  • Machine vision.
  • Media streaming and content delivery.
  • Surveillance and security.
  • Remote rendering for mixed reality and VDI scenarios.
  • Immersive multiplayer gaming.

Azure Edge Zones

Common applications include distributed apps and public cloud-based business and consumer platforms in industries like retail, media and financial services, so typical use cases of Azure Edge Zones include:

  • Gaming and game streaming.
  • Media streaming and content delivery.
  • Real-time analytics and inferencing via artificial intelligence and machine learning.
  • Rendering for mixed reality.

Figure-1 below (Azure Edge Zones) represents the scenarios of the above use cases using Kubernetes, IoT and Azure Edge Zones services.

Figure-1: Azure Edge Zones

Azure Edge Zones with carrier

5G speed and bandwidth make ingesting, delivering and processing data faster, ideal for connected vehicles, mobile platforms and interactive games, high-bandwidth video streaming and other business-critical scenarios.

Typical use cases of Azure Edge Zones with Carrier include all four use cases of Azure Edge Zones plus two more:

  • Connected automobiles.
  • Tele-medicine.

Figure-2 below (Azure Edge Zones with Carrier) represents the scenarios of the above use cases using Kubernetes, IoT, Azure Edge Zones services, a 5G mobile carrier and connected vehicles.

Figure-2: Azure Edge Zones with Carrier

Azure Private Edge Zones

Azure Private Edge Zones are small-footprint extensions of Azure based on the "Azure Stack Edge" platform and placed on-premises. They enable low-latency access to computing and storage services deployed on-premises.

With private LTE and 5G speed, high bandwidth and ultra-low latency, Azure Private Edge Zones are ideal for optimizing the performance of connected robotics, big data analytics, mixed reality and other automation-driven applications.

SD-WAN on Private Edge Zones also lets customers move from a capex-centric model to a software-as-a-service (SaaS) model to reduce IT budgets.

Private mobile networks enable the ultra-low latency, high capacity, and reliable and secure wireless network required for business-critical applications. Private mobile networks enable scenarios such as command and control of automated guided vehicles (AGVs) in a warehouse, real-time communication between robots in a smart factory, and augmented reality and virtual reality edge applications.

Typical use cases of Azure Private Edge Zones are listed below; all of them differ from the Azure Edge Zones use cases except one, 'Real-time analytics and inferencing with AI and ML'.

  • Real-time command and control in robotics.
  • Real-time analytics and inferencing with artificial intelligence and machine learning.
  • Machine vision.
  • Remote rendering for mixed reality and VDI scenarios.
  • Surveillance and security.

Figure-3 below (Azure Private Edge Zones) represents scenarios such as command and control of automated guided vehicles (AGVs) in a warehouse, real-time communication between robots in a smart factory (industrial robotics), augmented reality, and surveillance and security.

Figure-3: Azure Private Edge Zones

Azure Private Edge Zones also let developers develop and deploy applications on-premises using the same familiar tools that customers use to build and deploy applications in Azure. Azure also lets customers:

  • Run private mobile networks (private 5G, private LTE).
  • Implement security functions like firewalls from technology partners such as Affirmed, Mavenir, Metaswitch, Nuage Networks from Nokia, Palo Alto Networks, and VeloCloud from VMware.
  • Build on an evolving platform, developed with customers, carriers and industry partners, that allows seamless integration and a wide selection of Virtual Network Functions (VNFs), including 5G software and SD-WAN.

As this Azure service is new and currently in preview, we will have further use cases and an in-depth discussion once it reaches 'general availability'.

Rajeev Ujjwal has more than 18 years of transformation delivery experience in cloud computing, infrastructure, directory services and cyber security with large global customers. He is a senior cloud consultant and has successfully delivered various kinds of global projects such as greenfield, consolidation, separation and migration.

Microsoft Azure AD Identity Solution – Part-3 !!!


Microsoft Identity as a Service (IDaaS) for Enterprise Architects

What IT architects need to know about designing a Microsoft identity solution for customers who deploy public and private (hybrid) cloud with all types of cloud services such as IaaS, PaaS and SaaS

Brief Introduction

In my previous article "Microsoft Azure AD Identity Solution – Part-2 !!!", we discussed Microsoft Azure AD as an identity solution in detail and how the Azure identity (IDaaS) solution provides seamless SSO and MFA for SaaS and on-premises apps. Apart from that, we also discussed how Azure AD collaborates in B2B and B2C scenarios, and finally talked about the use cases of Azure AD Application Proxy for accessing on-premises hosted applications.

In this article we will talk about specific industry use case scenarios such as identity authentication and authorization for applications hosted on an IaaS cloud platform. We will discuss how on-premises Active Directory Domain Services (generally called corporate or enterprise AD DS) and Active Directory Federation Services (AD FS) are extended into the IaaS platform to provide authentication and authorization to applications/workloads hosted in Infrastructure as a Service (IaaS).

If the customer does not have on-premises AD DS or AD FS in their corporate landscape, they can leverage the Microsoft-managed Azure Active Directory Domain Services (Azure AD DS) to provide authentication and authorization to applications or workloads hosted in Infrastructure as a Service (IaaS).

These are the most common scenarios used in industry for legacy and modern apps that are either migrated from on-premises into IaaS or hosted in IaaS directly as a fresh build.

Azure AD Domain Services (Azure AD DS)

Azure AD Domain Services is a cloud-based domain service that is completely managed by Microsoft and provides the following features:

  • Provides certain features of on-premises AD, such as domain join, group policy, LDAP and Kerberos/NTLM authentication, in Azure IaaS
  • Remember that Azure AD DS has certain limitations compared to on-premises AD
  • Customers can join their Azure VMs to a domain without deploying DCs, because Azure AD DS is part of the customer's existing Azure AD tenant and users can log in using the same credentials they use for Azure AD.

Note: This Azure AD managed domain is a standalone domain and is not an extension of the on-premises AD domain/forest. However, all user accounts, group memberships and credentials from on-premises AD are available in it via the Azure AD tenant.

The figure below shows how Azure AD Domain Services provides authentication and other domain services to customer line-of-business applications running in Azure Infrastructure as a Service (IaaS).

Figure-1: Azure AD Domain Services

Synchronize on-premises AD accounts to Azure AD

This solution provides access to all Microsoft SaaS and cloud-based identity options for Azure PaaS and IaaS apps. The two approaches below are recommended; choose either one:

A. Directory & password synchronization

B. Identity federation

Directory and password synchronization

This is the simplest and recommended option for most enterprise organizations. The figure below shows how Azure AD directory sync, password sync and MFA can be achieved with the Azure AD Connect tool:

  • User accounts are synchronized from the customer's on-premises directory to their Azure AD tenant. The on-premises directory remains the authoritative source for accounts
  • Azure AD performs all authentication for cloud-based services and applications
  • Supports multi-forest synchronization

Figure-2: Azure AD Connect (directory and password sync)

Note: Using cloud-only accounts is not recommended for enterprise-scale customers unless Windows AD is not already used on premises

Password synchronization: Users enter the same password for cloud services as they do on-premises. Users' passwords are never sent to Azure AD; instead a hash of each password is synchronized

Multi-factor authentication (MFA): Apps in Azure can take advantage of the Azure MFA service, whereas directory sync does not provide integration with on-premises MFA solutions

Identity federation

Federation provides additional enterprise capabilities, but it is also more complex and introduces more dependencies for access to cloud services, as shown in the figure below:

  • All authentication to Azure AD is performed against the on-premises directory via Active Directory Federation Services (AD FS) or another federated identity provider
  • Works with non-Microsoft identity providers
  • Password hash sync adds the capability to act as a sign-in backup for federated sign-in (if the federation solution fails)

Figure-3: Azure AD identity federation

Use identity federation if:

  • AD FS is already deployed or a third-party identity provider is in use
  • An on-premises integrated smart card or other MFA solution is in place
  • Sign-in audit and/or disablement of accounts is required
  • Compliance with Federal Information Processing Standards (FIPS) is required

Federated authentication requires a greater investment in on-premises infrastructure:

  • The on-premises servers must be Internet-accessible through a corporate firewall; Microsoft recommends the use of federation proxy servers deployed in a perimeter network, screened subnet or DMZ
  • Requires hardware, licenses and operations for AD FS servers, AD FS proxy or Web Application Proxy servers, firewalls and load balancers
  • Availability and performance are important to ensure users can access cloud applications

Placing directory components in Azure IaaS

Consider the benefits of deploying directory components, i.e. Azure AD Connect/AD DS/AD FS, to Azure IaaS, as shown in the figure, especially if the customer plans to extend their on-premises AD to Azure virtual machines for their line-of-business apps.

If the customer hasn't already deployed AD FS on-premises, consider whether the benefits of deploying this workload to Azure make sense for the organization:

  • Provides autonomy for authentication to cloud services (no on-premises dependencies) and reduces servers and tools hosted on-premises
  • Use an S2S VPN gateway on a two-node cluster or ExpressRoute to connect to Azure
  • Use ACLs to ensure that Web Application Proxy servers can only communicate with AD FS, not directly with AD DCs or other servers

Figure-4: Placement of on-premises AD components in Azure IaaS
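The ACL point above, expressed as an Azure network security group for the Web Application Proxy subnet. This is an added example written for this page, not code from the article or from Microsoft; the subnet ranges and NSG name are constructed placeholders, and it assumes the WAP, AD FS and domain controller tiers each sit in their own subnet.

```bicep
// Added example (not from the article): NSG for the perimeter subnet that hosts
// the Web Application Proxy (WAP) servers. Goal: WAP accepts HTTPS from the
// Internet, forwards only to the AD FS farm on 443, and can never reach the
// domain controllers or anything else in the VNet directly.
param location string = resourceGroup().location
param wapSubnetPrefix string = '10.1.1.0/24'   // constructed: perimeter subnet with WAP
param adfsSubnetPrefix string = '10.1.2.0/24'  // constructed: internal subnet with AD FS farm
param dcSubnetPrefix string = '10.1.3.0/24'    // constructed: internal subnet with AD DCs

resource wapNsg 'Microsoft.Network/networkSecurityGroups@2022-07-01' = {
  name: 'nsg-wap'   // constructed name
  location: location
  properties: {
    securityRules: [
      {
        // Inbound: published apps and federation endpoints are reached over HTTPS only.
        name: 'Allow-Inbound-HTTPS-From-Internet'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: wapSubnetPrefix
          destinationPortRange: '443'
        }
      }
      {
        // Inbound: keep Azure Load Balancer health probes working if an LB fronts WAP.
        name: 'Allow-Inbound-LB-Probes'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: '*'
          sourceAddressPrefix: 'AzureLoadBalancer'
          sourcePortRange: '*'
          destinationAddressPrefix: wapSubnetPrefix
          destinationPortRange: '*'
        }
      }
      {
        // Inbound: deny everything else, including the default AllowVnetInBound rule,
        // so internal hosts cannot open connections to the proxies.
        name: 'Deny-Inbound-All'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
      {
        // Outbound: WAP talks to the AD FS farm on HTTPS and nothing more.
        name: 'Allow-Outbound-HTTPS-To-ADFS'
        properties: {
          priority: 100
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: wapSubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: adfsSubnetPrefix
          destinationPortRange: '443'
        }
      }
      {
        // Outbound: explicit deny towards the domain controllers (LDAP, Kerberos, SMB, RPC),
        // which is the control the article describes.
        name: 'Deny-Outbound-To-DCs'
        properties: {
          priority: 200
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: wapSubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: dcSubnetPrefix
          destinationPortRange: '*'
        }
      }
      {
        // Outbound: deny the rest of the VNet too; the default AllowVnetOutBound rule
        // would otherwise let a compromised proxy reach other internal servers.
        name: 'Deny-Outbound-VNet'
        properties: {
          priority: 300
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: wapSubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: 'VirtualNetwork'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

WAP still has to resolve the federation service name; if the VNet's DNS servers are the domain controllers, either resolve that name via a hosts entry on the proxies or add a narrow port 53 allow rule ahead of Deny-Outbound-To-DCs. Associate the NSG with the WAP subnet and check the effective rules in the portal or with az network nic list-effective-nsg before relying on it.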

Extending On-premises AD to virtual machines into Azure IaaS

Refer to the figure, which shows the configuration of a hybrid deployment extending on-premises AD to Azure. It requires:

  • A virtual network (VNet) in Azure IaaS
  • An S2S VPN or ExpressRoute connection
  • Extending the customer's on-premises AD to virtual machines in the virtual network
  • Deploying one or more DCs in the Azure VNet, designated as a GC, to reduce egress traffic

When to use this solution?

  • Schema extensibility and the need to write to existing directory identities.
  • Support for apps in an Azure VNet where network isolation is a requirement.
  • Support across multiple Azure subscriptions.
  • Certificate or smartcard-based authentication for apps.

Figure-5: On-premises AD extension to Azure IaaS

Note: On-premises AD extension covers many of the limitations of Azure AD DS. The Microsoft FAQ below covers the features and limitations of Azure AD DS compared to on-premises AD DS: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/faqs

For further insight, refer to my previous articles "Microsoft Azure AD Identity Solution – Part-1 & 2 !!!" below:

Microsoft Azure AD Identity Solution – Part-1 !!!

Microsoft Azure AD Identity Solution – Part-2 !!!


Microsoft Azure AD Identity Solution – Part-2 !!!



Brief Introduction

In my previous article "Microsoft Azure AD Identity Solution – Part-1 !!!", we discussed Microsoft Azure AD as an identity solution in detail and how the Azure identity (IDaaS) solution effectively addresses the challenges of seamless access and integration with a wide range of legacy apps and modern SaaS services in a multi-hybrid cloud environment such as AWS, Azure and Google Cloud.

In this article we will focus on some more industry use cases of the Azure identity solution and its integration capabilities: a seamless solution for single sign-on (SSO) and multifactor authentication (MFA), Azure AD collaboration with business-to-business (B2B) partners and business-to-consumer (B2C) customers, and finally Azure AD Application Proxy.

Seamless SSO and MFA solution for SaaS and on-premises applications

Azure AD integration with hybrid cloud provides seamless single sign-on (SSO) and multi-factor authentication (MFA) capability to SaaS and on-premises apps. Refer to the figure below on how an Azure AD tenant connects to SaaS apps such as Office 365, ServiceNow and others:

Figure-1: Azure AD tenant connecting with SaaS

Seamless single sign-on for an Azure AD tenant covers the following:

  • An emerging need for unified application access and single sign-on to all types of SaaS applications
  • A consistent user experience with single sign-on across all SaaS services and on-premises apps using the SSO methods below:
    • Cloud SaaS apps can use OpenID Connect, OAuth, SAML, password-based, linked or disabled methods for SSO
    • On-premises applications can use password-based, integrated Windows authentication (IWA), header-based, linked or disabled methods for SSO. The on-premises choices work when applications are configured with Application Proxy

The following flowchart helps identity architects decide which Azure AD single sign-on method is best for their business apps and fits their business scenario:

Figure-2: Azure AD single sign-on methods

A traditional enterprise SSO solution such as on-premises corporate AD can be extended to SaaS services by using Active Directory Federation Services (AD FS).

Seamless multi-factor authentication (MFA) for an Azure AD tenant covers the following:

  • A process where a user is prompted during sign-in for an additional form of identification, such as entering a code from their mobile phone or providing a fingerprint scan.
  • Customer on-premises applications or SaaS services don't require any changes to use Azure MFA. The verification prompt is part of the Azure AD sign-in event, which automatically requests and processes the MFA challenge when needed.
  • Azure MFA generally works by requiring two or more of the following:
    • Password
    • A trusted device that is not easily duplicated (a phone or hardware key)
    • Biometrics (a fingerprint or face scan)

Azure AD B2B and B2C collaboration

Azure AD B2B collaboration enables secure integration between business-to-business partners.

These capabilities make it easy for businesses to create advanced trust relationships between Azure AD tenants so they can share their business apps (such as ServiceNow, Salesforce etc.) across companies/customers without the hassle of managing additional directories or the overhead of managing the partner's identity solution.

The figure below shows how Azure AD B2B collaboration shares SaaS applications between the customer's and the partner's Azure AD tenant:

Figure-3: Azure AD B2B collaboration

Azure AD B2C is a highly available, global identity management service for consumer-facing applications that scales to hundreds of millions of identities.

Azure AD B2C integrates easily across mobile and web platforms; through it, consumers log in to all their apps through a fully customizable experience using their existing social accounts such as Google, Facebook or LinkedIn, or by creating new credentials. The figure below shows how an enterprise Azure AD B2C collaborates with Azure PaaS through consumers' social identities:

Figure-4: Azure AD B2C collaboration

Azure AD application proxy

Microsoft Azure AD Application Proxy lets customers publish web-based apps inside their private network and provides secure access to users from the outside world:

  • Employees can log in to their apps from home on their own devices and authenticate through the Azure AD cloud-based proxy
  • By using Azure AD Application Proxy, customers can also protect their on-premises apps with the same requirements as other cloud-based apps, such as MFA and other conditional access policies.
  • Application Proxy works by installing a slim Windows service called a "connector" inside the private network, which maintains an outbound connection from within the private network to the Azure AD proxy service

The figure below shows how an on-premises application can be accessed through Azure AD Application Proxy.

Figure-5: Azure AD application proxy

For further insight, refer to my previous article "Microsoft Azure AD Identity Solution – Part-1 !!!" below:

Microsoft Azure AD Identity Solution – Part-1 !!!


Microsoft Azure AD Identity Solution – Part-1 !!!



Introduction

Cloud computing and mobile devices have transformed the modern digital workplace, and identity is the key foundation of today's digital transformation journey. Most businesses today follow a "cloud first" strategy, lifting and shifting their existing infrastructure and business applications into hybrid cloud, modernizing their business apps and opting into as-a-service models.

While cloud services are easy to deploy and commonly come with a modern end-user experience, this shift to digital transformation also introduces new challenges (such as security risk, administrative burden and poor end-user experience). It becomes even more challenging during the current COVID-19 pandemic, where most businesses are opting for "work from home" to access their hosted applications in hybrid clouds.

Due to the nature of the business (i.e. manufacturing, utility, infrastructure, automotive etc.) and its gradual transition, the reality for most businesses will remain hybrid for many years; even if the enterprise's workloads are moved into a partner's data centre (a "private cloud"), it is still about running their legacy IT landscape and business apps on-premises, alongside all the new SaaS services deployed in multi-tenant public clouds.

From the end user's and IT/IS perspective, users must access their applications both on-premises and in the cloud, and IT/IS must manage and protect applications in both places. Together with the shift to new ways of working such as "work from home", there is a need to provide a consistent end-user experience, safeguard end users' identities and manage the hybrid cloud environment.

Providing seamless access and integration with a wide range of legacy apps and modern SaaS services is the biggest challenge. Enabling single sign-on to modern SaaS services is just the simple part; the real challenge is supporting the full range of services within multi-cloud hybrid environments. Although various vendors offer their respective identity-as-a-service solutions (such as Oracle, IBM, Google, Okta, CA, Ping Identity and so on), we will focus on the Microsoft identity solution in this article in more detail.

Microsoft offers Azure AD, a cloud-based Identity as a Service (IDaaS), which comes with a comprehensive approach and a single control plane for providing seamless user access to all types of apps: SaaS, on-premises and custom-built apps.

The figure below depicts the detailed features of Azure Active Directory and their functionality, such as on-premises infrastructure integration, user accounts, devices, partner collaboration with customer account management, application integration and administration.

Figure-1: Azure AD Identity as a Service (IDaaS) Solution

Integrating Azure AD identity with Azure, AWS and GCP Hybrid Cloud

Azure AD integration with hybrid cloud provides a broad range of capabilities for business, including but not limited to the following:

  • Azure identity solutions address challenges like safeguarding identities, improving the user experience by accessing applications seamlessly across platforms, and increasing administrative efficiency
  • One identity for all applications across cloud services (SaaS, PaaS, IaaS) and across all cloud platforms such as Azure, AWS, Google etc.
  • Collaboration with partners using Azure AD B2B and B2C
  • Synchronization or federation with the on-premises directory through Azure AD Connect
  • Single sign-on and multi-factor authentication
  • Integration with web-based applications located on-premises through Application Proxy
  • Either Azure AD Domain Services (Azure AD DS) for authenticating line-of-business (LOB) applications hosted on virtual machines in Azure IaaS, or extension of on-premises Active Directory Domain Services (AD DS) to Azure IaaS
  • Cloud app discovery and management through the Azure AD 'MyApps' panel as a single control plane

The figures below show Azure AD integration with hybrid cloud for Azure, AWS and Google respectively:

Figure-2: Azure AD integration with Azure hybrid cloud
Figure-3: Azure AD IdP Federation with AWS Cloud Apps
Figure-4: Azure AD Federation with GCP Cloud


The Deep Dive on 'Well-Architected Framework' of AWS, Azure & Google Cloud!


Brief Summary:

In this article I will draw some insights from the well-architected frameworks of all three major cloud service providers. First you will get some background on why these well-architected frameworks and their pillars/principles are really needed for any business in its digital transformation journey; then I will briefly cover the life cycle of the well-architected framework from each of the three cloud service providers, along with their similarities and dissimilarities; and finally I will draw attention to the approach each provider is following and how their partners and business are benefiting.

Real need and importance of cloud well-architected framework in today’s digital transformation:

In today's digital world, every cloud service provider offers a large number of services in its digital transformation journey, be it cloud infrastructure | IoT | edge computing | software defined | data science | 5G | networking | cyber security and so on, and these services are growing and will grow very rapidly in future. A business may consume one or more of these services in various ways, and each one can be configured in different ways. On the other side, it is important to understand how an on-premises hosted application (legacy, custom or in-house, COTS, open source) is currently operating and how it can be transformed/migrated into a public or private cloud.

This is not new: based on a cloud assessment or application rationalization through R-LANE (for example, Gartner's five R strategies model: rehost, replatform, refactor, rebuild, replace), the application modernization and migration methodology for any on-premises hosted application can be decided, whether it is to be lifted and shifted (rehost), retired and replaced with a cloud-native application (replace), modified (replatform), rearchitected (refactor), or rebuilt (rewriting the application from scratch) prior to migrating it to the cloud. Each application is different, and therefore deploying an application to the cloud is usually not a trivial task.

So, based on the cloud assessment and rationalization results, the roadmap for an application’s modernization strategy and its cloud migration methodology are usually defined. To host or migrate these various kinds of applications in a public, private or hybrid cloud, and to consume the large number of cloud services along with them, each cloud service provider publishes a set of well-defined architectures, design principles and best practices that practitioners are expected to follow. These standard architectures are there to ensure that applications are migrated smoothly, are well optimized and secured, and that their operations are managed effectively in the respective cloud.

Well-architected framework life-cycle from all three major cloud service providers:

Several years back, all the major cloud service providers (Amazon, Microsoft and Google) released their well-architected framework or architecture framework, and they revisit and improve it on a regular basis. AWS has very recently announced the eighth version of its Framework since 2012:

https://aws.amazon.com/blogs/architecture/announcing-the-new-version-of-the-well-architected-framework/

In a similar way, Microsoft has also announced its revised Azure well-architected framework:

https://azure.microsoft.com/en-us/blog/introducing-the-microsoft-azure-wellarchitected-framework/

Google has also recently released its updated architecture framework guide:

https://cloud.google.com/blog/products/gcp/new-google-cloud-architecture-framework-guide

Well-architected framework pillars or design principles:

So far we have talked a little about the life cycle of their architecture frameworks; now let’s get a detailed understanding of the well-defined architecture pillars or design principles themselves.

Amazon’s AWS and Microsoft Azure follow exactly the same naming convention, the so-called “5 pillars of the well-architected framework”, whereas Google Cloud’s architecture framework covers the same ground in its 4 key architecture principles/pillars.

Amazon AWS 5-pillars of well-architected framework

As per Amazon, the AWS well-architected framework helps cloud architects build secure, high-performing, resilient and efficient infrastructure for their applications and workloads. Based on five pillars, AWS provides a consistent approach for customers and partners to evaluate their cloud architectures and implement designs that can scale over time.

Below are the five pillars of AWS well-architected framework and their purpose: 

  • Operational Excellence – focuses on running and monitoring systems to deliver business value, and continually improving processes and procedures
  • Security – focuses on protecting information and systems
  • Reliability – focuses on ensuring a workload performs its intended function correctly and consistently when it’s expected to
  • Performance Efficiency – focuses on using IT and computing resources efficiently
  • Cost Optimization – focuses on avoiding unnecessary costs

The figure below gives a high-level pictorial view of the AWS 5 pillars of the well-architected framework.

Figure-1: AWS 5-Pillars of ‘Well-Architected Framework’

Microsoft Azure 5-pillars of well-architected framework

As per Microsoft, the Azure Well-Architected Framework provides a set of technical guidance that can be used to improve the quality of a workload; partners can leverage this guidance to enable customers to design well-architected and high-quality workloads on Azure. The framework consists of the following five pillars and their purpose:

  • Cost Optimization – managing costs to maximize the value delivered to the business
  • Reliability – the ability of a system to recover from failures and continue to function
  • Security – protecting applications and data from threats
  • Performance Efficiency – the ability of a system to adapt to changes in load
  • Operational Excellence – operations processes that keep a system running in production

The figure below gives a high-level pictorial view of the Azure 5 pillars of the well-architected framework.

Figure-2: Azure 5-Pillars of ‘Well-Architected Framework’

Google GCP 4-key architecture principles/pillars

Like Amazon and Microsoft, Google too has 4 key architecture principles/pillars, and these cover all 5 of the pillars that Amazon and Microsoft have.

Google Cloud’s architecture framework provides architects with a set of best practices and implementation guidance on Google’s products and services to aid application design choices based on their unique business needs. The framework provides a foundation for building and improving Google Cloud deployments to ensure standardization and achieve consistency.

The Google 4 key architecture principles/pillars and their purpose are as below:

  • Operational excellence – guidance on efficiently running, managing and monitoring systems that deliver business value
  • Security, privacy, and compliance – guidance on applying appropriate security controls, approaching privacy, and meeting compliance levels and standards
  • Reliability – guidance on how to build reliable and highly available solutions
  • Performance and cost optimization – suggestions on the various available tools to tune your applications for a better end-user experience and to analyze the cost of operation while maintaining an acceptable level of service

The figure below gives a high-level pictorial view of the 4 key architecture principles/pillars of Google Cloud’s architecture framework.

Figure-3: 4-Principles of ‘Google Cloud Platform Architecture Framework’

Each cloud provider’s approach to its well-architected framework and the benefits it brings:

In the previous section I briefly explained each well-architected framework (its pillars/principles), its purpose and a pictorial view from all three cloud providers, and you might have observed that the purpose of each is very similar. What differs is the approach: each service provider implements its framework in a slightly different way.

Amazon AWS approach: Apart from dedicated, focused training to build internal distributed decision-making capability around the architected framework, below is the approach Amazon usually follows:

  • The AWS WA (well-architected) tool, available at no cost in the AWS Management Console, provides a mechanism for regularly evaluating customer workloads, identifying high-risk issues, and recording improvements.
  • AWS well-architected partner program members have in-depth training on the well-architected framework, which helps partners implement best practices, measure the state of customer workloads, and make improvements where assistance is required.
  • The Lenses extend the guidance offered by AWS well-architected to specific industry and technology domains, such as machine learning, analytics, serverless, high performance computing (HPC), IoT (Internet of Things), and financial services. To fully evaluate workloads in a specific industry or technology domain, use the applicable lenses together with the AWS well-architected framework and its five pillars.

Microsoft Azure approach: Similar to Amazon, Microsoft also takes a focused and detailed approach to its well-architected framework using the five pillars; below is the approach Microsoft follows:

  • Detailed study of the framework content, reference material and samples that are available in the Azure Architecture Center
  • Taking a deep-dive Azure well-architected review through the online assessment tool from Microsoft
  • Building a great (secure, scalable, high-performing) solution with the Microsoft Azure well-architected framework on Microsoft Learn
  • A Cloud Adoption Framework, which is a collection of artifacts, implementation guidance and tools from Microsoft to accelerate a customer’s cloud adoption journey and manage its cloud portfolio
  • By providing technical guidance and best practices to architect workloads, Microsoft partners enable business to define, deploy and manage well-architected workloads on Azure

Google Cloud approach: Google’s framework recommends reviewing its “System Design Considerations” first, then following the 4 key architecture principles/pillars, and then taking a deep dive into the other processes below (discover, evaluate and review) based on business needs. The framework is modular, so customers can pick and choose the process that is most relevant to them:

  • Discover: Use the framework as a discovery guide to Google Cloud Platform offerings and learn how the various pieces fit together to build solutions.
  • Evaluate: Use the outlined design questions as a detailed thought process while the business is thinking about its system design. If they are unable to answer a design question, they can review the highlighted Google Cloud services and features to address it.
  • Review: If the customer is already on Google Cloud, use the recommendations process to verify whether the customer is following best practices, or as a pulse check before deploying to production.

Conclusion:

So, finally, we have covered the following topics on the well-architected frameworks from all three major service providers:

  • Why a cloud well-architected framework and its pillars are needed by business
  • The life cycle of each well-architected framework, its purpose and a pictorial representation for each service provider
  • Similarities and dissimilarities between the three well-architected frameworks
  • The approach each cloud service provider follows and how it benefits their partners and businesses

Rajeev Ujjwal has more than 18 years of transformation delivery experience in cloud computing, infrastructure, directory services, and cyber security with large global customers. He is a senior cloud consultant and has successfully delivered various kinds of global projects such as greenfield, consolidation, separation and migration.

HCX Migration Known Issues and Solution-Lessons Learnt !


Problem statement, reason and solution for each known issue:

  • Problem: Failed to create the replica placeholder disks at the target site (unable to create dummy disk at target site). Reason: the target already has a folder with the same name. Solution: search the datastore for a folder with the VM name and delete it before starting the replication.
  • Problem: VM power-off task failed during VR migration. Reason: the server did not power off during the cutover. Solution: select the forced power-off option before migrating the server.
  • Problem: Failed to enable replication (enable replication on HBR manager failed). Reason: the server has an RDM, or the source ESXi host is not in a healthy state. Solution: convert the RDM into a VMDK or change the compatibility mode from physical to virtual.
  • Problem: Replication stuck at any point. Reason: a disk was added or removed during the replication. Solution: do not make any hardware changes during replication.
  • Problem: Fleet appliance is not found for the server. Reason: the migration service is not deployed for the cluster. Solution: include that cluster in an existing migration service or deploy a new CGW for that cluster.
  • Problem: Cutover failed due to reserved MAC address. Reason: the VM has a vCenter-reserved MAC address. Solution: do not select the option ‘retain MAC address’.

Table: HCX Migration Lessons Learnt

Dhiraj Dhall has more than 15 years of transformation delivery experience in cloud computing, infrastructure, DevOps, microservices and containers with large global customers. He is a senior Architect and has successfully delivered various kinds of global projects such as greenfield, consolidation, SDDC and migration.

Addressing Latency Issues in HCX-Network Extension !


Brief Summary:

When we configure a Network Extension in HCX to extend L2 between the source and target datacentres, HCX deploys a Network Extension appliance in both datacentres. Once the appliances are successfully deployed, the VLAN is extended.

In HCX, when we migrate a VM from the source to the target datacentre using the L2 extension, the VM still communicates back to the source datacentre for inter-VLAN traffic, traffic to outside the datacenter and other required communication, because its gateway still exists at the source datacentre.

Problem Statement:

The problem you may face is that if you have many network-intensive virtual workloads (from one particular VLAN) to migrate to the target datacentre, the Network Extension can become a bottleneck and the workloads may experience latency issues.

Solution Detail:

It is always better to migrate all VMs of one VLAN (say VLAN ID 10) as quickly as possible and then cut over that VLAN so traffic starts routing from the target datacentre instead of the source. If, due to unavoidable circumstances, you are not in a position to migrate all VMs within the limited timeframe and are experiencing latency issues, then you must plan to extend the VLAN through the physical switches using OTV or a similar extension method.

Other factors to be considered:

  • Sufficient migration link availability
  • At least 10 G network speed (VMNIC) for both source and target hypervisors

Figure-1: HCX Layer-2 Extension
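A PowerCLI pre-flight check, added here as an example that is not part of either HCX article, which looks for the conditions behind the failures in the lessons-learnt table of the preceding article (a folder already named after the VM on the target datastore, RDM disks, an unhealthy source host, vCenter-assigned MAC addresses that should not be retained) and for the 10 G uplink requirement listed above. It assumes VMware.PowerCLI is installed, that Connect-VIServer has already been run against a vCenter that can see both the source VMs and the target datastore, and that the VM and datastore names passed in are placeholders for your own.

```powershell
# Added example (not from the original articles): HCX pre-migration checks with PowerCLI.
# Assumptions: Connect-VIServer already run; the target datastore is visible from the
# same session; names passed on the command line are placeholders.
param(
    [Parameter(Mandatory)][string[]]$VmNames,
    [Parameter(Mandatory)][string]$TargetDatastore,
    [int]$MinNicMbps = 10000   # "at least 10 G" from the latency article
)

$findings = New-Object System.Collections.Generic.List[string]

# Mount the target datastore once so the folder lookups below are cheap.
$targetDs = Get-Datastore -Name $TargetDatastore -ErrorAction Stop
New-PSDrive -Name tgtds -PSProvider VimDatastore -Root '\' -Location $targetDs | Out-Null

foreach ($name in $VmNames) {
    $vm = Get-VM -Name $name -ErrorAction Stop
    $vmHost = $vm.VMHost   # ($host is a reserved automatic variable in PowerShell)

    # 1. Placeholder disk creation fails when a folder with the VM's name already exists at target.
    if (Test-Path "tgtds:\$name") {
        $findings.Add("$name`: folder '$name' already exists on $TargetDatastore; remove it before enabling replication")
    }

    # 2. HBR cannot replicate raw device mappings.
    $rdm = Get-HardDisk -VM $vm | Where-Object { $_.DiskType -in 'RawPhysical', 'RawVirtual' }
    foreach ($d in $rdm) {
        $findings.Add("$name`: disk '$($d.Name)' is $($d.DiskType); convert to VMDK or switch the RDM to virtual compatibility mode")
    }

    # 3. Enabling replication fails when the source ESXi host is not healthy.
    if ($vmHost.ConnectionState -ne 'Connected') {
        $findings.Add("$name`: source host $($vmHost.Name) is $($vmHost.ConnectionState); fix the host or move the VM first")
    }

    # 4. vCenter-assigned MACs are the ones that collide with the target vCenter's reserved
    #    range when 'retain MAC address' is selected at cutover.
    foreach ($nic in Get-NetworkAdapter -VM $vm) {
        if ($nic.ExtensionData.AddressType -eq 'assigned') {
            $findings.Add("$name`: adapter '$($nic.Name)' MAC $($nic.MacAddress) is vCenter-assigned; do not select 'retain MAC address'")
        }
    }

    # 5. Source host uplinks below the recommended 10 Gbps throttle the migration link.
    #    BitRatePerSec is reported in Mbps despite its name.
    $slow = Get-VMHostNetworkAdapter -VMHost $vmHost -Physical | Where-Object { $_.BitRatePerSec -lt $MinNicMbps }
    foreach ($pnic in $slow) {
        $findings.Add("$name`: source host $($vmHost.Name) $($pnic.Name) runs at $($pnic.BitRatePerSec) Mbps (< $MinNicMbps)")
    }
}

# 6. The target-side hypervisors backing the datastore need 10 Gbps uplinks as well.
foreach ($tHost in Get-VMHost -Datastore $targetDs) {
    Get-VMHostNetworkAdapter -VMHost $tHost -Physical |
        Where-Object { $_.BitRatePerSec -lt $MinNicMbps } |
        ForEach-Object { $findings.Add("target host $($tHost.Name) $($_.Name) runs at $($_.BitRatePerSec) Mbps (< $MinNicMbps)") }
}

Remove-PSDrive -Name tgtds

if ($findings.Count -eq 0) {
    Write-Output "No blocking findings for: $($VmNames -join ', ')"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it as `.\Test-HcxPreflight.ps1 -VmNames app01,app02 -TargetDatastore 'DS-TARGET-01'` before enabling replication; every warning maps to one row of the lessons-learnt table or to the link requirement above, so the migration wave can be cleaned up before HCX reports the failure mid-replication.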

Dhiraj Dhall has more than 15 years of transformation delivery experience in cloud computing, infrastructure, DevOps, microservices and containers with large global customers. He is a senior Architect and has successfully delivered various kinds of global projects such as greenfield, consolidation, SDDC and migration.

Microsoft Azure Virtual WAN – How it’s getting closer to Business!


Introduction:

This article continues my previous article ‘Co-existence between Azure Virtual WAN and SD-WAN is shifting a gear in the digital transformation’.

Today let’s discuss how Azure Virtual WAN is getting closer to business and how effectively business can plan and transform its enterprise landscape into public and private cloud (hybrid cloud), which is another remarkable step in the digital transformation journey. Along with that, we will also touch upon the various use cases and the real benefits business gets overall while adopting the Azure Virtual WAN solution.

This kind of transformation journey has somewhat changed the way value is created by business, and extends itself to other activities of a customer such as value monetization or value communication.

Below are the major outlines I will cover throughout this article:

  • Traditional way of using Azure Virtual WAN and global transit network
  • Using Azure Virtual WAN with multiple Azure regions through Azure Global Network
  • Using Azure Virtual WAN with third party SDWAN or vCPE NVA devices
  • Real benefits to Business while adopting the Azure Virtual WAN

Traditional way of using Azure Virtual WAN and global transit network:

You might have observed that AWS has released the Transit Gateway, which simplifies network routing between VPCs and the customer’s on-premises network. With it, a customer can connect various VPCs with each other and with on-premises seamlessly using optimal routing.

Microsoft has a similar approach with the Azure Hub-Spoke VNet model, where the hub VNet acts as the interface between on-premises and the spoke VNets in which the Prod and Non-Prod apps are hosted. The hub VNet also offers common services such as the security infrastructure (firewall, proxy, WAF etc.), AD/DNS and foundation tools, so the hub VNet even acts as the internet gateway and provides perimeter security for the applications hosted in the spoke VNets.

Azure Virtual WAN is an even more simplified version of the Azure Hub-Spoke VNet model. It is more centralized, secure and well connected through the Azure backbone using the global transit network. The Azure Virtual WAN design architecture below describes how a business can communicate seamlessly from its branch offices/remote sites to access enterprise applications hosted in spoke VNets (5 different spoke VNets are shown in the figure).

Azure Virtual WAN acts as a central hub and offers optimized routing between on-premise headquarters/DCs, branch offices and spoke VNets seamlessly and with appropriate security. The headquarters/DC can still connect to the Azure backbone through ExpressRoute, and branch offices through Site-to-Site VPN, but now a branch office can reach the on-premises DC via Azure Virtual WAN without traversing the MPLS corporate network, and all branch offices can communicate with each other via Azure Virtual WAN. This use case covers a single Azure region and the communication between the various business branch offices and data centers.

Figure-1: Azure Virtual WAN (Traditional)

Using Azure Virtual WAN with multiple Azure regions through Azure Global Network:

Business is not restricted to any region or country and has no boundary, and that is where Azure Virtual WAN plays an important role by utilizing the Microsoft Azure Global Network, the largest of its kind, and its PoP/Edge presence. Business can now connect to its closest available PoP/Edge with appropriate bandwidth and low latency. Approx. 130 PoP locations are available across the globe in various geographies. The KB below covers the current list of PoP/Edge availability:

https://docs.microsoft.com/en-us/azure/cdn/cdn-pop-locations

The Azure Virtual WAN design architecture below describes how a business connects to its closest PoP location, after which the PoP communicates onward through the Azure backbone with higher bandwidth and low latency. In this use case, if the business needs to access an application hosted in an Azure spoke VNet (let’s say VNet1) from a branch office, the communication flow is as follows:

Branch Office -> Site-to-Site VPN -> Closer PoPs/Edges -> Secure Virtual Hub 1 (Azure Region West US) -> Spoke vNet1

If the same enterprise application is accessed from the headquarters DC (for any reason), the communication flow is as follows:

Headquarters/DC -> ExpressRoute -> Closer PoPs/Edges -> Secure Virtual Hub 1 (Azure Region West US) -> Spoke vNet1

Another major improvement is for the Office 365 service, which can also be accessed through the closest available PoP/Edge, but with a different and direct communication path:

Branch Office -> Site-to-Site VPN -> Closer PoPs/Edges -> Office 365 service. Local break-out for the Office 365 service thus also becomes available to business.
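The branch -> Site-to-Site VPN -> virtual hub -> spoke VNet path described above, built with the Az PowerShell module, as an added example that is not part of the original article. It assumes Connect-AzAccount has already been run, that the resource group rg-vwan-demo and the spoke VNet vnet-spoke1 already exist, and that every name, address prefix and the branch public IP 203.0.113.10 (documentation range) is a placeholder. The hub becomes a “secure” virtual hub only once Azure Firewall is deployed into it, which this example does not do.

```powershell
# Added example (not the article's own code): one region, one branch, one spoke, using the
# Az module. Assumptions: Connect-AzAccount done; resource group and spoke VNet exist;
# all names/prefixes/IPs below are placeholders.
$rg       = 'rg-vwan-demo'
$location = 'westus'

# The Virtual WAN resource; branch-to-branch traffic through the hub is what lets branches
# reach each other without the MPLS network, as described above.
$vwan = New-AzVirtualWan -ResourceGroupName $rg -Name 'vwan-demo' -Location $location `
            -VirtualWANType 'Standard' -AllowBranchToBranchTraffic

# The regional hub (Secure Virtual Hub 1 in the flow above); the prefix is for the hub's
# own gateways and must not overlap with any branch or spoke range.
$hub = New-AzVirtualHub -ResourceGroupName $rg -Name 'hub-westus' -Location $location `
            -VirtualWan $vwan -AddressPrefix '10.100.0.0/24'

# The branch office: public IP of its VPN device and the prefixes it advertises.
$site = New-AzVpnSite -ResourceGroupName $rg -Name 'site-branch01' -Location $location `
            -VirtualWan $vwan -IpAddress '203.0.113.10' -AddressSpace @('192.168.10.0/24') `
            -DeviceVendor 'PlaceholderVendor' -DeviceModel 'PlaceholderModel' -LinkSpeedInMbps 100

# Site-to-site VPN gateway inside the hub (one scale unit is 500 Mbps aggregate).
$gw = New-AzVpnGateway -ResourceGroupName $rg -Name 'vpngw-hub-westus' `
            -VirtualHubName $hub.Name -VpnGatewayScaleUnit 1

# IPsec pre-shared key is prompted for (or pulled from a secret store); it never lives in
# the script text or in source control.
$psk = Read-Host -Prompt 'IPsec pre-shared key for site-branch01' -AsSecureString
New-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $gw.Name -Name 'conn-branch01' `
            -VpnSite $site -SharedKey $psk

# Attach the spoke VNet to the hub so the branch can reach the workloads hosted in it.
$spoke = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-spoke1'
New-AzVirtualHubVnetConnection -ResourceGroupName $rg -VirtualHubName $hub.Name `
            -Name 'conn-spoke1' -RemoteVirtualNetwork $spoke

# Show the hub's effective routes so the branch and spoke prefixes can be confirmed.
Get-AzVirtualHub -ResourceGroupName $rg -Name $hub.Name | Select-Object Name, AddressPrefix, ProvisioningState
```

The on-premises side still has to be configured with the hub gateway’s public IP and the same pre-shared key; with Get-AzVpnGateway you can read the gateway’s IP configuration once provisioning completes. Adding a second hub in another region to the same $vwan is how the multi-region picture in Figure-2 is reached, since hubs under one Virtual WAN exchange routes with each other over the Azure backbone.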

Figure-2: Azure Virtual WAN using Global Network (Evolving)

Using Azure Virtual WAN with third party SDWAN or vCPE NVA devices:

The evolution of Azure Virtual WAN does not stop here. Microsoft offers SD-WAN services from a large number of SD-WAN vendors, including Citrix, Cisco Meraki, Fortinet, Barracuda Networks, Check Point and others (the list is growing day by day), as part of the overall Virtual WAN offering.

As per Microsoft, “Although Azure Virtual WAN itself is a Software Defined WAN (SD-WAN), it is also designed to enable seamless interconnection with the on-premises-based SD-WAN technologies and services. Many such services are offered by Microsoft Virtual WAN ecosystem and Azure Networking Managed Services partners (MSPs)”.

Businesses that are transforming their private MPLS WAN to SD-WAN now have options to interconnect their private SD-WAN with Azure Virtual WAN. Businesses can choose from these options:

Direct Interconnect Model: In this architecture model, the SD-WAN branch customer-premises equipment (CPE) device is directly connected to the Virtual WAN hub via an IPsec connection. This branch CPE device may also be connected to other branches via the private SD-WAN, or leverage Azure Virtual WAN for branch-to-branch connectivity.

Indirect Interconnect Model: In this architecture model, SD-WAN branch CPEs are connected indirectly (via a v-CPE NVA) to the Virtual WAN hub. An SD-WAN virtual CPE (v-CPE NVA) is deployed in one of the business’s VNets, and this v-CPE NVA is in turn connected to the Virtual WAN hub using IPsec. The virtual CPE acts as an SD-WAN gateway into Azure. Branches that need to access their applications/workloads in Azure reach them via the v-CPE gateway.

Managed Hybrid WAN Model: In this architecture model, enterprises can leverage a managed SD-WAN service offered by a Managed Service Provider (MSP) partner. This model is similar to the direct or indirect models described above; however, here the SD-WAN design, orchestration and operations are delivered by the SD-WAN provider. The architecture diagram below covers the managed hybrid Virtual WAN model.

Figure-3: Azure Virtual WAN with SD-WAN (Managed Hybrid Model)

Real benefits to Business while adopting the Azure Virtual WAN:

As I explained in my previous article, the MPLS corporate WAN has its own challenges and limitations, but Azure Virtual WAN together with SD-WAN addresses these and provides a large number of benefits to business, including but not limited to:

  • Optimized and seamlessly integrated connectivity for branch to branch, branch to hubs/spokes, branch to DC, hub to hub and hub to spokes
  • Automated site-to-site configuration and connectivity between on-premises sites and an Azure hub
  • Global reach through the Azure global transit network and its associated PoPs/Edges
  • Automated spoke setup and configuration with optimal routing through VNet connections
  • Centralized, secured policy enforcement and firewall protection
  • On-demand high bandwidth with low latency
  • Cost optimization
  • Ready for quick deployment
  • The capability to use partner SD-WAN devices
  • Seamless and secured connectivity to Office 365
  • An intuitive way of operational troubleshooting

For further insight into my previous article, “Co-existence between Azure Virtual WAN and SD-WAN is shifting a gear in the digital transformation”, refer to the link below:

Co-existence between Azure Virtual WAN and SD-WAN is shifting a gear in the digital transformation

Rajeev Ujjwal has more than 18 years of transformation delivery experience in cloud computing, infrastructure, directory services, and cyber security with large global customers. He is a senior cloud consultant and has successfully delivered various kinds of global projects such as greenfield, consolidation, separation and migration.
