Technology Blog

Home » Home

Category Archives: Home

The Deep Dive on ‘Well-Architected Framework’ of AWS, Azure & Google Cloud !


Brief Summary:

In this article today, I will draw some insights of cloud’s well-architected framework of all three major cloud service providers. Firstly you will get some idea and background on why these well-architected framework and it’s pillars/principles is really needed for any business in their digital transformation journey and then I will slightly focus on life-cycle of well-architected framework from all three cloud services providers along with similarities/dissimilarities and then finally I will draw some attention on some sorts of approach each provider is following and how they are getting benefitted to their partners and business.         

Real need and importance of cloud well-architected framework in today’s digital transformation:

In today digital world, every cloud service provider in their digital transformation journey offers a large number of services and these are be it on cloud infrastructure | IoT | edge computing | software defined | data science | 5G | Networking | cyber security and so on, these services are growing/will grow very rapidly in future.  A business may consume one or more these services in various ways and each one can be configured in different ways. On the other side, what is important to understand that how on-premise hosted application (legacy, custom or inhouse, COTS, Open Source) is currently operating and how it’s can be transformed/migrated into public or private cloud.

Well this is not new, based on the cloud assessment or application rationalization through R-LANE (for example, Gartner has five R strategies model – rehost, replatform, refactor, rebuild, replace), the  application modernization and it’s migration methodologies for any on-premise hosted application can be decided whether this is either to be lift and shift (rehost) or retire the legacy application and replace it with cloud-native (replace) or with some modification in the application (replatform) or rearchitected the application (re-factor) or rebuild (rewrite the application from scratch) prior migrating them to the cloud. Each application is different and therefore deploying an application to the cloud is usually not a trivial task.

So, based on cloud assessment and rationalization results, the roadmap of any application’s modernization strategy and its cloud migration methodology are usually defined. To host or migrate these various kinds of applications in public/private/hybrid cloud and even to consume large number of cloud services along with, each cloud service provides a set of well-defined architecture, design principles and best practices those are precisely to be followed by practitioner. These set of standard architecture are to ensure that these applications are migrated smoothly, well optimized and secured, managed their operations effectively in a respective cloud.

Well-architected framework life-cycle from all three major cloud service providers:

Several years back, all major cloud service providers (such as Amazon, Microsoft and Google) has released their well-architected framework or architecture framework, they are revisiting and improving these on a regular basis. AWS has very recently announced their eighth version of the Framework since 2012.

https://aws.amazon.com/blogs/architecture/announcing-the-new-version-of-the-well-architected-framework/

In the similar way, Microsoft has also announced their revised Azure well-architected framework

https://azure.microsoft.com/en-us/blog/introducing-the-microsoft-azure-wellarchitected-framework/

Google has also released recently their updated/revised architecture framework guide:

https://cloud.google.com/blog/products/gcp/new-google-cloud-architecture-framework-guide

Well-architected framework pillars or design principles:

So, we talk little bit on the life cycle of their architecture framework and now let’s have a detail understanding on these set of well-defined architecture pillars or design principles

Amazon’s AWS and Microsoft Azure exactly follow the similar naming conventions so called “5 pillars of well-architected framework” where as Google Cloud’s architecture framework covers the same all in their 4 key architecture principles/pillars.

Amazon AWS 5-pillars of well-architected framework

As per Amazon, AWS well-architected framework helps cloud architects to build secure, high-performing, resilient, and efficient infrastructure for their applications and workloads for their business. Based on five pillars AWS provides a consistent approach for customers and partners to evaluate their cloud architectures, and implement designs that can scale over time.

Below are the five pillars of AWS well-architected framework and their purpose: 

  • Operational Excellence – focuses on running and monitoring systems to deliver business value, and continually improving processes and procedures
  • Security – focuses on protecting information and systems
  • Reliability – focuses on ensuring a workload performs its intended function correctly and consistently when it’s expected to
  • Performance Efficiency – focuses on using IT and computing resources efficiently
  • Cost Optimization – focuses on avoiding unnecessary costs

Below figure represents high-level pictorial view of AWS 5-pillars of well-architected framework

Figure-1: AWS 5-Pillars of ‘Well-Architected Framework’

Microsoft Azure 5-pillars of well-architected framework

As per Microsoft, the Azure Well-Architected Framework provides a set of technical guidance that can be used to improve the quality of a workload wherein partners can leverage this guidance to enable customers to design well-architected and high-quality workloads on Azure. The framework consists of below five pillars of Azure well-architected framework and their purpose: 

  • Cost Optimization – managing costs to maximize the value delivered to business.
  • Reliability – the ability of a system to recover from failures and continue to function
  • Security – protecting applications and data from threats.
  • Performance Efficiency – the ability of a system to adapt to changes in load.
  • Operational Excellence – operations processes that keep a system running in production.

Below figure represents high-level pictorial view of Azure 5-pillars of well-architected framework

Figure-2: Azure 5-Pillars of ‘Well-Architected Framework’

Google GCP 4-key architecture principles/pillars

Likewise, Amazon and Microsoft, the Google too have 4-key architecture principles/pillars those covers all 5 similar pillars of what Amazon and Microsoft is having.

Google cloud’s architecture framework provides a set of best practices and implementation guidance to architects on their products and services to aid application design choices based on their unique business needs. The framework provides a foundation for building and improving their Google cloud deployments to ensure standardization and achieve consistency.

The Google 4 key architecture principles/pillars and their purpose are as below:

  • Operational excellence – guidance on how systems efficiently running, managing, and monitoring that deliver business value
  • Security, privacy, and compliance – guidance on appropriate security controls, approach privacy, and meet compliance levels and standards
  • Reliability – guidance on how to build reliable and highly available solutions
  • Performance and cost optimization – suggestions on various available tools to tune your applications for a better end-user experience and analyze the cost of operation while maintaining an acceptable level of service

Below figure represents high-level pictorial view of 4-key architecture principles/pillars of Google cloud’s architecture framework.

Figure-3: 4-Principles of ‘Google Cloud Platform Architecture Framework’

Cloud provider’s approach and benefits of each their well-architected framework:

In previous section, I have brief explanation on each well-architected framework (pillars/principles), their purpose and pictorial view from all three cloud providers and you might have observed the purpose of each is very similar but what may be differ from each that’s their approach, each service provider has slightly different approach to implement their framework.

Amazon AWS Approach: Apart from dedicated focused training to build the internal distributed decision-making capabilities in architected framework, below are the approach which Amazon follows usually:  

  • The AWS WA (well-architected) tool, available at no cost in the AWS Management Console, provides a mechanism for regularly evaluating customer workloads, identifying high risk issues, and recording their improvements.  
  • AWS well-architected partner program members have in-depth training on the well-architected framework that can help partners architect to implement best practices, measure the state of customer workloads, and make improvements where assistance is required.
  • The Lenses extend the guidance offered by AWS well-architected to specific industry and technology domains, such as machine learning, analytics, serverless, high performance computing (HPC), IoT (Internet of Things), and financial services. to fully evaluate the specific industry and technology domain workloads, use applicable lenses together with the AWS well-architected framework and it’s five pillars.

Microsoft Azure Approach: Similar to Amazon, Microsoft does also carry a focused and detailed approach for their well-architected framework by using five pillars, below are the approach which Microsoft follows:  

  • Detailed study on framework content, reference material, and samples those are available in the Azure Architecture Center
  • Taking a deep-dive Azure well-architected review on Microsoft assessments through an online tool
  • Building a great (secure, scalable, high-performing) solution with Microsoft Azure well-architected framework on Microsoft learn.
  • A cloud adoption framework which is a collection of artifacts, implementation guidance & tools from Microsoft to accelerate customers cloud adoption journey and managing their cloud portfolio
  • By providing technical guidance and best practices to architect workloads, Microsoft partners enables business to define, deploy and manage well architected workloads on Azure.

Google Cloud Approach: Google’s framework recommends reviewing their “System Design Considerations” first then follow their 4-key architecture principles/pillars and then enters into a deep-dive into others process below such as discover, evaluate and review based on business needs. This framework is modular so customer can pick and choose process which is most relevant to them

  • Discover: Use the framework as a discovery guide for Google Cloud Platform offerings and learn how the various pieces fit together to build solutions.  
  • Evaluate:  Use the design questions outlined with a detailed thought process while business is thinking about their system design. If they are unable to answer the design question, then they can review the highlighted Google Cloud services and features to address them.
  • Review:  If customer is already on Google Cloud, use the recommendations process to verify if customer is following best practices or as a pulse check to review before deploying to production.

Conclusion:

So, finally we are able to cover the below topics on well-architected framework from all three major services providers

  • Why a cloud well-architected framework and its pillars is needed for business
  • Life cycle of a well-architected framework, its purpose and a pictorial representation for each service providers
  • Similarities /dissimilarities of each well-architected framework from each
  • Some sorts of approach that each cloud service provider is following and how they are getting benefitted to their partners and businesses.

Rajeev Ujjwal has more than 18 years of transformation delivery experience in cloud computing, infrastructure, directory service, and cyber security with larger global customers. He is a senior cloud consultant and successfully delivered various kind of global project delivery such as greenfield, consolidation, separation and migration. 

Deep-Dive on Azure Edge Zones in 5G Network !


Introduction

Last month, I have published my below two articles on Azure Virtual WAN and SD-WAN and both describes on how a cloud hosted and migrated application effectively can be accessed by business through an optimized network with a greater performance and with a low latency even from remote sites:

During this discussion, I also touched based on how business can access their cloud hosted application through a nearby available POP/Edge presence and these Edge/POPs are not only available from major cloud service providers such as Microsoft, Amazon and Google but also from a large number of Telcos to align their current and future digital transformation need of edge computing in a 5G network.

In this article, we will discuss on currently how major cloud services providers and telecom operators are jointly working on edge computing services in their 5G network roadmap and then finally will cover the use cases and benefits of Microsoft released edge computing services.

With the rise of 5G network connectivity, there are n numbers of possibilities to deliver immersive, real-time experiences that needs ultra-low latency, and connectivity requirements. 5G sets a new paradigm shift in telecom industry with enhanced mobile broadband up to 10x faster, reliable low-latency communication

Telecom providers partnering with CSP’s for 5G Edge

A large number of telecom operators i.e. AT&T, CenturyLink, Etisalat, NTT Communications, Proximus, Rogers, SK Telecom, Telefónica, Telstra, Vodafone and others have partnered with Microsoft on their effort and plan to make these Azure Edge Zones available to customers for 5G edge networks.

On the other side, SK Telecom, KDDI, Verizon, Vodafone Group and few others operators are also partnered with Amazon Web Services (AWS) to develop its edge computing services through AWS Wavelength on 5G networks. An AWS wavelength will be deployed by its operator partners to provide ability to developers for building applications that serve end-users with single-digit millisecond latencies over the 5G network.

Google is in the same move and partnering with telecom providers such as AT&T, Vodafone and others to harness 5G as a business services platform. To meet this goal, Google Cloud recently announced its Global Mobile Edge Cloud (GMEC) strategy, which will deliver a portfolio and marketplace of 5G solutions built jointly with telecom companies which is an open cloud platform for developing these network-centric applications and a global distributed edge for optimally deploying these solutions. 

Google Cloud also announced Anthos for Telecom, which will bring its Anthos cloud platform to the network edge, allowing telecom companies to run their applications wherever it makes the most sense.

Microsoft Edge Computing Services ‘Azure Edge Zones’

In the end of Mar’2020, Microsoft has announced their edge computing services called “Azure Edge Zones” (currently available in preview), which are designed to provide the cloud resources quickly at carrier’s 5G network and enables data processing very close to end user. With this, business developers now can deploy cloud resources such VMs, containers, and other selected Azure services into Edge Zones to address the low latency and high throughput requirements of applications near to their business locations/sites.

Azure has not released just one service but there are three types of edge zones and these referred to as Azure Edge Zones, Azure Edge Zones with Carrier and Azure Private Edge Zones respectively. Each Edge Zones are connected to Azure’s own network and runs in existing Microsoft network POP/Edge locations where Azure CDNs, Azure Front Door’s and other services are running with an appropriate security control.

With Azure edge zones, Microsoft is gearing up towards to an important telecom industry space which blends the cloud computing with mobile networks and making strength of 5G edge computing for enterprises, IoT, and applications which operates on a very low latency.

In simple terminology, an Azure edge zones are local extensions of Azure services to enterprises which are ideal for solving compute, storage, and service availability problems by allowing business to provide experience-driven resources closer to their locations/sites. Azure edge zones are available through Azure (Azure Edge Zones), with select carriers and telecom operators (Azure Edge Zones with carriers), or as private customer zones (Azure Private Edge Zones).

Azure edge zones overall benefits

As per Microsoft, Azure edge zones provides a rich, seamless customer experience in real time with ultra-low-latency edge compute capabilities. Below are the major benefits of Azure edge zones but not limited to:

Solve edge latency problems with 5G network – Accelerate a quick application and virtualized network function (VNF) deployment to provide a seamless compute, storage, IoT, and container services to business. The low edge latency and high bandwidth of Azure edge zones and 5G networks virtually eliminates the latency concern.

Better application performance and data control – Azure edge zones enable faster access to local Azure services to get granular control of data and better performance by deploying apps at the edge and these apps are such as critical industrial IoT and media services workloads. Development of distributed applications across cloud, on-premises, and edge using the same Azure Portal, APIs, development, and security tools.

Deliver better mobile experiences with 5G network – Provide a better real-time experience for businesses and developers by deploying reliable, latency-sensitive applications, high-density graphics gaming’s on wireless networks with “Azure edge zones with carriers”. An acceleration of IoT, artificial intelligence (AI), and real-time analytics by optimizing, building, and innovating for robotics, automation, and mixed reality.

Boost private edge performance with 5G network – Get the lowest latency possible for any industrial use case through a fully automated service-delivery experience with Azure private edge zones.

Extend your on-premises to Azure by using SD-WAN appliances – By using SD-WAN appliance on the same private edge zone appliance, customer can extend their on-premises networks across multiple branches to Azure. SD-WAN provides seamless branch office connectivity that’s orchestrated from redundant central controllers at lower cost of ownership.

Use Case & Scenarios

It becomes important to understand the specific use cases of each types of released Azure edge zones and for that we will talk about all the use cases on each edge zones separately. Azure Edge Zones and Azure Private Edge Zones deliver consistent Azure services, applications platform, and management to the edge with 5G network by unlocking new scenarios.

As per below Microsoft article – https://docs.microsoft.com/en-us/azure/networking/edge-zones-overview, the typical use case & scenarios for edge zones are available as below:

  • Real-time command, control in robotics,
  • Real-time analytics and inferencing through artificial intelligence & machine learning.
  • Machine vision.
  • Media streaming and content delivery.
  • Surveillance and security.
  • Remote rendering for mixed reality and VDI scenarios.
  • Immersive multiplayer gaming.

Azure Edge Zones

Common applications include distributed apps and public cloud-based business and consumer platforms in industries like retail, media, financial services so typical use cases of Azure edge zones include as below:

  • Gaming and game streaming.
  • Media streaming and content delivery.
  • Real-time analytics and inferencing via artificial intelligence and machine learning.
  • Rendering for mixed reality.

Below figure-1: Azure Edge Zones represents the scenarios of above said use cases by using the Kubernetes, IoT, Azure edge zones services.

Figure-1: Azure Edge Zones

Azure Edge Zones with carrier

5G speed and bandwidth makes ingesting, delivering, and processing data faster and ideal for connected vehicles, mobile platforms and interactive games, high-bandwidth video streaming, and other business-critical scenarios.

Typical use cases of Azure edge zones with carrier include all 4 use cases of Azure edge zones plus two more as below:

  • Connected automobiles.
  • Tele-medicine.

Below figure-2: Azure Edge Zones with Carrier represents the scenarios of above said use cases by using the Kubernetes, IoT, Azure edge zones services, 5G mobile carrier and connected vehicles.

Figure-2: Azure Edge Zones with Carrier

Azure Edge Private Zones

Azure Private edge zones are small-footprint extensions of Azure which are based on the “Azure Stack Edge” platform and are placed on-premises. It enables low latency access to computing and storage services deployed on-premises

With private LTE and 5G speed, high bandwidth, and ultra-lower latency, Azure Private edge zones are ideal for optimizing the performance of connected robotics, big data analytics, mixed reality, and other automation-driven applications.

SD-WAN on Private edge zones also let customer to move from a capex-centric model to a software-as-a-service (SaaS) model to reduce IT budgets.

Private mobile networks enable ultra-low latency, high capacity, and a reliable and secure wireless network that is required for business-critical applications. Private mobile networks enable scenarios such as command and control of automated guided vehicles (AGV) in a warehouse, real-time communication between robots in a smart factory and augmented reality, and virtual reality edge applications.

Typical use cases of Azure edge private zones include as below, all use cases for this service is different except one ‘Real-time analytics and inferencing with AI and ML’.

  • Real-time command and control in robotics.
  • Real-time analytics and inferencing with artificial intelligence and machine learning.
  • Machine vision.
  • Remote rendering for mixed reality and VDI scenarios.
  • Surveillance and security.

Below figure-3: Azure Private Edge Zones represents the scenarios such as command and control of automated guided vehicles (AGV) in a warehouse, real-time communication between robots in a smart factory (industry robotics), augmented reality and surveillance security.

Figure-3: Azure Private Edge Zones

Azure Private edge zone also lets developers to develop and deploy applications on-premises by using the same familiar tools that customer use to build and deploy applications in Azure. Azure also lets customer to below:

  • Run private mobile networks (private 5G, private LTE).
  • Implement security functions like firewalls from various technology partners such as Affirmed, Mavenir, Metaswitch, Nuage Networks from Nokia, Palo Alto Networks, and VeloCloud from VMware.
  • An evolving platform building with customers, carriers, and industry-partners to allow seamless integration and wide selection of Virtual Network Functions (VNFs), including 5G software and SD-WAN

As this Azure Service is new and running under Preview currently, we will have more further use cases and in depth discussion once this service is in ‘general availability’ release.

Rajeev Ujjwal has more than 18 years of transformation delivery experience in cloud computing, infrastructure, directory service, and cyber security with larger global customers. He is a senior cloud consultant and successfully delivered various kind of global project delivery such as greenfield, consolidation, separation and migration. 

Microsoft Azure AD Identity Solution – Part-3 !!!


Microsoft Identity as a Service (IDaaS) for Enterprise Architects

What IT architects need to know about designing Microsoft identity solution for customer while they deployed any public and private cloud (hybrid) with all types of cloud services such as IaaS, PaaS and SaaS

Brief Introduction

In my previous article “Microsoft Azure AD Identity Solution – Part-2 !!!”, we discussed about Microsoft Azure AD as an identity solution in detail and how Azure identity (IDaaS) solution provides seamless SSO and MFA solution for SaaS and on-premises apps. Apart from that, we also discussed on how an Azure AD collaborates with B2B and B2C scenarios and then finally we talk about the use cases of Azure AD application proxy for accessing on-premises hosted applications.

In this article, we will talk about specific industry use cases scenarios such as identity authentication & authorization for applications hosted in IaaS cloud platform. Here we will discuss on how on-premises Active Directory Domain Services (generally called corporate or enterprise AD DS) and Active directory Federation Services (AD FS) are getting extended into IaaS platform and provides authentication and authorization to applications/workloads hosted in Infrastructure as a Service (IaaS).

In case of customer does not have the on-premises AD DS or AD FS exist into their corporate landscape then customer can leverage the Microsoft managed Azure Active Directory Domain Services (Azure AD DS) for providing authentication and authorization to applications or workloads hosted in Infrastructure as a Service (IaaS).

These are most common scenario used in industry for legacy and modern apps which are either migrated from on-premises into IaaS or directly hosted in IaaS as a fresh build.

Azure AD domain service (Azure AD DS)

Azure AD domain service is a cloud-based domain services that’s completely managed by Microsoft and provide below features:

  • This cloud-based domain services provide certain features of on-premises AD such as domain join, group policy, LDAP & Kerberos/NTLM authentication in Azure laaS
  • Remember that Azure AD DS has certain limitations as compare to on-Premises AD
  • Customer can join their Azure VMs to a domain without deploying DC’s because Azure AD DS is part of customer existing Azure AD tenant and users can login using the same credentials, they use for Azure AD.

Note: This Azure AD managed domain is a standalone domain and is not an extension of on-premises AD domain/forest infra. However, all user accounts, group memberships, and credentials from on-premises AD are available in this via Azure AD tenant

Below figure shows how an Azure AD domain services provides the authentication and other domain services to customer line of business applications running under Azure infrastructure as a service (IaaS)

Figure-1: Azure AD Domain Services

Synchronize on-premises AD accounts to Azure AD

This solution provides access to all of Microsoft SaaS and cloud-based identity options for Azure PaaS & laaS apps, two below approaches are recommended, choose either one

A. Directory & password synchronization

B. Identity federation

Directory and password synchronization
This is a simplest and recommended option for most enterprise organizations, below figure shows how an Azure AD directory, password sync and MFA can be achieved Azure AD connect tool:

  • User accounts are synchronized from customer’s on premises directory to their Azure AD tenant. The on promises directory remains the authoritative source for accounts
Figure-2: Azure AD Connect (directory and password sync)
  • Azure AD performs all authentication for cloud-based services and applications
  • Supports multi-forest synchronization

Note: Using cloud-only accounts is not recommended for enterprise-scale customer unless Windows AD is not already used on premises

Password synchronization: Users enter the same password for cloud services as they do on-premises. user’s passwords are never sent to Azure AD instead a hash of each password is synchronized

Multi-factor authentication (MFA): Apps in Azure can take advantage of the Azure MFA service whereas directory sync does not provide integration with on-premises MFA solutions

Identity federation

Federation provides additional enterprise capabilities, but It is also more complex & introduces more dependencies for access to cloud services as shown in figure below:

  • All authentication to Azure AD is performed against the on-premises directory via Active Directory federation services (AD FS) or another federated identity provider
  • Works with non-Microsoft identity providers
  • Password hash sync adds the capability to act as a sign-in backup for federated sign-in (f the federation solution fails)
Figure-3: Azure AD identity federation

Use identity federation if
AD FS s already deployed or using a third-party identity provider

Having an on-premises integrated smart card or other MFA solution

Require sign-in audit and/or disablement of accounts

Compliance with Federal Information Processing Standards (FIPS)

Federated authentication requires a greater investment in infrastructure on premises

  • The on-premises servers must be Internet-accessible through a corporate firewall Microsoft recommends the use of federated proxy servers deployed in a perimeter network, screened subnet, or DMZ
  • Requires hardware, licenses, and operations for AD FS servers, AD FS proxy or web application proxy servers, firewalls, and load balancers
  • Availability and performance are important to ensure users can access cloud applications

Placing directory components in Azure IaaS

Consider the benefits of deploying directory components i.e. AAD Connect/AD DS/AD FS to Azure laaS, as shown in figure, especially if customer plan to extend their on-premises AD to Azure virtual machines for their line of business apps

If customer hasn’t already deployed AD FS on-premises, consider whether the benefits of deploying this workload to Azure makes sense for the organization –

  • Provides autonomy for authentication to cloud services (no on-premises dependencies) and reduces servers and tools hosted on-premises
  • Use a S2S VPN gateway on a two-node duster or ExpressRoute to connect Azure
  • Uses ACLs to ensure that Web App Proxy servers can only communicate with AD FS, not AD DCs or others server directly
Figure-4: Placement of on-premises AD components in Azure IaaS

Extending On-premises AD to virtual machines into Azure IaaS

Refer to the figure which shows the configuration of hybrid deployment on-Premises AD extension to Azure AD and It requires:

  • A virtual network (VNet) in Azure laaS
  • A S2S VPN or ExpressRoute connection.
  • Extending customer on-premises to virtual machines in the virtual network
  • Deploying one or more DC in Azure VNet designated as a GC to reduces egress traffic

When to use this solution?

  • Schema extensibility and need to write to existing directory identities.
  • Support for apps in Azure VNet where network isolation is a requirement
  • Support across multiple Azure subscriptions.
  • Certificate or smartcard-based authentication for apps
Figure-5: on-premises AD extension to Azure IaaS

Note: On-Premises AD extension covers lots of limitation of Azure AD DS Below Microsoft FAQ covers features and limitations of Azure AD DS as compare to on premises AD DS: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/faqs

To have further more insight on my previous articles on “Microsoft Azure AD Identity Solution – Part-1 & 2!!!” , Refer to below article:

Microsoft Azure AD Identity Solution – Part-1 !!!

Microsoft Azure AD Identity Solution – Part-2 !!!

Rajeev Ujjwal has more than 18 years of transformation delivery experience in cloud computing, infrastructure, directory service, and cyber security with larger global customers. He is a senior cloud consultant and successfully delivered various kind of global project delivery such as greenfield, consolidation, separation and migration. 

Microsoft Azure AD Identity Solution – Part-2 !!!


Microsoft Identity as a Service (IDaaS) for Enterprise Architects

What IT architects need to know about designing Microsoft identity solution for customer while they deployed any public and private cloud (hybrid) with all types of cloud services such as IaaS, PaaS and SaaS

Brief Introduction

In my previous article “Microsoft Azure AD Identity Solution – Part-1 !!!”, we discussed about Microsoft Azure AD as an identity solution in detail and how Azure identity (IDaaS) solution effectively address the challenges on seamless access & integration with a wide range of legacy apps and modern SaaS services in a multi-hybrid cloud environment such as AWS, Azure and Google cloud.

In this article, we will focus on some more industry use cases of Azure identify solution and its integration capabilities. These industry use cases are such as seamless solution on single sign-on (SSO) and multifactor authentication (MFA), Azure AD collaboration with business-to-business (B2B) partners and business-to-consumer (B2C) and then finally talk about Azure AD application proxy

Seamless SSO and MFA solution to SaaS and on-premise applications

An Azure AD integration with hybrid cloud provides a seamless single sign-on (SSO) and multi-factor authentication (MFA) capability to SaaS and on-premises apps. Refer to the below figure on how Azure AD tenant connects to Azure SaaS apps such as office365, ServiceNow and others apps: 

Figure-1: Azure AD tenant connecting with SaaS

The seamless single sign-on of Azure AD tenant is the following:

  • An emerging need of unified application access and single sign-on to all types of SaaS applications
  • Consistent user experience with single sign-on across all SaaS services and on-premises apps by using below SSO methods:
    • Cloud SaaS apps can user Open-ID Connect, OAuth, SAML, password-based, linked or disabled methods for SSO
    • On-Premises applications can use password-based, integrated windows authentication (IWA), header-based, linked or disabled methods for SSO. The on-premises choice works when applications are configured with application proxy

The following flowchart help Identity Architect to decide on which Azure AD single sign-on method is best for their business apps and fits in their business scenario: 

Figure-2: Azure AD single sign-on methods

A traditional enterprise SSO solution such as on-premises corporate AD can extend to SaaS services by using Active Directory Federation Services (ADFS).

The seamless multi-factor authentication (MFA) of Azure AD tenant covers below:

  • A process where a user is prompted during the sign-in for an additional form of identification, such as to enter a code from their mobile phone or to provide a fingerprint scan.
  • Customer on-premises applications or SaaS services don’t require to make any changes to use Azure MFA. The verification prompt is part of Azure AD sign-in event, that automatically request and processes the MFA challenge when needed.
  • Azure MFA generally works by needing two or more methods:
    • Password
    • Trusted devices that is not easily duplicated (a phone or hardware key)
    • Biometrics (a fingerprint or face scan)

Azure AD B2B and B2C collaboration

Azure AD B2B collaboration enables secure integration between business to business partners

These new capabilities make it easy for businesses to create advanced trust relationships with Azure AD tenants so they can easily share their business apps (such as ServiceNow, Salesforce etc.) across companies/customers without hassle of managing additional directories or having the overhead of managing partner’s identity solution.

Below figure shows how an Azure AD B2B collaborates with SaaS applications between customer’s and partner’s Azure AD tenant:

Figure-3: Azure AD B2B collaboration

An Azure AD B2C is a highly available, global, identity management service for consumer-facing applications that scales to hundreds of millions of identities.

An Azure AD B2C easily integrates across mobile and web platforms, through this consumers login to all their apps through fully customizable experience by using their existing social accounts such as Google, Facebook, Linked-In or by creating new credentials. Below figure shows how an enterprise Azure AD B2C collaborates with Azure PaaS through consumers social identities:

Figure-4: Azure AD B2C collaboration

Azure AD application proxy

Microsoft Azure AD application proxy lets customer publishes their web-based apps inside their private network and provides secure access to users outside world as below:

  • Employees can log into their apps from home on their own devices and authenticate through this Azure AD cloud-based proxy
  • By using Azure AD proxy customer also can protect their on-premises apps with the same requirements as other cloud-based apps with MFA, and other conditional access.
  • Application proxy works by installing a slim Windows service called “Connector” inside a private network and that maintains an outbound connection from within private network to this Azure AD proxy service

Below figure shows how an on-premises application can be accessed through an Azure AD application proxy.

Figure-5: Azure AD application proxy

To have further more insight on my previous article on “Microsoft Azure AD Identity Solution – Part-1 !!!” , Refer to below article:

Microsoft Azure AD Identity Solution – Part-1 !!!

Rajeev Ujjwal has more than 18 years of transformation delivery experience in cloud computing, infrastructure, directory service, and cyber security with larger global customers. He is a senior cloud consultant and successfully delivered various kind of global project delivery such as greenfield, consolidation, separation and migration. 

Microsoft Azure AD Identity Solution – Part-1 !!!


Microsoft Identity as a Service (IDaaS) for Enterprise Architects

What IT architects need to know about designing Microsoft identity solution for customer while they deployed any public and private cloud (hybrid) with all types of cloud services such as IaaS, PaaS and SaaS

Introduction

Cloud computing and mobile devices have transformed the modern digital workplace and Identity is the key foundation of our digital transformation journey today. Most of the businesses today are following a “cloud first” strategy, with lifting & shifting their existing infra and business applications into hybrid cloud, modernizing their business apps and opting in as-a-service models.

While cloud services are easy to deploy and commonly come with modern end users experience but this shift to digital transformation also introduces the new challenges (such as security risk, administrative burden and poor end users experience). Even, it becomes more challenging during the current covid-19 pandemic situation where most of businesses are opting in “work from home” to access their hosting applications in hybrid clouds.

Due to the nature of the business (i.e. manufacturing, utility, infrastructure, automotive etc.) and its gradual transition, the reality of most businesses will remain hybrid for many years, even if the enterprise’s workloads are moved into partners dc called “private cloud”, it’s still about running their legacy IT landscape and business apps on on-premises, alongside all the new SaaS services deployed in multi-tenant public clouds.

From the end user’s experience and IT/IS perspective, users must access their applications in both on-premises and cloud, and IT/IS must manage and protect applications in both places. Altogether with the shift to new way of working such as “work from home”, there is a need for providing a consistent end users experience, safeguarding the end users’ identities and management of hybrid cloud environment.

Providing seamless access and integration with wide range of legacy apps and modern SaaS service is the biggest challenge. So, enabling the single sign-on to modern SaaS services is just a simple part but the real challenge is supporting full range of services within multi-cloud hybrid environments. Even though various vendors offer their respective identity as service solution (such as Oracle, IBM, Google, Octa, CA, Ping Identity and so on.) but we will focus on Microsoft identity solution in this article in more detail.

Microsoft offers Azure AD – cloud-based Identity as a Service (IDaaS) and that comes with a comprehensive approach and single control pane of providing seamless access to users for all types of apps – SaaS, on-premises and custom-built apps.

The below figure depicts the detailed features of Azure Active Directory and their functionalities such as on-premises infra integration, user accounts, devices, partner collaboration with customer account management, application integration and administration.

Figure-1: Azure AD Identity as a Service (IDaaS) Solution

Integrating Azure AD identity with Azure, AWS and GCP Hybrid Cloud

Azure AD integration with hybrid cloud provides a broad range of capabilities for business, the capabilities include but not limited to the following:

Azure identity solutions address challenges like safeguarding identities, improve user experience accessing applications seamlessly across platforms, and increasing administrative efficiency

One identity for all applications across cloud services (SaaS, PaaS, IaaS) across all cloud platforms such as Azure, AWS, Google etc.

Collaboration with partners by using Azure AD B2B and B2C

Synchronization or federation with on-premises directory through Azure AD connect

Enables single sign-on and multi-factor authentication

Integration with web-based applications located on-premises through application proxy

Use either Azure AD domain services (Azure AD DS) for authenticating to line of business (LOB) applications hosted on virtual machines in Azure IaaS or extend on-premises active directory domain service (AD DS) to Azure IaaS

Azure identity provides cloud apps discovery and management through Azure AD ‘MyApps’ panel as single control pane

Below figure shows the Azure AD integration with hybrid cloud respectively Azure, AWS and Google:

Figure-2: Azure AD integration with Azure hybrid cloud
Figure-3: Azure AD IdP Federation with AWS Cloud Apps
Figure-4: Azure AD Federation with GCP Cloud

Rajeev Ujjwal has more than 18 years of transformation delivery experience in cloud computing, infrastructure, directory service, and cyber security with larger global customers. He is a senior cloud consultant and successfully delivered various kind of global project delivery such as greenfield, consolidation, separation and migration.