As enterprise adoption of public cloud increases, accessing the resources and expertise to handle architecture design, security and operations can be daunting. Once live, many organisations experience problems and discover that they aren’t making the cost-savings they anticipated or experience issues such as latency. Optimising cloud post-migration can be complex and costly, so it is crucial to take time to plan and architect for the desired outcome.
Here’s the process Fordway uses to design, migrate and optimise, ensuring our customers achieve a successful migration to cloud that meets their business needs.
Work out the Azure services needed based on your current usage and business requirements.
Before you start cloud migration it is important to understand and map out your existing environment and clearly define your business objectives. Not all workloads are candidates for public cloud migration. We like to run a discovery workshop to perform a high-level review of your current environment and identify suitable workloads and services appropriate for Azure. Our architects analyse the current baseline and produce high-level target architectures optimised to make the best use of Azure, minimising prospective costs and maximising utility to meet your technical and business objectives. We present our findings and options analysis to provide recommendations to customers. This information is used to create a High-Level Design (HLD) for the organisation.
Minimise costs by understanding your service requirements and data transfer.
One of the common drivers to move to the cloud is cost optimisation. If you have cyclical busy periods, incorporating services like Azure Job Scheduler and Azure Automation to automatically resize VMs based on the day, month or year, providing extra capacity when it is required, can save money. This allows you to pay only for what you need when you need it. Azure Automation can also be used to shut instances, service groups or environments down overnight and at weekends, or at quiet periods, to reduce spending.
Architecting your Azure tenancy correctly for your workloads and selecting only the features you need up-front is, however, the most effective way to ensure you control your costs.
Create a detailed plan of the services and functionalities needed.
With the HLD agreed we produce a detailed plan. Creating a virtual environment in Azure requires informed planning to minimise costs. Azure Reserved Instances and Azure Hybrid Benefit can provide big savings to customers if planned correctly but need careful consideration to ensure they meet long-term service availability and flexibility requirements. Storage type (SSD or HDD), storage performance (IOPS) and storage availability (LRS, ZRS, and GRS) are all factors that need to be considered in the design phase. Magnetic storage will be more suitable for high volume, low response data applications. Then you need to consider whether to apply data encryption at rest.
Service resilience needs to be designed to meet your desired service availability targets. You need to consider whether resilience options are within or between availability zones (AZ) within a region, or between regions, which could be an issue if data sovereignty is important to you. Replicating between AZs will incur data transfer charges, so you need to consider how much replication traffic there will be and whether you need that level of resilience. These and myriad other decisions will affect the solution design, connectivity, security and ongoing cost.
Using pre-configured service offerings within Operations Management Suite (OMS) allows tracking, monitoring, and reporting on change and environment health. Other features in OMS such as Network Watcher allow network health monitoring, reporting when network segments go down and tracking the source of the problem (e.g. VPN down, router offline, firewall block). Fordway can use the Service Map feature of OMS to record application and service dependencies and map connectivity between service components, to better understand application and solution architectures and secure them.
Architect with security at the forefront
There is a general misconception that public cloud is insecure; however, by leveraging Azure features like Network Security Groups (NSGs), User Defined Routes (UDRs), Web Application Firewall (WAF), and more, it is possible to deliver a highly secure environment hosted in Azure. These can be purely cloud hosted or integrated with your on-premises environment, using traditional VPNs or ExpressRoute to create a hybrid solution.
Azure Security Centre provides security best practice and recommendations, such as whether exploitable insecure network configurations or services are enabled and open on VMs. Add-ons to Azure Security Centre provide warnings about missing patches at a VM level, as well as in-depth insights into potential attacks such as Remote Desktop, password attacks, and more, which can be used to remediate vulnerabilities.
When designing your Azure Active Directory (Azure AD), we consider features like Hybrid Identity, Password Sync, Pass-through Authentication and federation with on-premises AD (ADFS). Where required we can integrate third-party federation using Azure AD as an identity management solution. This can encompass paid-for SKUs such as Azure AD Premium and Azure Multi-Factor Authentication (MFA), which Fordway can manage through our Microsoft CSP (Cloud Solution Provider) accreditation; Fordway are an accredited Tier 1 CSP.
Backups are also a crucial consideration during the design phase. Developing the correct backup strategy requires an understanding of how the appropriate technologies work. Azure Backup has a few more options than Azure Site Recovery (ASR) such as whether to use direct backup, Data Protection Manager (DPM) or Azure Backup Server (ABS) in the middle. Data type and source will influence the final technology selection.
Use a project manager to increase the likelihood of a successful transition
We use a dedicated project manager to manage all aspects of the planning, migration and service initiation on Azure. Using industry-standard PRINCE2 project controls for the project governance and documentation, we deliver work packages in Agile sprints within the defined project controls. The project manager will provide reports and other project updates through an agreed shared communications plan.
Monitor and improve to realise your cloud objectives.
Once the migration is completed we move into the realisation phase. Whilst your physical migration is complete, this is, in fact, the most important phase. We always work with customers to ensure that their desired outcome is achieved and the business benefits are realised.
Here we either help the customer’s internal staff to achieve the benefits, or take responsibility for service delivery, assurance and management on their behalf. To assist an in-house team we provide comprehensive documentation and perform detailed knowledge transfer workshops to ensure the teams are equipped to support all aspects going forward.
If Fordway are responsible for managing the service, our service delivery and management teams will be primed to ensure the transition to steady run state is as frictionless as possible. All our service delivery processes are run to ITIL, certified to ISO20001 and ISO9001, and secured to ISO27001 and Cyber Essentials PLUS.
We can also manage Azure billing and cost control. Whilst Azure provides Azure Advisor to give advice on how to optimise costs and services, we know from experience that the advice given is not always applicable for certain workloads, so you need to check carefully before acting on it.
We always review the configuration to ensure that the service is fit for purpose and that custom alerting is implemented allowing reporting and management on key performance criteria and thresholds.
Azure Resource Manager Tags and Azure Resource Manager Resource Groups enable Fordway to manage billing. Where needed we can provide cost breakdowns per service, per environment, and more, reflecting how Resource Groups and Tags are deployed. Depending on organisational structure, and to manage cost, there may be a case for more than one subscription; however, we typically help customers manage most situations with a single subscription by leveraging the proper use of the Resource Manager model for RBAC on Resource Groups and resources.