While Microsoft Azure offers an open and flexible platform for PaaS solutions, customers and partners usually take a “Lift and Shift” approach to moving their existing apps to Azure, that is, they try to keep and run the systems “as-is” or with minimal changes. The reason why they take the approach is rather obvious, whether it is for a proof of concept (POC), pilot or full migration. Most of these on-prem systems have some dependencies on other internal or external systems and any change to the infrastructure configuration, not to mention source code change, require further testing, which can take time and people resources. With the approach, they are also interested to evaluate the overall cost as compared to on-prem hosting. Working from several ISV partners I have discovered and learned 12 important lessons, most of which are related to manageability and security and should be applicable to hybrid migration and cloud-only migration, and would like to share them here.
Working with Azure Resource Group
Resource group is container that holds related resources for an application and role-based access controls. It’s up to you to determine how many resource groups you want to have as you create VMs, networks, etc. to support one or many apps on Azure. While it is not wrong to create multiple resource groups for your apps, with one VNET within each resource group, you will discover very quickly that doing so requires fairly amount of configuration if you have to enable communications between these VNETs.
It is common, however, that you create one dedicated resource group for Azure networking, that is, Azure VNET and subnets, and that you can grant read-only, contributor or custom role permissions to the group of people who are responsible for managing the networking at your organization.
Creating Windows Active Directory AD Domain
When you have multiple Windows Active Directory AD domains, you may be thinking whether or not you should consolidate the domains to simplify AD management. On the other side, you may be wondering if making such change would break existing administrative boundaries among teams. The general rule of thumb is that you make no or little change during the initial phase of “lift and shift” unless the benefits of making changes overweigh the no change option.
It is worth noting that when Windows AD domains must be deployed on Azure data disks, the same or separate data disks and that the host cache preference setting on the Azure data disk is set for NONE. Here is why. Active Directory Domain Services (AD DS) uses update sequence numbers (USNs) to keep track of replication of data between domain controllers. Failure to disable write caching may, under certain circumstances, introduce USN rollback resulting in lingering objects and other problems. For more info, read the AD documentation.
To further protect your AD identity systems, you can implement the Tier model.
Considering Custom AD Domain with Azure DNS
You can use Azure DNS or your own DNS. If you use custom domains or subdomains, e.g. mycompanydomain.com, for public accessible URLs, you
You can choose to have one or many VNETs. My colleague Igor has put together a nice blog post explaining how to configure communications between these VNETs. It is not uncommon that you go with one VNET with multiple subnets and place them in one separate resource group. You then grant appropriate permissions to users from other resource groups.
Leveraging Network Security Group and User Defined Routes
To protect your resources in Azure, you can use NSG to set up access controls and UDR to route traffic flows.
Adding Virtual Appliances to meet network requirements
Virtual appliances are typically Linux or FreeBSD-based VMs on Azure that perform specific network functions including security (Firewall, IDS , IPS), Router/VPN, application delivery controller and WAN optimization. They are available through partner solution on the Azure Marketplace and can be used to meet on-prem network requirements.
Setting up jump box for secure remote access
Despite different views on their benefits, as mentioned in this skyport blog post, Jump boxes are used today to provide secure remote access to administrators. In conjunction with Azure NSG and UDF and virtual appliances, jump boxes (two for high availability) can be configured behind the virtual appliances (two for high availability) with no public IP. This way, only authorized administrators can get on the jump box through the virtual appliance and then RDP to internal resources.
Providing multi-factor authentication on remote access
You can easily enable MFA through Azure AD premium. In addition, you can add MFA to RDP servers. For more info on the latter, read the white paper "Secure RDP Connection to on premise servers using Azure MFA - Step by Step Guide".
Storing keys and secrets in Key Vault
You can use Azure Key Vault to create and store keys and passwords using PowerShell or CLI. There is no portal UI at the moment but will be added. Also, there are no notifications/alerts for keys due to expire at this time but this is a known common feature request.
Dealing with backup and DR issues
You can use Azure Backup service to back up files. For Bitlocker protected volume, the volume must be unlocked before the backup can occur. More info at Azure Backup service- FAQ
You can use Azure Site Recovery Service (ASR) to migrate an on-prem system to a secondary site or to Azure. However, site to site within Azure is not supported currently.
Working around the Linux cluster issue
Linux cluster requires shared access to a shared disk, which is not currently supported on Azure. There are some workarounds that you can find from the Linux community. For example, this blog post, "Step-By-Step: How to configure a Linux failover cluster in Microsoft Azure IaaS without shared storage #azure #sanless" walks you through all steps required to configure a highly available, 2-node MySQL cluster (plus witness server) on Azure VMs.
Monitoring your Azure environments with OMS
Azure Operations Management Suite (OMS) is your best bet when it comes to monitor the health of your systems on Azure. Keep in mind that services such as backup that are not available today are being added to the suite very rapidly.