3. I help companies move securely to the cloud.
Hey there, I’m Jussi!
@JussiRoine
4. But I love virtual machines! Also, where is my C:\Inetpub?
Understanding Microsoft Azure
Topics:
- Essential services
- Security
- Where to go from here?
- You don’t need to use them all
- I don’t trust the cloud
- Survival guide
6. On-site
We ❤ SharePoint farms!
- Load balancing & DNS
- Web frontends
- App Servers and CA
- Distributed Cache
- Workflow Manager
- Office Online Server
- Customizations
- Backend: AD, Databases, MIM
10. Platform Services (service map, grouped by area)
- Datacenter Infrastructure / Infrastructure Services: Compute, Storage, Networking
- Compute Services: Virtual Machines, VM Scale Sets, Cloud Services, Batch, RemoteApp, Service Fabric, Containers, Container Service, Functions
- Networking: Virtual Network, ExpressRoute, VPN Gateway, Load Balancer, Traffic Manager, App Gateway, DNS
- Storage: Blob, Files, Disks, Tables, Queues, Data Lake Store, StorSimple, Import/Export
- Data: SQL Database, DocumentDB, Redis Cache, Azure Search, SQL Data Warehouse, SQL Server Stretch Database
- Analytics & IoT: HDInsight, Machine Learning, Stream Analytics, Data Factory, Event Hubs, Data Lake Analytics Service, IoT Hub, Data Catalog, Power BI Embedded
- Intelligence: Cognitive Services, Bot Framework, Cortana
- Application Platform: Web Apps, Mobile Apps, API Apps, Notification Hubs, Mobile Engagement
- Hybrid Cloud: Backup, StorSimple, Azure Site Recovery, Import/Export
- Integration: BizTalk Services, Service Bus, Logic Apps, API Management
- Media & CDN: Content Delivery Network, Media Services, Media Analytics
- Developer Services: Visual Studio, VS Team Services, Application Insights, Xamarin, HockeyApp, Dev/Test Lab
- Security & Management: Azure Active Directory, Azure AD B2C, Azure AD Domain Services, Azure AD Privileged Identity Management, Multi-Factor Authentication, Key Vault, Security Center, Portal, Automation, Scheduler, Health Monitoring, Operational Analytics, Store/Marketplace, VM Image Gallery & VM Depot
11. Real-world example
Migrate existing public-facing website + extranet to PaaS
Schedule: 1 month
Old infrastructure
5 Linux VMs, god knows what distro and services
Websites running Django and ”some” custom PHP and Python
Project team decided that no technology change is needed, just a facelift for the UI
Some notable challenges:
12. So, how do I actually get started with Microsoft Azure?
Azure Pass
- Free activation, granting you 130 € of credit for testing over a 30-day period
- Requires a Microsoft Account
- Activate through https://www.microsoftazurepass.com/
Free trial
- Free activation, granting you 12 months or 170 € of credit for testing, whichever runs out first
- Requires a credit card for a 0,01 € verification charge
- Activate through https://azure.microsoft.com/en-gb/offers/ms-azr-0044p/
Pay as you go
- Normal registration with a credit card
- Pay as you go, and set monthly spending limits
Other options: CSP and EA, special activation codes
Get a subscription – it brings an Azure AD tenant with it
13. Required skills for an IT Pro in 2000
Install Windows XP
Install Windows 2000 Server
Install IIS
Install SQL Server 2000
Install & configure Active Directory
Install hotfixes and service packs
Install other business software
14. Required skills in 2018
Microsoft Azure: IaaS, PaaS
ARM templates
PowerShell
Docker and Containers and Kubernetes and basically everything
Windows Server
Active Directory and Azure Active Directory
Windows 10 management
System Center and Intune and co-management
Office 365: Exchange Online, SharePoint Online, Skype for Business etc.
Security *.*
Networking
Browsers & Office clients
15. This is too often the reality
”Let me quickly build your datacenter”
(Diagram: Start → Format → service → ☁️)
16. Real-world example:
Create a website that scales indefinitely
Schedule: 3 months
Build a website that scales indefinitely
Customer wanted ”five 9’s” of SLA
Pages must load in <1 second, at all times
”Do what you must to make it so”
Great project, great challenges:
17. Solution architecture (diagram)
- Developers → Git push (VSTS) → Web App (Windows) prod-web and Node.js API App (Linux) prod-api
- API Management: apimgmt
- Master data WebJob: CSV export / FTP upload → parse CSV, upload to staging DB, then upload to prod DB
- Mongo DB, staging: prod-stagingdb
- Mongo DB (Mongo API), production: prod-backenddb
- Memcached
- Analytics & monitoring: App Insights (prod-api, prod-web), OMS (prod-mon)
- End users
19. Customers expect a lot
Microsoft put it rather bluntly (in a different context, but still relevant):
- “We’ve been putting this off for 10 years but have to do it over the weekend now”
- “The cloud? No, it doesn’t work for us as we have SPECIAL needs”
- “Everything has to remain the same”
- “There was a new service released in Azure last night..”
21. A traditional approach to employing Azure
This is the common, kind-of hybrid architecture model.
(Diagram: On-premises, Site-to-site VPN, Azure AD Connect, ADFS + Proxy, Office 365)
22. The heart of everything: Azure Active Directory
- The identity core behind every Azure subscription: each subscription trusts exactly one AAD tenant, and one tenant can own many subscriptions
- Users, groups, licenses, permissions, apps, app proxies, domains.. all live here!
- Managed through the Azure Portal
- It’s important to understand the difference between AAD, AD and AAD Connect (and AAD DS)
- Identities, management and security
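To make the tenant-to-subscription relationship concrete, here is an added PowerShell example (not from the deck) that lists every subscription the signed-in account can see, grouped by the Azure AD tenant each one trusts, and flags users who hold a permanent Owner assignment directly at subscription scope. It assumes the Az module (Az.Accounts, Az.Resources) and a prior Connect-AzAccount; nothing else is taken from the slides.

```powershell
# Added example: inventory subscriptions per Azure AD tenant and surface
# direct, permanent Owner assignments held by user accounts.
# Assumes: Az.Accounts and Az.Resources, and that Connect-AzAccount has run.

$report = foreach ($sub in Get-AzSubscription) {
    # Each subscription trusts exactly one tenant, so the context switch
    # has to name both; a tenant can of course own many subscriptions.
    Set-AzContext -SubscriptionId $sub.Id -TenantId $sub.TenantId | Out-Null

    $scope = "/subscriptions/$($sub.Id)"
    # Get-AzRoleAssignment with -Scope also returns assignments inherited from
    # management groups, so filter back down to ones made at this exact scope.
    $owners = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName 'Owner' |
        Where-Object { $_.ObjectType -eq 'User' -and $_.Scope -eq $scope }

    [pscustomobject]@{
        Tenant       = $sub.TenantId
        Subscription = $sub.Name
        State        = $sub.State
        UserOwners   = ($owners.SignInName -join ', ')
    }
}

# One row per subscription; a non-empty UserOwners column is a standing
# privilege that should be moved under PIM or replaced by a group.
$report | Sort-Object Tenant, Subscription | Format-Table -AutoSize
```

Run this with an account that has Reader on every subscription of interest; role assignments you cannot read are silently absent, so an empty column is only meaningful when the call succeeded.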
30. Real-world example:
Hybrid cloud with ExpressRoute
Schedule: 1 year
- ExpressRoute required
- Global VNet Peering required
- 50-100 Azure subscriptions planned
- ALL activities for admins and users logged and analyzed
- One amazing architect
Some interesting challenges:
32. Connectivity options
Secure site-to-site VPN connectivity
• Connect to Azure compute from on-premises or another Azure region
Secure point-to-site connectivity
• POC efforts
• Small-scale deployments
• Connect from anywhere
ExpressRoute private connectivity
• Private connectivity from your on-premises data center to Azure virtual networks and PaaS services
VNet Peering within region
• In-region VNet-to-VNet connectivity
• Direct VM-to-VM connectivity
• Peer VNets for routing and transit
33. Real-world example:
Move 70 virtual machines to the cloud
Schedule: 2 months
- ~30 VMs running Windows Server 2003, on VMware
- No permissions to Azure subscriptions
- 10 Mbps uplink, which is saturated
A few, tiny challenges:
37. Security building blocks
- Active Directory
- Azure Active Directory
- Advanced Threat Analytics
- Firewall, proxy, VLANs etc.
- Microsoft Identity Manager
- Data Loss Prevention
- Threat Intelligence
- Secure Score
- Compliance Manager
- Connect Health
- Cloud App Security
- Network Security Group
- Identity Protection
- Privileged Identity Management
- Conditional Access
- Log Analytics
- Security Center
- Azure MFA
- Azure Information Protection
- Intune
- Customer Key
- Advanced Threat Protection
38. ”We will migrate everything to Office 365 and Microsoft Azure.. but not mailboxes as we do not trust Microsoft”
40. Getting rid of static admin roles with Azure AD Privileged Identity Management (PIM)
- Instead of granting permanent admin privileges, PIM allows ad-hoc, just-in-time admin roles
- Users can request a privilege for a predefined duration
- Discovers existing permanent admin role assignments and lets you convert them to eligible (time-limited) assignments; the conversion is a decision you make, not an automatic change
- Admin roles become non-permanent
- Activation duration can be set from 1 hour to 72 hours
- Can enforce MFA during role activation
- Approval workflows for new privilege requests
- Central view & management for all admin roles throughout Azure and Office 365
- ”Just-in-time” administration privileges for users on request
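The activation flow on this slide, as an added PowerShell example that is not part of the deck: it lists what a user is eligible for, activates one role for a bounded two-hour window, and then looks for assignments that are still permanent. It uses the AzureADPreview module's PIM cmdlets; the user principal name, the role chosen and the reason text are made up. Those AzureAD/AzureADPreview cmdlets have since been retired in favour of Microsoft Graph PowerShell, so check the current module before relying on the exact names.

```powershell
# Added example: just-in-time activation of an Azure AD role through PIM,
# with the AzureADPreview module. UPN and reason text are hypothetical.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$tenantId = (Get-AzureADTenantDetail).ObjectId
$user     = Get-AzureADUser -ObjectId 'jussi@contoso.example'   # hypothetical UPN
$roleDefs = Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'aadRoles' -ResourceId $tenantId

# 1. Which roles is this user eligible for (i.e. can activate, but does not hold)?
Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadRoles' -ResourceId $tenantId `
    -Filter "subjectId eq '$($user.ObjectId)' and assignmentState eq 'Eligible'" |
    ForEach-Object {
        $id = $_.RoleDefinitionId
        '{0,-40} eligible until: {1}' -f ($roleDefs | Where-Object Id -eq $id).DisplayName, $_.EndDateTime
    }

# 2. Activate one of them for two hours. The schedule is UTC and of type 'Once';
#    the request is still subject to the role settings (MFA, justification,
#    approval). If approval is required this returns a pending request, not
#    an active assignment, so do not treat the return value as "granted".
$role = $roleDefs | Where-Object DisplayName -eq 'User Administrator'
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = 'Once'
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$schedule.EndDateTime   = (Get-Date).AddHours(2).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')

Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $tenantId `
    -RoleDefinitionId $role.Id -SubjectId $user.ObjectId -Type 'UserAdd' `
    -AssignmentState 'Active' -Schedule $schedule `
    -Reason 'Ticket 1234: reset MFA for a locked-out user'

# 3. Who still holds a *permanent* active assignment? Permanent ones have no
#    EndDateTime; these are the standing privileges PIM exists to remove.
Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadRoles' -ResourceId $tenantId `
    -Filter "assignmentState eq 'Active'" |
    Where-Object { -not $_.EndDateTime } |
    ForEach-Object {
        $id = $_.RoleDefinitionId
        '{0,-40} permanent: {1}' -f ($roleDefs | Where-Object Id -eq $id).DisplayName, $_.SubjectId
    }
```

Step 3 is the check to run before declaring a tenant "PIM-enabled": a role that is eligible for some users but still permanently assigned to others (often break-glass accounts or a forgotten service account) gives you the JIT paperwork without the reduced attack surface.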
43. Survival guide
1. Understand Azure Active Directory: features, licenses, limitations and capabilities.
2. Work with ease in both PaaS and IaaS: you often might need both.
3. Be vigilant with security, but keep it reasonable: utilize good practices, employ security services and make an effort.
4. Make hybrid possible, but drive towards the cloud: many companies still need on-premises, like it or not.
5. Create proof of concepts and use preview features: you need to see and anticipate the future.
6. Unlearn when needed; stick to legacy when it makes more sense: no need to change your framework every week, but do not stick with Visual Basic 6 and Windows NT just because you know them well.
44. Get the book: http://bit.ly/azurestrategy
Reference architectures: http://bit.ly/azurearc
Updates: http://bit.ly/azureupdates
Some great resources
Azure also provides infrastructure services which allow for more hands-on configuration and management, similar to the servers you have today. However, they’re hosted in Microsoft datacenters, letting you use Azure as if you were operating your own datacenter in the cloud. For example, you can provision VMs, give them private IP addresses, and connect to them using a VPN from your on-premises environment. Most importantly, this lets Windows Azure mimic your on-premises datacenter and run your current apps with little or no change, without the expense of owning servers, racks, cooling and buildings. Furthermore, you can connect the “datacenter” you build in the cloud to your on-premises datacenter, so the datacenter in the cloud becomes an extension of your on-premises infrastructure.
These “building blocks” let Azure be used as Infrastructure-as-a-Service.
So, you see, Azure offers IaaS + PaaS in one platform. IaaS provides flexibility, PaaS eliminates complexity. Use PaaS where you can, use IaaS where you need. With Azure, you can use both together or independently, and build the apps of the future. That uniquely differentiates us.
When to use? For whom?
IaaS is for current investments and future-proofing; current market dynamics explain why we did IaaS:
- Lock-in
- Saving tons of money
- Forced to
- Higher agility
- Here is your transition: your work becomes a business enabler, you optimize services, and the value to the business is much greater (IT Pro)
Infrastructure as a Service:
- Control, flexibility, familiarity
- Existing apps
- Starting point; on-ramp to public cloud
Platform as a Service:
- More benefits (cost, scale, speed)
- Differentiation
- New app development
- Cloud-native apps
Why this slide:
It shows we have a very broad platform. It is about BOTH IaaS and PaaS, and that these work together. It shows that we continue to lead in world-class IT capabilities and that there’s really nothing missing.
Key points:
We have already seen how the Azure platform is IaaS + PaaS, but I want you to understand that this is a huge number of capabilities, IT building blocks if you will.
Every one of these blocks you can provision anytime, self-service, anywhere in the world, 24x7. You pay for what you use, you can get more or less anytime, and you can fully automate everything…
DON’T spend too much time on this slide; you are going to DEMO (aren’t you!!!)… DON’T go through each block…
Transition to NEXT slide: make the build go backwards to show JUST IaaS, and then go to the demo to show it.
Joonas
Taking a deeper look at some of the key services that constitute Azure IaaS. We will go into a little more detail on each of these services.
The four core technologies are Compute, Network, Storage and Management.
Compute:
- Virtual Machines are no different from the virtual machines you run on-premises.
- We will go into the concept of Availability Sets, which give you better availability on the platform: highly available solutions with a 99.95% SLA.
- VM Scale Sets for autoscaling; VM extensions to run custom scripts.
Network:
- A virtual network, similar to on-prem, lets VMs connect on a private network in the cloud. It provides an isolated environment for your applications.
- We have different types of connectivity: IPsec VPN or ExpressRoute (a private circuit through a telecom provider that keeps traffic off the public internet; note that the circuit itself is not encrypted, so encrypt sensitive traffic at a higher layer).
- Bring your own network to Azure: most of the networking technologies you are familiar with are available on Azure.
- There are different ways to connect to Azure, such as VPN and ExpressRoute, that we will talk about.
- We will also talk about features like load balancing and DNS.
- What Traffic Manager does: distribute traffic across endpoints at the DNS level.
Storage:
- Azure Storage offers different sets of storage services for various business needs, among them disks attached to a VM and Blob storage for unstructured data.
- VMs attach Disks; there are different options, Standard or Premium, depending on whether you want higher throughput and lower latency.
- We have object storage for your storage needs. We recently launched Cool storage for data you don’t need to access frequently.
Management:
- Management across these various foundational services, including the portal, Azure AD, MFA, Key Vault and the marketplace.
Security:
- Azure AD for identity management.
- ARM management, powerful and templatized.
Compute options
- VM sizes with resources matched to the workload: a series of compute families, each designed for a class of problem.
- Entry level: A – dev/test, try it out; ideal for testing and development.
- Burstable: B – unpredictable (burstable) workloads, credit-based.
- General purpose: D – balanced CPU-to-memory ratio; small to medium databases, low to medium traffic web servers.
- Compute optimised: F – high CPU-to-memory ratio; good for medium traffic web servers, network appliances, batch processes and application servers.
- Memory optimised: E (and the high-memory D sizes) – high memory-to-CPU ratio; great for relational database servers, medium to large caches and in-memory analytics.
- G – memory optimised, more memory, up to 32 vCPUs.
- Storage optimised: L – local SSD and high local IO, persistent SSD.
- Graphics intensive: N – NVIDIA GPU instances.
- HPC: H – genomics and other workloads needing lots of compute power.
- SAP HANA certified sizes for SAP workloads.
Availability
- Single VM with all disks on Premium storage: 99.9% SLA.
- Availability Sets – intra-datacenter availability; 2 or more VMs are distributed across multiple racks (fault and update domains) in a DC: 99.95%.
- Availability Zones – VMs spread across physically separate datacenters within one region: 99.99%.
- Region pairing – multi-region; platform updates roll out to one region of a pair at a time, and one region of the pair is prioritised for recovery. Cross-region failover is something you build yourself. Not
Data stored in a storage service
- For apps: Tables and Queues. Table – large amounts of data, more for developers.
- For infra: Blobs, Files, Disks.
- Blobs – object storage; VM disks are stored as page blobs. Blob storage supports both Standard and Premium storage, with Premium using only SSDs for the fastest performance.
- Disks – managed disks with access control, Premium SSD or Standard; unmanaged VHDs live in containers, like folders.
- Files – file share as a service. Azure File Sync keeps a local file server in sync with an Azure file share.
- Tables – schemaless key/value store.
- Queues – the Azure Queue service is used to store and retrieve messages.
Virtual network
Azure virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure.
Azure Virtual Network provides an isolated and secure environment to run your virtual machines and applications. You can use your private IP addresses and define subnets, access control policies, and more. With Virtual Networks, you can treat Azure just as you would your own datacenter.
Traffic between Azure resources, whether in a single region, or in multiple regions, stays in the Azure network. Intra-Azure traffic does not flow over the Internet. For example, within Azure, traffic for VM-to-VM, storage, and SQL communication traverses only the Azure network, regardless of the source and destination Azure region
With Virtual Network, you can easily extend your on-premises IT environment into the cloud, much the way that you can set up and connect to a remote branch office. You have multiple options to securely connect to a Virtual Network—you can choose an IPSec VPN or a private connection using the Azure ExpressRoute service.
Within a virtual network, you can choose to run a variety of network virtual appliances—WAN optimizers, load balancers, and application firewalls—and define traffic flows, allowing you to design the network with a greater degree of control.
Azure VPN Gateway connects your on-premises networks to Azure through site-to-site VPNs, much the way you’d set up and connect to a remote branch office. The connectivity is secure, using industry standard protocols: Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).
Point-to-site VPN lets you connect to your virtual machines on Azure virtual networks from anywhere, whether you are on the road or working from your favorite café, managing your deployment, or doing a demo for your customers.
With Azure DNS, you can host your DNS domains in Azure. Manage your DNS records using the same credentials and billing and support contract as your other Azure services. Seamlessly integrate Azure-based services with corresponding DNS updates, streamlining the end-to-end deployment process.
Azure ExpressRoute lets you create private connections between Azure datacenters and infrastructure on your premises or in a colocation environment. ExpressRoute connections don't go over the public Internet. They offer more reliability, faster speeds, lower latencies and better isolation than typical Internet connections. Note that ExpressRoute is a private circuit, not an encrypted one: if the data needs confidentiality in transit, run IPsec over the circuit or encrypt at the application layer.
A virtual network is your private network, isolated from other virtual networks in the Azure cloud infrastructure. You can launch VMs, select the IP range, create subnets, and define network settings and security groups.
A subnet is a range of addresses carved out of your virtual network's address space.
Connectivity:
- You can connect your virtual network to your own corporate data center using an IPsec hardware VPN connection. It is a secure bridge between your existing IT infrastructure and the Azure cloud, using an encrypted VPN connection.
- Traffic between VMs in your virtual network and your on-premises networks is routed through the VPN connection.
- With user-defined routes and VPN gateways you can also force internet-bound traffic from the VMs back through the VPN gateway (forced tunnelling), so it leaves through your on-premises egress.
- Network security groups (access control lists) – allow and deny rules, full control of traffic at subnet and NIC level.
- You can reserve static IP addresses.
- Load balancing for higher availability.
We let you privately connect with our datacenters using the ExpressRoute service:
- Up to 10 Gbps bandwidth and connections with less than 5 ms latency.
- 24 ExpressRoute locations worldwide, and a massive partner ecosystem supporting us.
- This lets you put Azure datacenters on your own private networks.
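The subnet, NSG and forced-tunnelling route described in the connectivity notes above, as an added PowerShell example that is not from the deck. It assumes the Az.Network module, an existing resource group (the name rg-hybrid is hypothetical), an on-premises address space of 10.0.0.0/16 and a VNet of 10.10.0.0/16; it does not create the VPN gateway itself.

```powershell
# Added example: a VNet with one application subnet whose NSG only admits
# management traffic from on-premises, plus a user-defined default route that
# sends internet-bound traffic through the VPN gateway. Names and address
# ranges are hypothetical. Assumes Az.Network and a prior Connect-AzAccount.

$rg       = 'rg-hybrid'
$location = 'westeurope'
$onPrem   = '10.0.0.0/16'      # on-premises address space reachable over the VPN

# NSG rules are evaluated lowest Priority first. Azure also injects default
# rules at 65000+: AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound.
# An explicit deny below 65001 would override the load balancer probe allow,
# so keep the probe allow explicit if you add your own deny-all.
$allowMgmt = New-AzNetworkSecurityRuleConfig -Name 'allow-mgmt-from-onprem' `
    -Direction Inbound -Priority 100 -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $onPrem -SourcePortRange '*' `
    -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange @('22', '3389')

$allowProbe = New-AzNetworkSecurityRuleConfig -Name 'allow-azure-lb-probe' `
    -Direction Inbound -Priority 200 -Access Allow -Protocol '*' `
    -SourceAddressPrefix 'AzureLoadBalancer' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

$denyAll = New-AzNetworkSecurityRuleConfig -Name 'deny-all-inbound' `
    -Direction Inbound -Priority 4000 -Access Deny -Protocol '*' `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-app' -SecurityRules $allowMgmt, $allowProbe, $denyAll

# Forced tunnelling: 0.0.0.0/0 next-hops to the VPN gateway instead of the
# platform's default internet route. For a route-based gateway the on-premises
# side must also advertise a default route (BGP) or be set as the gateway's
# default site (Set-AzVirtualNetworkGatewayDefaultSite), or the traffic is dropped.
$rt = New-AzRouteTable -ResourceGroupName $rg -Location $location -Name 'rt-forced-tunnel'
$rt | Add-AzRouteConfig -Name 'default-via-vpn' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualNetworkGateway | Set-AzRouteTable | Out-Null

# Attach NSG and route table to the app subnet; GatewaySubnet must keep the
# reserved name and must NOT carry the NSG or the forced-tunnel route table.
$appSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-app' -AddressPrefix '10.10.1.0/24' `
    -NetworkSecurityGroup $nsg -RouteTable $rt
$gwSubnet  = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.10.255.0/27'

New-AzVirtualNetwork -ResourceGroupName $rg -Location $location -Name 'vnet-hybrid' `
    -AddressPrefix '10.10.0.0/16' -Subnet $appSubnet, $gwSubnet | Out-Null

# Verification once a VM's NIC sits in snet-app (NIC name is hypothetical):
# the effective views show the merged default + custom rules and routes, which is
# what the VM actually gets rather than what you think you configured.
# Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'nic-app01' -ResourceGroupName $rg
# Get-AzEffectiveRouteTable          -NetworkInterfaceName 'nic-app01' -ResourceGroupName $rg
```

The two effective-view cmdlets at the end are the check to run after any NSG or route change: an NSG on the NIC and another on the subnet are both applied, and a route table on the wrong subnet (for example GatewaySubnet) breaks the tunnel rather than securing it.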
- Load Balancer – Layer 4 (TCP/UDP), with health probes and diagnostics; general purpose.
- Application Gateway – Layer 7 load balancer (round robin, or cookie-based session affinity so a user returns to the same server for state); its Web Application Firewall option blocks common web attacks (OWASP core rule set) before they reach the VMs behind it.
- Traffic Manager – DNS-based distribution: resolves the name to one of multiple endpoints, e.g. the endpoint with the lowest measured latency for the client (performance routing), not the fewest hops.
- Third-party solutions for load balancing and firewalling are available as network virtual appliances (e.g. F5).
The Microsoft Cybersecurity Reference Architecture (https://aka.ms/MCRA) describes Microsoft’s cybersecurity capabilities and how they integrate with existing security architectures and capabilities. We recently updated this diagram and wanted to share a little bit about the changes and the document itself to help you better utilize it.
How to use it
We have seen this document used for several purposes by our customers and internal teams (beyond a geeky wall decoration to shock and impress your cubicle neighbors :-)
Starting template for a security architecture - The most common use case we see is that organizations use the document to help define a target state for cybersecurity capabilities. Organizations find this architecture useful because it covers capabilities across the modern enterprise estate that now spans on-premises, mobile devices, many clouds, and IoT / Operational Technology.
Comparison reference for security capabilities - We know of several organizations that have marked up a printed copy with what capabilities they already own from various Microsoft license suites (many customers don't know they own quite a bit of this technology), which ones they already have in place (from Microsoft or partner/3rd party), and which ones are new and could fill a need.
Learn about Microsoft capabilities - In presentation mode, each capability has a "ScreenTip" with a short description of each capability + a link to documentation on that capability to learn more.
Learn about Microsoft's integration investments - The architecture includes visuals of key integration points with partner capabilities (e.g. SIEM/Log integration, Security Appliances in Azure, DLP integration, and more) and within our own product capabilities among (e.g. Advanced Threat Protection, Conditional Access, and more).
Learn about Cybersecurity - We have also heard reports of folks new to cybersecurity using this as a learning tool as they prepare for their first career or a career change.
As you can see, Microsoft has been investing heavily in security for many years to secure our products and services as well as provide the capabilities our customers need to secure their assets. In many ways, this diagram reflects Microsoft's massive ongoing investment into cybersecurity research and development, currently over $1 billion annually (not including acquisitions).
What has changed and why
We made quite a few changes in v2 and wanted to share a few highlights on what's changed as well as the underlying philosophy of how this document was built.
New visual style - The most obvious change for those familiar with the first version is the simplified visual style. While some may miss the "visual assault on the senses" effect from the bold colors in v1, we think this format works better for most people.
Interactivity instructions - Many people did not notice that each capability on the architecture has a quick description and link to more information, so we added instructions to call that out (and updated the descriptions themselves).
Complementary Content - Microsoft has invested in creating cybersecurity reference strategies (success criteria, recommended approaches, how our technology maps to them) as well as prescriptive guidance for addressing top customer challenges like Petya/WannaCrypt, Securing Privileged Access, and Securing Office 365. This content is now easier to find with links at the top of the document.
Added Section headers for each grouping of technology areas to make it easier to navigate, understand, and discuss as a focus area.
Added Foundational Elements - We added descriptions of some core foundational capabilities that are deeply integrated into how we secure our cloud services and build our cybersecurity capabilities that have been added to the bottom. These include
Trust Center - This is where we describe how we secure our cloud; it includes links to various compliance documents such as 3rd party auditor reports.
Compliance Manager is a powerful (new) capability to help you report on your compliance status for Azure, Office 365, and Dynamics 365 for General Data Protection Regulation (GDPR), NIST 800-53 and 800-171, ISO 27001 and 27018, and others.
Intelligent Security Graph is Microsoft's threat intelligence system that we use to protect our cloud, our IT environment, and our customers. The graph is composed of trillions of signals, advanced analytics, and teams of experts hunting for malicious activities, and is integrated into our threat detection and response capabilities.
Security Development Lifecycle (SDL) is foundational to how we develop software at Microsoft and has been published to help you secure your applications. Because of our early and deep commitment to secure development, we were able to quickly conform to ISO 27034 after it was released.
Moved Devices/Clients together - As device form factors and operating systems continue to expand and evolve, we are seeing security organizations view devices through the lens of trustworthiness/integrity vs. any other attribute.
We also re-organized the Windows 10 and Windows Defender ATP capabilities around outcomes vs. feature names for clarity.
We also reorganized the Windows security icons and text to reflect that Windows Defender ATP describes all the platform capabilities working together to prevent, detect, and (automatically) respond to and recover from attacks. We also added icons to show the cross-platform support for Endpoint Detection and Response (EDR) capabilities that now extend across Windows 10, Windows 7/8.1, Windows Server, Mac OS, Linux, iOS, and Android platforms.
We also faded the intranet border around these devices because of the ongoing success of phishing, watering hole, and other techniques that have weakened the network boundary.
Updated SOC section - We moved several capabilities from their previous locations around the architecture into the Security Operations Center (SOC) as this is where they are primarily used. This move enabled us to show a clearer vision of a modern SOC that can monitor and protect the hybrid of everything estate. We also added the Graph Security API (in public preview) as this API is designed to help you integrate existing SOC components and Microsoft capabilities.
Simplified server/datacenter view - We simplified the datacenter section to recover the space being taken up by duplicate server icons. We retained the visual of extranets and intranets spanning on-premises datacenters and multiple cloud provider(s). Organizations see Infrastructure as a Service (IaaS) cloud providers as another datacenter for the intranet generation of applications, though they find Azure is much easier to manage and secure than physical datacenters. We also added Azure Stack capability that allows customers to securely operate Azure services in their datacenter.
New IoT/OT section - IoT is on the rise on many enterprises due to digital transformation initiatives. While the attacks and defenses for this area are still evolving quickly, Microsoft continues to invest deeply to provide security for existing and new deployments of Internet of Things (IoT) and Operational Technology (OT). Microsoft has announced $5 billion of investment over the next four years for IoT and has also recently announced an end to end certification for a secure IoT platform from MCU to the cloud called Azure Sphere.
Updated Azure Security Center - Azure Security Center grew to protect Windows and Linux operating system across Azure, on-premises datacenters, and other IaaS providers. Security Center has also added powerful new features like Just in Time access to VMs and applied machine learning to creating application whitelisting rules and North-South Network Security Group (NSG) network rules.
Added Azure capabilities including Azure Policy, Confidential Computing, and the new DDoS protection options.
Added Azure AD B2B and B2C - Many Security departments have found these capabilities useful in reducing risk by moving partner and customer accounts out of enterprise identity systems to leverage existing enterprise and consumer identity providers.
Added information protection capabilities for Office 365 as well as SQL Information Protection (preview).
Updated integration points - Microsoft invests heavily to integrate our capabilities together as well as to ensure our technology works with your existing security capabilities. This is a quick summary of some key integration points depicted in the reference architecture:
Conditional Access connecting info protection and threat protection with identity to ensure that authentications are coming from a secure/compliant device before accessing sensitive data.
Advanced Threat Protection integration across our SOC capabilities to streamline detection and response processes across Devices, Office 365, Azure, SaaS applications, and on Premises Active Directory.
Azure Information Protection discovering and protecting data on SaaS applications via Cloud App Security.
Data Loss Prevention (DLP) integration with Cloud App Security to leverage existing DLP engines, and with Azure Information Protection to consume labels on sensitive data.
Alert and Log Integration across Microsoft capabilities to help integrate with existing Security Information and Event Management (SIEM) solution investments.
Feedback
We are always trying to improve everything we do at Microsoft and we need your feedback to do it! You can contact the primary author (Mark Simos) directly on LinkedIn (https://aka.ms/markslist) with any feedback on how to improve it or how you use it, how it helps you, or any other thoughts you have.