Cloud-enabled businesses are investing effort and money in going “Global, Scalable and Available”. From small startups to large enterprises, everyone has understood the importance of the Cloud, and some of these businesses are now taking a step further with Artificial Intelligence (AI), using the intelligent services offered by cloud providers like Microsoft Azure.
However, there are huge gaps in the following areas:
- Adoption of Azure as a cloud platform,
- Migration to Azure from on-premise or competing cloud provider,
- Lack of awareness about migration tools,
- Services offered by Azure at a large scale.
This tutorial attempts to address these gaps and concerns, and shares advice and best practices to help make your Microsoft Azure journey meaningful and profitable.
Building a Cloud Roadmap with Microsoft Azure
As a case study, we’ll take the fictitious “Foo Solutions Ltd.” as a reference.
The CXO board, IT Head and the Technical and Solutions Architect group of Foo Solutions have decided to adopt Microsoft Azure as their cloud platform on the following basis:
1. They have a large .NET based application portfolio
2. Their current Datacenter contract is on the verge of expiring
3. They recently acquired a small firm that has a large Open Source application portfolio
4. They want to go global and reach out to their customers in different geographies
However, they don’t have any Microsoft Azure experts or Architects who can guide them through the process.
So now, let us discuss a few things the team at Foo Solutions should know about and consider while migrating their existing applications to Azure and building new Cloud First applications in the course of adopting Microsoft Azure.
Building a Migration Roadmap for Microsoft Azure
First, the decision makers should do an extensive exercise of bucketing their applications into the following categories.
1. Public-facing applications with low business impact, a sizable user base and no critical or sensitive data.
2. Legacy web applications (maybe some Classic ASP apps).
3. Applications which are stable, critical, public facing, have an impact on the business and handle sensitive or critical data.
4. Applications which are at or near end-of-life (EOL), like Silverlight apps which need to be migrated, or .NET 2.0 apps which need to be moved to the latest .NET framework.
5. Applications which need to be scrapped and re-written. These are potential “Cloud First” apps with minimal reuse of the existing app, tending towards a new design, and which need to embrace Microsoft Azure services.
There are many assessment and migration tools offered by Microsoft and by Microsoft’s 3rd party partners/vendors. Ideally, the technical group at Foo Solutions should do a detailed analysis of each tool, accounting for the challenges they might face during migration, cost impact, business risks, downtime etc.
Accordingly, a migration roadmap can be built. To ease this assessment and migration activity, let us discuss a few commonly used tools which will ease your initial assessment work and also help in the actual migration to Microsoft Azure.
Many customers are still running Classic ASP based apps in production, running their business as usual with a sizable number of users. If such customers wish to continue with the legacy platform rather than re-write their apps, they can leverage the Azure IaaS platform to host their applications. Note that there is no out-of-the-box tool from Microsoft Azure which will give you assurance of migration, so you may have to make some configuration changes.
Azure PaaS does not support Classic ASP/legacy workloads.
Azure App Service Migration Assistant
Many times, people who are aware of the differences between Azure IaaS and Azure PaaS still can’t make a direct decision about what to opt for, and most importantly can’t validate the approach.
It is a difficult and challenging situation if the migration needs to be performed in a short time span. Hence some quick automated assessment is required which will reduce the risk of a wrong IaaS-vs-PaaS decision.
Microsoft addresses these concerns with a quick, handy and easy to use tool. To check whether your existing on-premise or other datacenter hosted application is suitable for moving to Azure PaaS, Microsoft provides the App Service Migration Assistant, which helps you do the primary assessment and gives you insights about all the technologies used and whether they can be ported to Azure as an Azure App Service (which is Azure PaaS). This is a FREE tool available at https://appmigration.microsoft.com/ and you can also install it in your existing on-premise environment.
Figure 1: Azure App Service Migration Tool
It will scan your endpoint (the URL of your application, or your on-premise environment if you install it locally) and build a detailed report for you.
Figure 2: Azure PaaS ASP Migration Report
This is currently available only for .NET applications; Microsoft will soon support other applications as well. The assessment report is not just a Boolean result stating whether the application can be migrated or not; it does a detailed readiness check for the following points:
- Port Bindings
- Location Tags
- ISAPI Filters
- Application Pools
- Application Identity
- Authentication Type
- Application Settings
- Connection Strings
- Configuration Error
- Virtual Directories
For more details, refer to the detailed readiness-check information at https://appmigration.microsoft.com/readinesschecks
Migrate your SQL database to Microsoft Azure with Microsoft Data Migration Assistant
This is one of the popular tools (also known as the “DMA tool”) to migrate your on-premise SQL database instance to Azure SQL Server, or to a SQL instance on an Azure VM accessible from your on-premise network.
Like the App Service Migration Tool mentioned earlier, this tool also does an assessment and gives details of blocking issues and enlists the unsupported features. It also accounts for breaking changes and deprecated features.
In order to run this tool, you need to have the sysadmin role assigned to you. This is also a FREE Tool and can be downloaded from here – https://www.microsoft.com/en-us/download/details.aspx?id=53595
Figure 3: Azure Data Migration Assistant Tool
Besides assessment, it allows you to migrate from your instance located on-premise – to Azure SQL, Azure SQL Managed instance or SQL on Azure VM.
Note: If you are running SQL Server 2008 for your applications/business, kindly check the end of life (EOL) announcement for SQL Server 2008 and the newly announced “Azure Hybrid Benefit” offer from Microsoft for SQL Server 2008 migration. More details here – https://azure.microsoft.com/en-us/pricing/hybrid-benefit/
Migrating to Cosmos DB
Microsoft Azure Cosmos DB is a revamped version of the previously available DocumentDB, with many new features and enhancements.
Cosmos DB is a truly globally distributed, multi-model database service available in an Azure PaaS flavor. Cosmos DB is schema agnostic and no additional efforts are required to maintain indexing. It is highly scalable and available with low latency and enterprise grade SLAs.
Cosmos DB is mainly used in apps that leverage a schema agnostic model, like various IoT and e-Commerce solutions; it has its own use cases. To migrate to Cosmos DB, Microsoft provides another tool similar to DMA, known as the Azure Cosmos DB Data Migration Tool.
Figure 4: Azure Cosmos DB Data Migration Tool
The Azure Cosmos DB Data Migration Tool is an Open Source project from Microsoft, and you can download it from https://github.com/azure/azure-documentdb-datamigrationtool
The Azure Cosmos DB Data Migration Tool enables enterprises to move their collections/schemas from JSON, MongoDB, Azure Table, SQL and a few other data sources. Cosmos DB provides a rich set of APIs for SQL, Graph, Table and Gremlin. So, in case you want to replace your current Azure Table Storage with Cosmos DB, you don’t have to make much effort as most of your code remains as-is, because the Table API provides the same set of method signatures. So, with minimum configuration changes, you can swiftly move to Azure Cosmos DB. This is again a FREE tool from Microsoft.
Migrating with “Azure Migration” Service
This is a managed service hosted in Azure and is responsible for assessing your on-premise environment/datacenter.
Figure 5: Azure Migration Service for VMware
It currently supports only VMware environments; Hyper-V support is not generally available yet. It is an “agentless” discovery mechanism and works by running a collector VM inside your on-premise environment. Although this is a FREE service, the components provisioned using it will be charged as per their respective pricing.
Figure 6: Migration Discovery Collector
Post assessment, you can perform the actual migration using different Azure services. For SQL databases, we have already discussed DMA, and you can also explore the Azure Database Migration Service along the same lines.
Migrating SQL databases with “Azure Database Migration Service”
Azure Database Migration Service is a fully managed online service which enables migration of multiple databases. It still requires you to install DMA (Data Migration Assistant) to carry the migration forward from on-premise to Azure SQL Server.
Figure 7: Azure Database Migration Service
Besides the tools and services mentioned above, you can always create new infrastructure using Azure CLI or PowerShell, and can also try some popular 3rd party tools like Movere.
Securing your Azure workload
One very common question we all face during customer meetings and conversations with IT and Compliance experts is: “Is Azure secure?”
Although it may look like a very simple question and the obvious answer is “Yes”, you still need to have a detailed conversation with customers or stakeholders to understand their requirements for Security.
Governance and Security always go hand in hand. So along with security, having governance is equally important. Mechanisms like Role Based Access Control (RBAC) and Azure Policy allow you to customize these governance policies. Let us quickly go through the most common security challenges you face on any cloud:
- Lack of monitoring services
- Data movement in an insecure way
- Application vulnerabilities
- Lack of patch and update management
- Lack of security specific education
- Compromised users
- Lack of Role Based Access Control (RBAC)
- Wrong security assumptions
Security is a broader topic and has different flavors. In Microsoft Azure, we can bucket “Security” into two parts – One is Application Security and the other is Environment Security (regardless of using IaaS or PaaS). Data Security is also a subset of this conversation.
In Azure, data in transit is encrypted and is therefore secure. Stored data is only partially secure, under the assumption that your data stores are not compromised. For example, data in Azure Storage is secure as long as the keys/SAS tokens are taken care of and not compromised, and data on VMs is secure as long as it is not accessed by unwanted users, whether from the public internet or from within the organization.
Azure Security Center
Many customers who don’t have any cybersecurity or security experts on board are always concerned about choosing the best security services and applying them to their organization.
The most generic, very powerful but highly underestimated service, unknown to many customers, is Azure Security Center.
It comes with two pricing models, “Free” and “Standard”. Check which features are covered under each pricing model in the Azure Security Center pricing documentation.
Many customers have the perception that it just shows the status of VM updates and patches and puts recommendations on top of them. However today, Azure Security Center is a very powerful single-dashboard service for your entire Azure workload: it closely monitors your Azure components and gives you a real time feed of the current status of your workloads. It also gives you a compliance score, using which you can check whether your workload and service configurations are aligned with your IT policies and standards.
Besides being a Security Dashboard of the entire subscription, it covers five major aspects –
- Policy and Compliance – Scoring against standard compliances like PCI, SOC, ISO etc.
- Resource Secure Hygiene – Recommendations at Resource level (Compute, Identity, Networking etc.)
- Advanced Cloud Defense – Recommendations at VM and VNET level by providing Just-in-Time VM Access and Adaptive Network Hardening
- Threat Protection – Setting up custom alert rules
- Automation & Orchestration – Creating playbooks and integrating logic apps
Figure 8: Azure Security Center Dashboard
Figure 9: Security Center Regulatory Compliance
Azure Security Center pricing is based on the pricing model tier you choose i.e. Free and Standard. Once you enable Azure Security Center, it starts collecting the necessary data from your Azure components. To know more about Data Privacy and data collection policies, do read Azure Security Center documentation before opting.
Web Application Firewall (WAF)
You can configure a Web Application Firewall (WAF) inside your Application Gateway. This lets you inspect requests to your application against the OWASP ModSecurity Core Rule Set (versions 2.2.9 and 3.0), which addresses the OWASP Top 10. This web application firewall also works for workloads deployed with the Classic deployment model as well as ARM.
Figure 10: WAF Dashboard
It also protects your application from DDoS attacks. Azure DDoS Protection is available as a separate service, but it is expensive compared to WAF. WAF provides real time protection with a Detection and a Prevention mode. Detection mode is usually turned on in the Dev/Test phase, and if we keep logs on, we can capture more details. Prevention mode is usually turned on for the production phase; in case of an attack, it returns an HTTP 403 error.
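The Detection-versus-Prevention choice described above, as an added Az PowerShell example (not code from the original article): one function switches an existing Application Gateway WAF between the two modes on the OWASP 3.0 rule set and keeps the firewall log flowing to Log Analytics. The resource group, gateway name and workspace id are placeholders, and the gateway is assumed to already run a WAF-capable SKU.

```powershell
# Added example, not from the original article. Assumes an existing Application
# Gateway on a WAF SKU and an existing Log Analytics workspace (ids are placeholders).
function Set-WebAppFirewallMode {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $GatewayName,
        # Dev/Test -> Detection (log only); Production -> Prevention (block with HTTP 403)
        [Parameter(Mandatory)] [ValidateSet('Dev', 'Test', 'Production')] [string] $Environment,
        [Parameter(Mandatory)] [string] $WorkspaceId
    )

    $gw = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName

    # Detection mode records rule matches without blocking, which is what you want while
    # tuning the rule set against a real application; Prevention mode enforces the rules.
    $mode = if ($Environment -eq 'Production') { 'Prevention' } else { 'Detection' }

    Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $gw `
        -Enabled $true -FirewallMode $mode -RuleSetType 'OWASP' -RuleSetVersion '3.0' | Out-Null

    # Commit the configuration change to the gateway.
    $gw = Set-AzApplicationGateway -ApplicationGateway $gw

    # Keep the firewall log on in both modes: in Detection mode it is the only evidence
    # of what would have been blocked, in Prevention mode it explains each 403.
    Set-AzDiagnosticSetting -ResourceId $gw.Id -WorkspaceId $WorkspaceId -Enabled $true `
        -Category 'ApplicationGatewayFirewallLog' | Out-Null

    return $mode
}

# Placeholder values; replace with your own resource names.
$law = '/subscriptions/<sub-id>/resourceGroups/rg-foo-ops/providers/Microsoft.OperationalInsights/workspaces/law-foo'
Set-WebAppFirewallMode -ResourceGroupName 'rg-foo-web' -GatewayName 'agw-foo-test' -Environment 'Test' -WorkspaceId $law
Set-WebAppFirewallMode -ResourceGroupName 'rg-foo-web' -GatewayName 'agw-foo-prod' -Environment 'Production' -WorkspaceId $law
```

Run the Detection-mode gateway against your own test traffic first and review the firewall log for false positives before flipping production to Prevention.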
Azure Front Door Service (aka AFD)
Azure Front Door (AFD) service has built-in WAF and DDoS Protection.
Note: There is a separate “Web Application Firewall” managed service for Azure Front Door, so do not confuse the WAF built into Application Gateway with the managed Web Application Firewall service for Front Door. AFD also has Traffic Manager-like capabilities with low latency routing, so it automatically routes requests based on latency. Also note that AFD has a dedicated designer, unlike WAF.
Figure 11: Azure Front Door Designer
In the frontend host, you can configure your app, and in backend pool, the requests are routed based on latency by AFD.
You can configure routing rules as per your business requirements. Traffic Manager and AFD can run in parallel and you can also replace Traffic Manager with AFD for web apps.
Note that AFD can route only to public endpoints, so while designing the architecture you need to decide which of WAF, Front Door and Traffic Manager to use based on the scenarios you are dealing with. AFD can certainly be a good choice when you have origins in multiple regions or globally distributed users, and performance is key.
Azure Sentinel (Currently in “Preview”)
Azure Sentinel is a cloud native Security Information and Event Management (SIEM) tool by Microsoft.
It provides state-of-the-art analytics with minute details of different Azure service components through a set of rich connectors. It has a small built-in Case Management board (a very small flavor of ticketing systems like Zendesk) which allows you to investigate security incidents and issues by assigning them to the respective users.
Figure 12: Sentinel Dashboard
With different data connectors, it captures and displays all the data in a single dashboard, the SIEM dashboard.
Figure 13: Sentinel Data Connectors
If you are familiar with Log Analytics – OMS (Operations Management Suite), the dashboard of connectors is visually pretty much the same. It provides built-in queries and gives a detailed RCA in case of threats. Figure 14 shows an example of security threats detected by Sentinel from a country, and you can see the attack details and attempt description along with the IP in Figure 15.
Figure 14: Sentinel showing malicious attacks
Figure 15: IP Address and other details of the attack
The Case management allows you to assign a particular incident to your Users (Users of Azure Portal with appropriate Roles in place). To hunt down the issue, the Hunting option gives you a decent number of built-in queries which you can run.
Figure 16: Azure Sentinel Case Management
So along with other monitoring tools like Log Analytics (OMS) and Application Insights, Azure Sentinel serves the purpose of a true cloud native SIEM tool.
General security guidance for Azure hosted workload
Azure VMs (IaaS) can be protected by the following measures –
- Applying NSGs (Network Security Groups) at the subnet or VM level to control inbound and outbound traffic with IP ranges and rules
- Installing antimalware and antivirus and keeping them regularly updated
- Blocking ports which can be a threat and need not be exposed to other Azure services or public traffic. RDP can be blocked, and if someone still needs RDP access to a VM for administrative work, make use of a jump server
- Using an appropriate DMZ and 3rd party firewalls like Barracuda
- Putting Azure RBAC and Policies in place for better control and governance
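The NSG and jump server advice above, as an added Az PowerShell example (not code from the original article): the web subnet accepts HTTPS from the Internet, accepts RDP only from the jump server subnet, and explicitly denies RDP from everywhere else. Resource names and address ranges are placeholders.

```powershell
# Added example, not from the original article. All names and CIDR ranges are placeholders.
$rg         = 'rg-foo-web'
$location   = 'westeurope'
$jumpSubnet = '10.0.254.0/27'   # assumed jump server subnet
$webSubnet  = '10.0.1.0/24'     # assumed web tier subnet

# Priority 100: RDP only from the jump server subnet.
$allowRdpFromJump = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-JumpServer' `
    -Description 'Administrative RDP only via the jump server' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $jumpSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3389

# Priority 110: HTTPS is the only port exposed to public traffic.
$allowHttps = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-Inbound' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 443

# Priority 4000: deny RDP from everything else. Without this, the default
# AllowVnetInBound rule (priority 65000) would still admit RDP from other subnets,
# so a compromised host elsewhere in the VNet could reach the web tier over 3389.
$denyRdp = New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-Inbound' `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389

# Lower priority number wins, so the order is: jump server allowed, HTTPS allowed,
# all other RDP denied, then the platform default rules.
$nsg = New-AzNetworkSecurityGroup -Name 'nsg-foo-web' -ResourceGroupName $rg `
    -Location $location -SecurityRules $allowRdpFromJump, $allowHttps, $denyRdp

# Associate the NSG with the web subnet so it applies to every VM placed there.
$vnet = Get-AzVirtualNetwork -Name 'vnet-foo' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-web' `
    -AddressPrefix $webSubnet -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

Subnet-level association is preferred over per-NIC rules because a VM added to the subnet later inherits the same policy instead of starting with the permissive defaults.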
Azure PaaS (mostly App Service Model) hosted apps can be protected by the following measures –
- Applying a WAF (Web Application Firewall) to protect your applications
- Enabling Threat Protection for Azure SQL databases
- Managing SAS tokens and keys for Azure Storage, and the keys of other APIs, effectively
- Implementing Multi-Factor Authentication for applications
- Implementing AD authentication to enforce policies
- Classifying your data (Public vs Confidential) and accordingly choosing an appropriate data store and protecting it
- Using Azure Key Vault to store secrets (including passwords of Azure VMs)
- Running OWASP Top 10 testing for your application and aligning it with the OWASP Top 10 guidance
- Restricting access by IP address, or adding your resources to a Virtual Network
- Using Azure DDoS Protection and Azure Pen Test to ensure the highest level of security for your application
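The SAS-token and Key Vault items above, combined into one added Az PowerShell example (not code from the original article): rather than giving the App Service the storage account key, issue a short-lived, read-only SAS for a single container, store it in Key Vault, and let the app read it through its managed identity and a Key Vault reference. Storage account, container, vault and app names are placeholders.

```powershell
# Added example, not from the original article. Resource names are placeholders.
$rg        = 'rg-foo-web'
$storage   = 'stfooappdata'
$container = 'invoices'
$vault     = 'kv-foo-prod'
$webApp    = 'app-foo-portal'
$secret    = 'InvoicesContainerSas'
$expires   = (Get-Date).AddHours(8)

# 1. A SAS scoped to one container, read + list only, HTTPS only, valid for 8 hours.
#    Leaking this token exposes far less than leaking the account key does.
$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $storage).Context
$sas = New-AzStorageContainerSASToken -Name $container -Permission 'rl' `
    -StartTime (Get-Date).AddMinutes(-5) -ExpiryTime $expires `
    -Protocol HttpsOnly -Context $ctx

# 2. Store the token in Key Vault with a matching expiry instead of in web.config
#    or a plain app setting, so it never sits in source control or a deployment slot.
Set-AzKeyVaultSecret -VaultName $vault -Name $secret `
    -SecretValue (ConvertTo-SecureString $sas -AsPlainText -Force) `
    -Expires $expires | Out-Null

# 3. Give the web app a system-assigned identity and grant it only 'get' on secrets.
$app = Set-AzWebApp -ResourceGroupName $rg -Name $webApp -AssignIdentity $true
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $app.Identity.PrincipalId `
    -PermissionsToSecrets get

# 4. Expose the secret to the app as a Key Vault reference. App Service resolves the
#    reference at runtime, so the code just reads an environment variable.
#    Set-AzWebApp -AppSettings replaces the whole set, so carry the existing ones over.
$settings = @{}
foreach ($s in $app.SiteConfig.AppSettings) { $settings[$s.Name] = $s.Value }
$secretId = (Get-AzKeyVaultSecret -VaultName $vault -Name $secret).Id
$settings['INVOICES_SAS'] = "@Microsoft.KeyVault(SecretUri=$secretId)"
Set-AzWebApp -ResourceGroupName $rg -Name $webApp -AppSettings $settings | Out-Null
```

Because both the SAS and the Key Vault secret expire at the same time, the same script can run on a schedule to rotate the token without touching the application.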
With this, we have covered the major items for Foo Solutions Ltd. and provided guidance on their migration approach and on the security of their applications and cloud components.
Now let us discuss some reasons why organizations fail in their Cloud Migration journey, and how it impacts adoption.
Common reasons of Failures and Extra Costs Incurred during Azure Adoption and how to avoid these mistakes
Let us quickly understand some high-level reasons why enterprises/companies moving to Microsoft Azure fail to get the maximum Return on Investment (ROI) from the platform, or even decide to opt out.
Moving to the Cloud is not an easy decision, and opting out is equally painful. To avoid such painful outcomes, I will list some preventive measures and points to consider in order to realize an ROI on your Cloud investment.
We will bucket them into two categories (Technical and Non-Technical).
Technical Challenges
- Assuming Azure IaaS is the final solution and burning out – Moving everything to Azure IaaS without designing appropriate High Availability/Availability Zones can be a disaster. We have discussed a couple of assessment tools in this article. Enterprises/companies should first do a thorough analysis using the tools available, and then make a clear choice between IaaS and PaaS. PaaS is usually cheaper, more flexible, easier to deploy and easier to maintain.
- Lack of awareness of Azure Services and Tooling – Microsoft Azure is a dynamic cloud platform that is continuously evolving with new features, and Microsoft keeps adding and updating its value-added services. After doing an assessment, architects and decision makers need to map Azure services to their existing apps and see what best suits them to achieve their business goals and customer satisfaction.
- Blindly mapping services to competing cloud providers (e.g. Amazon AWS) – Many customers moving from Amazon AWS, or with a multi-cloud strategy, tend to map services head to head and assume it will work hassle free. I recommend doing a quick assessment, especially for Microsoft Azure where there is a plethora of services and a wider choice available. For example, when mapping AWS Lambda, the obvious equivalent is Azure Functions, since both are serverless offerings. But do revisit the requirement, since what you are looking for may be served using Azure API Apps as well. This is just a high-level example; besides this, “Cost” is also a factor, so ensure you are not blindly mapping services but evaluating them for better optimized use.
- Wrong technical assumptions and SLA assumptions – Enterprises/companies first need to understand the different SLAs for the different services in Azure. They also need to understand the terms and conditions for achieving those SLAs and the steps to be taken to fulfill them. “High Availability” and “Maintenance of VMs” (especially in Azure IaaS) are the most misunderstood terms. For Azure IaaS, understand the “Shared Responsibilities” concept before opting for it.
- Wrong assumptions about Security – In an earlier section of the article, I mentioned that customers often ask “Is Azure Secure?” Feel free to have a conversation with the customer and ask her/him a few questions of your own, like “Is your application secure in its current environment, and what measures have been taken to ensure its security?”.
While this may open up Pandora’s box, you will get the opportunity to showcase some of the built-in security measures and cloud native security services Microsoft offers. This should lead to a good value proposition. You need to understand, and help the customer understand, the following:
- Data Classification – The difference between Public Data and Private Data, how Microsoft treats data hosted in Azure, and what the Microsoft policies for it are (check the Microsoft Trust Center for more details – https://www.microsoft.com/en-us/trustcenter/cloudservices/azure).
- Help the customer understand how Microsoft ensures enterprise grade security for its datacenters across the world, and the compliance certifications it has.
- Educate the customer to differentiate between Application Security and Cloud Security, and the different measures and services associated with each.
- Encourage customers to opt for monitoring services (many customers skip this recommendation to save a few $ in the monthly bill).
Non-Technical Challenges (Sales / Pre-Sales phase)
- Wrong mapping of services or service choices to save cost in proposals/RFPs
- Lack of tools/questionnaires to capture the requirements for Azure (business goals, high level details of the current application/infrastructure etc.)
- Poor understanding of the Security and Compliance offerings from Azure
- Poor knowledge of the Azure cost calculator and of the different pricing models like:
  - Cloud Solution Provider (CSP)
  - Enterprise Agreement (EA)
  - Pay-As-You-Go (PAYG) etc.
- Missing out non-functional requirements (NFRs)
- Lack of knowledge and wrong assumptions about 3rd party service integration in Azure
- Lack of knowledge of the different support models Microsoft offers for Azure
- Poor knowledge of product licensing, especially in Hybrid or Lift and Shift migration scenarios in Azure, and of license reusability
- Poor communication with Microsoft’s ground Sales and Partner teams, who can frequently share publicly available value-added updates and more insights
Value added Services and Tools
We detailed the Migration and Security aspects along with common challenges and reasons for failure on Microsoft Azure. Now, once you embrace Microsoft Azure, here are some services and tools which will not only ease your Azure journey and help realize a better ROI, but will also add value for your customers.
App Configurator Service (Currently in “Preview”)
Many large enterprise applications have huge and complex configuration settings which play a key role in running these apps successfully. Maintaining them is a complex task, and overriding these settings is a challenge.
Being an enterprise friendly organization, Microsoft understood this and, to solve the problem, introduced the “App Configurator Service”, a one-stop repository to store all your key-value settings and configuration securely. Just as you read your configuration files, you can read these settings through a set of APIs.
Figure 17: Azure App Configuration Explorer for storing Keys
You can also import and export them at any time, and they are quite easy to manage from the Azure Portal too.
Cloudockit
Cloudockit is a multi-cloud third party solution to document your cloud workload in depth. It produces in-depth technical documentation and is useful where compliance rules require you to share documents with customers, or to maintain them for audit purposes. It is a quick tool which saves the time you would otherwise spend building documentation manually.
Figure 18: Cloudockit Tool
Cloudockit supports Microsoft Azure (including multiple subscriptions).
This is a paid tool and you can take a free trial at cloudockit.com.
Choosing the right compute type and size
This is a complex and critical area and requires a lot of exercise and extensive experience. There is no documentation which states that for 1 million users you should use this VM type, or that for a peak load of 50 million expected users you should use a different class of VM to get good performance.
The number of cores and the memory can usually be picked based on the following parameters:
- Nature of the business and availability in the multiple regions
- SLAs committed to end customers/consumers
- Ballpark number of users
- Data heavy or media heavy application
- Ballpark number of concurrent users
Although this is not a precise measure, at an initial level it is good enough to pick the VM type and size. You always have scaling mechanisms like VM Scale Sets which can scale on demand.
I have usually seen people do a Proof of Concept (PoC) followed by a Load Test and check the overall performance before choosing the VM specs. Here is a quick chart which can help you choose a series of VMs based on the nature of your business:
How to check/validate Website is accessible and running from multiple locations
Many times, we hear customers complaining about availability issues of a site from their geography. For example, let us say a company hosts a site for their UK and APAC customers. Now the UK consumers complain that the site is not accessible to them and raise a ticket.
Now how do you validate this?
If it is a partner/dev team, you may ask them to share their screen over Skype or Microsoft Teams, or to send a screenshot over email. But for a production environment with a large customer base of consumers, this is not possible. Traditionally, people would provision VMs in those regions, or manipulate the geo/time settings, to test.
Figure 19: App Insight Availability
This is not a standard or proven technique, especially in the Cloud era. Hence, if you have Application Insights applied to your application, you can check this with the “Availability” feature as shown in Figure 19, and run the test from different regions.
If at all you are considering a Microservices based design or architecture, then make a note of the following offerings, which will help you pick the correct service in Azure –
- ACR – Azure Container Registry (Deprecated Service – Kubernetes is now the industry standard, hence AKS is the new alternative)
- AKS – Azure Kubernetes Service. Good for Linux/Open Source workloads
- ASF – Azure Service Fabric. Good for Windows workloads. Ideal for non-containerized and stateful apps
- ASFM – Azure Service Fabric Mesh – Managed service offering for ASF
VSTS (Visual Studio Team Services) is now branded as Azure DevOps, with many new capabilities and services. Azure DevOps enables you to build different dashboards and to build CI/CD and CT pipelines with many open source version control systems and tools like Maven, Jenkins etc.
If you are new to Azure DevOps, the best way to get hands-on experience is to try out the FREE step by step labs from Microsoft here – https://azuredevopslabs.com as well as check out some tutorials at www.dotnetcurry.com/tutorials/devops.
Microsoft Azure is one of the top leading public cloud platforms, with unique offerings and true hybrid, secure and enterprise grade SLA offerings.
Azure gives good ROIs provided you align your migration and new application development strategy to it. I hope this tutorial has helped you get over common misconceptions about Microsoft Azure.
The suggestions described in this tutorial will also help you avoid mistakes, realize a better ROI and enable you to take decisions and build a long term, sustainable, profitable and secure Cloud roadmap for your organization, to serve your customers and consumers better!
This article was technically reviewed by Tim Sommer.
This article has been editorially reviewed by Suprotim Agarwal.