Conf42 Cloud Native 2024 - Online

Enterprise flight off Azure Landing Zone

Abstract

Azure Landing Zone should be a mandate in any organization’s Cloud Program. It exemplifies design principles to launch a Cloud environment to drive business while adhering to best practices of security and governance. This talk provides guidance on implementing Landing Zone at the enterprise level.

Summary

  • Only a third of enterprises are realizing their current ambitions. Cloud Adoption Framework is a comprehensive lifecycle framework to guide organizations to success in their cloud journey. The best practices aid organizations in aligning technical strategies with business value.
  • Azure Landing Zone delivers an environment that adheres to key principles across eight design areas. Azure billing and Microsoft Entra tenant is the first design area and deals with the top two levels of alignment. For the last design area, platform automation and DevOps, the cloud platform team drives automation.
  • There are actually two types of landing zone. The platform landing zone centralizes the shared services. The application landing zone is where subscriptions for application workloads reside. To take the conceptual architecture of Azure Landing Zone to reality, Microsoft provides accelerators.
  • For the landing zone where the execution has been done, this is how the landscape looks. Notice the four high-level management groups: platform, application, decommissioned and sandbox. The subject of Cloud Adoption Framework and Azure Landing Zone on an enterprise scale is an extensive topic.

Transcript

This transcript was autogenerated. To make changes, submit a PR.
Only a third of enterprises are realizing their current ambitions. This pessimistic but unsurprising number was published by HFS Research in their market vision paper. These results came from surveying over 500 senior executives across the largest companies in the world. Welcome to Conf42 Cloud Native Conference and thank you for attending the session. I'm Atif Siddiqui, senior principal software engineer at Silicon Valley Bank, a division of First Citizens Bank. This talk will be split over three sections, starting off with Cloud Adoption Framework and why it has to be the starting point for every cloud journey in Azure. The next section will be Azure Landing Zone and the key role it plays in a robust foundation. The third and last section will be about deployment strategy and how to realize this goal. Cloud Adoption Framework is a comprehensive lifecycle framework to guide organizations to success in their cloud journey. The best practices aid organizations in aligning their technical strategies with business value. The framework provides distinct phases with specific goals, solutions and benefits. Strategy starts with the question: why are we moving to the cloud? The motivations vary, but it is imperative that motivations are tightly coupled with business outcomes. On a broader level, there are three categories of motivations. Number one, critical business events, such as being on the hook to exit data centers or, for example, dealing with mergers and acquisitions. The second category of motivation is migration, such as the pursuit of cost savings or raising business agility. The third category is innovation, such as scaling to meet market or geographic demands. The Plan phase is about transforming strategy into an actionable plan. The application portfolio needs to be analyzed to determine which apps are suitable for migration or modernization. In addition, this phase also brings personnel together.
Alignment, in my mind, is one of the most underrated elements of the framework. This is because the program's success is contingent on a vision that must be shared by all the stakeholders. Another key component of this phase is determining skill readiness. For the people in the trenches to be successful, an assessment of the skill set is a requisite to find the gaps. The identified gaps can be bridged by training and upskilling, which brings the necessary expertise into the organization. The Ready phase requires defining an operating model from the three choices of decentralized, centralized or distributed operations. This phase also includes the highlight of the talk, Azure Landing Zone, and its implementation. The Migrate phase provides the best practices for migrating workloads to Azure based on workload assessment. There are choices to consider: rehost, aka lift and shift, versus refactor versus replatform. Since a salient purpose of innovation is to drive business value, what business value is needs to be formally and mutually defined by the stakeholders. Building the first minimum viable product, MVP, and measuring the customer impact are also considerations within the Innovate phase. The significance of the Secure phase should require no introduction. It is an area that industry trends repeatedly remind us requires more and more focus to be able to safeguard enterprise data and intellectual property. While Adopt focuses on getting you into the cloud, ongoing operations are what draw out the business deliverables. Every workload needs to be managed by its business criticality, which focuses on both cost and SLAs. The Govern phase is an iterative process to ensure the application portfolio complies with corporate and, as applicable, any regulatory compliance requirements. In the cloud space, it seems enterprises struggle with the dual challenge of harnessing innovation while maintaining a robust security posture. Azure Landing Zone is the antidote to this enterprise challenge.
It delivers an environment that adheres to key principles across eight design areas. Azure billing and Microsoft Entra tenant is the first design area and deals with the top two levels of alignment. As depicted on the slide, it deals with billing and the Entra tenant that it is encompassed by. Identity and access management is another critical area that establishes secure access controls. In addition to the focus on authentication and authorization, it also caters to separation of duties. A significant number of enterprises have their own data center, which means hybrid connectivity will be a requirement. Resource organization plans for how resources will be organized and for the use of consistent patterns in regard to resource naming, tagging and subscription designs. The scope of security transcends all areas of the Azure ecosystem, including network and workloads. In addition to industry standards such as NIST, Microsoft provides its own security benchmarks and attestation. Management is a design area led by the CloudOps team. It focuses on business alignment and cloud management through engagement with business stakeholders. SLAs such as RTO and RPO can be agreed upon. Governance is an iterative process. The team plays an overarching role to focus on enforcement of compliance and security requirements. For the last design area, platform automation and DevOps, the cloud platform team drives automation and should lead the way for the adoption of infrastructure as code options. One piece of information that will help at this point is that, on a higher level, there are actually two types of landing zone. The platform landing zone centralizes the shared services that are generally considered foundational, for example networking and identity. The application landing zone is the second type of landing zone, and this is where subscriptions for application workloads reside. To create isolation between internet-facing and internal workloads, Microsoft recommends subcategories.
They've chosen the name online for public and corp for private workloads. This slide provides visual insight into how Microsoft advocates the architecture for a landing zone at the highest level. There are four management groups; aside from the first two, platform and application, that I've already talked about, the third management group is for subscriptions that are intended to be retired or decommissioned. The fourth management group is sandbox. The primary reason for having a dedicated management group is to isolate sandbox subscriptions from all other types of subscriptions. To take the conceptual architecture of Azure Landing Zone to reality, Microsoft provides accelerators. The accelerator is the most efficient way to implement the landing zone. There are actually three ways to perform the execution: the Azure portal; Bicep, which is Microsoft's own domain-specific declarative language; and the third option being HashiCorp's Terraform. Out of the three implementation options, I'll focus on Terraform because, as an infrastructure as code tool, it has a huge presence in enterprises, among other reasons because enterprises are increasingly heading towards a multi-cloud strategy. To Microsoft's credit, they have published modules for the landing zone in Terraform's public registry as well as on GitHub. There is detailed documentation that provides guidance from simple to advanced use cases. For the landing zone where the execution has been done, this is how the landscape looks. I realize this is a busy diagram, so let's focus on a few areas that tie back to the talk. Notice the four high-level management groups: platform, application, decommissioned and sandbox. Then within platform you have those three shared services: identity, management and connectivity. For example, in this case, connectivity is doing the hub and spoke model, and then you have the identity subscription here. Similarly, your application workloads reside under this management group.
As depicted here, the subject of Cloud Adoption Framework and Azure Landing Zone on an enterprise scale is an extensive topic. Given the breadth of this topic, I hope I've been able to give you a condensed flavor.
...
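The hierarchy the talk walks through (platform with identity, management and connectivity underneath; application landing zones split into corp and online; decommissioned; sandbox) is what the Terraform accelerator builds. The root module below is an added example written for this page, not code from the talk or from Microsoft; it calls the published Azure/caf-enterprise-scale module from the Terraform public registry. The version pins, the `contoso` prefix, the region and the three subscription IDs are placeholders, and the input names should be checked against the module documentation for the version you pin, since they have changed across major releases.

```hcl
terraform {
  required_version = ">= 1.3"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.74" # assumption: pin to what the module version you use supports
    }
  }
}

# Platform subscription IDs are placeholders: supply real values via tfvars or TF_VAR_*.
variable "subscription_id_connectivity" { type = string }
variable "subscription_id_management"   { type = string }
variable "subscription_id_identity"     { type = string }

# Default provider: the identity the pipeline runs as. It needs rights to create
# management groups and assign policy at the tenant root group; keep it a
# dedicated deployment principal rather than a human account (separation of duties).
provider "azurerm" {
  features {}
}

# The module deploys hub networking into the connectivity subscription and
# logging/monitoring into the management subscription, so it requires provider
# aliases scoped to each of those subscriptions.
provider "azurerm" {
  alias           = "connectivity"
  subscription_id = var.subscription_id_connectivity
  features {}
}

provider "azurerm" {
  alias           = "management"
  subscription_id = var.subscription_id_management
  features {}
}

data "azurerm_client_config" "core" {}

module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "~> 5.0" # assumption: check the registry for the current major version

  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm.connectivity
    azurerm.management   = azurerm.management
  }

  # Management groups are created directly under the tenant root group.
  root_parent_id   = data.azurerm_client_config.core.tenant_id
  root_id          = "contoso" # placeholder prefix for every management group ID
  root_name        = "Contoso" # placeholder display name of the top-level group
  default_location = "eastus"  # placeholder region for platform resources

  # The four high-level groups from the talk (platform, landing zones,
  # decommissioned, sandbox) come from this flag; it defaults to true.
  deploy_core_landing_zones = true

  # Split application landing zones into internet-facing (online) and
  # private (corp) children so policy can differ between them.
  deploy_corp_landing_zones   = true
  deploy_online_landing_zones = true
  deploy_sap_landing_zones    = false
  deploy_demo_landing_zones   = false

  # Platform subscriptions: identity, management and connectivity. Passing the
  # IDs places each subscription under its platform child management group;
  # the matching deploy_* flag creates that subscription's shared services
  # (hub network for connectivity, Log Analytics for management, and the
  # identity archetype's policy assignments for identity).
  subscription_id_identity     = var.subscription_id_identity
  subscription_id_management   = var.subscription_id_management
  subscription_id_connectivity = var.subscription_id_connectivity

  deploy_identity_resources     = true
  deploy_management_resources   = true
  deploy_connectivity_resources = true # hub-and-spoke hub using the module's default settings

  disable_telemetry = true
}
```

Run `terraform init` and `terraform plan` first and read the plan before applying: the module's built-in archetypes attach policy definitions and assignments to each management group, and those assignments inherit down to every subscription placed under the group, which is exactly why the sandbox and decommissioned groups exist as separate branches rather than as subscriptions under landing zones. Review the archetype library shipped with the module for the version you pin before the first apply, since the deny-style assignments will block workloads that are moved into the wrong group.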

Atif Siddiqui

Senior Principal Software Engineer @ Silicon Valley Bank
