
From the Ground to the Cloud – Moving Applications to Azure

-- Principal Consultant, Cloud Solution Architect, Cloud Security, Security Officer --

Within the Business Development Department at Trivadis in Zürich, I intensively focus on cloud solutions and cloud security, support the CSO as information security officer and hold the position of program manager for Cloud Computing.

I also support pre-sales for Microsoft Azure and Office 365 solutions as well as Oracle IaaS and Bare Metal Cloud Services, especially in security, privacy and business solutions.

I practice and develop cloud assessments, cloud TCO and ROI analyses combined with cloud governance and transition models.

I'm passionate about identity management, information security and new possibilities in cloud computing.

Open-minded and always looking for interesting discussions around the cloud.

Azure Zurich User Group

January 24, 2017

Transcript

  1. Trivadis (Basel, Bern, Brugg, Düsseldorf, Frankfurt a.M., Freiburg i.Br., Genf, Hamburg, Kopenhagen, Lausanne, München, Stuttgart, Wien, Zürich)
     MS Azure Zürich User Group: From Ground to Cloud – Moving Applications to Azure
     Florian van Keulen, Principal Consultant Cloud & Security, 24.01.2017
  2. Florian van Keulen, Principal Consultant – Cloud & Security (slide dated 8.11.2016)
     – Over 15 years of IT experience
     – Trivadis security officer (SiBe)
     – Discipline manager "Infrastructure Security"
     – Program manager "Cloud Computing"
     Specialist areas: cloud and infrastructure security; identity and access management; remote access solutions; cloud security consulting; data protection, governance and information security management; security concepts and analyses; Microsoft Azure security solutions.
     Further: certified IT security officer; IT-Grundschutz and information security management (ISO 27001); security by design (OWASP, NIST & ENISA); IAM; identity federation; role-based access control (RBAC); SAML, OAuth & OpenID Connect.
     Experience: security concept & review, Azure private cloud infrastructure & RemoteApp services (Axpo Trading); securing Azure IoT infrastructure & Azure deployment automation (IWB); security concept for a cloud collaboration platform in healthcare; cloud governance concept for a pension fund.
     "New environments hold not only risks but also security opportunities, if one knows how to handle them correctly. Question critically, rethink, understand and adapt – use the cloud 'securely'!" – Florian v. Keulen
  3. Agenda
     – Before you begin
     – Azure IaaS
     – Project example
     © Trivadis – MS Azure Zürich User Group
  4. What is your goal?
     Cloud is not the goal! Cloud is a solution to achieve the goal. The goal is agility, functionality, scalability and cost savings for the digital business transformation.
  5. What is your goal?
     – Move applications out of your own datacenter?
     – Make an application more accessible from remote locations?
     – Save operational costs?
     – Gain better scalability?
     – Gain new functionality?
     Consider your goal during planning and design!
  6. Different approaches to bring an application to Azure
     – 1:1 transition: extend the on-premises datacenter using Azure IaaS; connect with on-premises (hybrid); no modernization or adaptation; move the application 1:1.
     – Migrate to Azure IaaS stand-alone: extract the application from on-premises; deploy it in a separate environment with its own IAM and network environment.
     – Modernize the application to use Azure IaaS and PaaS resources (mixed services): make use of specific Azure PaaS services (App Services, Storage, IAM, DB, Service Bus, etc.); core SaaS.
     – Modernize the application to be fully PaaS (SaaS).
  7. Different approaches to bring an application to Azure: stepwise approach
     – Move the application to the cloud using mainly IaaS: fewer changes, application stays consistent, legacy technologies can remain.
     – Start modernizing the application: start integrating PaaS services.
     – Start using new technologies: move data; this makes old application components obsolete.
  8. Azure Cloud – IaaS
     Diagram: Microsoft Azure (provider managed) hosting one self-managed Resource Group with VNet 10.0.0.0/8, Subnet 1 10.1.0.0/16 and Subnet 2 10.2.0.0/16, two VMs, a Storage Account, a Gateway and Routing.
  9. Azure Cloud – IaaS
     Diagram: as on the previous slide, plus a second self-managed Resource Group 2 with its own VNet 10.0.0.0/8, four VMs and a Storage Account. Note that both VNets use the same 10.0.0.0/8 address space: two VNets with overlapping address ranges can be run side by side as isolated environments, but they cannot be peered or connected through a gateway later, so environments that will ever need to talk to each other (or to the same on-premises network) need disjoint ranges from the start.
  10. Azure Cloud – Management
     – Azure AD
     – Management Portal
     – Azure PowerShell
     – Azure Cross-Platform Command Line Interface (Azure CLI)
     – Service Management REST API
     Authentication:
     – Management certificate (X.509 v3), which applies only to the classic Service Management API; Resource Manager requests are authenticated through Azure AD
     – Azure AD account
     – MFA (multi-factor authentication)
  11. Azure Cloud – Resource Manager
     – Group Azure components into Resource Groups
     – Separate role-based access control (RBAC) for each resource group
     – Resource Manager templates for fast deployments of Resource Groups
     – Billing summary per Resource Group
     Diagram: Microsoft Azure with Azure AD and Resource Groups 1, 2 and 3, each with its own Admins and Users.
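The per-resource-group RBAC shown on this slide, as an added example that is not part of the deck. It uses the current Az PowerShell module (the deck predates it and would have used AzureRM) and assumes an existing login via Connect-AzAccount; the resource group names, the Azure AD group names, the tag and the region are placeholders.

```powershell
# Added example (not from the deck): one resource group per environment,
# with RBAC granted at resource-group scope instead of subscription scope.
# Assumes the Az module and an existing Connect-AzAccount session.
# Names and the region are placeholders.
$location = 'germanycentral'
$layout = @{
    'rg-app-prod' = @{ Admins = 'sg-app-prod-admins'; Users = 'sg-app-prod-users' }
    'rg-app-test' = @{ Admins = 'sg-app-test-admins'; Users = 'sg-app-test-users' }
}

# Idempotent grant: New-AzRoleAssignment fails if the assignment already exists.
function Grant-ResourceGroupRole {
    param([string]$GroupDisplayName, [string]$Role, [string]$ResourceGroupName)
    $principal = Get-AzADGroup -DisplayName $GroupDisplayName
    $existing = Get-AzRoleAssignment -ObjectId $principal.Id `
        -ResourceGroupName $ResourceGroupName -RoleDefinitionName $Role
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $principal.Id -RoleDefinitionName $Role `
            -ResourceGroupName $ResourceGroupName | Out-Null
    }
}

foreach ($rgName in $layout.Keys) {
    if (-not (Get-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue)) {
        # The tag is what the per-resource-group billing summary is later filtered on.
        New-AzResourceGroup -Name $rgName -Location $location -Tag @{ costcenter = 'app' } | Out-Null
    }
    # Contributor can create and change resources but cannot grant access;
    # that right stays with Owner / User Access Administrator at a higher level.
    Grant-ResourceGroupRole -GroupDisplayName $layout[$rgName].Admins -Role 'Contributor' -ResourceGroupName $rgName
    # Reader for people who only need to see what is deployed.
    Grant-ResourceGroupRole -GroupDisplayName $layout[$rgName].Users  -Role 'Reader' -ResourceGroupName $rgName
}

# Check: anything assigned directly at subscription scope bypasses the
# per-resource-group separation, so this list should be short and known.
$subScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
Get-AzRoleAssignment -Scope $subScope |
    Where-Object { $_.Scope -eq $subScope } |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

The final query is the part worth keeping in a recurring check: resource-group scoping only separates environments if nobody is also Owner or Contributor on the whole subscription.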
  12. Azure Cloud – IaaS authentication
     – VMs in IaaS cannot authenticate against Azure Active Directory directly
     – Option 1: deploy an AD domain controller in IaaS
     – Option 2: use Azure AD Domain Services: LDAP, Kerberos, NTLM; a read-only managed domain (no domain admin rights, no schema extensions); deployed into an Azure VNet
     Diagram: Microsoft Azure with Azure AD, an Azure AD Domain Services instance and a DC.
  13. Azure Cloud – Federated identities
     AD Connect:
     – Sync identities
     – Specify which attributes are synced
     – Filter based on domain, OU, attribute and groups
     ADFS server:
     – Authentication / SSO
     – Supports SAML, OAuth, WS-Federation, etc.
     – Farm infrastructure for high availability
     – Web Application Proxy (ADFS proxy)
     Diagram: Microsoft Azure (Azure AD) on one side; on-premises on the other with a DC, AD Connect (Sync to Azure AD) and a DMZ holding ADFS and the WAP (Log-in, Authentication).
  14. Azure Cloud – Federated identities
     Single sign-on:
     – Azure SaaS
     – On-premises
     – 3rd-party SaaS
     – Multiple domains
     Azure Active Directory B2C: for 3rd-party accounts (Google, Facebook, etc.)
     Azure Active Directory Domain Services
     Diagram: same as on the previous slide.
  15. Azure Cloud – WAF & WAP
     – Azure Web Application Firewall (preview at the time of the talk)
     – Azure AD Application Proxy (called Azure Web Application Proxy on the slide): proxy service; pre-authentication against Azure AD or pass-through; agent (connector) based
     Diagram: Microsoft Azure with Azure AD, Azure WAF and Azure WAP in front of a VNet containing the WAP agent and a DC.
  16. Azure Cloud – Cross-premises connections
     Azure VPN Gateway:
     – Only one VPN gateway per VNet
     – Static (policy-based) or dynamic (route-based) routing
     – Max. 10 S2S connections (High-Performance gateway: up to 30); limits as of the talk
     Site-to-Site (S2S) / Point-to-Site (P2S):
     – IPsec/IKE
     – P2S: max. 128 connections per gateway (limit as of the talk)
     ExpressRoute:
     – MPLS
     – SLA
     Diagram: Microsoft Azure VNet 1 with a VPN Gateway; Site-to-Site VPN or ExpressRoute to the on-premises site; Point-to-Site VPN from a remote user's individual computer.
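A route-based Site-to-Site gateway as described on this slide, as an added example that is not part of the deck. It uses the current Az PowerShell module (the deck would have used AzureRM) and assumes an existing resource group and VNet, a Key Vault holding the pre-shared key, and an on-premises VPN device; all names, the region, the on-premises public IP (a TEST-NET-3 documentation address) and the address ranges are placeholders.

```powershell
# Added example (not from the deck): S2S VPN with a pinned IPsec/IKE policy.
# Assumes the Az module, a logged-in session, an existing resource group and VNet,
# and a Key Vault secret with the pre-shared key. All names are placeholders.
$rgName         = 'rg-app-prod'
$location       = 'germanycentral'
$vnetName       = 'vnet-app'
$onPremPublicIp = '203.0.113.10'     # placeholder: public IP of the on-prem VPN device
$onPremPrefix   = '192.168.0.0/16'   # placeholder: on-prem range reachable over the tunnel

# 1. The gateway needs a subnet literally named 'GatewaySubnet'; /27 leaves
#    headroom for larger gateway SKUs and coexistence with ExpressRoute.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.255.0/27' -VirtualNetwork $vnet |
    Set-AzVirtualNetwork | Out-Null
$vnet     = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# 2. Public IP and the gateway itself. RouteBased is "dynamic routing" in the
#    deck's terms and is what multi-site and P2S require. Creation takes a while.
$pip = New-AzPublicIpAddress -Name 'pip-vgw-app' -ResourceGroupName $rgName -Location $location `
    -AllocationMethod Static -Sku Standard
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name 'ipconf-vgw-app' `
    -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name 'vgw-app' -ResourceGroupName $rgName -Location $location `
    -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# 3. The on-premises side: its public endpoint and the prefixes behind it.
$lng = New-AzLocalNetworkGateway -Name 'lng-hq' -ResourceGroupName $rgName -Location $location `
    -GatewayIpAddress $onPremPublicIp -AddressPrefix $onPremPrefix

# 4. Pin the IKE/IPsec suites instead of accepting whatever the default
#    negotiation set agrees on with the on-prem device. With AES-GCM for IPsec
#    the encryption and integrity settings must be the same algorithm.
$ipsecPolicy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup ECP384 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup ECP384 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# 5. The pre-shared key comes from Key Vault, never from a literal in the script
#    (the script ends up in version control; the key must not).
$psk = Get-AzKeyVaultSecret -VaultName 'kv-app-prod' -Name 'vpn-psk-hq' -AsPlainText
New-AzVirtualNetworkGatewayConnection -Name 'cn-hq' -ResourceGroupName $rgName -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -SharedKey $psk -IpsecPolicies $ipsecPolicy | Out-Null

# Check: the tunnel is up only once the on-prem device has been configured with
# the same suites and key; until then ConnectionStatus stays 'NotConnected'.
Get-AzVirtualNetworkGatewayConnection -Name 'cn-hq' -ResourceGroupName $rgName |
    Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
```

The same policy object has to be mirrored on the on-premises device; a mismatch shows up as a connection that never leaves the 'NotConnected' state rather than as an error from the cmdlets.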
  17. Azure Cloud – Network Security Groups
     – Enable network segmentation and DMZ scenarios
     – Access control list: filter conditions with allow/deny; individual addresses, address prefixes, wildcards
     – Associate with VM network interfaces or with subnets
     – ACLs can be updated independently of the VMs
     Diagram: Microsoft Azure with Azure AD; a VNet with Frontend, Mid-Tier and Backend segments; the Frontend is reached from the WWW, the VPN Gateway connects to the company network.
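The three-tier segmentation from the diagram, expressed as one NSG per subnet, as an added example that is not part of the deck. It uses the current Az PowerShell module (the deck would have used AzureRM) and assumes an existing resource group; the names, region, subnet ranges, application port and on-premises range are placeholders.

```powershell
# Added example (not from the deck): Frontend / Mid-Tier / Backend subnets,
# each with its own NSG. Assumes the Az module, a logged-in session and an
# existing resource group. Names, ranges and ports are placeholders.
$rgName   = 'rg-app-prod'
$location = 'germanycentral'
$front    = '10.1.1.0/24'      # Frontend subnet
$mid      = '10.1.2.0/24'      # Mid-Tier subnet
$back     = '10.1.3.0/24'      # Backend subnet
$onPrem   = '192.168.0.0/16'   # company network, reached through the VPN gateway
$appPort  = '8080'             # placeholder application port on the mid-tier
$dbPort   = '1521'             # placeholder database port on the backend

# Helper: one inbound rule. Lower priority number = evaluated first; the first
# matching rule wins and evaluation stops.
function New-InboundRule {
    param([string]$Name, [int]$Priority, [string]$Access,
          [string]$Source, [string]$Destination, [string]$Port, [string]$Protocol = 'Tcp')
    New-AzNetworkSecurityRuleConfig -Name $Name -Priority $Priority -Access $Access `
        -Direction Inbound -Protocol $Protocol `
        -SourceAddressPrefix $Source -SourcePortRange '*' `
        -DestinationAddressPrefix $Destination -DestinationPortRange $Port
}

# The explicit deny at priority 4000 matters: the built-in AllowVnetInBound rule
# (priority 65000) would otherwise let the Frontend reach the Backend directly,
# because everything inside the VNet counts as 'VirtualNetwork'. The explicit
# deny sits below the allows but above the defaults, so it overrides them.
$denyAll = New-InboundRule -Name 'deny-all-inbound' -Priority 4000 -Access Deny `
    -Source '*' -Destination '*' -Port '*' -Protocol '*'

$nsgFront = New-AzNetworkSecurityGroup -Name 'nsg-frontend' -ResourceGroupName $rgName -Location $location -SecurityRules @(
    (New-InboundRule -Name 'allow-https-from-internet' -Priority 100 -Access Allow -Source 'Internet' -Destination $front -Port '443'),
    $denyAll)

$nsgMid = New-AzNetworkSecurityGroup -Name 'nsg-midtier' -ResourceGroupName $rgName -Location $location -SecurityRules @(
    (New-InboundRule -Name 'allow-app-from-frontend' -Priority 100 -Access Allow -Source $front -Destination $mid -Port $appPort),
    $denyAll)

$nsgBack = New-AzNetworkSecurityGroup -Name 'nsg-backend' -ResourceGroupName $rgName -Location $location -SecurityRules @(
    (New-InboundRule -Name 'allow-db-from-midtier' -Priority 100 -Access Allow -Source $mid -Destination $back -Port $dbPort),
    # Administration only from the company network over the VPN, never from the Internet.
    (New-InboundRule -Name 'allow-rdp-from-onprem' -Priority 200 -Access Allow -Source $onPrem -Destination $back -Port '3389'),
    $denyAll)

# Subnets with their NSGs attached; the NSGs can be edited later without touching the VMs.
$subnets = @(
    (New-AzVirtualNetworkSubnetConfig -Name 'snet-frontend' -AddressPrefix $front -NetworkSecurityGroup $nsgFront),
    (New-AzVirtualNetworkSubnetConfig -Name 'snet-midtier'  -AddressPrefix $mid   -NetworkSecurityGroup $nsgMid),
    (New-AzVirtualNetworkSubnetConfig -Name 'snet-backend'  -AddressPrefix $back  -NetworkSecurityGroup $nsgBack))
New-AzVirtualNetwork -Name 'vnet-app' -ResourceGroupName $rgName -Location $location `
    -AddressPrefix '10.1.0.0/16' -Subnet $subnets | Out-Null

# Check: the effective rule order for the backend, explicit rules first.
$nsgBack.SecurityRules | Sort-Object Priority |
    Select-Object Priority, Name, Access, SourceAddressPrefix, DestinationPortRange
```

Outbound is left at the defaults here; if the backend must not initiate connections to the Internet, an outbound deny for 'Internet' belongs in the same NSG, and the VPN gateway's own subnet must not carry an NSG at all.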
  18. Example: spin-off from an enterprise
     Strategic consulting with regard to IT environments and the cloud:
     – Consideration: own data center, hybrid, private and public cloud
     – Cloud providers: Microsoft (Office 365, Azure, Azure Germany), Oracle Cloud, AWS
     – Service models: IaaS, PaaS and SaaS
     Conception of the IT environment using the cloud
     Decision: Office 365, Microsoft Azure Germany
     Extraction and migration of the Oracle business application into Azure Germany IaaS
     Modernization of the Oracle application towards a SaaS model for customers
     System Care / operation of the environment
  19. Example: spin-off from an enterprise
     Diagram: Employees use Office 365; the business application runs in Microsoft Azure Germany with user & identity management; partners, customers, employees, support and reading stations access it; System Care and a Service Desk operate it.
  20. Example: spin-off from an enterprise
     1. Prepare the IaaS environment
     2. Deploy services
     3. Configure connectivity
     4. Establish security
     5. Create templates
     6. Migrate data
     7. Deploy test and development environments based on the templates
     8. Start modernizing
  21. Example: spin-off from an enterprise
     Diagram (Microsoft Azure Germany): Subnet 1 with an SFTP server, a WebLogic OFM Forms/Reports server and a job/task server with an SFTP client; Subnet 2 with the DB server (Oracle DB).
  22. Example: spin-off from an enterprise
     Diagram: as on the previous slide, plus a Storage Account providing File Storage shares to the application servers.
  23. Example: spin-off from an enterprise
     Diagram: as on the previous slide, plus the external parties: SFTP clients at the reading stations and an SFTP server on the LOB system exchanging files with the SFTP server; 1st-level support; Azure AD and Azure AD Domain Services for identities; Azure WAF in front of the application.
  24. Example: spin-off from an enterprise
     Diagram: as on the previous slide, plus Subnet 3 with admin terminals, a VPN Gateway and VPN/RDP access for the admins.
  25. On the way to utilizing the cloud with Trivadis ... comprehensive or just selective
     – Consulting: strategic, technological, solution-oriented
     – Planning: assessments, cloud readiness, modernization, solutions
     – Implementation: project, development, integration
     – Training: courses, workshops, dedicated trainings
     – Operation: SystemCare, SLA, service & support