Upgrade to Pro — share decks privately, control downloads, hide ads and more …

From the Ground to the Cloud – Moving Applications to Azure

From the Ground to the Cloud – Moving Applications to Azure

-- Principal Consultant, Cloud Solution Architect, Cloud Security, Security Officer --

Within the Business Development Department at Trivadis in Zürich I intensively focus on Cloud Solutions and Cloud Security, support the CSO as Information security officer and hold the position as Program manager for Cloud Computing.

Also support Pre-Sales for Microsoft Azure and Office 365 solutions as well as Oracle IaaS and Bare Metal Cloud Services, especially in security, privacy and Business solutions.

Practicing and developing Cloud Assessments, Cloud TCO and ROI analysis combined with Cloud Governance and Transition models.

I'm passionate about Identity management, Information security and new possibilities in cloud computing.

Open minded and always looking for interesting discussions around Cloud.

Azure Zurich User Group
PRO

January 24, 2017
Tweet

More Decks by Azure Zurich User Group

Other Decks in Technology

Transcript

  1. BASEL BERN BRUGG DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. GENF HAMBURG

    KOPENHAGEN LAUSANNE MÜNCHEN STUTTGART WIEN ZÜRICH Ms Azure Zürich User Groupe From Ground to Cloud – Moving Applications to Azure Florian van Keulen, Principle Consultant Cloud & Security 24.01.2017
  2. Weiteres:  Zertifizierter IT-Sicherheitsbeauftragter  IT Grundschutz und Informations- sicherheitsmanagement

    (ISO27001)  Security by Design (OWASP, NIST & Enisa)  IAM  Identity Federation  Role Based Access Control (RBAC)  SAML, OAuth & Open ID Connect Florian van Keulen 2 8.11.2016 Principal Consultant - Cloud & Security  Über 15 Jahre IT Erfahrung  Trivadis Sicherheitsbeauftragter (SiBe)  Disziplin Manager “Infrastructure Security”  Program Manager “Cloud Computing“ Spezialgebiet:  Cloud- und Infrastructure Security  Identity- und Access Management  Remote Access Lösungen  Cloud Sicherheitsberatung  Datenschutz, Governance und Informationssicherheitsmanagement  Sicherheitskonzeption und Analysen  Microsoft Azure Security Solutions Erfahrung:  Security Konzept & Review, Azure Private Cloud Infrastructure & RemoteApp Services (Axpo Trading)  Securing Azure IoT Infrastructure & Azure deployment Automation (IWB)  Security Konzept Cloud Collaboration Platform Im Gesundheitswesen  Cloud Governance Concept - Pensionskasse …Neue Umgebungen bergen nicht nur Risiken, sondern auch Sicherheits- opportunitäten, wenn man damit richtig umzugehen weiss. Kritisch Hinterfragen, Umdenken, Verstehen und Adaptieren – Cloud “sicher” nutzen! Florian v. Keulen
  3. Agenda 3 Before you begin Azure IaaS Project Example ©

    Trivadis – MS Azure Zürich User Group
  4. 4 Before you begin © Trivadis – MS Azure Zürich

    User Group
  5. What is your Goal? © Trivadis – MS Azure Zürich

    User Group 5 Cloud is not the goal! Cloud is a solution to achive the goal! The goal is agility, functionality, scalability und cost- saving for the digitale business transformation
  6. What is your Goal? © Trivadis – MS Azure Zürich

    User Group 6 Move Applications out of own datacenter? Making an application better accessible from remote? Saving Operational Costs? Gain Better Scalability? Gain new functionality? Consider your goal during Planning and Design!
  7. Different Approaches to bring a Application to Azure © Trivadis

    – MS Azure Zürich User Group 7 1:1 Transition – extending OnPrem datacenter using Azure IaaS – Connect with OnPrem (Hybrid) – No modernization or adoption – Move application 1:1 Migrate to Azure IaaS stand alone – Extract Application from OnPrem – Deploy in seperate environment – Own IAM and Network environment Modernize Application to use Azure Iaas and PaaS resources (mixed Services) – Make use of specific Azure PaaS services (app servcies, storage, IAM, DB, Service bus, etc...) – Core SaaS Modernize Application to be fully PaaS (SaaS)
  8. Cloud Models © Trivadis – MS Azure Zürich User Group

    8 Self managed Provider managed
  9. Different Approaches to bring a Application to Azure © Trivadis

    – MS Azure Zürich User Group 9 Stepwise approach Move application to cloud using mainly IaaS – Less changes, – Consistency Application – Legacy Technologies Start modernizing application – Start Integrating PaaS Services Start using new technologies – Move data – Makes old applikation (components) obsolete
  10. 10 Azure IaaS © Trivadis – MS Azure Zürich User

    Group
  11. Azure Cloud - IaaS © Trivadis – MS Azure Zürich

    User Group 11 Self managed Provider managed Microsoft Azure Resource Group VNet: 10.0.0.0/8 Storage Account Subnet 1 10.1.0.0/16 Subnet 2 10.2.0.0/16 VM VM Gateway Routing
  12. Azure Cloud - IaaS © Trivadis – MS Azure Zürich

    User Group 12 Microsoft Azure Resource Group VNet: 10.0.0.0/8 Storage Account Subnet 1 10.1.0.0/16 Subnet 2 10.2.0.0/16 VM VM Gateway Routing Resource Group 2 VNet: 10.0.0.0/8 VM VM VM VM Storage Account Self managed Provider managed
  13. Azure Cloud – Management © Trivadis – MS Azure Zürich

    User Group 13 Microsoft Azure Azure AD Management Portal Azure PowerShell Azure Cross Platform Command Line Interface (Azure CLI) Service Management REST API Authentication: – Managment certificate (X.509 v3) – Azure AD Account MFA – Multi Factor Authentication
  14. Azure Cloud – Resource Manager © Trivadis – MS Azure

    Zürich User Group 14 Microsoft Azure Azure AD Resource Group 1 Resource Group 2 Resource Group 3 Admins Users Admins Users Admins Users Group Azure components into Resource Groups Seperate Role Based Access Control for each resource group (RBAC) Resource Manager Template for fast deployments of Resource Groups Billing summery per Resource Group
  15. Azure Cloud – IaaS Authentication © Trivadis – MS Azure

    Zürich User Group 15 Microsoft Azure Azure AD VMs in IaaS cannot authenticate against Azure Active Directory directly Deploy AD Domain Controler in IaaS Use Azure AD Directory Domain Services: – LDAP, Kerberos, NTLM – Read Only – Uses Azure AD VNet Azure AD Domain Services DC
  16. Azure Cloud – Federated Identities © Trivadis – MS Azure

    Zürich User Group 16 AD Connent – Sync Identities – Specify Attributes – Based on domain, OU, attribute and groups ADFS Server – Authentication / SSO – Supports SAML, Oauth, WS- Federation, etc... – Farm infrastructure for High Availibility – Web Application Proxy (ADFS Proxy) Microsoft Azure OnPremise Azure AD DC DMZ AD Connect ADFS WAP Sync Log-in Authentication
  17. Azure Cloud – Federated Identities © Trivadis – MS Azure

    Zürich User Group 17 Single Sign-On – Azure SaaS – OnPremise – 3rd Party SaaS Multiple Domains Azure Active Directory B2C – For 3rd Party Accounts (Google, Facebook, etc...) Azure Active Directory Domain Services Microsoft Azure OnPremise Azure AD DC DMZ AD Connect ADFS WAP Sync Log-in Authentication
  18. Azure Cloud – WAF & WAP © Trivadis – MS

    Azure Zürich User Group 18 Microsoft Azure Azure AD Azure Web Application Firewall (Preview) Azure Web Application Proxy – Proxy Service – Pre-Authentication (Azure AD) or pass-through – Agent Based VNet WAP Agent DC Azure WAF Azure WAP
  19. Azure Cloud - Cross-Premise Connections © Trivadis – MS Azure

    Zürich User Group 19 Azure VPN Gateway – Per VNet Only One Gateway – Static or Dynamic routing – Max 10 S2S connections (High-Performance GW: up to 30) Site-2-Site (S2S) / Point-2-Site (P2S) – IPSec/IKE – P2S: max 128 connections per GW Express Route – MPLS – SLA Microsoft Azure OnPremise VNet 1 VPN Gateway Site-2-Site VPN Or Express Route Point-2-Site VPN Point-2-Site VPN Remote User Individual Computer
  20. Azure Cloud – Network Security Groups © Trivadis – MS

    Azure Zürich User Group 20 Microsoft Azure Azure AD Enables network segmentation & DMZ scenarios Access Control List – Filter conditions with allow/deny – Individual addresses, address prefixes, wildcards Associate with VMs or subnets ACLs can be updated independent of VMs VNet Backend Mid-Tier Frontend VPN Gateway WWW Unternehmen
  21. 21 Project Example © Trivadis – MS Azure Zürich User

    Group
  22. Example: Spin-off from an Enterprise © Trivadis – MS Azure

    Zürich User Group 22 Strategical consulting with regards to IT environments and cloud – Consideration: own Data Center, Hybrid, Private and Public Cloud – Cloud Provider: Microsoft (Office 365, Azure, Azure germany), Oracle Cloud, AWS – Service Models: IaaS, PaaS und SaaS Conception of IT environment using cloud Decision: Office365, Microsoft Azure germany Extraction and migration of the Oracle business application in Azure Germany IaaS Modernization of Oracle application towards a SaaS Model for customers System Care / Operation of the environment
  23. Employees Office365 Microsoft Azure Germany Business Application User & Identity

    Partner Customers Employees Support Readingstation s Example: Spin-off from an Enterprise © Trivadis – MS Azure Zürich User Group 23 System Care Service Desk
  24. Example: Spin-off from an Enterprise © Trivadis – MS Azure

    Zürich User Group 24 1. Prepare IaaS Environment 2. Deploy Services 3. Configure Connectivity 4. Establish security 5. Create Templates 6. Migrate Data 7. Deploy Test and Development environment based on Templates 8. Start Modernizing
  25. Example: Spin-off from an Enterprise 25 Microsoft Azure Germany SFTP

    Server Weblogic OFM Forms / Reports Job, Task Server SFTP client DB Server (Oracle DB) Subnet 1 Subnet 2 © Trivadis – MS Azure Zürich User Group
  26. Example: Spin-off from an Enterprise Microsoft Azure Germany SFTP Server

    Weblogic OFM Forms / Reports Job, Task Server SFTP client DB Server (Oracle DB) Storage Account File Storage File Storage File Storage Subnet 1 Subnet 2 © Trivadis – MS Azure Zürich User Group 26
  27. Example: Spin-off from an Enterprise Microsoft Azure Germany SFTP Server

    Weblogic OFM Forms / Reports Job, Task Server SFTP client DB Server (Oracle DB) Storage Account File Storage File Storage File Storage Subnet 1 Subnet 2 SFTP Client Reading Stations LOB System SFTP Server 1st Level Support Azure AD Azure AD Domain Services © Trivadis – MS Azure Zürich User Group 27 Azure WAF
  28. Example: Spin-off from an Enterprise 28 Microsoft Azure Germany Admin

    Terminal Admin Terminal SFTP Server Weblogic OFM Forms / Reports Job, Task Server SFTP client DB Server (Oracle DB) Storage Account File Storage File Storage File Storage Subnet 1 Subnet 3 Subnet 2 VPN Gateway SFTP Client Reading Stations LOB Systems Admins SFTP Server 1st Level Support VPN RDP Azure AD Azure AD Domain Services © Trivadis – MS Azure Zürich User Group Azure WAF
  29. On the way utilizing cloud with Trivadis ... © Trivadis

    – MS Azure Zürich User Group 29 ... comprehensive or just selective Consulting - Strategic - Technologic - solution-oriented Planning Implementati on Training Operation - Project - Development - Integration - SytemCare - SLA - Service & Support - Assessments - Cloud Readiness - Modernization - Solutions - Courses - Workshops - dedicated trainings
  30. Contact Florian van Keulen Principle Consultant, Cloud & Security [email protected]

    30 © Trivadis – MS Azure Zürich User Group