Tuesday, January 21, 2020

My top pros and cons of Azure IAAS

Azure, Microsoft’s public cloud computing platform, provides a wide range of cloud services, including compute, analytics, storage and networking. A lot has been written about Azure’s offerings, including IAAS, PAAS and SAAS solutions, and about how to pick and choose the offerings that suit your problem domain.
I initially considered posting this as a series of short tweets, but I also wanted to keep it as educational content for fellow developers and architects who use IAAS for similar scenarios. So this post is about my experience with a lift-and-shift scenario, where our focus was moving an on-prem customer solution to a hybrid cloud infrastructure. I have to say that with the wide range of tools and solutions from Azure, the move was not only effortless but also resulted in a much more advanced, secure and better infrastructure. But there are some obvious things that I missed during this migration phase.

Below are my top pros and cons of Azure IAAS

Updating the virtual machines that don’t have outgoing internet access is a pain.

For confidentiality and data integrity purposes we had to prevent incoming and outgoing internet access from our virtual networks. We achieved this by configuring network security groups (NSGs) and defining allow/deny rules for all incoming and outgoing traffic within the subnets. Microsoft provides something called service tags, which represent a group of IP address prefixes for a given Azure service. You can use these service tags to create exception rules in the NSGs. For example, you can block all incoming traffic to the VMs except traffic from Azure Storage or Key Vault.
It is a very good service from Microsoft: by using service tags you don’t have to track changes to the IP address ranges of Azure data centers or of any other Microsoft service.
The problem was with Windows updates on the VMs. With outgoing internet access blocked, our VMs could not contact Windows Update to download the critical updates and patches that needed to be applied. This creates a security issue, and there is no information on the internet or from Microsoft support on which IP addresses to whitelist to allow automatic updates. When Azure support was contacted about this issue, they pointed us to a planned feature that has been in progress since 2017.
Now you are left with 2 options: either create and configure a WSUS server on Azure, or use the new Update Management feature (which you have to pay for 😊).

Azure monitoring needs access to a storage account in South Central US, or else it will not receive heartbeats from your Virtual machines.

This again relates to the previous scenario, where we needed to block traffic to all external locations except West Europe to ensure that our data does not leave Europe. But there is a mysterious storage account created in our subscription, which even the subscription owner cannot see (we only became aware of this after contacting Microsoft support via our CSP), that must be reachable for the Health Service on the VMs to run properly. You need to explicitly allow access to the IP address of the domain “scadvisorcontent.blob.core.windows.net” for monitoring to work properly.
To date, neither Azure Support nor Microsoft has an answer about this suspicious storage account!!
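To make the NSG posture from these two sections concrete, here is an offline model of Azure’s outbound rule evaluation (lowest priority number wins, Azure’s default rules are appended last). It is an added example, not code from this post or from Azure; the VNet range 10.0.0.0/16, the placeholder 203.0.113.42 standing in for the resolved address of scadvisorcontent.blob.core.windows.net, and the stand-in Windows Update address 198.51.100.7 are all constructed assumptions.

```python
"""Offline model of NSG outbound rule evaluation (constructed example, not Azure's engine)."""
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")  # assumed address space of our virtual network

# Azure appends these default outbound rules to every NSG (priorities 65000-65500).
DEFAULT_OUTBOUND = [
    {"name": "AllowVnetOutBound", "priority": 65000, "access": "Allow", "dest": "VirtualNetwork"},
    {"name": "AllowInternetOutBound", "priority": 65001, "access": "Allow", "dest": "Internet"},
    {"name": "DenyAllOutBound", "priority": 65500, "access": "Deny", "dest": "*"},
]

# Hardened ruleset as described in the post: allow only the Storage and Key Vault service
# tags plus the resolved monitoring endpoint, and deny everything else bound for the internet.
# 203.0.113.42 is a placeholder for the resolved IP of scadvisorcontent.blob.core.windows.net;
# resolve it yourself and keep the rule current, since a resolved IP can change.
HARDENED_OUTBOUND = [
    {"name": "AllowStorage", "priority": 100, "access": "Allow", "dest": "Storage"},
    {"name": "AllowKeyVault", "priority": 110, "access": "Allow", "dest": "AzureKeyVault"},
    {"name": "AllowMonitorBlob", "priority": 120, "access": "Allow", "dest": "203.0.113.42/32"},
    {"name": "DenyInternet", "priority": 4000, "access": "Deny", "dest": "Internet"},
]

def _matches(prefix, destination):
    """destination is an IP address string or a service tag name. Tags other than
    VirtualNetwork and Internet are matched by name only (their ranges are not expanded
    offline), and Internet is simplified to 'any address outside the VNet'."""
    if prefix == "*" or prefix == destination:
        return True
    try:
        ip = ip_address(destination)
    except ValueError:
        return False                      # a tag that differs from the rule's tag
    if prefix == "VirtualNetwork":
        return ip in VNET
    if prefix == "Internet":
        return ip not in VNET
    try:
        return ip in ip_network(prefix, strict=False)
    except ValueError:
        return False                      # rule uses a tag we cannot expand to prefixes

def outbound_decision(custom_rules, destination):
    """Return (allowed, rule_name) from the first matching rule in priority order."""
    for rule in sorted(custom_rules + DEFAULT_OUTBOUND, key=lambda r: r["priority"]):
        if _matches(rule["dest"], destination):
            return rule["access"] == "Allow", rule["name"]
    return False, "none"

if __name__ == "__main__":
    for dest in ("Storage", "203.0.113.42", "198.51.100.7", "10.0.1.5"):
        print(dest, "default:", outbound_decision([], dest), "hardened:", outbound_decision(HARDENED_OUTBOUND, dest))
```

With no custom rules the stand-in Windows Update address is allowed by AllowInternetOutBound; with the hardened rules it is denied, which is exactly the patching problem this section describes.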

Virtual machines with only a private IP address that are in the backend pool of an internal load balancer cannot access the internet.

To summarize, if you want internet access from a virtual machine that has no public IP address and sits behind a Standard internal load balancer (ILB), the VM still has to be associated with a public IP somewhere. The dirty workaround is to create a dummy load balancer with a public IP address and put the VMs in the backend pool of that load balancer.

AzureDevOps does not have a service tag.

We use Azure DevOps extensively at work for planning, coding, building, testing and releasing software on all our environments, and I have to say that this is one of the best products from Microsoft. It is easy to customize, user friendly and has loads of features for all stages of your application development life cycle management.
Unfortunately, Azure still doesn’t provide a service tag for Azure DevOps services, and you have to go through the painful process of finding out the IP address ranges of these services and adding custom rules to the NSGs.
Not as bad as the update servers, though: Microsoft at least has some documentation on these IP addresses (https://docs.microsoft.com/en-us/azure/devops/organizations/security/allow-list-ip-url?view=azure-devops).

Azure monitoring is a great solution, but it can be improved.

Azure Monitor helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on. It’s an umbrella of services that gives you a way to collect, analyze, and act on all the telemetry from your cloud and on-premises environments. Even though it’s very easy to set up and configure compared to the other services, the visualizations and UI can be improved a lot. I do miss drill-down capabilities in the widgets and graphs added to the dashboard. You can get this working by using Power BI or workbooks in the dashboards, but that brings additional complexity into the service.

Now that we have seen the negatives, I’d like to end this post with the reasons why I’m choosing Azure for my next project as well.

Azure support is great.

They are just fantastic. Fast to respond, always willing to help, trying to find solutions, providing detailed and up-to-date documentation, free and practical learning paths, hands-on labs. Contact support anytime, and you’ll not be disappointed. I’ve noticed that the maximum response time on Twitter is 2 minutes for any query. That’s simply amazing. Kudos to the spirit and passion of @AzureSupport.

Security Center is a complete, well-polished platform.

Azure Security Center provides unified infrastructure security management that strengthens your security posture and provides advanced threat protection across your workloads running in Azure, on-premises, and in other clouds. It is an incredible tool to manage all aspects of security in the Azure Cloud. It’s very easy to create and configure policies, connect to the SIEM solution (Azure Sentinel) and protect your workloads from all kinds of attacks and vulnerabilities. You don’t need to be a security expert to configure your infrastructure effectively.
For a company’s CTO or CIO, the tool provides all the information and confidence you need from a security solution.

Simple, extensive and up-to-date documentation

The best documentation of any cloud service provider you can find on the internet. Do I need to say more 😊

1 comment:

Alfred Avina said...

The article is so appealing. You should read this article before choosing the Google Cloud Big Data Services you want to learn.