Azure, Microsoft’s public cloud computing platform, provides, as it promises, a wide range of cloud services including those for computing, analytics, storage and networking. A lot has been written about Azure's offerings, including IaaS, PaaS and SaaS solutions, and how to pick and choose the offerings that best suit your problem domain.
I initially considered tweeting this content as a series of small tweets, but I also wanted to keep it as educational or informative content for fellow developers and architects who will be using IaaS for similar scenarios. So this is about my experiences with a lift-and-shift scenario, where our focus was to move the on-prem customer solution to a hybrid cloud infrastructure. I have to say that with the wide range of tools and solutions from Azure, the move was not only effortless but also resulted in a much more advanced, secure and better infrastructure. But there are some obvious things that I missed during this migration phase.
Below are my top pros and cons of Azure IaaS.
Updating virtual machines that don’t have outgoing internet access is a pain.
For confidentiality and data integrity purposes we had to prevent incoming and outgoing internet access from our virtual networks. We achieved this by configuring network security groups (NSGs) and defining allow/deny rules for all incoming and outgoing traffic within the subnets. Microsoft provides something called service tags, each of which represents a group of IP address prefixes belonging to a given Azure service, for use in the virtual networks. You can make use of these service tags to create exception rules in the NSGs; for example, you can block all incoming traffic to the VMs except from the Azure Storage services or Key Vault.
It is a very good service from MS, and by making use of these service tags you don’t have to worry about changes in the IP addresses of the Azure data center or of any other services provided by Microsoft.
The problem was with Windows updates on the VMs. With outgoing internet blocked from the virtual machines, our VMs were not able to contact the update servers to download the critical updates/patches to be applied. This creates a security issue, and there is no information on the internet or from Microsoft support on the IP addresses to whitelist to allow automatic updates. When Azure support was contacted about this issue, they pointed us to a planned task to implement this feature, which has been in progress since 2017.
Now you are left with two options: either create and configure a WSUS server on Azure, or make use of the new Update Management feature (which you have to pay for 😊).
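As an added illustration (not code from this post or from Microsoft), the following Python models how an NSG decides an outbound flow under the rule set described above: first match in priority order wins, and Azure's built-in rules allow Internet unless you add an explicit deny. The service-tag prefixes, the sample addresses and the rule names are all constructed; the real rules would be created in the portal or with the CLI.

```python
"""Toy evaluator of Azure NSG outbound rules (added illustration, not Azure's code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Constructed sample prefixes (RFC 5737 test ranges) standing in for the ranges Azure
# expands a service tag to. The real lists change, which is exactly why tags beat raw IPs.
SERVICE_TAGS = {
    "Storage": ["192.0.2.0/24"],
    "AzureKeyVault": ["198.51.100.0/24"],
    "VirtualNetwork": ["10.0.0.0/8"],
}
@dataclass
class Rule:
    name: str
    priority: int               # lower number is evaluated first
    access: str                 # "Allow" or "Deny"
    dest: str                   # service tag or CIDR
    port: Optional[int] = None  # None means any destination port

# Azure's built-in outbound rules: note that Internet is ALLOWED by default (65001).
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Allow", "Internet"),
    Rule("DenyAllOutBound", 65500, "Deny", "0.0.0.0/0"),
]
def in_tag(dest: str, addr: ipaddress.IPv4Address) -> bool:
    if dest == "Internet":  # the Internet tag covers everything outside the VNet
        return not in_tag("VirtualNetwork", addr)
    return any(addr in ipaddress.ip_network(p) for p in SERVICE_TAGS.get(dest, [dest]))

def evaluate(custom: List[Rule], ip: str, port: int) -> Tuple[str, str]:
    """Return (access, rule name): the first matching rule in priority order decides."""
    addr = ipaddress.ip_address(ip)
    for r in sorted(custom + DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if in_tag(r.dest, addr) and (r.port is None or r.port == port):
            return r.access, r.name
    return "Deny", "implicit"

# The post's policy: only Storage and Key Vault over 443; everything else to Internet denied.
LOCKED_DOWN = [
    Rule("AllowStorage", 100, "Allow", "Storage", 443),
    Rule("AllowKeyVault", 110, "Allow", "AzureKeyVault", 443),
    Rule("DenyInternet", 4000, "Deny", "Internet"),
]

if __name__ == "__main__":
    # 203.0.113.10 is a constructed stand-in for an update server on the public internet.
    for ip, port in [("192.0.2.10", 443), ("203.0.113.10", 443), ("10.0.1.5", 3389)]:
        print(ip, port, evaluate(LOCKED_DOWN, ip, port), "| without deny:", evaluate([], ip, port))
```

Running it shows why storage traffic works while the update download is blocked, and that dropping the explicit deny rule silently reopens the whole internet through the default AllowInternetOutBound rule.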
Azure monitoring needs access to a storage account in South Central US, or else it will not receive heartbeats from your virtual machines.
This again relates to the previous scenario, where we needed to block traffic to all external locations except West Europe to ensure that our data does not leave Europe. But there is a mysterious storage account created in our subscription which even the subscription owner cannot see (we became aware of this only after contacting MS support via our CSP), and it needs to be reachable for the Health Service on the VMs to run properly. You need to explicitly allow access to the IP address of the domain “scadvisorcontent.blob.core.windows.net” for monitoring to work properly.
To date, neither Azure Support nor Microsoft has an answer about this suspicious storage account!!
Virtual machines with a private IP address that are in the backend pool of an internal load balancer cannot access the internet.
This one is by design, but a very annoying feature (https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections).
To summarize, if you want internet access from a virtual machine without a public IP address, you need to associate the VM that is behind a Standard ILB with a public IP. The dirty workaround is to create a dummy load balancer with a public IP address and put the VMs in the backend pool of this load balancer.
Azure DevOps does not have a service tag.
We use Azure DevOps extensively at work for planning, coding, building, testing and releasing software on all our environments, and I have to say that this is one of the best products from Microsoft. It is easy to customize, user friendly and has loads of features for all stages of your application development life cycle management.
Unfortunately, Azure still doesn’t provide a service tag for Azure DevOps services, and you have to go through the painful process of finding out the IP address ranges of these services and adding custom rules to the NSGs.
Not as bad as the update servers, though: Microsoft at least has some documentation on these IP addresses (https://docs.microsoft.com/en-us/azure/devops/organizations/security/allow-list-ip-url?view=azure-devops).
Azure monitoring is a great solution, but can be improved.
Azure Monitor helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on. It’s an umbrella of services that gives you a way to collect, analyze, and act on all the telemetry from your cloud and on-premises environments. Even though it’s very easy to set up and configure compared to the other services, the visualizations and UI can be improved a lot. I do miss drill-down capabilities in the widgets and graphs added to the dashboard. You can get this working by making use of Power BI or workbooks in the dashboards, but that brings additional complexity into the service.
Now that we have seen the negatives, I’d like to end this post with the reasons why I’m choosing Azure for my next project as well.
Azure support is great.
They are just fantastic: fast to respond, always willing to help, trying to find solutions, providing detailed and up-to-date documentation, free and practical learning paths, and hands-on labs. Contact support anytime, and you will not be disappointed. I’ve noticed that the maximum response time on Twitter for any query is 2 minutes. That’s simply amazing. Kudos to the spirit and passion of @AzureSupport.
Security Center is a complete, perfected platform.
Azure Security Center provides unified infrastructure security management that strengthens your security posture and provides advanced threat protection across your workloads running in Azure, on-premises, and in other clouds. It is an incredible tool to manage all aspects of security in the Azure Cloud. It’s very easy to create and configure policies, connect to the SIEM solution (Azure Sentinel) and protect your workloads from all kinds of attacks and vulnerabilities. You don’t need to be a security expert to effectively configure your infrastructure.
For the CTO/CIO of a company, the tool provides all the information and the trust that you need from a security solution.
Simple, extensive and up-to-date documentation
The best documentation of any cloud service provider that you can find on the internet. Do I need to say more 😊