Design a disaster recovery strategy

Microsoft and Azure services which can be used as part of a DR strategy include:

  • Azure Backup – scalable, off-site, encrypted backup service
    • Create a recovery vault, specify the Azure region
    • Download vault credentials
    • Download agent
    • Install agent
    • Upload vault credentials
    • Launch backup
    • Configure backup properties
    • Schedule backup
  • StorSimple – hybrid storage appliance with tiered disk storage (SSD, SATA) and Azure storage.
    • Uses de-duplication and compression techniques
    • Use for backup and DR in addition to production storage
    • Data encrypted in flight and at rest, store encryption keys on-premise
    • Storage presented using iSCSI
    • 2 physical appliances available and a virtual appliance
  • Data Protection Manager – Microsoft’s enterprise backup and recovery solution which supports Bare Metal Restore (BMR) and file level recovery.
    • Integrates with Azure by registering with the associated Azure Backup Vault
    • Use tape, local disk storage or Azure
    • Supports workloads including server, client, SQL Server, SharePoint, Hyper-V, VM, Exchange

StorSimple is the optimal solution for high performance storage and support of low RTO and RPO requirements. Azure Backup is a cost-effective, simple solution for providing block level backup and and file level restore with a supported agent. Data Protection Manager can be integrated with Azure Backup and provides additional capabilities for protecting and recovering Microsoft workloads.

Design a monitoring strategy

Operations Manager is the primary monitoring component within System Center which integrates with other Azure services. On-premise SCOM deployments can integrate with Azure through deployment of the Azure Management Pack for Operations Manager.

The ideal configuration, particularly when a larger number of systems are deployed on Azure is to deploy a SCOM Gateway server. Systems can be configured as proxy agents to monitor other systems which are not directly accessible. TCP port 5723 is used for monitoring traffic.

By uploading the SCOM server Public Key to Azure Storage it is possibly to collect data from the Azure Monitor and Diagnostic Service (Windows, Azure, App Sources, Counters, Events, Logs, Dumps).

Azure build in monitoring capabilities include:

  • Default metrics (CPU usage, disk read / write, network in / out)
  • Web apps metrics (CPU time, data in / out, HTTP server errors, requests)
  • Application diagnostics and logging:
    • Application Logging (File System) – access from FTP share for web app
    • Application Logging (Table Storage) – access from specified field table
    • Application Logging (Blob Storage) – access from blob container

Configure application logging, certificate authentication and verbose logging for additional logging and statistics.

3rd party tools are also available often through the marketplace:

Global Service Monitor is an Azure cloud service which works with SCOM to monitors web applications from an end-user perspective and can help identify issues with DNS, network connectivity, etc.

Application Insights provides deep insight into your applications running on a VM or web role and integrates with SCOM to provide a single consolidated view.

When designing application resiliency consider the use of:

  • Availability Sets to split instances across Fault and Update Domains
  • 2 Fault Domains exist in Azure
  • Up to 20 Update (or Upgrade) Domains can be used but only 5 are by default
  • Use Virtual IP (VIP) Swap to test application upgrades

Design a data access strategy for hybrid applications

Service Bus Relay is an Azure service which facilitates hybrid applications by enabling secure connectivity between services hosted on Azure and Windows Communication Foundation (WCF) services hosted on premise. The Service Bus can listen for incoming external connections and provide granular security controls for access to services.

Hybrid Connections is a feature of Azure App Service BizTalk API Apps to make connections from Azure Web Apps and Mobile Services to on premise resources using static TCP ports (e.g. SQL, MySQL & web services). This service can be used to facilitate staged migrations to Azure by maintaining hybrid connectivity. Hybrid Connection Manager must be installed on premise by navigating to the BizTalk API Apps service in the Azure portal .

Azure Web Apps may be integrated with Azure Virtual Networks to provide access to the resources on the network and also connected resources on premise. VPN connections to other networks are limited to 6 on premise networks and 4 additional virtual networks for a maximum of 10 connections (Basic & Standard). High Performance VPN Gateways allow up to 30 connections.

Both Virtual Machines and Cloud Services can be joined to a domain. For Virtual Machines this can be done manually on the server or through PowerShell scripts. For Cloud Services PowerShell scripts can be configured as a Startup Task or it is also possible to add code to the RoleEntryPoint of the Cloud Service however this requires the Cloud Service to be run in elevated mode rather which is a less secure option.

 

Design a role-based access control strategy

Role Based Access Control (RBAC) allows management of access to resources at scale.

  • Groups allow access rights to be defined for a set of users
  • Roles define a set of permissions to be assigned to a User or Group
  • RBAC and claims work well with identity providers providing role claims to relying parties to verify role assignments of the user
  • Multifactor authentication i.e. something you are, you know or you have combined

Azure supports 3 tiers of access rights assignment:

  • Subscription
  • Resource Group
  • Resource

There are 3 built-in roles that can be assigned, in addition to more complex roles assignments:

  • Owner – full control (assigned to subscription admins and co-admins)
  • Contributor – all operations excluding access management
  • Reader – can view resources only

External users, e.g. a user in another Azure AD can also be granted access rights to resources where required.

Self-service password reset is available with Azure AD Basic and Premium and supports the following options.

  • Users Enabled For Password Reset
  • Restrict Access To Password Reset (only permitted for a group of users)
  • Authentication Methods Available To Users (challenges permitted for reset)
  • Number of Authentication Methods Required (1 or 2)

Self-service group management, available in Azure AD Premium, allows users to manage group membership and request to join groups.

The Azure AD Access Panel provides a web portal for users to access SaaS applications configured by an AD administrator. Federation and SSO support simplified user access. Login credentials can be configured to allow users access to applications without sharing said credentials. This allows user access rights to be easily assigned and revoked without worrying about credentials being compromised.

Cloud App Discovery tracks usage of SaaS services by collecting data via an agent deployed to enterprise devices.

The Azure AD Registration Service allows personal devices to use Workplace Join to join an Azure AD domain and access resources.

Azure AD provides audit reports showing activity including user and group role assignment changes and password resets.