Have You Considered a Hybrid Cloud Strategy?
It’s no surprise that the term ‘cloud’ is being thrown around more now than ever before. But with all the investment and comfort in their existing infrastructure, many organizations are hesitant to take the plunge, thinking that cloud is an ‘all or nothing’ approach. While there are certainly use cases for migrating entire infrastructure to a cloud platform, the reality is for the majority of businesses, picking everything up and moving it to the cloud is just not practical. This could be because you’re locked into leases or terms for on-premise (or datacenter hosted) equipment or lines, or the fact that a significant investment has been made on hardware. Whatever the case, many organizations are capitalizing on the ease of creating hybrid cloud environments.
According to Forbes:
- 93 percent of organizations surveyed are running applications or experimenting with infrastructure-as-a-service
- 82 percent of enterprises have a hybrid cloud strategy, up from 74 percent in 2014
In this article, we will cover some of the options available to extend your existing infrastructure (whether on-premise or colocated in a datacenter) to the Microsoft Azure cloud.
Leverage Azure Cloud for a Hybrid Environment
The Microsoft Azure offering can be used to extend your on-premise server infrastructure for backup and recovery, for failover when hardware fails, or simply to expand your domain in a way that makes it fast and easy to provision new virtual machines. Once connectivity has been established, the organization can begin taking advantage of resources in the cloud: provisioning new machines, migrating resources, setting up backup and recovery options, and otherwise treating the environment as an extension of the on-premise environment (no different than a remote site).
Methods of Extending an On-Premise Environment to the Cloud
Microsoft Azure offers two methods of providing permanent connectivity between sites: site-to-site VPN and ExpressRoute. Both methods extend the network as a WAN, meaning the cloud serves as another datacenter that is internally routable and has the safety of not being directly exposed to the Internet.
- ExpressRoute uses a dedicated, managed, end-to-end connection over a provider's MPLS network, meaning it is a controlled environment. There is a cost involved because the hardware is dedicated, staff manage and maintain the systems, and traffic does not traverse the public Internet. This can be thought of in the same way an organization leases a point-to-point connection between two of its sites or datacenters – in the same way, ExpressRoute provides a leased connection with a pre-determined bandwidth between an organization’s Azure environment and one of its sites.
- Site-to-site VPN uses the public Internet to connect the locations, as you would from your laptop to the office; the difference is that a site-to-site connection is persistent. The cost is lower, but there is more latency with this method, and there is no SLA in place to guarantee performance. The benefit of site-to-site VPN over ExpressRoute, for organizations just getting their feet wet with Azure, is the cost – it is significantly cheaper to establish a site-to-site VPN, and as the need for dedicated bandwidth grows, an organization can migrate to ExpressRoute.
Azure supports dual connections, meaning it can use both methods at the same time. With ExpressRoute as the primary connection, if that connection is broken or lost, an automatic failover to the VPN occurs, utilizing the already in-place WAN connections.
What About Active Directory and Authentication
The terminology of Azure can be confusing because there is Azure Active Directory (SaaS), Active Directory hosted in Azure (IaaS), and Active Directory Federation Services (AD FS), which is covered in greater detail later in this article.
Azure provides two service offerings for Active Directory:
- Azure Active Directory is how Microsoft provides authentication for its hosted services, such as Office 365, SharePoint, OneDrive, etc. The service is managed by the subscriber through the Azure portal web interface and is not exposed as a server you manage. This offering is only available in Azure, so organizations that are new to the Azure service may not be familiar with it. Think of Azure Active Directory as a Software as a Service (SaaS) offering.
- Active Directory hosted in Azure is a domain controller hosted as a virtual machine, managed by the subscriber just as you would manage an additional domain controller in your existing domain. When the Azure cloud is connected as an extension of the network, the same best-practice rule applies: put a domain controller in the same location as the servers. This method utilizes the Infrastructure as a Service (IaaS) aspect of Azure and is what most IT departments are familiar with. Utilizing this method is no different than creating a new domain controller, where you have full functionality and access to the operating system, patches, and so forth.
Extending Local Active Directory to Azure
Now that you have your Azure environment set up and have configured Azure Active Directory, you need to determine how you want your users to authenticate as they access services within Azure or Office 365.
- Active Directory Federation Services (AD FS) is a server role installed on an on-premise Windows server that allows authentication to happen over the Internet in a secure way. It provides a link between on-premise Active Directory and the Microsoft hosted services that would otherwise rely on Azure Active Directory alone, so that single sign-on is achieved. The locally-connected AD FS servers actually perform the authentication, so they must be available at all times. The benefit of this method is a seamless experience for the users: although a user may be accessing a service hosted off-site (such as Office 365), their currently logged-in credentials will carry over, and they will not have to re-enter them to connect to any of the services. AD FS provides single sign-on (SSO) and the most seamless user experience.
- Azure AD Connect (formerly DirSync) is a tool used to replicate the local domain users into Azure Active Directory, so that services like Office 365 can be used without maintaining a separate set of usernames and passwords. The advantage of this method is the lower risk of interruption if there is a connection problem, because Azure will continue to authenticate users of hosted services using the most recently synchronized credentials. The disadvantage is that users will still need to sign in when accessing services that use Azure Active Directory (such as Office 365): the credentials they use will be the same as their on-premise credentials, but they will need to re-enter them. While this is not as seamless as AD FS, it is a much simpler method to set up, requires no certificates, and is generally a good first step.
Merging Azure Active Directory and Local Active Directory
Some companies have jumped into the Office 365 service offering and later find they are maintaining two sets of users and passwords: the local domain and Azure AD.
The two can be merged, but it must be done carefully to avoid duplicating the Azure AD users. As soon as the sync is turned on, any on-premise user that cannot be matched to an existing Azure AD user by a unique ID is created as a new user in Azure.
Rand Group can help with the process of preparing the environment to connect local AD and merging those with existing users, but keep in mind the following points:
- What subset of users should be synchronized? Probably only active AD users from a certain organizational unit, excluding service accounts. Without filters, the entire user base will be created in Azure AD!
- Should passwords be synchronized as well? That may seem like an obvious “yes”, but keep in mind that a password change in the local AD is not reflected in Azure immediately. The larger the user base, the more carefully the password sync process should be planned to keep help desk calls to a minimum.
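The two points above (which users to put in scope, and which on-premise users will match an existing Azure AD user rather than be created as a duplicate) can be checked before the sync is ever switched on. The following PowerShell is an added example written for this article, not Rand Group's tooling or Microsoft's. It assumes a naming convention in which service accounts start with `svc-` or `sa-`, it approximates the Azure AD Connect soft-match on UserPrincipalName (the real tool also matches on the primary SMTP address and, once set, the immutable source anchor), and it uses constructed sample data in place of `Get-ADUser` output and an export of existing cloud users. The `$verifiedDomains` list stands in for the tenant's verified domains: a user whose UPN suffix is not verified gets a rewritten `onmicrosoft.com` UPN during sync and will not match, which is a common cause of duplicates.

```powershell
# Pre-flight report for Azure AD Connect scope and matching (added example, not from the article).
# Live query alternative (requires the RSAT ActiveDirectory module):
#   $onPremUsers = Get-ADUser -Filter * -SearchBase 'OU=Staff,DC=example,DC=com'

function Test-IsServiceAccount {
    param([string]$SamAccountName, [string[]]$ExcludePrefixes)
    foreach ($prefix in $ExcludePrefixes) {
        if ($SamAccountName.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SyncCandidate {
    # Returns only enabled users under $SearchBase that do not look like service accounts.
    param(
        [Parameter(Mandatory)][object[]]$Users,
        [Parameter(Mandatory)][string]$SearchBase,
        [string[]]$ExcludePrefixes = @('svc-', 'sa-')   # assumed naming convention
    )
    foreach ($u in $Users) {
        if (-not $u.Enabled) { continue }
        if (-not $u.DistinguishedName.EndsWith(",$SearchBase", [System.StringComparison]::OrdinalIgnoreCase)) { continue }
        if (Test-IsServiceAccount -SamAccountName $u.SamAccountName -ExcludePrefixes $ExcludePrefixes) { continue }
        $u
    }
}

function Get-MatchReport {
    # Predicts what the first sync would do with each in-scope user.
    param(
        [Parameter(Mandatory)][object[]]$Candidates,
        [Parameter(Mandatory)][string[]]$CloudUpns,
        [Parameter(Mandatory)][string[]]$VerifiedDomains
    )
    $cloud = @{}
    foreach ($upn in $CloudUpns) { $cloud[$upn.ToLowerInvariant()] = $true }
    foreach ($c in $Candidates) {
        $upn    = $c.UserPrincipalName.ToLowerInvariant()
        $suffix = $upn.Split('@')[-1]
        $action = if ($VerifiedDomains -notcontains $suffix) { 'UpnSuffixNotVerified' }
                  elseif ($cloud.ContainsKey($upn))          { 'MatchExisting' }
                  else                                       { 'CreateNew' }
        [pscustomobject]@{ UserPrincipalName = $c.UserPrincipalName; Action = $action }
    }
}

# Constructed sample data: on-premise users, existing cloud UPNs and verified tenant domains.
$onPremUsers = @(
    [pscustomobject]@{ SamAccountName='jdoe';       UserPrincipalName='jdoe@example.com';       Enabled=$true;  DistinguishedName='CN=Jane Doe,OU=Staff,DC=example,DC=com' }
    [pscustomobject]@{ SamAccountName='bsmith';     UserPrincipalName='bsmith@example.com';     Enabled=$true;  DistinguishedName='CN=Bob Smith,OU=Staff,DC=example,DC=com' }
    [pscustomobject]@{ SamAccountName='oldtemp';    UserPrincipalName='oldtemp@example.com';    Enabled=$false; DistinguishedName='CN=Old Temp,OU=Staff,DC=example,DC=com' }
    [pscustomobject]@{ SamAccountName='svc-backup'; UserPrincipalName='svc-backup@example.com'; Enabled=$true;  DistinguishedName='CN=svc-backup,OU=Staff,DC=example,DC=com' }
    [pscustomobject]@{ SamAccountName='ctest';      UserPrincipalName='ctest@example.com';      Enabled=$true;  DistinguishedName='CN=C Test,OU=Contractors,DC=example,DC=com' }
    [pscustomobject]@{ SamAccountName='rlee';       UserPrincipalName='rlee@corp.local';        Enabled=$true;  DistinguishedName='CN=R Lee,OU=Staff,DC=example,DC=com' }
)
$cloudUpns       = @('jdoe@example.com', 'admin@example.onmicrosoft.com')
$verifiedDomains = @('example.com', 'example.onmicrosoft.com')

$candidates = Get-SyncCandidate -Users $onPremUsers -SearchBase 'OU=Staff,DC=example,DC=com'
Get-MatchReport -Candidates $candidates -CloudUpns $cloudUpns -VerifiedDomains $verifiedDomains | Format-Table -AutoSize
```

Running this against the sample data drops the disabled account, the `svc-` account and the user outside the Staff OU from scope, and for the rest reports whether the sync would attach to the existing cloud user, create a new one, or fail to match because of an unverified UPN suffix. Any `UpnSuffixNotVerified` rows should be resolved (verify the domain in the tenant or change the on-premise UPN) before enabling sync; the OU and attribute filters themselves are then configured in the Azure AD Connect wizard, and this report is simply the check that those filters cover what you expect.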
Set Up Your Hybrid Cloud
Setting up a cloud environment is not something that needs to be feared or approached with excessive caution. A good way to get your staff and end-users comfortable with the cloud is to take the hybrid approach. They can start using functionality in the cloud and begin to appreciate the performance, the flexibility, and the other benefits of leveraging the Microsoft cloud.
Rand Group’s Cloud Infrastructure team specializes in helping organizations understand how they can utilize the cloud by examining their current infrastructure and processes and making recommendations. We’re ready to help you start moving towards the cloud – contact us today.
– Software Delivered as Promised. No Surprises.