1. The document describes the journey of a historical French transportation company moving parts of its IT infrastructure and workloads to the cloud with Microsoft Azure.
2. Key challenges included modernizing the company's culture and processes to be more agile and innovative while maintaining security, as well as gaining approval from the larger corporate group.
3. An Azure team was established within the company to manage cloud projects and provide services like infrastructure setup, governance, and acting as an intermediary for other Azure services. This helped drive more cloud adoption over time.
Onboarding a Historical Company on the Cloud Journey (IT Camp 2018)
1. @ITCAMPRO #ITCAMP18 Community Conference for IT Professionals
Onboarding a Historical Company
on the Cloud Journey
Marius Zaharia
Cloud Technical Manager, Cellenza (FR)
@lecampusazure
3. This is the story of a journey.
The journey of a long run voyager.
It started a few hours ago* and it's still running.
The view is… cloudy, but so interesting.
Away, the horizon line looks bright and sunny.
I was there, accompanying the voyager on its way.
I am here, telling you the story.
* on the technological eve scale
6. Marius Zaharia
http://blog.lecampusazure.net
@LeCampusAzure
marius.zaharia@cellenza.com
At the start of cloud computing, at the end of the first decade, Marius Zaharia - currently Cloud Technical Manager at Cellenza - saw the enormous potential of this technology, especially that of Microsoft Azure.
Since then, his focus has been on setting up cloud architectures and their corporate governance.
Marius has gained both professional developer and infrastructure engineer experience, which allows him to have a complementary approach and broad coverage of project needs.
Passionate about the cloud, he is also an active contributor to the Azure User Group France community, organizer of community events and speaker at local and international conferences.
8. The Story of a Customer
• Our Customer: a strategic actor in the public transportation sector in France
• A long-established public company in France
• Large national coverage
– At the root of most of the transportation networks in France
• Now part of a consolidated group of companies (hereafter called The Group)
9. The Customer's IT System
• The Customer's IT system
– Large number of business and technical applications
– Includes many professions, mostly IT-oriented
– Outsources different tasks
• managed services, operations, production, expertise, or consulting
• Some services of the organization:
– Engineering Operations and Service (EOS)
• Technical Architecture (TA)
• Networking (NE)
– The Innovation Pole (IP)
– Information Security Service (ISS)
– Production Service Center
– Build Delivery Center…
10. The Customer's Infrastructure
• Owns a number of data centers
– Two main regions (Lyon, Lille)
• The Customer's and the Group's infrastructure networks were interconnected
– However, various elements of the infrastructure differ
– There are also differences in governance and procedures
• Very important security concerns and restrictions
12. The Challenge
• The Customer needs to encourage and accelerate the pace of innovation through experiments
• Projects need to deploy on the IT infrastructure in a timely manner
• The current internal (IS) and Group organization and culture are not « agile » enough for:
– More and more innovation coming
– Time to market and cost-effective delivery
14. When the Cloud Comes into the Picture
• Looking closely at the advances of the main actors in the public Cloud: Microsoft Azure, Amazon AWS
– It seems that the Cloud may be the gate
• « Let's try and see how it works and how it could help us »
• Key factors:
– Onboard the Information Security Service (ISS) team from the very beginning
– Openness of the CIO
16. Opening Azure
• Azure subscription contracted
– At the Group level
• Used first by the ISS team (fall 2016)
• Several basic deployments were made, and a site-to-site VPN connection was attempted
• The first learnings:
– some projects interconnected with the IS
– others separated/isolated from it
• Then the advancements and works slowed down
• Also, the VPN was malfunctioning
Note: the Group also moved to Azure. An ExpressRoute connection was set up at that level.
17. New Challenges
• How to fix the VPN first?
• How to organize and classify projects and environments?
• How to protect our IS while being open to experiment?
• How to scale up the work in the Cloud?
18. Moving to a Real Team
• The EOS engaged to initiate a dedicated Azure team
• Team directly attached to the chief of Technical Architecture
• The Azure Team will be the « armed arm » of the Innovation Pole
• 2 people, Azure experts, with knowledge in infrastructure, networking, security, and governance
• Not an easy task, but people were found (at Cellenza)
19. The First Real Works
• First things first: the VPN was fixed
– Dead Peer Detection set at 10s in the local Juniper appliance
• Second thing: « security hole » detected (and solved)
– Forced tunneling setup missing in the configuration
• Results:
– The team gains the Customer's confidence
– The Networking team is also very cooperative
Azure VPN Gateway
20. New Challenge (and Solution)
• The Customer envisions moving on in the Cloud and eventually targeting production workloads
• Blocker: the Group strategy is not yet in phase with the Customer's regarding the Cloud
– The Group warns about production responsibility in the cloud
• Result: agreement on an « experiment oriented » scope for the Customer's Cloud works
21. New Challenge (and Solution)
• VNET with VPN: all traffic in Azure now has to be monitored and configured in local appliances
– The current process of configuring the rules for projects takes days or weeks
• Solution: a set of 2 Network Virtual Appliances (Palo Alto) was configured and implemented in Azure
– Routing, detecting and filtering traffic
– Configuration of the rules directly implemented by the Azure team jointly with the ISS
22. More and More Steps
• A first draft of governance and management rules is defined
• The team is now ready to receive projects
• First internal communication (limited at this stage)
• First projects come quickly
• The interest in the team's services increases rapidly
• The team is reinforced on the engineering and project management sides
• …
24. Results: A Platform for Innovation
• Experimentations
– Appliances
– DB on PaaS
– Containers
– File Sharing
– …
• Projects deployed and run
• A technological advancement
– Driving IT innovation
– Positioning within the Group
25. Projects Typology and Requirements
1. VM hosting (a lot)
2. Simple projects (less)
– Azure infrastructure
– Software installation
3. Complex projects (a few)
– Azure infrastructure
– Software installation
– App deployment and configuration
• OS:
– Windows (WS 2012 R2)
– Linux (Ubuntu)
– Containers (Ubuntu)
• Platforms: ASP.NET, Java, SQL Server, PostgreSQL, PHP, MySQL, …
• Apps & software: Tomcat, WordPress, Jupyter, HDInsight, Kubernetes, CKAN, nginx, Traefik, Faveod, …
26. Our « Service Catalog »
• Core services
– VMs (in mutualized infrastructure)
– Environment setup (VMs / software / networking / routing / …)
– Provisioning / Build / Deployment
– Governance: Backup, Log Analytics
• Other services
– DNS configuration in our DNS zone
– SSL offloading (HTTPS to HTTP)
– « Consulting »: application architecture
• Intermediation for « third party » services
– Certificate requests
28. Platform Overview
Zones
1. Intranet
– for applications that need to connect with the core IT system
– Azure outbound to the Internet controlled and opened on a case-by-case basis
2. Internet
– for applications not connected with the core IT system
– for data with a low classification level
Connectivity, networking, security
• Intranet
– Main VNET interconnected with the core IT system via IPsec VPN
– 1 mutualized subnet (for single VMs)
– VNETs peered with the main VNET
– All secured by 2 Palo Alto NVAs
• Internet
– Isolated environments
– VNETs dedicated to each project
– Each VNET/subnet secured by an NSG
– To manage VMs in the Internet zone: jump VMs in Intranet, then RDP/SSH
29. Intranet Zone Infrastructure
[Diagram: Azure side, VNET_POC_Intranet: VPN gateway VNG_POC_Intranet in SNET GW, IPsec tunnel to the on-premises Juniper VPN gateway; NVA Trust interface in SNET Trust (optional Intranet management IP) and NVA Untrust interface in SNET Internet (optional Internet management IP); SNET PoC Intranet hosting project A behind an NSG, with a UDR sending the default route to the NVA; SNET Mgmt; intermediate subnet with CyberArk; jump-host subnet (SNET rebond) with the Azure jump VM behind an NSG. On-premises side: internal services, Azure management, users. NVA = Network Virtual Appliance (Azure Marketplace). VNET / subnet IP range planning: extremely important.]
30. Intranet Zone: from on-premises to project
[Same diagram as slide 29, showing the path from on-premises to project A.]
31. Intranet Zone: from project to on-premises
[Same diagram as slide 29, showing the path from project A to on-premises.]
32. Intranet Zone: from project to Azure & OUT
[Same diagram as slide 29, showing the path from project A to Azure and out to the Internet.]
33. Intranet Zone: managing NVAs
[Same diagram as slide 29, showing the management access to the NVAs.]
34. Intranet Zone: Peering for large projects
[Same diagram as slide 29 plus a second VNET, VNET_POC_B, with subnet SNET PoC2 hosting project B, connected to VNET_POC_Intranet by VNET peering and carrying a UDR to the Intranet NVA. Strong impact on routing configuration.]
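Slide 29 stresses that VNET / subnet IP range planning is extremely important, and slide 34 that peering has a strong impact on routing. As an added example (not from the original deck or the customer's tooling), this Python script checks a constructed address plan for the hub-and-spoke layout above: every subnet inside its VNET, no overlap between subnets, between peered VNETs, or with the on-premises ranges reached over the VPN, and no subnet below Azure's /29 minimum. All addresses and subnet names are constructed.

```python
"""Sanity checks for the VNET / subnet IP range plan of a hub-and-spoke
layout (hub VNET_POC_Intranet reached over IPsec VPN, project VNETs peered
to it). Added example, not code from the original deck; every address
below is constructed for illustration."""
import ipaddress
from typing import Dict, List

IPNet = ipaddress.IPv4Network

# Constructed plan: on-premises ranges reachable through the VPN, the hub
# VNET with its subnets, and a peered project VNET (VNET_POC_B).
ON_PREMISES: List[str] = ["10.0.0.0/8"]
VNETS: Dict[str, dict] = {
    "VNET_POC_Intranet": {
        "address_space": ["172.16.0.0/20"],
        "subnets": {
            "GatewaySubnet": "172.16.0.0/27",
            "SNET_Trust": "172.16.1.0/27",
            "SNET_Internet": "172.16.1.32/27",
            "SNET_PoC_Intranet": "172.16.2.0/24",
            "SNET_Mgmt": "172.16.3.0/28",
            "SNET_Rebond": "172.16.3.16/28",
        },
        "peers": ["VNET_POC_B"],
    },
    "VNET_POC_B": {
        "address_space": ["172.16.16.0/22"],
        "subnets": {"SNET_PoC2": "172.16.16.0/24"},
        "peers": ["VNET_POC_Intranet"],
    },
}


def check_plan(vnets=VNETS, on_prem=ON_PREMISES) -> List[str]:
    """Return a sorted list of findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    spaces = {n: [IPNet(s) for s in v["address_space"]] for n, v in vnets.items()}
    onprem = [IPNet(p) for p in on_prem]
    for name, vnet in vnets.items():
        subs = {sn: IPNet(c) for sn, c in vnet["subnets"].items()}
        for sn, net in subs.items():
            # Each subnet must sit inside its VNET address space.
            if not any(net.subnet_of(sp) for sp in spaces[name]):
                findings.append(f"{name}/{sn} {net} outside VNET address space")
            # Azure reserves 5 addresses per subnet, so /29 is the smallest usable size.
            if net.prefixlen > 29:
                findings.append(f"{name}/{sn} {net} smaller than /29")
        names = sorted(subs)
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if subs[a].overlaps(subs[b]):
                    findings.append(f"{name}: {a} overlaps {b}")
        # A VNET reached over the VPN must not collide with on-premises ranges.
        for sp in spaces[name]:
            for p in onprem:
                if sp.overlaps(p):
                    findings.append(f"{name} {sp} overlaps on-premises {p}")
        # Peering is refused (and routing breaks) when address spaces overlap.
        for peer in vnet.get("peers", []):
            for sp in spaces[name]:
                for pp in spaces[peer]:
                    if sp.overlaps(pp):
                        findings.append(f"{name} {sp} overlaps peer {peer} {pp}")
    return sorted(set(findings))


if __name__ == "__main__":
    for line in check_plan() or ["plan is consistent"]:
        print(line)
```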
35. Identity and Access Management
• At origin: multiple, inconsistent IAMs for applications within the Group
– However, client infrastructure is mostly Windows domain based (Active Directory)
• Office 365 induced the necessary changes
• Domain at the Group level
• AD is synced to an Azure Active Directory tenant
– Used today for all Azure subscriptions
– But AAD is not used for application authentication
37. Azure Services Used
• Azure Resource Manager
• Azure VMs
– several sizes used intensively (D_v2)
• Networking: VNET, Network Security Groups, User Defined Routes
– Intranet zone: all default routing overridden
• Containers: Azure Container Service, Azure Container Registry
– 1 Kubernetes cluster for a big project
• Network Virtual Appliances: Palo Alto (PAYG licence)
• Azure AD
– directory synchronized at the Group level
• Azure Backup
• Log Analytics
• App Service Domains
• Azure DNS
• Azure Automation
• PaaS: SQL Database, PostgreSQL, MySQL
• Currently experimenting:
– Azure File Share, Azure File Sync
– App Service Environment
• Other: Packer, for OS imaging
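The « security hole » of slide 19 was a missing forced-tunneling setup, and the Intranet zone relies on all default routing being overridden towards the NVA. As an added example that is not part of the original deck, this Python check walks a constructed subnet export and flags project subnets whose 0.0.0.0/0 route does not point at the NVA as a virtual appliance, or which have no NSG attached; the NVA address and the export layout are assumptions.

```python
"""Posture check for the Intranet zone: every project subnet must carry a
UDR that sends 0.0.0.0/0 to the NVA (forced tunneling, so no VM reaches the
Internet directly) and must have an NSG attached. Added example, not code
from the original deck; the export below is constructed and the NVA address
is an assumption."""
from typing import Dict, List

NVA_TRUST_IP = "172.16.1.4"  # assumed private IP of the Palo Alto Trust interface

# Constructed subnet export: GatewaySubnet and the NVA's own subnet are exempt,
# project subnets are expected to be fully routed through the NVA.
SUBNETS: List[dict] = [
    {"name": "GatewaySubnet", "routes": [], "nsg": None, "exempt": True},
    {"name": "SNET_Trust", "routes": [], "nsg": "nsg-trust", "exempt": True},
    {"name": "SNET_PoC_Intranet", "nsg": "nsg-poc",
     "routes": [{"prefix": "0.0.0.0/0", "next_hop": "VirtualAppliance",
                 "next_hop_ip": NVA_TRUST_IP}]},
    # Missing UDR: traffic would leave through Azure's default Internet route.
    {"name": "SNET_PoC2", "nsg": "nsg-poc2", "routes": []},
    # UDR present but pointing at the Internet instead of the NVA, and no NSG.
    {"name": "SNET_Mgmt", "nsg": None,
     "routes": [{"prefix": "0.0.0.0/0", "next_hop": "Internet", "next_hop_ip": None}]},
]


def forced_through_nva(routes: List[dict], nva_ip: str) -> bool:
    """True when a 0.0.0.0/0 route sends traffic to the NVA as a virtual appliance."""
    return any(
        r["prefix"] == "0.0.0.0/0"
        and r["next_hop"] == "VirtualAppliance"
        and r.get("next_hop_ip") == nva_ip
        for r in routes
    )


def audit(subnets=SUBNETS, nva_ip=NVA_TRUST_IP) -> Dict[str, List[str]]:
    """Map each non-exempt subnet name to its findings (empty list = compliant)."""
    report: Dict[str, List[str]] = {}
    for s in subnets:
        if s.get("exempt"):
            continue
        issues = []
        if not forced_through_nva(s["routes"], nva_ip):
            issues.append("default route not forced through NVA")
        if not s.get("nsg"):
            issues.append("no NSG attached")
        report[s["name"]] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit().items():
        print(name, "OK" if not issues else "; ".join(issues))
```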
38. From IaaS to PaaS
From the comprehension of IaaS to the productivity of PaaS
• IaaS was best understood at the beginning
• Simple PaaS models were accepted pretty rapidly
– SQL Database, PostgreSQL, MySQL had the fastest adoption
• More advanced models were provided in a transparent way
– Ex. delivering SSL offloading via Application Gateway
39. Securing PostgreSQL – Intranet Zone
[Diagram: in VNET_POC_INTRANET, a front-end VM in the project subnet connects with a user/password connection string to the database MABDD on https://[monsrv].postgres.database.azure.com; a UDR sends the traffic to the Palo Alto Trust interface, it leaves through the Palo Alto Untrust interface with public IP 12.34.56.78 (outbound rule: destination Azure public IPs, port 5432), and the PostgreSQL server firewall filters on IP 12.34.56.78.]
40. Securing SQL Database – Intranet Zone
[Diagram: in VNET_POC_INTRANET, a front-end VM connects with a user/password connection string to the database MABDD on https://[monsrv].database.windows.net through a VNET service endpoint for SQL; the server's VNET filter allows VNET_POC_INTRANET; the UDR and Palo Alto Trust/Untrust path carries an outbound rule for Azure public IPs, port 1433. BUG detected! Mixed VNET service endpoint config not allowed.]
43. Governance
• Platform evolution
– Updates, patches
– Complementary services
– New services added
• Tooling usage
– VSTS
• Work, Build, Release
– Planner
• Dashboard
– O365 Group
– SharePoint
– Excel
• DevOps
– Used internally for our own processes
44. Governance: Project Onboarding and Management
• Prerequisites
– security pre-qualification (data classification, flows, …)
– technical architecture document (DAT) required for complex projects
• Process
– Onboarding
• gather requirements
• elaboration
• « official response »
– Implementation
• per segment: provision, configure, build, deploy, request third party services, aggregate response
• delivery
• Lifecycle monitoring
• Deprovisioning
Project Onboarding Process
45. Agility
• « Scrum » methodology, adapted
• Tooling: VSTS
• 2-week sprints
• Epics = Projects
• Product backlog items = Requirements
• Tasks
Scrum management in Visual Studio Team Services
46. Team Organization
• Team « EXPerimenting Projects on Azure » (EXP Azure)
• Team formed of:
– 1 Team Lead / Azure Expert
– 1 Project Manager (infrastructure integrator)
– 1 Infrastructure Architect / Azure Expert
– 1 System Engineer
– 1 Ops Engineer (« experimental »)
• Associated:
– 1 Security Expert from ISS
47. Industrialization
• ARM templates
– adapt then reuse quick start templates
– use of the linked templates working model
– standardize and reuse linked templates among projects
• Packer
– standardize OS images
• CI/CD with VSTS
– Build of OS or container images
– Deployment of containers
Packer JSON example, as stored in VSTS
49. Moving to a New, Larger Team and Scope
• A new team structure is built on top
– Will include roles:
• Service Catalog Owner
• Cloud Operations Engineer
• Cloud QA Lead
– Will expand the workforce on existing roles:
• System Engineer(s)
• Cloud Architect
• More integration with existing IT services (build, production)
• More responsibilities
• More projects onboarded
• More production oriented
• Richer Cloud offering
• More services delivered
• Identity and Authentication
• More PaaS, Serverless, …
50. Synergy with the Group
• The synergy with the Group will be essential and strategic
– Azure production workloads to be pushed to the Group
– Keep responsibility for and autonomy over experiments
• Integrate with the ExpressRoute infrastructure
– Deploy projects with faster interaction with the core IT system
• Share more of our knowledge
– Our technological advance may influence decisions and choices at the Group level
51. Diffusion: Culture of Cloud and Agility
• The results of the EXP Azure team are progressively diffused in the organization
• The DevOps and automation practices applied internally are also propagated
• The Agile process shows other teams a much faster delivery process
• The other teams will start integrating some of the EXP Azure experiences
53. The Cloud
The Cloud…
…is not (anymore) a taboo subject, even in the public sector
…proves to be a strong innovation driver
…may be the way to develop DevOps and Agility adoption
54. Our Role in the Success of Our Customers
There is no success in the Cloud:
• Without strong technical competency
• Without maturity and experience
• Without a Team
This is where we come into play.
55. Thank you,
• Picture references
• NG/MATTHEW G. WHEELER, VIA RAIL CANADA
• GLACIERBAYALASKA.COM
• PINTEREST
• IBC SYSTEMS
• CIO.COM
• SNCF
• SNCF RÉSEAU
• TRACKINTELLIGENCE.COM
• SHUTTERSTOCK
• PIXABAY
• CHILDREN’S MINISTRY LEADER
• WIKIPEDIA
Editor's Notes
The IT department of the Customer encompasses the implementation and operation of a large number of business or technical applications.
It includes many professions, mostly IT-oriented: infrastructure engineers, architects, technicians, and so on.
It relies pretty heavily on outsourcing different tasks like managed services, operations, production, expertise, or consulting to external companies (mostly via service and competency centers).
Some services of the internal organization:
Engineering Operations and Service (EOS)
Production Service
Information Security Service (ISS)
Infrastructure Project Management
Owns a number of data centers currently hosting the infrastructure of the applications.
The whole infrastructure is known as The Information System (IS).
As The Customer joined The Group, their infrastructures' networks got interconnected.
Today, a user from the IS is able to connect to a service within the Group's infrastructure, and vice versa.
However, various elements of the infrastructure (like networking appliances, identity systems, tooling, and so on) are different.
Also, there are differences in governance and procedures.
For the Customer and for the Group, there are very important security concerns and restrictions (due to their strategic activity).
Looking closely at the advances of the main actors in the public Cloud: Microsoft Azure, Amazon AWS.
It seems that the Cloud may be the gate.
« Let's try and see how it works and how it could help us »
Key factor: onboard the Information Security Service (ISS) team from the very beginning.
This ensures there will not be [too many] blocking rocks on the road.
[TODO: goodwill of the CIO / IT Officer]
Requesting an Azure agreement via The Group.
An Azure subscription was provisioned.
The ISS team was the one using an Azure subscription (fall 2016).
Several basic deployments were made, and a site-to-site VPN connection was attempted.
The first learnings:
some projects need to be interconnected with the IS
others need rather to be separated/isolated from it (risky or unknown stuff running)
Then the advancements and works slowed down.
Also, the VPN was malfunctioning.
The EOS engaged to initiate a dedicated Azure team.
Team directly attached to the chief of EOS.
2 people, Azure experts, with knowledge in infrastructure, networking, security, and governance.
Not an easy task, but people were found (at Cellenza).
First things first: the VPN was fixed.
Not a big issue, the configuration was mostly good, but missing a « keep alive » option while there is no traffic (« Dead Peer Detection » set at 10s in the local Juniper appliance).
Second thing (during the works for the first): « security hole » detected (and solved).
The « forced tunneling » setup was envisioned but missing in the configuration.
Results:
The team gains the Customer's confidence.
The Networking team is also very cooperative.
Enthusiastic about the advancement, the Customer envisions moving on in the Cloud and eventually targeting production workloads.
Blocker: the Group strategy is not yet in phase with the Customer's regarding the Cloud.
The Group warns about production responsibility in the cloud.
Result: agreement on an « experiment oriented » scope for the Customer's Cloud works.
VNET with VPN: because of the forced tunneling, all traffic in Azure now has to be monitored and configured in local appliances (Palo Alto).
The current process of configuring the rules for projects takes days or weeks.
Solution: a set of 2 Network Virtual Appliances (Palo Alto) was configured and implemented in Azure.
They now allow the configuration of the rules to be directly implemented by the Azure team jointly with the ISS.
By this, interconnected with the whole Group.
At origin: multiple, inconsistent IAMs for applications within the Group.
However, client infrastructure is mostly Windows domain based (Active Directory).
Office 365 induced the necessary changes.
The Group imposed a central domain and unique client OS masters.
The Group domain was synced to an Azure Active Directory tenant.
This tenant is used today for all Azure subscriptions.
Today, AAD is not used for application authentication.
ANNEXES
Certificate issues
App Gateway schema
Recommendations for PaaS databases
Dashboard; ASE