Onboarding a Historical Company on the Cloud Journey (IT Camp 2018)

@ITCAMPRO #ITCAMP18Community Conference for IT Professionals
Onboarding a Historical Company
on the Cloud Journey
Marius Zaharia
Cloud Technical Manager, Cellenza (FR)
@lecampusazure

This is the story of a journey.
The journey of a long run voyager.
It has started a few hours ago* and it’s still running.
The view is… cloudy, but so interesting.
Away, the horizon line looks bright and sunny.
I was there, accompanying the voyager on its way.
I am here, telling you the story.
* on the technological eve scale

Many thanks to our sponsors & partners!
GOLD
SILVER
PARTNERS
PLATINUM
POWERED BY

Marius Zaharia
Marius Zaharia
http://blog.lecampusazure.net
@LeCampusAzure
marius.zaharia@cellenza.com
At the start of cloud computing at the end of the
first decade, Marius Zaharia - currently Cloud
Technical Manager at Cellenza - saw the enormous
potential of this technology, especially that of
Microsoft Azure.
Since then, his focus has been on setting up cloud
architectures and their corporate governance.
Marius has gained both professional developer and
infrastructure engineer experience, which allows him to
have a complementary approach and broad coverage
of project needs.
Passionate about the cloud, he is also an active
contributor to the Azure User Group France
community, organizer of community events and
speaker at local and international conferences.

• Our Customer : a strategic actor of the public
transportation sector in France
• Established public company in France for ages
• Large national coverage
– At the root of most of the transportation networks in
France
• Now part of a consolidated group of companies
(thereby called The Group)
The Story of a Customer

• The Customer’s IT system
– Large number of business or technical applications
– Includes many professions, mostly IT professional oriented
– Outsourcing different tasks
• managed services, operations, production, expertize, or
consulting
• Some services of the organization:
– Engineering Operations and Service (EOS)
• Technical Architecture (TA)
• Networking (NE)
– The Innovation Pole (IP)
– Information Security Service (ISS)
– Production Service Center
– Build Delivery Center…
The Customer’s IT system

• Owns a number of Data Centers
– Two main regions (Lyon, Lille)
• Customer’s and Group’s infrastructure
networks got interconnected
– However, various elements of the
infrastructure are different
– Also, there are differences in governance
and procedures
• Very important security concerns and
restrictions
The Customer’s Infrastructure

• The Customer needs to encourage and
accelerate the pace of innovation via
experiments
• The projects need to deploy on the IT
infrastructure in a timely matter
• The actual internal (IS) and Group
organization and culture are not « agile »
enough for :
– More and more Innovation coming
– Time to Market and Cost Effective delivery
The Challenge

• Looking closely to the advancements of the
main actors in the public Cloud : Microsoft
Azure, Amazon AWS
– It seems that the Cloud may be the gate
• « Let’s try and see how it works and how it
could help us »
• Key factors :
– Onboard the Information Security Service (ISS)
team from the very beginning
– Openness of the CIO
When the Cloud Comes into the Picture

The Steps
(and Other
Challenges)

• Azure subscription contracted
– At the Group level
• Used first by ISS team (fall 2016)
• Several basic deployments were made, and a site-to-
site VPN connection was tempted
• The first learnings :
– some projects interconnected with the SI
– others separated/isolated from it
• Then, the advancements and works slowed down
• Also, the VPN was malfunctioning
Opening Azure
Note: the Group also
moved on Azure.
An ExpressRoute
connection was setup
at that level.

• How to fix the VPN, first ?
• How to organize and classify projects and environments ?
• How to protect our IS while being open to experiment ?
• How to give amplitude to the works in the Cloud ?
New Challenges

• The EOS engaged to initiate a dedicated Azure team
• Team directly attached to the chief of Technical Architecture
• The Azure Team will be the « the armed arm » of the
Innovation Pole
• 2 people, Azure experts, with knowledge in infrastructure,
networking, security, and governance
• Not an easy task, but people were found - at
Moving to a Real Team

• First thing first: the VPN was fixed
– Dead Peer Detection set at 10s in local Juniper
appliance
• Second thing : « security hole » detected (and
solved)
– Force Tunelling setup missing in configuration
• Results:
– The team gains the Customer’s confidence
– The Networking team is also very cooperative
The First Real Works
Azure VPN Gateway

• The Customer envisions moving on in the
Cloud and eventually targeting production
workloads
• Blocker : the Group strategy is not yet in phase
with the Customer’s one regarding the Cloud
– The Group warns about production responsability
in the cloud
• Result: agreement on an « experiment
oriented » scope for the Customer’s Cloud
works
New Challenge (and solution)

• VNET w/ VPN : all traffic in Azure has now to be
monitored and configured in local appliances
– The actual process of configuring the rules for
projects takes days or weeks
• Solution: a set of 2 Network Virtual Appliances
(Palo Alto) was configured and implemented in
Azure
– Routing, detecting and filtering traffic
– Configuration of the rules directly implemented by
the Azure team jointly with the ISS
New Challenge (and Solution)

• A first draft of governance and management rules is
defined
• The team is now ready to receive projects
• First internal communication (limited at this stage)
• First projects coming quickly
• The interest for the team’s services increases rapidly
• The team is reinforced on engineering and project
management sides
• ….
More and More Steps

Results : A Platform for Innovation
Experimentations
•Appliances
•DB on PaaS
•Containers
•File Sharing
•…
Projects
Deployed
and Ran
A technological
advancement
•Driving IT innovation
•Positioning within the Group

1. VM hosting (a lot)
2. Simple projects (less)
– Azure infrastructure
– Software installation
3. Complex projects (a few)
– Azure infrastructure
– Software installation
– App deployment and configuration
Projects Typology and Requirements
• OS :
• Windows (WS 2012 R2)
• Linux (Ubuntu)
• Containers (Ubuntu)
• Platforms: ASP.NET, Java,
SQL Server, PostGreSQL,
PHP, MySQL, …
• Apps & software: Tomcat,
WordPress, Jupyter,
HDInsight, Kubernetes,
Ckan, ngnix, Traefic, Faveod,
…

• Core services
– VMs (in mutualized infrastructure)
– Environment setup (VMs / software / networking / routing / …)
– Provisioning / Build / Deployment
– Governance : Backup, Log Analytics
• Other services
– DNS configuration in our DNS zone
– SSL Offloading (HTTPS to HTTP)
– « Consulting » : application architecture
• Intermediation for « third party » services
– Certificate requests
Our « Service Catalog »

Zones
1. Intranet
– for applications willing to connect with
the core IT system
– Azure outbound to internet controlled
and opened on case by case basis
2. Internet
– for applications not connected with the
core IT system
– for low level classified data
Platform Overview
Connectivity, networking, securization
• Intranet
• Main VNET interconnected with the core IT
system via IPSEC VPN
• 1 mutualized subnet (for single VMs)
• VNETs peered with the main VNET
• All secured by 2 Palo Alto NVAs
• Internet
• Isolated environments
• VNETs dedicated to each project
• Each VNET/snet secured by NSG
• To manage VMs in Internet zone :
Jump VMs in Intranet, then RDP/SSH

Intranet Zone Infrastructure
Azure On premises
VNET_POC_Intranet
Services
Mgmt Azure
VPN GW
VNG_POC_Intranet
VPN GW
Juniper
IPSec
Proj A
NVA
Trust
IP Mgmt
Intranet (OPT.)
SNET Trust
UDR
Vers NVA
NSG
NSG
SNET PoC Intranet
SNET GW
Internal services
Default
Route
UDR vers NVA
NVA
Untrust
SNET Internet
SNET
Mgmt
SNET Intermédiaire
CyberArk
IP Mgmt
Internet (OPT.)
* NVA = Network Virtual Appliance
(Azure MarketPlace)
User
NSG
Rebond
Azure
SNET rebond
Rebond
Azure
VNET / subnet IP range
planning: extremely important

Intranet Zone : from on-premises to project
Proj A
Azure On-premises
VNET_POC_Intranet
Services
Mgmt Azure
VPN GW
VNG_POC_Intranet
VPN GW
Juniper
IPSec
Proj A
NVA
Trust
IP Mgmt
Intranet (OPT.)
SNET Trust
UDR
Vers NVA
NSG
NSG
SNET PoC Intranet
SNET GW
Internal services
Default
Route
UDR vers NVA
NSG
Rebond
Azure
NVA
Untrust
SNET Internet
SNET
Mgmt
SNET Intermédiaire
Cyberark
SNET rebond
IP Mgmt
Internet (OPT.)
(Azure MarketPlace)
User
Rebond
Azure

Intranet Zone : from project to on-premises
Azure On-premises
VNET_POC_Intranet
Services
Mgmt Azure
VPN GW
VNG_POC_Intranet
VPN GW
Juniper
IPSec
Proj A
NVA
Trust
IP Mgmt
Intranet (OPT.)
SNET Trust
UDR
Vers NVA
NSG
NSG
SNET PoC Intranet
SNET GW
Internal services
Default
Route
UDR vers NVA
NSG
Rebond
Azure
NVA
Untrust
SNET Internet
SNET
Mgmt
SNET Intermédiaire
Cyberark
SNET rebond
IP Mgmt
Internet (OPT.)
(Azure MarketPlace)
User
Rebond
Azure

Intranet Zone : from project to Azure & OUT
Azure On-premises
VNET_POC_Intranet
Services
Mgmt Azure
VPN GW
VNG_POC_Intranet
VPN GW
Juniper
IPSec
Proj A
NVA
Trust
IP Mgmt
Intranet (OPT.)
SNET Trust
UDR
Vers NVA
NSG
NSG
SNET PoC Intranet
SNET GW
Internal services
Default
Route
UDR vers NVA
NSG
Rebond
Azure
NVA
Untrust
SNET Internet
SNET
Mgmt
SNET Intermédiaire
Cyberark
SNET rebond
IP Mgmt
Internet (OPT.)
(Azure MarketPlace)
User
Rebond
Azure

Intranet Zone : managing NVAs
Azure On-premises
VNET_POC_Intranet
Services
Mgmt Azure
VPN GW
VNG_POC_Intranet
VPN GW
Juniper
IPSec
Proj A
NVA
Trust
IP Mgmt
Intranet (OPT.)
SNET Trust
UDR
Vers NVA
NSG
NSG
SNET PoC Intranet
SNET GW
Internal services
Default
Route
UDR vers NVA
NSG
Rebond
Azure
NVA
Untrust
SNET Internet
SNET
Mgmt
SNET Intermédiaire
Cyberark
SNET rebond
IP Mgmt
Internet (OPT.)
(Azure MarketPlace)
User
Rebond
Azure

Intranet Zone : Peering for large projects
Azure On-premises
VNET_POC_Intranet
Services
Mgmt Azure
VPN GW
VNG_POC_Intranet
VPN GW
Juniper
IPSec
NVA
Trust
IP Mgmt
Intranet (OPT.)
SNET Trust
NSG
NSG
SNET PoC Intranet
SNET GW
Internal services
Default
Route
UDR vers NVA
NVA
Untrust
SNET Internet
SNET
Mgmt
SNET Intermédiaire
Cyberark
SNET rebond
IP Mgmt
Internet (OPT.)
(Azure MarketPlace)
User
Proj B
SNET PoC2
VNET
Peering
UDR
Vers NVA Intranet
VNET_POC_B
Strong impact on routing
configuration

• At origin : multiple, inconsistent IAMs for
applications within the Group
– However, client infrastructure is mostly was domain
based Windows (Active Directory)
• Office 365 induced the necessary changes
• Domain at the Group level
• AD is synced to an Azure Active Directory
tenant
– Used today for all Azure subscriptions
– But AAD is not used for application
authentication
Identity and Access Management

• Azure Resource Manager
• Azure VMs
– several sizes used intensively (D_v2)
• Networking: VNET, Network
Security Groups, User Defined
Routes
– Intranet zone: all default routing
overrided
• Containers: Azure Container
Service, Azure Container Registry
– 1 cluster Kubernetes for a big project
• Network Virtual Appliances: Palo
Alto (licence PAYG)
Azure Services Used
• Azure AD
• directory synchronized at the Group Level
• Azure Backup
• Log Analytics
• App Service Domains
• Azure DNS
• Azure Automation
• PaaS: SQL Database, PostGreSQL, MySQL
• Currently experimenting:
• Azure File Share, Azure File Sync
• App Service Environment
• Other : Packer, for OS Imaging

From the comprehension of IaaS
to the productivity of PaaS
• IaaS was best understood at the beginning
• Simple PaaS models were accepted pretty rapidly
– Database SQL, PostGreSQL, MySQL had the fastest adoption
• More advanced models were provided in a transparent
way
– Ex. Delivering SSL offloading via App Gateway
From IaaS to PaaS

Sécurisation PostGreSQL – Intranet Zone
Azure
VNET_POC_INTRANET
SNET de projet
Filtre IP :
12.34.56.78
IP Public :
12.34.56.78
Règle OUT
IP : (IPs publiques
Azure)
Port : 5432
https://[monsrv].postgres.database.azure.com
(Azure public IPs)
MABDD
VM Front End Auth. user/password
Conn. string:
Auth. user/password
Palo Alto
Trust
Palo Alto
Untrust
UDR

Sécurisation SQL Database – Intranet Zone
Azure
VNET_POC_INTRANET
Filtre VNET :
VNET_POC_INTRANET
https://[monsrv].database.windows.net
MABDD
Auth. user/password
VNET_POC_INTRANET
service endpoint SQL
Règle OUT
IP : (IPs publiques
Azure)
Port : 1433
VM Front End
Conn. string:
Auth. user/password
Palo Alto
Trust
Palo Alto
Untrust
UDR
BUG detected!
Mixed VNET service endpoint
config not allowed

SSL Offloading

• Platform evolution
– Updates, patches
– Complimentary services
– New services added
• Tooling usage
– VSTS
• Work, Build, Release
– Planner
• Dashboard
– O365 Group
– SharePoint
– Excel
• DevOps
– Used internally for own
processes
Governance

• Prerequisites
– security pre-qualification (data classification,
flows, …)
– technical architecture document (DAT)
required if complex project
• PROCESS
– Onboarding
• gather requirements
• elaboration
• « official response »
– Implementation
• per segment : provision, configure, build,
deploy, request third party services, aggregate
response
• delivery
• Lifecycle monitoring
• Unprovisioning
Governance : Project Onboarding and Management
Project Onboarding Process

• “Scrum”
methodology,
adapted
• Tooling : VSTS
• 2 weeks sprints
• Epics = Projects
• Product backlog
items = Requirements
• Tasks
Agility
Scrum management in Visual Studio Team Services

• TEAM « EXPerimenting Projects on Azure »
(EXP Azure)
• Team formed of :
– 1 Team Lead / Azure Expert
– 1 Project Manager
(infrastructure integrator)
– 1 Infrastructure Architect / Azure Expert
– 1 System Engineer
– 1 Ops Engineer (« experimental »)
• Associated :
– 1 Security Expert from ISS
Team Organization

• ARM templates
– adapt then reuse quick start
templates
– use of linked templates working
model
– standardize and reuse of linked
templates among projects
• Packer
– standardize OS images
• CI/CD with VSTS
– Build of OS or container images
– Deployment of containers
Industrialization
Packer JSON example, as stored in VSTS

• A new team structure is built on top
– Will include roles:
• Service Catalog Owner
• Cloud Operations Engineer
• Cloud QA Lead
– Will expand work force on existing
• System Engineer(s)
• Cloud Architect
• More integration with existing IT services (build, production)
Moving to a new, larger team and scope
• More responsibilities
• More projects onboarding
• More production oriented
• Richer Cloud offering
• More services delivered
• Identity and Authentication
• More PaaS, Serverless, …

• The synergy with the Group will be essential
and strategical
– Azure Production workloads to be pushed to the
Group
– Keep Experiments responsibility and autonomy
• Integrate with ExpressRoute infrastructure
– Deploy projects with a faster interaction with the
core IT system
• Share more of our knowledge
– Our technological advance may influence decisions
and choices at the group level
Synergy with the Group

• The results of the EXP Azure team are
progressively diffused in the
organization
• The DevOps and automation practices
applied internally are also propagated
• The Agile process shows to other
teams a much faster delivery process
• The other teams will start integrating
some of EXP Azure experiences
Diffusion : Culture of Cloud and Agility

The Cloud
The Cloud
…is not (anymore) a tabou subject
even in the public sector
…proves to be a strong
innovation driver
…may be the way of developing
DevOps and Agility adoption

There is no success in the Cloud :
• Without a strong technical competency
• Without the maturity and experience
• Without a Team
Here is where we come in the play.
Our role in the success of our customers

Thank you,
• Picture references
• NG/MATTHEW G. WHEELER, VIA RAIL CANADA
• GLACIERBAYALASKA.COM
• PINTEREST
• IBC SYSTEMS
• CIO.COM
• SNCF
• SNCF RÉSEAU
• TRACKINTELLIGENCE.COM
• SHUTTERSTOCK
• PIXABAY
• CHILDREN’S MINISTRY LEADER
• WIKIPEDIA

Onboarding a Historical Company on the Cloud Journey (IT Camp 2018)

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to Onboarding a Historical Company on the Cloud Journey (IT Camp 2018)

Similar to Onboarding a Historical Company on the Cloud Journey (IT Camp 2018) (20)

More from Marius Zaharia

More from Marius Zaharia (17)

Recently uploaded

Recently uploaded (20)

Onboarding a Historical Company on the Cloud Journey (IT Camp 2018)

Editor's Notes