BlueXP Blog

Azure Features for Enterprises Planning a Cloud Migration

Written by Gali Kovacs | Nov 16, 2017 7:43:43 AM

When companies decide to migrate their applications or infrastructure to the cloud, it creates a total paradigm shift from the traditional on-premises approach. Facing a change that massive, most companies prefer to leverage the services offered by industry-leading public cloud vendors, such as Microsoft Azure, especially when it comes to services such as Azure Backup.

Microsoft Azure is one of the most prominent cloud service providers, offering options for IaaS, PaaS and SaaS that cater to the rapidly changing business requirements of modern enterprises.

This article will explore five key enterprise-grade Azure features:

  • Data resiliency
  • Security
  • BCDR integration
  • Capacity planning
  • Single-pane operability

All of these key Azure features have major benefits for enterprises planning a shift to the cloud or a hybrid architecture.

1. Data Resiliency

When you use Azure cloud storage, your data is physically stored in secure data centers operated by Microsoft.

This abstracted layer of storage is consumed in the back-end by multiple services offered by Azure. For example, the disks of the virtual machines that you use for your virtual machine are stored as page blobs in Azure storage.

Azure SQL warehouse uses Azure blob storage to store data. Many organizations use these services to store their mission-critical data which makes ensuring resiliency of the storage very important.

By default, any data that you store in Azure storage will have a minimum of three copies stored in the same data center. This default resiliency level is called locally-redundant storage (LRS). If one copy of the data is unavailable due to any underlying hardware issues or updates, the data will automatically be made available from the other two copies stored in the data center, a switchover which is handled transparently by the platform.

Customers can opt for an additional level of resiliency by choosing either Geo-redundant storage (GRS), Zone-redundant storage (ZRS), or Read-only Geo-redundant storage (RA-GRS). GRS and RA-GRS storage will have three additional copies of the data stored in a different paired region, making six copies in total. Three additional copies of data are asynchronously replicated to the paired region for added resiliency.

The difference between GRS and RA-GRS is that customers get read access to the data endpoints in the secondary location when using RA-GRS.

Zone-redundant storage creates three additional copies which, in this case, are stored in other data centers in either one or two regions. You can consider these resiliency options analogous to the RAID configurations that exist in on-premises data centers to ensure data availability, transparent to users, in case of disk failures.

This is an important topic, so make sure to read more about Azure Storage data resiliency.

2. Data Security

Security in Microsoft Azure is built in at different levels and can be customized per customer requirements.

At the outermost layer is the built-in Distributed Denial of Service (DDOS) protection of the platform. DDOS protection kicks in when a DDOS attack is detected and reaches a specific, predefined threshold. In the recently concluded Microsoft Ignite event, DDOS protection at the VNet level was announced, offering the same capabilities as normal DDOS protection now at network level.

This level of protection comes in addition to the inbound and outbound network traffic management options provided by Network Security Groups (NSGs), which only allow permitted traffic to traverse the virtual machines. 

The security of data stored in Azure is managed by encrypting the data at rest through various mechanisms. By default, Azure Storage services (queues, files, tables, and blobs) are all enabled for Storage-side Encryption (SSE), which uses 256-bit AES encryption. The data is encrypted by Microsoft-managed keys before persisting to storage.

If customers wish to use their own keys for encryption, that can be done by using a key stored in Azure Key Vault (AKV). This option is currently only available in preview.

In addition to SSE, customers can enable additional security to the data stored in Azure VM disks by using disk encryption. The keys used for encryption will be stored in AKV. Both data and OS disks can be encrypted using this method.

Encryption can be utilized for Linux VMs with DM-Crypt and for Windows VMs with the BitLocker feature. In addition to the default storage options, several third-party solutions that offer data security using proprietary encryption mechanisms are also available on the Azure Marketplace.

One example is NetApp AltaVault Cloud-Based Appliance, which uses FIPS 140-2 level 1-validated encryption to make sure that your data stays safe wherever you decide to store it.

3. BCDR Integration

Azure storage integrates directly with your BCDR (Business Continuity/Disaster Recovery) strategy with options for Backup and disaster recovery.

Azure Backup is a versatile service that can be used for making backup copies of your on-premises files, folders, applications and even virtual machines hosted in Hyper-V and VMware. If your infrastructure is hosted entirely in the cloud, Azure IaaS VM level backup can be used for protecting the VM as well as the files stored in it.

All backed up data is kept in the Azure Recovery Services Vault, which uses Azure blob storage in the back end.

Azure Backup agent, or MARs agent as it is commonly known, is used for the simplest of use cases (such as making backups of files and folders). This agent can be installed either on your on-premises machines or on VMs hosted in Azure.

Azure Backup Server, or MABs server, is used to make backups of advanced workloads such as application, system state backups, or VM-level backups (Hyper-V & VMWare). The service is essentially same as System Center DPM. The only difference is that, unlike DPM, you cannot use tape drives with Azure Backup Server. It offers DPM-like capabilities for the customer with a pay-as-you-go model, which is an attractive proposition for small and medium businesses that do not want to make a major CAPEX investment in DPM.

On the other hand, if there is an existing investment in DPM, you can integrate that with Azure backup by installing an agent. As all data is sent to Azure Storage by Azure Backup agent, Azure Backup Server or DPM is compressed and encrypted to ensure storage efficiency and security.

Azure Backup intelligently identifies and backs up only the delta since the last backup, thereby ensuring data storage efficiency. The key used for backup encryption is managed by the customer and is required for recovery of data in the event of data loss.

Unavailability of services always has a direct impact on a business and its SLAs. An industry-standard DR solution is a key part of the DR plans of all organizations.

Azure Site Recovery (ASR) is the Azure service that focuses on restoring your entire data center to working condition in the case of a disaster. Azure Site Recovery is a completely cloud-based DR solution that supports different DR scenarios.

These scenarios can be broadly classified in three ways:

  • On-premises to Azure
  • On-premises to on-premises
  • Azure region to Azure region

ASR can be customized to meet RTOs and RPOs as defined by your DR plan and offers replication frequencies as often as every 30 seconds, depending on the source and network conditions.

When replicating from on-premises to Azure or from one Azure region to another, data is stored in Azure Storage and used by the Azure Recovery Services vault. While replicating from a primary on-premises data center to a secondary on-premises data center, the data remains in the customer’s primary data center while the orchestration of the replication and recovery is carried out by ASR. Only the metadata required for this orchestration is sent to the cloud.

ASR offers flexibility in terms of DR implementation by supporting heterogeneous deployment scenarios.

Customers using Hyper-V (with or without VMM), VMWare, or even physical servers can take advantage of the benefits of ASR to implement their DR plans. Encryption of data in transit and data at rest is supported for the on-premises to on-premises and on-premises to Azure scenarios.

The service works on a pay-as-you-go model and is a recommended alternative for organizations that do not want to make big investments in costly DR products.


4. Capacity Management

Capacity planning for storage is a time-consuming activity. In most organizations, the onus is on catering for exponential data growths. Microsoft Azure offers a hybrid architecture storage solution named StorSimple that helps address this challenge.

StorSimple has built-in features that address all the storage requirements of an enterprise business, including data tiering, archiving, compression, DR and off-site storage.

The automated data tiering feature intelligently places data in the SSD, HDD or cloud storage tier based on the usage pattern. Frequently used data will be found in the SSD tier, less-frequently used data is automatically tiered to HDD and cloud tier based on the data heat map.

Deduplication is also built in: This feature uses hash keys and the metadata map to identify duplicate data. The deduplication and compression Azure features combine to help optimize the usage of storage capacity.

Data tiered out to cloud storage is encrypted using AES 256-bit encryption. The solution has built-in local and cloud snapshot-based backups which can help recover services in a DR scenario.

StorSimple is available in three variants:

  • A rack-mountable physical device
  • Virtual appliance
  • Cloud appliance

It can offer storage capacities of up to 500TB of cloud storage using the physical devices sufficient to address growing data requirements of large enterprises. For small and medium-sized businesses, StorSimple Virtual appliance should be a viable option, which can be deployed as a VM in Hyper-V or VMware.

Another option enterprises have is to find solutions that outperform Azure’s native tools. NetApp’s Cloud Volumes ONTAP (formerly ONTAP Cloud) for Microsoft Azure is a similar hybrid architecture storage service that helps seamlessly manage your data, archival and DR requirements.

5. Single-Pane Operations

Last but not the least, it is important to have a single pane of management to gain visibility and insights into what is happening with your infrastructure, whether it’s hosted on-prem or in the cloud.

Microsoft Operation Management Suite (OMS) is a Management-as-a-Service (MaaS) that provides a single-pane view of hybrid environments.

At the heart of OMS is a log analytics solution which can connect with various data sources such as VMs, storage and network services, collect and analyze logs, and provide valuable insights. OMS also includes automation and security solutions to meet the new standards for operating with hybrid infrastructures.

Azure Automation is a versatile solution which uses PowerShell in the back end to automate complex operational tasks, both in the cloud and on-premises, using agents called Hybrid Workers. The security solutions bundled with OMS can provide insights into the security posture of connected resources such as patch level, malware infections, threat intelligence, and more.

Azure security center is another service that offers security guidelines and remediation by cross-checking Azure environment service deployments with Azure’s best practice recommendations.

The Backup and Site recovery services discussed earlier in this article can also be bundled with the OMS suite of services.

Summary

This article really only gives a glimpse of the various enterprise-grade Azure features that make Microsoft cloud offering a preferred service provider for large organizations. Depending on the use case requirements and specifications, specific features can be included in the target architecture.

When making a transition to the cloud, enterprises may want to seek out alternate solutions which may be easier to implement with existing on-premises deployments than Azure’s native services.

Current NetApp customers transitioning to Azure can leverage their existing expertise with ONTAP by trying Cloud Volumes ONTAP for Azure.

Want to get started? Try out Cloud Volumes ONTAP today with a 30-day free trial.