Adopting Multi-Cloud Services with Confidence
- 1. Adopting Multi-Cloud Services with Confidence
The Complete Cloud Summit 2020
September 15, 2020
Kevin Hakanson
Director of Customer Success & Principal Cloud Solutions Architect
https://www.linkedin.com/in/kevinhakanson/
- 2. Poll: Multi-Cloud
What is your opinion on multi-cloud?
1. Multi-Cloud is a good strategic idea
2. Multi-Cloud is a good tactical idea
3. Multi-Cloud is a bad idea
4. I don’t have an opinion on Multi-Cloud
- 3. Bad Idea? Excerpts from Multi-Cloud is the Worst Practice by @QuinnyPig
• … the idea of building workloads that can seamlessly run across any cloud provider or your own data centers with equal ease.
• Load balancers work differently on every cloud platform, so being multi-cloud means you’re running your own with nginx or HAproxy.
• Companies don’t want to hire generalists who are broad across multiple providers; they bias for specialists who are good on one particular platform.
• In practice, every “we’re multi-cloud” story I’ve ever seen in the wild means “we’re over 80% on our primary provider, then have a smattering of workloads on others.”
Source: https://www.lastweekinaws.com/blog/multi-cloud-is-the-worst-practice/
- 4. Fact of Doing Business? From Multicloud Scenarios in Azure Documentation
• Multicloud adoption should be contained to where it is required based on technical needs or specific business requirements. As multicloud adoption grows, so does complexity and security risks.
• Possible Scenarios
  • Mergers and Acquisitions
  • Targeted Workloads
  • Technology Expertise
  • Cloud Migrations (from on-premises or another provider)
  • …
Source: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/govern/guides/complex/multicloud-improvement
- 5. Definitions (for this presentation)
Cloud-Native
• building applications and using services specific to a cloud platform
Cloud-Agnostic (or Cloud-Neutral)
• building applications which can be moved between cloud platforms
• using services independent of a cloud platform
- 6. Building Applications – Infrastructure as Code

                          | Cloud-Native                            | Cloud-Agnostic
--------------------------|-----------------------------------------|----------------------
Source Code Repositories  | AWS CodeCommit                          | GitHub
                          | Azure DevOps Repos                      | GitLab
                          | Google Cloud Source Repositories        | Bitbucket
CI/CD Pipelines           | AWS CodePipeline                        | Jenkins
                          | Azure DevOps Pipelines                  | GitHub Actions
                          | Google Cloud Build                      | CircleCI
IaC Templates             | AWS CloudFormation                      | Terraform
                          | Azure Resource Manager (ARM) Templates  | Pulumi
                          | Google Cloud Deployment Manager         | serverless framework
- 7. Poll: Cloud Adoption
Who is leading your cloud adoption strategy?
1. IT is leading our cloud adoption strategy
2. Business is leading our cloud adoption strategy
3. IT and Business are co-leading our cloud adoption strategy
4. We are still determining our cloud adoption strategy
- 8. Cloud Adoption Framework
Provides guidance, tools, and best practices that help organizations align their business and technical strategies in order to accelerate a successful cloud adoption.
- 9. AWS Cloud Adoption Framework
• Organizes guidance into six areas of focus called perspectives
• Each perspective is made up of capabilities describing “what” a stakeholder owns or manages
• Each capability provides guidance related to skills and processes
• Assists in developing action plans and creating work streams
Source: https://aws.amazon.com/professional-services/CAF/
- 10. Google Cloud Architecture Framework
• Builds a structure on the rubric of People, Process, and Technology
• Evaluates four themes during the three phases of cloud maturity
  • Tactical
  • Strategic
  • Transformational
Source: https://cloud.google.com/adoption-framework/
- 11. Microsoft Cloud Adoption Framework for Azure
• Provides best practices, documentation, and tools needed to successfully achieve short-term and long-term objectives.
• Align strategies for business, culture, and technical change to achieve their desired business outcomes.
• Full lifecycle framework, supporting customers throughout each phase of adoption by providing methodologies.
Source: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/overview
- 12. Thoughts
• Each Framework has a different approach and adds value to the ongoing conversation about multi-cloud adoption
• A common understanding that alignment between Business and IT is needed for a successful cloud adoption outcome
• People and their ability to grow technology skills and change behaviors and processes are likely your limiting factor
• Reminder that Security plays a central and ongoing role during cloud adoption, and is compounded by a multi-cloud strategy
- 13. Poll: Cloud Center of Excellence (CCoE)
What has been your experience with a Cloud Center of Excellence (CCoE)?
1. I have a positive opinion and experiences with a CCoE
2. I have mixed opinions and experiences with a CCoE
3. I have a negative opinion and experiences with a CCoE
4. I don’t have any substantial experiences with a CCoE
- 15. Required Cloud Adoption Functions

Function                    | Purpose
----------------------------|-----------------------------------------------------
Cloud strategy              | Align technical change to business needs
Cloud adoption              | Deliver technical solutions
Cloud governance            | Manage risk
Central IT team             | Support from existing IT staff
Cloud operations            | Support and operate adopted solutions
Cloud Center of Excellence  | Improve quality, speed, and resiliency of adoption
Cloud platform              | Operate and mature the platform
Cloud automation            | Accelerate adoption and innovation
Cloud security              | Manage information security risk
Source: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/
- 16. Organizational Structure Maturation Stages
• Accountable for technical solutions, business alignment, project management, and operations for solutions that are adopted
• Accountable for platform maturity, platform operations, governance, and automation
Source: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/organization-structures
- 18. Cloud Center of Excellence (CCoE)
Modern cloud-first operating model
• Focus on self-service and democratization with centralized governance, security, platform, and automation
• Mutual agreement to modernize IT processes will be required from business and IT leadership
• Unlikely to occur organically and often requires executive support
Source: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/organization-structures
- 19. Poll: Responsibility for Cloud Security
Who has the most responsibility for cloud security?
1. The Cloud Provider is the most responsible
2. The Cloud Customer CCoE is the most responsible
3. Each Cloud Customer “workload” team is the most responsible
4. Everyone is equally responsible
- 22. A landing zone is a well-architected, multi-account AWS environment that's based on security and compliance best practices. AWS Control Tower automates the setup of a new landing zone using best-practices blueprints for identity, federated access, and account structure.
Source: https://aws.amazon.com/controltower/features/#Landing_Zone
Azure landing zones are the output of a multi-subscription Azure environment that accounts for scale, security, governance, networking, and identity. Azure landing zones enable application migrations and greenfield development at an enterprise scale in Azure.
Source: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/
Source: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/refactor
• Cloud Provider: Responsibility for Security “of” the Cloud
• Customer: Responsibility for Security “in” the Cloud
• Platform: Responsibility for Security “of” the Landing Zone
• Workload: Responsibility for Security “in” the Landing Zone
- 23. Multiple Layers of Governance
• Corporate IT (Platform): Standards and policies that apply to all cloud workloads including the management hierarchy of cloud accounts across cloud providers.
• Regional or Business Unit IT: Can apply an additional layer of governance with additive policies and standards.
• Cloud Adoption Teams (Workloads): Detailed decisions and implementation about applications or workloads within the context of governance requirements.
Source: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/govern/guides/complex/multiple-layers-of-governance
- 24.

AWS                     | GCP           | Azure
------------------------|---------------|-------------------
Organization (Root)     | Organization  | AD Tenant (Root)
Organization Unit (OU)  | Folder        | Management Group
Account                 | Project       | Subscription
                        |               | Resource Group
Resource                | Resource      | Resource
- 25. Thoughts: Conway’s Law
“Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure.”
— Melvin E. Conway
• Your Organization Unit / Folder / Management Group hierarchy doesn’t need to mirror your current organizational structure.
• What problems does a future re-org or M&A leave you with?
• Consider a structure organized by workload
- 27. Resource Consistency - Tags
• A tag is a label consisting of a user-defined key and value attached to resources as metadata
• Tags help you organize your resources and can enable cost allocation, automation, and access control
• Tags can be IT aligned
  • Workload, application, function, or environment
• Tags can be Business aligned
  • Accounting, business ownership, or business criticality
- 28. Resource Tagging Limits

                        | AWS                                  | Azure                      | GCP
------------------------|--------------------------------------|----------------------------|-----------------------------------
Name                    | Tag                                  | Tag                        | Label
Per Resource Limit      | 50                                   | 50                         | 64
Key Length              | 128                                  | 512                        | 63
Case Sensitive Key      | yes                                  | no for operations          | yes
Reserved Key Prefixes   | aws:                                 | microsoft, azure, windows  |
Key Restrictions        | Valid characters: letters, numbers,  | Invalid characters:        | Valid characters: lowercase,
(can vary by service)   | space, _ . : / = + - @               | < > % & ? /                | numeric, underscore, hyphens;
                        |                                      |                            | must start with a lowercase letter
Value Length            | 256                                  | 256                        | 63
- 29. Thoughts
• Define an organizational tagging standard early
  • Use lower-kebab-case for tag keys
  • Define a prefix strategy for standard (platform) tags vs. project (workload) tags
  • Allows teams to combine organization and project standards without conflicts
• Use both reactive and proactive approaches for governing tags
  • Leverage cloud-native tooling
• Understand that cloud providers are not internally consistent
  • Some services still lack tags, don’t support tag-on-create, or have other limitations
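The tagging limits on slide 28 and the recommendations on slide 29 (lower-kebab-case keys, a platform vs. workload prefix strategy, proactive and reactive governance) can be turned into a small checker. The following Python is an added example, not code from the presentation or from any cloud provider's tooling: it encodes the per-provider limits from the table, applies a hypothetical organizational standard (platform tags prefixed "org-", workload tags prefixed "app-", three required platform tags), validates a tag set before deployment (proactive), and audits a constructed resource inventory for missing required tags (reactive). It also shows why lower-kebab-case is the portable choice: a hyphen-separated lowercase key passes every provider's rules in the table, while keys using ":" or upper case fail on at least one.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProviderLimits:
    """Tag/label limits for one provider, taken from the slide's table."""
    max_tags: int
    max_key_len: int
    max_value_len: int
    key_pattern: re.Pattern          # characters a key may contain
    reserved_prefixes: tuple         # prefixes a customer must not create
    case_insensitive_keys: bool = False


PROVIDERS = {
    # AWS: 50 tags, key 128, value 256; letters, numbers, space and _ . : / = + - @
    "aws": ProviderLimits(50, 128, 256, re.compile(r"^[A-Za-z0-9 _.:/=+\-@]+$"), ("aws:",)),
    # Azure: 50 tags, key 512, value 256; keys must not contain < > % & ? /
    "azure": ProviderLimits(50, 512, 256, re.compile(r"^[^<>%&?/]+$"),
                            ("microsoft", "azure", "windows"), True),
    # GCP: 64 labels, key 63, value 63; lowercase, digits, _ and -, starting lowercase
    "gcp": ProviderLimits(64, 63, 63, re.compile(r"^[a-z][a-z0-9_-]*$"), ()),
}

# Hypothetical organizational standard (the slide says to define one, not what it is):
# lower-kebab-case keys, platform tags prefixed "org-", workload tags prefixed "app-".
KEBAB_CASE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")
ALLOWED_PREFIXES = ("org-", "app-")
REQUIRED_PLATFORM_TAGS = ("org-cost-center", "org-owner", "org-environment")


def validate_tags(tags, provider):
    """Proactive check, run before deployment. Returns a list of problems;
    an empty list means the tag set is acceptable on that provider and meets the standard."""
    limits = PROVIDERS[provider]
    problems = []
    if len(tags) > limits.max_tags:
        problems.append(f"{len(tags)} tags exceeds {provider} limit of {limits.max_tags}")
    for key, value in tags.items():
        if len(key) > limits.max_key_len:
            problems.append(f"{key!r}: key longer than {limits.max_key_len}")
        if len(value) > limits.max_value_len:
            problems.append(f"{key!r}: value longer than {limits.max_value_len}")
        if not limits.key_pattern.match(key):
            problems.append(f"{key!r}: contains characters {provider} does not allow")
        probe = key.lower() if limits.case_insensitive_keys else key
        if any(probe.startswith(p) for p in limits.reserved_prefixes):
            problems.append(f"{key!r}: uses a prefix reserved by {provider}")
        if not KEBAB_CASE.match(key):
            problems.append(f"{key!r}: not lower-kebab-case")
        if not key.startswith(ALLOWED_PREFIXES):
            problems.append(f"{key!r}: missing org-/app- prefix")
    return problems


def portable_key(key):
    """True when the key is usable unchanged on all three providers and meets the standard."""
    return all(not validate_tags({key: "x"}, provider) for provider in PROVIDERS)


def audit_inventory(inventory):
    """Reactive check over an existing resource inventory: maps each resource id to the
    required platform tags it lacks. Azure keys are compared case-insensitively."""
    missing = {}
    for res in inventory:
        limits = PROVIDERS[res["provider"]]
        present = {k.lower() if limits.case_insensitive_keys else k for k in res["tags"]}
        gaps = [t for t in REQUIRED_PLATFORM_TAGS if t not in present]
        if gaps:
            missing[res["id"]] = gaps
    return missing


# Constructed sample inventory (not real resources): one complete, two with gaps.
SAMPLE_INVENTORY = [
    {"provider": "aws", "id": "i-0123456789abcdef0",
     "tags": {"org-cost-center": "1234", "org-owner": "team-a",
              "org-environment": "prod", "app-tier": "web"}},
    {"provider": "azure", "id": "vm-web-01",
     "tags": {"Org-Cost-Center": "1234", "org-owner": "team-a"}},
    {"provider": "gcp", "id": "vm-db-01",
     "tags": {"org-owner": "team-b", "org-environment": "dev"}},
]

if __name__ == "__main__":
    for key in ("org-cost-center", "CostCenter", "org:cost-center"):
        print(f"{key:20} portable: {portable_key(key)}")
    for res_id, gaps in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{res_id}: missing {', '.join(gaps)}")
```

In practice the proactive half sits in the CI/CD pipeline in front of the IaC template, and the reactive half runs against each provider's tag/label inventory export; the limits table is the part to revisit per service, since, as the slide notes, providers are not internally consistent.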
- 30. Well-Architected Framework

AWS                                                   | Microsoft Azure                                                | Google Cloud
------------------------------------------------------|----------------------------------------------------------------|--------------------------------------------------
https://aws.amazon.com/architecture/well-architected/ | https://docs.microsoft.com/en-us/azure/architecture/framework/ | https://cloud.google.com/architecture/framework
Operational Excellence                                | Operational Excellence                                         | Operational excellence
Security                                              | Security                                                       | Security, privacy and compliance
Reliability                                           | Reliability                                                    | Reliability
Performance Efficiency                                | Performance Efficiency                                         | Performance and cost optimization
Cost Optimization                                     | Cost Optimization                                              |
Note: AWS added Operational Excellence in Nov 2017, and in May 2020 both Microsoft Azure and Google Cloud updated their architecture frameworks to use similar naming.
- 31. Security Pillar
AWS: “The security pillar describes how to take advantage of cloud technologies to protect data, systems, and assets in a way that can improve your security posture.”
• 6 Design Principles
Source: https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
Microsoft Azure: “Security is one of the most important aspects of any architecture. It provides confidentiality, integrity, and availability assurances against deliberate attacks and abuse of your valuable data and systems.”
• 14 Design Principles
Source: https://docs.microsoft.com/en-us/azure/architecture/framework/security/overview
Google Cloud: “This section of the architecture framework discusses how to plan your security controls, approach privacy, and how to work with Google Cloud compliance levels.”
• 4 Strategies + 7 Best Practices
Source: https://cloud.google.com/architecture/framework/security-privacy-compliance
- 32. Databases

Cloud-Native (PaaS)                              | Cloud-Agnostic (protocol)  | Cloud-Agnostic (IaaS)
-------------------------------------------------|----------------------------|--------------------------
Amazon DynamoDB                                  |                            |
GCP Firestore                                    |                            |
-------------------------------------------------|----------------------------|--------------------------
Amazon RDS for PostgreSQL                        |                            | PostgreSQL
Amazon Aurora for PostgreSQL                     |                            |
Azure Database for PostgreSQL                    |                            |
GCP Cloud SQL for PostgreSQL                     |                            |
-------------------------------------------------|----------------------------|--------------------------
Amazon ElastiCache for Redis                     | Redis Enterprise Cloud     | Redis
Azure Cache for Redis                            |                            |
GCP Memorystore for Redis                        |                            |
-------------------------------------------------|----------------------------|--------------------------
Amazon DocumentDB (with MongoDB compatibility)   | MongoDB Atlas              | MongoDB
Azure Cosmos DB’s API for MongoDB                |                            |
-------------------------------------------------|----------------------------|--------------------------
Amazon Keyspaces (for Apache Cassandra)          |                            | Apache Cassandra
Azure Cosmos DB Cassandra API                    |                            |
-------------------------------------------------|----------------------------|--------------------------
Amazon Neptune                                   |                            | Apache TinkerPop Gremlin
Azure Cosmos DB Gremlin API                      |                            |
- 33. “Load Balancer”

Cloud Provider | Service Name               | OSI Layer 4 | OSI Layer 7 | Location
---------------|----------------------------|-------------|-------------|-----------
AWS            | Classic Load Balancer      | X           | X           | Regional
AWS            | Application Load Balancer  |             | X           | Regional
AWS            | Network Load Balancer      | X           |             | Regional
AWS            | CloudFront                 |             | X           | Global
Azure          | Load Balancer              | X           |             | Regional
Azure          | Application Gateway        |             | X           | Regional
Azure          | Front Door                 |             | X           | Global
GCP            | Cloud Load Balancing       | X           | X           | Regional*
GCP            | Cloud CDN                  |             | X           | Global
Thought: Proper Names and URLs are your friend when discussing technology options.
- 34. Poll: Most Useful
What cloud model/framework have you found most useful?
1. Cloud Adoption Framework
2. Shared Responsibility Model
3. Well-Architected Framework
- 36. Closing Thoughts
• People and skills are your limiting factor, and you need to focus on workloads and business outcomes
• A CCoE needs to have multi-cloud visibility into the security and governance across all your workloads and their dependencies whether IaaS, PaaS, or SaaS
• Find an independent, trusted partner (specialty consultant or software vendor) who focuses all their time thinking about multi-cloud