Onboarding a Historical Company on the Cloud Journey
- 3. This is the story of a journey.
The journey of a long run voyager.
It started a few hours ago* and it’s still running.
The view is… cloudy, but so interesting.
Away, the horizon line looks bright and sunny.
I was there, accompanying the voyager on its way.
I am here, telling you the story.
* on the technological eve scale
- 5. Cellenza, recognized experts
Azure
.NET
ALM
SQL Server
Windows Client
Publications and actions:
• White Papers (Cell’Insights): http://www.cellenza.com/cellinsights
• Articles in Programmez!
• Cellenza Blog: http://blog.cellenza.com
• TechEvents and community meetups
• Speakers: TechDays / MS Expériences, Azure Camp…
- 7. Marius Zaharia
http://blog.lecampusazure.net
@LeCampusAzure
marius.zaharia@cellenza.com
At the dawn of cloud computing, at the end of the
century’s first decade, Marius Zaharia - currently Cloud
Technical Manager at Cellenza - saw the enormous
potential of this technology, especially that of
Microsoft Azure.
Since then, his focus has been on setting up cloud
architectures and their corporate governance.
Marius has gained both professional developer and
infrastructure engineer experience, which allows him to
have a complementary approach and broad coverage
of project needs.
Passionate about the cloud, he is also an active
contributor to the Azure User Group France
community, organizer of community events and
speaker at local and international conferences.
- 9. The Story of a Customer
• Our Customer: a strategic actor in the public
transportation sector in France
• A long-established public company in France
• Large national coverage
• At the root of most of the transportation networks in
France
• Now part of a consolidated group of companies
(hereafter called The Group)
- 10. The Customer’s IT system
• Large number of business or technical applications
• Employs many professions, mostly IT-oriented
• Outsources various tasks:
• managed services, operations, production, expertise, or
consulting
• Some services of the organization:
• Engineering Operations and Service (EOS)
• Technical Architecture (TA)
• Networking (NE)
• The Innovation Pole (IP)
• Information Security Service (ISS)
• Production Service Center
• Build Delivery Center…
- 11. The Customer’s Infrastructure
• Owns a number of Data Centers
• Two main regions (Lyon, Lille)
• Customer’s and Group’s
infrastructure networks got
interconnected
• However, various elements of the
infrastructure are different
• Also, there are differences in
governance and procedures
• Very important security concerns
and restrictions
- 13. The Challenge
• The Customer needs to encourage and
accelerate the pace of innovation via
experiments
• Projects want to be deployed on the IT
infrastructure in a timely manner
• The current internal (IS) and Group
organization and culture are not « agile »
enough for:
• More and more innovation coming
• Time to market and cost-effective delivery
- 15. When the Cloud Comes into the Picture
• Looking closely at the advancements of the
main actors in the public Cloud: Microsoft
Azure, Amazon AWS
• It seems that the Cloud may be the gateway
• « Let’s try and see how it works and how it
could help us »
• Key factors :
• Onboard the Information Security Service (ISS)
team from the very beginning
• Openness of the CIO
- 17. Opening Azure
• Azure subscription contracted
• At the Group level
• Used first by ISS team (fall 2016)
• Several basic deployments were made, and a site-to-site
VPN connection was attempted
• The first learnings:
• some projects interconnected with the IS
• others separated/isolated from it
• Then, the advancements and works slowed down
• Also, the VPN was malfunctioning
Note: the Group also moved to Azure. An ExpressRoute
connection was set up at that level.
- 18. New Challenges
• How to fix the VPN, first?
• How to organize and classify projects and environments?
• How to protect our IS while being open to experiment?
• How to scale up the work in the Cloud?
- 19. Moving to a Real Team
• The EOS engaged to initiate a dedicated Azure team
• Team directly attached to the chief of Technical Architecture
• The Azure Team will be « the armed arm » (the operational arm) of the Innovation Pole
• 2 people, Azure experts, with knowledge in infrastructure,
networking, security, and governance
• Not an easy task, but people were found (at Cellenza)
- 20. The First Real Works
• First things first: the VPN was fixed
• Dead Peer Detection set at 10s on the local Juniper
appliance (the missing « keep alive » while no traffic flows)
• Second thing: a « security hole » was detected (and solved)
• Forced Tunneling missing from the configuration: without a
user-defined default route to the gateway, Azure VMs reach the
Internet directly instead of through the on-premises appliances
• Results:
• The team gains the Customer’s confidence
• The Networking team is also very cooperative
Azure VPN Gateway
- 21. New Challenge (and solution)
• The Customer envisions moving further into the Cloud
and eventually targeting production workloads
• Blocker: the Group strategy is not yet in phase
with the Customer’s regarding the Cloud
• The Group warns about production responsibility in
the cloud
• Result: agreement on an « experiment oriented »
scope for the Customer’s Cloud works
- 22. New Challenge (and Solution)
• VNET w/ VPN: with forced tunneling, all traffic in Azure
now has to be monitored and configured in the local appliances
• The existing process of configuring the rules for projects
takes days or weeks
• Solution: a set of 2 Network Virtual Appliances
(Palo Alto) was configured and implemented in
Azure
• Routing, detecting and filtering traffic
• Configuration of the rules directly implemented by the
Azure team jointly with the ISS
- 23. More and More Steps
• A first draft of governance and management rules is defined
• The team is now ready to receive projects
• First internal communication (limited at this stage)
• First projects coming quickly
• The interest for the team’s services increases rapidly
• The team is reinforced on engineering and project
management sides
• ….
- 25. Results : A Platform for Innovation
• Experimentations
• Containers
• Appliances
• DB on PaaS
• File Sharing
• …
• Projects deployed and run
• A technological advancement
• Driving IT innovation
• Positioning within the Group
- 26. Projects Typology and Requirements
1. VM hosting (a lot)
2. Simple projects (less)
• Azure infrastructure
• Software installation
3. Complex projects (a few)
• Azure infrastructure
• Software installation
• App deployment and configuration
• OS:
• Windows (WS 2012 R2)
• Linux (Ubuntu)
• Containers (Ubuntu)
• Platforms: ASP.NET, Java,
SQL Server, PostgreSQL,
PHP, MySQL, …
• Apps & software:
Tomcat, WordPress,
Jupyter, HDInsight,
Kubernetes, CKAN,
nginx, Traefik, Faveod, …
- 28. Platform Overview
Zones
1. Intranet
• for applications that need to connect
with the core IT system
• Azure outbound to the Internet
controlled and opened on a case-by-case
basis
2. Internet
• for applications not connected
with the core IT system
• for data with a low classification level
Connectivity, networking,
security
• Intranet
• Main VNET interconnected with the core
IT system via IPsec VPN
• 1 shared (mutualized) subnet for single VMs
• Project VNETs peered with the main VNET
• Secured by 2 Palo Alto NVAs
• Internet
• Project VNETs isolated from each other
• VNETs dedicated to each project
• RDP/SSH via jump VMs in the Intranet zone
- 30. Our « Service Catalog »
• Core services
• VMs (in mutualized infrastructure)
• Environment setup (VMs / software / networking / routing / …)
• Deployment (Azure provisioning and deployment; OS/container image build;)
• Governance : Backup, Log Analytics
• Mediation for « third party » services
• DNS (records in our dedicated zone: *.exp.xxx.yyyy.fr): mediate requests to the DNS
owner service
• Certificates (corresponding to the records above): mediate requests to the ISS
(security) service
• Other services
• « Consulting » : application architecture
- 31. Industrialization
• ARM templates
• adapt then reuse quick start templates
• use of linked templates working model
• standardize and reuse of linked
templates among projects
• Packer
• standardize OS images
• CI/CD with VSTS
• Build of OS or container images
• Deployment of containers
Packer JSON example, as stored in VSTS
- 32. Azure Services Used
• Azure Resource Manager
• Azure VMs
• several sizes used intensively (D_v2)
• Networking: VNET, Network
Security Groups, User Defined
Routes
• Intranet zone: all default routing
overridden
• Containers: Azure Container
Service, Azure Container Registry
• 1 Kubernetes cluster for a big
project
• Network Virtual Appliances: Palo
Alto (PAYG licence)
• Azure AD
• directory synchronized at the Group Level
• Azure Backup
• Log Analytics
• App Service Domains
• Azure DNS
• Azure Automation
• Currently experimenting:
• PaaS: SQL Database, Database for PostgreSQL
• Azure File Share, Azure File Sync
• Other : Packer, for OS Imaging
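To make the two egress controls in this story concrete (the forced-tunneling gap found on slide 20, and the Intranet zone of slides 28 and 32 where « all default routing » is overridden towards the Palo Alto NVAs), here is an added Python example. It is not part of the original deck and not Cellenza’s or the Customer’s tooling. It audits a route table in the JSON shape returned by `az network route-table show` (or an ARM `Microsoft.Network/routeTables` resource) to tell whether Internet-bound traffic is forced back on-premises, sent through an NVA, or leaks out directly, and it builds the Intranet-zone route table as an ARM resource. The NVA address 10.0.1.4, the on-premises prefix 10.0.0.0/8 and the sample tables are placeholder assumptions, not the customer’s configuration.

```python
"""Added example (not from the original deck): audit and build Azure UDRs.

Assumptions: input dicts follow the JSON shape of `az network route-table show`
(routes carry addressPrefix / nextHopType / nextHopIpAddress at top level) or of
an ARM Microsoft.Network/routeTables resource (same fields under "properties").
The NVA IP 10.0.1.4 and on-prem prefix 10.0.0.0/8 below are placeholders.
"""
import ipaddress

DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def _routes(route_table: dict) -> list:
    """Accept either az-CLI output or an ARM resource (routes under properties)."""
    props = route_table.get("properties", route_table)
    return props.get("routes", [])


def _fields(route: dict) -> dict:
    """ARM nests route fields under "properties"; az CLI flattens them."""
    return route.get("properties", route)


def classify_internet_egress(route_table: dict) -> str:
    """How Internet-bound traffic leaves a subnet associated with this table.

    Azure's system route sends 0.0.0.0/0 straight to the Internet unless a
    user-defined 0.0.0.0/0 route overrides it. No override means VMs egress
    directly and bypass the on-premises firewall: the gap fixed on slide 20.
    """
    for route in _routes(route_table):
        f = _fields(route)
        if ipaddress.ip_network(f["addressPrefix"]) != DEFAULT:
            continue
        hop = f["nextHopType"]
        if hop == "VirtualNetworkGateway":
            return "forced-tunnel"   # back over the S2S VPN to on-prem appliances
        if hop == "VirtualAppliance":
            return "nva"             # through the Palo Alto NVAs in Azure
        if hop == "None":
            return "blackhole"       # Internet egress dropped
        return "direct"              # explicit 0.0.0.0/0 -> Internet
    return "direct"                  # no override: the system route applies


def intranet_zone_route_table(nva_ip: str, onprem_prefixes: list,
                              name: str = "rt-intranet") -> dict:
    """ARM resource for the Intranet zone: every default route overridden so
    both Internet-bound and on-prem-bound traffic transits the NVA pair.

    Caveats: the NVA NICs need enableIPForwarding; BGP propagation is disabled
    so gateway-learned routes cannot bypass the appliances; and this table must
    NOT be associated with the NVA subnet itself, or the NVA's own traffic loops.
    """
    def route(rname, prefix):
        return {"name": rname, "properties": {
            "addressPrefix": prefix,
            "nextHopType": "VirtualAppliance",
            "nextHopIpAddress": nva_ip}}

    routes = [route("default-via-nva", "0.0.0.0/0")]
    routes += [route(f"onprem-{i}-via-nva", p) for i, p in enumerate(onprem_prefixes)]
    return {
        "type": "Microsoft.Network/routeTables",
        "apiVersion": "2018-11-01",
        "name": name,
        "location": "[resourceGroup().location]",
        "properties": {"disableBgpRoutePropagation": True, "routes": routes},
    }


# Constructed samples (not real customer data): the VPN-only table before and
# after the forced-tunneling fix, in az-CLI shape.
BEFORE_FIX = {"name": "rt-vpn", "routes": [
    {"name": "to-onprem", "addressPrefix": "10.0.0.0/8",
     "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": None}]}

AFTER_FIX = {"name": "rt-vpn", "routes": BEFORE_FIX["routes"] + [
    {"name": "forced-tunnel", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": None}]}

if __name__ == "__main__":
    import json
    print("before fix:", classify_internet_egress(BEFORE_FIX))   # direct
    print("after fix: ", classify_internet_egress(AFTER_FIX))    # forced-tunnel
    rt = intranet_zone_route_table("10.0.1.4", ["10.0.0.0/8"])
    print("intranet:  ", classify_internet_egress(rt))           # nva
    print(json.dumps(rt, indent=2))
```

Running `classify_internet_egress` over every route table in a subscription (and checking that each Intranet-zone subnet actually has a table associated, since a subnet with none gets the system routes) turns the one-off finding from slide 20 into a repeatable check. The ARM builder is the piece that would be standardized as a linked template in the industrialization step of slide 31.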
- 33. Governance : Project Onboarding and Management
• Prerequisites
• security pre-qualification (data
classification, flows, …)
• technical architecture document (DAT)
required if complex project
• PROCESS
• Onboarding
• gather requirements
• elaboration
• « official response »
• Implementation
• per segment : provision, configure, build,
deploy, request third party services, aggregate
response
• delivery
• Lifecycle monitoring
• Unprovisioning
Project Onboarding Process
- 34. Governance
• Platform evolution
• Updates, patches
• Complementary services
• New services added
• Tooling usage
• VSTS
• Work, Build, Release
• Planner
• Dashboard
• O365 Group
• SharePoint
• Excel
• DevOps
• Used internally for own
processes
- 35. Team Organization
• TEAM « EXPerimentation Projects on Azure » (EXP Azure)
• Team formed of :
• 1 Team Lead / Azure Expert
• 1 Project Manager (infrastructure integrator)
• 1 Infrastructure Architect / Azure Expert
• 1 System Engineer
• Associated :
• 1 Security Expert from ISS
• 1 Technical Architect from EOS
- 36. Agility
• Scrum methodology,
adapted
• Tooling : VSTS
• 2 weeks sprints
• 2 « epics » :
• projects
• platform governance and
evolution
• Features = Projects
• Product backlog items
• Tasks
Scrum management in Visual Studio Team Services
- 38. Moving to a new, larger team and scope
• A new team structure is built on top
• Will include roles:
• Service Catalog Owner
• Cloud Operations Engineer
• Cloud QA Lead
• Will expand the workforce on existing roles:
• System Engineer
• Cloud Architect
• More integration with existing IT
services (build, production)
• More responsibilities
• More projects onboarding
• More production oriented
• Richer Cloud offering
• More services delivered
• Identity and Authentication
• DNS ownership
• More PaaS, Serverless, …
- 39. Synergy with the Group
• The synergy with the Group will be essential and strategic
• Azure Production workloads to be pushed to the Group Managed
Services and Operations
• Keep Experiments responsibility and autonomy
• Integrate with ExpressRoute infrastructure
• Deploy projects with a faster interaction with the core IT system
• Share more of our knowledge
• Our technological advance may influence decisions and choices at the
group level
- 40. Diffusion : Culture of Cloud and Agility
• The results of the EXP Azure team are
progressively diffused in the
organization
• The DevOps and automation practices
applied internally are also propagated
• The Agile process shows other teams
a much faster delivery process
• The other teams will start integrating
some of EXP Azure experiences
- 42. The Cloud
The Cloud
…is not (anymore) a taboo subject
even in the public sector
…proves to be a strong
innovation driver
…may be the way of developing
DevOps and Agility adoption
- 43. Our role in the success of our customers
There is no success in the Cloud:
• Without strong technical competency
• Without maturity and experience
• Without a Team
This is where we come into play.
- 44. Thank you,
• Picture references
• NG/MATTHEW G. WHEELER, VIA RAIL CANADA
• GLACIERBAYALASKA.COM
• PINTEREST
• IBC SYSTEMS
• CIO.COM
• SNCF
• SNCF RÉSEAU
• TRACKINTELLIGENCE.COM
• SHUTTERSTOCK
• PIXABAY
• CHILDREN’S MINISTRY LEADER
• WIKIPEDIA
Editor's Notes
- The IT department of the Customer encompasses the implementation and operation of a large number of business or technical applications
It includes many professions, mostly IT-oriented: infrastructure engineers, architects, technicians, and so on
It relies heavily on outsourcing various tasks like managed services, operations, production, expertise, or consulting to external companies (mostly via service and competency centers)
Some services of the internal organization:
Engineering Operations and Service (EOS)
Production Service
Information Security Service (ISS)
Infrastructure Project Management
- Owns a number of Data Centers hosting currently the infrastructure the applications
The whole infrastructure is known as The Information System (IS)
As The Customer joined The Group, their infrastructure’s networks got interconnected
Today, a user of the IS can connect to a service within the Group’s infrastructure, and vice versa
However, various elements of the infrastructure (like networking appliances, identity systems, tooling, and so on) are different
Also, there are differences in governance and procedures
For the Customer and for the Group, there are very important security concerns and restrictions (due to their strategic activity)
- Looking closely at the advancements of the main actors in the public Cloud: Microsoft Azure, Amazon AWS
It seems that the Cloud may be the gateway
« Let’s try and see how it works and how it could help us »
Key factor: onboard the Information Security Service (ISS) team from the very beginning
This ensures there will not be [too many] roadblocks on the way
[TODO: goodwill of the CIO / IT Officer]
- Requesting an Azure agreement via The Group
An Azure subscription was provisioned
The ISS team was the one using an Azure Subscription (fall 2016)
Several basic deployments were made, and a site-to-site VPN connection was attempted
The first learnings:
some projects need to be interconnected with the IS
others need rather to be separated/isolated from it (risky or unknown stuff running)
Then, the advancements and works slowed down
Also, the VPN was malfunctioning
- The EOS engaged to initiate a dedicated Azure team
Team directly attached to the chief of EOS
2 people, Azure experts, with knowledge in infrastructure, networking, security, and governance
Not easy task, but people were found (at Cellenza)
- First thing first: the VPN was fixed
Not a big issue: the configuration was mostly good, but it was missing a « keep alive » option while no traffic flows (« Dead Peer Detection » set at 10s on the local Juniper appliance)
Second thing (during the work on the first): a « security hole » was detected (and solved)
The « forced tunneling » setup was envisioned but missing from the configuration
Results:
The team gains the Customer’s confidence
The Networking team is also very cooperative
- Enthusiastic about the progress, the Customer envisions moving further into the Cloud and eventually targeting production workloads
Blocker: the Group strategy is not yet in phase with the Customer’s regarding the Cloud
The Group warns about production responsibility in the cloud
Result: agreement on an « experiment oriented » scope for the Customer’s Cloud works
- VNET w/ VPN: because of the forced tunneling, all traffic in Azure now has to be monitored and configured in the local appliances (Palo Alto)
The existing process of configuring the rules for projects takes days or weeks
Solution: a set of 2 Network Virtual Appliances (Palo Alto) was configured and implemented in Azure
They now allow the rules to be configured directly by the Azure team jointly with the ISS
- by this, interconnected with the whole Group