General Manager & Partner, Avalego
Microsoft Regional Director & Azure MVP
Before we begin
Click on the image to enlarge
Now we will focus more on getting the peace of mind while the workloads are running on Azure.
We will discuss what Managed Services on Azure and Microsoft 365 technically mean, what are the things a managed services provider or an internal IT operations (DevOps, IT) team should do proactively, focusing on aspects like:
- Azure governance,
- cost control,
Why Peace of Mind?
The real question is:
While your solutions are running in Azure, is there anything you should be doing for your peace of mind?
Or in other words, isn’t the Cloud supposed to (maybe magically) take care of your software solution out of the box?
The simple answer is while the Cloud offers us a lot of technology which makes IT operations much easier, especially under the Platform as a Service (PaaS) and Serverless offerings, it doesn’t mean that we don’t have to do anything anymore.
During our interactions with large organizations that we’ve helped in the past years to migrate to the Microsoft Cloud (Azure and Microsoft 365), we have discovered the best practices needed for good maintenance.
We have built those best practices in a set of services that we call “Peace of Mind (as a Service)”.that include proactive and reactive measures. And in this article, I will discuss the proactive actions we usually take. The reactive actions I am referring to are the usual SLA-based support activities any managed services provider, or IT team already knows about.
Those proactive best practices and actions are grouped into 5 different categories:
- Access and Users Experience
- Analytics and Monitoring
- Governance and Security
- Performance and Cost Optimizations
- Feature Usage and Roadmap
Further on, we will explore a few of them.
Access and Users Experience
There isn’t much to say here since the title is quite self-explanatory. What is worth mentioning is that there are specific techniques and tools related to authentication and authorization in Azure and Microsoft 365, which should be used properly to get the maximum benefits in a lot of areas, not only security but also cost control and monitoring for example.
This category of actions deals with:
- Role Based Access Control
This is how authorization on Azure resources, Resource Groups and Subscriptions should be done. One should make sure the right people or groups (from Azure Active Directory) have the right access to the right grouping of resources. This can have a tremendous impact not only on security, but also on resources’ organization (avoiding chaos, like a person without the right access being able to delete a resource), and cost control (restricting people which should not be able to create resources in a certain Subscription).
- Multi-Factor Authentication
Enforce some conditional access policies, e.g. enforce MFA for some users.
And this list is not an exhaustive one, but more like just a glimpse.
Governance and Cost optimizations
In general, governance can mean a lot of things, but we are thinking mainly of:
- Resources organization
- Resources security
- Cost control and optimization
For resources organization, we have to start from understanding the relationships between Tenants, Subscriptions
A customer with an Office 365 tenant (domain) will have an associated Azure Active Directory, and an associated Azure tenant. The directory in Azure is the same as the directory in Office 365: Azure AD. All the other Office 365 services (Exchange Online, SharePoint Online, etc.) are using Azure AD for authentication and authorization.
An Azure Subscription is usually a cost center or part of a cost center (in a larger grouping of Subscriptions). There is also a way to group more Subscriptions in a Management Group, for even better organization.
Why is this grouping of resources relevant? Because you can apply your governance conditions, for example using Azure Policies, at the scope that you choose: at a Management Group, or Subscription, or Resource Group. An example would be to limit the types of VMs that can be created in a Management Group (a collection of Subscriptions). Or to limit the VMs in a Subscription to a specific Azure region.
Another advantage of
- Cost centers (e.g. Subscriptions or Management Groups)
- Usually, a Resource Group contains the resources with together make up a solution (with the exception of course when a solution uses resources that might be shared with other resources).
- Type of resources, for example, resources used for testing, or by a certain user.
So cost control is crucial, especially in a pay-as-you-go type of Azure consumption. And it starts with proper allocation and grouping of resources.
Another thing is cost optimization. It can be done through a combination of, at least:
- Specific features like Azure Automation, DevTest Labs
Setting up Policies like allowed VM types or resource types in general. They can be applied per Resource Group, Subscription, or Management Group.
You can configure Azure alerts (from the Azure portal) like:
- When a costly (you define what costly means for you) resource is created.
- Showing orphaned resources – in combination with some custom code done with Azure Functions or Azure Automation. This is a very typical cost drain: expensive resources which are not being used anymore.
Or you can define cost/budget related alerts, such as when you’ve reached a spending limit, per resource group or per resource type.
You can easily define autoscaling rules, so the infrastructure needed by your solution scales up or down, exactly as needed. Autoscaling can be applied easily (from the Portal or through scripting) for many
Managing workloads in Microsoft Cloud is done differently than on-premises.
There are proven ways and best practices for Managed Services on top of the Microsoft Cloud, and while developing our Peace-of-Mind service offerings we made sure we incorporate pretty much all of them. For more information about our services around these technologies, browse our website.
For more in-person, in-depth information about this particular topic, you can register for free at for the next edition of our annual Cloud Conference.
If you are interested to explore more on this topic, Mihai talks about how should companies approach Cloud and the best way to migrate the workloads to PaaS in a video series available here.