
Simplifying Cloud Adoption Framework with Examples

As technology evolves, businesses and organizations are increasingly adopting cloud computing to improve their operational efficiency, enhance scalability, and reduce costs. However, cloud adoption can be a complex process that requires a clear understanding of the different phases and best practices for success.

A Cloud Adoption Framework (CAF) is a methodology that provides a structured approach to guide businesses and organizations through the process of adopting cloud computing. The CAF helps organizations to develop a roadmap, identify potential risks, and plan a successful cloud migration.

There are six phases in the Cloud Adoption Framework:

Strategy: In this phase, the organization defines its cloud strategy, including goals, objectives, and business outcomes. The strategy should also outline the organization's overall cloud adoption vision, including the types of services to be used and how they will be managed.

Example: An e-commerce company that is expanding its operations globally might decide to adopt a cloud strategy that prioritizes agility and scalability to support the rapid growth.

Plan: This phase involves assessing the organization's current IT environment and identifying the workloads that are suitable for migration to the cloud. The plan should also include an assessment of the organization's cloud readiness and a roadmap for cloud migration.

Example: A healthcare provider may plan to migrate patient data from an on-premises database to a cloud-based electronic medical record (EMR) system, while ensuring compliance with regulations such as HIPAA.

Ready: In this phase, the organization prepares for cloud adoption by developing the necessary skills, processes, and tools. This includes training employees, developing governance policies, and ensuring that the organization's security and compliance requirements are met. A landing zone is then deployed accordingly for the migration or modernization.

Example: A financial services company might invest in training employees on cloud security best practices and implementing a security and compliance framework to ensure that customer data is protected.

Adopt: This phase involves migrating workloads to the cloud and ensuring that they function as expected. The organization should monitor and optimize the performance of its cloud infrastructure and services, while also managing costs.

Example: An education institution might migrate its student information system to the cloud to improve accessibility and scalability while also reducing costs associated with maintaining an on-premises infrastructure.

Govern: This phase involves managing the ongoing operations of the cloud environment, including monitoring performance, optimizing costs, and ensuring compliance with security and governance policies.

Example: A government agency might implement a cloud governance policy that includes regular compliance audits, security assessments, and risk management processes.

Manage: In this final phase, the organization continuously manages its cloud environment to ensure that it meets its business needs and objectives. This includes optimizing costs, improving performance, and scaling resources as needed.

Example: A retail company might regularly review its cloud infrastructure usage to identify cost savings opportunities, optimize performance, and scale resources to meet increasing demand during holiday shopping seasons.


Measurement of Successful Outcomes:

To measure the success of a cloud adoption initiative, organizations should establish metrics that align with their cloud adoption goals and objectives. Some common metrics to measure the success of cloud adoption include:

Cost Savings: Organizations can measure the cost savings achieved through cloud adoption by comparing the costs of maintaining on-premises infrastructure with the costs of using cloud services.

Agility: Cloud adoption can enable organizations to respond to changing business needs more quickly. Agility can be measured by tracking the time it takes to deploy new applications or services.

Scalability: The ability to scale resources up or down as needed is a key benefit of cloud adoption. Scalability can be measured by tracking the use of cloud resources over time.

Security: Cloud adoption can improve security by providing access to advanced security features and technologies. Security can be measured by tracking compliance with security policies and regulations.

Performance: Cloud adoption can improve application and infrastructure performance. Performance can be measured by tracking application response times.

Well, this is a very brief introduction to CAF, and I am sure it will help you start your journey to deep dive into CAF. All hyperscalers have their own adoption frameworks, and I might be biased, but in my experience MS has the best documentation. Happy learning!

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/


Migration to Cloud - CutOver Steps - Overview


It's been a while that I have been doing migration scoping and planning along with cloud implementation design and deployment. While performing migrations, the important and crucial part is the cut-over, so here I have consolidated the steps for cut-over.



Scenario: What I have assumed here is web servers running on VMware or on-prem that we have to migrate to Azure or any other cloud, using ASR or any block-level or image-level replication tool such as RiverMeadow.



Design – As per my scenario, we are keeping the existing domain and migrating the application and DBs to the cloud. Below are the steps you need to take into consideration -



  • Extend the domain to the Azure VM.
  • Set up the replication infrastructure: for ASR we deploy a Config server or Master target server, and in the case of other tools like RiverMeadow we deploy a cloud appliance. This step depends on which tool you are using to perform replication.
  • Replicate the VMs to the cloud, using an NSG to stop their communication with AD.
  • Once replicated, change the name and remove the VM from the domain.
  • Restart the VM and add it to the domain after allowing communication to AD.
  • For the DB, I assume we are using PaaS SQL and have used DMA for the migration.
  • Once everything is migrated to Azure (we call this the initial sync), we provide the infrastructure to the customer for modifications to IIS or any other configuration, as IPs are going to change, etc.
  • Once we have the go-ahead, we plan for the cut-over.




Cut-Over: This is the time when we divert the application URL to point to the Azure VM rather than on-prem, and shut down the on-prem servers once testing is successful.


  • As soon as the initial sync is done and everything is configured on the Azure VM, the infrastructure is provided to the customer.
  • The customer then tests the applications, accessing the servers from those public IPs. (As per the requirement, here we are taking the example of a public website.)
  • Once tested, we get the go-ahead for the cut-over date and time.
  • The customer lowers the DNS TTL for the public domain names to 5 minutes. This happens one day prior to cutover.
  • At cutover time, the differential sync needs to run and testing needs to be performed again (downtime).
  • Once tested, the customer changes the DNS records for the public domain names to resolve to the public IP addresses of the new servers.
  • The customer retests the applications.
  • Once tested, we open the firewall on port 443 to each of the new public IPs, allowing access from all addresses. Until then, only testers are allowed to access the application over 443.
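The two DNS steps above (TTL lowered to 5 minutes the day before, records repointed at cutover) can be checked mechanically. The following is an added example, not part of the original post; the host names, addresses and sample answer lines are constructed placeholders in `dig +noall +answer` format.

```python
# Constructed sample: answer lines in `dig +noall +answer` format.
# Names and addresses are documentation placeholders, not values from the post.
BEFORE_CUTOVER = """\
www.example.com.   3600 IN A 198.51.100.20
shop.example.com.  300  IN A 198.51.100.21
"""
AFTER_CUTOVER = """\
www.example.com.   300 IN A 203.0.113.10
shop.example.com.  300 IN A 198.51.100.21
"""
# Assumed mapping of public names to the new cloud public IPs.
NEW_IPS = {"www.example.com.": "203.0.113.10",
           "shop.example.com.": "203.0.113.11"}
MAX_TTL = 300  # the 5 minutes the post asks for


def parse_answers(text):
    """Return {name: (ttl, address)} for the A records in dig-style lines."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] == "A":
            records[parts[0].lower()] = (int(parts[1]), parts[4])
    return records


def ttl_not_lowered(text, max_ttl=MAX_TTL):
    """Day-before check: names whose TTL is still above the cut-over value."""
    return sorted(n for n, (ttl, _) in parse_answers(text).items()
                  if ttl > max_ttl)


def not_repointed(text, new_ips=NEW_IPS):
    """Post-change check: names missing or not yet resolving to the new IP."""
    seen = parse_answers(text)
    return sorted(n for n, ip in new_ips.items()
                  if seen.get(n, (0, None))[1] != ip)


if __name__ == "__main__":
    print("TTL still too high:", ttl_not_lowered(BEFORE_CUTOVER))
    print("Not repointed yet: ", not_repointed(AFTER_CUTOVER))
```

Take the answer lines from the zone's authoritative name server: a recursive resolver reports the remaining cache lifetime, which counts down and can hide a TTL that was never lowered.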



Once everything is working as expected, a few steps are needed to wrap up the task.

 Move the FSMO roles to the Azure VM hosting Windows AD.

 Remove the AD role and shut down the VM and other on-prem servers gracefully.


Azure Firewall - Demo


In the last post we discussed what Azure Firewall is and the features it provides. Today we are going to perform the demo “deploy and configure Azure Firewall”.

Azure Firewall controls outbound network access, which is an important part of an overall network security plan. Azure Firewall controls that traffic through two kinds of rules: -

·        Application Rules – define FQDNs that can be accessed from a subnet.
·        Network Rules – define source address, protocol, destination port and destination address.


Now, to deploy and configure the Azure Firewall demo, let's create the required lab:

·        Create Resource group
·        Create Virtual Network
·        Create 3 subnets – one for Azure Firewall, one for the jump server and one for workloads.
·        Create a VM in the jump subnet and in the workload subnet
·        Create Firewall
·        Configure Network and application rules
·        Create route
·        Configure route tables
·        Perform the testing


Let's start by creating a VNet in East-us2, as shown in the configuration snippet below -


In the above snippet you can see that I have created one VNet and 3 subnets in the East-us2 location under Arun.RG.
An important thing to notice: Azure Firewall needs its own separate subnet, just like a gateway or other NVAs, and the subnet name should be AzureFirewallSubnet.


Now we need to spin up two VMs, one as the jump server and the other as a workload VM, which will help us test the firewall rules.

Jump server - Windows Server with an NSG that allows RDP, and with a public IP.

Workload server - Windows Server with no inbound RDP rule and no public IP.

I am assuming you are trained to create VMs and VNets, hence I am skipping those initial steps. All you need to make sure of is the settings that I provided for both servers along with their subnets. We will, however, discuss all the settings of the Azure Firewall creation.

As you can see, I have 2 VMs in the running state -




Now navigate to Create a resource, search for Firewall and click Create, as shown below -





Once you hit Create, the window below appears, where you need to provide all the information it asks for:-


·        Resource Group
·        Name of the Azure Firewall
·        Region
·        Virtual Network
·        Subnet
·        Public IP






The important things to keep in mind are that the subnet name must be "AzureFirewallSubnet" and that the public IP it creates is static. Once you have configured everything as per the requirement, selecting the right region and VNet, the firewall looks like this after creation.





Copy the firewall's private IP, as you need it to update the route table.

Now navigate to Route Table and click Add. It asks for very basic information, as shown in the snippet.




Once the route table is created, click Routes under Settings and add a route. Give the route a name and provide the following -

Address prefix = 0.0.0.0/0, which means all traffic, i.e. the internet.
Next hop type = select Virtual appliance
Next hop address = private IP of your Azure Firewall





Now that the route is created, we need to associate the route table with a subnet. Here we associate it with the prod-subnet, where all the workloads live; whenever they try to reach the internet, they are redirected to the firewall.






Now let's go to the firewall again and set the network and application rules. To configure the rules, navigate to the Azure Firewall; under Settings you will find Rules, and on the right-hand side you have Network rule and Application rule.


Click on Application rule, click Add and configure it as shown below -
Priority: 200
Action: Allow
Target FQDN :
Name : Allow-Google
Source Address : 10.0.2.0/24
Protocol:port = Http:80,Https:443
Target FQDNS: www.google.com





Now click on Network rule collection, click Add and configure it as shown below -

Priority: 200
Action: Allow
IP Address
Name: Allow-DNS
Protocol: UDP
Source Address: 10.0.2.0/24
Destination Address: 209.244.0.3,209.244.0.4





Now both rules are configured and we are good to test. To perform the testing, log in to the jump server, RDP to the workload server and try to browse google.com and microsoft.com. The snippet below confirms the testing.






Google.com works, as it is allowed, but Microsoft doesn't, as it is not allowed, and even the error says the same thing.
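The test result follows from how the two rule collections are evaluated: network rules first, then application rules, and anything unmatched is denied. The following is an added example, not from the original post and not Azure's own code; it is a simplified model of that order using the rule values above, and the DNS destination port 53 and the test source addresses are assumptions the post does not state.

```python
import ipaddress

# Rule collections as configured in the post. Destination port 53 is an
# assumption (the post does not list a port for Allow-DNS).
NETWORK_COLLECTIONS = [
    {"priority": 200, "action": "Allow", "rules": [
        {"name": "Allow-DNS", "protocol": "UDP", "sources": ["10.0.2.0/24"],
         "destinations": ["209.244.0.3", "209.244.0.4"], "ports": [53]}]},
]
APPLICATION_COLLECTIONS = [
    {"priority": 200, "action": "Allow", "rules": [
        {"name": "Allow-Google", "sources": ["10.0.2.0/24"],
         "protocols": {"Http": 80, "Https": 443},
         "fqdns": ["www.google.com"]}]},
]


def _in_any(ip, prefixes):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def _net_match(rule, flow):
    return (flow.get("dst_ip") is not None
            and rule["protocol"] == flow["protocol"]
            and flow["port"] in rule["ports"]
            and _in_any(flow["src"], rule["sources"])
            and _in_any(flow["dst_ip"], rule["destinations"]))


def _app_match(rule, flow):
    fqdn = (flow.get("fqdn") or "").lower().rstrip(".")
    return (rule["protocols"].get(flow["protocol"]) == flow["port"]
            and _in_any(flow["src"], rule["sources"])
            and fqdn in rule["fqdns"])


def evaluate(flow):
    """Return (action, rule name): network rules first, then application
    rules, lowest priority number first; deny when nothing matches."""
    for collections, match in ((NETWORK_COLLECTIONS, _net_match),
                               (APPLICATION_COLLECTIONS, _app_match)):
        for coll in sorted(collections, key=lambda c: c["priority"]):
            for rule in coll["rules"]:
                if match(rule, flow):
                    return coll["action"], rule["name"]
    return "Deny", "default"


if __name__ == "__main__":
    for host in ("www.google.com", "www.microsoft.com"):
        flow = {"src": "10.0.2.4", "protocol": "Https", "port": 443, "fqdn": host}
        print(host, evaluate(flow))
```

Replaying planned rule changes against a list of expected allow and deny flows in this way catches a rule that is scoped to the wrong subnet before it reaches the firewall.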






FinOps Vs Cost Optimization

 Here's the detailed comparison clearly structured in pointers FinOps Vs Cost Recommendations: Aspect 1: Scope and Approach FinOps: H...