Hybrid Cloud Infrastructure Solution for Enterprise IT - Scenario Definition

Published: August 23, 2013
Version: 1.1
Abstract: This article defines a scenario for a fictitious company and the requirements that company defined for its new hybrid cloud computing infrastructure. These requirements drove the design decisions that ultimately defined the hybrid cloud infrastructure implementation. This article is part of the Hybrid Cloud Infrastructure Solution for Enterprise IT guidance set.


Table of Contents

1.0 Introduction
2.0 Organizational Overview
3.0 Problem Definition
4.0 Envisioning
       4.1 Solution Definition
       4.2 Solution Requirements
5.0 Implementation Strategy
6.0 Summary


When the contents of this article are updated, the version is incremented and changes are entered into the change log. The online version is the current version.

This article includes discussion of solution and public cloud infrastructure service provider requirements, and therefore does not include references to specific technologies.  Separate articles within this article set discuss the technologies that were selected and implemented to meet the requirements defined in this article.

1.0 Introduction

This article is one of several articles that are included in an integrated article set called the Hybrid Cloud Infrastructure Solution for Enterprise IT. If you haven’t already done so, read the Overview article in the article set before this one: it introduces the article set as a whole, the problem domain for the solution, the audience it is written for, and the articles it contains.

This article describes a fictitious enterprise IT organization that integrated resources from a public cloud provider with its private cloud infrastructure to enable a hybrid cloud environment. It details the organization’s original IT environment, the business problems they needed to solve, the solution requirements they defined, and the environmental policies and constraints that drove the design of their solution.

Many organizations will find that they have a similar environment with similar requirements and constraints as the organization discussed in this article. This article is most helpful to those responsible for evaluating and selecting public cloud service providers and integrating resources from public cloud service providers with their own private cloud resources.

2.0 Organizational Overview

Contoso is a manufacturing company. It has a main office and several regional offices that are located all over the world.  The regional offices connect to local branch offices. The figure below shows a high level depiction of Contoso's site infrastructure and the connections between the sites.

[Figure: high-level depiction of Contoso's site infrastructure and the connections between the sites]

The IT department had been implementing and maturing its service management processes and had recently started evolving its infrastructure from disparate hardware and software with little automation to a more standardized private cloud infrastructure that would facilitate greater automation for them in the future.  They had used the Cloud Infrastructure Solution for Enterprise IT article set when they started their journey to a private cloud infrastructure.

 

3.0 Problem Definition

Contoso's IT consumers were becoming increasingly dissatisfied with both the cost of the IT services provided by their IT department, as well as how long it took the IT department to provide new IT capability to them. The management team knew how quickly resources could be provisioned with public cloud service providers, but they also knew that they would not be able to provide new IT capability to consumers on their new private cloud infrastructure as quickly for some time.  

Though they had recently started their private cloud infrastructure implementation, it would be several months before they were able to provision new IT capability as quickly and automatically as they planned due to the time it was taking them to establish and fully implement their processes and automation. To add to this, the Contoso IT management team knew that it was running out of datacenter space and that 25% of its hardware was reaching end-of-life status next fiscal year.  Adding more data center space and replacing servers would increase its cost to provide IT capability even further.

The management team had read Microsoft's The Economics of the Cloud whitepaper. While the management team didn't have enough data to determine whether or not its own cost to operate IT resources was up to ten times more than operating the same IT resources with a public cloud service provider as was presented in the paper, it did suspect that it could operate some of its IT resources for less than the cost of building a new datacenter and replacing its end-of-life hardware. The potential cost savings, coupled with the faster provisioning of IT resources with a public provider, caused them to create a project team to define:

  1. Scenarios for which it might use a public cloud infrastructure service provider
  2. The effort required to integrate resources from a public cloud provider with its private cloud resources
  3. A low-risk application to migrate to a public cloud service provider that would enable the organization to familiarize itself with both the public cloud service provider and the technology necessary to integrate with a public provider 

The management team also expected the project team to configure the necessary infrastructure integration, and complete the migration of the low-risk application to the public cloud service provider. Upon project completion, the management team would evaluate its actual costs, and if it truly proved cost-effective, it would define plans to move more applications to the public cloud infrastructure service provider.

 

4.0 Envisioning

After the project team was created, it immediately started to define a solution to Contoso's problems.

4.1 Solution Definition

Though the project team knew that it would initially migrate only one application to a public cloud provider and establish basic infrastructure integration between its private cloud and the public cloud provider, it also knew that if all went well, it would likely move additional applications to the public provider in the future.  Given this, the project team defined the following high-level usage scenarios:

  • Host line of business applications where and when possible
  • Enable disaster recovery scenarios where and when possible
  • Support lower-cost storage and archival

The project team then defined the following high-level short and longer-term goals:

  • Set up organizational-level account and billing with an external provider of cloud infrastructure services, so that its consumers don’t do so at an individual level with personal accounts that they retain when they leave the organization.
  • Allow its consumers to provision new virtual machines with the public cloud provider whose capabilities are as close as possible to those of the virtual machines provided on its private cloud.
  • Allow its consumers to move existing applications that run on the organization’s private cloud into a public cloud infrastructure as a service (IaaS) offering.
  • Allow consumers of applications in the organization to resolve names and authenticate to resources that are running on the public cloud provider’s infrastructure, just as they do with resources that are running in their private cloud.
  • Enable core security, data access controls, business continuity, disaster recovery, availability and scalability requirements.
  • Enable "same sign-on" to both the portal and migrated applications.
  • Provide secure network access between on-premises resources and resources at the public cloud infrastructure service provider.

Next, the project team defined the following goals for their pilot project:

  • Identify and migrate an existing, low-risk, low business impact line of business application to the public cloud infrastructure service provider
  • Configure the foundational infrastructure integration to enable migration of the application
  • Migrate the application to the public provider

The project team members quickly identified the company's time card application as their migration candidate.  This was a fairly simple application into which employees entered the vacation and sick days that they had used.  It contained low business impact information and did not maintain any personally identifiable information, so Contoso's IT department thought it made a good pilot migration candidate. The project team used the Cloud Services Foundation Reference Model (CSFRM) as a framework for identifying detailed project requirements in their environment.

Since Contoso wanted to select a public provider that could meet both its short and longer-term goals, it used its detailed requirements to select a public cloud provider.  Accordingly, the team aligned the requirements to the CSFRM subdomains, and then, within each subdomain, first divided the requirements into the following categories:

  • Public cloud provider requirements:  Though Contoso was starting its hybrid infrastructure project with a small solution, it knew the other cloud usage scenarios it expected to utilize in the future.  Therefore, when selecting a provider, Contoso wanted to ensure that the provider met the requirements for both its short-term pilot solution, and the other usage scenarios it planned to utilize the provider for longer-term.  The requirements that you'll find listed in this section include relevant requirements for the provider pilot project solution.
  • Provider pilot project solution requirements:  These requirements were specific to the time card application that the project team identified as part of its pilot, and were a subset of the broader public cloud provider requirements.  As a result, only the subset of the public cloud provider requirements that are unique to the application are listed in these sections.

Within the two categories of requirements, Contoso IT further divided its detailed solution requirements into groupings that aligned to the CSFRM components within each CSFRM subdomain.  These requirements are listed in the remaining sections of this article.

4.2 Solution Requirements

The requirements listed below are Contoso’s final requirements. The project team arrived at them only after defining an initial list and then adjusting it to incorporate lessons learned from several rounds of design trial and error. The requirements were defined to align with Contoso's existing environment, in terms of existing technical capabilities, services, constraints, policies, and processes.

Since Contoso hadn't utilized resources from public cloud providers prior to the start of this project, the project team members first read the Hybrid Cloud Infrastructure Design Considerations article, which helped them better understand the various design considerations that were applicable to designing hybrid cloud infrastructure before they started defining their own requirements. 

All requirements in the following sections are aligned to the applicable subdomains and components of the CSFRM.

4.2.1 Service Delivery Requirements

Before integrating public cloud services with its existing private cloud, Contoso identified the following requirements, which were based on its existing IT environment and the needs of its consumers. The requirements are aligned to the CSFRM Service Delivery components. As mentioned previously, the requirements below are Contoso's final requirements.  The team had started the project by defining an initial list, found that some requirements conflicted with others, and eventually arrived at the final list below.

In Contoso's pilot phase they had only a single consumer with a single application, which simplified their service delivery requirements due to the limited scope of the pilot phase. Contoso IT will define unique service delivery requirements for each application that it migrates to the public cloud provider in the future.

4.2.1.1 Public Cloud Provider Requirements

Capacity Management

  • Able to support scaling to an almost infinite number of virtual machines as demand increases
  • Able to support up to 100 Mbps bandwidth to Internet-facing servers
  • Able to support up to 100 Mbps bandwidth across the connection between the provider's network and the on-premises network

Availability and Continuity Management

  • Able to ensure uptime of at least 99.9% for the service components deployed at the public cloud provider
  • Provide a service level agreement (SLA) that includes financial penalties if the uptime requirement is not met in any specific month

Information Security Management

  • Provide a mechanism to secure the connection between any Internet-based client and any service components contained within the provider's network that accepts those connections
  • Provide a mechanism to secure the connection between the provider's network and the on-premises network

Regulatory Policy and Compliance Management

  • Support the capabilities and processes required to meet some of Contoso's regulatory and compliance needs.  This is a requirement that Contoso expects to evolve over time as the regulatory and compliance policies that it must comply with evolve. 

Financial Management

  • Provide a consumption-based billing capability
  • Support the segregation of billing accounts and service management accounts

4.2.1.2 Provider Pilot Project Solution Requirements

Capacity Management

  • Support up to four front-end web tier servers
  • Support up to 10 Mbps bandwidth to the front-end web tier servers
  • Support up to 20 Mbps bandwidth between the front-end web tier servers and the back-end database tier servers

Availability and Continuity Management

  • Ensure uptime of at least 99.9%

Information Security Management

  • Secure the information exchanged between the front-end web tier servers and client browsers using SSL/TLS
  • Secure traffic between the front-end web tier servers and the back-end database servers using an IPsec-based security protocol

Financial Management

  • Provide a chargeback mechanism that enables Contoso IT visibility into the separate charges they incur for bandwidth, storage and compute
  • Allow Contoso IT to create a financial management account that has no access to the virtual machines contained within the provider's network; the management account must have access only to the provider's financial billing and cost reporting sites and information

4.2.2 Service Operations Requirements

Contoso has a variety of operational processes that are applied to the delivery of all services and technical capabilities within its environment. As a result, it had requirements for how the hybrid cloud infrastructure must apply to and comply with their operational processes. The requirements are aligned to the CSFRM Service Operations components.

4.2.2.1 Public Cloud Provider Requirements

Request Fulfillment

  • Provide provisioning application programming interfaces (APIs) or another integration mechanism that allows Contoso to integrate its private cloud self-service capability with the provider's provisioning capability

Access Management

  • Support identity integration with Contoso's on-premises Active Directory identity repository for management access control so as to enable same sign-on with on-premises identity management systems
  • Support identity integration with Contoso's on-premises Active Directory identity repository for access management for the application deployed into the hybrid cloud infrastructure
  • Allow different levels of access for the account managers and the service administrators. The account manager should not have automatic access to the public side of the hybrid cloud infrastructure management and configuration interfaces.

Asset and Configuration Management

  • Enable assets on the public side of the hybrid cloud infrastructure to be manageable through on-premises Group Policy settings

Systems Administration

  • Support administrators of the public cloud components only; this makes it possible to assign users as administrators of the public cloud infrastructure components while not enabling them to manage the on-premises components of the hybrid cloud infrastructure

Change Management

  • Provide logs that show what changes have been made to the infrastructure on the provider's end

Knowledge Management

  • Provide a knowledge base that Contoso's help desk personnel can use when taking calls from consumers of the hybrid cloud infrastructure

Release and Deployment Management

  • Provide pre-configured operating system images for virtual machine deployment
  • Provide simple, graphical deployment mechanisms that can be used to deploy new virtual machines
  • Provide command-line methods to manage services that support automation
  • Support the ability to upload on-premises operating system images for the creation of new virtual machines

Incident and Problem Management

  • Must provide support options that range from no-cost options to different levels of paid support

4.2.2.2 Provider Pilot Project Solution Requirements

Request Fulfillment

  • None, as during the pilot phase, Contoso will use its current web-based self-service capability and it will provision resources at the public provider on the consumers' behalf.  In future phases, it plans to integrate its self-service capability with the public cloud provider to enable fully automated deployment of public cloud resources.

Access Management

  • Support identity integration with Contoso's on-premises Active Directory identity repository for management access control so that identity management for the hybrid cloud infrastructure can be done through the on-premises identity management systems
  • Support identity integration with Contoso's on-premises Active Directory identity repository for access management for the application deployed into the hybrid cloud infrastructure so that identity management for the hybrid cloud infrastructure can be done through the on-premises identity management systems
  • Allow different levels of access for the account managers and the service administrators

Asset and Configuration Management

  • Configuration management: enable configuration management of the virtual machines through on-premises Group Policy
  • Asset management: none, as asset management (of the virtual machines hosted by the public cloud infrastructure service provider) will be done on a manual basis during the pilot

Systems Administration

  • Support administrators of the public cloud components only; this makes it possible to assign users as administrators of the public cloud infrastructure components while not enabling them to manage the on-premises components of the hybrid cloud infrastructure

Change Management

  • Log files must be made available that show events related to the creation and deletion of virtual machines and other changes to the public side of the hybrid cloud infrastructure

Knowledge Management 

  • None specific to the pilot: Contoso will continue to use its current knowledge management system, supplemented by the provider's knowledge base (see the public cloud provider requirements above) when help desk personnel take calls from consumers of the hybrid cloud infrastructure

Release and Deployment Management

  • Provide operating system images for the creation of new virtual machines
  • Provide simple, graphical deployment methods that can be used to deploy new virtual machines

Incident and Problem Management

  • Provide a basic free support option, in addition to higher level options, that it may provide for a fee

4.2.3 Management and Support

Every organization uses a variety of technical capabilities to manage and support services in their environment. Contoso's private cloud has a variety of capabilities and constraints. The requirements in the sections that follow are aligned to the CSFRM Management and Support components. 

4.2.3.1 Public Cloud Provider Requirements

Consumer and Provider Portal

  • Enable a level of self-service so that acquisition of compute, network and storage does not require human intervention
  • Expose any "soft limits" (limits on service acquisition that require an override by the public cloud infrastructure service provider) and provide an online method to request an increase beyond them

Usage and Billing

  • Provide information regarding the monthly costs related to service use
  • Provide a way that Contoso IT can assess its current billing, before the end of the month statement

Service Reporting

  • Provide service consumption reporting
  • Provide service usage reporting for at least the last 30 days
  • Provide some level of health reporting that provides information about the state of the virtual machines (on, off, rebooted) over time

Service Monitoring

  • Provide a mechanism to inform administrators of a service disruption on the public cloud service provider's service offering
  • Enable a level of connectivity to the on-premises network so that current operating system and service monitoring solutions can be extended to the cloud service provider's infrastructure

Configuration Management

  • Support the ability to manage virtual machine configuration via on-premises Group Policy settings

Authorization

  • Enable a level of role-based access control such that a single administrator account can be created that cannot be deleted by other administrators
  • Enable the creation of multiple administrator accounts that are authorized to manage the public cloud based components of the service

Authentication

  • Enable on-premises Active Directory accounts to be used for authenticating to the service provider's portal so that Contoso doesn't need to maintain two different authentication repositories
  • Provide a way to synchronize the on-premises Active Directory with the service provider's authentication system
  • Provide a way to use on-premises accounts to authenticate to the provider's portal without requiring passwords to be synchronized between the systems

Directory

  • Limit non-Active Directory account access to only the service owner account
  • Enable on-premises Active Directory accounts to log on to the cloud service provider's portal to manage virtual machines
  • Enable a mechanism that allows on-premises Active Directory accounts to log on to the services running on the virtual machines hosted in the public cloud infrastructure service network

Deployment and Provisioning

  • Support deployment of new operating systems based on images that the cloud service provider makes available
  • Support the ability to upload on-premises virtual disk files that can be used to create new virtual machines on the provider's network
  • Provide information about the success or failure of a deployed virtual machine

Network Support

  • Provide a built-in name resolution system that allows virtual machines to communicate with each other without support from corporate domain name system (DNS) servers
  • Support the ability to place DNS servers on the service provider's network that are integrated with the on-premises DNS servers
  • Support a way to connect the on-premises network to the public cloud provider's network
  • Support a network connection between the public cloud infrastructure provider's network and the on-premises network of at least 100 Mbps of bandwidth

4.2.3.2 Provider Pilot Project Solution Requirements

Network Support

  • Support a network connection between the public cloud infrastructure provider's network and the on-premises network of at least 20 Mbps

4.2.4 Infrastructure Services Capabilities Requirements

Every organization uses a variety of infrastructure technical capabilities, or infrastructure services, or some combination of the two to host IT services. Contoso has a variety of existing infrastructure service capabilities that support services within its environment. As a result, it had requirements for how the hybrid cloud infrastructure must integrate with its existing infrastructure service capabilities. The requirements are aligned to the CSFRM Infrastructure components.

4.2.4.1 Public Cloud Provider Requirements

Compute (Virtual Machine)

  • Does not charge for virtual machines that are not turned on
  • Provide images for operating systems that will be deployed on the provider's network
  • Support uploading of images that were created on-premises that can be used to create new virtual machines on the provider's network
  • Support auto-scaling of virtual machines

Network

  • Support an encrypted connection between the on-premises network and the public cloud infrastructure service provider's network
  • Support some mechanism that will enable connectivity between the on-premises network and the service provider's network that contains the virtual machines
  • Provide integrated load balancing capabilities for front-end services hosted on the service provider's network

Storage

  • Support turning write caching on and off for virtual machine disks
  • Support maintaining multiple copies of virtual drives in geographically dispersed locations
  • Does not delete virtual machine disk files out of storage automatically
  • Support virtual disk sizes required by service components migrated to the public provider's infrastructure

5.0 Implementation Strategy

The requirements listed in this article were those that Contoso IT defined during the first phase of their hybrid cloud project. The purpose of the project was to enable Contoso IT to begin to understand the capabilities, limitations, and functionality of a hybrid cloud infrastructure where applications, or portions of applications, would be moved to a public cloud provider's infrastructure. Contoso started very conservatively, as it had a very small team that participated in the project, and because it wanted to get a solid understanding of its public provider before migrating more applications to it. The team began by investigating how to integrate the public provider's core infrastructure functionality with its own before it moved additional applications to the public provider.

To begin to familiarize itself with both the public provider and its hybrid infrastructure, Contoso deployed its time card application during a pilot phase.  This application was a low business impact, simple two-tier application that did not include any personally identifiable information. The application has a front-end web tier and a back-end database tier. The front-end web tier is accessible from the Internet, and both managed and unmanaged devices are allowed access to it.  Users authenticate to the application with their corporate Active Directory accounts.

The front-end web tier was originally located in the de-militarized zone (DMZ) of Contoso's private cloud, and the back-end database tier was located in the internal network of Contoso's private cloud. In the pilot project, Contoso migrated the web tier to the public provider and kept the database tier in its existing location. The team configured a virtual network connection over the Internet between their private cloud datacenter and the provider's datacenter. In addition to carrying web tier to database tier traffic, this connection enabled the application to authenticate users with the corporate Active Directory. Note that this design means the web tier at the provider is both Internet-facing and connected back into the on-premises network, so the traffic it is allowed to send across that connection should be limited to what the application needs (the IPsec and DMZ-style requirements in section 4.2.1.2 reflect this).
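The pilot design described above, together with the pilot information security requirements in section 4.2.1.2 (IPsec between the web tier and the database tier), calls for the web tier at the provider to reach the on-premises database only over authenticated, encrypted traffic. The article itself deliberately names no technology; the following is an added illustration, not code from the article or from Contoso's implementation, of how an administrator could enforce that requirement on a Windows Server web-tier virtual machine using the NetSecurity PowerShell module (Windows Server 2012 or later). The addresses, rule names, the SQL port, and the assumption that the VM is domain-joined and reaches the database server over the site-to-site connection are hypothetical.

```powershell
# Added illustration, not from the article: on a web-tier VM at the public provider, require IPsec
# (machine Kerberos authentication, ESP with AES-256) for all traffic to the on-premises database
# server, and allow SQL traffic out only when that protection is in place.
# Assumes the NetSecurity module (Windows Server 2012+) and a domain-joined VM. Run elevated.

$WebTierSubnet = '10.10.1.0/24'   # hypothetical: provider-side virtual network for the web tier
$DbServer      = '10.0.5.20'      # hypothetical: on-premises database server reached over the tunnel
$SqlPort       = 1433             # hypothetical: SQL Server default port

# Phase 1 (main mode) authentication: both machines are domain members, and the site-to-site
# connection carries Active Directory traffic, so machine Kerberos authentication is available.
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Contoso-Web-DB-MachineKerberos' -Proposal $authProposal

# Phase 2 (quick mode) protection: ESP with AES-256 encryption and SHA-256 integrity.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'Contoso-Web-DB-ESP-AES256' -Proposal $qmProposal

# Connection security rule: traffic between this web tier and the database server on the SQL port
# MUST be protected by IPsec in both directions. "Require" (rather than "Request") means the traffic
# is dropped if IPsec cannot be negotiated, so it never silently falls back to cleartext.
New-NetIPsecRule -DisplayName 'Contoso-Web-to-DB-RequireIPsec' `
    -LocalAddress $WebTierSubnet -RemoteAddress $DbServer `
    -Protocol TCP -RemotePort $SqlPort `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name

# Firewall rule: the only permitted SQL destination is the on-premises database server, and the
# connection is accepted only if it is IPsec-authenticated and encrypted.
New-NetFirewallRule -DisplayName 'Contoso-Allow-SQL-to-DB-Secure' -Direction Outbound `
    -Protocol TCP -RemotePort $SqlPort -RemoteAddress $DbServer `
    -Authentication Required -Encryption Required -Action Allow

# Check: confirm the IPsec rule requires security in both directions and the firewall rule exists.
Get-NetIPsecRule -DisplayName 'Contoso-Web-to-DB-RequireIPsec' |
    Format-List DisplayName, InboundSecurity, OutboundSecurity
Get-NetFirewallRule -DisplayName 'Contoso-Allow-SQL-to-DB-Secure' |
    Format-Table DisplayName, Direction, Action, Enabled
```

A matching connection security rule (with the addresses reversed) is needed on the database server so both ends require the same protection; otherwise the "Require" rule on the web tier simply blocks the traffic. Two caveats for anyone adapting this: Windows Firewall evaluates block rules ahead of allow rules, so restricting SQL traffic to this single destination is done by combining this allow rule with a restrictive default outbound action for the profile rather than by adding a broad block rule, which would also block the allowed destination; and because the article's own requirements (section 4.2.2.1) call for the provider-side VMs to be manageable through on-premises Group Policy, rules like these belong in a GPO applied to every web-tier VM rather than being run by hand on each one.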

Contoso cataloged what they learned during the pilot phase of the project and plans to use this information to help them define the next phase of their project, where they will integrate more comprehensive management and automation capabilities into their hybrid cloud infrastructure. They also plan to begin identifying applications for migration to the public cloud infrastructure service provider's infrastructure during future phases.

The figure below provides a high level view of Contoso's hybrid cloud infrastructure design, which includes the pilot time card application that they initially migrated to the public provider's infrastructure.

[Figure: high-level view of Contoso's hybrid cloud infrastructure design, including the pilot time card application migrated to the public provider's infrastructure]

6.0 Summary

This article defined the requirements and constraints of a fictitious enterprise IT organization that integrated resources from a public cloud provider with its private cloud resources to enable a hybrid cloud environment. If you’re interested in reviewing a lab-tested physical design that meets the requirements and constraints listed in this article, you’re encouraged to read the Design article in this article set. The Design article details which specific public provider, products, technologies, and configuration options were selected, out of the hundreds of individual available options, to meet the requirements listed in this article.

The Design article also explains the rationale for why specific design decisions were made. For organizations that have requirements and constraints similar to the organization discussed in this article, the lab-tested design and rationale in the Design article can help decrease both the implementation time and the risk of implementing a hybrid cloud solution. To understand the full spectrum of design options and considerations available to you when designing hybrid cloud infrastructure, you're encouraged to read the Hybrid Cloud Infrastructure Design Considerations article. You may also choose to refer back to the Overview article in this article set, or to view other cloud architectural and solution guidance at the Cloud and Datacenter Solutions Hub.

 

7.0 Authors and Reviewers

Authors

  • Tom Shinder - Microsoft

Contributors

  • Jim Dial - Microsoft
  • Yuri Diogenes - Microsoft

Reviewers

  • John Dawson - Microsoft

 

8.0 Change Log

 

Version 1.0, 8/21/2013: Initial posting and editing
Version 1.1, 9/30/2013: Updated title and content from "IT" to "cloud"