Active Directory Considerations in Azure Virtual Machines and Virtual Networks Part 1 – Hybrid IT

If you haven’t heard about Azure Virtual Machines and Virtual Networks, then you’re in for a treat. This new service, which is currently in Customer Preview, lets you run virtual machines on the Azure Infrastructure as a Service (IaaS) offering. That means you can use Azure to host those virtual machines without building out on premises infrastructure to support them.

Azure Virtual Machines and Virtual Networks can enable a deployment scenario known as hybrid cloud, or more generally, Hybrid IT. When you have a hybrid environment, one portion of your infrastructure is hosted on premises while another portion is hosted in the cloud. You can use hybrid IT to run new applications (although for new applications you’ll more likely want to take advantage of the Azure Platform as a Service offerings), or relocate current applications that are running in your datacenter.

A Solution for an Overburdened Datacenter

This can be very useful for datacenters that are at or near capacity. Imagine that you have a line of business (LOB) application that is taking up resources in your current datacenter. Your datacenter is stretched in terms of capacity, and you need on premises capacity to support a new application rollout. What do you do?

The traditional option is to acquire new hardware. You go through the requisition process, then take possession of the hardware. Then there are all the engineering processes that you need to go through to get the new hardware installed and configured, which of course includes all the racking, stacking and cabling. Then you’ll need to connect all that to storage and decide how you apportion the storage for the new applications or reposition it for existing ones.

Another option that you can use to free up datacenter resources for the new on premises application is to move existing applications from on premises deployments to hybrid deployments. There are likely going to be components of the application that can be moved to a public IaaS provider like Azure Virtual Machines and Virtual Networks and other components that you’ll want to keep on premises because of security or data governance reasons. That’s the hybrid IT play.

This second option is attractive because it’s going to be a lot less work for you. In addition, moving the application components that can be placed in the public IaaS cloud can potentially save you money. In the white paper The Economics of the Cloud, you can see on page 22 that potential cost reductions of up to tenfold (10X) might be realized by moving services to a public cloud environment. So, if you go hybrid IT, not only are you able to avoid the traditional acquisition and deployment overhead and costs, you are also able to save a significant amount of money. That money can then be used to support new strategic initiatives and forestall the need to expand the datacenter.

You can learn more about hybrid IT from Brad Anderson’s post Transforming the Data Center and Hybrid IT.

The Specter of Shadow IT

On paper, this all looks good. So good, in fact, that many organizations are having to deal with what is known as “shadow IT” or “credit card IT”. This takes place when someone decides to side-step the IT department and stand up a new service on his or her own. This person or group doesn’t want to wait for corporate IT to provide the infrastructure they need. Instead, they can just pull out the corporate credit card, get the infrastructure on the public cloud and start developing and deploying applications.

The problem with this is that it can and does spin out of control. Your company has data governance, security, privacy, availability, and performance guidelines that it must adhere to. The people standing up shadow IT resources may or may not know or be concerned about these issues, but these issues need to be addressed to keep the company from getting into trouble.

As a member of the IT department, you need to address core infrastructure issues before you even consider moving part of an on premises application to a public cloud IaaS provider. Key issues that need to be considered include:

  • Provisioning – how are virtual machines provisioned?
  • Management – how are the virtual machines going to be managed?
  • Security – what are the security issues that are involved with hosting an internal application that has pieces of it in a public cloud IaaS?
  • Networking – how are you going to connect the public components to the private components?
  • Authentication and Authorization – how are you going to connect the publicly hosted components of the solution to the back-end Active Directory infrastructure?

For most IT departments, these core infrastructure issues need to be assessed, addressed and rationalized before even considering moving pieces of an on premises line of business application to a public IaaS provider such as Azure Virtual Machines and Virtual Networks.

Blog Series on Active Directory in the Azure Virtual Machines and Virtual Networks Cloud

This blog post is the first in a series of posts on hybrid IT infrastructure and authentication, and the focus will be on Active Directory authentication. While Active Directory is a very mature service that has been around for over a decade, there are things that you’ll want to consider before you move an Active Directory dependent application into the public cloud. Some of these considerations will be very similar to those encountered in branch offices, and some of them will be specific to circumstances you’ll encounter when deploying on the Azure Virtual Machines and Virtual Networks infrastructure. We’ll talk about these issues in detail.

I’m looking forward to writing this series and I hope you will enjoy it! As always, please let me know if there is anything unclear or if something needs wider coverage. Thanks!



Tom Shinder
Principal Knowledge Engineer, SCD iX Solutions Group