If there’s one customer takeaway in 2018, it’s that most of you are now running at least some production workloads in somebody else’s data center, especially Azure. The great news is you can monitor cloud resources with the tools you already have, and in this episode, we’ll show you how. In this episode, Microsoft Cloud advocate Phoummala Schmitt (@ExchangeGoddess), Head Geek™ and 10-year Microsoft MVP Thomas LaRock, and Head Geek Patrick Hubbard present a special deep-dive into Azure monitoring, hybrid IT/cloud operations, and assuring great services, regardless of where they live.
Learn how to break down remote monitoring barriers, get a telemetry plan in place before apps move, manage cloud costs, throttle Dev sprawl, and more. We’ll also cover the new Server & Application Monitor (SAM) templates for Azure and Office 365, including SharePoint, OneDrive, Skype, Teams, Dynamics, and account activation. Your live Azure operations questions were great in chat, and this is just one more episode powered by YOU.
Hello, and welcome again to SolarWinds Lab. Long-time viewers of the show know that we’ve been talking a lot recently about the cloud and DevOps-y stuff that comes with it.
DevOps-y, did you just make that term up?
Yes, and I trademarked it too. Hanging out with the legal team is beginning to pay off.
Look, slow your roll, Edison, let’s just stay on point.
OK, that’s fair enough, and the point of today’s show is that during Microsoft Ignite in particular, Tom and I realized that cloud adoption rates among our customers are really accelerating, and specifically, they seem to be adopting a lot of Microsoft Azure.
That’s right, so Patrick and I were talking through some ideas for a Lab episode. We wanted to do Azure and monitoring and migration tips, and then we realized that we happen to know an Azure expert that could help us do a deeper dive into all things Azure.
That’s right, and not just an Azure expert, but a THWACK expert, who’s been with us for years. So please welcome back to the studio, Phoummala Schmitt, aka Exchange Goddess.
Thanks, it’s great to be here, and it’s good that Leon left his apple boxes for me.
Apple box as a service. And Phoummala, you’re an Exchange guru, you’ve certainly been involved with the THWACK community for years, and interestingly, just like many SolarWinds customers who are migrating from an Office back end on-premises to O365 in the cloud, you also sort of made that migration, and you’re now at Microsoft as an ops guru.
Yes I am, I’m a cloud advocate for Microsoft, and in that role I get to talk a lot about customers, and how they’re migrating to Azure services, and many of our customers just happen to be SolarWinds customers, too.
And it’s great, because they also let you hang out with us still too, which is great.
And as it happens, we also have another Azure expert and an advocate who’s here with us today.
Well that’s you, Lurch.
I mean, we don’t talk about it often enough, but besides being circus tall, Tom is also a ten-time Microsoft MVP. Started as a SQL Server MVP, and is now a Data Platform MVP.
Guilty as charged.
And so, that’s why we’re having this episode. You’re using more Azure today. And even though SolarWinds is vendor-agnostic, it turns out that we have lots and lots of experience with Microsoft and Azure. And so, we want to share that experience with you today.
Right, I want to share with you some of what I’ve seen since I’ve joined Microsoft. We can talk about the different types of companies that are migrating, how they migrate, and how they maintain effective monitoring.
Awesome, that sounds good, so let’s get started. Let’s talk about what we’re going to actually cover today. So we’ll break this up into five big segments, or four and a half if you think about it, right? So, the first one is sort of lift and shift, this is the things that people do as a part of adopting Azure that can tend to either give them a little bit more heartburn than they need, or worse, encourage them to come back on-prem, right? So, we’ll talk about what are the two methods? Do you just pick up everything and shift it, and if so, what do you need to do to be able to monitor that? Or two, that’ll be lift and shift too, which is moving back-end pieces, but keeping the top. What, you’ve got a word for that.
Well, you know, there’s lift and shift, and then there’s re-host and re-factor. See now, re-factor, that’s a little DevOps-y.
It is a little DevOps-y, and it’s a little bit data-ish, too. Should we trademark data-ish? Then we’re going to talk about upgrades, right? So, I think one of the things that prevents a lot of people from adopting cloud technology is that you’re also upgrading a set of servers and systems that maybe you didn’t upgrade on-prem for a really long time. So, those problems don’t go away. So, we’re going to talk about how to actually identify what some of those are, and make sure that they’re not an issue. Last, we’re going to talk about security. That is just a small part of cloud. Is anyone afraid that if you open up your systems to people and admins that need to get at them on the cloud, that somehow that’s going to decrease security? That never happens.
I’m more afraid of some of the people in the office getting access to the systems.
[laughs] Exactly, so we’re going to talk about security and how to make sure that you can address some of those concerns. And then we’re going to wrap up with education. I know we talk about it a lot on this show, but when it comes to adopting cloud technologies, and especially Azure, these are a set of technologies that a lot of you know, or at least they’re related to ones that maybe you’re already using. It may just be differences training, but the ability to know where to go to work with these technologies before you start to go to your deployment, makes it a lot more successful. So, we ready?
All right, let’s- Let’s start with section one.
OK, so first, let’s start with this idea of lift and shift versus re-host and re-factor.
Oh so, this is basically things that I learned by going to cloud four years ago, three years ago, versus the way I would do it now.
Yeah, something like that.
It’s telling your younger cloud self what you would do.
So, what are the big issues that people usually run into? I know I made the joke before about it can tend to make people want to bring things back on-prem again, but what are some of the things that go wrong?
Well, I think the biggest thing that goes wrong is people don’t know what to expect when they go there the first time. So, if they do the lift and shift exercise, that’s usually what they think is the easiest thing, is that they can just, say, take snapshots of what they have or however they want to do it, and just easily migrate and then everything will just work. Except, they don’t consider things like network latency and all the other things that go with it, or they haven’t built and spec’ed the server in the cloud to run that workload appropriately. So, things tend to drag and then they get frustrated. Or maybe they didn’t really know how much certain things would cost.
Lift and shift is sort of like a Band-Aid. You know, it’s that quick fix. We need to go to the cloud, we need to do it quick. How do we do it quick? We just pick up and go, and as we’re finding out, that’s usually not the best thing to do, depending on your application.
Well, it was going to be sort of an elastic platform, right? You were going to use it for Dev maybe, or if you had some temporary workload you were going to expand into cloud, and then all of a sudden, the complaint was, “Well, this is more expensive.” OK, well it wasn’t made to take what was running in VMware and to shove it into another server somewhere else where someone else is getting paid to manage that.
Lift and shift does work for certain applications, especially if it’s legacy.
Let’s say you have some really, really old application that the developer probably isn’t around anymore. And it’s running on an old system, such as Server 2008, which is end of life here coming up January 14th, 2020, and you know, you basically either have to upgrade, or you’ve got to do something, ’cause you’re going to be out of support. And that’s where the scenario of lift and shift could work, where you just got to do something, otherwise you’re not going to be in potential compliance, if you’re not getting your security updates.
Right, and visibility ends up being a big part of that too is that one of the chief complaints is, “Well, now I can’t see it, I can’t monitor it, and I have a whole new set of tools that I need.” And that’s not really true, and we’re going to show you a couple of those. We’ve shown a couple of these before, but like specifically how to monitor lift and shift resources in Azure, using, in this case, Server & Application Monitor, which you probably already have. But before that, I did make the joke about cost. So, if you are not using the Cost Calculator for Azure, you should. I pulled it up here. It’s nice, it just installs in a folder somewhere, it doesn’t even do an install. And then give it your subscription details, and it’ll connect and actually go and look at all of the costs across all of those subscriptions and roll them up in one place. And we actually built this in collaboration with Microsoft, and we haven’t really seen anything else like this, and it’s completely free, so go get it. So, like, right here to your point before about, things like basics, like orphan resources, just show me the things that are just sitting out there, tell me how much I’m spending per resource. Do I want to just let it sit there forever, maybe for a rainy day, or can it finally be removed?
That’s real dollars.
That’s real dollars.
The cloud is real dollars.
So, you understand that the orphan resource, so you delete a VM, but the disk doesn’t go away. Just in case you made a mistake deleting the VM. So, that becomes an orphan disk and a lot of people don’t understand that they hit delete, they assume everything’s gone away, but that may not be the case.
Right, and the other one is if you’re IT, you end up rolling up all of those resources, and shadow IT ends up being a problem. Can you take a look at cost, for example, by the resources for a particular subscription? We’re just using a small subscription for little IoT stuff, it’s not a big deal. Well, that’s a third of our total spend? No, that’s not what you told me was going to be a part of my OPEX budget.
One of the things about this Cost Calculator, and I had mentioned that cost might be one of the reasons that you try lift and shift then you come back. So, in traditional IT, do we really know how much stuff was costing?
You had no idea.
You know how much stuff you bought.
You had an idea of what the data center cost per square foot, but nobody could look at you and say, “Wait, I know how much that database actually cost.” So, expand the types there.
Oh, what are you actually using?
Now check that SQL databases one, we got 52 of them, and now you can see how much a SQL database actually costs. Again, we just have a base example here, that’s not a lot, but imagine if it said ten thousand dollars. You know somebody in your company will look at that and go, “How is this database costing us ten thousand dollars a month?” Yeah, because we’re showing the last 30 days.
Well, then you get to have a conversation about on-prem and what clustering means.
See, but back to your point about being on-premises, that whole charge-back concept, when virtualization came into the picture? It was a great idea, wasn’t it? Oh, we can have all these VMs, we’ll charge back to the business. But, did people actually do that? No. Well here, the very nature of the cloud is it’s agile, it’s fast, and it’s easy. People spin up stuff. I mean, you can spin up a SQL database, and then you get the bill later and you’re like, “Whoa!”
Right, well we want to encourage that.
We want this. We want them to do that, but then we are sort of conditioned that then no one will ever go turn it off, so we actually just discourage all the time, people from spinning up new resources.
This allows you to see with real money how much this is going to cost you. I mean it’s real money, it’s not this concept of “Oh, we’re potentially going to do a charge back.” Where, no, you can see and you can actually send the bill. The bill can go to that business unit.
You can export all of this data, and it makes it a lot easier. And of course, it wouldn’t be a tool if it didn’t have charts and graphs, to your point, of showing what the trend is. Because a lot of times, that application may run a little bit here and a little bit there, and you just don’t really think about the drip. Well, over the last quarter, what have our costs been for that one particular database, right? So this will go and pull all of the services that each one of the subscriptions is using, and then as new services are added, they’re automatically added by the API. But, Tom, you and Phoummala were speaking about something a little bit different, which was just the basics, when it comes to cost management, of how do you monitor the resources that you already have with lift and shift. Storage and compute and the basics of what you would be running in Azure. How do you actually do that with SAM?
A couple things I wanted to mention, when we talk about lift and shift, you had just mentioned about virtualization, so I think one of the reasons people think lift and shift is the way to go, remember all the virtual migrations?
Oh, the P2Vs.
All the P2Vs, and it has, so that kind of worked, but it also worked because you still had visibility into all that, so there was this comfort level. But when you go cloud, you no longer manage that infrastructure. So now there’s a little bit of uncomfortableness happening.
Well, it’s a different world.
It’s a different world.
It’s a totally different world.
So what you need to make sure is that you have the tools that can help monitor that, in the same way. So, do you really care if that endpoint is hosted in Azure or if it’s in your own data center?
You have to manage the resource, right? I don’t really care where it sits. I just need to know if there’s an issue with it, and then what are the steps and actions I need to take to remediate that issue. So, you’ll see in SAM, though, we can connect right to- this obviously is running in Azure, right? I have a Windows 2016 box running in Azure, and you can see it’s just like anything else you would see in SAM, except we get a few other pieces of information about its location. It looks just like the regular dashboard. But then, of course, we have over in the summary tab, we have node details for Azure cloud itself. So look at this, I can tell it’s in the East US region. And if I need more information about this particular node, I can get the mapping, and I can figure out everything else that’s-
Troubleshooting step one, where is it?
Yes, where is it, and what’s touching to it, and so on and so forth. So we get a lot of information about that, just like we have in SAM and regular, right? So now, let me show you something else. Here’s the database instance that’s running inside of-
So this is an Azure database? This isn’t a SQL Server instance running in a VM container.
This is actually running on native-
That’s right, this is Azure SQL database that’s running, and if I want information about it. So, if I click on these queries, I can then quickly bounce over into DPA. And I can get information about that query running inside of an Azure SQL database, and what can I do about it? So, this is going to be one step towards tuning once the workload is running inside of Azure.
Do a lot of customers kind of get to that, and we were talking about cost perspective before, but because database pricing is not quite the same, it really is not just about the amount of storage that you’re using, but it’s actually compute and IO?
Right, so for Azure SQL database, how they do pricing right now, is this concept of database transaction unit, or DTU. What it really is, is it’s an aggregation of every possible resource that can be consumed, so CPU, storage, and memory. And, network, although I think they bill network separate. But you have to roll all those. There’s a formula out there, you can figure it out on your own. What you really need to know, though, is for a tool like DPA, this is the Table Tuning Advisors inside of DPA, so you’re going to come to this instance, and you’re going to say, “All right, well here’s something I might want to look at.” So maybe, if you’re not familiar with Table Tuning Advisors, what we’ve done is we’ve taken the data inside of the DMVs and usually people try to focus on one query to tune. But what if you knew that you could tune one index and it would affect 70 queries, like what we have here. We have one index, and four queries, five index, 70, four and 72. So if you’re paying by these DTUs, if you have all of these queries that are running, and if you know that you can make just one or two changes, you can affect your bottom line.
You can go to that Cost Calculator and you can say, “All right, this database instance is my highest bill,” now let me use DPA, let me go in there, and let me focus on the few things that I need to change in order to reduce that bill.
I love that point, because if you think about it, on-prem, wait time is free. It’s annoying, but you have a fixed set of resources and if you’re waiting in a query, whatever, but in this case, there’s actually a real cost, real dollar cost, to every bit of wait. So, being able to do something about it, thinking more about optimizing database is a big part of that.
OK, so what have we learned from all that? Lift and shift has been the traditional method for a lot of people to try to get their feet wet in the cloud, if that makes sense.
You would, it’s condensation.
You’d have to be upside down, but yeah, feet wet in the cloud. So, recently I’ve come across the phrase re-host and re-factor. And what that really is, is it’s sort of a hybrid approach to getting your stuff to the cloud. And the idea is simple that you understand, instead of the thinking that, “I can just move stuff from here to there.” It’s like, “I’m going to put this on the new host.” And then you start thinking about what are the changes, what do I have to do to re-factor this workload? What are some services, cloud-native services, that I can take advantage of, that can reduce my workload or things I’ve been doing? What pieces of this system can I offload to here, there, and everywhere? That’s that re-factoring approach. And I think when people use the phrase re-host and re-factor, they start to understand that there’s some work involved. Lift and shift is like no work, it’s easy. Re-host and re-factor means, oh right, we’ve got actual work to do.
Oh yeah, and it can actually be very complicated, depending on your application too. You’re going to need all teams, not just your developers, but you’re going to need your infrastructure teams as well. And your security, cause you basically have to break apart that existing application and figure out how am I going to re-factor that in the cloud, and making it cloud-native, rather than on-premises.
And it may not even be just one system, it could be your entire environment. So, for example, we’ve talked about a change, but one of the first steps I think a lot of companies do is Azure Active Directory. How do I just simply get my Active Directory to a tenant over in Microsoft’s cloud, and then you start factoring in now you build out the networks. If you were going to build a business from scratch, whatever you were doing, and you say, “All right, the same steps, but using cloud-native tools.”
And that’s a perfect segue here, because I think for many of you, you’re familiar with the O365 templates in SAM for Exchange and you’ve seen these for a while, and this is things like monitoring sign in and calendar access, the effectiveness of mailboxes, and basically all the metrics that you would lose by letting Exchange go off-prem, you can continue to see those in SAM. But what I wanted to show you was, we’ve been working on some new templates. These should be in the next release, definitely check THWACK What Are We Working On for all the details. But, here you can see, not only just Exchange, mailboxes, mobile devices, what are you seeing?
I see a Teams, wow!
Teams. And what’s right above Teams?
Skype for Business.
Oh my gosh, let’s go take a look at Skype for Business.
Isn’t that just called Lync? [Phoummala laughs]
That’s one flavor.
Formerly known as Lync.
So here we’re looking at the number of session counts that are peer-to-peer, I can look at total organized user sessions, number of iPhone, Android users, minutes of organizations, like I can see all of the metrics for actual use in the dashboard now as well. So even if that is hosted off-site somewhere else, I don’t have to worry about it.
Let’s go back to Teams and take a look at what you got there.
Ooh, look at that, there’s number of calls, number of meetings, number of chat messages, wow. And there’s even a number of daily iOS users and Mac users.
Right, the API for O365 exposes all of this information, and when you think about, how am I going to move away from Skype, and I’m going to move to Teams? Well, I don’t have any visibility, I don’t know whether people are going to use it. Will management find it effective? How many people will participate in each meeting? I’ll lose all of that. You’re not going to lose all of that, that’s all available.
This is great, the number of meetings. Just as my SysAdmin days in managing a Skype for Business environment, that’s one of the biggest questions we would get in the reporting, “How many meetings are we having on Skype for Business? What’s our organization doing per month? What are the number of calls?” So this is great information.
I hope that’s stored as a bigint. Sorry, data joke. [laughs]
That’s true, and it was funny to me. But, we’re going to talk about Azure Active Directory in just a minute and a little bit of permissions migration and the rest of it that’s a part of that, we’ll talk about that in the security section at the end. But, I did want to talk about something that you had mentioned in a conversation we had the other day about time saving and skills recovery as a part of offloading the back end to O365.
Yes, so, you traditionally think Office 365 and Exchange, what is that Exchange administrator going to do? It’s the tier two and three engineers, you don’t have a server to manage anymore. So, your time is going to be, I don’t want to say empty, but now you have the ability to kind of refocus and one, work on other projects that are behind. But two, you can actually upskill. Learn about the new technologies, learn about Azure, to take that opportunity, because you’re not updating servers, you’re not maintaining that disk storage. Yes, you still need an administrator to create accounts for mailboxes, but oftentimes, that’s actually even automated now. So, that really frees up that tier three engineer to change their role a little bit into more of a cloud engineer.
Right, and it really was sort of a surprise when you mentioned it, because it actually follows up a conversation I had with one of you at Ignite earlier this year, where you basically said exactly the same thing. They were describing, “Now I’m finally closing off some projects that we’ve been investing in but we’d never really had time, and got a certification.” And so, it was an excitement about that, and I didn’t really put it together at the time that there can be what you think of as email, that’s a help desk function right? I’m locked out of my mailbox or it’s down or whatever else.
You’re still going to need that tier three engineer to do major troubleshooting, but it’s giving our tier three engineers the ability to focus more on their projects, upskill, but also, do those things that they’ve always kind of put on the back burner, like upgrades.
Yeah, that’s sort of impossible for a lot of reasons. That’s one of those things, when we talk about upgrades, and I suppose we’re as guilty as anyone else, we’re constantly adding new features to our products, and sometimes, like the new flow-based alerts in NetFlow, you need to be on SQL Server 2016. So we, of course, stand right here at this booth, and we say, “Hey listen, here’s a list of amazing new things, here’s how to use them, and all you’ve got to do is upgrade.” If you don’t own the server, that’s a lot.
In upgrades, typically, it’s more reactive. “Oh, I’ve got to upgrade because it’s going to be end of support in X amount of months.” Now when you’re offloading that, you can actually plan your upgrade and say, “OK, here’s my timeline. I have these applications, and they’re going to run out of support in 18 months. Here’s a timeframe that I need to work on to get those upgrades in place.” You could be more proactive rather than fire-fighting.
So, why does it seem that when people adopt a cloud, and they’ve been on 2008, let’s say, and they’re going to jump, more or less, straight to 2016. If they’re doing it today, that doesn’t seem to be as much of a barrier when you’re using cloud as it is on-prem for some reason. Do you think that’s one of the reasons why cloud is an exciting option, to the point of being able to, I made the joke before about deconstructing monolithic applications into cloud-native services. You were a little bit kinder about re-hosting, but I think we ought to adopt that ’cause it’s less scary. Deconstruction just sounds-
Sounds like surgery.
It does, it doesn’t sound good. Does the transition to cloud seem to negate that upgrade step? Or people just don’t worry about it as much, they’ll just invest more to do it.
I think it just really depends on the situation. I hate to say that. That’s your typical answer, “It depends.” But it really does depend. Certain applications, you can re-factor. And then that lift and shift, that is appealing from an upgrade perspective if the application is very legacy, those monolithic, or just the old applications that you just don’t know who the developer is, they’re gone. By doing the lift and shift, moving to Azure, especially on Server 2008, it gives you an extended three years of life for support, security updates, which in today’s age, you need security updates, otherwise you are pretty much putting yourself at risk of being non-compliant with HIPAA, GDPR, all sorts of regulations out there. So, if you’re not getting the security updates, you are at risk. So, that move to Azure, yes, it’s three years, it’s a Band-Aid, it’s not a fix.
Just paid support for 2008 for the next three years.
No, so if you move a legacy application that’s running 2008, and you move it to Azure, you’re re-hosting in Azure, we give you three more years.
So, you’re saying that by moving to Azure, Microsoft is giving an extra three years of security support and updates. So, when’s end of life for 2008?
January 14, 2020.
So, three plus years is 2023, just by re-hosting to Azure.
Correct, and remember, that’s just three years only. It’s basically-
Yes, that’s pretty much, it’s life support for three years.
OK well, that’s a pretty good incentive.
But also, Tom, when you look at NetFlow, for example, and we’re recommending the upgrade to SQL Server 2016. One of the things that you were telling us, is that you were surprised at how well a lot of applications perform, or you’ll say things like, “Wow, my Windows Server in Azure just seems to run faster than it did on-prem,” and I’m wondering how much of that is actually just upgrading to a new version of Windows as a part of it, as opposed to comparing it to an older version that’s running in your environment.
I’m going to say a lot of it. A lot that you don’t realize, especially for a SQL Server workload. So much goes into the engine to make it more efficient, that a lot of the times, just upgrading to a new engine makes things faster, and you don’t even have to touch anything. It’s just a backup and the restore.
The upgrade to the OS, too.
Yeah, but again, SQL Server is a process. It’s an engine running inside of a process that’s on top of an operating system. Are there advances in the OS? Absolutely. But the advance that they do inside that engine, things like they add in columnstore, right? The way that they can make queries faster by simply re-factoring a little bit of the logic inside of the optimizer. You get this benefit by just going to a new version.
And the other thing too, and I’m sorry I was messing with the computer here while you were talking, but I just wanted to pull up this page. One of the things that we absolutely recommend that you do, is compare the performance of your cloud resources with your on-prem resources. Because you’ve been using those machines forever on-premises, you know them, you know the applications that run on them, so go ahead and put them side-by-side, right along with all of your cloud resources, and actually compare them. So, when you get into those cost management discussions, you get into that “Are we seeing the performance we expect?” conversations with leadership, it makes it really easy, because you can generate reports on that. But it also lets you, to your point earlier, really manage cost. Like when I’ve got the hardware that I have on-prem, that was bought with CAPEX. But in the case of I’m going to go configure a new VM in Azure, I have options that I’ve never seen before. So, to get parity performance that’s going to not shock anyone, it’s really, really important to actually put those things side-by-side. So, what else is a stopper for cloud adoption that’s an impossible thing that gets in the way?
Number one for years, anybody I would hear, security.
Ooh, yeah, that’s true.
But you know what, the cloud is secure. And you can-
The cloud is secure.
It is, we have the tools available for you to make it secure. But it’s up to you as the owners of the tenant of your subscription, regardless of whatever cloud provider you’re using, is to enable those tools to make it secure.
So what ends up happening is we, as the admins who are actually working with cloud, think that we’re going to break it. So, we’re going to create a hole in our application that’s going to be attacked as opposed to cloud itself breaking.
No, as cloud administrators now, it’s up to us to enable those security features. At the end of the day, it is our data, right? All the tools and services to secure your application, to secure your environment in the cloud, it’s there. We just have to enable it. And, for instance, Azure. We’ve got the Azure Security Center, you can create security groups. And then, also, who has access to what functions within the cloud, RBAC, role-based access permissions. That is built into Azure.
But when you do that in cloud, you’re taking advantage of a lot of automation, and you’re actually applying real governance. From the top down, you’re setting a plan of what it should be from the outset, as opposed to sort of going and then doing your user access management later, after the fact.
I’m going to go out on a limb here, most organizations have some type of role-based access control. They’ve got some iteration of it, so you’re just going to take that and basically, take it to the cloud. Your developers are still going to have access to the applications, right? And network teams, they’re still going to have access to network resources. It’s just you’re going to apply that to Azure now. And then we also talk about governance. So, you have governance on-premises, you know, that’s-
On paper. Well, especially in highly regulated industries, like healthcare, the financial industry, you have governance on-premises. You’re going to have governance within Azure. You want to keep and maintain that governance. Azure has that available.
So what’s that look like?
Azure Blueprints. So, Azure Blueprints allows us to quickly deploy governed subscriptions. It’s a blueprint. And that blueprint contains these artifacts called policies. You can add RBAC, role-based access control, you can add Azure Resource Manager templates, also known as ARM templates. And then you can add Azure initiatives. Basically, it’s governance and security wrapped up and made into a blueprint, and then you stamp it to a subscription. And you can stamp it to multiple subscriptions. So, it’s quickly deploying governed subscriptions at scale. Because it’s something that when you’re in the cloud, you don’t want to forget about governance. So, let’s take a look. We’ll go to Azure here, the Azure portal.
Search is always your friend.
This is how you’ll find Blueprints, or anything.
Type in blue, it automatically comes up. And when you first create a Blueprint, you’re going to have to create definitions. As you can see, I already have a couple here, and we’ll take a look at one of my Blueprints. The TestDEMO, so this Blueprint I created a while back. As you can see, I have a group here for Network Contributor. So, this is a role-based access control group, and anybody that’s assigned this role will only have access to network resources within that subscription. And I’ve assigned a subscription owner for the subscription. So, I’m going to use a security group and then I also apply the policy, and this policy is particular to this subscription, allowing only a particular virtual SKU. This controls cost management as well. So, let’s say you have a test subscription and you want to deploy test subscriptions to multiple teams. You can create a Blueprint like this and define an owner, and define a network contributor, or any of the 70 built-in RBAC roles that we have. But the allowed virtual machine SKU is really neat, because what it allows you to do is say OK, your test dev, have at it. You’re allowed to create all the resources you want, but we’re going to limit the expensive VMs. We want you to create cheap VMs, because it’s a test environment, we don’t want our resources to go there. And also, with the Blueprint, you can define, OK, this particular Blueprint, I want SQL Servers, and I want a SQL Server resource group. And then here’s an RBAC group I created here, a SQL Server contributor. And then web servers, so this Blueprint, every time I deploy it or assign it to a subscription, it’s always going to have a SQL Server resource group, and a web server resource group, with the individual group membership for RBAC.
So I noticed there’s published versions.
That’s published, so that’s something you’ve deployed? Cause I was wondering if some of these things might be put into a store.
[laughs] So, published versions mean, so once you create a Blueprint, you actually have to publish it, and then you assign it. Publishing just means that you’ve published it, so it’s available. And with publish, you can actually create different versions. Let’s say you have a Blueprint, and then you realize, “Oh wait, we want to redefine that virtual machine SKU.” As you can see here, I created multiple versions of this Blueprint, I added different SKUs, I removed the SKU policy, I added the particular VM SKU here. And then every time you create a new version, you have to re-publish it and re-assign it to those subscriptions.
But it’s a way of, you know we talk about governance, and best practice, but it is a way, in this case, of applying versions so that you can do non-breaking changes at the same time you then facilitate new capabilities.
Yes, so the nice thing about Blueprints, is you can lock ’em or unlock ’em. And what locking means, if you lock a Blueprint to a subscription, even the owner can’t make changes. This is great for production. You can have Blueprints for production applications, and you can lock that subscription down so developers or ops, they can’t go and make certain changes to your critical applications. And then you can also unlock, and maybe it’s your test Dev environment subscriptions, that you don’t lock ’em, and then they can make changes. Definitely, with production, you may want to lock that up.
So, we’re going to talk about MS Learn in a minute, and that’s a great way to actually start with this, right? Cause this is a pretty different way of approaching it. If you look at this too, one thing that’s a little bit different is, this is applying roles to resources, right? We’re kind of used to more on the IT side, of thinking about it from the user perspective, right? Cause you have users on things, which could be any number of things, from a file share to a Linux file system to Active Directory to Azure Active Directory, it could be a lot of things, so more of the user perspective. So, why don’t we take a second and actually show what Access Rights Manager looks like in terms of managing a hybrid, both on-prem and out to Azure, and more from the user perspective. OK, in case you haven’t seen this before, this is Access Rights Manager, and again, it’s designed to make it easy to figure out what users have access to what, whether they’re on-prem or they’re using cloud resources, right? So, there’s a lot of reports that people tend to use right off the bat, like who has access to what? And we’ll pick on marketing, of course, because we like to. And we’ll take a look at the resources that they are using, and specifically, I want to know what are they doing in the marketing share on this server. So, I’m going to double-click this, it’s going to select my role, and then I can do things like also, maybe I want to look at group structure, or I want to actually look at the ACLs that are applied for that. And then I’m going to click start, and it’s going to run that report for me. So there’s a ton of just base reports of who has access where, but that’s not what most people are actually using this for. What most people are doing are thinking about it more from the resource role, especially when, to your point, of trying to get parity between what we were doing on-prem, and with what we are now doing in the cloud. 
Or someone says, “I had that before we went to O365, but now I don’t.” OK, well, in this case here, I’ve got Active Directory up here at the top. So, this one happens to be a local instance, but if I was connected to Azure AD, it would look exactly the same. I get my roles and groups, I get things like everything from built-in roles, including their access rights, the users underneath. But when Tom and I were talking about this yesterday, so often it ends up being an individual user, right? And we were talking about it before, if a help desk request ends up being access permissions, it always ends up getting escalated to layer two or three, because they’re asking for an exception. But in this case, let’s pick on Anton, let’s find him.
Anton Admin, yeah. Well, look, there he is, he’s a user. Here we can see Anton’s access and the account permissions for this archive share, right? Well, one of the things I do care about, is I care about things like inheritance, like where did these permissions actually come from? And if I want to make changes, I can right-click and then say, “Oh, let’s change the inheritance rules for that.”
Oh, look at that.
Right? Now technically, that’s an exception, because that is for this user on that file share, but where it gets a little bit more interesting, is if you want to take a look at a user where they are compared to everyone else. And for that, we’re going to use the show accounts view. Now, for those of you who’ve used NetPath, or the new mapping, this will look pretty friendly. And of course, you get-
Oh there’s a photo of him, so now I can go around the office looking for him.
Right? But again, we’re focused on that user, so this is everything that we know about him, last log on, the organization in the tree. But here I can see all of the parents that are a part of this view, and then also, the resources that he has access to. And if I want to, I can go ahead and walk through these, so I can figure out-
Oh, so you can see the group nesting.
Visualization of it, yeah.
And then I can also do things like look at exceptions, I can do reports and identifications of exceptions that way as well.
You know where I can see this as being very useful?
Of course, but when an individual transitions roles, when they leave a department. How often do permissions get left behind? The intention is there, you want to remove the old permissions and get the new ones, but sometimes you end up with both, your new and your old, and you still have it because there’s that transition period that sometimes-
Sometimes, all the time.
That doesn’t always get cleaned up, so this is a great visualization of, “Wow, Anton, does he really need access to all that?” and “I thought he’s not in marketing anymore.”
No, of course he does, it says “Admin” in his name, of course he needs access to all those things.
OK, so we looked at a couple different paths, right? So, the first one was resources drilled down to groups and users, so figure out who has access to what from the resource perspective. The other one was from the user perspective, what resources are available and how are they different and when were things applied? But when you really start to look at this in aggregate, if you’re the administrator, or if you’re the person in charge of governance, and you need to really have that top-level view of who’s doing what, especially across multiple environments, the log book view is what most people tend to use. So, there’s a couple of things here.
The when, and then the volume, right? So, I can look to say AD accounts created, there were two of them on this day, and if I drill in.
Ah, new hire.
I’m going to see who and why, and then all the changes that were part of that provision.
Ooh, use this as a template.
Templates are handy, and if you want to see all the details of how this works in a future episode, let us know in the chat or on the home page, and then we’ll come back and walk you through how to actually set this up and how to use things like templates. But the other thing too here is this is sort of looking at that high-level log, this is how many actions were taken all at once. But if I want to really look at a specific log, I’m more likely going to actually be looking at something else. Like I’m going to be looking at a role or a user. So in this case, I’m looking, again, at the graph view for this user for their permissions. And right here I get the log for that user in that context. I get a log book right there, but the view is narrowed down specifically for this user for the roles, and who’s making the changes, so that I can see all of those right there as well.
Oh, there’s even details of a ticket number too, very useful.
I know that’s a lot, but the point here is that don’t let security and fear of being able to manage your cloud resources prevent you from taking advantage. There are tools available to make that relatively easy.
MS Learn, Microsoft Learn, it is the free learning portal that we just launched back in September. It is an entirely free, sandboxed environment that you can use, and it’s a module base. And it’s based off learning paths as well. Here’s a quick little intro to it, so you can just do a search on MS Learn. And we have these learning paths that you can take, and you can also just pick individual modules, as well. So, we’ll just select a learning path, and I’m going to be an Azure Administrator, and what type of modules are available? “Secure your Azure database.”
And it’s pre-filtering them based on your role, so you’re not just going through this enormous catalog.
Oh look at this, “Secure your Azure resources with role-based access control,” let’s click on that. So, you’re going to go into here, and like I said, it’s a module base, so you’re going to start, and you have all these different chapters. And it’s a sandbox environment within Azure, no credit card required, completely free, and you’ll go through the training at your own pace. And then there’s videos, and actually you might see a video of me on there.
I was going to say, are you in one of the videos?
I’m actually on one of the videos, I’m actually on a couple of them. But you basically go through the training on your own time, and then, if there’s certain features that the module has you doing, it’s a sandbox environment, and when you’re done, the sandbox environment gets wiped clean and then you can move on to the next module. And if you still don’t know for sure, you want to go back, you can repeat the module as well. And this is completely free for you to try.
And the reason we wanted Phoummala to talk about this, is that it really does parallel some of the other things that we’ve talked about. Like, you’ve heard me talking about Cisco DevNet for a long time. Certainly, obviously, this looks a lot like some of the content that you get in THWACK in our Customer Success Center now, GNS3 is offering training for everything including Python now. And so when you are looking at cloud technologies, and learning about cloud technologies, and selecting cloud technologies, try to find vendors that are educating maybe outside of what looks like the comfort zone. Like, why would Cisco want you to learn Python? That doesn’t seem very network-y, but they’re doing the right thing. So, a lot of times you will see these broader education opportunities and sites, and in the case of having sandboxes that you can play with, without setting up equipment, they are really, really helpful. So, it’s not entirely a self-service world with cloud, but there does definitely seem to be more learning opportunities that are attached to it, that are not the traditional certification, paid, special, you have to have the right hardware in order to learn. It’s available to anyone, and I think that may be one thing that’s attracting new people to cloud, and new admins who are looking to change their career or up-level, because it’s all self-service and it’s all available.
Well, thanks you two. I really tend to think about cloud in the abstract, or maybe at least in the agnostic sense, and I forget how much Microsoft and Azure-specific tools have really been added to SolarWinds products over the years.
Is that really a surprise? When I look at the THWACK community, I see admins managing just about every vendor tech you can think of, but two really stand out. Cisco and Microsoft.
Well, you know, it may also be that most customers, they’re pretty happy with what they have. For example, if everyone in your company collaborates well- [laughs] Yes, if everyone in your company collaborates well, why would your business want to change everything wholesale? So, instead they’re doing what IT does, they optimize the back end. So, maybe you like Office, but you don’t want to manage those Exchange or SQL or AD or SharePoint servers, right? So hey, O365 is for you. But maybe you want more storage options for your VMs, or advanced data analytics without changing up your entire tool set. Hey, expanding to Azure data services, that’s an easy choice.
Well the other thing too, is that we’re really getting into the meat of cloud transformation, right? Modernization of the applications, early adopters really had an advantage, because they were making changes to newer technology that was easier to move, or they were building a lot of new things from scratch. So, I’m not sure that it’s so much that IT is really learning cloud in 2019 and 2020, but rather, we’re just getting into the hard part. And maybe the tools weren’t really there yet.
Well, the other thing is that IT is now making changes to real critical apps and systems, which means it’s a real risk. And the only way to mitigate that is education for leadership and IT. Blogs, white papers, and some vendor sales pitch aren’t enough. That’s why communities like DevNet, the THWACK community, and MS Learn learning portal are so important. They let you form your own opinion about what and how to achieve your requirements.
So, we could go on-
We did go on.
Well, hopefully you’ve enjoyed today’s episode. And we’re looking forward to your questions in live chat. Of course, if you don’t see that chat box over here to the right, it means you’re not with us live, so swing by our homepage, which is lab.solarwinds.com. Check out schedules for future episodes to be there, and give us some feedback on this one and tell us what you want to see in future episodes. And so, Phoummala, thank you so much for being here, it is always great to have you here on set.
Well, thank you for having me, I love coming back. But, you can also catch me on the Microsoft Ignite, the tour. We are going to be traveling to 17 different cities around the world, one U.S. city. And it’s a free two-day learning conference. All things Azure, M365, we’re going to talk about security, compliance, all the good stuff. And it’s free, and I’ll be there.
So it’s just a little bit like THWACKcamp, it comes to you.
So, anything else?
Yeah, but we’re out of time, so do you want to come back again?
Awesome, that’s great. So, with that, I’m Patrick Hubbard.
I’m Thomas LaRock.
And I’m Phoummala Schmitt. Thanks for watching SolarWinds Lab.