Cloud Adoption Framework – Manage Overview

The last phase of the Cloud Adoption Framework is the Manage phase.

Manage methodology of the Cloud Adoption Framework

Inventory and visibility

The first step is to take a complete snapshot of the environment so that it can be managed properly: create an inventory of assets and develop visibility into the run state of each asset.

There should be centralized logging of change management, service health and the configuration of IT operations.

Process | Tool | Purpose
Monitor health of Azure services | Azure Service Health | Health, performance, and diagnostics for services running in Azure
Log centralization | Log Analytics | Central logging for all visibility purposes
Monitoring centralization | Azure Monitor | Central monitoring of operational data and trends
Virtual machine inventory and change tracking | Change Tracking and Inventory in Azure Automation | Inventory VMs and monitor changes at the guest OS level
Subscription monitoring | Azure activity log | Monitoring change at the subscription level
Guest OS monitoring | Azure Monitor for VMs | Monitoring changes and performance of VMs
Network monitoring | Azure Network Watcher | Monitoring network changes and performance
DNS monitoring | DNS Analytics | Security, performance, and operations of DNS
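The table names the Azure activity log as the tool for subscription-level change monitoring but not what to look for in it. The following PowerShell is an added example, not code from the Cloud Adoption Framework documentation. It uses the Az.Monitor module to pull the last 24 hours of activity for the current subscription and reports successful control-plane operations that a security operator would want to review. The watch list (RBAC grants, custom role changes, policy-assignment and lock deletions, NSG rule writes, Key Vault writes) and the 24-hour window are choices made here, and the script assumes you have already run Connect-AzAccount and selected the target subscription.

```powershell
# Added example (not from the CAF documentation): review subscription-level
# control-plane changes recorded in the Azure activity log.
# Assumes the Az.Accounts and Az.Monitor modules and an authenticated session
# (Connect-AzAccount) with the target subscription selected.
# The watch list and the 24-hour window are assumptions made for this example.

$watchedActions = @(
    'Microsoft.Authorization/roleAssignments/write'                # RBAC grant added or changed
    'Microsoft.Authorization/roleDefinitions/write'                # custom role created or changed
    'Microsoft.Authorization/policyAssignments/delete'             # policy guardrail removed
    'Microsoft.Authorization/locks/delete'                         # resource lock removed
    'Microsoft.Network/networkSecurityGroups/securityRules/write'  # NSG rule added or changed
    'Microsoft.KeyVault/vaults/write'                              # Key Vault configuration changed
)

$since  = (Get-Date).AddHours(-24)
$events = Get-AzActivityLog -StartTime $since -WarningAction SilentlyContinue

# Each operation is logged at least twice (Started, Succeeded/Failed); keeping only
# 'Succeeded' gives one line per change that actually took effect.
$findings = $events |
    Where-Object {
        $_.Authorization -and
        $watchedActions -contains $_.Authorization.Action -and
        "$($_.Status)" -eq 'Succeeded'
    } |
    Select-Object EventTimestamp, Caller,
        @{ Name = 'Action'; Expression = { $_.Authorization.Action } },
        @{ Name = 'Scope';  Expression = { $_.Authorization.Scope } } |
    Sort-Object EventTimestamp -Descending

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Host "No watched control-plane changes recorded since $since."
}
```

The activity log only retains 90 days, so for the "centralized logging" goal above the same events should also be exported to the Log Analytics workspace via a diagnostic setting; this script is the quick ad-hoc check, not the retention mechanism.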

Operational Compliance

Establish controls and processes to ensure that each asset is properly configured and running in a well-governed environment.

Process | Tool | Purpose
Patch management | Azure Automation Update Management | Management and scheduling of updates
Policy enforcement | Azure Policy | Policy enforcement to ensure environment and guest compliance
Environment configuration | Azure Blueprints | Automated compliance for core services
Resource configuration | Desired State Configuration | Automated configuration of the guest OS and some aspects of the environment
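To make the "policy enforcement" row concrete, here is an added example (not from the Cloud Adoption Framework documentation) of an Azure Policy definition with a deny effect, assigned at resource-group scope, followed by a compliance read-back. The rule refuses storage accounts that do not require secure transfer (HTTPS only). Azure ships a built-in definition for this check; a custom one is written out here so the rule itself is visible. It assumes the Az.Resources and Az.PolicyInsights modules, an authenticated session, and a resource group named rg-workload-prod, which is an assumed name.

```powershell
# Added example (not from the CAF documentation): deny storage accounts that
# still allow plain HTTP, assign the rule at resource-group scope, then read
# back non-compliant resources.
# Assumes Az.Resources and Az.PolicyInsights, an authenticated session, and a
# resource group named 'rg-workload-prod' (assumed name).

# Policy rule: match storage accounts where supportsHttpsTrafficOnly is missing
# or false. 'deny' blocks the create/update request at the ARM layer.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      {
        "anyOf": [
          { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false" },
          { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false" }
        ]
      }
    ]
  },
  "then": { "effect": "deny" }
}
'@

$definition = New-AzPolicyDefinition -Name 'deny-storage-http' `
    -DisplayName 'Storage accounts must require secure transfer (HTTPS only)' `
    -Policy $policyRule -Mode All

$rg = Get-AzResourceGroup -Name 'rg-workload-prod'
New-AzPolicyAssignment -Name 'deny-storage-http' -PolicyDefinition $definition -Scope $rg.ResourceId

# Deny only blocks new or updated resources; accounts that already exist are
# reported as non-compliant. Evaluation is scheduled, so trigger a scan and list them.
Start-AzPolicyComplianceScan -ResourceGroupName $rg.ResourceGroupName
Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, ComplianceState |
    Format-Table -AutoSize
```

The distinction worth internalising is that a deny effect is a preventive control on the control plane, while the compliance state is a detective control over what already exists; a baseline needs both, and the existing non-compliant accounts still have to be remediated by hand or by a separate policy with a modify effect.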

Protect and Recover

Ensure all managed assets are protected and can be recovered using baseline management tooling.

Process | Tool | Purpose
Protect data | Azure Backup | Back up data and virtual machines in the cloud
Protect the environment | Microsoft Defender for Cloud | Strengthen security and provide advanced threat protection across your hybrid workloads

Enhanced Baseline

Evaluate common additions to the baseline that might meet business needs.

Discipline | Process | Tool | Potential impact | Learn more
Inventory and visibility | Service change tracking | Azure Resource Graph | Greater visibility into changes to Azure services might help detect negative effects sooner or remediate faster. | Overview of Azure Resource Graph
Inventory and visibility | IT Service Management (ITSM) integration | IT Service Management Connector | Automated ITSM connection creates awareness sooner. | IT Service Management Connector (ITSMC)
Operational compliance | Operations automation | Azure Automation | Automate operational compliance for faster and more accurate response to change. | See the following sections
Operational compliance | Performance automation | Azure Automation | Automate operational compliance with performance expectations to resolve common resource-specific scaling or sizing issues. | See the following sections
Operational compliance | Multicloud operations | Azure Automation Hybrid Runbook Worker | Automate operations across multiple clouds. | Hybrid Runbook Worker overview
Operational compliance | Guest automation | Desired State Configuration (DSC) | Code-based configuration of guest operating systems to reduce errors and configuration drift. | DSC overview
Protect and recover | Breach notification | Microsoft Defender for Cloud | Extend protection to include security-breach recovery triggers. | See the following sections

Platform Specialization

Invest in ongoing operations of a shared platform, spreading the cost across the workloads that run on it.

Process | Tool | Purpose | Suggested management level
Improve system design | Microsoft Azure Well-Architected Framework | Improving the architectural design of the platform to improve operations | N/A
Automate remediation | Azure Automation | Responding to advanced platform data with platform-specific automation | Platform operations
Service catalog | Managed applications center | Providing a self-service catalog of approved solutions that meet organizational standards | Platform operations
Container performance | Azure Monitor for containers | Monitoring and diagnostics of containers | Platform operations
Platform as a service (PaaS) data performance | Azure SQL Analytics | Monitoring and diagnostics for PaaS databases | Platform operations
Infrastructure as a service (IaaS) data performance | SQL Server Health Check | Monitoring and diagnostics for IaaS databases | Platform operations

Workload Specialization

Invest in ongoing operations of a specific workload; this level is generally reserved for mission-critical workloads.

Requirement | Tool | Purpose
Application monitoring | Application Insights | Monitoring and diagnostics for applications
Performance, availability, and usage | Application Insights | Advanced application monitoring with the application dashboard, composite maps, usage, and tracing

Cloud Adoption Framework – Governance Overview

Why is governance important?

Governance is important because it provides the foundation for balancing transformation against risk mitigation: maintaining compliance, creating cost visibility and control, improving security posture, and so on.

Here are some questions that should be asked regarding governance:

  • Who is responsible for monitoring, support, and operations?
  • Which services should be migrated to Azure?
  • What roles & responsibilities must be defined?
  • What security measures should we consider?
  • What are the core processes needed for service management?
  • How do we ensure a balance between innovation, cost and agility?
  • What organizational changes are needed?
  • What key capabilities must be developed?
  • What are the Azure governance building blocks?

Governance benchmark assessment
aka.ms/adopt/assess/govern

Understand business risk

Here are some questions that should be asked when defining corporate policy:

  • What are your compliance requirements?
  • Have you identified your business risks as they relate to the cloud?
  • What are your business priorities and reasons for moving to cloud?
  • How do you think about data risks and data governance?
  • Is there a list of applications which are prioritized by business impact?
  • Do you have specific application governance requirements?
  • How do you audit for compliance?

Governance pillars

Cost Management

Establish controls and processes to ensure proper allocation of cost across business units.

Define cost management Role-Based Access Control (RBAC) model.

Security Baseline

Establish policies to protect the network, assets and data in your Azure environment.

Resource Consistency

Implement the foundation for governance best practices with appropriate resource organization.

Define the appropriate Azure management groups and subscriptions model to reflect security, operations and business hierarchy.

Identity Baseline

Protect your data and assets in the cloud by implementing identity and access control.

Define the Azure RBAC model: use RBAC to segregate duties within a team and grant users only the access they need to perform their job (least privilege).

Operationalize Azure AD Privileged Identity Management (PIM) so that privileged roles are activated just in time and for a bounded period rather than held permanently, and revisit the model regularly, because cloud identity is an iterative process.
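The two identity-baseline statements above describe what to do but not what it looks like in practice. The following PowerShell is an added example, not code from the Cloud Adoption Framework documentation. It defines a custom role containing only the actions an on-call operator needs, scoped to one resource group and granted through a group, and then lists who holds broad roles directly at subscription scope, which is the standing-privilege population PIM should replace. It assumes the Az.Accounts and Az.Resources modules, an authenticated session, and the assumed names rg-workload-prod (resource group) and sg-vm-operators (Azure AD group).

```powershell
# Added example (not from the CAF documentation): a least-privilege custom role
# scoped to one resource group, assigned to a group, followed by a check for
# standing high-privilege grants at subscription scope.
# Assumes Az.Accounts and Az.Resources, an authenticated session, and the
# assumed names 'rg-workload-prod' and Azure AD group 'sg-vm-operators'.

$subscriptionId = (Get-AzContext).Subscription.Id
$scope          = "/subscriptions/$subscriptionId/resourceGroups/rg-workload-prod"

# Only the actions an operator needs: read and power-cycle VMs, read metrics.
# No */write or */delete, so the role cannot change configuration or remove assets.
# AssignableScopes pins the role to the one resource group.
$roleJson = @"
{
  "Name": "VM Operator (rg-workload-prod)",
  "IsCustom": true,
  "Description": "Read, start, restart and deallocate VMs in rg-workload-prod.",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Insights/metrics/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "$scope" ]
}
"@
$roleFile = Join-Path ([System.IO.Path]::GetTempPath()) 'vm-operator-role.json'
[System.IO.File]::WriteAllText($roleFile, $roleJson)   # UTF-8 without BOM
$role = New-AzRoleDefinition -InputFile $roleFile

# Grant through a group, not to individual users, so group membership is the
# audit trail and the assignment itself never has to change.
$group = Get-AzADGroup -DisplayName 'sg-vm-operators'
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role.Name -Scope $scope

# Segregation-of-duties check: who holds broad roles directly at subscription scope?
# These are the permanent grants that should become time-bound PIM eligibilities.
$broadRoles = 'Owner', 'Contributor', 'User Access Administrator'
Get-AzRoleAssignment -Scope "/subscriptions/$subscriptionId" |
    Where-Object {
        $_.Scope -eq "/subscriptions/$subscriptionId" -and
        $broadRoles -contains $_.RoleDefinitionName
    } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

A newly created role definition can take a short while to replicate, so the assignment step may need a retry if it reports the role as not found. Anything the audit lists that is a user rather than a group, or a service principal with Owner, is a finding to take into the PIM onboarding.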

Deployment Acceleration

Establish policies to govern asset configuration and deployments, whether performed manually or automated through DevOps best practices.

The DevOps practices in this discipline include:

Infrastructure as code

  • Stand up environments in the fastest means possible.
  • Remove the human element so that deployments are reliable and repeatable every time.
  • Improve environment visibility and developer efficiency.
  • Store infrastructure definitions alongside application code.

Continuous integration and continuous deployment

  • Accelerate delivery through automation
  • Simple and easy to use.
  • Reusable pipeline actions shared by a global community.

GOVERNANCE WITH AZURE NATIVE TOOLS

Governance Minimum Viable Product (MVP)

The governance MVP is built first and then refined through three governance iterations. Because the process is iterative, it evolves with each workload and with the organization's cloud maturity.

Build the governance MVP

# | Standard enterprise | Complex enterprise
1 | Customers or staff reside largely in one geography | Customers or staff reside in multiple geographies or require sovereign clouds
2 | Business units share a common IT infrastructure | Multiple business units that do not share a common IT infrastructure
3 | Single IT budget | Budget allocated across business units and currencies
4 | Capital expense-driven investments are planned yearly and usually cover only basic maintenance | Capital expense-driven investments are planned yearly and often include maintenance and refresh cycles of 3-5 years
5 | Datacenter or third-party hosting providers with fewer than five datacenters | Datacenter or third-party hosting providers with more than five datacenters
6 | Networking includes no WAN, or 1-2 WAN providers | Networking includes a complex network or global WAN
7 | Identity is a single forest, single domain | Identity consists of multiple forests, multiple domains
8 | Cost Management (cloud accounting): showback model; billing is centralized through IT | Cost Management (cloud accounting): chargeback model; billing can be distributed through IT procurement
9 | Security Baseline (protected data): company financial data and IP; limited customer data; no third-party compliance requirements | Security Baseline (protected data): multiple collections of customers' financial and personal data

This wraps up the Cloud Adoption Framework – Governance Overview.

Cloud Adoption Framework – Data Migration Overview

As discussed in the Azure Cloud Adoption Framework (CAF) overview blog, CAF is not a linear journey but a cycle that repeats as cloud adoption evolves. This post gives an overview of data migration to Azure.

Microsoft's Azure database services decision tree helps identify the appropriate data store(s) to use; the common scenarios it covers are summarized in the table below.

[Figure: An Azure database services decision tree]

Common Database Scenarios

Scenario | Data service
I need a globally distributed, multi-model database with support for NoSQL choices. | Azure Cosmos DB
I need a fully managed relational database that provisions quickly, scales on the fly, and includes built-in intelligence and security. | Azure SQL Database
I need a fully managed, scalable MySQL relational database that has high availability and security built in at no extra cost. | Azure Database for MySQL
I need a fully managed, scalable PostgreSQL relational database that has high availability and security built in at no extra cost. | Azure Database for PostgreSQL
I plan to host enterprise SQL Server apps in the cloud and have full control over the server OS. | SQL Server on Virtual Machines
I need a fully managed elastic data warehouse that has security at every level of scale at no extra cost. | Azure Synapse Analytics
I need data lake storage resources that are capable of supporting Hadoop clusters or HDFS data. | Azure Data Lake
I need high throughput and consistent, low-latency access for my data to support fast, scalable applications. | Azure Cache for Redis
I need a fully managed, scalable MariaDB relational database that has high availability and security built in at no extra cost. | Azure Database for MariaDB

Azure SQL

Azure SQL is a family of managed services built on the SQL Server database engine, offered at three levels of control and responsibility.

Azure SQL Virtual Machine
SQL Server on Azure Virtual Machines is the infrastructure as a service (IaaS) model. It is best suited to lift-and-shift scenarios where the workload requires operating-system access or the SQL Server instance is heavily customized.

Azure SQL Managed Instance
Azure SQL Managed Instance is a fully managed platform as a service (PaaS) offering that runs the latest SQL Server (Enterprise Edition) database engine.

Azure SQL Database
Azure SQL Database is a relational database as a service (DBaaS) in the platform as a service (PaaS) category, offered as a single database or as an elastic pool.

Azure SQL Comparison Table

Azure SQL Database

  Advantages:
  • Supports most on-premises database-level capabilities. The most commonly used SQL Server features are available.
  • 99.995% availability guaranteed.
  • Built-in backups, patching, recovery.
  • Latest stable Database Engine version.
  • Ability to assign necessary resources (CPU/storage) to individual databases.
  • Built-in advanced intelligence and security.
  • Online change of resources (CPU/storage).

  Limitations:
  • Migration from SQL Server might be challenging.
  • Some SQL Server features are not available.
  • No guaranteed exact maintenance time (but nearly transparent).
  • Compatibility with the SQL Server version can be achieved only using database compatibility levels.
  • Private IP address support with Azure Private Link.

  Maximum size: databases of up to 100 TB.

  Hybrid connectivity: on-premises applications can access data in Azure SQL Database.

Azure SQL Managed Instance

  Advantages:
  • Supports almost all on-premises instance-level and database-level capabilities. High compatibility with SQL Server.
  • 99.99% availability guaranteed.
  • Built-in backups, patching, recovery.
  • Latest stable Database Engine version.
  • Easy migration from SQL Server.
  • Private IP address within Azure Virtual Network.
  • Built-in advanced intelligence and security.
  • Online change of resources (CPU/storage).

  Limitations:
  • There is still a minimal number of SQL Server features that are not available.
  • No guaranteed exact maintenance time (but nearly transparent).
  • Compatibility with the SQL Server version can be achieved only using database compatibility levels.

  Maximum size: up to 8 TB.

  Hybrid connectivity: native virtual network implementation and connectivity to your on-premises environment using Azure ExpressRoute or VPN Gateway.

SQL Server on Azure VM

  Advantages:
  • You have full control over the SQL Server engine. Supports all on-premises capabilities.
  • Up to 99.99% availability.
  • Full parity with the matching version of on-premises SQL Server.
  • Fixed, well-known Database Engine version.
  • Easy migration from SQL Server.
  • Private IP address within Azure Virtual Network.
  • You have the ability to deploy applications or services on the host where SQL Server is placed.

  Limitations:
  • You need to manage your backups and patches.
  • You need to implement your own high-availability solution.
  • There is downtime while changing resources (CPU/storage).

  Maximum size: SQL Server instances with up to 256 TB of storage. The instance can support as many databases as needed.

  Hybrid connectivity: with SQL virtual machines, you can have applications that run partly in the cloud and partly on-premises. For example, you can extend your on-premises network and Active Directory domain to the cloud via Azure Virtual Network. For more information on hybrid cloud solutions, see Extending on-premises data solutions to the cloud.

[Figure: Choosing a deployment option. Courtesy of Microsoft.]

[Figure: Migration tooling options.]

Data security & protection

Develop clear, simple, and well-communicated guidelines to identify, protect, and monitor the most important data assets anywhere they reside.

Identify and classify sensitive assets, and define the technologies and processes to automatically apply security controls.

Once the data you need to protect has been identified, consider how you will protect the data at rest and data in transit.

Data at rest: Data that exists statically on physical media, whether magnetic or optical disk, on premises or in the cloud.

Data in transit: Data while it is being transferred between components, locations or programs, such as over the network, across a service bus (from on-premises to cloud and vice-versa), or during an input/output process.

Data Classification

The data classification process categorizes data by sensitivity and business impact in order to identify risks. Once data is classified, you can manage it in ways that protect sensitive or important data from theft or loss.

The following is the list of classifications Microsoft uses internally. Depending on your industry or existing security requirements, data classification standards might already exist within your organization.
You can also define custom labels and information types with the SQL Data Discovery & Classification tool in SQL Server Management Studio (SSMS).

  • Non-business: Data from your personal life that doesn’t belong to Microsoft.
  • Public: Business data that is freely available and approved for public consumption.
  • General: Business data that isn’t meant for a public audience.
  • Confidential: Business data that can cause harm to Microsoft if overshared.
  • Highly confidential: Business data that would cause extensive harm to Microsoft if overshared.
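The data-at-rest and data-in-transit definitions above, and the SQL classification mentioned just before this list, are all checkable from one place on an Azure SQL database. The following PowerShell is an added example, not code from the Cloud Adoption Framework documentation. It connects with an encrypted, certificate-validated connection, reads the transparent data encryption state (at rest) and the session's encryption flag (in transit), then records a sensitivity classification on a column and lists everything classified. It assumes the SqlServer PowerShell module version 22 or later (whose Invoke-Sqlcmd is built on Microsoft.Data.SqlClient and supports the Authentication keyword), an Azure AD identity with access to the database, and the assumed names sql-workload-prod.database.windows.net, appdb and dbo.Customers(Email).

```powershell
# Added example (not from the CAF documentation): verify at-rest and in-transit
# protection for an Azure SQL database and record a sensitivity classification.
# Assumes the SqlServer PowerShell module v22+ (Invoke-Sqlcmd on
# Microsoft.Data.SqlClient), an Azure AD identity with access to the database,
# and the assumed names sql-workload-prod.database.windows.net, appdb and
# dbo.Customers(Email).

# Encrypt=True forces TLS; TrustServerCertificate=False makes the client reject a
# server certificate it cannot validate, which is what defeats an interception proxy.
$connectionString = 'Server=tcp:sql-workload-prod.database.windows.net,1433;' +
                    'Database=appdb;Encrypt=True;TrustServerCertificate=False;' +
                    'Authentication=Active Directory Default'

# Data at rest: transparent data encryption. encryption_state 3 means encrypted;
# anything else is a finding.
$atRest = Invoke-Sqlcmd -ConnectionString $connectionString -Query @'
SELECT DB_NAME(database_id) AS database_name, encryption_state, encryptor_type
FROM sys.dm_database_encryption_keys;
'@

# Data in transit: confirm that this very session is encrypted (encrypt_option = TRUE).
$inTransit = Invoke-Sqlcmd -ConnectionString $connectionString -Query @'
SELECT encrypt_option, net_transport, auth_scheme
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
'@

# Classification: tag the column so auditing and Defender for SQL can report access
# to it. The label and information type here are the SSMS defaults; adjust them to
# your organization's scheme.
Invoke-Sqlcmd -ConnectionString $connectionString -Query @'
ADD SENSITIVITY CLASSIFICATION TO dbo.Customers.Email
WITH (LABEL = 'Confidential', INFORMATION_TYPE = 'Contact Info', RANK = MEDIUM);
'@

# Read back every classified column in the database.
$classified = Invoke-Sqlcmd -ConnectionString $connectionString -Query @'
SELECT SCHEMA_NAME(o.schema_id) AS schema_name, o.name AS table_name, c.name AS column_name,
       sc.label, sc.information_type, sc.rank_desc
FROM sys.sensitivity_classifications AS sc
JOIN sys.objects AS o ON o.object_id = sc.major_id
JOIN sys.columns AS c ON c.object_id = sc.major_id AND c.column_id = sc.minor_id;
'@

$atRest     | Format-Table -AutoSize
$inTransit  | Format-Table -AutoSize
$classified | Format-Table -AutoSize
```

The classification metadata does nothing on its own; its value is that SQL auditing adds a data_sensitivity_information field to audit records for queries touching classified columns, so the at-rest and in-transit checks protect the bytes while the classification makes access to the important ones visible.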

Data management

Azure Data Catalog
Azure Data Catalog is a fully managed cloud service that serves as a system of registration and system of discovery for enterprise data sources. Data Catalog allows users to provide their own descriptive metadata – such as descriptions and tags – to supplement the metadata extracted from the data source, and to make the data source more understandable to more people.

Azure Data Catalog also allows users to provide their own complete documentation that can describe the usage and common scenarios for the data source.

This wraps up the Cloud Adoption Framework – Data Migration Overview.