BP Azure Platform Adoption - A Megalopolis Design. John Foster, Services Director – BP Microsoft Platforms. John Maio, Chief Architect – BP Microsoft Platforms. BRK2445.
The Megalopolis Architecture transformed BP’s journey to the cloud by creating smaller, portfolio-centric and app-centric subscriptions, thereby empowering DevOps teams. (Slide footer: Modernize IT – IT&S 2020 Vision: explore, think, do.)
Large Enterprise Mindset…
Platform service personas in the old model: Cloud Ops, Provisioning, PaaS, Database, IaaS, SecOps, Directory Services, NetOps.
Mindset and its impact:
• Mindset: Traditional data center model. Impact: Monolithic subscriptions; rigid controls.
• Mindset: Elaborate security controls. Impact: Manual processes for firewall rules; operational wrapper around every Azure service.
• Mindset: Separated AD domains. Impact: Off-the-market apps fail to lift & shift; legacy can’t be migrated.
• Mindset: Single orchestration for multiple cloud providers. Impact: Heavy customization; lost native capability.
• Mindset: Single operations team. Impact: Governance nightmare; overwhelming requests.
• Mindset: Can’t automate all. Impact: Reliance on manual processes; elongated provisioning & adoption.
• Mindset: Personas modeled after platform services. Impact: Innovation is hindered by processes; significantly lower rate of cloud migration.
Key Design Decisions… think cloudy
Personas (Hub and Spoke; P / S / T):
• Pioneer: Use services in a new way to provide innovative business value, with central operations, monitoring & templatization available but not a Pioneer’s primary focus.
• Settler: Develop cloud native solutions using existing or slightly different design patterns. Desire the use of central operations, monitoring, compliance & templatization.
• Town Planner: Have a set of known, industrialized products, and rely heavily upon central operations, monitoring, compliance and templatization.
Key Design Decisions (Azure Product Council):
• Smaller Portfolio Centric Subscriptions
• App-Centric approach using ARM
• Cloud Native tool usage over third party
• Empower Subscription Owner with more control
• On-premise domain usage
• Codified Policy Compliance and Security
• Self Service Automation
• VSTS plug-ins as accelerators
• Open source culture and approach
Megalopolis Platform Architecture (diagram)
Platform processes: Spoke Provisioning; Resource Group Provisioning; Service Consumption; Security, Compliance & Monitoring; Archetypes & Reusable Artifacts; Build Pipeline (VSTS).
Directory Services: GPOs; OU Structure; BP AD; Azure AD; Synapse.
Hub (Enterprise): Shared Services; Network Services; ExpressRoute & Peering.
Spoke (Portfolio): Core Resource Groups; Customer Resource Groups; Security Center; Monitoring & Patching; Reporting.
Roles: Spoke Admin; Service / Portfolio Owner; CE Delegates; SNow Team; DevOps Team.
Scope mapping (P / S / T management groups): Division • Management Group; Domain; Portfolio • Subscription(s); Service / App • Resource Group(s).
Spoke Provisioning for Portfolios (Cloud Environment Provisioning)
Process:
• Portfolio Owner Mapping & Management
• Creation of Business Products, e.g. Bots
• Creation of Platform Products, e.g. MAPS
• Management of utilization Costs
• Team management (JML of Spoke Admin & CE Delegates)
Architecture:
• ServiceNow is the brokerage tool
• Cloud provider specific orchestration
• Spokes are registered in CMDB
• Asynchronous Azure API calls for spoke provisioning
• AD Integration
• Services enabled at Management groups (PST)
• Subscriptions mapped to domains and portfolios
Diagram labels: Directory Services (GPOs, OU Structure, BP AD, Azure AD, Synapse); Spoke Admin; Service / Portfolio Owner; CE Delegates; SNow Team; Build Pipeline (VSTS); Customer Enablement; Division • Management Group (T / S / P); Domain; Portfolio • Subscription(s); Service App • Resource Group(s).
Resource Group Provisioning for DevOps
Process:
• Delegated Access to Provision Cloud Environments
• Chargeback captured at CE level tags
• AD integration and CMDB integration
• Creation of VSTS project
• Enablement of DevOps teams
Architecture:
• AD OU container mappings through tagging
• Cloud Environments and the ALM tool (VSTS) are aligned
• MAPS (Core) Resource groups
• Storage for Diagnostic Service Logging
• Recovery Services Vaults
• Management Services (Build Servers, Custom DNS)
• App Service Environments
• Network (Virtual Network, Subnets per App Requirements)
Customer Enablement:
• Cloud environment created
• RBAC assigned (Portal and Host access) for DevOps
• VSTS Project and Service endpoints created
• CE level OUs created
Diagram labels: Directory Services (GPOs, OU Structure, BP AD, Azure AD, Synapse); Spoke Admin; Service / Portfolio Owner; CE Delegates; DevOps Team; SNow Team; Build Pipeline (VSTS).
RBAC and Directory Services
Process:
• On-premise (BP1) domain usage
• Privileged account provisioning
• Service account provisioning
• Spoke admin and DevOps roles creation
• Azure AD Synchronization
Architecture:
• Extensible Hub and Spoke OU structure
• OU container mappings through tagging
• Granular GPO management
• Integration through Synapse API
• Protected AD privileged accounts and processes, e.g. Domain Joining and DNS registration
Customer Enablement:
• OUs created
• AD groups created
• Privileged accounts created
• RBAC assigned (Portal and Host access)
• Appropriate delegation for domain join accounts
Diagram labels: Directory Services (GPOs, OU Structure, BP AD, Azure AD, Synapse); Spoke Admin; Service / Portfolio Owner; CE Delegates; DevOps Team; SNow Team; Build Pipeline (VSTS).
Application Deployment - Automation (Service Consumption, Archetypes Repository)
Process:
• Shared Code Repository
• Network Segmentation
• Workflow for Spoke to Spoke communication
• Workflow for firewall enablement
• Distributed Database Management and Support
Architecture:
• Native ARM Support
• Core Resource groups
• Certain privileged actions are also done using policies on the Azure control plane
• Non-Prod and Prod Network segmentation through NGF & UDRs
• Archetypes Repository for blueprints and approved patterns
• VSTS extensions (DNS Registration and cert procurement)
Customer Enablement:
• E2E Automation and support for Build pipeline
• Supports all skillset levels
• VSTS extensions for Novice to Intermediate
• ARM for Intermediate and Expert level DevOps
Archetypes & Reusable Artifacts (Build Pipeline + VSTS Extensions): Azure SQL; Storage Template; Cosmos DB; Subnet Template; Windows VM provisioning; Linux VM provisioning; MySql; DF & DMG Provisioning; ASE Provisioning; Spoke Provisioning; Custom DNS Provisioning; Private Build Server; SQL Single Instance; Key Vault Provisioning; SSL Cert Procurement; DNS Registration; App Principal Registration; ASP Provisioning; SQL AON; Firewall rule automation; FDT.
Diagram labels: Spoke (Portfolio): Core Resource Groups, Customer Resource Groups; Hub (Enterprise): Shared Services, Network Services, ExpressRoute & Peering.
Application Deployment - Automation (Security, Compliance & Monitoring)
Process:
• Codified Security Controls for Compliance & Audit leveraging Azure policies
• Shared Security Accountability
• Patching through OMS Update Management
• Native Antimalware solution
• Automated CMDB through OMS Inventory Management
Architecture:
• Proximity based consolidation of Log Analytics (EU & US)
• RBAC and Azure Policies set boundaries for DevOps teams
• Azure Monitor and Security Center access for DevOps teams
• OMS Update Management specific to portfolios
• Access for Azure Alert creation
• Utilization Optimizations
• Inventory Management integration with ServiceNow
Customer Enablement:
• No dependency on 3rd party tools, so evergreen
• DevOps teams enabled to create alerts and monitoring dashboards for sophisticated operations & optimization
• Empowered teams to schedule their own patching routines
• Central team still has the ability to force patch
• Greater visibility for the SecDevOps team
Diagram labels: Security Center; Monitoring & Patching; Reporting.
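The deck states that chargeback is captured through Cloud Environment (CE) level tags and that security controls are codified as Azure Policy to set boundaries for DevOps teams. The definition below is an added illustration of how such a control looks in the Azure Policy language, not BP's own policy: it denies creation or update of any taggable resource that is missing the chargeback tag or carries a value outside an approved list. The tag name "CloudEnvironment" and the sample values are assumptions; a real assignment would sit at the management-group scope so every spoke subscription inherits it.

```json
{
  "properties": {
    "displayName": "Require a chargeback tag with an approved value",
    "description": "Added example, not BP's definition: deny resources without the CE chargeback tag or with an unapproved value.",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag name",
          "description": "Name of the chargeback tag (assumed name for this example)"
        },
        "defaultValue": "CloudEnvironment"
      },
      "allowedValues": {
        "type": "Array",
        "metadata": {
          "displayName": "Approved values",
          "description": "Cloud environment identifiers registered in the CMDB (constructed sample values)"
        },
        "defaultValue": [ "ce-bots-prod", "ce-bots-nonprod" ]
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "notIn": "[parameters('allowedValues')]"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

"Indexed" mode limits evaluation to resource types that support tags and location, so resource groups and non-taggable child resources are not blocked; switch the effect to "audit" first to measure the blast radius before enforcing deny on an existing spoke.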
Key success factors
• Constant guidance and help from Microsoft
• Challenging the age-old processes to modernize and automate
• Use native tools in Azure
• Keep it simple, follow Microsoft’s guidance
• Empower people; trust instead of control
• Do not solve future problems; remember the cloud is changing every day, so should you…
• Skilled team