Cloud architecture landing from Party A's perspective: architecture background (2)

Previous article: Cloud architecture landing from Party A's perspective: architecture background (1)

In the previous article, Cloud architecture landing from Party A's perspective: architecture background (1), I introduced the preparation work that needs to be done in the early stage of developing a cloud architecture: mainly understanding the business drivers, the IT strategy, the maturity assessment, and defining the architecture principles. From a technical perspective these things look rather "virtual", but from a management perspective (Party A's perspective) these "virtual" things often tell the better story, and it is precisely these "virtual" things that lay a solid foundation at the strategic level for the "real" work that follows.

So in this article we focus on the cloud architecture vision as I see it. To re-emphasize: because of my personal experience and limited space, the main cases use a Microsoft public cloud landing as the project background.

 

Architecture Vision Phase:

 

1. Project initiation

Generally speaking, in large and medium-sized enterprises a cloud infrastructure lands as a project. The foreign companies I have worked at all had their own project management system, basically a customized cut of PMP or PRINCE2. In recent years agile methodologies have appeared as well, but personally I think a cloud infrastructure project is not entirely suited to agile.

If the company does not have a mature project management system, then at least acquire basic project management knowledge, grasp the basic elements and processes, and keep control of the overall project. I also recommend that every Party A IT professional at least study PMP; otherwise, when someone brings up the most basic project terms, you may be left in a fog.

 

2. Identify stakeholders

Identifying stakeholders is a very important part of both project management and infrastructure development, because their concerns tend to determine the architecture you finally deliver.

In general the stakeholders of a cloud architecture are the application departments, the application architects, the operations and maintenance team, and the related management personnel, local or global.

Beyond identifying them, you also need to understand each stakeholder's level of power and interest. The more stakeholders there are, the harder it is to make everyone happy, and at that point you have to make choices. For example, if a person is not in a high position and has little influence on the final architecture, then no matter how much he likes to express his unique concerns, you do not need to spend too much energy on him. In some cases you do not even need to notify or align with him; just go live with the final result.

 

3. Determine the IT strategy and constraints

Before starting the design of a cloud architecture, the overall IT strategy and the business requirements must be confirmed. There are many kinds of cloud architecture patterns, so there is no absolute right or wrong, only suitable or not. It is like blind dating: the one you find too plain may be a treasure in someone else's eyes. At least the following must be decided here:

--- Public cloud, private cloud or hybrid cloud

The decision is generally based on the budget situation, compliance requirements, and the type and sensitivity of the business data.

--- Single data center or multiple data centers

Mainly based on budget and the business continuity requirements of the applications.

--- Single cloud or multi-cloud

Mainly based on the differences between the technology components of the different cloud platforms, and on how dependent the application itself is on a platform.

--- Which one or several cloud vendors to use

Based on the single-cloud or multi-cloud decision above, a comparison of service fees, the qualifications of the vendors, and the global selection criteria.

 

4. Assess capability

Assess the enterprise's current staff. For example, if your technical team is already more familiar with Azure or AWS, lean in that direction when selecting a cloud vendor; when selecting partners you can also refer to the corresponding MSP list.

 

5. Define scope

This is the range of areas your infrastructure project will cover. Be clear about what falls within the scope of your baseline and target architectures. Generally an infra-level cloud architecture covers at least the following:

  • The overall cloud management platform
  • IaaS: network, virtual machines, storage, etc.
  • PaaS: automation, application and database services, and other related components
  • Security: platform security (authorization and authentication), host security, application security, perimeter security
  • Business continuity: backup and recovery, disaster recovery
  • Monitoring and alerting
  • Audit and log analysis

If the infrastructure project also touches applications, middleware or data exchange, the additional specific areas need to be aligned with the application architects and the application teams.

 

6. Confirm Architecture Principles

Before developing the architecture vision, reconfirm that the architecture principles defined in the preparation phase are clear enough. If a principle is still ambiguous, rework and redefine it promptly.

 

7. Develop the architecture vision

After so much preparatory work, it is finally time for the substantive technical part. But here too it is only the beginning: the output is just version 0.1 of the architecture definition, a high-level draft.

One very important thing to use here is business scenarios. You might ask: I am doing infra, do I have business scenarios to consider?

As I said before, all the applications living on your cloud are your customers, even if they are your own internal IT customers, so there must be corresponding business scenarios, which in our context here are called . Many of these business scenarios are linked to the stakeholder interests, the IT strategy and the constraints identified earlier. Taking Azure as the example, here are a few cases.

--- Your company has multiple BUs, and each BU hopes its own IT can manage its own services independently so as to better serve its own business needs

In this scenario, you may need to consider a multi-subscription approach when building the Azure-based cloud platform.

--- An important business order system needs to exchange data with the company's internal SAP system, and network stability and continuity must be guaranteed

Those who have studied Azure will know that in this case the first reaction is usually ExpressRoute plus S2S VPN. The overall cost of ER is not low, but precisely because the demand for stability and performance of cross-network transmission is so high, such a scheme is generally considered.

Beyond the demands coming from business scenarios, the overall cloud infrastructure design also has its own priority considerations. Taking Azure as the example, before going into any specific technical details the following questions must be confirmed first; otherwise changing them later, once applications are live, will consume a great deal of manpower and material resources:

  • Subscription management

At the moment, multi-subscription management comes down to nothing more than the following:

    • A single, unified subscription
    • One subscription per business unit or department
    • Production and test environments isolated by subscription
    • One subscription per project

From a layman's point of view, the latter modes seem more reasonable than the first one. Unfortunately, among the companies I have encountered with relatively strong infra management, the vast majority use single-subscription management.

From the perspective of environment isolation and resource permission management, whether or not you split subscriptions actually makes little difference. IaaS and PaaS resources in different subscriptions can still communicate over the Azure public network without any ACL, and permissions can be controlled with RBAC at the resource group level to achieve the same effect. The most intuitive benefits of splitting subscriptions are only two: it is more intuitive, and different BUs or departments can control their own. If you make good use of resource groups and tags, resource classification is in fact not a problem. So where there are multiple subscriptions it is generally the second mode, mainly in order to define the respective boundaries.

Personally I do not recommend one subscription per project: first, it wastes IP resources at the IaaS layer; second, the environments become too independent and inconvenient to manage, and once projects multiply it becomes exceptionally messy. Also, even with a single subscription, you can still set up a separate subscription for studying and testing new features, similar to the IT department's own sandbox environment.

 

  • The basic network model

Not much to say here: the most recommended mode, and also the one most frequently used in business, is the hub-spoke network architecture.

There is a core VNET that acts as a hub connecting the other VNETs and the external and on-premises networks. This design meets the traditional security isolation requirements between internal and external networks, makes maximum use of your infra services such as patch management, monitoring, backup and anti-virus, and also allows centralized traffic control. Since global peering went live on Azure China, even VNETs in different regions and different subscriptions can be peered. So from any angle this design has everything to gain and nothing to lose.
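As an added example (not code from the original post), the hub-spoke layout described above expressed as a Bicep template: a hub VNET holding the gateway, firewall and shared-services subnets, one spoke VNET per BU, and bidirectional peering. It assumes everything sits in one resource group; for the cross-subscription case the post mentions, the remote VNET id would simply point into the other subscription. All names, address spaces, the region and the `hubHasGateway` parameter are constructed for illustration.

```bicep
// Added example, not from the original post: a hub VNet, one spoke VNet per BU and
// bidirectional peering. Names, address spaces and the region are constructed.
param location string = resourceGroup().location
param hubHasGateway bool = false   // set true once a VPN/ExpressRoute gateway exists in the hub
param spokeAddressSpaces array = [ '10.1.0.0/16', '10.2.0.0/16' ]   // constructed: BU A, BU B

// Hub: shared services (patching, monitoring, backup, AV), the gateway and the firewall live here.
resource hub 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      { name: 'GatewaySubnet', properties: { addressPrefix: '10.0.0.0/24' } }
      { name: 'AzureFirewallSubnet', properties: { addressPrefix: '10.0.1.0/24' } }
      { name: 'snet-shared-services', properties: { addressPrefix: '10.0.2.0/24' } }
    ]
  }
}

// Spokes: address spaces must not overlap with the hub or with each other, or peering fails.
resource spokes 'Microsoft.Network/virtualNetworks@2023-05-01' = [for (space, i) in spokeAddressSpaces: {
  name: 'vnet-spoke-${i}'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ space ] }
    subnets: [ { name: 'snet-workload', properties: { addressPrefix: cidrSubnet(space, 24, 0) } } ]
  }
}]

// Hub -> spoke: allowGatewayTransit lets spokes reuse the hub gateway; allowForwardedTraffic
// admits packets the hub firewall forwards on behalf of other spokes.
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = [for (space, i) in spokeAddressSpaces: {
  parent: hub
  name: 'peer-hub-to-spoke-${i}'
  properties: { remoteVirtualNetwork: { id: spokes[i].id }, allowVirtualNetworkAccess: true, allowForwardedTraffic: true, allowGatewayTransit: true, useRemoteGateways: false }
}]

// Spoke -> hub: spokes are not peered with each other, so spoke-to-spoke traffic has to be
// routed (UDR) through the hub firewall, which is what gives the centralized traffic control.
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = [for (space, i) in spokeAddressSpaces: {
  parent: spokes[i]
  name: 'peer-spoke-${i}-to-hub'
  properties: { remoteVirtualNetwork: { id: hub.id }, allowVirtualNetworkAccess: true, allowForwardedTraffic: true, allowGatewayTransit: false, useRemoteGateways: hubHasGateway }
  dependsOn: [ hubToSpoke[i] ]   // the hub side must offer transit before the spoke side can use it
}]
```

Note that `useRemoteGateways` can only be enabled after a gateway actually exists in the hub, which is why it is parameterized rather than hard-coded.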

Apart from these two decisions, the cost of changing the rest of the design later, even after some modifications, is not particularly large. What you should consider more at this stage is which services are needed, and whether each is built from the cloud platform's own offering or integrated from a third party. A few examples for reference:

--- WAF: you can use the relatively low-cost Azure Application Gateway, a third-party WAF image from the Azure marketplace self-built on IaaS, or even purchase a third-party SaaS service such as CloudFlare. But in any case you must have a baseline in mind, such as supporting at least OWASP 3.0.

--- Backup: the Azure platform's own MARS, MABS, Azure IaaS backup and other backup solutions meet most application scenarios. You can also integrate some third-party services for special requirements.

--- Monitoring: Azure Monitor itself monitors the resources on the cloud. You can still combine traditional monitoring software running on IaaS to strengthen your monitoring system, from the free and open-source Zabbix, to the mature commercial product SolarWinds, to the recently popular Prometheus. If you want granular application-level performance monitoring, troubleshooting and optimization, you can consider Dynatrace. The more powerful the performance monitoring product, the higher its relative cost; but if you intend to move a system as important as ERP to the cloud, do not worry too much about cost control at this level. Compared with a SAP landscape costing tens of millions, this is really a fraction, and a powerful monitoring product will help you greatly with future debugging and optimization.

--- Log analysis: Security Center and Log Analytics, recently released in China, make up for the shortcomings in this area to a great extent, but if you need more comprehensive log analysis, integrating a third-party solution is also essential.
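For the WAF baseline mentioned above ("at least OWASP 3.0"), here is an added example (not from the original post) of what that baseline looks like as an Application Gateway WAF policy in Bicep. The policy name, body-size limits and the choice of rule set version 3.2 are constructed for illustration; the policy is attached to a gateway through its `firewallPolicy` property.

```bicep
// Added example, not from the original post: a WAF policy that enforces the OWASP core rule set
// in Prevention mode. Name and limits are constructed; attach it to an Application Gateway.
param location string = resourceGroup().location

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'wafpol-edge'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'          // 'Detection' only logs matches; use it while tuning, then switch
      requestBodyCheck: true      // without this, rules never see POST bodies
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      managedRuleSets: [
        { ruleSetType: 'OWASP', ruleSetVersion: '3.2' }   // satisfies the "at least OWASP 3.0" baseline
      ]
    }
  }
}

output wafPolicyId string = wafPolicy.id   // set this as the gateway's firewallPolicy.id
```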

The above are just a few examples for developing a high-level framework; the technical details are dug into and analyzed during architecture definition. And although I mentioned some products commonly used in the industry, at this stage you do not need to determine the final selection; what matters more is that the required services are positioned properly in the architecture.

 

8. Identify risks and mitigation measures

Every project has risks. Besides the ones often encountered in projects, such as insufficient funding or insufficient delivery time, the risk that appears most often in cloud architecture is this: the ideas you drew in Visio turn out, during landing, to be very difficult to implement at the technical level, and future maintenance is also time-consuming and labor-intensive.

On this one issue, my personal opinion:

Generally the architecture or solution is designed by the architecture team, deployed and landed by the engineering team, and then maintained by the operations team. If all three roles are actually one person, you, then it is a pit you dig yourself and fill yourself; third-party vendors may assist you, but the technical aspects you still have to check yourself. The biggest taboo is letting the vendors negotiate among themselves; the final result is often that nothing gets handled. If the company's division of labor is clearer, the architect should involve the other teams as early as possible, so that some of the risks and problems can be identified early in the architecture work and mitigation measures found earlier.

I recently watched a Chinese-made film, "Dream Love", which has a plot like this: a designer drew architectural drawings without any site implementation experience, the drawings did not take the difficulty of construction into account, and as a result the foreman went on strike on the spot and accused the designer of just sitting in the office drawing pictures without understanding anything; in the end the blueprint had to be redesigned.

Now the idea of DevOps is to put the development and operations teams together seamlessly. Looking at the problem from different angles helps a cloud architecture landing plan too, and often gives you an unexpected harvest.

 

9. Develop the statement of work and approve the project

This is more about determining and approving the SOW from the project perspective, and can be completed according to each company's own process requirements.

 

This completes the introduction to the architecture background. Next I will start talking about some more detailed, technical aspects of architecture definition. Comments and discussion are also very welcome.


Origin www.cnblogs.com/tenghaohua/p/11167389.html