Chapter 7: Multi-Cloud Management with Azure

In this chapter, we'll leverage the Azure Arc expertise we gained in previous chapters and expand on it by looking at multi-cloud scenarios. We will be learning about the multi-cloud management capabilities of Azure and Azure Arc.

We'll be covering the following topics:

  • Azure Arc enabled multi-cloud solutions
  • Azure managed multi-cloud solutions
  • Upcoming Azure Arc enabled services

Technical requirements

To follow along with this chapter, you need to have an active Azure subscription, preferably with owner rights at the subscription level, though rights at the resource group level will also work.

You can get a free trial at https://azure.microsoft.com/en-in/free/ if you do not have an Azure subscription already.

You may also need an AWS trial (https://aws.amazon.com/free/) or GCP trial (https://cloud.google.com/free) to test the multi-cloud scenarios.

Azure Arc enabled multi-cloud solutions

Azure Arc enabled solutions can easily expand into a multi-cloud architecture due to their underlying design, which allows them to run virtually anywhere as long as there's a supported OS and Kubernetes platform. In this section, we will learn about the compatibility of Azure Arc solutions with multi-cloud architectures.

Multi-cloud server management

Azure Arc enabled servers support the organization and governance of Windows and Linux machines hosted anywhere outside Azure. This includes multiple cloud virtual machines (VMs), such as the following:

  • AWS EC2 instances
  • GCP compute instances
  • Oracle Cloud VM instances
  • IBM Cloud VM instances
  • DigitalOcean Droplets
  • Alibaba Cloud Elastic Compute Service
  • Any other server infrastructure as long as server admin access is available

Onboarding multi-cloud server instances to Azure Arc works the exact same way that you'd onboard an on-premises machine. This includes the following:

  • Ensuring that the server OS is supported by Azure Arc
  • Generating the onboarding script
  • Running the script in your cloud platform VMs

You would then see the server as any other Arc enabled server instance.

Once the servers are onboarded, you can then use Azure tools such as Policy and Custom Script Extension with them irrespective of where they are hosted.

Please note that you must allow access to the required network ports for onboarding to be completed successfully. Please refer to Chapter 2, Azure Arc Enabled Servers, to learn more about the prerequisites for onboarding servers in Azure Arc.

Multi-cloud Kubernetes management

Similar to multi-cloud server management, onboarding Kubernetes to Azure Arc is the same irrespective of the hosting location. You can run AWS Elastic Kubernetes Service (EKS) and Google Kubernetes Engine (GKE) and manage them through Azure Arc enabled Kubernetes, leveraging the benefits of technologies such as GitOps and Azure Policy.

Hosting Azure data services on other cloud platforms

If you are currently using an AWS or GCP Kubernetes platform to host your workload and need a PostgreSQL Hyperscale data service for your environment, running the data service far from your workload may impact your workload's performance negatively.

Running Azure Arc enabled data services in AWS or GCP can eliminate such situations and you can keep your data close to your workload. You can run Azure PostgreSQL or SQL Managed Instance in any supported Kubernetes environment in AWS or GCP, just as you would run it in an on-premises environment.

Azure managed multi-cloud solutions

In addition to Azure Arc, various Azure services support the management and governance of other cloud platforms, such as these:

  • Azure Active Directory
  • Azure Monitor (Includes Azure Log Analytics)
  • Azure Security Center
  • Azure Sentinel
  • Azure Policy

Let's take a closer look at some of these solutions.

Azure Active Directory multi-cloud solutions

Azure Active Directory (AAD) is an authentication service that can be used by web applications as an identity provider. AAD supports authentication for AWS, GCP, Oracle, and many other cloud platforms, as long as supported federated authentication is provided. Let's look at some of the common cloud platforms that support AAD as an authentication service.

Authenticating AWS with AAD

AAD is one of the most widely used identity providers in the world. It is a very common scenario for organizations to use AWS resources while leveraging Microsoft's AAD and other M365 solutions.

Microsoft supports using AAD as an authentication provider for logging in to the AWS console. It helps by giving you a single identity source and single sign-on. SAML 2.0 is used for authenticating.

In addition to authentication, you can also use AAD groups to manage your AWS authorizations.

If you have a single AWS account, please follow the instructions here, https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/amazon-web-service-tutorial, to learn more about how to set up AAD authentication for AWS.

Please use this for multi-account AWS scenarios: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/aws-multi-accounts-tutorial.

Authenticating GCP with AAD

Google Workspace (previously known as G Suite) can use AAD as its identity provider, enabling you to use your AAD credentials to log in to Google Workspace. Since GCP also leverages the authentication service, this allows you to log in to the GCP console using AAD.

Please follow the instructions here to learn more about setting up GCP authentication with AAD: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial.

Authenticating Oracle Cloud with AAD

Oracle Cloud Infrastructure can use AAD as its identity provider, enabling you to use your AAD credentials to log in to the Oracle Cloud Infrastructure console.

Please follow the instructions here to learn more about setting up Oracle Cloud authentication with AAD: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/oracle-cloud-tutorial.

Azure Monitor

Azure Monitor with Log Analytics provides a powerful monitoring service for infrastructure and workloads running inside and outside Azure.

Azure Monitor can collect logs and usage data from various sources outside Azure, including the following:

  • VMs: Supported Linux and Windows servers running on AWS, GCP, and so on can have Microsoft Monitoring Agent (MMA) installed and send logs and usage data to Azure Monitor.

    Please refer to the documentation (https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview) to learn more about installing Azure Monitor agents and the supported OSes. You can follow these instructions and monitor your multiple cloud VMs using Azure Monitor.

  • Applications: Azure Application Insights can monitor web applications and various other types of applications for errors, performance, usability, anomalies, and much more. It supports applications developed on many platforms, such as .NET, Node.js, Java, and Python. You need to install a small Azure Application Insights instrumentation package in your application so that Application Insights can give you visibility into your application similar to if it was running in Azure App Service. Please follow Microsoft's documentation (https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview) to learn more about Azure Application Insights and its deployment.

  • REST API client: Any custom service or application can ingest logs and metrics by calling Azure Monitor APIs. Please refer to https://docs.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api and https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/metrics-store-custom-rest-api to find out how to ingest custom log or metric data into Azure Monitor from any cloud platform.
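As an added example (not Microsoft's sample code, and not part of the original chapter), the following Python client shows what the HTTP Data Collector API linked above actually requires of a REST client running on an AWS or GCP VM: the request body, the x-ms-date header and the resource path are signed with HMAC-SHA256 using the workspace's shared key, and the result is sent as a SharedKey Authorization header. The workspace ID, key and log records are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import urllib.request
from datetime import datetime, timezone

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"
# Constructed placeholders: substitute the workspace ID and its primary/secondary key (keep it secret).
DEMO_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
DEMO_SHARED_KEY = base64.b64encode(b"demo-shared-key-not-a-real-secret").decode("ascii")
# Constructed sample records from VMs hosted outside Azure; they land in the MultiCloudHost_CL table.
SAMPLE_RECORDS = [
    {"Computer": "ec2-web-01", "Cloud": "AWS", "Event": "sshd login", "EventTime": "2024-01-01T00:00:00Z"},
    {"Computer": "gce-db-01", "Cloud": "GCP", "Event": "disk 91% full", "EventTime": "2024-01-01T00:00:05Z"},
]

def build_string_to_sign(content_length: int, rfc1123_date: str) -> str:
    # Canonical string the API signs: verb, body length, content type, date header, resource path.
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n{RESOURCE}"

def build_signature(workspace_id: str, shared_key_b64: str, content_length: int, rfc1123_date: str) -> str:
    # HMAC-SHA256 over the canonical string, keyed with the base64-decoded workspace key.
    key = base64.b64decode(shared_key_b64)
    msg = build_string_to_sign(content_length, rfc1123_date).encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"

def build_request(workspace_id, shared_key_b64, log_type, records, rfc1123_date=None, time_field=None):
    """Return (url, headers, body) for one POST; the x-ms-date value is part of the signed material."""
    if rfc1123_date is None:
        rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records, separators=(",", ":")).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Log-Type": log_type,  # custom table name; Azure appends _CL
        "x-ms-date": rfc1123_date,
        "Authorization": build_signature(workspace_id, shared_key_b64, len(body), rfc1123_date),
    }
    if time_field:
        headers["time-generated-field"] = time_field  # record field to use as TimeGenerated
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return url, headers, body

def send(url: str, headers: dict, body: bytes) -> int:
    # POST over TLS; 200 means accepted, 403 means a bad signature or an x-ms-date too far from now.
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status
```

Because the key signs every request, treat it like a password on the cloud VM (secret store or instance metadata, not a script in plain text) and rotate it from the workspace's Agents management blade if it leaks.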

Azure Security Center

Azure Security Center (https://docs.microsoft.com/en-us/azure/security-center/) is a security posture management and threat protection service for workloads running in Azure, on-premises, or on other public cloud platforms. You can connect your multi-cloud servers to Azure Security Center and leverage its capabilities to protect your multi-cloud environments.

Azure Security Center for AWS

Microsoft provides a mechanism to connect your AWS accounts to Azure Security Center, which allows you to automatically provision Security Center agents to your AWS EC2 instances using Azure Arc enabled servers capabilities. Once your servers are onboarded to Security Center, you can use Security Center capabilities such as vulnerability assessments, threat protection, Microsoft Defender for Endpoint antivirus protection, and more for your AWS machines.

Please refer to the documentation (https://docs.microsoft.com/en-us/azure/security-center/quickstart-onboard-aws) to learn more about onboarding AWS machines to Azure Security Center.

Azure Security Center for GCP

Azure Security Center includes a GCP connector, which connects your GCP accounts to Azure Security Center, allowing you to protect and monitor your GCP workloads using Azure Security Center.

Please refer to the documentation (https://docs.microsoft.com/en-us/azure/security-center/quickstart-onboard-gcp) to learn more about connecting GCP accounts to Azure Security Center.

Azure Security Center for other cloud platforms

Since Security Center supports protecting any Windows and Linux supported servers, you can install the required agents and use it to protect servers running on any other cloud platform as long as you have admin rights.

Please read the documentation (https://docs.microsoft.com/en-us/azure/security-center/quickstart-onboard-machines?pivots=azure-portal) to learn more about onboarding non-Azure servers to Security Center.

Azure Sentinel

Azure Sentinel (https://docs.microsoft.com/en-us/azure/sentinel/) is a cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution by Microsoft. You can use Azure Sentinel to ingest logs and automate actions for workloads running inside and outside Azure.

Connecting AWS CloudTrail to Azure Sentinel

Azure Sentinel provides a native connector with AWS accounts, which sends all AWS CloudTrail (https://aws.amazon.com/cloudtrail/) logs to Sentinel for further log archival and action.

Please go to the documentation (https://docs.microsoft.com/en-us/azure/sentinel/connect-aws) to learn more about connecting AWS CloudTrail to Azure Sentinel.

Connecting Google Workspace to Azure Sentinel

Azure Sentinel includes a data connector for ingesting Google Workspace activity logs and events into Azure Sentinel through an Azure function app. The Azure function app fetches the logs from Google Workspace APIs and ingests them into Azure Sentinel.

Please see the documentation (https://docs.microsoft.com/en-us/azure/sentinel/connect-google-workspace) to learn more about connecting Google Workspace to Azure Sentinel.

Connecting other workloads to Azure Sentinel

If your cloud platform does not have a direct connector available for Azure Sentinel ingestion, you can choose to forward logs to a Syslog machine in your cloud platform and let Sentinel ingest the log data from Syslog.

Please refer to the documentation (https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog) to learn more about Azure Sentinel log ingestion from Syslog.

Azure Policy

Azure Policy (https://docs.microsoft.com/en-us/azure/governance/policy/) includes guest configuration agents that can govern and manage configurations on Windows and Linux machines.

Azure Policy guest configuration capabilities can be used to manage the configuration of Windows and Linux servers hosted on other cloud platforms, including AWS EC2 and GCP compute instances. Please refer to the documentation (https://docs.microsoft.com/en-us/azure/governance/policy/concepts/guest-configuration) to learn more about guest configuration management with Azure Policy.

Upcoming Azure Arc enabled services

Azure Arc is a continuously innovating service; it will continue to add new capabilities and services under its umbrella.

At the time of writing of this book, the following services have been announced:

Please stay up to date on the Azure Arc service by checking this documentation regularly: https://azure.microsoft.com/en-in/services/azure-arc/.

Summary

In this chapter, we learned about Azure's multi-cloud solutions and management capabilities. We started by learning the fact that as long as you have a supported server and Kubernetes infrastructure, you can use Azure Arc to manage your multi-cloud environments. Later, we learned about several other Azure services and their multi-cloud capabilities.

This concludes this chapter as well as the book. We hope you have enjoyed reading this book. We hope it was useful to you in learning about hybrid cloud management with Azure Arc. You should be able to plan and implement a centralized governance strategy for servers in your hybrid and multi-cloud environments. You should also be able to run Azure's PaaS data services on your hardware, providing best-in-class database services for your engineering teams.

Azure Arc is an ever-evolving service: you can expect new features to be added to existing offerings and brand new services to be launched regularly. It is recommended to stay up to date through Azure's blogs and Microsoft's documentation to ensure that you're configuring things the right way and that you're continuing to learn about new additions to Microsoft's hybrid cloud strategy, which should help you grow in your career.
