Cloud Adoption Framework: Introduction landing zones for Terraform

Captions
Thanks everyone for joining today's session on the Microsoft Cloud Adoption Framework, and especially on accelerating the deployment of the Cloud Adoption Framework with the landing zones using Terraform. Today I'm with Arnaud, a regular of this show. Nice to meet you, thanks for being here again on this show. So today is about a couple of things: how you accelerate the deployment of Microsoft Azure using Terraform. The agenda for today is very simple: first, an introduction to the very fundamentals of the Cloud Adoption Framework, then we're going to talk about the landing zone concept, how you create your first landing zone, how you customize the following deployments, and basically just getting started with it.

So before I talk about the landing zones and the blueprints, I want to make an analogy with what we are trying to achieve and trying to build here when it comes to Azure. It's very similar to an airport. If you take the analogy of an airport, there are so many things you need to do: building the hallways, making sure that the planes will be able to have a car park, making sure that you will be able to build your terminal to welcome the people who are going to be at this airport. You will create an experience for departure and arrival; people have to check their boarding pass, and their identity as well when they go through the border. So you see, an airport has different dimensions, but at the end of the day it's also about creating a unique experience for the people who are going to be at the airport, like the beautiful dome in the airport you can see, trying to make this experience quite unique and different from all the other airports that we know. So building a virtual data center on Azure is very similar to that: we need to make sure that we are going to be able to onboard all those different airlines, because those airlines need to bring some people in and out, and that's how you measure the success. But before you can do that, you need to make sure that you connect all the dots; everything must be working properly, like in an airport.

So for a virtual data center, if I go to the Microsoft Cloud Adoption Framework, we need to follow exactly the same approach. The Microsoft Cloud Adoption Framework that you see here on the summary slide focuses on defining the best practices that Microsoft has been learning over the last decade: the virtual data center, the scaffolding. It's all about aggregating those best practices in order to be able to focus on building those foundations, connecting the dots, to make sure that you can focus on what matters. What matters when we do digital transformation is focusing on migration, modernization and innovation, which you can see in the adoption phase of this framework. What we are going to focus on today with the Azure landing zones and blueprints is the readiness aspect and the adoption, but if we focus just on the readiness aspect and the adoption without including the governance and the management, we will not be able to be ready and to open that to the public. So we want to make sure that whatever we do can be usable in production. So the Cloud Adoption Framework methodology that we've got, and that we're going to present today in this webinar, focuses on those different aspects. If I go to the Ready section of the Cloud Adoption Framework, we see the set of resources and guidelines that explain how you manage all your different resources, but then we focus very much on the landing zones: the infrastructure, the identity, the governance, the management, and then a different set of blueprints. The blueprints will be very much like your building blocks, to be able to construct your data center, your solutions, your applications, like for example an AKS cluster with Kubernetes; it could be a web app, it could be DevOps. And then the landing zones are also going to reuse all those different components to make sure you can start deploying your applications.

You can then focus on migration. Some customers want to start a digital transformation focusing on migration and modernization, so you can rehost, you can optimize, you can also include the security. Some customers want to focus on innovation, so they want to use the cloud as a way to innovate and want to embrace machine learning; they want to refactor, or they want to rearchitect, you know, the five Rs that we have; they want to maybe rebuild from scratch something that was fit for purpose, but they want to embrace innovation, a DevOps culture. I think something that we see is that many customers are actually doing the two at the same time: they are actually trying to decommission their data center, get savings out of that, to then have more money and more energy to spend on the innovation as well. So that's really what we see, those customers tackling those two challenges at the same time. So how do you achieve this? Well, the Cloud Adoption Framework and the landing zones basically offer you accelerators to go this way.

Absolutely. So let's go to landing zones: what is it all about? Well, that's really the value proposition. What we are insisting on is some prescriptive architecture guidance that we're giving from the Microsoft field, so that's really those things that we are deploying every day, you and I and many other engineers, with our customers, and really getting direct guidance that says: do that, it's proven to work, it's how we do that for a big organization, and it's how it fits in maybe a small organization. What we wanted to do with those Cloud Adoption Framework landing zones is that obviously it's aligned with the guidance of the Cloud Adoption Framework. So the Cloud Adoption Framework comes with a set of decision trees for your deployment, for your decisions on compute, storage and network; well, that's all directly aligned with those constructs that we build in the landing zones. It's really important to mention that it is enterprise grade and it is inspired by FSI requirements, so that's from the strictest type of deployment that we see: we want to have auditing, accounting of whatever is happening on the environment, and that's really one of the focuses that we want to have, that out of the box all those production-grade, quality-grade deployments are in the box by default without you having too much to worry about. So in a way it's kind of best practice in a box: you just have to unfold it and all the things come alive. But what we really wanted to focus on is to have a lower entry cost to infrastructure as code: we wanted to have a code base that you can rely on to deploy very easily an environment that comes with all the building blocks that you need to have. It's community based: we make that available on GitHub too, you're free to fork it, to create pull requests and enrich it, use it in your environment, add your own value and ultimately accelerate the delivery of value for you or for partners. And we really had a focus on how to make it easy to customize, deploy and reuse in multiple environments. So those are really the aspects that we focused on when we created those landing zones.

Now, to give a quick example of what a landing zone is: we provide you with a set of landing zones that are available on the GitHub repository. So a landing zone, for instance, would be this deployment here that includes all my core resources inside my hub operations and my hub core security, where I have my Log Analytics repository with the solutions for Log Analytics, or I have my subscription logging, which is automatically put into a storage account and into an event hub, and the same thing for the security events and the operations logs: they go to a storage account for long-term retention and an event hub for fast access to the data. And as well, as you see on the left part of the screen, it comes with automatically deploying Security Center, adding the right policies that you have in this environment, so Azure Policy to drive the behavior of the subscription, maybe restrict some of the behavior to make sure that you're compliant with some frameworks, for instance, and deploying a set of technology. So if you look at this environment, you have in the resource group hub core network one network shared services with a set of virtual networks; you see that by default, out of the box, it comes with the right network security groups, with the service endpoints that are aligned with that; and we come with the egress blueprint here, having the Azure Firewall with a public IP address, with the right UDR object that allows you to redirect all the traffic to this guy. So that's really out of the box, all those capabilities that we have in a landing zone: it's a complex environment that deploys ready to use, let's say a bed to lay my applications on.

So what's the bill of materials? Well, basically we provide you with the set of Terraform landing zones, with a set of blueprints, a set of modules, and we're going to see later what it's all about, and we provide you as well with some deployment and design guidance: how to create your RBAC model, how to create your access delegation to the environment. And it's all available on GitHub; you can find that on aka.ms/tf-landingzones, and you can download all those elements out of there. So let's start with our first focus on the tranquility blueprint. This is one of the first blueprints that we use in the landing zone, and as you see this one is about operations, deploying all the operations logging fundamentals: Log Analytics for the best practices analysis for my Active Directory, my AD replication, my DNS analytics and my Key Vault analytics, Security Center, the activity logs of my environment, and all of that. Let's see in a demo how we put that in action.

Let's get started and deploy our first Cloud Adoption Framework landing zone based on Terraform on Microsoft Azure. The first step is to clone the Git repository that we have, and then execute the launchpad, which is going to set the foundation for our environment. The launchpad, as we see, is going to deploy a set of primary resources, for instance a key vault where I have restricted the permissions and where I will store the secrets, a managed identity, and a storage account that I will use to store the Terraform state. The next step is to run my terraform plan, so that I'm going to deploy the different modules in my landing zone, and I'm going to see that amongst them there is Security Center, a set of resource groups, Log Analytics and Log Analytics solutions. Once I've done that, I can run my first command using my apply command, and this is going to really deploy the resources within my subscription. After a couple of minutes you see that those resources are coming to life, and if you go back to your subscription you will see that you can filter the resources by tag, as we are leveraging it, and you can see that you have in the core security the activity logs for your subscription; you can see that in operations you have your Log Analytics and a set of solutions to analyze the health of DNS and Key Vault, for instance, and also an event hub for the operations logs and a storage account for the longer-term retention. So this is how to get started with the landing zones using Terraform on Microsoft Azure.

Thank you for this demonstration of the tranquility blueprint. So what you can see now is that we can extend with additional blueprints as well when you build your virtual data center. So let's focus on the policies: as you see, the policies here can focus on the capabilities of your virtual data center and focus, for example, on restrictions of location, a selection of services, defining if you want to authorize or not some public IP addresses. So there are different elements like that that you can include in the policies. You can do the same for Security Center if you want to monitor additional security information; the idea of the Security Center is to make sure that by default everything will be evergreen, so you can identify before you start deploying anything that these policies are going to enforce that this is what you can do, and this is what you cannot do. This blueprint, shared services, is another one that we are going to use to lay out the networking, and that will be the foundation of my shared services network. So in this example what we are putting in is an Active Directory subnet; it can be a SQL Server subnet, it can be a network for monitoring. So there are different options, but as you can see, those elements are designed to focus only on shared services. So the idea that we're going to demonstrate in this presentation is how you can build your first landing zone.

Let me share a little bit more on this landing zone. The previous demo was using Cloud Shell to deploy my environment; I'm now going to do that on my Windows laptop, cloning the repository to my local machine. So I'm in Visual Studio Code, and you can see that I'm going to open a terminal. I'm using Windows Subsystem for Linux; this is a preview Windows Insider build where I'm using WSL 2 and running Ubuntu on it. I'm going to go to my Git repository where I have the files and I'm going to clone the blueprints locally on my machine, so I get the URI for the repository and I'm just going to run git clone locally. Going back to Visual Studio Code, here we go, I'm starting to download the components and I have them locally available. So you see that I have the launchpad, all the data for the launchpad, then I have the blueprints, and I have the landing zone, which is the level one we're going to see in this environment. So here you see all the technicalities: the provider versions, the data providers that we're using for the Terraform state, and you see that we have for the landing zone the auto.tfvars; for usability, that's the default template that we provide that you're able to tune: an environment, set a couple of variables, and be able to quickly get started with the environment.

So here I have a couple of extra resource groups; I don't need them, so I can remove them. I just keep the diagnostics logs for 30 days, and I have a set of tags that I'm going to customize here for just the lab environment that I'm going to deploy. You can see that I can customize the name of my Log Analytics workspace, and I can customize the email address for Security Center where I'm going to send the alerts. I have a set of Log Analytics solutions as well, and if you look at the details, actually you see that the landing zone is calling a blueprint, which is tranquility, and tranquility is actually a set of modules that are at the very foundation of your subscription, like Log Analytics and Security Center. So that's how it is coded: from here I'm going to actually call other modules that are stored inside the GitHub repository. So if I launch the first script, I'm going to see that the first step that I need to complete is to run the launchpad. So the launchpad is going to set the whole environment with the Key Vault repository and all the technical prerequisites I need to run my landing zone: it's creating the user application identities, it's creating here all the information that we have to store the Terraform state inside a storage account, and restricting the write permission for it. Once it's completed, you can see that I'm uploading the Terraform state inside this very storage account that I created previously, so you can see that in the blob tfstate, here we go, that's where my shared state is actually stored. If I go back inside my environment, then I need to run the landing zone. So the first step is running the landing zone VDC level one, and I'm going to do a plan to check what resources are going to be deployed. You can see that at this stage this is when I'm downloading all the different modules and I'm downloading the different providers for Terraform with the version constraints I specified in my source code. You can see also in here that we have the set of modules that are being called with different arguments, and how it's going to look in my deployment. So here we go, we have 19 objects that are going to be deployed, so I'm going to run the apply, and after a couple of minutes all the elements are going to come to life inside my subscription. That's completed, so now back to my subscription, and let's see a little bit more clearly here by filtering based on the tags that I'm having: those two resource groups as I defined them, with the storage account and event hub for my activity logs, and inside there is hub operations, which is where I have stored the Log Analytics repository, and the same thing, the event hub and the storage account as well. We don't see it here, but there's a Security Center that has been deployed for me at the same time, and it's configured to my email.

So we've just seen our first landing zone and the deployment of the first landing zone. We can go way further, accumulating the landing zones on top of each other to create a really complex environment. So we see here that we have our egress, our core network, and we added transit, and why not? It's very common in the environment that we're going to add some features like the ingress, for instance. So I would like to add in my environment maybe my next-generation firewall, my web application firewall for the inbound path, and that would be the one that will be publishing centrally my web applications to the outside world. So let's do that in a demo where we're stacking up the landing zones in an environment.

So let's go big: tranquility is just the green side of this screen, and now we're going to deploy all the rest around it. So you see that I actually have additional landing zones inside my environment. Tranquility you already know; I'm going to add a couple more resource groups that I need for the deployment of this environment, and that's it for this one. I'm then going to check the configuration for the level 2, so as to be able to add all the networking aspects of my environment plus some operational aspects. You see that a landing zone is actually calling a set of blueprints, and those blueprints you have are the egress, the shared networking and the operations, each of them being called by their own Terraform file. So if you look at an example here, I'm configuring the network information for my shared egress network: I'm putting the IP address space, the different subnets, the DNS that I want, the public IP address name, the name of the Azure Firewall that I'm going to create to filter the egress; and then that's my shared network, and you see that I put here all the lists of my NSGs, my network security groups. In my operations here I'm tuning the name of the automation account and the Azure Site Recovery vault. So in the meantime I'm going to do the launchpad again; I'm going to start the deployment from scratch, deploying all the information here. In the meantime I can look at this content, and I can see that actually the networking egress and shared services are actually calling a set of blueprints. So let's have a look at what's inside those blueprints. If I go and start with shared egress, you can see that from this guy I am actually deploying first the virtual network, then a public IP address, then once I have that I'm deploying the Azure Firewall, I'm deploying a set of rules for this Azure Firewall, and I'm also creating a user-defined route object. You can see also here that I'm configuring some sample routes to authorize communication to Microsoft, to authorize communication to Windows Update, Azure Backup and Azure Site Recovery. I can have a look at the operations blueprint, and you can see that from this guy we are actually going to call two things: Azure Site Recovery and Azure Automation. So the operations blueprint is responsible for populating only those two components for my environment. So here you see the stacking: a blueprint is actually a set of modules, and a landing zone is actually a set of blueprints, so that each of those components is very specialized; it is doing only one task, but is doing it well, so you're not afraid to update a different component, and you can also make your environment easily evolve inside the deployment.

So I'm going to run it, and actually what we see after a couple of minutes, if I fast-forward a little bit, is that all the components are coming to life. So here we go, you see that we have all the components. So if I go to the core network, I see that all my network security groups are present, so we see the LDAP and RPC endpoint mapper rules for my network security group; I have my different subnets with the network security groups attached, and I have also configured peering to the egress virtual network that is also being deployed within the subscription. Now I can go back and I can see that, for instance, when I'm going to see the egress network, I have here all the egress configuration with my virtual network, the Azure Firewall that is tied to it on 10.04, and when I go back to this environment I see that I have a UDR object that points to the Azure Firewall. If I go to the Azure Firewall, I see that here I'm having this public IP that is being used, and I can see that I automatically have the diagnostic settings configured, so all the logs, I have them already, no need to do further action; and I also have a set of template rules that I've seen in the code a couple of seconds ago, with my URL filtering and with my tag filtering to authorize communication from this network to Azure Backup, Windows Update and Azure Site Recovery. Then I can see in the operations I have my Azure Automation account and my Azure Site Recovery, and I have my backup policy that I created in Terraform as well, which is present here for me and ready to serve my virtual machines. So here we go, that's how much you can play with those Terraform landing zones and how it really accelerates the way that you're deploying things on Azure, allowing you to focus on what matters, allowing you to prototype faster deployments with your customers or yourself internally in your organization, and really iterating fast, iterating, improving at each iteration, learning from those deployments. That's really what we wanted to have with those landing zones: easy to get started, easy to build complex stuff, being extensible, and being a community work, so taking contributions from internal Microsoft architects, people from our community, people from our partners. That's really what we have in mind for that. So really start playing, start deploying your first landing zone like we just did in this demo: aka.ms/tf-landingzones, and that's available there.

You can go further with a set of resources. So you've got the Cloud Adoption Framework, the methodology, where you've got all the details of what the CAF covers; you've also got the virtual data center, the VDC, which is a good way to see those reference architectures, the hub-and-spoke topology and how to organize all the different resources. If you are very new to Terraform, there's also a good way to start, using the Azure Citadel for Terraform, a very good way to understand how to start with Terraform on Azure. And of course, I know we've got your famous blog; if you have not subscribed yet, please do. And we've also got a YouTube playlist where we've got the whole set of videos on the landing zones that you will be able to follow over time. So we're still taking a couple of questions in the chat box right now, so don't hesitate, happy to take any of your questions. And again, thank you for joining this session and thanks for your attention. Don't forget, in the next module we're going to do a deep dive into how all the things that we showed are architected and how you can go deeper in the configuration out of that. Thank you again and see you in the next session.
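The core-security piece of the level-1 landing zone the demo walks through (subscription activity log fanned out to the Log Analytics workspace, a storage account for long-term retention and an event hub, plus the Security Center alert contact and the tfvars knobs the presenter tunes), written here as an added Terraform example; it is not code from the aka.ms/tf-landingzones repository or the tranquility blueprint. Resource names, variable names and the placeholder storage account name are assumptions; it targets the azurerm provider 3.x and assumes the provider block and authentication are already configured.

```hcl
# Added example, not the tf-landingzones project's own code. Names, variables
# and the placeholder storage account name are assumptions; the resource types
# are the real azurerm 3.x provider resources (provider block assumed configured).
variable "location"               { default = "westeurope" }
variable "retention_days"         { default = 30 }                   # diagnostics retention, as in the demo
variable "workspace_name"         { default = "law-lab-operations" } # assumed workspace name
variable "security_contact_email" { default = "secops@example.com" } # placeholder address
variable "tags" { default = { environment = "lab", landingzone = "level1", blueprint = "tranquility" } }
data "azurerm_subscription" "current" {}

resource "azurerm_resource_group" "core_sec" {
  name     = "rg-hub-core-security"
  location = var.location
  tags     = var.tags
}

resource "azurerm_log_analytics_workspace" "ops" {
  name                = var.workspace_name
  location            = var.location
  resource_group_name = azurerm_resource_group.core_sec.name
  sku                 = "PerGB2018"
  retention_in_days   = var.retention_days
  tags                = var.tags
}

# Long-term retention target for the subscription activity log
resource "azurerm_storage_account" "core_sec" {
  name                     = "stcoreseclab0001" # placeholder: must be globally unique
  resource_group_name      = azurerm_resource_group.core_sec.name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"
}

# Event hub for fast access to the same stream (e.g. a SIEM consumer)
resource "azurerm_eventhub_namespace" "core_sec" {
  name                = "evhns-core-security-lab"
  location            = var.location
  resource_group_name = azurerm_resource_group.core_sec.name
  sku                 = "Standard"
}

resource "azurerm_eventhub" "activity" {
  name                = "activity-logs"
  namespace_name      = azurerm_eventhub_namespace.core_sec.name
  resource_group_name = azurerm_resource_group.core_sec.name
  partition_count     = 2
  message_retention   = 1
}

resource "azurerm_eventhub_namespace_authorization_rule" "diag_send" {
  name                = "diag-send"
  namespace_name      = azurerm_eventhub_namespace.core_sec.name
  resource_group_name = azurerm_resource_group.core_sec.name
  send                = true # least privilege: the diagnostic setting only needs to send
}

# Subscription activity log -> workspace (analysis) + storage (retention) + event hub (streaming)
resource "azurerm_monitor_diagnostic_setting" "activity" {
  name                           = "subscription-activity-log"
  target_resource_id             = data.azurerm_subscription.current.id
  log_analytics_workspace_id     = azurerm_log_analytics_workspace.ops.id
  storage_account_id             = azurerm_storage_account.core_sec.id
  eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.diag_send.id
  eventhub_name                  = azurerm_eventhub.activity.name
  dynamic "enabled_log" {
    for_each = ["Administrative", "Security", "Policy", "Alert", "ServiceHealth", "ResourceHealth"]
    content { category = enabled_log.value }
  }
}

# Security Center alert recipient, the email the presenter customises in the tfvars file
resource "azurerm_security_center_contact" "default" {
  name                = "default1"
  email               = var.security_contact_email
  alert_notifications = true
  alerts_to_admins    = true
}
```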
Info
Channel: Arnaud Lheureux
Views: 2,566
Rating: 5 out of 5
Id: 4UrIakS-j_Y
Length: 25min 28sec (1528 seconds)
Published: Tue Jan 21 2020