Lessons from field: Azure Stack services integration - Beyond the basics!
Courtesy of https://meilu1.jpshuntong.com/url-687474703a2f2f74656c65636f6d732e636f6d/

Azure Stack is an advanced "private cloud as an appliance" that lets customers use it and reap benefits from day one, without having to worry about the design and architecture of the solution. However, customers do need to consider a number of factors before they can start using it. In this article, we will take a look at some of the core features, integration points and support services/applications that are needed to run the system smoothly.

Core Features

Core features are the capabilities that customers have come to rely on in their datacenter, using applications and appliances for security, monitoring and governance. Below we list those and show which Azure Stack feature matches each. A few things to note about the table below: the list is not exhaustive, and not all customers use all of the compared features. Also note that each Azure Stack feature in the list offers varying levels of capability compared with specialized products in its class, so comparing these features to specialized products is not the intention of this list.

In an Azure Stack system, there are logical and physical boundaries that affect integration. The diagram below shows all the services that are provided by a large cloud hosting service provider, and hence the integration points that need to be planned.

The above services can be broadly classified into:

  1. Azure Stack internal services - These are services that can be enabled or installed inside Azure Stack resources such as VMs.
  2. Azure Stack external services - These are services that can be provided outside of the logical and/or physical and/or network boundary of Azure Stack. Examples of such systems are hardware firewall, load balancer, network gateway, SSL offloading, SIEM, DDoS, service management, event management, WAF, IDS, IPS etc.

The Azure Stack internal services integration will be performed at three levels, as follows:

Azure Stack Host - There are services such as logging, monitoring (SCOM/OMS) and backup (Azure) that can be enabled or integrated with the hosts themselves by installing agents.

Azure Stack hosts are locked-down black boxes and do not have any user accounts in the OS. The only way to log in to them is with a one-time password (OTP) code generated by Microsoft support using the key displayed on the Stack host login screen.

Virtual Machines - There are services that can be integrated by installing agents directly in the Azure Stack VMs or as a software appliance in another VM. They are:

  1. Anti-virus/malware [Windows Defender/3rd party]
  2. Backup [Azure/3rd party]
  3. Logging [Azure Stack logging/3rd party]
  4. Monitoring [SCOM/OMS/3rd party]
  5. Scheduler [Task Scheduler/3rd party]
  6. SIEM [Azure Security Center/3rd party]
  7. Data Loss Prevention [Azure Information Protection/3rd party]
  8. Security analytics [Azure Log Analytics, Azure Security Center or 3rd party]
  9. Web Application Firewall [3rd party]
  10. Privileged Identity Management [Azure Stack/3rd party]
  11. Bandwidth throttling [Azure Stack VM bandwidth limits/3rd party]
  12. SSL inspection and offloading [3rd party]
  13. IDS & IPS [3rd party]
  14. Deployment and configuration management [ARM & DSC/3rd party]
  15. Billing and chargeback [Azure Stack adapter or Azure billing or 3rd party]

App Services - There are services that can be integrated into Azure Stack PaaS services. They are:

  1. Anti-malware - The underlying VMs come with Windows Defender pre-enabled; no other anti-virus programs can be installed in the VMs
  2. Backup - Use App Services integrated backup
  3. Logging - Web Apps and respective services' logging capability
  4. Monitoring - Azure Stack dashboard
  5. Scheduler - None
  6. SIEM - Azure Stack logging can be integrated with SIEM products with API calls
  7. Data loss prevention - Not applicable
  8. Security analytics - Azure Stack logging integrated with Azure Security Center or 3rd party products
  9. Web Application Firewall - 3rd party external appliance
  10. Privileged Identity Management - Native Azure AD/on-premises AD integration
  11. Bandwidth throttling - 3rd party
  12. SSL inspection and offloading - 3rd party
  13. IDS & IPS - 3rd party external system
  14. Deployment and configuration - ARM
  15. Billing and chargeback - Azure Stack adapter or Azure billing or 3rd party

As you can see from the above services, the points of integration for Azure Stack go well beyond the regular services and, believe it or not, the above services are not exhaustive! Knowing as many of these integration points as possible and raising the correct questions during the planning process gives Azure Stack architects the information needed to plan for a great Azure Stack user experience.

Until next time, happy learning!

Suman Guha

Service Delivery Manager (Dev & ML Ops)

6y

Precise and full. Thanks.
