Sentia's building blocks for a manageable cloud

Emro Thierry

Managing IT environments is a serious job. This article illustrates how a relatively simple cloud environment can quickly turn complex. You’ll learn about the solution Sentia uses to automate building and managing complex IT environments in the cloud. Ultimately, we will show how we use proven technology to deliver reliable and scalable cloud environments.

Simplified IT environment

Let’s take a step back and consider a relatively simple cloud environment containing only a virtual machine and a database. The virtual machine serves as an application server hosting “Application A”. The application server processes data and needs to store information in a database, for which we use Azure SQL.

Even in this simplified example, several conditions have to be met for the application to run successfully.

[Figure: Simplified IT environment]

First, the virtual machine needs to be configured. Think about basic things like an operating system to be able to install and run the application. Then, there needs to be networking in place to enable the virtual machine to communicate with the database.

Still, there is a lot more that comes into play. We cannot forget the importance of security: who will gain access to the environment, in what manner, and when? From there we move on to further topics such as firewalling, identity and access management, disaster recovery planning, monitoring, and so on. The picture is clear.

The purpose of the simplified example is to show that even a relatively modest, straightforward environment already requires planning and management.

In enterprise environments, an application often has separate environments for Development, Testing, Acceptance and Production (DTAP). So potentially, each application consists of four environments.

If you have a modest enterprise environment with about 25 applications, that can easily add up to 100 or more environments in total. Managing these by hand in the Azure Portal, taking all the requirements into consideration, quickly becomes an overwhelming task, right?

Luckily this is where Sentia steps in to Lead the Way.

Sentia Landing Zone

The Sentia Landing Zone is developed and managed by Sentia. This article focuses on Microsoft Azure. Besides Azure, Sentia also offers Landing Zone solutions for AWS (Amazon) and Google Cloud.

Put simply: the Landing Zone delivers building blocks that prepare an environment to host your application. With these building blocks, large cloud environments can be built in a structured, flexible, and automated fashion. The building blocks are expressed as so-called “Infrastructure-as-Code”: your IT environment is described in code, and the cloud provider deploys the defined components for you automatically.

The snippet below shows an example of infrastructure code to deploy a virtual machine (with Windows 2016) along with a network.

{
    "customer-application-acc-01": {
        "deploymentLocation": "{{deploymentLocation}}",
        "tags": {
            "department": "{{department}}",
            "environment": "{{environment.name}}",
            "costCenter": "{{costCenter}}",
            "productName": "{{solutionName}}"
        },
        "resourceGroups": [
            {
                "name": "app-acc-rg",
                "location": "{{deploymentLocation}}",
                "tags": {
                    "Application": "application-name"
                },
                "virtualMachines": [
                    {
                        "name": "customer-application-a21",
                        "size": "Standard_D2s_v3",
                        "tags": {
                            "patchRestartTier": "GroupA",
                            "Purpose": "Application Service"
                        },
                        "username": "{{adminUsername}}",
                        "password": "{{adminPassword.windows}}",
                        "zone": 1,
                        "bootDiagnostics": {
                            "enabled": true,
                            "storageAccount": {
                                "resourceGroup": "app-acc-rg",
                                "name": "resource-groupname"
                            }
                        },
                        "network": {
                            "virtualNetworkResourceGroup": "application-acc-rg",
                            "virtualNetworkName": "application-acc-vnet",
                            "subnetName": "app-acc-subnet",
                            "needsPublicIp": false
                        },
                        "os": "{{osWindows-2016Dc-hybridFalse-StandardSSD_LRS}}",
                        "management": {
                            "networkWatcher": true,
                            "customScripts": "{{customScript.windowsWithAnsible}}",
                            "domain": "{{domainSettings}}",
                            "encryption": {
                                "keyVaultName": "application-encrypt-acc-kv",
                                "keyVaultResourceGroup": "keyvault-acc-rg"
                            },
                            "endpointProtection": "{{endpointProtection}}",
                            "logAnalytics": "{{vmLogAnalyticsWorkspace}}",
                            "backup": "{{backupPolicy7Days}}"
                        }
                    }
                ]
            }
          [...]

In essence, the Landing Zone simplifies the deployment of larger and more complex environments by providing building blocks, instead of having to put, or even worse “click”, the cloud environment together “piece by piece”.

Another neat feature of the Landing Zone is that various “baseline” levels for security, manageability and other global requirements are built into the building blocks.
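Such a baseline can be enforced mechanically before a building block is deployed. The following is an added example, not Sentia's Landing Zone code: it resolves the {{...}} placeholders of a block in the format shown above and reports every VM that lacks a baseline control, treating an unresolved placeholder as a missing control (the parameter names, the sample block and the list of checks are assumptions).

```python
import json
import re
# Constructed sample in the page's building-block format, cut down to the fields
# checked below; an added example, not Sentia's Landing Zone code.
BLOCK = json.loads("""{"customer-application-acc-01": {"resourceGroups": [{
  "name": "app-acc-rg", "virtualMachines": [{
    "name": "customer-application-a21", "password": "{{adminPassword.windows}}",
    "bootDiagnostics": {"enabled": true},
    "network": {"subnetName": "app-acc-subnet", "needsPublicIp": false},
    "management": {"encryption": {"keyVaultName": "application-encrypt-acc-kv"},
                   "endpointProtection": "{{endpointProtection}}",
                   "logAnalytics": "{{vmLogAnalyticsWorkspace}}",
                   "backup": "{{backupPolicy7Days}}"}}]}]}}""")

# Hypothetical parameters for the {{...}} placeholders; backupPolicy7Days is deliberately absent.
PARAMS = {"adminPassword.windows": "<fetched from key vault at deploy time>",
          "endpointProtection": "defender", "vmLogAnalyticsWorkspace": "law-acc"}

PLACEHOLDER = re.compile(r"^\{\{([\w.\-]+)\}\}$")

def resolve(node, params):
    """Substitute {{name}} strings recursively; unknown names are kept verbatim."""
    if isinstance(node, dict):
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, params) for v in node]
    m = PLACEHOLDER.match(node) if isinstance(node, str) else None
    return params.get(m.group(1), node) if m else node

def present(value):  # configured = set and no longer a bare {{placeholder}}
    return bool(value) and not (isinstance(value, str) and PLACEHOLDER.match(value))

def baseline_findings(block):
    """Pre-deployment gate: one finding per VM per missing baseline control."""
    findings = []
    for deployment in block.values():
        for rg in deployment.get("resourceGroups", []):
            for vm in rg.get("virtualMachines", []):
                mgmt, net = vm.get("management", {}), vm.get("network", {})
                checks = {
                    "public IP exposed": net.get("needsPublicIp", True) is not False,
                    "boot diagnostics off": vm.get("bootDiagnostics", {}).get("enabled") is not True,
                    "no disk encryption key vault": not present(mgmt.get("encryption", {}).get("keyVaultName")),
                    "no endpoint protection": not present(mgmt.get("endpointProtection")),
                    "no log analytics": not present(mgmt.get("logAnalytics")),
                    "no backup policy": not present(mgmt.get("backup")),
                }
                findings += [f"{vm['name']}: {msg}" for msg, bad in checks.items() if bad]
    return findings
```

Running `baseline_findings(resolve(BLOCK, PARAMS))` flags only the missing backup policy; a missing parameter is thus caught before anything is deployed rather than after.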

Hub-and-Spoke Topology

When more applications come into play, you will notice that components such as a firewall can be re-used. Firewalls are often a relatively expensive part of an implementation and can take a while to configure. If every application needed its own firewall, complexity and costs would rise proportionally. Another example of a shared component is a VPN gateway, but there are many other possibilities.

Sentia centralizes shared components in a Hub-and-Spoke topology. The hub consists of the services shared between applications and forms the central entry and exit point.

The big advantage of sharing certain services is that new applications can be added more efficiently, in both time and money. The drawback of having one central entry point is that it can become a “single point of failure” affecting the availability of all spokes. Where possible, this risk is mitigated by placing highly available components and/or services in the hub.

To illustrate this concept, look at the picture below of a typical Hub-and-Spoke implementation within the Azure Landing Zone. Notice that the production environment of our simple “Application A” is one of the spokes.

[Figure: Hub-and-Spoke Topology]

Multiple spokes are connected to the hub. To improve security, each DTAP workload is placed in its own isolation boundary, called a spoke.

Transform your cloud environment with our building blocks?

Would you like to take advantage of our Landing Zone and its building blocks to embark on, or improve, your cloud journey in a structured, manageable, secure, and scalable manner? Contact us and tell us about the challenges you face in moving your organization to the cloud.