Niraj Bhatt – Architect's Blog

Ruminations on .NET, Architecture & Design

Managing Access to Cloud Resources

As you start your cloud incubation journey, one of the very first hurdles you will run into is access management. How do you secure access to your cloud provider? Whom do you allow to provision resources? Do you want to centralize provisioning, or empower project teams with self-service capability? Can you leverage on-premises identity stores for cloud access? Needless to say, these aspects can get quite tricky. In this post, I will talk about different options for managing access to cloud services and, as always, would love to hear your feedback.

No Self Service: Many organizations look at cloud as an extension of their data center and want to enforce similar control over their cloud environment. Their IT team provisions and de-provisions cloud resources as necessary, but the end users have no direct access from their end. They still raise a ticket through tools like ServiceNow, which is then fulfilled by IT Ops through automation or manual setup.

Self Service via Custom Portal: This is standard practice across many organizations. Instead of providing direct access via the cloud service provider's portal, they create a layer of abstraction – a custom portal for managing access. This is definitely feasible, as most cloud service providers have APIs for controlling access to cloud resources. A typical custom portal can help drive governance. An example use case could be – someone requests a VM image and a request-approval email is automatically sent to her manager. Further, custom portals can provide a unified view catering to different cloud platforms – i.e. a single UI to provision workloads on AWS, Azure or Google Cloud. But the challenge with such an initiative is keeping pace with new cloud services. Most cloud platforms introduce new features biweekly, making the custom portal a never-ending project. One solution here could be to control the feature scope of the custom portal – e.g. cater to just IaaS services – Compute, Network, Storage & Security.

Controlled Access to Provider portal with extensions: Many enterprises don’t want to reinvent the wheel. Their intent is to add only the delta functionality to the existing self-service cloud provider portal. For instance, most cloud provider portals have no context of the consuming enterprise, its projects, its policies, etc. In such cases, it makes sense to augment the cloud provider portal with an additional project view and build an ecosystem to enforce organizational policies. E.g. when User A logs into the extended portal she can view the list of projects (a project can have a direct mapping to a cloud subscription or account) and her role / rights on each. But provisioning any cloud resources would have to be carried out through the provider portal (possibly via SSO with the provider portal). Depending on the rights the user has, she will be able to provision only those cloud resources.

Let’s understand the last option from a Microsoft Azure perspective, though similar features are available in other cloud platforms like AWS as well.

Single Sign On:
To set up single sign-on you will need an Azure Active Directory domain configuration and an ADFS setup. You can find more details here. This ensures that only employees of the organization will have access to the Azure portal & resources.

Controlling access to resources:
SSO is great, but you don’t want every user of the organization to have unrestricted access to Azure resources. Rather, only the authorized set of users should have access to them. That’s where Role Based Access Control comes in. A role in RBAC terms is a collection of actions that can be performed on an Azure resource or a group of Azure resources (a group of resources, referred to as a ‘Resource Group’ in Azure, is a container holding the resources for a given application). RBAC is currently supported in the Azure Preview Portal only. You can also configure the access through PowerShell.

Azure RBAC
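The following is an added example (not code from the original post) showing the least-privilege pattern described above from PowerShell: inspect what a built-in role permits, assign it at resource-group rather than subscription scope, prefer groups over individuals, and review the result. It uses the current Az module cmdlets rather than the 2014-era Azure module the post refers to, and assumes `Connect-AzAccount` has already been run with an identity allowed to manage role assignments; the resource group, user and group values are placeholders.

```powershell
# Added example (not from the original post): apply Azure RBAC with least privilege.
# Assumes the Az.Resources module is installed and Connect-AzAccount has been run
# as an Owner / User Access Administrator on the subscription.
# All names below are placeholders.
$rg       = 'rg-app-dev'                     # placeholder resource group (one application's container)
$devLead  = 'dev.lead@contoso.com'           # placeholder Azure AD user
$opsGroup = '<objectId of an Azure AD group>' # placeholder; look it up with Get-AzADGroup

# 1. Inspect what a built-in role actually allows before handing it out.
#    A role is just a list of permitted Actions (and excluded NotActions).
$contributor = Get-AzRoleDefinition -Name 'Contributor'
$contributor.Actions      # e.g. '*' : manage resources
$contributor.NotActions   # e.g. no Microsoft.Authorization/*/Write : cannot grant access to others

# 2. Scope the assignment as narrowly as the work requires: the dev lead gets
#    Contributor on one resource group, not on the whole subscription.
New-AzRoleAssignment -SignInName $devLead `
                     -RoleDefinitionName 'Contributor' `
                     -ResourceGroupName $rg

# 3. Prefer groups for standing access, so joiners and leavers are handled by
#    group membership in Azure AD instead of by editing role assignments.
New-AzRoleAssignment -ObjectId $opsGroup `
                     -RoleDefinitionName 'Reader' `
                     -ResourceGroupName $rg

# 4. Review: who can act on this resource group, including assignments
#    inherited from the subscription scope.
Get-AzRoleAssignment -ResourceGroupName $rg |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Sort-Object RoleDefinitionName

# 5. Periodic check for over-privileged identities: every Owner assignment
#    visible to you, across all scopes in the current subscription.
Get-AzRoleAssignment -RoleDefinitionName 'Owner' |
    Select-Object DisplayName, ObjectType, Scope
```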

Subscription, Administrators & Azure AD:
While RBAC is the preferred way of setting access control, knowing the different Azure portal administrative roles is necessary to gain a comprehensive understanding. Once you sign up for an Azure EA, MS sets up an account for you called ‘Enterprise Administrator’. As an enterprise admin you can create different accounts and subscriptions. Each account has an Account Administrator, who in turn can create multiple subscriptions, with each subscription having its own Service Administrator. The Service Administrator is the super user with complete access to the subscription and can provision resources (VMs, databases, etc.) as required. The Service Administrator can also create co-administrators as required to support them with administrative tasks.
Coming to Azure AD, you can create, rename and delete an Azure AD from the Azure Portal. Every Azure subscription can trust only one Azure AD, and only the Service Administrator has the rights to choose the trusted AD for a given subscription (Settings -> Subscriptions -> Edit Directory).

Azure Subscription & Azure AD

Hope that provided some good perspective. As always, do drop a note below on how you are managing access to cloud resources.

Dealing with Resourcing Constraints

As part of my current role I engage with top execs of Fortune 500 companies discussing cloud transformation and strategy. While the discussions are very engaging, they invariably stall around resourcing. After all, everyone wants an ‘A Player’ and they want to on-board that person the very next week. The common approach here (unless you have the budget to maintain a good bench strength for your practice) is to get into an endless loop of interviewing candidates, first internally and then with the customer. And even if you are lucky enough to find the right candidate, you are still on the hook till he or she really joins the organization. Such situations can derail projects and even dent your reputation. Below are some of the workarounds I have seen working, and it would be good to hear your thoughts.

Contracting – Let’s go over the simple option first. There are dozens of recruiting firms out there who can provide you resources to staff on your project. While these firms charge a premium, you can leverage them to start an engagement at short notice. Contractors can act like the tip of the spear, helping you build the launching platform for bigger projects. What’s more, once you get the right person hired, you can swap him in for the contractor. Of course, all of this works only if your customer is willing to onboard contractors.

Travel Ready Offshore Candidates – Most IT companies today have global delivery centers across the globe. Resources working in these offshore locations can be provided a legitimate work visa, and you can plan to staff them on client engagements. This is a good option for global players, as they don’t have to maintain a big bench onsite or hire contractors, which is usually expensive.

Supplementing Skill Sets with an Onsite / Offshore mix – At times it might be difficult to find a single resource having all the skills necessary for a client engagement. In such cases, you can try to split the profile, deriving an onsite / offshore mix and creating the right symbiosis. If you have the right mix of people, this can be a real savior. Even better, you can convince the customer to transfer work entirely offshore or plan for an onsite transition when the resource becomes travel ready.

Loan from other teams – I have been a loaned resource myself. One of the SVPs in my previous organization pulled me out to support a key post-merger project. The idea here is that other teams within your organization might have the skill set you are looking for, or at least something in the near range. The key then is to know who those teams are and how you can leverage them. In a competing scenario, you will have to play it right so that you don’t end up losing the opportunity to those teams. But it’s still better, as the overall organization wins rather than losing to an external competitor.

In addition to the above, you can also revamp your referral program. There could be company norms here, but one of my earlier VPs made it so lucrative that the referral system was flooded. Interestingly, he didn’t go overboard. All he did was try to bridge the gap between the internal and external referral bonus. You can also get referrals into the annual goal system, but I would recommend not pushing it down the throats of your employees without enough motivation.

Finally, a word on margins (profitability). When you are starting a new engagement using one of the above approaches your margins will be impacted – you get a resource from the market at a premium, and at the same time the customer doesn’t know your capability, so they will bargain for less. You have very few options here but to absorb that cost – ideally indicating that you are discounting because it’s a new initiative, or planning to slowly transition to a blended rate of an onsite / offshore mix, where the margin for the overall engagement can be improved (for instance, if you make 20% on an onsite resource and 40% on an offshore resource, your margin for the engagement would average out to 30%, which could be a lot better).

All of the above, though, is in addition to prepping your recruiters & their resourcing channels, making them feel that they are integral to your team, taking risks and having the guts to maintain a small bench, even if you are on a wafer-thin budget.

Hope this provides you some food for thought on dealing with your resourcing constraints. Let me know if you have additional approaches or improved versions of the above. Comments / Suggestions are welcome :)

Client Profitability vs. Practice / Company Profitability

This post is for dummies, covering a few business terms which I am dabbling with these days. The thoughts below are primarily related to software services, but I think they would be of help to any service industry.

Having run a startup earlier, I have always cared for margins, which are necessary for the healthy growth of the business. Before getting into a customer engagement, getting your margins – or simply put, profits – right is very important, for both fixed bid and T&M (Time and Materials) projects. Apart from resource costs, you also need to take into consideration other costs like T&E (Travel and Expenses) and call them out separately.

Keeping the above in mind, the profits you derive out of a given customer project are called Customer or Client Profitability (CP) – usually measured as a percentage. So, is good CP all that a company should care for? The answer is, of course not. While you might have a high CP, it’s still possible that the overall company or practice is making a loss. Let’s see how.

The common reason for the discrepancy here is overlooking the fixed costs. For instance, you are going to incur salary costs irrespective of whether your resources are allocated (billable) to a project or not (e.g. the project you signed up for got over in 5 months), and you will still have to pay rent, infrastructure bills, etc. All of these expenses fall under the larger category called SG&A (Selling, General and Administrative Expenses), which includes advertisement, sales, taxes, training, corporate functions, etc. In short, the Practice Profitability (PP) is not a sum of the various CPs; rather it’s the sum of CPs minus SG&A.

It should be clear by now that the only way you can grow your business is to increase CP without proportionally increasing SG&A; i.e. do more with less. Most of the budget planning exercises in corporate companies are around this agenda. One way to achieve this is to move away from RFR (Resource Following Revenue) to non-linear revenue models, shifting the focus from services to products.

Hope this was useful in putting these terms into the right perspective.

Overview of Office 365

Office 365 is a suite of Microsoft products delivered as software as a service from the cloud. For consumers it represents a simplified pay-as-you-go model, helping them use Office products across multiple devices, while for enterprises the value proposition is workplace transformation by driving Enterprise Mobility.

Consumers can now pay a monthly subscription fee and have Word, Excel and other Office tools installed across 5 PCs and Macs. Users also get 5 more mobile Office installs for the Android and iOS platforms, and there is a feature called Office on Demand which allows users to temporarily stream Office 2013 applications on a Windows 7 / 8 PC. In addition, one gets 20 GB of SkyDrive integrated with Office Web Apps (a subset of the desktop version) and 60 Skype world minutes to make calls in over 60 countries.


Enterprises, on the other hand, are being disrupted by the various needs of geographically distributed teams, decentralized work locations, BYOD and data security, social engagement platforms, etc. Office 365 for enterprise adds hosted services like Exchange, Lync, SharePoint, Yammer, SkyDrive Pro, etc. to cater to these needs. These services can be accessed using Single Sign On with an on-premises AD / ADFS. What’s more, with the SaaS model you take the entire IT complexity and management out of the equation.

Office 365 also has something for developers. The developer subscription, which is bundled free with an MSDN subscription or otherwise costs 99 USD, allows developers to build applications for Office 365 including SharePoint Online. These applications typically enhance the Office tools – for instance an enterprise can develop a set of applications for their employees and make them available under the ‘My Organization’ section of the portal. Developers can do application development using familiar development tools. For small enterprises which want an easy way to augment the OOB Office functionality, the Office team offers “NAPA” – Office 365 development tools right from your browser. In addition to this, enterprise developers can also use Visual Studio. ISVs planning to develop commercial applications can publish their applications to the Office Store.

Using a Single Windows Azure Active Directory tenant for All EA Azure Subscriptions

As you know by now, Windows Azure Active Directory is at the root of every Azure subscription.


But in an EA setup you typically have multiple subscriptions, and you definitely don’t want to create a different WAAD tenant for every other subscription. So here’s what you can do (there might be other ways of achieving this too). First create a Shared account and under that a Shared subscription. Also create the WAAD tenant you want to use and ensure your shared subscription is under that WAAD tenant. In that WAAD tenant, create all the account administrators.


Now go to your EA portal and add new accounts, specifying the account administrators you just created. That’s it – next, when you create subscriptions for those newly created accounts, these subscriptions will by default be part of the same WAAD tenant under which you created your shared subscription.


It can’t get any easier, can it :) ?

Windows Azure Portals and Access Levels

When you sign up for Windows Azure you get a subscription, and you are made the Service Administrator of that subscription.


While this creates a simple access model, things do get a little complicated in an enterprise where users need various levels of access. This blog post will help you understand these access levels.

Enterprise Administrator
Enterprise Administrator has the ability to add or associate Accounts to the Enrollment and can view usage data across all Accounts. There is no limit to the number of Enterprise Administrators on an Enrollment.
Typical Audience: CIO, CTO, IT Director
URL to GO: https://ea.windowsazure.com

Account Owner
Account Owner can add Subscriptions for their Account, update the Service Administrator and Co-Administrator for an individual Subscription, and can view usage data for their Account. By default all subscriptions are named ‘Enterprise’ on creation; you can edit the name after creation in the account portal. Under EA usage, only Account Administrators can sign up for Preview features. The recommendation is to create accounts along functional, business or geographic divisions, though a hierarchy of accounts would help larger organizations.
Typical Audience: Business Heads, IT Divisional Heads
URL to GO: https://account.windowsazure.com

Service Administrator
Service Administrator and up to nine Co-Administrators per Subscription have the ability to access and manage Subscriptions and development projects within the Azure Management Portal. The Service Administrator does not have access to the Enterprise Portal unless they also have one of the other two roles. It’s recommended to create separate subscriptions for Development and Production, with Production having strictly restricted access.
Typical Audience: Project Manager, IT Operations
URL to GO: https://manage.windowsazure.com

Co-Administrators
Subscription co-administrators can perform all tasks that the service administrator for the subscription can perform. A co-administrator cannot remove the service administrator from a subscription. The service administrator and co-administrators for a subscription can add or remove co-administrators from the subscription.
Typical Audience: Test Manager, Technical Architect, Build Manager
URL to GO: https://manage.windowsazure.com

That’s it! With the above know-how you can create an EA setup like the one below.


Hope this helps :)

Azure Benefits for MSDN subscribers

Friends, hope you are aware of this great offer. Click on the image below to sign up :)


Windows Azure vs. Force.com vs. Cloud Foundry

Below is a brief write up of some personal views. Let me know your thoughts.

Windows Azure is the premier cloud offering from Microsoft. It has a comprehensive set of platform services ranging from IaaS to PaaS to SaaS. This is a great value proposition for many enterprises looking to migrate to the cloud in a phased manner: first move as-is with IaaS and then evolve to PaaS. In addition, Azure has deep integration across Microsoft products – including SharePoint, SQL Server, Dynamics CRM, TFS, etc. This translates to an aligned cloud roadmap, committed product support and license portability. Though .NET is the primary development environment for the Azure platform, most Azure services are exposed as REST APIs. There are JAVA, Ruby and other SDKs available which allow a variety of developers to easily leverage the Azure platform. Azure also allows customers to spawn Linux VMs, though that’s limited to the IaaS offerings.

Force.com allows enterprises to extend Salesforce.com – the CRM from Salesforce. Instead of just providing SDKs and APIs, Salesforce has created force.com as a PaaS platform – so that you focus only on building extensions; the rest is managed by Salesforce. Salesforce also provides a marketplace, ‘AppExchange’, where companies can sell these extensions to potential customers. Though force.com offers an accelerated development platform (abstracting many programming aspects), programmers still need to learn the APEX programming language and related constructs. Some enterprises are considering force.com as their de-facto programming platform – taking it beyond the world of CRM. It’s important to understand that the applicability of force.com for such scenarios would typically be limited to transactional business applications. So, where should enterprises go when they need to develop custom applications with different programming stacks and custom frameworks? Salesforce’s answer is Heroku. Heroku supports all the major programming platforms including Ruby, Node.js, JAVA, etc., with the exception of .NET. Heroku uses Debian and Ubuntu as the base operating system.

Many enterprises today are hesitant about their move to a PaaS cloud, citing vendor lock-in. For instance, if they move to the Azure PaaS platform their applications would run only on Azure, and they would have to remediate them to port to AWS. It would definitely be great to have a PaaS platform agnostic of a vendor. This is the idea behind the open source PaaS platform Cloud Foundry. It’s an effort co-funded by VMware and EMC. VMware offers a Cloud Foundry hosted solution, with the underlying infrastructure being vCloud. Cloud Foundry supports various programming languages like Java, Ruby, Node.js, etc. and services like MySQL, MongoDB and RabbitMQ, among others. VMware also offers vFabric, a PaaS platform focused on the JAVA Spring framework. vFabric is a product integrated with VMware infrastructure, providing a suite of offerings around Runtime, Data Management and Operations. I feel the future of vFabric is likely to depend on the industry adoption of Cloud Foundry (there is also another open source PaaS effort being carried out by Red Hat called OpenShift).

Overview of VMware Cloud Platform

Continuing my discussion on major Cloud Platforms, in this post I will talk about VMware (a subsidiary of EMC) – one of the companies that pioneered the era of virtualization. The flagship product of VMware is ESX (vSphere being the product that bundles ESX with vCenter), a hypervisor that runs directly on the hardware (bare metal). As you would expect, VMware is a major player in the private cloud and data center space. It also has a public IaaS (Infrastructure as a Service) cloud offering and also supports an open source PaaS platform (understandably, no SaaS offerings). Below is a quick overview of VMware offerings.

Private Cloud – vCloud Suite is an end-to-end solution from VMware for creating and managing your own private cloud. The solution has two major components – Cloud Infrastructure and Cloud Management. Cloud Infrastructure components include VMware products like vSphere (the cloud OS controlling the underlying infrastructure) and vCloud Director (a multitenant self-service portal for provisioning VM instances based on vApp Templates), while Cloud Management consists of operational products like vCenter (a centralized, extensible platform for managing infrastructure) among others. There are also vCloud SDKs available which you can use to customize the platform to specific business requirements. Also, with last year’s acquisition of DynamicOps (now called vCloud Automation Center), VMware is extending its product support to other hypervisors in the market. Other vendors too, like Microsoft, are evolving similar offerings with Hyper-V, System Center, SPF and Windows Azure Services. It’s important to note, though, that quite a few enterprises operate a private-cloud-like setup using vSphere alone and build custom periphery around it as necessary.

Public Cloud – In case you don’t have the budget to set up your own datacenter, or are looking to build a hybrid approach which helps you do a cloud burst for specific use cases, you can leverage VMware’s vCloud Hybrid Service (AKA vCHS). The benefit here is that migration and operation remain seamless, as you would use the same tools (and seamlessly extend the same processes) that were being used for the in-house private cloud.

PaaS Cloud – VMware has a PaaS offering for private clouds called vFabric. The vFabric application platform contains various products focused on the JAVA Spring Framework stack. Architects can create a deployment topology using drag and drop for their multi-tier applications. Not only can they automate the provisioning, but they can also scale their applications in accordance with business demand. In addition, VMware is also funding an open source PaaS platform called Cloud Foundry (CF). The value proposition here is that you can move this platform to any IaaS vendor (vCloud, OpenStack, etc.), so when you switch between cloud vendors you don’t have to modify your applications. This is contrary to other PaaS offerings, which are tied to the underlying infrastructure – e.g. an application ready for Azure PaaS would have to undergo remediation to be hosted on Google PaaS. Also, being open source, you can customize the CF platform to suit your needs (there is a similar effort being carried out by Red Hat called OpenShift).

Finally, you might hear the term vBlock (or vBlock Systems) in the context of VMware. VCE (Virtual Computing Environment) – the company which manufactures vBlock Systems – was formed by a collaboration of Cisco, EMC and VMware. These vBlock system racks contain Cisco’s servers & switches, EMC’s storage and VMware virtualization. There are quite a few service providers using vBlock to create their own set of cloud offerings and services.

Hope this helps!

Overview of Google Cloud Platform

In the next few posts, I will try to give a brief overview of the major Cloud Computing platforms. As I started writing this post, it reminded me of an incident. A few years back I was chatting with a Microsoft Architect. He proudly told me that if Google were to shut down tomorrow, none of the enterprises would care about it. Well, since then things have changed. From a provider of a search engine, email and a mobile platform (Android), Google has made its way into enterprises. To add another experience, recently I was visiting a Fortune customer and saw one of the account managers using Gmail. While my first reaction was that he shouldn’t be checking his personal emails at work (we were discussing something important), he was, in fact, replying to an official email. I learned from him that they were among the early adopters of Google Apps. With those interesting anecdotes, below is a quick overview of the Google cloud platform.

Google Apps – You can think of Google Apps as a SaaS offering along the lines of Microsoft Office 365. It includes Gmail, Google Calendar, Docs, Sites, Videos, etc. The value proposition is that you can customize these services under your own domain name (i.e. white label). Google charges a per-user monthly fee for these services (this fee is applicable to Google Apps for Business; Google also offers a free version for educational institutions under the brand Google Apps for Education). In addition, Google has created a marketplace (Google Apps Marketplace) where organizations can buy third-party software (partner ecosystem) which further extends Google Apps. As you would expect, Google also provides infrastructure and APIs for third-party software developers.

Google Compute Engine – GCE is the IaaS offering of Google. Interestingly, it offers sub-hour billing calculated at the minute level with a minimum of 10 minutes. For now only Linux images / VMs are supported. Here’s a Hello World to get started with GCE. Note that you need to set up your billing profile to get started with GCE.

Google App Engine – GAE is an ideal platform to create applications for the Google Apps Marketplace. It is a PaaS offering from Google – easy to scale as your traffic and data grow. Like Microsoft’s Windows Azure Web Sites, you can serve your app from a custom domain or use a free name on the appspot.com domain. You can write your applications using JAVA, Python, PHP or Go. You can download the respective SDKs from here along with a plugin for Eclipse (the SDKs come with an emulator to simplify the development experience). With App Engine you are allowed to register up to 10 applications per account – and all applications can use up to 1 GB of storage and enough CPU and bandwidth to support an application serving around 5 million page views a month at no cost. Developers can also use NoSQL (App Engine Datastore) and relational (Google Cloud SQL) stores for storing their application data. Google Cloud Storage, a similar offering to Windows Azure Blob Storage, allows you to store files and objects up to terabytes in size. App Engine also provides additional services such as URL Fetch, Mail, Memcache, Image Manipulation, etc. to help perform common application tasks.

Google BigQuery – BigQuery is an analytic tool for querying massive datasets. All you need to do is move your dataset to Google’s infrastructure. After that, you can query the data using SQL-like queries. These queries can be executed using a browser or the command line, or even from your application by making calls to the BigQuery REST API (client libraries are available for Java, PHP and Python).

So, in a nutshell, these are the major offerings of the Google Cloud platform, encompassing SaaS, PaaS and IaaS. Google Apps appears to be the most widely used of all the offerings, with Google claiming more than 5 million businesses running on it.

Hope you found this overview useful.
