Migrating azure transforming applications cloud first 1 pdf


Document information

Migrating to Azure
Transforming Legacy Applications into Scalable Cloud-First Solutions
Josh Garverick
Akron, New York, USA

ISBN-13 (pbk): 978-1-4842-3584-3
ISBN-13 (electronic): 978-1-4842-3585-0
https://doi.org/10.1007/978-1-4842-3585-0
Library of Congress Control Number: 2018960822
Copyright © 2018 by Josh Garverick

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.

Managing Director, Apress Media LLC: Welmoed Spahr
Acquisitions Editor: Joan Murray
Development Editor: Laura Berendson
Coordinating Editor: Jill Balzano
Cover designed by eStudioCalamar
Cover image designed by Freepik (www.freepik.com)

Distributed to the book trade worldwide by Springer Science+Business Media New York, 233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, email orders-ny@springer-sbm.com, or visit www.springeronline.com. Apress Media, LLC is a California LLC and the sole member (owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.

For information on translations, please e-mail rights@apress.com, or visit www.apress.com/rights-permissions.

Apress titles may be purchased in bulk for academic, corporate, or promotional use. eBook versions and licenses are also available for most titles. For more information, reference our Print and eBook Bulk Sales web page at www.apress.com/bulk-sales.

Any source code or other supplementary material referenced by the author in this book is available to readers on GitHub via the book’s product page, located at www.apress.com/9781484235843. For more detailed information, please visit www.apress.com/source-code.

Printed on acid-free paper

This work is dedicated to my wife Melissa, and my daughter Audrey, for allowing me to chase my lofty goal of getting published.

Table of Contents

About the Author
About the Technical Reviewer
Acknowledgments
Introduction

Part I: Assessing the Legacy

Chapter 1: The Baseline
  Conducting the Initial Discovery
  Getting Details on the Short (and Long)-Term Goals of the Business
  Learning the Business Context of Application Domains
  Gathering Functional and Nonfunctional Requirements
  Discovering Integration Points
  Creating and Examining Dependency Graphs
  Finding Existing Build and Release Pipelines
  Proactively Seeking Out Pain Points
  Summary

Chapter 2: Domain Architectures
  Identifying Primary, Secondary, and Tertiary Components
  Documenting Application Collaborations
  Locating the Components
  Constructing a Basic Infrastructure View
  Enhancing the Infrastructure View
  Physical Devices
  Networking
  Seeking Interactions with Applications, Technology and Data
  Determining Information Consistency
  Go with the Data Flow
  Immediate Consistency
  Eventual Consistency
  Fleshing out the Build Process (Further)
  Lighting up the Runway
  Summary

Chapter 3: Security and Compliance
  Leading in with Expectations
  Security Controls
  PCI DSS
  GDPR
  Identifying Domain Risk Areas
  Data Security
  Application Security
  Infrastructure Security
  Deployment Security
  Software Security
  Mitigating the Risks
  Risk Register
  Risk Mitigation Plan
  Preparing for Regulatory and Compliance Audits
  Summary

Chapter 4: Operating Models
  Documenting the Existing Support Model
  Sketching out the Process
  Documenting the Suppliers
  Lighting up the Locations
  Organizing the Organizational Structure
  Inventorying the Information Systems
  Managing Metrics and the System of Management
  Zeroing in on Baseline Details
  Tracing the Escalation Paths
  Collating the Baseline and Target Models
  Baseline Operating Model—Andromeda
  Baseline Operating Model—Gamecorp
  Beginning the Target Operating Model
  Summary

Part II: Planning for the Future

Chapter 5: The Wireframe
  Common Migration Scenarios
  Case 1: Lift and Shift
  Case 2: Greenfield
  Case 3: Hybrid
  Case 4: Lift, Shift, and Enhance
  The “Baseline” Target State
  Business Architecture
  Physical Architecture
  Application Architecture
  Data Architecture
  Technology Architecture
  Security Architecture
  Deployment Architecture
  Reviewing the Roadmap
  Work Breakdown Structure
  Point of Sale Upgrades
  Identity Providers
  Selecting the Right Services
  Conducting Assessments of Options
  Reviewing Assessments with Stakeholders
  Going Through Peer Review
  Summary

Chapter 6: Capacity Planning
  Network Architecture
  Laying the Groundwork
  Network Peering
  ExpressRoute, the Backplane, and the Edge
  Peering Routes and Custom Routes
  Ingress Points and Load Balancing
  Exploring Storage Options
  Application Architecture
  Event-Driven Architecture
  Container Registries and Container Services
  Data Architecture
  Backup and Recovery
  Summary

Chapter 7: Performance Considerations
  The Impact of Geography
  Anticipating Traffic Patterns
  Performance Under Load
  Performance Under Stress
  Performance During Chaos
  Considering Component Use Cases
  Application Gateway
  Azure Container Registry
  Azure Container Services
  Dealing with Data
  Message Payloads

Index

chaos engineering, 134 Kubernetes, 224 cloud components SonarQube container, 227 AKS, 138 storage, 228 application gateway, 136 lean definition, 243, 248 Azure container registry, 138 leveraging approvals, 242 VMSS, 136 release gates, 242 data process, 139 release pipeline mechanics, 243 inbound and outbound services endpoints payloads, 140 app creation, 238 indexing, storage and build service, 235–240 regionalization, 141 Cardstock team project, 232

Pipelines (cont.) Risk management and configuration, 234 remediation, 255 development cluster, 239–240 Role-based access control (RBAC), 56, 63, Sonar endpoint, 234 161, 172 SonarQube connection, 235 steps of, 233 Azure DevOps Services, 232 S whitesource service, 235 Secure socket layers (SSL), 163 team project prework, 229 Security and compliance, 45 right extensions, 231 application, 55 service endpoints, 232 data security, 53 service principals, 229–230 deployment, 59 Platform monitoring, 272 domain risk areas, 53 component, 273 expectations, 45 automation and control, 275 GDPR, 51 application gateways, 275 infrastructure, 57 app services, 275 device, 58 insight and analytics, 274 network, 57 Kubernetes, 276 node, 58–59 OMS solutions gallery, 274 PCI DSS, 46 protection and recovery, 275 risk mitigation security and compliance, 275 audits, 63 solution offerings, 274 plan, 63 virtual machines, 276–277 register, 61 network monitoring, 277 safeguards/countermeasures, 46 OMS platform, 272 software, 60 security, 278 Security architecture, 5, 93 Point of sale (POS) system, 70, 145 Security information and event management (SIEM) system, 165 Q Security monitoring, 278 Self-assessment questionnaire Quality of service (QoS), 74, 165 (SAQ), 47 Server infrastructure, 33 Service level agreements (SLAs), 25 R Single points of failure (SPOFs), 25 Read access geo-redundant storage Site reliability engineers (SREs), 251 (RA-GRS), 112 Software security, 60 Recovery time objective (RTO), 152 Solid-state drives (SSDs), 112

Source and dependency web application firewall, 164 scanning, 204 solution architecture, 145 Static analysis solution, 63 Technology architecture, 90 Subject matter experts (SMEs), 206 Third-party virtual appliances, 110 Trading card game (TCG), 69 T Transition architectures, 171 developer experience, 187–188 Target, 145 DevOps pipelines, 191 application architecture DevTest labs, 192 adoption of Azure service, 152 fault driven development, 189 components, 152 images and formulas, 197 event data from Eventbrite, 156 operational parameters, 193 Gamecorp portal of migration, 154 shift left, 188 messaging and integration training stage, 188 points, 155 high-level view, 173 Square Connect, 155 operational efficiencies trust vs control continuum, 153 (see Operational efficiencies) data architecture, 157 policy management (see Azure data flows, 157 policy management) event structuring, 158 role-based access control, 172 persistence, 160 security center, 173 deployment architecture, 165–166 Transport and delivery DNS services channels, 56 nonproduction workspaces, 151 Transport layer security (TLS), 163 zones, 150 infrastructure, 147 BC and DR strategies, 151 U DNS zones, 150 User interface testing, 133 Gamecorp general design, 149 Hub and Spoke networking, 148 network configuration, 147 V security group, 149 Vendor management, 255 traffic management, 150 Virtual desktop/development requirements, 145 interfaces (VDI), 215 security architecture, 161 Virtual hard drive (VHD) storage, 112 HSTS, TLS and HTTPS, 163 Virtual machine scale sets next-generation firewall, 164 (VMSS), 136 RBAC back, 161 Virtual private networks (VPNs), 108

W, X, Y greenfield development, 86 hybrid approach, 86 Web application firewall (WAF), 136, 164 lift and shift, 85 Wireframe, 85 physical architecture, 88 application, 89 roadmap assessment Gamecorp organizational component/technology roadmap, 95 selection, 97 identity providers, 96 identity management sale upgrades, 95 integrations, 99 work breakdown structure, 94 inventory data, 98 security architecture, 93 peer review, 101–102 service landscape, 96 POS system integrations, 99 technology architecture, 90 stakeholders, 100 web-based applications, 89 business architecture, 88 data architecture, 90 cloud services, 96 Z deployment architecture, 94 migration scenarios, 85 Zachman framework, enhance, lift and shift, 87 Zone-redundant storage (ZRS), 112

Document Outline

Table of Contents About the Author About the Technical Reviewer Acknowledgments Introduction

Part I: Assessing the Legacy

Chapter 1: The Baseline Conducting the Initial Discovery Getting Details on the Short (and Long)-Term Goals of the Business Learning the Business Context of Application Domains Gathering Functional and Nonfunctional Requirements Discovering Integration Points Creating and Examining Dependency Graphs Finding Existing Build and Release Pipelines Proactively Seeking Out Pain Points Summary

Chapter 2: Domain Architectures Identifying Primary, Secondary, and Tertiary Components Documenting Application Collaborations Locating the Components Constructing a Basic Infrastructure View Enhancing the Infrastructure View Physical Devices Networking Seeking Interactions with Applications, Technology and Data Determining Information Consistency Go with the Data Flow Immediate Consistency Eventual Consistency Fleshing out the Build Process (Further) Lighting up the Runway Summary

Chapter 3: Security and Compliance Leading in with Expectations Security Controls PCI DSS GDPR Identifying Domain Risk Areas Data Security Application Security Identity and Access Management Transport and Delivery Channels Infrastructure Security Network Device Node Deployment Security Software Security Mitigating the Risks Risk Register Risk Mitigation Plan Preparing for Regulatory and Compliance Audits Summary

Chapter 4: Operating Models Documenting the Existing Support Model Sketching out the Process Documenting the Suppliers Lighting up the Locations Organizing the Organizational Structure Inventorying the Information Systems Managing Metrics and the System of Management Zeroing in on Baseline Details Tracing the Escalation Paths Collating the Baseline and Target Models Baseline Operating Model—Andromeda Baseline Operating Model—Gamecorp Beginning the Target Operating Model On-Call Rotation Site Reliability Outreach Standardized Response Wrapping Up the Draft Summary

Part II: Planning for the Future

Chapter 5: The Wireframe Common Migration Scenarios Case 1: Lift and Shift Case 2: Greenfield Case 3: Hybrid Case 4: Lift, Shift, and Enhance The “Baseline” Target State Business Architecture Physical Architecture Application Architecture Data Architecture Technology Architecture Security Architecture Deployment Architecture Reviewing the Roadmap Work Breakdown Structure Point of Sale Upgrades Identity Providers Selecting the Right Services Conducting Assessments of Options Reviewing Assessments with Stakeholders Going Through Peer Review Summary

Chapter 6: Capacity Planning Network Architecture Laying the Groundwork Network Peering ExpressRoute, the Backplane, and the Edge Peering Routes and Custom Routes Ingress Points and Load Balancing Exploring Storage Options Application Architecture Event-Driven Architecture Container Registries and Container Services Data Architecture Backup and Recovery Summary

Chapter 7: Performance Considerations The Impact of Geography Anticipating Traffic Patterns Performance Under Load Performance Under Stress Performance During Chaos Considering Component Use Cases Application Gateway Azure Container Registry Azure Container Services Dealing with Data Message Payloads Inbound and Outbound API Payloads Indexing, Storage, and Regionalization Summary

Chapter 8: The Target Solution Architecture Infrastructure Architecture Network Configuration and Topology Network Security Groups Traffic Management Setting up and Converting DNS Zones Adding New DNS Zones in Azure Allowing for a Private DNS Zone for Nonproduction Workspaces Business Continuity and Disaster Recovery Application Architecture Adoption of Azure Kubernetes Service Migration of the Gamecorp Portal Messaging and Integration Points Squaring up with Square Getting Event Data from Eventbrite Data Architecture Changes to Data Flows Event Structuring Problems with Persistence Security Architecture Bringing RBAC Back HSTS, TLS, and HTTPS Web Application Firewall Next-Generation Firewall Deployment Architecture Summary

Part III: Bringing it to the Cloud

Chapter 9: Transition Architectures Focusing on Security and Access Role-Based Access Control Microsoft Security Center Azure Policy Management Building Operational Efficiencies Cost Controls Azure Automation Accounts Runbooks Scheduled Jobs Azure Automation Desired State Configuration Microsoft Operations Management Suite Investing in the Developer Experience Preparing to Shift Left Setting the Stage with Training Embracing Fault Driven Development DevOps Pipelines Work Pipelines Build Definitions Release Definitions DevTest Labs Setting Operational Parameters Leveraging Custom Images and Formulas Summary

Chapter 10: Development Concepts Start with the Big Picture Building on Continuous Integration Source and Dependency Scanning It’s Not Delivery, It’s Deployment Artifact Management Working with Continuous Testing Test Classification Resource Validation Testing the Developer Experience Automating the Developer Experience Summary

Chapter 11: Deployment Pipelines Building Flexible Pipelines Team Project Prework Installing the Right Extensions Setting up Service Endpoints Moving the Built Bits Choosing Continuous Delivery Using Release Gates Leveraging Approvals Keeping Definitions Lean Summary

Chapter 12: Operations and Site Reliability Operating Model Revised Roles and Responsibilities Assess Capabilities and Role Mappings Business Domain Application Domain Infrastructure Domain Technology Domain Data Domain Security Domain Operational Automation Compliance Monitoring and Enforcement Platform Monitoring Leveraging the OMS Platform Offering Component Monitoring Application Gateways App Services Kubernetes Virtual Machines Network Monitoring Security Monitoring Incident Management Summary

Index ...
Scalable Cloud-First Solutions Josh Garverick Migrating to Azure Josh Garverick AKRON, New York, USA ISBN-13 (pbk): 978-1-4842-3584-3 ISBN-13 (electronic): 978-1-4842-3585-0 https://doi.org/10.1007/978-1-4842-3585-0...

members’ information, requests, and card © Josh Garverick 2018 J Garverick, Migrating to Azure, https://doi.org/10.1007/978-1-4842-3585-0_1 Chapter the Baseline inventories The application itself...

summary of the NRF’s first and second level concepts can be found in Table 1-1 below 11 Chapter the Baseline Table 1-1 NRF Business Process Model: Levels and Level Level serve Customers Manage

Date posted: 21/03/2019, 09:37

Table of contents

  • About the Technical Reviewer

  • Part I: Assessing the Legacy

    • Chapter 1: The Baseline

      • Conducting the Initial Discovery

      • Getting Details on the Short (and Long)-Term Goals of the Business

      • Learning the Business Context of Application Domains

      • Gathering Functional and Nonfunctional Requirements

      • Creating and Examining Dependency Graphs

      • Finding Existing Build and Release Pipelines

      • Proactively Seeking Out Pain Points

    • Chapter 2: Domain Architectures

      • Identifying Primary, Secondary, and Tertiary Components

      • Constructing a Basic Infrastructure View

      • Enhancing the Infrastructure View

        • Physical Devices

      • Seeking Interactions with Applications, Technology and Data

      • Go with the Data Flow

        • Immediate Consistency

      • Fleshing out the Build Process (Further)

      • Lighting up the Runway

    • Chapter 3: Security and Compliance

      • Leading in with Expectations

      • Identifying Domain Risk Areas

        • Data Security

        • Application Security

          • Identity and Access Management

          • Transport and Delivery Channels

      • Mitigating the Risks

        • Risk Register
