needed to enable logging, especially for monitoring cloud-native logs such as
Azure Activity logs, Azure AD logs, etc. To keep things simple, the decision
was made to use Azure Log Analytics, as it supports logging from cloud-native
Azure services (Azure Functions, Azure Activity logs, etc.) across multiple
subscriptions, consolidated within a single workspace. For infrastructure
logs, such as NSG logs, Application Gateway logs and Azure Key Vault logs,
Azure CLI scripts are embedded in Terraform to forward each resource's
diagnostic logs to the specified workspace. For agent-based logging from VMs,
containers, etc., Chef cookbooks provision the Log Analytics agents. Azure Log
Analytics also provides pre-built dashboards and solutions for key Azure
resources such as containers, Azure AD and NSGs.
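As an added example (not code from the original article), the following Terraform fragment shows the pattern just described: an Azure CLI call embedded in Terraform that forwards a resource's diagnostic logs to the central Log Analytics workspace. It generalizes slightly by driving any number of resources from one map of resource ID to log categories. The subscription, resource group, resource and workspace IDs are assumed placeholders; the category names (AuditEvent for Key Vault, NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter for NSGs) are the documented diagnostic categories for those resource types.

```hcl
# Added example, not code from the original article: forward Key Vault and
# NSG diagnostic logs to a central Log Analytics workspace by embedding the
# Azure CLI in Terraform (0.12+ syntax). All resource IDs are assumed.

variable "workspace_id" {
  description = "Resource ID of the central Log Analytics workspace (assumed)"
  default     = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logging/providers/Microsoft.OperationalInsights/workspaces/law-central"
}

locals {
  sub = "/subscriptions/00000000-0000-0000-0000-000000000000" # assumed

  # Resource to onboard -> diagnostic log categories to enable.
  # AuditEvent records every Key Vault data-plane call with caller identity;
  # the two NSG categories give flow-level events and per-rule hit counters.
  monitored = {
    kv = {
      id   = "${local.sub}/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"
      logs = ["AuditEvent"]
    }
    nsg = {
      id   = "${local.sub}/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-app"
      logs = ["NetworkSecurityGroupEvent", "NetworkSecurityGroupRuleCounter"]
    }
  }
}

resource "null_resource" "diagnostics" {
  for_each = local.monitored

  # Any change here replaces the null_resource, i.e. runs the destroy-time
  # delete followed by a fresh create with the new values.
  triggers = {
    resource  = each.value.id
    workspace = var.workspace_id
    logs = jsonencode([
      for c in each.value.logs : {
        category        = c
        enabled         = true
        retentionPolicy = { enabled = false, days = 0 }
      }
    ])
  }

  # Requires an `az login` session holding Microsoft.Insights/diagnosticSettings/write
  # on the resource and read access to the workspace.
  provisioner "local-exec" {
    command = <<-EOT
      az monitor diagnostic-settings create \
        --name      to-central-workspace \
        --resource  '${self.triggers.resource}' \
        --workspace '${self.triggers.workspace}' \
        --logs      '${self.triggers.logs}'
    EOT
  }

  # Without this, `terraform destroy` leaves the diagnostic setting orphaned.
  provisioner "local-exec" {
    when    = destroy
    command = "az monitor diagnostic-settings delete --name to-central-workspace --resource '${self.triggers.resource}'"
  }
}
```

A null_resource only records that the CLI once ran, so the destroy-time provisioner is what keeps the setting's lifecycle tied to Terraform. Newer versions of the azurerm provider expose azurerm_monitor_diagnostic_setting, which replaces the CLI shell-out with a resource Terraform tracks in state; where it is available it is the better choice, because `terraform plan` can then detect a setting that someone disabled out of band, which the CLI pattern above cannot.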
Security
Security standards and best practices need to be embedded within each
component of the Azure resources and their deployment. Azure Security Center
(ASC) should be enabled to detect infrastructure vulnerabilities. ASC is now
natively integrated with Azure Log Analytics and the Log Analytics agents to
build security awareness and recommendations. All VM disks and storage
accounts are enabled with encryption at rest as part of the automation; note
that encryption at rest with platform-managed keys protects against loss of
the physical media, not against a compromised identity with data-plane access,
so the detective controls below remain necessary. Advanced threat detection
features in Azure AD are enabled to monitor sign-in patterns. Trend Micro Deep
Security is deployed to provide network- and host-based IDS/IPS; the Trend
Micro agents are provisioned within each VM as part of the automation.
Together these features provide the security coverage required to detect
suspicious activity within the Azure infrastructure.
Application Configuration
With a wide range of tools in the mix – such as Terraform, Azure Automation,
Azure VM extensions, Chef, etc. – application configuration functionality
might overlap. Azure VM extensions support provisioning Chef agents, Trend
Micro agents, custom scripts, etc., but there isn't an easy way to manage VM
extensions across many servers. To keep configuration maintainable, all custom
VM images are pre-built with the Chef agent using Packer, and Chef is the
standard platform for all application configuration. Terraform is used
strictly to stand up the cloud infrastructure and to supply configuration
data, such as cookbook attributes and connection strings, from Consul and
Vault to the Chef agents on the VMs. The Chef agents then pull the cookbooks
and perform the VM configuration. Jenkins, in conjunction with Chef and
Artifactory, establishes the CI/CD pipelines for both infrastructure and
application deployments.
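As an added example (not code from the original article), here is how the hand-off from Terraform to a pre-baked Chef agent can look: non-secret settings come from Consul, the database connection string comes from Vault, and both are passed as node attributes to Terraform's chef provisioner, which only registers and converges the node because chef-client is already in the Packer image. The Consul and Vault addresses, KV paths, Chef server URL, cookbook name and SSH details are all assumed.

```hcl
# Added example, not code from the original article: Terraform reads
# non-secret settings from Consul and a connection string from Vault and
# hands both to the Chef agent that Packer already baked into the image.
# Addresses, KV paths, the cookbook and the SSH details are assumed.

provider "consul" {
  address = "consul.example.internal:8500"        # assumed
}

provider "vault" {
  address = "https://vault.example.internal:8200" # assumed; token via VAULT_TOKEN
}

variable "vm_ip" {}           # in the real module: output of the azurerm VM resource
variable "ssh_private_key" {} # contents of the SSH private key for the VM
variable "chef_user_key" {}   # contents of the Chef user's private key

# Non-secret settings live in Consul KV (paths assumed).
data "consul_keys" "webapp" {
  key {
    name = "environment"
    path = "apps/webapp/environment"
  }
  key {
    name = "log_level"
    path = "apps/webapp/log_level"
  }
}

# The connection string lives in Vault (KV v1 path assumed).
data "vault_generic_secret" "db" {
  path = "secret/apps/webapp/db"
}

resource "null_resource" "webapp_converge" {
  # Re-converge when the environment or the secret changes. The secret is
  # hashed so the trigger value shown in `terraform plan` is not the secret.
  triggers = {
    environment = data.consul_keys.webapp.var.environment
    db_digest   = sha256(data.vault_generic_secret.db.data["connection_string"])
  }

  connection {
    type        = "ssh"
    host        = var.vm_ip
    user        = "azureuser"
    private_key = var.ssh_private_key
  }

  provisioner "chef" {
    server_url      = "https://chef.example.internal/organizations/example" # assumed
    node_name       = "webapp-${data.consul_keys.webapp.var.environment}"
    user_name       = "terraform"
    user_key        = var.chef_user_key
    environment     = data.consul_keys.webapp.var.environment
    run_list        = ["recipe[webapp::default]"] # assumed cookbook
    skip_install    = true # chef-client was baked in by Packer
    recreate_client = true # a rebuilt VM must not fail on a stale node object

    # Cookbook attributes assembled from Consul (plain) and Vault (secret).
    attributes_json = jsonencode({
      webapp = {
        log_level            = data.consul_keys.webapp.var.log_level
        db_connection_string = data.vault_generic_secret.db.data["connection_string"]
      }
    })
  }
}
```

Two things to check before using this pattern. First, the connection string now exists in Terraform state (the Vault data source stores what it read) and in the node object on the Chef server, so the state backend must be encrypted and access-controlled and node data readable only by the people who may see the secret; the tighter alternative is to pass only the Vault path and let the cookbook fetch the secret at converge time. Second, the built-in chef provisioner was removed in Terraform 0.15, so on current releases the same attributes JSON is instead written to the VM at boot (for example via custom_data) and consumed with `chef-client -j`.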
Conclusion
With the current maturity of CLI, OMS and security features in Azure, along
with third-party DevOps toolsets, it is quite possible to maintain automation
end-to-end, and to build reliable, repeatable and maintainable infrastructure
in Azure, just as you can with AWS.
WINTER 2018 | THE DOPPLER | 25