Kickstart your Azure Landing Zone deployments with Terraform

Introduction to the Azure Cloud Adoption Framework

So, you’ve heard the terms CAF and WAF being thrown around, but have no idea what they are supposed to mean? Then look no further, because in this and the following articles we will dive into the first acronym, CAF, or Cloud Adoption Framework.

This first article will focus on the Cloud Adoption Framework itself and aims to give you a short overview. The upcoming articles will dive straight into making your plans reality using Terraform and the Microsoft-maintained CAF resources and modules:

  • Remote State Storage, Management Groups and Policies and the budding beginnings of a build and release pipeline for your platform DevOps team
  • Connectivity and Identity services - the lifeblood of your cloud stamp
  • Application Landing Zones and the subscription vending machine - handing off to the business

Since yours truly is a subject matter expert on Azure, this article series will highlight the Azure Cloud Adoption Framework (https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/get-started/). Rest assured that the Google Cloud Platform and Amazon Web Services both offer their own Cloud Adoption Frameworks and architecture tenets.

What is the Azure Cloud Adoption Framework

The Azure Cloud Adoption Framework, henceforth abbreviated as CAF, describes a set of architectural guidelines, best practices and antipatterns (in other words, a framework) that are intended to help you and your organisation increase your cloud adoption.

CAF can cover the entire lifecycle of your cloud strategy and is based around the seven phases of your cloud adoption journey. While the bulk of technical guidelines in this framework are focussed on Azure, Microsoft also provides great strategies and architectures that include the resources hosted by other cloud providers.

The Cloud Adoption Framework phases from top left to bottom left: Strategy, Plan, Ready, Adopt, Govern, Manage, Secure
All phases of the Azure Cloud Adoption Framework

As with all big frameworks and transformative ideas, the success of using the cloud adoption framework hinges on the support of nearly everyone in your organisation. The entire process is ideally supported by a tenured cloud architect who can serve as a facilitator (in some organisations sadly a mediator rather than a facilitator) bringing together all stakeholders.

Luckily, here at shiftavenue we can provide your organisation with the aforementioned tenured cloud architects. In our experience, an outside voice can sometimes bring about change more effectively through fresh ideas and an uninfluenced view. Contact our sales department for more details! But that’s enough self-aggrandizing advertisement for this article series. Let’s get into it.

Why use the Azure Cloud Adoption Framework

If I haven’t made my case in the last section, let me provide more detail why using the Azure CAF is a major boon for your cloud journey. Microsoft has put in more and more resources over the last years to really make the CAF a central and authoritative source for every cloud architect, business decision maker and engineer out there.

Strategy

The first step on your wonderful cloud journey focuses on arguably the most important thing: Defining your cloud strategy. So many businesses neglect or half-ass that step, leading to a rather chaotic cloud journey that alienates not only the businesses’ DevOps teams but also their business stakeholders.

In most steps along the cloud journey, Microsoft provides a list of free assessments and other smart tools that help you reach a decision faster. The one recommended at this point is called the Cloud Adoption Strategy Evaluator. Available for free to anyone with a Microsoft account (Work and Personal) on Microsoft Learn, this assessment should be taken seriously and requires a bit of time to fill out in earnest.

The question "How would you describe your cloud strategy" is posed, with the possible answers being "Developed as necessary, fragmented", "Clear and defined", "transformational and innovative" and "requires optimization"
The very first question in the strategy evaluator

While filling out the assessment questionnaire, you will be confronted multiple times with your own decisions, and it may be difficult to admit that for example your cloud strategy is fragmented at best.

I can tell you, however, that going through this process earnestly and without assigning blame to whoever made the decisions in the first place will accelerate your cloud adoption journey and, as a side effect, improve cohesion in your organisation.

The result of your assessment will be a simple traffic light at first glance, but will include lots of recommendations if you scroll down a bit.

Results of an assessment, most of the results are ranging in the middle of a scale from 1 to 11
The results are in

Since Ignite 2023, all steps of the cloud adoption journey include a list of helpful antipatterns. If they feel familiar to you while reading them, it may explain parts of your current IT strategy that could benefit from optimisation. To highlight one from Strategy: “Fail to communicate motivations” - sound familiar? All too often, especially bigger organisations fail to effectively communicate transformative changes.

Plan

It should come as no surprise that the planning stage follows the strategy phase. Again, Microsoft provides great assessments and tools that you should utilise to cover ground quickly. I would like to highlight the “Strategic Migration Assessment and Readiness Tool” at this point.

This assessment can be taken multiple times and allows you to create milestones. Seeing a gradual improvement in your growth areas as well as seeing where you are already acing it not only motivates you, but also helps you tailor your strategy and plan to your organisation’s needs.

A person standing on top of scattered papers lying on the ground, observing a sprawling city
A lost city planner about to revise their plans

To empower everyone in your organisation to build cloud-first solutions and support your cloud journey, also consider building a readiness plan. All too often I have experienced that organisations do not openly encourage employees, especially in the IT Ops department, to improve their readiness through training courses and learning environments.

Operators are often left to fend for themselves and need to develop the necessary skills under pressure - as the first department eagerly wants to use Function Apps, Cosmos DB and an Event Grid for example.

With planning done, it is time to move to the juicy bits: The implementation! But wait, not yet. We’ll only go over the basics here, you won’t be surprised by code.

Ready

The ready phase, as the name implies, is there to make your organisation ready for the cloud journey. In this phase, you will usually start with bootstrapping: creating a new Entra ID tenant if you don’t have one yet, configuring your Microsoft Customer Agreement and billing scopes, and maybe even creating your first important platform subscriptions manually.

Ultimately, you will also begin planning for your application landing zones. The landing zone concept is very central to the CAF and in short describes what is necessary to lay out the red carpet for your organisation’s applications or services.

An enterprise-scale landing zone deployment consists of all the resources necessary to successfully deploy or migrate workloads to the cloud. An apt comparison is city planning: A successful city has well-working utilities like electricity, water and sewage already in place before any development can begin. If only city planning and building buildings could be done using a CI/CD pipeline…

An extensive architecture diagram that is hard to describe for the visually impaired. It shows an enterprise scale architecture showing management groups, connectivity, management and identity resources
This should be viewed on Microsoft Learn

What we here at shiftavenue recommend is starting code-first so as to not start with an already drifting environment. Why is that important? Remember the days of yesteryear, when administrators (what we called Operators back in the day) would caress each system like a little kitten, where they would log on here and there and twiddle settings without properly documenting them? Yeah, we can’t have that at the scale of a cloud deployment.

Microsoft provides several ready-to-go templates and approaches that should fit most platform DevOps teams. We at shiftavenue believe that Terraform and the accompanying modules developed by Microsoft and the Azure community are a good fit for many organisations, as your skills crafting modular Terraform code carry over to all cloud providers. Sure, resources are called differently, but you will still need to manage configuration data at scale.

Be sure to update your SMART assessment as you go.

Adopt

The adopt phase is where it gets interesting for your existing product owners and likewise stakeholders. It contains guidance on how to migrate, modernise, innovate and relocate workloads.

When starting on the proverbial green field, you will often face the decision to migrate or modernise a solution. Think of an old monolithic ASP.NET application merrily chugging along on-premises. It’s connected to an MSSQL database cluster providing databases to many of your LOB apps and uses your on-premises Active Directory for authentication and authorization.

While the urge to migrate the application might be strong in you, you could also think about a redesign. Conveniently, I’ve chosen ASP.NET with an MSSQL backend as your legacy app. This one is rather easy to modernise without alienating your existing Devs, Ops and Data Engineers. Azure App Service combined with a managed SQL database could be an easy modernisation target.

So easy, apparently, that Azure Migrate will suggest the very same. In general, Azure Migrate is an important tool to aid your migration efforts. Even if you’re not planning to migrate your solutions, its assessments will grant you more insight into your own infrastructure if for example you are not sure which applications communicate with each other.

A carpenter concentrated on their work
Some things might need fixing, or need a full rebuild

Apart from migrations and modernisations, I would like to draw your attention to innovation. Only innovative companies can survive the passing of time and always emerge on top. While the ideas Microsoft presents, like data democratisation, engagement and empowerment, may not sound revolutionary, you should not dismiss them but rather embrace them.

With the data resources that Azure offers and the provided AI services, innovation gets easier by the day.

After those first heady days of migrating and innovating are over, you will at some point need to think about the next phase, cloud governance.

Govern

Governance is important, doubly so in cloud or multicloud environments where the sheer number of resources and controls requires appropriate governance at all times. The CAF section on governance includes very detailed guidelines around governance for even complex scenarios, including multicloud.

All guidelines you can find in CAF relate neatly to the five guiding tenets of another important framework, the Azure Well-Architected Framework, or WAF. Boy oh boy, do we have some great content for you in the future! But let us concentrate first on CAF before moving on to WAF.

The policy-driven infrastructure approach you adopted in the ready phase is especially useful when it comes to governance. As your myriad policies become commits in a source code repository, it becomes easier to publicise changes internally and to make them reviewable, and your security and governance teams can sign off on changes and improvements that now everyone in your organisation can suggest via Merge Requests or Pull Requests.

Any new policies included in your source code will automatically be deployed in your test tenant (you do have one, right?) and will be sent on to production, where a manual gatekeeper is going to sign off on the automated deployment to production. At no point in this process is time wasted due to unclear responsibilities, opaque management tools (looking at you, Azure Portal!) or siloed information (looking at you, 90% of big organisations!).
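To make the idea of a policy as a reviewable commit concrete, here is an added illustration (not code from this article, nor from Microsoft's CAF Terraform modules) of one custom Azure Policy definition and its assignment at management-group scope, written against the azurerm provider. The management group ID and the list of allowed regions are placeholders you would replace with your own.

```hcl
# Added example, not from the article or the CAF module: a deny-by-default
# location policy that lives in source control and is rolled out through the
# same pipeline as the rest of the platform. Values below are placeholders.

provider "azurerm" {
  features {}
}

variable "platform_management_group_id" {
  description = "Resource ID of the management group receiving the policy (placeholder)."
  type        = string
  default     = "/providers/Microsoft.Management/managementGroups/mg-platform"
}

variable "allowed_locations" {
  description = "Regions in which workloads may be deployed (placeholder values)."
  type        = list(string)
  default     = ["westeurope", "northeurope"]
}

# The definition: any resource whose location is not in the parameter list is denied.
resource "azurerm_policy_definition" "allowed_locations" {
  name                = "deny-unapproved-locations"
  policy_type         = "Custom"
  mode                = "Indexed"
  display_name        = "Deny resources outside approved regions"
  management_group_id = var.platform_management_group_id

  policy_rule = jsonencode({
    if = {
      not = {
        field = "location"
        in    = "[parameters('allowedLocations')]"
      }
    }
    then = { effect = "deny" }
  })

  parameters = jsonencode({
    allowedLocations = {
      type     = "Array"
      metadata = { displayName = "Allowed locations", strongType = "location" }
    }
  })
}

# The assignment: binds the definition to the management group with concrete values,
# so every subscription beneath it inherits the guardrail.
resource "azurerm_management_group_policy_assignment" "allowed_locations" {
  name                 = "deny-bad-locations"
  management_group_id  = var.platform_management_group_id
  policy_definition_id = azurerm_policy_definition.allowed_locations.id

  parameters = jsonencode({
    allowedLocations = { value = var.allowed_locations }
  })
}
```

A change to the allowed-regions list is then a one-line diff that reviewers can see and that the pipeline applies to the test tenant first.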

Before you get all misty-eyed, let’s see how we can manage all this new greatness.

Manage

The manage section dives into all the different ways of managing your resource inventory, ensuring compliance, protecting your workloads and improving your policy-driven infrastructure through feedback during the entire process.

If you use one of the suggested approaches to enterprise scale deployments like Terraform, you will already have the necessary plumbing in place to securely and effectively manage your resources as they are deployed.

From Log Analytics and Azure Monitor to change tracking, inventory and update management with Azure Automation to the activity log and the network watchers - everything serves its purpose.

With regards to operational excellence, tools like Azure Policy with Azure Automanage (formerly Guest Configuration, among the community usually known as Desired State Configuration) can be used very effectively. Since you use the Terraform enterprise scale module, dropping in new policies is easy and can be done in minutes.

With Azure Backup and Microsoft Defender for Cloud, you can improve your security and business continuity posture. Extended with Sentinel this quickly becomes an integral part of your security team’s toolset.

Secure

While we are talking about security, let’s quickly move to the next phase in the CAF: Secure! As stated multiple times throughout the CAF, “A journey without a target destination is just wandering.” - as with every phase, having a clearly defined desired state in mind, it becomes easier to work towards it.

As you security professionals know, this is still very much a moving target and should not be seen as a static goal to be reached. An organisation's security posture needs to be improved continuously, aided by a well-oiled DevOps approach. Sometimes, people throw in unnecessary word creations like DevSecOps. What they mean, deep in their hearts, is that security professionals need to adopt a DevOps approach, and that DevOps teams need to keep security front and centre.

A knight in shining armor staring at a laptop
Security comes at a price

Our previous articles here have already highlighted much important documentation and many standards and frameworks that you will need with any cloud provider, even if you yourself are the provider. Principles like Zero Trust should be top-of-mind, and frameworks like the NIST Cybersecurity Framework might help.

Organise

Organising transformative change is not an easy feat. Your organisation needs to foster a good working environment and ensure your teams have enough room to grow and build technical skills. This also includes an investment in knowledge transfer, should you employ external consultants to aid your cloud migration efforts. At this point, it is also high time to break up old silos and stop treating IT as a cost centre rather than a profit centre.

While governance certainly helps, your organisation will also need to become more cost-conscious than you may have been on-premises.

Lastly, I would like to stress the antipattern of silos and fiefdoms that is outlined in CAF. I’ve seen this at countless clients. A recurring problem of managers with a very closed mindset resisting change, key IT engineers sticking to their decades-old knowledge and refusing to learn something new, teams fighting against each other instead of collaborating - you’ve surely all experienced something similar. Nothing can stop a successful cloud strategy more efficiently than this behaviour.

Two castles separated by a river yet still connected by a crumbling bridge, used to illustrate the IT fiefdoms.
A Merovingian networking department (left) battling the Carolingian database team (right)

What about AWS and GCP

Both AWS and GCP have their own set of guidelines regarding cloud architecture and cloud adoption.

Amazon centres their guidance along the capabilities ‘Business’, ‘People’, ‘Governance’, ‘Platform’, ‘Security’ and ‘Operations’. Sound familiar? It should. Apart from product names and tooling, all clouds are pretty similar. Learn more here: https://aws.amazon.com/cloud-adoption-framework/

Google follows a streamlined approach along the four themes ‘Lead’, ‘Learn’, ‘Scale’ and ‘Secure’, placing a focus on the actual people driving your cloud migrations. Learn more here: https://cloud.google.com/adoption-framework

Both providers have lots of documentation on this important topic, and just like Microsoft are trying to help you make the most of your cloud investments. That being said, with all three providers be aware that some tools are highly cloud-specific and will mean some form of vendor lock-in. This is not necessarily bad, but should be considered when making a decision.

So, with that being said, go ahead and start planning your cloud adoption journey! Join us next time to see the actual implementation, starting with a management group structure and policies!

A lone wanderer in a purple coat walking on a winding road towards towering clouds
The way into the cloud is seldom so calm, but it needs to be walked
