AZURE IAC FRAMEWORK
International Tire Manufacturer
The main goal of the project was to create a unified, highly available, transparent and predictable IT infrastructure for the customer's manufacturing sites across Europe, in order to minimise maintenance costs and provide scalability.
The customer also needed to raise its security posture by strengthening protection for all types of workloads in Azure and for end-user devices running Windows 10 and later.
The hybrid IT environment has been designed, built, and is maintained by ICL. It consists of an Azure multi-regional environment, two main on-premises datacentres, and multiple remote locations across the world, each with its own local IT infrastructure that forms part of the hybrid environment. The Azure environment is built as a hub-and-spoke platform that now spans several Azure regions and is managed using the Infrastructure as Code (IaC) approach.
GDC Services has migrated more than 500 servers running business and infrastructure applications from the two on-premises datacentres and a legacy Azure environment to the new Azure environment without any impact on the customer's business processes. For each server or solution the most suitable migration approach was chosen according to its technical and business requirements: rehost (lift and shift), refactor/re-architect, revise, rebuild, or replace.
GDC Services has designed, implemented, and now maintains:
- an Enterprise Management toolset built on Azure cloud native tools – Azure Backup, Azure Monitor, Azure Update Management, Azure Desired State Configuration. Servers and applications deployed in the new Azure environment have been migrated from the traditional management tools (SCOM, SCCM, CommVault) to these Azure cloud native management tools;
- a Security service toolset built on Azure cloud native tools – Sentinel, Microsoft Defender for Endpoint (including Endpoint Detection and Response, Antivirus, Threat and Vulnerability Management, etc.), Microsoft Defender for Identity for AD domain controllers, IDPS, WAF. ICL also designed, implemented, and now maintains an antivirus solution for end-user Windows 10+ devices based on Microsoft Defender for Endpoint and Defender Antivirus;
- integration between the customer’s ITSM system (ServiceNow) and the Enterprise Management toolset (SCOM, PRTG, Azure Monitor, Sentinel, Elasticsearch);
- the automation of the Technical Service Catalog in the customer’s ITSM system (ServiceNow);
- an Azure B2C solution;
- a new Azure Virtual Desktop environment consisting of multiple host pools. ICL has successfully migrated thousands of users from the previously used Windows Server RDS and Citrix environments to the Azure Virtual Desktop environment without any impact on the customer's business;
- a hybrid management solution built on SCCM Cloud Management Gateway, Intune, and Defender for Endpoint. This solution provides full control over end-user devices even when users work remotely without connectivity to the customer's corporate network. It includes software management and distribution, software and hardware inventory, patch management, and advanced antivirus protection;
- a new SSL VPN solution built on Azure-native PulseConnectSecure VPN appliances. The solution is configured as an active-active cluster of two nodes to provide fault tolerance and a continuous remote access service for the customer's users;
- the Evergreen service for customer’s end-user devices.
Outcomes for the customer:
- IaC platform: The implemented IaC approach enables the customer to accelerate deployment, improve governance and security, and ensure resource consistency across the Azure Platform. It provides a common library of re-usable blueprints, patterns, building blocks, templates, and pipelines. Use of this library with the existing CI/CD processes and toolchains can be aligned with the individual product teams that develop or maintain their own products within the Azure Platform as part of the on-boarding process, and the library may be expanded with re-usable components contributed by those teams to promote common use across them.
- Migration: Reduced TCO. No dependency on on-premises datacentre and network services, and no need to purchase and maintain the underlying infrastructure components (network equipment, servers, storage, management software). Easily scalable and reliable infrastructure.
- Enterprise Management toolset: Reduced TCO. Azure cloud native SaaS tools mean there is no underlying infrastructure (management tools' software, storage, servers) to maintain and no need to purchase or renew licences for the previously used enterprise management tools; in most cases the price of the Azure native management tools is already included in the Azure cost.
- Security service toolset: All IaaS and PaaS workloads deployed in the new Azure environment, as well as end-user Windows 10+ devices, are now protected by a modern, continuously evolving security solution.
- ITSM integration: The integration provides automatic registration, update, and closure of incidents based on monitoring events. It eliminates human involvement in registering monitoring incidents and significantly reduces the time to react to and resolve them.
- Technical Service Catalog automation: Users can request deployment of resources in the Azure environment (e.g. virtual servers, PaaS and SaaS workloads, business applications), manage user accounts with their roles and permissions, manage SSO and MFA settings, and so on. Once received and approved, such requests are fulfilled automatically by means of Azure Automation and Azure DevOps capabilities.
- Azure B2C: This new identity management service enables external users to access the customer's business applications using their personal accounts from providers such as Microsoft, LinkedIn, Facebook, and Google.
- Azure Virtual Desktop: The solution addresses the growing demand for remote work. Users can work with corporate resources from anywhere over the Internet, using any device.
- Hybrid management solution: The solution addresses the growing demand for remote work and ensures that all end-user devices are in a consistent state in terms of software patching, vulnerability management, and antivirus protection. The customer has all the required inventory data from end-user devices even when they are not connected to the corporate network, and users can request and install the software packages they need from the corporate application catalog.
- SSL VPN: The solution addresses the growing demand for remote work. Users can work remotely over the Internet using their corporate laptops.
- Evergreen service: This service keeps users on the latest versions of system software and business applications on their devices.