We’ve been assisting a lot of clients as they move some or all of their workloads to Azure. They’re taking advantage of the improved security and availability those services offer. But during the move, they sometimes forget a few basics. These are things they would normally do on-premises, but for some reason they get overlooked during the expansion into Azure.
Active Directory Sites & Services
One of the most common items we see is that admins fail to define the Azure location as an AD site. By default, the Azure location and its resources will be associated with another AD site (possibly ‘Default-First-Site-Name’ if nothing was defined), and clients may end up leveraging resources at the Azure location for authentication of users on-premises.
Why does it matter? When users log into the network, the workstation finds a list of domain controllers and services in its own site to handle authentication. If authentication is processed over a remote link, such as a VPN link to Azure, users will experience additional latency. That latency will not be consistent; it will be sporadic across users. It may not be obvious why some actions seem faster for one user than for another sitting right next to them, or why the same user is affected on some days and not others. Also, certain applications leverage Active Directory sites to locate local services. This can cause performance problems for those applications that are difficult to sort out.
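One way to check for this condition, as an added example that is not part of the original post: the script below compares each domain controller's assigned site with the site of the AD subnet object that covers its IP address. It assumes the ActiveDirectory RSAT module and IPv4 subnet objects; `ConvertTo-IPv4Number` and `Test-IPv4InCidr` are hypothetical helpers written for this example.

```powershell
# Added example: audit DC site placement against the AD subnet objects.
# Assumes the ActiveDirectory RSAT module and read access to the forest.
Import-Module ActiveDirectory

# Hypothetical helper: dotted IPv4 string -> numeric value.
function ConvertTo-IPv4Number([string]$Address) {
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [double]$b[0] * 16777216 + [double]$b[1] * 65536 + [double]$b[2] * 256 + [double]$b[3]
}

# Hypothetical helper: true when $Address falls inside $Cidr (e.g. 10.1.0.0/16).
function Test-IPv4InCidr([string]$Address, [string]$Cidr) {
    $network, $prefix = $Cidr -split '/'
    $block = [math]::Pow(2, 32 - [int]$prefix)   # number of addresses in the subnet
    [math]::Floor((ConvertTo-IPv4Number $Address) / $block) -eq
        [math]::Floor((ConvertTo-IPv4Number $network) / $block)
}

# Subnet objects are named by their CIDR; keep the IPv4 ones only.
$subnets = Get-ADReplicationSubnet -Filter * |
    Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+/\d+$' }

Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_
    $best = $null
    if ($dc.IPv4Address) {
        # The most specific (longest prefix) subnet containing the DC's address.
        $best = $subnets |
            Where-Object { Test-IPv4InCidr $dc.IPv4Address $_.Name } |
            Sort-Object { [int]($_.Name -split '/')[1] } -Descending |
            Select-Object -First 1
    }
    # The subnet's Site property is a distinguished name; keep only the site name.
    $subnetSite = $null
    if ($best -and $best.Site) { $subnetSite = ($best.Site -split ',')[0] -replace '^CN=' }

    if (-not $best) { $finding = 'No subnet object covers this DC' }
    elseif ($subnetSite -ne $dc.Site) { $finding = 'DC site differs from subnet site' }
    elseif ($dc.Site -eq 'Default-First-Site-Name') { $finding = 'DC in default site; review' }
    else { $finding = 'OK' }

    [pscustomobject]@{
        DC = $dc.HostName; IP = $dc.IPv4Address; DCSite = $dc.Site
        Subnet = $best.Name; SubnetSite = $subnetSite; Finding = $finding
    }
} | Format-Table -AutoSize
```

Running `nltest /dsgetsite` on a workstation shows which site that client has resolved to, which confirms the result from the client side.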
Backup and Disaster Recovery Planning
Just because your data is stored in triplicate in a datacenter, or duplicated to another datacenter for a total of 6 copies, doesn’t mean you can skip backups or DR planning. Microsoft does offer backup options for Azure resources so you can restore your resources as necessary. Backups will help you get back to a particular point in time should you have data corruption, malware, ransomware or other issues you need to recover from.
One thing people are sometimes mistaken about with Azure’s redundant datacenters and Azure GRS (Geo-Redundant Storage) is that you don’t control when a disaster is declared. Microsoft is the one that decides a datacenter is down and can’t be recovered promptly. Depending on your business requirements, that may not meet your goal. If that is the case, or you just want an extra safety net to sleep easier at night, you should look at Azure Site Recovery options to protect your Azure resources (and on-premises resources too).
Depending on your recovery point objectives (RPO) and recovery time objectives (RTO), you may need a different solution than what Microsoft currently offers. We can help discuss the options, be it application-level protections or other product offerings that fit your business needs.
I’ll follow up with some additional items in the next post. Any questions? Email firstname.lastname@example.org. We are happy to help.