Microsoft Azure Red Hat OpenShift Landing Zone Accelerator
Aneesh AR, Red Hat Senior Cloud Services Black Belt and Kevin Harris, Microsoft Azure Global Black Belt will go in-depth about how you can get started quickly with the Azure Red Hat OpenShift Landing Zone Accelerator.
Meet the speakers
Kevin Harris (00:00):
Welcome everyone to the Microsoft Azure Red Hat® OpenShift®, also known as ARO, video series. My name is Kevin Harris. I'm part of the Azure Global Black Belt App Innovation Team. I love helping customers and partners build cloud-native solutions on top of Azure. I'll be one of your hosts today.
Aneesh AR (00:14):
And I'm Aneesh AR from the Red Hat Managed OpenShift Black Belt team. ARO is one of my focus areas and today's session is on ARO Landing Zones. So we'll cover some of the commonly asked questions by customers on this topic.
Kevin Harris (00:25):
Speaking of questions, one of the common questions I typically get, especially for a customer that's new to Azure: how do I organize the resources?
How to organize resources in Azure Red Hat OpenShift
Aneesh AR (00:32):
Right. That's where Azure Landing Zone helps. It's based on Microsoft's cloud adoption framework, which gives you a conceptual architecture that represents what an end target state should look like in Azure. So to maintain a good topology of resources in Azure, you have different scope levels starting from management groups, subscriptions, resource groups, and at the bottom are resources. So it considers a lot of network and security considerations and takes care of services that are shared as well as isolated, and gives you an overall enterprise architecture framework to start off with. Now that we have got a foundational landing zone set up, the next question is how do we build an ARO-specific one?
Kevin Harris (01:12):
Good question. Let's go over to the board for that. The first of the key design decisions we're going to cover are network topology and connectivity. So first thing we think about here is, we think about hub and spoke technology. So we have a hub over here. We've got our spoke over here. These are then connected via VNet peering.
(01:43)
Some of the key things we think about when we go through this process in the hub, we look at things like firewall, bastion. We got VMs in terms of jump boxes. We got a gateway that might be going back to on-premise DNS. A lot of these are your shared resources. These are the things that Aneesh talked about earlier. Now, when we move over into the spoke, this is the ARO-specific landing zone. So you see we've got ARO, we've got a Front Door subnet, and we've got an Azure Private DNS zone. So one of the examples for ingress could be a user out here coming into Azure Front Door and then coming in and coming into our ARO cluster. And that can be an example of ingressing. Now for the egress side of the house, from ARO getting back out, egress lockdown type idea. From ARO I wanna filter those things through a firewall. And then from a firewall out to the internet. These are just a few of the key design decisions that we think about.
How Azure Landing Zone resources are organized
Aneesh AR (02:38):
Alright, when it comes to management of resources, we always spoke about how in an Azure Landing Zone resources are organized. If you have to extend that to the ARO space we could place the hub in its own hierarchy of management group and subscriptions, being a shared centralized service. ARO and related components could go into its own hierarchy.
(03:05)
This could be here and this could be another sub-hierarchy. In any organization, there will be different classification of applications: paid, internal, B2B, corporate applications or e-commerce only applications. And ideally you would have them placed in different hierarchies so that a different set of regulatory policies and security policies can be run against each. For example, PCI is where an application might have a specific set of regulatory policies that you would wanna run against them. So that's how resource management can be class organized in an ARO world.
Identity and access management in Azure Red Hat OpenShift
Kevin Harris (03:43):
Next section we wanna talk about is identity and access management. So the first thing we think about inside Azure is Azure Active Directory, or Azure AD. In this case here, we can connect Azure AD up to ARO as an identity provider. What does this mean? It means I can actually log on using my Azure Active Directory credentials to the ARO console and the ARO portal. That allows me to take advantage of things like conditional access, multi-factor authentication, and the other RBAC capabilities that are built into Azure AD.
Aneesh AR (04:15):
So when it comes to security, we've covered some of the aspects already. So ARO lets you take advantage of the egress lockdown capability, whereby all the platform required endpoints are connected via the Azure backbone network and the words need to have an internet access for it. And then for any applications that require internet access, it goes via the firewall out to the internet. So all the outbound traffic filtering happens there. For the inbound incoming requests, a web application firewall helps with controlling the incoming requests. And we are talking about container workloads here and scanning of images is very important. So the Azure Container Registry, or key registry, lets you scan images and find any vulnerabilities that it might have. For storing all the sensitive data as encrypted secrets, you could use Azure Key Vault. So it's one of the solutions that can integrate with ARO.
Kevin Harris (05:25):
Excellent. Next section is operational management and baseline. When I think of this, I think of well-architected framework in the context of Azure and operational excellence. It's one of the first things we think about in there: we think about Azure Monitor.
How to use Azure Monitor
(05:46)
The idea behind Azure Monitor: this is a way to collect logs, it's a way to collect metrics from your hub, as well as your spoke. And now I've got a centralized place to be able to search metrics and search logs. The other key thing I think about for operational excellence is backup. I might have some "stateful" workloads inside ARO, or maybe I've got some databases essentially in this particular landing zone. I wanna make sure those are backed up and I've got a whole business continuity and disaster recovery strategy around that. I also need to think about deploying my actual workloads. So in that kind of context, I think of Pipelines and GitOps. So Pipelines is a traditional push model. GitOps essentially is more of a pull. There's a couple different options for what's in ARO and what's inside Azure. So those are again, some decisions to make in terms of how to deploy those different pieces.
Aneesh AR (06:30):
So the deployment option section in Landing Zone covers the platform automation possibilities when it comes to infrastructure and applications in ARO. We spoke about OpenShift Pipelines and GitOps for all your CI/CD needs and you can use Azure DevOps or any tooling that your organization might be using. When it comes to infrastructure as code, you can use tools like Terraform, Red Hat® Ansible® Automation Platform, or Bicep to spin up your ARO cluster and the Landing Zone components. So these are some of the basic design considerations when it comes to ARO Landing Zone. Now that we've covered some of the key design decisions around ARO Landing Zone, the next question that I get is: is it rigid and fixed or is it customizable?
Customization with Azure Red Hat OpenShift Landing Zone
Kevin Harris (07:21):
I think the key thing is that what we just went through is all the design decisions. They're decisions that are made and they need to fit your organization's needs. So you look at your culture, you look at your people, you look at your process, and you fit those needs to your organization. So in short order, it's a template to start, but you can change it and customize it to your needs.
Aneesh AR (07:40):
Alright, today we've covered several aspects of the design considerations on ARO Landing Zone. So if a user wants to try this all out, where do they start?
Kevin Harris (07:50):
Yeah, we've got a getting started link down in the description for this video. At that link, you'll find a couple different resources. You'll find some guidance around our cloud adoption framework in general that Aneesh talked about. You'll have an ARO-specific landing zone talking through those design decisions. There's also a corresponding GitHub repo so I can look at templates. Again, those are the starter templates we just talked about that I can use to start, and I can customize on top to meet my organization's needs. If you'd like to learn more about Azure Red Hat OpenShift and how it can help you scale to meet your critical business needs, please check out the other videos in this series. Thanks.