Azure Migrate Identity Networking Connectivity

From Rack to Cloud: Part 4 – Bridging the Worlds: Networking and Identity in Azure

How to ensure secure and seamless connections in a hybrid setup

Opening

As you navigate the journey to the cloud, you’ll often face a tug-of-war between what stays on-prem and what shifts to Azure. Balancing these demands makes the integrity of your networking and identity systems paramount.

In this post, we’ll uncover the best practices for hybrid connectivity and identity management, with insights from our ongoing migration story of a Sydney-based not-for-profit transitioning 300 VMs within a tight deadline.

Networking in a Hybrid Environment

When organisations transition to Azure, two primary networking models often come into play: Hybrid networking and cloud-only networking.

Key Connectivity Options

  1. VPN Gateway: Connecting Securely

    • Connects your on-premises network securely to Azure via Site-to-Site VPN.
    • Best for workloads needing an extended environment without incurring high costs.
    • Ideal Use Case: Temporary setups during migrations or infrequent workloads.

  2. ExpressRoute: For the Heavy Lifters

    • A dedicated, private connection to Azure that bypasses the public internet for added reliability and performance.
    • Ideal Use Case: Consistent high-throughput workloads, like data transfer-heavy applications.

  3. Azure Virtual WAN: Comprehensive Networking

    • Centralises network resources like VPNs, ExpressRoute, and Azure Firewall in a single framework.
    • Useful for enterprises with many geographic locations or branch offices.

Network Security Considerations

  • Ensure NSGs (Network Security Groups) are properly configured to allow necessary traffic while blocking unwanted exposure.
  • Centralising your connectivity for inbound and outbound by utilising an Azure Firewall or Network Virtual Appliance (NVA) Firewall will provide you with more insight and logging capabilities
🍺
Brewed Insight: In 2025, Internet Direct for Azure IaaS Virtual Machines will be discontinued. Ensure you deploy either an Azure Network Address Translation (NAT) Gateway, an Azure Firewall or Network Virtual Appliance (NVA) firewall solution to maintain connectivity.

Implementing Networking: A Real-World Example

For our not-for-profit organisation:

  • They opted for Site-to-Site VPN during the migration due to its speed and low initial cost.
  • Once more cloud resources were assessed, they could evaluate the need for ExpressRoute for data-heavy processing applications, ensuring secure real-time connections with lower latency.
  • They had an on-prem Fortigate Firewall after reviewing the Azure Firewall functionality they decided to go with Azure Firewall Premium for the cloud.

Identity Management in Azure

With networking sorted, you can’t neglect identity. Entra ID (Formerly Azure Active Directory) is the backbone of identity management in a hybrid environment.

Key Components of Identity Management in Azure

  1. Single Sign-On (SSO) with Entra ID

    • Enable SSO to help users access both on-prem and cloud applications without repeated logins. This reduces friction and improves overall experience.

  2. Conditional Access Policies for Security

    • Set policies that allow administrators to enforce restrictions based on user location, device compliance, or risk level, ensuring only the right users access sensitive applications.

  3. Real-Time Vulnerability Detection with Identity Protection

    • Use Entra ID Identity Protection to detect vulnerabilities and respond in real-time, protecting your organisation from potential threats.

Implementing Identity: Approach of our NFP

In practice for our not-for-profit, they already had Entra Connect running for M365 Services from their existing Active Directory (AD):

  • All users were synchronised to ensure no service disruptions during the cloud transition.
  • Policies were set up so staff accessing sensitive systems from outside the corporate office were prompted for MFA (Multi-Factor Authentication).
  • Active Directory still required as legacy applications still dependant on AD Authentication

Gotchas & Edge Cases

  • Cost Awareness: Be aware of ExpressRoute costs. This choice might be ideal, but budget impacts must align with operational needs.
  • Overlapping IP Spaces: Ensure both on-prem and Azure have non-overlapping IP ranges to avoid routing issues.
  • DNS Configuration: Mixed environments may require both Azure and on-prem DNS strategies. Test resolution paths before cutover.
  • User Experience: Users may face confusion if they aren’t adequately trained on new SSO practices or if some applications haven’t fully transitioned to the cloud identity model.
  • Potential Latency Issues: Hybrid configurations may create a performance latency if not properly architected, especially during peak usage times.
  • Insufficient Bandwidth: Lack of adequate bandwidth may hamper data-intensive applications during peak loads, especially when connecting Azure services with on-premises infrastructure.
  • Compliance Gaps: Hybrid setups must adhere to organisational and regulatory standards that might shift throughout a cloud transition. Regular audits can help ensure ongoing compliance.

Best Practices

  • Use Azure Monitor and Network Watcher to keep an eye on traffic flows and potential bottlenecks.
  • Regularly review and adjust network security rules and identity policies as new resources are added.
  • Validate connectivity paths before actual cutovers to identify potential issues.
  • Create clear documentation and runbooks for ongoing operations under the new hybrid model.

Brewed Take ☕

🍺
Brewed Insight:

In hybrid cloud environments, networking and identity are not mere technical details — they are the lifeblood of seamless operations.

Smart integrations between Azure and on-premises systems fortify your infrastructure. Neglect them, and your migration efforts could stumble over easily avoidable hurdles.

Learn More