One-click disaster recovery of applications using Azure Site Recovery

Disaster recovery is not only about replicating your virtual machines but also about the end to end application recovery that is tested multiple times, error free, and stress free when disaster strikes.

Automate most recovery tasks to reduce RTO

Recovering large applications can be a complex task. It can be difficult to remember the exact customisation steps post failover. Sometimes, it is not you, but someone else who is unaware of the application intricacies, who needs to trigger the failover. Remembering too many manual steps in a disaster recovery scenario is difficult and error prone.

A recovery plan gives you a way to automate the required actions you need to take at every step, by using Microsoft Azure Automation runbooks. With runbooks, you can automate common recovery tasks like the examples given below. For those tasks that cannot be automated, recovery plans also provide you the ability to insert manual actions.

  • Tasks on the Azure virtual machine post failover – these are required typically so that you can connect to the virtual machine, for example:
    • Create a public IP on the virtual machine post failover
    • Assign an NSG to the failed over virtual machine’s NIC
    • Add a load balancer to an availability set
  • Tasks inside the virtual machine post failover – these reconfigure the application so that it continues to work correctly in the new environment, for example:
    • Modify the database connection string inside the virtual machine
    • Change web server configuration/rules

For many common tasks, you can use a single runbook and pass parameters to it for each recovery plan so that one runbook can serve all your applications.

Real-world example – WordPress disaster recovery solution

Watch a quick video of a two-tier WordPress application failover to Microsoft Azure and see the recovery plan with automation scripts, and its test failover in action using Azure Site Recovery.

  • The WordPress deployment consists of one MySQL virtual machine and one frontend virtual machine with Apache web server, listening on port 80.
  • WordPress deployed on the Apache web server is configured to communicate with MySQL via the IP address 10.150.1.40.
  • Upon test failover, the WordPress configuration needs to be changed to communicate with MySQL on the failover IP address 10.1.6.4. To ensure that MySQL acquires the same IP address every time on failover, we will configure the virtual machine properties to have a preferred IP address set to 10.1.6.4.
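The in-VM reconfiguration step for this WordPress scenario could look like the following. This is an added example, not code from the article or from Microsoft: the function name, the handling of `wp-config.php` and the sample file are assumptions, and only the two IP addresses come from the text above.

```python
import os
import re
import tempfile

PRIMARY_DB = "10.150.1.40"   # MySQL address before failover (from the article)
FAILOVER_DB = "10.1.6.4"     # preferred IP of the failed-over MySQL VM (from the article)

# Matches define('DB_HOST', 'host[:port]'); with either quote style.
DB_HOST_RE = re.compile(
    r"""define\(\s*['"]DB_HOST['"]\s*,\s*['"]([^'":]+)(?::\d+)?['"]\s*\)\s*;"""
)

def repoint_db_host(config_path, old=PRIMARY_DB, new=FAILOVER_DB):
    """Point DB_HOST at the failover address; returns 'changed' or 'unchanged'.
    Raises ValueError when DB_HOST is missing or unexpected, so the failover
    step stops instead of rewriting a config it does not recognise."""
    with open(config_path, encoding="utf-8") as fh:
        text = fh.read()
    match = DB_HOST_RE.search(text)
    if match is None:
        raise ValueError("no DB_HOST define found")
    current = match.group(1)
    if current == new:
        return "unchanged"   # idempotent: safe on repeated test failovers
    if current != old:
        raise ValueError(f"unexpected DB_HOST {current!r}")
    updated = text[:match.start(1)] + new + text[match.end(1):]
    mode = os.stat(config_path).st_mode & 0o777
    # Write a sibling temp file, then rename over the original atomically.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(config_path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(updated)
        os.chmod(tmp, mode)  # the file holds DB credentials: keep its mode
        os.replace(tmp, config_path)
    except BaseException:
        os.unlink(tmp)
        raise
    return "changed"

# Constructed sample config, used only by the demo below.
SAMPLE = "<?php\ndefine('DB_NAME', 'wordpress');\ndefine('DB_HOST', '10.150.1.40:3306');\n"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "wp-config.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        print(repoint_db_host(path))
```

The rename replaces the file with one owned by the account running the script, so run it as the account that already owns `wp-config.php`.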

The following video has been created by Microsoft – Channel 9.

When disaster recovery needs to be invoked, you need to ensure that you are able to successfully recover those applications in a timely manner. Azure Site Recovery provides a platform that not only enables tier-1 applications to have a business continuity plan, but also offers a compelling solution that empowers an organisation to set up a working end-to-end disaster recovery plan for 100% of your organisation’s IT applications.

You can use the powerful replication capabilities of Azure Site Recovery for 31 days at no charge for every new physical server or virtual machine that you replicate, whether it is running on VMware or Hyper-V. For more information, please review the additional product information, and if you would like to learn more about Azure Site Recovery and how it can help your business, please contact us using the form below.


CoreAzure and Vuzion announce CSP partnership

CoreAzure are delighted to announce a new partnership with Vuzion to become a tier-two Cloud Solution Provider (CSP). The partnership will enhance our capability to offer Microsoft solutions and services to our customers in the public sector, including discounted pricing, and enhanced managed service capabilities.

Microsoft created CSP indirect partners with the aim of strengthening the partner customer relationship, and with a specific objective of making it easier for customers to purchase the solutions and services they need through enabling them to build a long-lasting relationship with a partner they can trust.

CSP partners commit to providing a high-quality service, to bring their own value and services to final solutions, and provide efficient and accurate billing along with expert customer support.

Charlie La Foret, Pre-Sales Consultant at CoreAzure, says: “We are looking forward to passing on the benefits of becoming a CSP to our existing and prospective public and private sector clients, in particular helping them to realise the full potential of the Azure platform.”

Julian Dyer, Vuzion CTO, says: “CoreAzure has an excellent reputation as an established provider of Microsoft Cloud services. The partnership with Vuzion will help strengthen our respective services and bring value to Microsoft customers.

“For Vuzion, CoreAzure’s skills and expertise represent a valuable addition to our partner ecosystem, and we’re very pleased to welcome them on board.”

About CoreAzure:

CoreAzure are leaders in the Microsoft technology stack, specialising in Microsoft Azure, with an ability to maximise our client’s investment in Microsoft technology whilst supporting their vision to adopt cloud. We believe that technology needs to align with business vision, and aim to be the partner that always goes that extra mile. Our customers see us as the “go-to experts” when it comes to Microsoft technology, and time and again we prove to them that our knowledge, skills and experience are second to none.

About Vuzion:

Vuzion is an innovative cloud aggregator born from Cobweb, the number one independent cloud hosting provider in Europe that has been liberating technology since 1996. We strive to deliver the best hand picked cloud solutions through our one-of-a-kind partner ecosystem and reach our mission, to future proof business.

For more information, please contact:

Charlie La Foret

07557372803

charlie.laforet@coreazure.com

How to address the 14 UK Cloud Security Principles – Using Microsoft Azure

The National Cyber Security Centre (NCSC) is the UK’s authority on cyber security.

In its publication “Implementing the Cloud Security Principles,”  it lays out the 14 security principles that organisations should use when evaluating cloud services, and which cloud service providers should consider when offering those services to government customers (referred to as “consumers” in the principles).

The 14 principles are aligned with ISO 27001, an auditable, international, information security management standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO 27001 formally defines requirements for a complete ISMS to help protect and secure an organisation’s data.

The principles defined by NCSC are:

  1. Data in transit protection. Consumer data transiting networks should be adequately protected
    against tampering and eavesdropping via a combination of network protection and encryption.
  2. Asset protection and resilience. Consumer data, and the assets that store or process it, should be
    protected against physical tampering, loss, damage, and seizure.
  3. Separation between consumers. Separation should exist between different consumers of the
    service to prevent one malicious or compromised consumer from affecting the service or data of
    another.
  4. Governance framework. The service provider should have a security governance framework that
    coordinates and directs their overall approach to the management of the service and information
    within it.
  5. Operational security. The service provider should have processes and procedures in place to
    ensure the operational security of the service.
  6. Personnel security. Service provider staff should be subject to personnel security screening and
    security education appropriate for their role.
  7. Secure development. Services should be designed and developed to identify and mitigate threats
    to their security.
  8. Supply chain security. The service provider should ensure that its supply chain satisfactorily
    supports all of the security principles that the service claims to implement.
  9. Secure consumer management. Consumers should be provided with the tools required to help
    them securely manage their service.
  10. Identity and authentication. Access to all service interfaces (for consumers and providers) should
    be limited to authenticated and authorised individuals.
  11. External interface protection. All external or less trusted interfaces of the service should be
    identified and have appropriate protections to defend against attacks through them.
  12. Secure service administration. The methods used by the service provider’s administrators to
    manage the operational service should be designed to mitigate any risk of exploitation that could
    undermine the security of the service.
  13. Audit information provision to consumers. Consumers should be provided with the audit records
    they need to monitor access to their service and the data held within it.
  14. Secure use of the service by the consumer. Consumers have certain responsibilities when using a
    cloud service in order for this use to remain secure, and for their data to be adequately protected.

To help find a way through the principles, Microsoft have released a number of Azure Blueprints, enabling the UK public sector to review and understand how solutions built on Azure can implement the 14 individual Cloud Security Principles supporting workloads with information designated as UK OFFICIAL level. The Azure Blueprint outlines how Azure implements security controls designed to satisfy each security principle and assists customers in understanding how they may implement safeguards within their Azure solution to fulfil the requirements of each principle where they hold a responsibility.

As an example, an Azure Virtual Network (VNet) allows full control of security policies and routing within virtual network architectures through deployment and configuration of subnets, network security groups, and user defined routes. Network security groups can be applied to subnets or individual machines, logically separating resources by workload, based on a multi-tier architecture, or for any other purpose.

In the reference architecture below, resources are grouped in separate subnets for the web, business, and data tiers, and subnets for Active Directory resources and management. Network security groups are applied to each subnet to restrict network traffic within the virtual network.

Network security groups can be applied to outgoing communications from subnets and virtual machines. This allows full control over communication between information system components in Azure and external information systems.  Network security group rule processing is implemented as a deny-all, permit-by-exception function. Further, user defined routes can be configured to route both incoming and outgoing communications from specific subnets and virtual machines through a virtual appliance such as a firewall or IDS/IPS, further managing system communications.

The reference architecture above demonstrates how Azure resources can be logically grouped into separate subnets with network security group rulesets applied to ensure that security functions and non-security functions are isolated. In this case, the three web-application tiers are isolated from the Active Directory subnet as well as the management subnet, which may host information system and security management tools and resources.

The reference architecture also implements managed access control points for remote access to the information system.  An Internet-facing load balancer is deployed to distribute incoming Internet traffic to the web application, and the management subnet includes a jumpbox, or bastion host, through which all management-related remote access to the system is controlled. Network security groups restrict traffic within the virtual network ensuring external traffic is only routed to designated public-facing resources.

Network security groups allow full control of communications between Azure resources and external host and systems, as well as between internal subnets and hosts, separating information system components that are designated publicly accessible and those that are not. In addition to the solutions in the reference architecture above, Azure enables deployment of virtual appliances, such as firewall and IDS/IPS solutions which, when used in conjunction with user defined routes, further secure and manage connections between Azure resources and external networks and information systems.

Rulesets for network security groups enable restrictions on specific network ports and protocols, which is a key component of ensuring that information systems are implemented in a manner that provides only essential capabilities.
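The rule processing described above can be modelled in a few lines to check a tier's ruleset before deploying it. This is an added example, not part of the blueprint or of Azure's own tooling: the address ranges, port and custom rule names are constructed, and the `VirtualNetwork` tag is simplified to a single address space. It also shows that the built-in `AllowVnetInBound` rule permits subnet-to-subnet traffic until a custom deny rule overrides it.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first
    name: str
    source: str     # CIDR, service tag or "*"
    port: str       # destination port or "*"
    access: str     # "Allow" or "Deny"

VNET = ipaddress.ip_network("10.0.0.0/16")  # constructed address space
# Constructed subnet for the business tier; the web tier is 10.0.1.0/24 here.
BUSINESS = "10.0.2.0/24"

# Inbound rules Azure adds to every NSG; they can be overridden, not deleted.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "Deny"),
]

def source_matches(rule_source, src_ip):
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return src_ip in VNET   # simplification: the real tag covers more
    if rule_source == "AzureLoadBalancer":
        return False            # platform probe source, not modelled here
    return src_ip in ipaddress.ip_network(rule_source)

def evaluate_inbound(custom_rules, src, port):
    """Return (access, rule name) of the first matching rule in priority order."""
    src_ip = ipaddress.ip_address(src)
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if source_matches(rule.source, src_ip) and rule.port in ("*", str(port)):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")

# Data-tier NSG (constructed): only the business tier may reach port 1433.
DATA_TIER_NSG = [
    Rule(100, "AllowSqlFromBusiness", BUSINESS, "1433", "Allow"),
    Rule(4000, "DenyVnetInBound", "VirtualNetwork", "*", "Deny"),
]

if __name__ == "__main__":
    for nsg in ([], DATA_TIER_NSG):
        print(evaluate_inbound(nsg, "10.0.1.5", 1433))  # web tier to data tier
```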

Whilst this is just one example, there are lots of built-in features that can help organisations meet their security control compliance requirements to take full advantage of the security features offered by Azure. The 14 Cloud Security Controls for the UK cloud whitepaper provides insight into how Azure services align with the fourteen cloud security principles set forth in the NCSC publication Implementing the Cloud Security Principles.

If you would like to discuss how CoreAzure can help you take full advantage of the security features offered by Azure, then please get in touch with us using the form below.
