This session, oriented on governance and strategy, unveil you the challenges we have encountered and the solutions we've applied to succeed in onboarding one of the most important public companies in France to the Azure Cloud. Real life customer feedback and insights here.

1. Architecture technique
Onboarding a Historical Company
on the Cloud Journey

3. This is the story of a journey.
The journey of a long run voyager.
It has started a few hours ago* and it’s still running.
The view is… cloudy, but so interesting.
Away, the horizon line looks bright and sunny.
I was there, accompanying the voyager on its way.
I am here, telling you the story.
* on the technological eve scale

4. Introduction

5. Cellenza, recognized experts
14
Azure
.NET
ALM
SQL Server
Windows Client
1 4
Publications and actions :
• White Papers (Cell’Insights) : http://www.cellenza.com/cellinsights
• Articles in Programmez!
• Cellenza Blog : http://blog.cellenza.com
• TechEvents and community meetups
• Speakers : TechDays / MS Expériences, Azure Camp…

6. A few of our customers

7. Marius Zaharia
Marius Zaharia
http://blog.lecampusazure.net
@LeCampusAzure
marius.zaharia@cellenza.com
At the start of cloud computing at the end of the
first decade, Marius Zaharia - currently Cloud
Technical Manager at Cellenza - saw the enormous
potential of this technology, especially that of
Microsoft Azure.
Since then, his focus has been on setting up cloud
architectures and their corporate governance.
Marius has gained both professional developer and
infrastructure engineer experience, which allows him to
have a complementary approach and broad coverage
of project needs.
Passionate about the cloud, he is also an active
contributor to the Azure User Group France
community, organizer of community events and
speaker at local and international conferences.

8. The (Hi)story

9. The Story of a Customer
• Our Customer : a strategic actor of the public
transportation sector in France
• Established public company in France for ages
• Large national coverage
• At the root of most of the transportation networks in
France
• Now part of a consolidated group of companies
(thereby called The Group)

10. The Customer’s IT system
• The Customer’s IT system
• Large number of business or technical applications
• Includes many professions, mostly IT professional oriented
• Outsourcing different tasks
• managed services, operations, production, expertize, or
consulting
• Some services of the organization:
• Engineering Operations and Service (EOS)
• Technical Architecture (TA)
• Networking (NE)
• The Innovation Pole (IP)
• Information Security Service (ISS)
• Production Service Center
• Build Delivery Center…

11. The Customer’s Infrastructure
• Owns a number of Data Centers
• Two main regions (Lyon, Lille)
• Customer’s and Group’s
infrastructure networks got
interconnected
• However, various elements of the
infrastructure are different
• Also, there are differences in
governance and procedures
• Very important security concerns
and restrictions

12. The Challenge

13. The Challenge
• The Customer needs to encourage and
accelerate the pace of innovation via
experiments
• The projects want to move on the IT
infrastructure in a timely matter
• The actual internal (IS) and Group
organization and culture are not « agile »
enough for :
• More and more Innovation coming
• Time to Market and Cost Effective delivery

14. The Approach

15. When the Cloud Comes into the Picture
• Looking closely to the advancements of the
main actors in the public Cloud : Microsoft
Azure, Amazon AWS
• It seems that the Cloud may be the gate
• « Let’s try and see how it works and how it
could help us »
• Key factors :
• Onboard the Information Security Service (ISS)
team from the very beginning
• Openness of the CIO

16. The Steps
(and Other
Challenges)

17. Opening Azure
• Azure subscription contracted
• At the Group level
• Used first by ISS team (fall 2016)
• Several basic deployments were made, and a site-to-site
VPN connection was tempted
• The first learnings :
• some projects interconnected with the SI
• others separated/isolated from it
• Then, the advancements and works slowed down
• Also, the VPN was malfunctioning
Note: the Group also
moved on Azure.
An ExpressRoute
connection was setup
at that level.

18. New Challenges
• How to fix the VPN, first ?
• How to organize and classify projects and environments ?
• How to protect our IS while being open to experiment ?
• How to give amplitude to the works in the Cloud ?

19. Moving to a Real Team
• The EOS engaged to initiate a dedicated Azure team
• Team directly attached to the chief of Technical Architecture
• The Azure Team will be the « the armed arm » of the Innovation Pole
• 2 people, Azure experts, with knowledge in infrastructure,
networking, security, and governance
• Not an easy task, but people were found - at

20. The First Real Works
• First thing first: the VPN was fixed
• Dead Peer Detection set at 10s in local Juniper
appliance
• Second thing : « security hole » detected (and solved)
• Force Tunelling setup missing in configuration
• Results:
• The team gains the Customer’s confidence
• The Networking team is also very cooperative
Azure VPN Gateway

21. New Challenge (and solution)
• The Customer envisions moving on in the Cloud
and eventually targeting production workloads
• Blocker : the Group strategy is not yet in phase
with the Customer’s one regarding the Cloud
• The Group warns about production responsability in
the cloud
• Result: agreement on an « experiment oriented »
scope for the Customer’s Cloud works

22. New Challenge (and Solution)
• VNET w/ VPN : all traffic in Azure has now to be
monitored and configured in local appliances
• The actual process of configuring the rules for projects
takes days or weeks
• Solution: a set of 2 Network Virtual Appliances
(Palo Alto) was configured and implemented in
Azure
• Routing, detecting and filtering traffic
• Configuration of the rules directly implemented by the
Azure team jointly with the ISS

23. More and More Steps
• A first draft of governance and management rules is defined
• The team is now ready to receive projects
• First internal communication (limited at this stage)
• First projects coming quickly
• The interest for the team’s services increases rapidly
• The team is reinforced on engineering and project
management sides
• ….

24. The Result
[As Of Today]

25. Results : A Platform for
Innovation
Experimentations
•Containers
•Appliances
•DB on PaaS
•File Sharing
•…
Projects
Deployed
and Run
A technological
advancement
•Driving IT innovation
•Positioning within the Group

26. Projects Typology and Requirements
1. VM hosting (a lot)
2. Simple projects (less)
• Azure infrastructure
• Software installation
3. Complex projects (a few)
• Azure infrastructure
• Software installation
• App deployment and configuration
• OS :
• Windows (WS 2012 R2)
• Linux (Ubuntu)
• Containers (Ubuntu)
• Platforms: ASP.NET, Java,
SQL Server, PostGreSQL,
PHP, MySQL, …
• Apps & software:
Tomcat, WordPress,
Jupyter, HDInsight,
Kuberntes, Ckan,
ngnix,Traefic, Faveod, …

27. How All This
Works

28. Platform Overview
Zones
1. Intranet
• for applications willing to connect
with the core IT system
• Azure outbound to internet
controlled and opened on case by
case basis
2. Internet
• for applications not connected
with the core IT system
• for low level classified data
Connectivity, networking,
securization
• Intranet
• Main VNET interconnected with the core
IT system via IPSEC VPN
• 1 mutualized subnet (for single VMs)
• VNETs peered with a main
• secured by 2 Palo Alto NVAs
• Internet
• Isolated from each other
• VNETs dedicated to each project
• RDP/SSH via jump VMs in Intranet

29. Intranet Zone – Base Infrastructure

30. Our « Service Catalog »
• Core services
• VMs (in mutualized infrastructure)
• Environment setup (VMs / software / networking / routing / …)
• Deployment (Azure provisioning and deployment; OS/container image build;)
• Governance : Backup, Log Analytics
• Mediation for « third party » services
• DNS (records in our dedicated zone : *.exp.xxx.yyyy.fr) : mediate requests to the DNS
owner service
• Certificates (corresponding to the records above) : mediate requests to the SSI
service
• Other services
• « Consulting » : application architecture

31. Industrialization
• ARM templates
• adapt then reuse quick start templates
• use of linked templates working model
• standardize and reuse of linked
templates among projects
• Packer
• standardize OS images
• CI/CD with VSTS
• Build of OS or container images
• Deployment of containers
Packer JSON example, as stored in VSTS

32. Azure Services Used
• Azure Resource Manager
• Azure VMs
• several sizes used intensively (D_v2)
• Networking: VNET, Network
Security Groups, User Defined
Routes
• Intranet zone: all default routing
overrided
• Containers: Azure Container
Service, Azure Container Registry
• 1 cluster Kubernetes for a big
project
• Network Virtual Appliances: Palo
Alto (licence PAYG)
• Azure AD
• directory synchronized at the Group Level
• Azure Backup
• Log Analytics
• App Service Domains
• Azure DNS
• Azure Automation
• Currently experimenting:
• PaaS: SQL Database, Database for PostGreSQL
• Azure File Share, Azure File Sync
• Other : Packer, for OS Imaging

33. Governance : Project Onboarding and Management
• Prerequisites
• security pre-qualification (data
classification, flows, …)
• technical architecture document (DAT)
required if complex project
• PROCESS
• Onboarding
• gather requirements
• elaboration
• « official response »
• Implementation
• per segment : provision, configure, build,
deploy, request third party services, aggregate
response
• delivery
• Lifecycle monitoring
• Unprovisioning
Project Onboarding Process

34. Governance
• Platform evolution
• Updates, patches
• Complimentary services
• New services added
• Tooling usage
• VSTS
• Work, Build, Release
• Planner
• Dashboard
• O365 Group
• SharePoint
• Excel
• DevOps
• Used internally for own
processes

35. Team Organization
• TEAM « EXPerimentation Projects on Azure » (EXP Azure)
• Team formed of :
• 1 Team Lead / Azure Expert
• 1 Project Manager (infrastructure integrator)
• 1 Infrastructure Architect / Azure Expert
• 1 System Engineer
• Associated :
• 1 Security Expert from ISS
• 1 Technical Architect from EOS

36. Agility
• Scrum methodology,
adapted
• Tooling : VSTS
• 2 weeks sprints
• 2 « epics » :
• projects
• platform governance and
evolution
• Features = Projects
• Product backlog items
• Tasks Scrum management in Visual Studio Team Services

37. The Next Steps
[Of Tomorrow]

38. Moving to a new, larger team and scope
• A new team structure is built on top
• Will include roles:
• Service Catalog Owner
• Cloud Operations Engineer
• Cloud QA Lead
• Will expand work force on existing
• System Engineer
• Cloud Architect
• More integration with existing IT
services (build, production)
• More responsibilities
• More projects onboarding
• More production oriented
• Richer Cloud offering
• More services delivered
• Identity and Authentication
• DNS ownership
• More PaaS, Serverless, …

39. Synergy with the Group
• The synergy with the Group will be essential and strategical
• Azure Production workloads to be pushed to the Group Managed
Services and Operations
• Keep Experiments responsibility and autonomy
• Integrate with ExpressRoute infrastructure
• Deploy projects with a faster interaction with the core IT system
• Share more of our knowledge
• Our technological advance may influence decisions and choices at the
group level

40. Difussion : Culture of Cloud and Agility
• The results of the EXP Azure team are
progressively diffused in the
organization
• The DevOps and automation practices
applied internally are also propagated
• The Agile process shows to other teams
a much faster delivery process
• The other teams will start integrating
some of EXP Azure experiences

41. Conclusion

42. The Cloud
The Cloud
…is not (anymore) a tabou subject
even in the public sector
…proves to be a strong
innovation driver
…may be the way of developing
DevOps and Agility adoption

43. Our role in the success of our customers
There is no success in the Cloud :
• Without a strong technical competency
• Without the maturity and experience
• Without a Team
Here is where we come in the play.

44. Thank you,
• Picture references
• NG/MATTHEW G. WHEELER, VIA RAIL CANADA
• GLACIERBAYALASKA.COM
• PINTEREST
• IBC SYSTEMS
• CIO.COM
• SNCF
• SNCF RÉSEAU
• TRACKINTELLIGENCE.COM
• SHUTTERSTOCK
• PIXABAY
• CHILDREN’S MINISTRY LEADER
• WIKIPEDIA