Azure, a Safe Innovation Environment

Microsoft Azure allow segmentation of applications, their tiers and the respective staging environments using the controls already built into Azure. Segmentation can be achieved at both network and user access level in Azure.

Segmentation is introduced for the following primary reasons-
Security
Performance
Deployment/Releases Management
Isolated/Safe Innovation Environment

Security
To secure the platforms/applications it is important to-
Separate the application tiers in different Azure virtual network subnets with NSG (Network Security Group/Firewall).
This helps mitigating breach impact as only a limited access is provided to the layer down the stack. Also, it provides a safe container for the components within a tier/subnet to interact with each other, for example a SQL/MongoDB cluster.

User Defined Routes (UDR) in Azure can enforce traffic to route via a virtual intrusion detection appliance for enhanced security.

Employ the principle of least privilege (POLP) using Azure ARM.
This helps ensuring only a minimum required access is provided to the users for supporting the application/platform. For example, only infosec team will have access to manage the credentials, applications will only have read access and will not store credentials on the file system at any time. This also limits the impact of breach in any tier.

Performance
To ensure each application tiers individually and the application themselves provide a guaranteed performance and quality of service (QoS), it’s important to-
Implement SoC (Separation of Concerns) principle and avoid mixing different workloads on the same tier/VM.
Understand disk IOPS thresholds and segment the storage accounts accordingly.
Understand networking/bandwidth thresholds and separate production traffic from dev\test to maintain network QoS.

Deployment/Release Management
Azure fully supports agile methodology natively including the concepts of continuous integration/deployment, blue-green deployments , A/B testing and Canary Releases. By clearly segmenting and demarcating the boundaries of the services\APIs and their environments, following microservices principles, we can deploy and upgrade the services with minimal impact on the platform. Azure natively support microservices architecture and provides a fully managed platform for running a highly sophisticated microservices (ServiceFabric) in cloud.

Isolated/Safe Innovation Environment
To ensure developers, testers and release management teams get a secure environment to deploy applications and platform, it’s important to implement the above mentioned security concepts i.e. NSG, UDR, ARM RBAC/Policies. A well designed environment provides developers a safe environment to try out new technologies without any hindrance to continue to innovate and deliver business value.

Segmentation