Rethinking AWS and Azure CloudOps for Digital Acceleration at Scale Bruno Amaro Almeida November 2022 Photo by Mark Fletcher-Brown on Unsplash
A presentation at IDC Future of Infrastructure Finland 2022 in November 2022 in Helsinki, Finland by Bruno Amaro Almeida
Hello! About me
• Head of Technology & Architecture at Fortum
• Independent Advisor / Architect Consultant
Bruno Amaro Almeida, brunoamaro.com. Reach out on: @bruno_amaro, @brunoamaroalmeida
Fortum Digital Development (spanning Enterprise … Startups):
• Energy Optimization, Sustainability, Electric Mobility
• Generation, Trading and Asset Optimization
• District Heating, Recycling & Waste
• Consumer Solutions
Once Upon A Time… (Part I)
Org chart slide: CIO Office (IAM, Security, Infrastructure, Network) serving 100% of employees; Core IT Applications hosted in the Datacenter.
• CapEx > OpEx
• Better capacity planning
• Speed & Agility
• Focus on the Business (not on Datacenters)
Part II
Org chart slide: CTO Office (Developers, QA), CDO Office (Data Mgmt, BI & Analytics, Digital Development) and CIO Office (IAM, Security, Network, Infrastructure, Datacenter with Core IT Applications); employee shares shown as 10%, 40% and 50%.
• CapEx ↓ OpEx ↑
• New competence centers emerge ☺
• Digital Enablement, R&D & Innovation Projects ↑
• CIO office is struggling to cope with service requests ☹
Part III
Org chart slide: CTO / CDO Office (Developers, QA, DevOps, Data Mgmt, BI & Analytics, Data Eng., Data Science, Digital Development), Core IT Applications, and CIO Office (IAM, Security, Network, Infrastructure, Datacenter); employee shares shown as 60%, 30% and 10%.
• Decentralized IT
• Advanced and Complex Digital Solutions ☺
• Bottlenecks, Lack of Context & Tickets ↑ ↑ ↑
• Shadow IT and Fragmented Governance 👀
Cloud Operating Model for Digital Acceleration
Diagram slide with two layers:
• Business: Core IT (App A, App B, App C; IT Service Owners) and Digital Development (Service X, Product X, Experiment X; AI & Data Team, DevOps Team, I&V Team)
• Platform Products, Services & Competences: IT Operations, Fin & Cost Management, Security, Data Platforms, IAM, Network, Platform Engineering, APIs & Integration
“A digital platform is a foundation of self-service APIs, tools, services, knowledge and support which are arranged as a compelling internal product.” Evan Bottcher, https://martinfowler.com/articles/talk-about-platforms.html
Connecting the dots with Backstage.io
• Tech Radars
• Builders Library and Templates
• Digital Development Handbook
• Core IT Handbook
• API Catalog
• Digital Project Catalog & Discovery
• Metrics (e.g. DORA, SLAs, SLOs)
• Self-service Cloud & Tools Provisioning
• …
“Product” based Cloud Operating Models
Personal Sandbox (Temporary): for temporary usage (e.g. learning)
• Expires after N days
• Limited budget (e.g. 500 EUR)
• No network connectivity to other environments
• No confidential or secret data storage
Managed Cloud (Standard): for Core IT Application hosting
• Standard workload (e.g. managed instance/container + database)
• Network connectivity across multiple environments is possible by default
• Internet access (in & out) restricted
Self Managed Cloud (Dev, Staging, Production): for Digital Development Teams
• SW teams with end-to-end ownership
• Flexible and complex architectures with several managed services (e.g. event-driven, microservices, etc.)
• Network isolation by default; Internet access adjustable
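The four Personal Sandbox rules above are the kind of guardrail a platform team wants to verify continuously rather than trust on paper. The script below is an added example, not code from the presentation or from Fortum: it encodes those four rules and runs them over a constructed account inventory. The field names, the choice of N = 30 days for expiry, and the inventory records are assumptions; in practice the records would come from the cloud provider's APIs or a CMDB export.

```python
"""Guardrail audit for the 'Personal Sandbox' cloud product.

Added example, not code from the presentation. Encodes the sandbox rules
(expires after N days, limited budget, no network connectivity to other
environments, no confidential or secret data) and evaluates them over a
constructed inventory. Field names and N = 30 days are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

SANDBOX_MAX_AGE_DAYS = 30                      # "expires after N days": N chosen here
SANDBOX_BUDGET_EUR = 500.0                     # "limited budget (e.g. 500 EUR)"
ALLOWED_DATA_CLASSES = {"public", "internal"}  # everything else counts as confidential/secret


@dataclass
class Account:
    account_id: str                                       # AWS account id or Azure subscription id
    product: str                                          # "sandbox", "managed" or "self-managed"
    created: date
    spend_eur: float                                      # month-to-date spend
    peerings: list[str] = field(default_factory=list)     # VPC/VNet links to other environments
    data_classes: set[str] = field(default_factory=set)   # classifications of data stored


def check_sandbox(acct: Account, today: date) -> list[str]:
    """Return the guardrail violations for one account (empty list if compliant).

    Accounts of other products are out of scope for the sandbox rules.
    """
    findings: list[str] = []
    if acct.product != "sandbox":
        return findings

    age_days = (today - acct.created).days
    if age_days > SANDBOX_MAX_AGE_DAYS:
        findings.append(f"expired: {age_days} days old, limit is {SANDBOX_MAX_AGE_DAYS}")

    if acct.spend_eur > SANDBOX_BUDGET_EUR:
        findings.append(f"over budget: {acct.spend_eur:.2f} EUR, limit is {SANDBOX_BUDGET_EUR:.0f} EUR")

    if acct.peerings:
        findings.append(f"connected to other environments: {', '.join(sorted(acct.peerings))}")

    disallowed = acct.data_classes - ALLOWED_DATA_CLASSES
    if disallowed:
        findings.append(f"disallowed data stored: {', '.join(sorted(disallowed))}")

    return findings


def audit(inventory: list[Account], today: date) -> dict[str, list[str]]:
    """Map account id -> violations, keeping only non-compliant sandboxes."""
    result: dict[str, list[str]] = {}
    for acct in inventory:
        findings = check_sandbox(acct, today)
        if findings:
            result[acct.account_id] = findings
    return result


# Constructed inventory for the demonstration (not real accounts).
TODAY = date(2022, 11, 15)
INVENTORY = [
    Account("sbx-001", "sandbox", TODAY - timedelta(days=10), 120.0),
    Account("sbx-002", "sandbox", TODAY - timedelta(days=45), 610.5,
            peerings=["hub-vnet"], data_classes={"internal", "confidential"}),
    Account("mgd-010", "managed", TODAY - timedelta(days=400), 9000.0,
            peerings=["hub-vnet"], data_classes={"confidential"}),
]

if __name__ == "__main__":
    for account_id, violations in audit(INVENTORY, TODAY).items():
        print(account_id)
        for violation in violations:
            print(f"  - {violation}")
```

Each rule is a separate check so that a finding names the specific guardrail that failed; the managed-cloud account is deliberately included to show that the sandbox rules do not fire on products where cross-environment connectivity and confidential data are allowed by design.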
AWS & Azure: Same Same, But Different

Category            | AWS                                        | Azure
--------------------+--------------------------------------------+---------------------------------------------
Compute             | EC2                                        | Virtual Machines
                    | ECS / EKS / Fargate                        | Containers / AKS / Service Fabric
                    | Lambda                                     | Functions
                    | Elastic Beanstalk / Amplify                | App Service
Network             | VPC                                        | Virtual Network
                    | Route 53                                   | DNS
                    | Elastic Load Balancing                     | Load Balancer
                    | CloudFront                                 | CDN
Storage             | EBS                                        | Disk Storage
                    | S3                                         | Blob Storage
                    | EFS                                        | File Storage
Security & Identity | IAM                                        | Active Directory
                    | KMS / CloudHSM                             | Key Vault / Dedicated HSM
                    | Inspector / Advisor / GuardDuty / Shield   | Sentinel / Security Center / DDoS Protection
AWS & Azure: Same Same, But Different
• Account vs Subscriptions vs Resource Groups
• Cost and Service Limits
• Network Topology
• Organization Structure: Management, Digital Teams, Restricted Environments
• Infrastructure as Code
• …
References:
• AWS Control Tower Managed Landing Zone: https://aws.amazon.com/blogs/architecture/fast-and-secure-account-governance-with-customizations-for-aws-control-tower/
• Microsoft Azure Enterprise Scale Landing Zone: https://github.com/Azure/Enterprise-Scale
Self-Service, Automation, IaC
• Design the user journey (empathize, define)
  – Identify problematic and/or time consuming areas
• Explore self-service options and automate (ideate, prototype)
  – Done is better than perfect!
  – Balance short-term with long-term
Diagram: CloudFormation reference templates (e.g. Innovation Sandbox) and ARM reference templates (e.g. Enterprise LZ) built on a shared baseline module (network info, IAM, …), used by both the SW Team and IT Ops.
Customer Experience > Employee Experience > Engineering Experience
Thanks! Questions? Feedback?
Bruno Amaro Almeida, brunoamaro.com. Reach out on: @bruno_amaro, @brunoamaroalmeida