Rethinking AWS and Azure CloudOps for Digital Acceleration at Scale

A presentation at Codefrenzy 2023 in March 2023 by Bruno Amaro Almeida

Slide 1

Bruno Amaro Almeida, Fortum. Rethinking AWS and Azure CloudOps for Digital Acceleration at Scale. 27-31 March 2023, online.

Slide 2

Hello! About me
• Head of Technology & Architecture at Fortum
• Independent Advisor / Architect
Bruno Amaro Almeida, brunoamaro.com. Reach out on: @bruno_amaro, @brunoamaroalmeida

Slide 3

We Create Value with Data and Software
Enabling Fortum's transformation and success through efficient use of data and digital solutions.
1) Digital growth engine – e.g. Rapid Development Hub
2) Digital acceleration – e.g. citizen development, analytics
3) Operational efficiency – e.g. CloudOps, platforms, data hubs
4) Technology advisory and support – e.g. technology strategy and roadmaps, well-architected reviews, open source recommendations and threat modeling
5) Ability to execute through strong internal technical competences complemented with a few selected key strategic partners

Slide 4

Fortum Digital Development: Energy Optimization, Sustainability, Electric Mobility
Business areas: Generation, Trading and Asset Optimization • District Heating, Recycling & Waste • Consumer Solutions • Enterprise • … • Startups

Slide 5

Enterprise Cloud Adoption Path
Driven by Internal IT (or niche digital experiments):
• CapEx ↓ OpEx ↑
• Better capacity planning
• Speed & agility
• Focus on the business (not on datacenters)
Decentralized IT:
• New competences, increased R&D & innovation 🙂
• More advanced and complex digital solutions 🙂
• Internal IT struggling to cope ☹
• Bottlenecks, lack of context & tickets ↑↑↑
• Shadow IT and fragmented governance 👀

Slide 6

Typical Enterprise Cloud Operating Model (diagram)
Business layer: App A, App B, App C, Service X, Product X, Experiment X; teams: AI & Data Team, DevOps Team, I&V Team
Platform Products, Services & Competences: CloudOps, Data Platforms, Fin & Cost Management, IT Service Managers, IAM, Network, APIs & Integration, Security

Slide 7

Different Profiles with Different Needs, Expectations, and Frustrations

Slide 8

John is an employee at Fortum. He is a service manager who is accountable for one (or more) Core IT / Enterprise applications. The business stakeholders (internal and/or external) are counting on him to deliver an excellent IT service experience. He owns the budget for new development and RUN.
Johanna is an employee at Fortum. She is a product owner who works alongside a multi-disciplinary Digital Development team to deliver a successful digital product or service that Fortum customers love. A typical team:
• Tech Lead: 1 FTE
• Front End developers: 1-2 FTE
• Back End developers: 1-2 FTE
• UX/UI: 0.5-1 FTE
• DevOps / Solution Architect: 0.5-1 FTE
• Quality Assurance & Testing: 0.5-1 FTE

Slide 9

Evolving towards a Cloud biOperating Model

Slide 10

“Product” based Cloud Operating Models
Personal Sandbox (Temporary): for temporary usage (e.g. learning)
• Expires after N days
• Limited budget (e.g. 500 EUR)
• No network connectivity to other environments
• No confidential or secret data storage
Managed Cloud (Standard): for Core IT application hosting
• Standard workload (e.g. managed instance/container + database)
• Network isolation by default; connections are allowed only when requested separately
• Internet access (in & out) restricted
Self Managed Cloud (Dev, Staging, Production): for Digital Development teams
• Software teams with end-to-end ownership
• Flexible and complex architectures with several managed services (e.g. event-driven, microservices, etc.)
• Network isolation by default; internet access adjustable
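The Personal Sandbox guardrails above (expiry after N days, no connectivity to other environments) are the kind of rule that should be enforced by the platform rather than by policy documents. The following is an added example, not part of the slides and not Fortum's real policy: it expresses those two guardrails as an AWS Service Control Policy (SCP) for a sandbox organizational unit and includes a small evaluator that simulates which Deny statement would fire for a given call. Assumptions: the sandbox account sits in AWS Organizations with the default FullAWSAccess SCP attached, the allowed regions and 30-day lifetime are illustrative, and the budget limit is left to AWS Budgets rather than IAM (an SCP cannot express spend). The evaluator models only the statement shapes used here, not full IAM semantics.

```python
"""Sandbox guardrails as an SCP plus a minimal Deny-statement simulator.
Added example; region list, lifetime and account details are assumptions."""
import json
from datetime import datetime, timedelta, timezone

# Actions that would connect a sandbox VPC to other environments or
# share resources across accounts (guardrail: "no network connectivity
# to other environments"). Direct Connect is denied wholesale.
CROSS_ENV_NETWORK_ACTIONS = [
    "ec2:CreateVpcPeeringConnection",
    "ec2:AcceptVpcPeeringConnection",
    "ec2:CreateTransitGatewayVpcAttachment",
    "ec2:CreateVpnConnection",
    "ec2:CreateVpnGateway",
    "ec2:CreateCustomerGateway",
    "directconnect:*",
    "ram:CreateResourceShare",
    "ram:AcceptResourceShareInvitation",
]

# Global services carry a region value the region guardrail must not block.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "support:*",
    "budgets:*", "cloudfront:*", "route53:*",
]

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def sandbox_scp(created_at, lifetime_days, allowed_regions):
    """Build the SCP document for a sandbox created at `created_at` (UTC)."""
    expires_at = created_at + timedelta(days=lifetime_days)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyCrossEnvironmentConnectivity", "Effect": "Deny",
             "Action": CROSS_ENV_NETWORK_ACTIONS, "Resource": "*"},
            {"Sid": "DenyOutsideAllowedRegions", "Effect": "Deny",
             "NotAction": GLOBAL_SERVICE_ACTIONS, "Resource": "*",
             "Condition": {"StringNotEquals": {"aws:RequestedRegion": allowed_regions}}},
            # "Expires after N days": every action is denied once the clock passes
            # the expiry; the account is then cleaned up by a separate process.
            {"Sid": "DenyEverythingAfterExpiry", "Effect": "Deny",
             "Action": "*", "Resource": "*",
             "Condition": {"DateGreaterThan": {"aws:CurrentTime": expires_at.strftime(TIME_FMT)}}},
            # Keep the sandbox from escaping the guardrails altogether.
            {"Sid": "DenyLeavingOrganization", "Effect": "Deny",
             "Action": ["organizations:LeaveOrganization"], "Resource": "*"},
        ],
    }


def _action_matches(pattern, action):
    """Match an IAM action pattern: "*", "service:*" or an exact action."""
    if pattern == "*":
        return True
    if pattern.endswith(":*"):
        return action.split(":")[0] == pattern[:-2]
    return pattern == action


def scp_denies(policy, action, region, now):
    """Return the Sid of the first matching Deny statement, or None.

    Simplified evaluator for the statement shapes above: Action / NotAction
    lists, aws:RequestedRegion (StringNotEquals) and aws:CurrentTime
    (DateGreaterThan). `now` must be a timezone-aware UTC datetime.
    """
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if "Action" in st:
            patterns = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            if not any(_action_matches(p, action) for p in patterns):
                continue
        elif any(_action_matches(p, action) for p in st["NotAction"]):
            continue  # NotAction: the statement does not cover this action
        cond = st.get("Condition", {})
        allowed = cond.get("StringNotEquals", {}).get("aws:RequestedRegion")
        if allowed is not None and region in allowed:
            continue
        deadline = cond.get("DateGreaterThan", {}).get("aws:CurrentTime")
        if deadline is not None:
            expires = datetime.strptime(deadline, TIME_FMT).replace(tzinfo=timezone.utc)
            if now <= expires:
                continue
        return st["Sid"]
    return None


if __name__ == "__main__":
    created = datetime(2023, 3, 27, tzinfo=timezone.utc)  # constructed sample date
    policy = sandbox_scp(created, 30, ["eu-north-1", "eu-west-1"])
    print(json.dumps(policy, indent=2))
    print(scp_denies(policy, "ec2:CreateVpcPeeringConnection", "eu-north-1",
                     created + timedelta(days=1)))
```

The expiry condition is what turns "expires after N days" from a ticket into an enforced fact: after the deadline every API call in the account is denied regardless of what the sandbox user's own IAM policies allow, because an SCP Deny wins over any Allow. The region statement uses NotAction so that global services (IAM, STS, CloudFront, Route 53) keep working, which is the usual mistake when first writing a region restriction.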

Slide 11

Core IT x Digital Development (diagram)
Business: App A, App B, App C, Service X, Product X, Experiment X
Core IT: IT Service Owners, Service Management, End User Services, Network, IAM, SOC, Cyber Security
Digital Development: Rapid Development Hub, SWD Team, AI & Data Team, I&V Team, LowCode / NoCode, Data Engineering, Data Science, BI & Analytics, Software Development, Quality Assurance
Platform Products, Services & Competences: CloudOps & Platform Engineering, APIs & Integration, Data Platforms, Solution Architecture / Advisory, DevSecOps & SRE
Virtual and lean Governance, Risk and Compliance steering

Slide 12

Rapid Development Hub
We empower anyone in Fortum to experiment with innovative digital ideas in 6 weeks.
Process: Idea collection → Engagement → Implementation planning & sprint (design, data, development, advisory) → Present the results → Handover
Hybrid Rapid Development Team:
• Technical competence leads
• Business enablers
• Virtual Extension Body

Slide 13

“A digital platform is a foundation of self-service APIs, tools, services, knowledge and support which are arranged as a compelling internal product.” Evan Bottcher, https://martinfowler.com/articles/talk-about-platforms.html

Slide 14

Growth Engine for Digital Acceleration
Digital Development: Digital Dev Proj Team A, Digital Dev Proj Team B, Digital Dev Proj Team C, … Each team has end-to-end responsibility: develop, test, deploy and operate. Each team has full ownership of and responsibility for their cloud workload infrastructure: monitoring, alerting, vulnerability management, incident response, etc.
CloudOps & Platform Engineering Team (Platform Products, Services & Competences): focuses on enabling a great service management and software engineering experience. Develops automation, self-service capabilities, templates and reference implementations in DevSecOps, cloud, tools, SOC, built-in integrations, security, …
Virtual Cloud, GRC and FinOps steering group: Cyber Security, SOC, Network, IAM, …

Slide 15

Connecting the dots with Backstage.io
• Tech Radars
• Builders Library and Templates
• Digital Development Handbook
• Core IT Handbook
• API Catalog
• Digital Project Catalog & Discovery
• Metrics (e.g. DORA, SLAs, SLOs)
• Self-service Cloud & Tools Provisioning
• …

Slide 16

AWS & Azure: Same Same, But Different
Compute
• AWS EC2 ↔ Azure Virtual Machines
• AWS ECS / EKS / Fargate ↔ Azure Containers / AKS / Service Fabric
• AWS Lambda ↔ Azure Functions
• AWS Elastic Beanstalk / Amplify ↔ Azure App Service
Network
• AWS VPC ↔ Azure Virtual Network
• AWS Route 53 ↔ Azure DNS
• AWS Elastic Load Balancing ↔ Azure Load Balancer
• AWS CloudFront ↔ Azure CDN
Storage
• AWS EBS ↔ Azure Disk Storage
• AWS S3 ↔ Azure Blob Storage
• AWS EFS ↔ Azure File Storage
Security & Identity
• AWS IAM ↔ Azure Active Directory
• AWS KMS / CloudHSM ↔ Azure Key Vault / Dedicated HSM
• AWS Inspector / Advisor / GuardDuty / Shield ↔ Azure Sentinel / Security Center / DDoS Protection

Slide 17

AWS & Azure: Same Same, But Different
• Account vs Subscriptions vs Resource Groups
• Cost and Service Limits
• Network Topology
• Organization Structure: Management, Digital Teams, Restricted Environments
• Infrastructure as Code
• …
AWS Control Tower Managed Landing Zone reference: https://aws.amazon.com/blogs/architecture/fast-and-secure-account-governance-with-customizations-for-aws-control-tower/
Microsoft Azure Enterprise Scale Landing Zone reference: https://github.com/Azure/Enterprise-Scale

Slide 18

Self-Service, Automation, IaC
• Design the user journey (empathize, define) 💚
  – Identify problematic and/or time consuming areas
• Explore self-service and automation (ideate, prototype) 🛠
  – Done is better than perfect!
  – Balance short-term with long-term
Diagram: CloudFormation reference templates (e.g. Innovation Sandbox) and ARM reference templates (e.g. Enterprise LZ), built on a shared baseline module (network info, IAM, …), serving both the SW Team and IT Ops

Slide 19

Customer Experience > Employee Experience > Engineering Experience

Slide 20

Thanks! Questions? Feedback?
Bruno Amaro Almeida, brunoamaro.com. Reach out on: @bruno_amaro, @brunoamaroalmeida