Demystifying Azure Stack HCI multi-tenancy for Enterprises
Introduction:
In this blog series, we delve into diverse multi-tenancy scenarios encountered by Azure Stack HCI customers. In this article let's explore the various enterprise scenarios in which you want to harness the potential of Azure Stack HCI. We will be covering more insights on Service Providers in separate articles.
In the ever-evolving landscape of cloud computing, Azure Stack HCI stands out as a powerful solution that brings together the best of both worlds—on-premises infrastructure and Azure's cloud capabilities. It promises seamless integration, flexibility, and scalability, making it an attractive choice for organizations seeking to optimize their operations.
What is Azure Stack HCI?
Azure Stack HCI is a cutting-edge hyperconverged infrastructure (HCI) cluster solution designed to seamlessly host virtualized Windows and Linux workloads alongside their associated storage. This innovative platform operates within a hybrid environment, cleverly merging on-premises infrastructure with the rich array of Azure cloud services, offering a powerful combination of capabilities.
You can have multiple nodes and clusters within the Azure Stack HCI environment. Microsoft enables multiple options for you to manage resources in Azure Stack HCI conveniently using the Windows Admin Center or the Azure Portal via Azure Arc. Additionally, you can implement Role-Based Access Control (RBAC) for these resources and apply software-defined networking (SDN) based isolation for your workloads.
However, it's important to note that administrators with access to the underlying infrastructure still retain the ability to access tenant resources due to their administrative privileges over the environment. This distinguishes Azure Stack HCI from Azure Stack Hub, where such access is restricted because the underlying infrastructure is a black box to the administrators.
Is it possible to enable true multi-tenancy on Azure Stack HCI?
As with any technology, there are questions and challenges to address. One such question looms large in the minds of those considering Azure Stack HCI: Is it possible to enable a true multi-tenant implementation on Azure Stack HCI?
From Microsoft’s perspective, Azure Stack HCI is not considered a multi-tenanted solution, as administrators have access to the underlying infrastructure and thereby can access end users’ resources.
Nevertheless, there are practical scenarios where you may want to leverage Azure Stack HCI within your organization for multiple departments/ business units or You might also aim to provide shared cluster services to different departments. How will you achieve this?
In a world where no man is an island, it's equally true that no Azure Stack HCI cluster is designed exclusively for a single developer or team—unless, of course, you're exploring its capabilities in splendid isolation. But for most organizations, the need to accommodate multiple end users or workloads within a single or shared cluster is a pressing reality.
Azure Stack HCI Multi-Tenancy with Hybr®
Hybr® is a versatile multi-cloud, multi-tenant platform that excels in orchestration, automation, cost management and billing experience. It delivers a seamless single-pane-of-glass portal experience for efficiently provisioning and managing resources across on-premises and public cloud environments, including Azure Stack HCI.
Does Hybr® offer any special capabilities or workarounds to enable functionalities that are not achievable with native Azure Stack HCI on its own? No, there's no magic involved here. Hybr® simply provides a more convenient way to manage the capabilities that Azure Stack HCI is inherently designed to support. Hybr® offers a user-friendly management interface, automation features, and simplified billing experiences for both single shared and multiple dedicated Azure Stack HCI clusters. It also includes standard Role-Based Access Control (RBAC) for comprehensive asset control.
For instance, your team can utilize a shared cluster for development and testing purposes, and when a higher level of isolation is needed, dedicated clusters can be employed. All of these can still be efficiently managed through a single Hybr® portal, and you can generate unified usage and billing reports spanning multiple departments within an enterprise.
Enterprise Perspective
Picture yourself as a prominent enterprise organization that has implemented two Azure Stack HCI clusters, referred to as Cluster A and Cluster B. Within your corporate structure, you have R&D and Operations department.
Scenario 1: Ensure storage and network level isolation:
Your primary objective is to establish strict resource isolation at the storage level, ensuring that any resources created by the R&D department are inaccessible to the Operations department, and vice versa.
Solution
By leveraging Hybr®, you can seamlessly integrate all your clusters and allocate each one exclusively to a specific department, group, or subsidiary company. For example, you can designate Cluster A solely for R&D department’s use, while reserving Cluster B exclusively for Operations department. This deliberate allocation ensures that R&D department remains entirely isolated from Operations department’s resources, establishing a robust barrier of separation between the two departments, ensuring that both the R&D and Operations departments have storage-level isolation. If you aim to establish isolation among different individuals within the same department, you can activate software-Defined Networking (SDN) features to enable network-level isolation.
Scenario 2: Ensure network level isolation only:
Your objective is to allocate and share the Azure Stack HCI clusters, A and B, between R&D and Operations department, while maintaining strict resource isolation. This means ensuring that any resources created by R&D department are inaccessible to Operations Department, and vice versa, though storage hardware can be shared.
Solution with Hybr® and SDN:
Utilizing Hybr®, you can harness Azure Stack HCI's SDN capabilities to achieve network isolation. This allows the R&D and Operations departments to create distinct virtual networks within a shared infrastructure, ensuring the segregation of data and services, even when multiple groups coexist in a single cluster or shared clusters. Furthermore, if there are multiple workloads running within their respective subnets within these virtual networks, we can enable micro-segmentation using datacenter firewall rules.
For example, the R&D and Operations departments have established their virtual networks labelled as 1, 2, 3, and 4, each assigned A & B clusters. These virtual networks operate independently, guaranteeing that traffic within each network remains isolated from the others. Both departments have the flexibility to define access control, firewall rules, and security settings tailored to their specific requirements.
Summary of Multi-Tenancy and Isolation Scenarios with Hybr®
Isolation Layer | Isolation Layer Native Support in Azure Stack HCI? | Alternative | Alternative Hybr® Support? | Comments |
---|---|---|---|---|
Hardware / Storage Infrastructure | No | Dedicate Hardware cluster per tenant | Yes | With Hybr® role-based access control, users can be allowed only to manage and access resources and workloads within specific clusters. |
Network | Yes | N/A | Yes | Hybr® leverages Azure Stack HCI SDN constructs to provide end user network isolation. |
Workload / VM | Yes | N/A | Yes | Hybr® enables configuring Virtual Trusted Platform Module (vTPM) to leverage advanced security features, such as BitLocker, in Gen 2 VMs. |
Advantages of Harnessing Hybr® Solutions to Manage Your Azure Stack HCI Clusters:
Cluster Integration and Dedication: Hybr® seamlessly integrates Azure Stack HCI clusters, allowing you to allocate them exclusively for specific departments, groups, subsidiaries (in the enterprise context). This ensures efficient resource management and isolation.
Utilizing Software-Defined Networking (SDN): Hybr® takes advantage of Azure Stack HCI's SDN capabilities to achieve network-level isolation. This means you can create separate virtual networks within shared physical infrastructure. These virtual networks are independent, allowing for isolated traffic. Additionally, you have the flexibility to define access control, firewall rules, and security settings tailored to specific requirements.
Plan and Offer Configuration: With Hybr®, you can create custom service plans and offers for each departments. These plans can be fine-tuned to meet the specific resource needs of individual departments/ users, ensuring resource alignment and optimized service delivery.
Monitoring and Reporting: Hybr® provides monitoring and reporting tools that enable you to track the performance and health of each cluster. This helps you proactively address any issues that may arise, ensuring a smooth and reliable operation.
Streamlined Experience: Users benefit from a dedicated portal experience with Hybr®. Each department gets his own cluster, granting them flexibility to scale resources as needed. Importantly, their data and workloads remain completely isolated from other department users, enhancing data security and privacy.
Role-Based Access Control (RBAC): Hybr® employs Role-Based Access Control (RBAC) to enforce access policies. This means that only authorized users or administrators with specific permissions can manage and access resources and workloads within their designated clusters. This adds an extra layer of security to your infrastructure.
Centralized Management: Hybr® provides a single, unified management interface for overseeing all your Azure Stack HCI clusters. This centralized approach simplifies administrative tasks such as provisioning, monitoring, and maintenance. It also allows for efficient resource allocation, update application, and configuration management across all clusters, ultimately enhancing overall efficiency and reducing management complexity.
Utilization Tracking and Billing: Hybr® empowers you with the capability to effortlessly monitor and track resource utilization, allowing you to provide effective Show back and Chargeback services to your departments/ internal entities/ subsidiaries. It offers a range of flexible pricing models, including Fixed payment, Pay-as-you-go, and Hybrid options, to cater to diverse customer needs. Azure Stack HCI operators can seamlessly access both historical and current month usage details, complete with associated costs. Additionally, Hybr® streamlines the generation of invoices, facilitates the production of usage history reports, and simplifies the creation of forecasting reports for your convenience.
Conclusion:
Azure Stack HCI opens a world of possibilities for Enterprises alike, enabling them to harness the power of hyperconverged infrastructure while seamlessly integrating with Azure's cloud services. However, the concept of multi-tenancy in Azure Stack HCI is not straightforward, as administrators still have access to end users’ resources.
From an enterprise perspective, we explored scenarios where strict resource isolation is essential for organizations with distinct business units or departments. Leveraging Hybr® for managing and isolating Azure Stack HCI clusters dedicated to different departments or subsidiary companies offers a practical solution. It ensures robust separation, access control, enhanced security, centralized management, and improved efficiency.
Furthermore, Hybr® offers comprehensive billing capabilities, allowing operators to monitor resource utilization, implement flexible pricing models, generate invoices, and offer convenient payment options. This ensures transparency and flexibility in the billing process, benefiting both operators and end users.
To discuss how Hybr's multi-cloud features can benefit your organization, please reach out to info@cloudassert.com.
Stay tuned for Cloud Assert's upcoming Azure Stack HCI blog article focused on Service Providers!