Secure Azure Computing Architecture on Azure Government

>> Hi. This is Steve Michelotti of the Azure Government engineering team. I'm joined here today by Jason Henderson, Cloud Architect for Microsoft Federal, and we are here today to talk about the Secure Azure Computing Architecture for the DoD on Azure Government. So we'd better start out by just having you help us understand: what is the Secure Azure Computing Architecture?

>> Yeah. So in order to explain what the Secure Azure Computing Architecture, which we like to call SACA, is, first we should probably talk about what the policy is that this is trying to meet for the Department of Defense. So I'm going to talk to you guys real quick about the Secure Cloud Computing Architecture functional requirements document that was published by the Defense Information Systems Agency, which essentially governs all information operations throughout the DoD. This is what they call the SCCA FRD, and it essentially outlines all the security policies that need to be met in order to connect to a commercial Cloud provider such as Azure. This policy has four functional components. The first one they call the Boundary Cloud Access Point, and this Boundary Cloud Access Point is essentially boundary protection, traditional IP filtering and things like that. It sits in between the DoD's on-premises network and the Cloud, at a connection point. Then they have the Virtual Data Center Security Stack. This is where they're doing the traditional data center security type controls, from web application firewall, SSL break and inspect and again, IP filtering, things like that. Then we've got the Virtual Data Center Managed Services. This is essentially the shared services that any enterprise would have, such as host-based security, Azure Active Directory functions, logging, aggregation and things like that; that's where I guess the SIEM would sit. Then they have a business role called the Trusted Cloud Credential Manager, and there are some technical controls that need to be met in order to enable that person to do their job; it's essentially identity and access management. So all of these different controls, and there are a bunch of them that make up these four different components, essentially need to be met somewhere in an architecture, essentially in between the DoD and the Cloud provider. So as we were talking to customers about how they can meet these policies, myself and a colleague, Kyle Hoyer, that we worked on this with, decided it's probably good to standardize a reference architecture of how you would do this in the Cloud.

>> Got it. So the SCCA is the policy, and so the SACA is the implementation or the reference of that policy?

>> Right, so that's where SACA came about. So Secure Azure Computing Architecture: we essentially took out the "Cloud" part of SCCA and called it Azure, because this is the SCCA deployment on Azure which meets this policy, and so we created this reference architecture. So what SACA is, is an SCCA-compliant architecture deployed on Azure. We designed this using currently available IL5, Impact Level 5, services in Azure, and so that's really key to this: as most of our DoD customers are going to deploy at IL5, we wanted to make sure that they could use this at IL5.

>> So given the fact that recently Azure Government has had an expansion of the IL5 services, there are quite a few services you can use within the SACA.

>> Yeah, so that's a great point. So actually when we first designed everything in what we call version one, V1, and into V2 that we're going to show you today, there were a lot of things like Azure Monitor or Security Center, things like that, that could be used to meet some of these controls, that were available at IL4 but not necessarily IL5. But with the expansion of IL5 into the Gov regions, that opens up the opportunity to be able to use some more of these services. Then also we've decided to do some automated template deployments of this, and essentially it's just a DMZ reference architecture, it's pretty standard, but it meets these policies.

>> So it almost sounds to me like a little bit more than just a reference architecture, because once you have your VNet set up, for example, if you provision a new VM it just goes into that existing VNet, correct?

>> Yes. So in the template we deploy essentially some subnets that you can drop whatever other tools you want to bring in, and I'll show you in a little bit the VDMS section where we're going to do our shared services. There's not a whole lot deployed in the template for VDMS, because every customer is going to want to use different things to meet those shared services, but we deploy a subnet inside the VNet where you can just start dropping the VMs in, and as soon as you drop the VMs in, all the routing is taken care of to enable it; it all goes through the virtual appliances and all that.

>> Got it. So the template puts you into the initial pit of success, and then what about governance? Does Azure Policy, how does that relate to this, if at all?

>> Yes. So the governance piece of it, with Azure Policy and becoming Blueprints for the DoD, these are things that can be deployed in conjunction with this template. So you can deploy this template and then also deploy an Azure Policy that locks down your environment, sets up that governance structure for your actual enterprise. It's not part of this template, but it's something that's a follow-on that's also, obviously, here at Microsoft, we're working really heavily on making that as easy as possible.

>> So I think that's an important point. Not only is the template you're showing us today hugely important, but it's not done. Like, we can continue to expand on the functionality and make it even better as we get these other services on-boarded into Azure Government.

>> Yeah, exactly.

>> Okay, great.

>> So this is essentially a high level of what the architecture actually looks like. This is a little bit of a busy network architecture diagram, but what you see here is a hub VNet that has a bunch of different appliances. So you've got your ExpressRoute gateway, you've got a management subnet that includes jump boxes to be able to manage your environment, and then you've got the Azure load balancers which will load balance traffic across the VMs, which in this scenario are two network virtual appliances; it could be more, scaling laterally and running in an active-active scenario. So the Azure Standard Load Balancer, when that became a service that we could use at IL5, was huge for this, so we could actually enable active-active appliances scaling laterally.

>> I see it's not just for VMs, we can use higher-level PaaS services, like App Services with the App Service Environment and that kind of thing.

>> Yeah, absolutely. So the idea is that the SACA reference, or the SACA deployment, is going to live in this hub VNet where the VDMS subnet lives. You see that there are some VMs I put into that subnet for the diagram that correspond to the specific controls, but really the idea is that the mission owner applications, the actual application owners that have some web application or whatever application it is, they all fall in line behind this, connecting up to the hub through a VNet peering and having user-defined routes that force all traffic through these appliances. Inside that application space you can absolutely use AIC, you could use service endpoints to use our PaaS SQL Database, and now you can take many mission owner applications and connect them and all be compliant behind this one security stack.

>> Awesome. Okay, so we see the diagram here. What is a typical deployment like?

>> Yeah, so the typical deployment we see across the Department of Defense is, they'll typically take this purple box you see, we call it the DISA BCAP. That is DISA-owned; it's actually a service that they offer to provide your boundary CAP. Typically people actually use that DISA boundary CAP on-premises, and the reason for that is because to connect to our PaaS services traditionally, or our Software as a Service offerings that would connect over a Microsoft peering, those would terminate on that boundary CAP and it would be able to be used for that, as well as connecting over a private ExpressRoute directly to the IaaS environment that your Azure stuff is going to run in.

>> Great.

>> So they'll usually connect that over two different ExpressRoute locations, one on the East Coast, one in the more central United States, to connect to these boundary CAPs, and then they will deploy their VDSS functionality that you saw in that hub VNet that we were showing earlier, and their VDMS. They'll deploy that in a hub in two different regions, both at DoD East and DoD Central, and then they will deploy their mission owner applications behind that, and they can deploy as many mission owner applications behind these stacks as they'd like. But that enables them to have applications that live closer to the user in DoD Central or the East Coast, as well as some high availability: if one goes down we can reroute traffic over the other, and that's really a scalable and resilient design architecture.

>> Okay. So we've seen a typical deployment; who typically deploys these?

>> Yes, so the customers that should be looking to deploy this: every single DoD customer that wants to connect to the Cloud needs to have this policy met. There are offerings through that, so you could just subscribe to their all-up service. But if it's a customer that's going to be a managed service provider for a bunch of different mission owner applications, that maybe today hosts a bunch of different applications in a data center, a centralized enterprise environment for their DoD customers, they would probably be doing the same thing in the Cloud. If they look to do that, then it makes sense for them to deploy this template and manage a SACA architecture on their own, getting more bang for the buck and more control over their applications. As well as, really, anybody that wants to be able to deploy a DMZ architecture in a more expedient and quicker way, it doesn't matter if they're a commercial customer or a DoD customer. One of the things that we did with our version two is we scaled the automation back one layer.

>> So before, in our version one, we were including in the automation the configurations of the actual appliances themselves to meet the policy. What we've done is we've scaled that back so that the appliances don't get configured for the policy right out of the gate, or included in the automation template. Now you can tag a URI to go to a secondary script that will actually deploy that template, so you can have your SCCA baseline template deployment that tags into this automation and meets all that policy. But if you're a commercial company that does some retail and you have your own security policies that you would want to do, you can create your own security policy script that gets tagged to the deployment and deploys on top of that.

>> So other vendors can use it too, then?

>> Yeah, any customer can use it. DoD, we already have an SCCA baseline created for you.

>> Okay. All right, great.

>> So with that, I mentioned that we had automated template deployments. So right now we have three automated template deployment options. One of them is using F5 at the core for the network virtual appliances, and with F5 we've got a one-tier architecture, which is what I showed in the diagram; essentially this is an HA pair of F5s in the core of this architecture. We've also got what we call the three-tier architecture, which takes a couple of different F5s, two HA pairs, one on the top, another layer of them on the bottom, and you put something like an IPS in between them, to enable SSL decryption in between and see the clear-text traffic. Then we did the same thing with Citrix, partnered with them as well, and they've created a three-tier automated deployment template as well. Although those are automated deployment options, the reference architecture itself really stays the same across any network virtual appliance vendor you'd like to bring in. So you can take this design and drop in whatever appliance you'd like; you just don't necessarily have the automated follow-up.

>> Okay. All right, this sounds great. So let's see a demo here. Let's see what one of these deployments looks like.

>> Yeah. Let's do it. So what we're going to do here is, we're going to actually start off how I suggest you actually start this deployment off. So the first place we usually start is our public documentation on this architecture. If you actually scroll down, this gives you all kinds of really interesting information that dives into the security controls, but really at the bottom we have our automated deployment options. We see we have our Citrix deployment; it gives a little diagram for specifically what Citrix is doing. Now, we've got our F5 deployment here. We're going to quickly demo the F5 one. So you essentially click on this GitHub link; it will take you to the F5 documentation. In here, it just goes into GitHub. It's where all the scripts are deployed; they've got their readme, all their documentation about it.

>> Plenty of documentation.

>> Plenty of documentation. So now, you'll get down here to the actual template deployments. So right now, we're going to deploy the one-tier deployment on Azure Government. As you can see, we've also got the Azure commercial deployment buttons. So you can deploy these in any of our Clouds you want them deployed into. So we'll go ahead and click on "Deploy to Azure Government", and this will take you and log you into our Azure Government portal, and this will show you the template here. So in here, we've got a bunch of parameters that you can pass. You can bring your own values; we have default values. I'll take you real quick into what this would look like. So you can go in here and you can actually edit the parameters. So again, it's all open source, essentially. Once in GitHub, you can go in and modify it for your specific needs. But this is essentially what it looks like on the back end. We've got different variables, passing settings, parameters, and you can take that in.

>> So we've set up the big JSON file for you, but you can just come in and fill out a bunch of values and text boxes here and deploy it.

>> Yes.

>> In your subscription, as easy as that.

>> So now you saw that you can actually edit these parameters through the JSON file. So the first thing you would do is, essentially, you just need to create a resource group. I'm going to call this the demo resource group. Again, this is your location, as in your actual Azure regions. If you have access to the DoD East region or Central, as well as the US Government regions, you can deploy this into those regions. If you had selected the commercial deployment button, you'd be logged into commercial and you'd see all the commercial regions. So we're going to pick DoD East. You'll see that there are some default values passed in, and then we've got a couple little boxes that have little red stars; those are required fields. These are admin passwords for your jump boxes and your F5s. I'm just going to go ahead and paste the password in here real quick. So when you first log in, your default admin username would be whatever you select, but the default that we provide for you is xadmin, and then whatever password you supply, and then you'll need a license key. So here, we've got the license key; I'll go ahead and paste the license key in there. These are going to be licensing your F5 appliances, and in this one-tier architecture there are two appliances, so you need two license keys. So the second key's going to be popped in here. So this is my second license key. This is the best, highest-level license key that includes all their features. That's all you actually need to do for this template. There's just: provide a password and provide a couple license keys, agree to the terms and conditions and hit "Purchase."

>> Okay.

>> So now, this is actually going to start running here in the background. For the purposes of this demo, I've already got one that has been created. So at the end, this is what it's going to look like. So if you see here, this is a deployment that I did earlier, and it took 12 minutes and 45 seconds to deploy this architecture, and created all of these different resources. I'll tell you what they are. But you see, it created a bunch of different resources. Now, I'll actually go to the resource group, then you can see where this was deployed to. So here, first, you will go to the actual resource group that we created in the demo. This is the demo one; I call this one SACA_V2. This has your availability set that your VMs are going to be deployed into for high availability, and then the different network interfaces. So as you can see here, these are the F5 appliances' external interfaces, and it comes and deploys your three interfaces per appliance. The external Azure load balancer, that's going to sit in front of that and be able to connect to that and load balance across the VMs. The actual VMs themselves, so if you actually filter, this will be a little easier. So you'll see all these network interfaces created, the network security group that it uses for access control, as well as the actual VMs themselves. So you see you've got two F5 VMs that are deployed in the core, and a Linux jump box and a Windows machine that you can use to RDP into it as well. Then from those boxes, you'll be able to actually jump into your F5s or whatever else you want to be able to manage in the environment. The cool part is that the first second you log into these devices, into these jump boxes, it's already passing through the security stack to the F5 and meeting those security policies, so it's already meeting those controls out of the box.

>> Excellent.

>> The most important thing that I think is deployed with this deployment is the route table that gets created. This is where it's going to attach to any subnet that you're going to have an application living in. This route table, you would just now need to associate with any subnet that you create for applications, which is going to force that traffic through the F5s. So we already created that for you at our pre-stage. So you'll see that we have a default route that, for anything that doesn't live in Azure, is going to force it to the backside of those F5s. Then we've got our management subnet and the VDMS subnet that it has created, same thing. So now, anything that's in there is going to route through those F5s and you don't have to worry about it. That's an area where, as customers deploy images out of the Marketplace and want to force tunnel through them, it's where we see a lot of confusion around how you set that up; we set that up for you.

>> That's a huge point, because not only does this template make it super easy to do your initial setup, but then when you're adding new machines, whether it's a Marketplace image or provisioning a new VM or whatever, you're provisioning those resources into this secure environment that's already been established.

>> Yeah. Exactly.

>> Okay. Great.

>> So just to show some proof here that we're getting what we advertise, I'll go ahead and show you the network diagram that gets created by default in Azure. So if you actually go into the virtual network and you select this diagram here, it's going to pull up a diagram that Azure essentially makes for you. So if you see here, you've got your VNet at the top, your different subnets: VDMS subnet, management subnet, internal side of your F5 subnet, the external side, and that internal route table. You can see, if you follow this line, it's actually assigned automatically to the VDMS subnet and the management subnet, so that forces that traffic the way we're talking about. You see these NICs here for the management subnet; you've got the NICs that actually are for those jump boxes attached to them already, and it shows the VMs that they're attached to. Then the internal side and the external side, these are all F5 NICs that are assigned to the load balancer's backend VMs, and then the Azure load balancers that live in front of that.

>> Yeah, that's huge. This diagram is great, because before, we were just looking at a list of resources, but this actually gives you the diagram that matches the diagram you were showing us in the beginning, to prove, yes, this is where all this stuff has been provisioned, so to speak.

>> Yeah. So that's essentially it. So I mean, it took 12 minutes and 45 seconds to get this deployment done. Now, for the VDMS controls, you have to bring a lot of things on your own. That's an area where you can bring third-party tools or open source tools that you may want to deploy to meet some of the log aggregation, things like that, but you can also use a lot of our Azure services. Again, as more services come into IL5, that opens up the opportunity for DoD to use more of those services. I mentioned Azure Monitor before, but things like, going forward, Azure Sentinel might be a great option. If that comes into the DoD Cloud, we can actually use something like that, and that doesn't even have to sit in the VDMS subnet, but that can be used to meet the VDMS controls. I mentioned earlier that if you're a commercial customer that doesn't have to adhere to the DoD policies and there's an Azure service or something you want to use in conjunction with this template, you can absolutely do that in the commercial regions.

>> Okay.

>> So it's modular, you can modify it, you can do anything you want to do with it, but this is going to get your core enterprise security architecture stood up in about 12 minutes and 45 seconds.

>> Great. All right. So is there anything else that viewers should know to get started, or is it really just go to the documentation page where the GitHub template was?

>> Yeah. I would just say get to the documentation page. The short URL for it is aka.ms/ssca. I'm sure we'll tag it on the video here for you.

>> Yeah. Definitely.

>> Then from there, you can jump into anything you want. From there, we talk in that document about the different Azure services that can be used, and there are links to their documentation. Then you want to go to the automated deployments from the two vendors that we mentioned. You can go to their documentation out there and just jump off from there and start going down the rabbit hole. But it's all open for you to start doing it today.

>> Okay. Great. All right. This has been Steve Michelotti with Jason Henderson, talking about the Secure Azure Computing Architecture for the DoD on Azure Government. Thanks for watching.

>> Thank you.