This blog, part of the Cloud Strategy Unboxed series, looks at the technology behind successful cloud adoption. A key principle of the cloud is to automate everything that can be automated. Manual checklists and organizational policies are automated in controls and pre-approved infrastructure templates.
Cloud platform 101
Whether to take a workload or a platform approach to managing and operating a cloud environment is a decision central to every cloud adoption initiative.
Organizations that are highly regulated, more risk-averse or with less mature application teams tend to favour a preventive and corrective approach, even in development environments. However, it's important to note that even with this stricter approach, developers are still able to provision at least the approved resources themselves, which makes it preferable to any approach with separate provisioning teams.
Pre-approved infrastructure templates
Modern application teams use Infrastructure as Code (IaC) templates to provision the cloud resources they need. The CCoE can create pre-approved infrastructure templates, sometimes called blueprints, for application teams to use. These templates can be for a single cloud service or for an entire application architecture, such as a 3-tier application.
Pre-approved templates serve two key goals.
- The templates are built according to general and organizational best practices and the organization's directives. The CCoE owns the templates and can control exactly which configuration settings can be changed by the app team. For example, in a 3-tier template, the app team may be permitted to select an appropriate server type for their application. However, they will be unable to change the network or firewall settings.
- Templates provide a ready-to-use, high-quality architecture for application teams to easily configure and provision infrastructure, taking away much of the trial and error and uncertainty in following best practices. Given that most enterprise applications are quite similar, this can greatly increase productivity, especially for mass migrations of applications to the cloud.
Pre-approved templates solve several other common challenges, such as inconsistent approaches to the same architecture with varying levels of quality and security. They also make application architectures more predictable, improving productivity and project cost and timeline estimates.
The CCoE should develop templates for all the common patterns that an organization needs. Typically, this is done as the first application of each type is migrated or built. The result from that first mover can then be reused by the projects that follow.
While application teams should use an existing template, those with more unique needs can use the cloud service templates to construct a custom architecture. Justified cases that can’t be implemented with any of the available templates can be addressed by working with the CCoE’s application enablement team on a special blueprint just for that particular application.
The modern cloud deployment pipeline
Creating resources via the cloud console, also known as ClickOps, is not permitted in a cloud platform strategy. The pipeline holds the deployment permissions to the cloud; application teams either have no access to the cloud console or only minimal read access to the relevant application logs. Application teams must send their IaC templates and code to the cloud via a deployment pipeline. This is also desirable for the CCoE and the organization as it provides auditable proof of compliance.
Consider this deployment pipeline a type of pipe through which digital information can travel. Traditionally, this is all that pipelines did; they carried code from point A to point B. However, in the modern cloud, they have evolved in function and importance. Modern pipelines include the ability to enforce our controls. Think of it as a series of sensors and valves throughout the length of the pipe.
If a sensor detects something that is not compliant, such as an unapproved cloud service being requested, then the pipeline automatically closes the valve, and the deployment fails before any resources have been created in the cloud. The application team is notified of the failure so they can adjust their template and try again.
This means that the pipeline is a critical part of the security in many modern cloud management strategies. If an application makes it through the pipeline without being rejected, it can be considered compliant with the enforced directives.
Pipelines also have logging capabilities. As each deployment passes through the pipeline, the enforced directives will log their evaluation of it, providing an auditable trail of compliance proof.
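The sensor-and-valve behaviour described above, as an added example that is not part of the original article or of any vendor's tooling: a minimal pipeline gate in Python that rejects unapproved services and changes to settings a blueprint locks, and writes one audit record per resource. The resource type names, the policy tables and the sample templates are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Hypothetical CCoE policy: approved services and the settings a blueprint locks.
APPROVED_TYPES = {"compute.instance", "network.firewall", "database.sql"}
LOCKED_SETTINGS = {
    "network.firewall": {"ingress_cidr": "10.0.0.0/8", "allow_ssh": False},
    "database.sql": {"public_ip": False, "encrypted": True},
}

def evaluate(template, audit_log):
    """Check every resource; append one audit record per resource evaluated."""
    compliant = True
    for res in template["resources"]:
        findings = []
        if res["type"] not in APPROVED_TYPES:
            findings.append(f"unapproved service {res['type']}")
        # Assumption: an omitted locked setting inherits the blueprint value.
        for key, required in LOCKED_SETTINGS.get(res["type"], {}).items():
            actual = res.get("settings", {}).get(key, required)
            if actual != required:
                findings.append(f"{key}={actual!r} overrides locked value {required!r}")
        audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "project": template["project"], "resource": res["name"],
            "result": "FAIL" if findings else "PASS", "findings": findings,
        })
        compliant = compliant and not findings
    return compliant

def deploy(template, audit_log):
    """Close the valve on any finding, before anything is provisioned."""
    if not evaluate(template, audit_log):
        return "REJECTED"
    return "DEPLOYED"  # a real pipeline would call the cloud API here

# Constructed sample templates (not from the article).
GOOD = {"project": "shop", "resources": [
    {"name": "web", "type": "compute.instance", "settings": {"server_type": "large"}},
    {"name": "fw", "type": "network.firewall", "settings": {}},
]}
BAD = {"project": "shop", "resources": [
    {"name": "web", "type": "compute.instance", "settings": {"server_type": "large"}},
    {"name": "fw", "type": "network.firewall", "settings": {"allow_ssh": True}},
    {"name": "queue", "type": "messaging.queue", "settings": {}},
]}

if __name__ == "__main__":
    log = []
    print(deploy(GOOD, log), deploy(BAD, log))
    print("\n".join(json.dumps(rec) for rec in log))
```

Every resource is evaluated even after the first failure, so the application team sees all findings in one rejected run and the audit trail records passing resources as well as failing ones.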
The last part of a cloud platform that this article will address is a self-service portal. Core tenets of modern cloud strategy are to automate as much as possible and enable application teams to be self-sufficient with the rest.
On a high level, a self-service portal is an interface through which a product owner or similar business role can register new projects – also called project onboarding. Once the project is registered, the portal can automatically create the code repo, attach the deployment pipeline, and set up the application’s environments.
However, a self-service portal can potentially do a lot more. For example, as part of project onboarding, the business owner can be asked to note the data sets that the application will use so that a catalogue of sensitive data can be automatically maintained. The business owner can also be asked to indicate the expected number of users or similar, which can then be used to automatically calculate an operational cost estimate for the project. Information such as project name, team ID, and billing code can be requested. The values can be automatically included in tags attached to each provisioned cloud resource to support the organization’s FinOps strategy.
After onboarding, the business owner can manage access, assigning developers to the project who can access the created code repo and deploy their infrastructure templates and code. The portal is also a great place to build dashboards that provide status updates, logs, and alerts. For example, it can show the status of recent deployments, whether they were approved or rejected by the pipeline, and any messages that may be available for clarification.
Successful cloud adoption requires a platform approach that enables a left-shift of responsibilities to the application teams and provides a consistent control plane across all cloud applications within the organization. Although this approach requires considerable short-term effort to create the team and build the platform, it brings long-term benefits in cost, security, operations, and other areas. A modern cloud deployment pipeline, which enforces and logs compliance through controls, is critical to achieving developer enablement. Lastly, a self-service portal enables application teams to be self-sufficient, automating project onboarding, maintaining data catalogues, and supporting FinOps strategies. By adopting these technologies and strategies, organizations can maximize the benefits of cloud adoption and improve their overall productivity, project cost, and timeline estimates.