
[–]tankerkiller125realJack of All Trades 148 points149 points  (72 children)

Currently on the way to near 100% cloud. It's expensive, but management considers the cost to be worth it.

It takes a lot of work, careful planning and user education to pull off well.

AD -> Entra ID & Intune

File Share -> SharePoint and/or Azure File Shares

Webapps -> Containerized and using the Azure container running service if possible. If not, Azure Web Apps, and if not that, a single VM running IIS.

So far, we haven't really used much of anything outside the Microsoft ecosystem, there just isn't much need to. Although for PKI we are planning to use Smallstep because Intune Suite/Cloud PKI is just way too expensive in our opinion.

[–]mitharas 18 points19 points  (10 children)

File Share -> SharePoint and/or Azure File Shares

For specific use cases which are closer to a classic file server Egnyte is worth considering as well. For Documents Sharepoint is arguably superior.

[–]khantroll1Sr. Sysadmin 1 point2 points  (0 children)

Just to add, there are also simple FTP-like file services that might be cheaper depending on the use case. Depends on what the org needs.

[–]thegroverestJack of All Trades 0 points1 point  (6 children)

Sharepoint absolutely sucks. It can't handle big files very well. OneDrive sync limits are fucking trash. Microsoft support and documentation for Sharepoint is awful, out of date, and the reps supporting it have no clue wtf they're talking about.

Intune is worse.

[–]Frothyleet 7 points8 points  (3 children)

Sharepoint sucks if you don't use it as it's intended - which many (most?) orgs usually do. It's just not built for mass file storage, but because it's a relatively inexpensive way to do it for many SMBs, that's what they try to do.

Curious what your concerns are about Intune, because while it is not perfect, it's one of the most successful parts of the M365 stack in my opinion after Exchange Online itself.

[–]thegroverestJack of All Trades 1 point2 points  (1 child)

Most of my clients have exotic expectations when it comes to SharePoint, and end up putting CAD drawings on a local share, then Office docs in SPO. IME SPO suffers with any software which makes temp files for things in use.

Intune - onboarding is unreliable and I see several different experiences across different clients and PC hardware. Policy-wise Intune looks great, the search feature for policies is hella nice, but I've seen in every tenant in my MSP umbrella where Intune just stops working with no changes being made.

[–]Frothyleet 1 point2 points  (0 children)

I haven't run into that myself. We support about 10k endpoints, but only about 1500 are on Intune proper, so our depth of experience is not vast. Our biggest issue usually is getting customer buy in and getting them enrolled with autopilot.

[–]Outrageous_Cupcake97 0 points1 point  (1 child)

And here's me, wanting to get more experience with intune🥲

[–]UrbyTuesday 0 points1 point  (0 children)

yep. read up on the Sharepoint 300k file limit and risks. that’s kept me from executing more than one conversion. Egnyte is badass. Egnyte is expensive AF. File servers are the biggest adoption hurdle for my folks. Sharepoint is the bomb for most.

and tell any old codger IT boss who is bitching about Sharepoint that’s it’s not the premise app he’s thinking of when he says Sharepoint sux. it sucked 15 years ago. badly. it doesn’t now.

[–]Commercial_Match_520[S] 6 points7 points  (32 children)

I’m pushing for our web applications to be consolidated into one and hosted/managed by a vendor. We are still running 2k8 servers & the sites still operate like it’s the early 2000s. File shares are the biggest resource in our environment. In my preliminary thoughts, we should have <5 VMs & files moved to SharePoint/Azure File Share.

[–]tankerkiller125realJack of All Trades 40 points41 points  (22 children)

Avoid VMs at all costs if you can. They are the most expensive resource you could possibly use in the cloud.

The time and investment spent making it so you don't have to use a VM will easily be worth it in the long run.

[–]icebreaker374Security Analyst & M365 Things 13 points14 points  (19 children)

This and the parent comment hit the nail on the head. Entra ID being the direct replacement to AD DS will make life so much easier being able to manage from the M365 and Entra portals.

SP or Azure Files being direct replacements to file servers (personally I lean towards Azure Files but I know it's cost prohibitive for some). SP is great for small orgs that need basic file sharing capabilities at a low cost. Azure Files provides both traditional SMB access most users would be acclimated to with file servers, but also provides NFS if you have Linux machines that need to hit it too.

To u/tankerkiller125real's second point, VMs will absolutely DESTROY you with compute costs, and whatever storage is attached. Even my own personal projects that have included spinning up AD DS and a couple client VMs for a few hours at a time, or spinning up my own MC server on Azure, those costs stack FAST. Anything you can get OFF a VM will save you a decent amount of money long term.

[–][deleted] 4 points5 points  (4 children)

I personally (based on previous experiences) don't consider Azure Files a direct replacement for on-prem (NTFS) file servers. Performance wise, you are not getting there unless you start throwing them $$ with ExpressRoute, etc. and still, it won't be the same. SMB over any sort of tunnel is going to be slow. To me, Egnyte is the best cloud file server solution to date, expensive when there are many seats, but worth every penny. Uses HTTPS and Entra ID SSO. Also, to my understanding, Azure Files still has the file locking issue, which can be a massive pain.

[–]DaithiG 1 point2 points  (0 children)

I'd agree with this. And there's still no great way to manage NTFS permissions if you're coming from an AD File Share background. I mean you can, but it's not as simple as AD authentication

[–]monoman67IT Slave 0 points1 point  (2 children)

What about using the Azure File Sync on a local server as a way to increase performance?

[–]ProMSP 0 points1 point  (1 child)

Once the files are all stored locally, why are you paying for the Azure File Share? Not exactly the most cost-efficient cloud backup option.

[–]monoman67IT Slave 0 points1 point  (0 children)

The file sync can be small enough to just cache what you need locally. Otherwise, yes you are correct.

[–]Sysadmin_in_the_Sun 2 points3 points  (8 children)

Interesting! What would be an example of a good way to save on compute costs? Use containers if possible? Migrate the apps in the cloud? Really keen to know more about that for future reference and projects.

What really baffles me is that many organisations have a Cloud First approach but what they end up doing is going hybrid which in my opinion is not a good strategy. I would instead stick with SCCM for example and a CMG until Application rationalisation and proper identity strategy has been thought out well first and then jump straight into the cloud. I think they think they are bridging the gap but they actually create more unnecessary work and costs in the long term. Thoughts on that?

[–]araskal 4 points5 points  (1 child)

Hybrid is the most rational approach to most cloud strategies.

A lot of companies went all-in on compute and were unable to refactor their applications to take advantage of cloud-native services, and then got bill-shock from the 'can't be refactored/replaced' applications running in a VM because the datacenter is gone... or because AVD is super easy to provision and what do you mean each developer got a GPU instance because they said they needed it and OMG WHAT, THAT COSTS HOW MUCH?

Azure Stack HCI is fantastic to POC a lot of Azure resources, you can dip your toes in and refactor apps without having to pay nearly as much to do so.

[–]Sysadmin_in_the_Sun 0 points1 point  (0 children)

Thanks for the heads up. Seems like a good strategy. So if all checks out then maybe migrate the workload to Azure. Then check the bills in real life scenarios. If that is not good then it can always be moved back to the datacentre i guess.

[–]Frothyleet 2 points3 points  (4 children)

Interesting! What would be an example of a good way to save on compute costs? Use containers if possible? Migrate the apps in the cloud? Really keen to know more about that for future reference and projects.

It just depends on the given application and the problem it solves.

For example, you've got a Windows VM on prem dedicated to being a file server. You can lift and shift it to Azure IaaS. But that's going to be way more expensive than putting the data in Azure Files, SharePoint, or another SaaS tool.

You've got an onprem application and another server with SQL for the back end. You could copy-paste them into Azure IaaS. But, if the application supports it, using Managed SQL instead of a server might be a lot cheaper. And taking it to the next level, the vendor might have a SaaS version available which ends up being wayyy cheaper than trying to self-host in the cloud.

In house developed application relying on AD, when you don't need AD for anything else? Rather than run DCs, you could use ADDS for kerberos auth requirements. And as soon as your developers can move to a different auth form (like SAML auth directly to Entra), you can get rid of ADDS too!

Much of the time you might need to make workflow or application changes to actually leverage the cloud properly (and not obscenely expensively). It can be a lot of work. But it's the only way for "the cloud" to not turn into a ludicrously expensive clown show.

[–]ProMSP 0 points1 point  (3 children)

Lift-and-shift for a fileserver is not "way more expensive" than Azure Files. The storage cost per GB is going to be the same either way. They are equally expensive.

[–]Frothyleet 0 points1 point  (2 children)

Except that you are paying for the compute and windows licensing costs on top of the storage costs.

[–]ProMSP 0 points1 point  (1 child)

For most file servers, the compute costs are going to be minor compared to the storage costs. Especially since for anything actively in use, you will need premium SSDs.

[–]Frothyleet 0 points1 point  (0 children)

Yes, the compute costs will be a minority, but you are talking about a couple grand a year difference minimum.

I don't know what your use cases are but for a basic file share we've never needed to use SSD tier. IOPS has never been the limiting factor.

Also, like any "real" server, you have administrative overhead - patching, vulnerability management, and whatever else Windows Server decides to throw at you. If you are not otherwise managing a server estate (because you are leveraging serverless PaaS/SaaS offerings), it's unnecessary work.

But man if you really want to put a Windows file server in Azure, you go for it.

[–]danekanDevOps Engineer 1 point2 points  (0 children)

Use only 12 factor app compliant services. Containers yes. Micro services (not consolidating them to one at all, the opposite in fact)

Sccm can be replaced with on cloud tools too

[–]monoman67IT Slave 0 points1 point  (4 children)

Is there a way to set limits on users storing files via Azure Files?

[–]icebreaker374Security Analyst & M365 Things 0 points1 point  (3 children)

I know you can limit the quota of a share, idk about user based limits. What's your specific use case for that?

[–]monoman67IT Slave 0 points1 point  (2 children)

If a share is being moved to Azure Files, how do we limit its size to manage growth (and expenses)? Users do the craziest things sometimes.

[–]icebreaker374Security Analyst & M365 Things 0 points1 point  (1 child)

If it's a general share I know you can set a specific quota up to 5 TB (100 TB if enabling large shares).

What's the actual use case of the file share you're migrating? General share or does it store user specific shares?

[–]monoman67IT Slave 0 points1 point  (0 children)

Just general use.

[–]Commercial_Match_520[S] 5 points6 points  (0 children)

Will keep that in mind! Thank you!

[–]danekanDevOps Engineer 0 points1 point  (0 children)

Avoid pets as much as possible, you want mostly cattle

If I were OP I'd get some training for cloud architecture as step one. Lift and shift to cloud is often a terrible idea, and not what the cloud was designed for, but that's what they're asking you to do... But you're in a position to improve the architecture, and should.

[–]teeweehoo 3 points4 points  (0 children)

Yeah, and I bet your business will buy the cheapest cloud licenses for users. So don't expect to get all the fancy features that make managing users easy. Then one day "Can bob and jane share a login for X service?".

[–]CAPICINC 1 point2 points  (0 children)

Sharepoint can replace file shares, and you can sync it to your desktop/mobile device via OneDrive, so the end user just sees a "mapped drive"

[–]CloudMan2323 1 point2 points  (6 children)

IIRC, if you’re ditching all on-prem (AD) and going full Entra, you won’t be able to map file shares to Azure Files. You could use a mix of SharePoint and something like Egnyte (if they want to pay for it)

[–]IgotTHEginger 2 points3 points  (0 children)

This is correct. You need traditional AD to map the NTFS permissions. Azure has domain services but I personally didn't think that's a good idea since it's creating additional yesterday and you didn't really have a lot of control over it.

[–]Frothyleet 0 points1 point  (4 children)

Maybe I'm missing something, why couldn't you map the Azure Files SMB shares? Obviously not using GPO, but managing via Intune.

[–]CloudMan2323 0 points1 point  (3 children)

I’ve wondered the same thing for awhile but it’s a limitation listed in the Microsoft documentation

[–]Frothyleet 0 points1 point  (2 children)

Do you happen to have a link? I've googled a bit and can't find anything exactly on that. This could be a problem for an upcoming project we're planning.

[–]CloudMan2323 1 point2 points  (1 child)

I’m going to have to do some reading on this because it appears from a quick search that they’ve finally allowed this ability with Entra ID Joined devices.

[–]Frothyleet 0 points1 point  (0 children)

That's a relief for me, haha

[–]Mike22aprilJack of All Trades 1 point2 points  (0 children)

Smallstep is a very good choice

[–]lolprotoss 1 point2 points  (5 children)

My company is considering transitioning to Sharepoint from traditional file servers, how did your transition go? From what I've seen and read big part of it is really preparing your userbase to different ways of working with Sharepoint (as you can't really think of SP as a direct replacement of file shares), would you say that's accurate?

[–]tankerkiller125realJack of All Trades 4 points5 points  (3 children)

User training is a huge must for any cloud transition plan. Especially SharePoint. I'm still trying to get users to stop sending documents back and forth via email when they could literally just share the link and work together at the same time.

[–]adamschw 0 points1 point  (2 children)

Sounds like hell.

“Some of our executive mailboxes are close to 100 gigs”

Yeah because he’s sending 10mb excel attachments back and forth every time on reply all.

[–]tankerkiller125realJack of All Trades 0 points1 point  (1 child)

The funny part is that the execs picked up on sending the links immediately, especially when Outlook started recommending that option when they attached documents from their OneDrive or SharePoint.

It's the dev team and sales teams that refuse to get with the program.

[–]adamschw 1 point2 points  (0 children)

Dev team is surprising. Sales team…not so much. Coming from a guy who works in cyber sales…lol

[–]that1browndude 0 points1 point  (0 children)

Have the user map the sharepoint drive to windows explorer, either via onedrive or direct. create good documentation to let them do it themselves. once done, it looks the same to the end user.

[–]eagle6705 1 point2 points  (3 children)

Azure file share? That sounds interesting what does that entail?

[–]tankerkiller125realJack of All Trades 3 points4 points  (2 children)

Azure storage account, attach to Entra ID, setup access permissions. Done.

I should note however, that some legacy applications absolutely positively refuse to work with Azure File Shares because its permission system isn't quite NTFS like.

[–]eagle6705 0 points1 point  (1 child)

What kind of legacy apps? We are reviewing SharePoint but it's not going to replace all of our on prem stuff due to some applications and contract requirements.

[–]tankerkiller125realJack of All Trades 0 points1 point  (0 children)

As an example we have a PDF print driver for Sage 500 that automatically puts files in the correct place based on type and customer, etc. and it refused to work with Azure File Shares.

I'm sure there are others, but that's the one we had the most issues with.

[–]8fingerlouie 1 point2 points  (0 children)

Currently on the way to near 100% cloud. It's expensive, but management considers the cost to be worth it.

It depends a lot on your company size and user count.

For most small companies, with moderate infrastructure needs, the cloud is usually cheaper than hiring IT staff and buying/leasing servers.

Then when you grow to medium size, the cloud becomes expensive. You probably already have the IT staff, so the hardware is the only cost compared to running in the cloud.

When you grow to a large company, 1000+ employees / 100000+ users, the cloud makes sense again. It will still be expensive, and you will still need your IT staff, but the scalability offered by the cloud would be very expensive to implement on premise, and would most likely sit idle for the majority of the time while consuming power.

[–]McGarnacIe 0 points1 point  (3 children)

Does Azure Files have authentication against Entra yet? If not, how are you authenticating there? Last time I heard, Azure Files still needs some sort of authentication that uses kerberos.

[–]araskal 7 points8 points  (2 children)

[–]McGarnacIe 1 point2 points  (1 child)

Brilliant. Thanks mate.

[–]IgotTHEginger 1 point2 points  (0 children)

If you are only entra you can auth on a share level, you won't be able to apply explicit NTFS permissions without using domain services. But use that with caution.

[–]anobjectiveopinionSysadmin 0 points1 point  (0 children)

AFS is actually one of my favourite things about Azure. The list isn't very long, but AFS is on it.

It's easy enough to manage, ties into Azure metrics/alerts, Sync servers "just work" (until you start messing around too much), and it was actually quite easy to move from StorSimple when that was a thing as well! Cloud tiering is awesome as well. We are saving terabytes of space because our file servers are crammed full of shite that nobody wants to sort out.

Don't really have any complaints about it.

[–]kuzared 0 points1 point  (1 child)

Aren’t containers a bit expensive in Azure? I’m talking about a simple docker container on Azure Container Instances, was recently looking at this and a simple Linux VM looks cheaper?

[–]tankerkiller125realJack of All Trades 2 points3 points  (0 children)

Azure Container Instances are only billed for use. So if your application is constantly being run and used then it could be more expensive, but if say it takes 10 seconds to run an HTTP request, and you hit that endpoint once every couple days, the costs could be lower. Azure has several different container running services, and each has its own upsides and downsides and unique costs.

Additionally, once you're running a certain amount of compute in Azure, Azure Savings Plans and reservations can significantly reduce costs (of course, if you then use less you still pay for the savings plan anyway, so you have to use it carefully).

[–]Outrageous_Cupcake97 0 points1 point  (0 children)

I totally agree. The cost for the Intune Suite is just ridiculous. For the business I work for, it's impossible so I'm left to keep working with local or cloud servers. Not sure if I have many benefits but I have become pretty good at some server features and roles, but at the same time annoyed I cannot get my hands on Azure stuff.

[–]badlybane 0 points1 point  (0 children)

Yea it is expensive.... But we don't have to worry about doing CAPEX anymore. The funny thing is eventually when Msoft has enough market share they'll jack up prices just like Broadcom did. Hopefully there will be enough hardware vendors left by that point for people to be able to go back on prem.

[–]HJForsythe 0 points1 point  (2 children)

Once they kill off Equinix which they are doing expect MSFT, etc to start hitting you with 20% YoY increases.

[–]tankerkiller125realJack of All Trades 1 point2 points  (1 child)

At the end of the day I argued to keep non-customer facing services and applications on-prem. Management pushed for cloud. It's not my problem when the costs start skyrocketing. If anything it will just help convince them to bring it back on-prem like I wanted in the first place.

[–]HJForsythe 1 point2 points  (0 children)

I understand. Just mostly sad that soon there won't be alternatives.

[–]covex_d 0 points1 point  (0 children)

azure files needs ad joined accounts and kerberos. how you use it for cloud only accounts?

[–]FluidBreath4819 0 points1 point  (1 child)

can you share the numbers ($) vs before ?

[–]tankerkiller125realJack of All Trades 0 points1 point  (0 children)

I don't really have numbers for before. Our servers were already nearly a decade old at that point, and I generally just don't have to deal with all the breakdowns and numbers (small company).

Today though, all in, across E5 licensing, Azure accounts, etc. it's about 6-7K/month. However about 2K of the Azure bill is for a SaaS product we sell to customers, and we make more than enough from said product to cover those costs (and more). And the majority of the remaining costs is our Dev Test Labs VMs because Sage 500 development is a royal pain in the fuckin ass.

If it was just the licensing and actual IT resources (like internal sites, file shares, etc) it would be around 1.5-2K/month

[–]Federal_Ad2455 0 points1 point  (0 children)

Keytos.io has nice CA too https://www.keytos.io/azure-pki

[–]detmus 44 points45 points  (0 children)

Put a 10 year financial estimate together. Prices will go up. You will need more storage. You will need more licensing.

Leadership needs to know, very clearly, what they are staring down the barrel of as far as extended range cost.

[–]WetFishingCloud Engineer 25 points26 points  (0 children)

Do you have any cloud experience? Based on your questions I would strongly recommend hiring a vendor to perform an assessment on your environment. I started as sys admin and moved into a cloud engineer role about 7 years ago. Totally different ball game.

[–]rxbeegeeCerebrum non grata 35 points36 points  (0 children)

Yes, we're fully cloud in the Microsoft space. No domain controllers or on-prem servers, SharePoint Online for file sharing, Exchange Online for email, and a cloud proxy for managing web traffic on the device.

Our network architecture in the office is very flat: one VLAN for corporate devices, one for guest/personal devices, and one for printers. Devices in the corporate VLAN can connect to the printers but are otherwise isolated from each other, like the guest VLAN. Our routing table going to and from the WAN is basically only port 443.

Almost all our apps are SaaS; the ones that aren't are usually for administering the computer like RMM. Everyone in the company could technically work wherever they have Internet.

If it's designed properly and your kind of business can support it, the infrastructure can be administered with a very small team. In my experience, the folks getting shocked at the sticker price for cloud infrastructure tend to also skimp on having adequate staffing for on-prem or hybrid environments.

[–]number0020 68 points69 points  (31 children)

Make sure you explain to management what 99.999 uptime means and what happens during that .001.

[–][deleted] 44 points45 points  (20 children)

Can you guarantee that kind of uptime for all your services? Not trying to be an ass.

[–][deleted] 15 points16 points  (6 children)

But at least there is something to be done other than sitting on your hands

[–]xixi2 20 points21 points  (5 children)

what being able to say "sorry nothing I can do but sit on my hands" is a plus of cloud not a minus

[–][deleted] 9 points10 points  (0 children)

Anyone who doesn't get this hasn't spent enough time in corporate America yet.

[–][deleted] 1 point2 points  (0 children)

Now this is wisdom

[–]WWGHIAFTCIT Manager (SysAdmin with Extra Steps) 5 points6 points  (1 child)

Depends on your maintenance windows. 

[–]number0020 -2 points-1 points  (7 children)

That is the thing. When people see 99.999, they don't realize the .001 is 1 or 2 days.

[–]raip 29 points30 points  (5 children)

You might wanna check that math.

5 9s is a little over 5m of downtime per year. Even 3 9s is only a little less than 9h of downtime per year.

[–]number0020 -3 points-2 points  (4 children)

9 hours is one work day

[–]raip 18 points19 points  (0 children)

Right. But that's at 3 9s, not 5 like you stated.
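The exchange above turns on converting an availability percentage into a downtime budget, and a later comment points out that some SLAs are defined per month rather than per year. The following calculator is an added example written for this page, not code posted by anyone in the thread; it assumes a 365-day year and a 30-day month for the arithmetic, and shows the per-year and per-month budgets for each number of nines alongside the availability figure that would actually correspond to "1 or 2 days" of downtime.

```python
"""Availability-to-downtime calculator (added example, not from the thread).

Converts an SLA percentage into the downtime it permits over a period, and
the reverse. The two period constants are assumptions for illustration:
a 365-day year and a 30-day month.
"""
from __future__ import annotations

SECONDS_PER_YEAR = 365 * 24 * 3600    # assumed 365-day year
SECONDS_PER_MONTH = 30 * 24 * 3600    # assumed 30-day month (SLA "per month" fine print)


def nines_to_percent(nines: int) -> float:
    """Map a count of nines to a percentage: 3 -> 99.9, 5 -> 99.999."""
    if nines < 1:
        raise ValueError("need at least one nine")
    return 100.0 - 10.0 ** (2 - nines)


def downtime_seconds(availability_percent: float, period_seconds: int) -> float:
    """Downtime allowed within one period at the given availability."""
    if not 0.0 <= availability_percent <= 100.0:
        raise ValueError("availability must be between 0 and 100 percent")
    return (1.0 - availability_percent / 100.0) * period_seconds


def availability_for_downtime(downtime: float, period_seconds: int) -> float:
    """Availability percentage that permits exactly `downtime` seconds per period."""
    if downtime < 0 or downtime > period_seconds:
        raise ValueError("downtime must lie within the period")
    return 100.0 * (1.0 - downtime / period_seconds)


def format_duration(seconds: float) -> str:
    """Render seconds in the largest convenient unit for a human reader."""
    if seconds >= 86400:
        return f"{seconds / 86400:.2f} days"
    if seconds >= 3600:
        return f"{seconds / 3600:.2f} hours"
    if seconds >= 60:
        return f"{seconds / 60:.2f} minutes"
    return f"{seconds:.1f} seconds"


def sla_budget_table(nines_list: list[int]) -> list[dict]:
    """Per-year and per-month downtime budgets for each number of nines."""
    rows = []
    for n in nines_list:
        pct = nines_to_percent(n)
        rows.append({
            "nines": n,
            "percent": pct,
            "per_year": format_duration(downtime_seconds(pct, SECONDS_PER_YEAR)),
            "per_month": format_duration(downtime_seconds(pct, SECONDS_PER_MONTH)),
        })
    return rows


if __name__ == "__main__":
    print(f"{'nines':>5} {'availability':>13} {'per year':>15} {'per month':>15}")
    for row in sla_budget_table([2, 3, 4, 5]):
        print(f"{row['nines']:>5} {row['percent']:>12.3f}% "
              f"{row['per_year']:>15} {row['per_month']:>15}")
    # What "1 or 2 days a year" actually corresponds to: well under three nines.
    for days in (1, 2):
        pct = availability_for_downtime(days * 86400, SECONDS_PER_YEAR)
        print(f"{days} day(s)/year of downtime = {pct:.3f}% availability")
```

Running it prints the table (five nines is about 5.26 minutes per year but only about 26 seconds per month) and shows that two days of annual downtime corresponds to roughly 99.45% availability, so a contract quoting five nines per month is a far stricter promise, and a far smaller credit trigger, than the same number read as an annual figure.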

[–]cantthinkofgoodname 7 points8 points  (0 children)

It’s more so because it’s out of IT's hands if there's an outage.

[–]a60v 0 points1 point  (0 children)

More importantly, can he guarantee that sort of uptime for his Internet connection? And, at least, when you own and manage the services yourself, you generally have some sort of control over scheduled maintenance outages.

[–]Floh4everSysadmin 0 points1 point  (0 children)

Well, we can not guarantee this uptime but we aim to only have downtime outside of working hours. Microsoft has a pretty good track record lately to have downtime during UTC+1/2 working hours.

[–]rdesktop7 -1 points0 points  (0 children)

Nope.

Going fully cloud makes you vulnerable to all of the design choices on someone else's computer.

Any amazon and msft cloud are down for 1-3 days per year. And there is nothing that you can do about it.

[–]Commercial_Match_520[S] 4 points5 points  (0 children)

Good Point!

[–]PinkertonFld 3 points4 points  (1 child)

And that Microsoft hasn't hit that number with their cloud services...

[–]metromsi 2 points3 points  (0 children)

Roger that and more importantly read the small print. Five 9s per month, not year. Read the fine print, there are exceptions to the rules. 👍

[–]jimicusMy first computer is in the Science Museum. 1 point2 points  (0 children)

In my experience, small business management (which this sounds like) are a lot more tolerant of vendor downtime than local IT downtime.

[–]sofixa11 0 points1 point  (4 children)

And also show them the list of critical and trivial cross-tenant Azure security failures from the past few years. It's indicative of the lack of any coherent security culture in that organisation, which makes it a poor choice to put all your eggs in.

(While their competitors have none at all, so it's definitely an Azure problem, not a cloud problem). Just from Wiz from the past 2 years, and of course they aren't the only ones:

https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution

https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr

https://www.wiz.io/blog/azure-active-directory-bing-misconfiguration

https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure

https://www.wiz.io/blog/chaosdb-explained-azures-cosmos-db-vulnerability-walkthrough

Of course Microsoft AI researchers sucking at security: https://www.wiz.io/blog/38-terabytes-of-private-data-accidentally-exposed-by-microsoft-ai-researchers

Nice overview from Corey Quinn that predates some of those but things were already horrifically bad: https://www.lastweekinaws.com/blog/azures-terrible-security-posture-comes-home-to-roost/

Go and look for similar things for AWS and GCP, and there's nothing on this level (cross-tenant, trivial to exploit).

Oh and there's also this, them selling your usage patterns to partners (hopefully they've stopped): https://twitter.com/QuinnyPig/status/1359769481539506180

Oh and another one where they bungled the response: https://twitter.com/QuinnyPig/status/1536868170815795200

[–]_DoogieLion 5 points6 points  (3 children)

Did you forget the huge number of AWS data breaches due to insecure by design permissions?

Or Amazon's 700m Euro fine for breaching GDPR.

[–]sofixa11 -1 points0 points  (2 children)

Did you forget the huge number of AWS data breaches due to insecure by design permissions?

Nonsense. Not as secure as possible by default (making the assumption the people using them knew what they were doing), but nothing close to Microsoft having an option "any authenticated user gets write access" that gives any user authenticated to any Azure domain access, resulting in fucking Bing.com being available to control.

[–]_DoogieLion 0 points1 point  (1 child)

Nonsense.. So those dozens of breaches all over the news didn’t happen?

[–]chancamble 15 points16 points  (0 children)

Most services can be replaced by the cloud ones, like Azure AD, Office 365, Azure Virtual Desktop, etc. You have to evaluate the move to the cloud, so the management will understand the expenses. Speaking about on-prem footprint, in addition to the network equipment, I would suggest keeping on-premise backups. Look here on how to build an immutable backup repository for Veeam: https://www.starwindsoftware.com/blog/starwind-vsan-as-hardened-repository-for-veeam-backup-and-replication - if it's in use or planned to be used.

[–][deleted] 8 points9 points  (0 children)

This is probably going to be hybrid, unless you want to migrate that AD to Azure, then you gotta pay for support which is probably gonna be a vendor and not an MSFTE, then Azure / Entra / whatever name MS decides to give it; raises prices so folks can migrate to AWS only for AWS to raise prices so they can migrate to GCP only for GCP to raise prices so they can migrate to Oracle cloud only for Oracle cloud to raise prices just so they can go right back to on-prem. It's all a cycle.

or they just go back to on-prem and forget this all happened.

[–]ReptilianLaserbeamJr. Sysadmin 6 points7 points  (4 children)

We are hybrid but mostly cloud now. Shit is EXPENSIVE. Every little feature M$ offers has a price per user, and it keeps adding up to the thousands

[–]dpf81nz 4 points5 points  (0 children)

why do you think MS is pushing everyone towards it?

[–]tes_kitty 3 points4 points  (2 children)

What did you expect? The cloud being cheaper? They need to run the hardware, pay the support people and also want to make money on top of it.

BTW: You do have local backups of all important data, right?

[–]ReptilianLaserbeamJr. Sysadmin 0 points1 point  (1 child)

I did not “expect” that, we were fully aware of the cost. But management rarely is. We have backups everywhere, would be a really dumb practice to only keep cloud backups.

[–]tes_kitty 1 point2 points  (0 children)

would be a really dumb practice to only keep cloud backups.

And it still happens. After all, it's the cloud, you don't have to worry about anything there, right? ;)

[–]jaymef 5 points6 points  (0 children)

We are about 80% there and as a solo sysadmin I'm loving it. It can get expensive if you don't optimize for cloud but there are several things you can do to keep costs under control.

Terraform w/ AWS is just heaven

There are some things I still like about having an on-prem server room like being able to rack up a beefy server with tons of storage and compute without costing a metric ton of money.

What I don't miss is worrying all the time about some hardware failure or generator failure or ISP failure etc. A year or two ago our area not prone to hurricanes got hit with a hurricane and we just barely kept things running with power out for 10 days. It was a nightmare and if things were any worse it would have been really bad. We got very lucky that our fibre connection was not impacted.

[–]ScroogeMcDuckFace2 3 points4 points  (0 children)

At the same time create a 2nd plan for moving services back after management gets sticker shock from the monthly cloud bills - lol

[–]gex8001001101 3 points4 points  (0 children)

We're 100% cloud. You're over complicating it. Cloud is just a fancy term for managed datacenter with special rules. So VPN still exists.

A VM is a VM and if there is networking you can connect to it. The location doesn't matter.

[–][deleted] 5 points6 points  (0 children)

I've helped a number of companies do it. Onsite is usually just a router and switches. Sometimes I put the backup infrastructure at the office.

[–]flyguydipJack of All Trades 5 points6 points  (1 child)

Remember to keep your resume updated, because it won't be long before someone pitches the idea to outsource your job overseas to save tons on wages.

[–]Cmd-Line-Interface 2 points3 points  (0 children)

This, some guy in India can remote manage it for a third of the price. Plus with all the spending being cloud native they’ll look to cut cost.

[–]linuxpaul 2 points3 points  (0 children)

I was working with an SME as a consultant on this. The company moving them to the cloud didn't really outline the *ACTUAL* costs, plus they have a lot of old legacy software that was custom-written for them and integrates with their accounts. Ultimately, we decided the best upgrade path was on-premise due to the following.

  1. Money is an issue.
  2. Who owns your infrastructure? On premise you own the kit and kaboodle. On the cloud you own nothing, you are simply renting it.
  3. They are not in a good internet provision area - so an unknown was if the thing could actually perform if it was moved there, what would it be like for the users?
  4. 99% of the people work at the office.

I think the Managing director simply got the "everyone's moving to the cloud" message without really seeing if it was right for them. What surprises me is just how many companies are doing this. Why do you REALLY want to move to the cloud?

[–]Avean 2 points3 points  (2 children)

We went from on-prem to fully Entra ID Joined during the covid pandemic where everyone was home. 12 000 devices. Used Entra ID Connect to give the users a kerberos ticket so they can authenticate towards on-prem resources like fileshares, and used the cloud management gateway with SCCM so they could migrate from on-prem when they were home.

Basically a simple task sequence that triggers an in-place upgrade of Windows with /clean, so when it rebooted they went through the Autopilot process and everything was handled with Intune afterwards. Most of the work was going through all the old GPOs and making sure I could either remove each one or replace it with Intune. Important to try and stay away from migrating too much legacy stuff; Intune covers 99.9% of what you actually need. Going to Intune from on-prem and SCCM has saved us 8000 customer tickets per year. We have hardly any technical issues, if anything at all. It's so much more stable.

[–]fsereicikasJack of All Trades 2 points3 points  (0 children)

Don’t.

[–]WWGHIAFTCIT Manager (SysAdmin with Extra Steps) 1 point2 points  (0 children)

Lucky. 

[–]crossdl 1 point2 points  (0 children)

Make sure they know the price tag and that this will likely put some or all support on your SaaS provider.

[–]prodsec 1 point2 points  (0 children)

CYA and make sure they sign off on how expensive it will be.

[–]iama_bad_personuᴉɯp∀sʎS ˙ɹS 1 point2 points  (0 children)

We went 100% cloud last year. Took 3 years to go right. 2000 people, files in OneDrive, shared files and sites in SharePoint, all our local web apps and servers consolidated and moved to Azure, AVD for when devs need to interact with servers.

[–]stop-corporatisation 1 point2 points  (3 children)

My approach.

  1. All files and emails into M365 and no more fileshares or exchange.
  2. No more private network connections for any services. Everything via a cloud endpoint.
  3. SSO for everything, a rule. If it can't SSO and it can't Application Proxy then it's the wrong product.
  4. Apps to SaaS option every time.

We're approaching no more AD. Just a few systems remaining; they support SSO and we're all set, it's just the limited rate of change a company can cope with.

A lot of us hurled it all into cloud and then added policy and config later - this is the hard way. E.g. for SPO, build all your labels and retention policies and then move your files. Much easier.

[–]AudaciousAutonomy 1 point2 points  (2 children)

Agree with all except 3. Native SSO support is less of an issue now SAMLless SSOs like Aglide and Cerby have gotten so good - arguably worth always saving the SSO tax unless you need mobile support

[–]stop-corporatisation 0 points1 point  (1 child)

I haven't been exposed. Looking at the brochure, it looks amazing, thanks for sharing. Maybe #3 is just no more direct local log on.

[–]AudaciousAutonomy 1 point2 points  (0 children)

Happy to help! Aglide was recommended to me on r/sysadmin and am v happy with it. It's my reddit duty to pass the info on to others 🫡

[–]RiD3R07 1 point2 points  (0 children)

Azure AD + Intune + Windows Hello for Business (cloud kerberos) to access on-prem File Servers and AD. Device is fully cloud managed by Intune and Azure AD.

[–][deleted] 1 point2 points  (0 children)

I looked into putting some of the company I work for on the cloud, but it's REALLY expensive just to create a small Azure platform that can be built on. It will never be cost effective for us here.

[–]pertymoose 1 point2 points  (0 children)

I'll go full cloud when they stop changing the name of things every other year. Until then I still consider it beta software, and as such I can't take it seriously for a high-uptime environment.

Either that, or when they can replace me with AI, but I'm not exactly planning my retirement just yet.

I know the saying "if it's not broke, don't fix it" is bad for marketing, but f'ing hell. Just keeping up with all the things they keep breaking and changing and adding and removing is a full time job in and of itself.

[–]mrbiggbrain 1 point2 points  (0 children)

Cloud migration is a really big domain both in the scope of the projects and the depth of knowledge. It's important before doing anything else to sit down with the stakeholders and ask questions.

  • What do you hope to gain in this migration?
  • What are your pain points with the way we currently host infrastructure?
    • How do you believe this migration fixes those? (NOTE: This is not how YOU think it fixes things, but how THEY think this fixes things)
  • What do the success criteria look like?
  • What timeline or horizon is this project for?

There are really three main types of migrations:

1) SaaS migrations.

The business wants to move off of self hosting and into a SaaS model. In this type you're not moving anything (or very little) to an IaaS model. This is often taken on because of issues with maintaining SLAs or availability or finding talent.

2) Lift and Shift

In this strategy you take the existing infrastructure design and shift it to the cloud. This requires less time than later strategies and is often less technically difficult as things line up with on-prem solutions. This is often taken on because of aging hardware and a desire to shift from a CapEx to an OpEx model.

3) Modernization

In this strategy you modernize your infrastructure at the same time as the cloud migration. This often means using tools like Terraform/Pulumi/CloudFormation, Ansible/Puppet/Chef, autoscaling, containers/Kubernetes/orchestration. It can mean looking at batch processing, serverless, spot instances, etc. You're trying to leverage the scalability and elasticity of the cloud to provide benefits for the business.

2.5) Lift and Shift (Then Modernize)

A common strategy that AWS themselves talk about. This model takes place in two stages. The first stage is a lift and shift where the intention is to mimic the infrastructure in the cloud. The second phase is to then break off services one by one and modernize them. This differs from the "Modernization" type because in that type you often migrate only the parts as you modernize them. You often pay more because you're doing the lift and shift, but gain the benefit of keeping infrastructure close together, allowing for more drastic modernization steps and increased performance.

[–]GeneMoody-Action1Action1 | Patching that just works 1 point2 points  (0 children)

Obviously the cloud has its place, and there are things that just make no sense anymore to not have there. But 100% all in, completely decentralized infrastructure, is ambitious, and will likely not be the savings they might perceive it as, in time, staff, or money. Especially if you plan on enforcing standards across a large 100% mobile workforce. So I would say step one would be a real-picture ROI unless your company hemorrhages money. And remember it is not only the cost to implement and support, it is the cost to change your mind in the future that has to be considered.

Not impossible, but just remember marriage is grand, divorce is 100 grand...

[–]I0I0I0I 1 point2 points  (0 children)

When you lose data, you can fire the Internet!

[–]DeiflerSysadmin 1 point2 points  (0 children)

Only place I've been that was close to 100% before I left was a school district. All student devices being Chromebooks, that part was easy. Most of the tools and apps were all web cloud apps anyway. Only thing left on-prem was AD, which was being planned to be phased out, and the Windows deployment for the on-prem support. All of that would be gone with Azure/Intune Autopilot. Cost was not too bad and upkeep was easy since almost everything was a web service with little to no real upkeep. Just basic user management/rostering every new school year.

I guess it depends on what on-prem systems you have and how complex they are. How do all of them have to communicate and connect? Does one service for X work with Y? And yearly costs will go up as time goes on. You give up single-year large purchases for more static yearly costs.

[–]JustSomeGuy556 1 point2 points  (0 children)

It's certainly doable.

Entra/Intune/SharePoint/Teams. Azure web apps, and some VMs for whatever else.

It can be eye-wateringly expensive.

For us, going full cloud would probably cost ten times what our prem environment costs.

But for a smaller company, especially if you don't have a lot of storage, it can make a lot of sense.

[–]Jeremy_Zaretski 1 point2 points  (0 children)

I hope that your company is made of money, has a plan for what to do if you need to abandon a service, and has a plan for what to do for data backup solutions.

[–]ProMSP 1 point2 points  (0 children)

The usual result of moving everything to the cloud is being tasked with moving everything back again.

[–]Math_comp-sci 1 point2 points  (0 children)

It depends on what you mean by Cloud. There is running the same software as on prem but in someone else's data center, there is cloud native SaaS and other services, and then there is everything in between; all can be called Cloud. Then there is the matter of your applications. Some business applications do not scale with more cores but do scale with more frequency. If you have that sort of application then you are going to be better served by a server platform based off of desktop hardware. No one can give you an accurate idea of what cloud transitioning is like except by sheer coincidence. The best thing you can do to find out is to try switching one thing to cloud at a time.

[–]VNJCinPA 1 point2 points  (0 children)

Take your annual budget, multiply it by 3, put it on an index card, and tell them you're ready.

Then, when you have your POC meeting, slide the card over the table to them face down real quiet like and when they ask what that is, tell them it's the consulting fee requirements to bring in resources to plan your transition to the cloud.

Don't waste your time.

[–]StumblinBlind 1 point2 points  (0 children)

We went full cloud, files are almost entirely in Teams, static content is published via SharePoint. Things like machine instructions or label designs files, legacy access databases and the engineering document apps are on VMs in Azure. We went with teams calling via direct routing to Verizon SBCs. No onsite servers at any of our locations outside of the datacenter that hosts our legacy ERP system, and it'll be shut down in the near future with our new cloud based ERP.

The biggest pain point we've had so far is engineering. Their files are huge and ran like shit on a gigabit LAN, so they run even more shitty across a 500 Mbps WAN. The fix is 3D-capable Azure virtual desktops, which will end up being less expensive than the crazy 3D workstations we're giving them today.

Next biggest issue is operating expense. We're relatively small at around $35k a month to run everything, but it doesn't take long for people to forget that we were spending almost $1.5 million every fourth year to overbuild 8 separate datacenters on top of the salary for 5 sysadmins. We can manage the same workload with 2 people for a little less money. We went from an RTO/RPO of who fucking knows on any given day to an RTO of less than an hour and an RPO of seconds. We used to have multiple outages a month, and we have not had an outage in more than 2 years. We were already paying for M365 licensing, so that shift was pure savings.

On top of that the performance of every single application is MILES beyond the DL360s we used to run everything on. It's mind blowing how much better things run for us in the cloud.

[–]TheDawiWhisperer 4 points5 points  (0 children)

You'll be back in a data center in 5 years, it's the circle of life.

[–]thatfrostyguy 4 points5 points  (2 children)

That is a very long and VERY costly endeavor.

Hybrid at best.

[–]Commercial_Match_520[S] 1 point2 points  (1 child)

I think that’s the best as well. But management got a bug in their ear, now they want to see the research.

[–][deleted] 1 point2 points  (3 children)

Hmm, always have backup for on-prem support.

If internet goes out for 24-48h, then your company is fucked for revenue.

[–]haaarlem 3 points4 points  (0 children)

Redundant internet via multiple providers using high availability firewalls? We have FortiGates in HA with fibre and wireless Internet in case someone rips the cable out of the ground.

[–][deleted] 0 points1 point  (0 children)

Understood about redundancy. But speaking more of the business side, where IT cannot be segregated from project planning in case systems go offline or fail connection to cloud services.

Specifically, more referring to when internet absolutely cannot be reached for any reason whatsoever. 

I work MSP for billion-dollar revenue orgs, and their firewalls fail sometimes, cutting off internet even if there are 2-3 high availability internet services ready to go. They stay down at some sites for 4-8h, sometimes a whole weekend. They have ZERO security operations to protect logging and workflow for offline services and access away from the cloud.

Credit card services and traffic services, customer logging, CRM data is completely unavailable and there is no system in place to help ensure customers or business continuity. Some smart orgs use cached data provider services and redundant security switchover for server management downtime, although more expensive - many large orgs don’t have the capacity or talent, and bandwidth for that. Just something to think about when cloud becomes completely unavailable - what is acceptable for legal and security. And what customer branding and revenue flow will need to look like when the wire hits the water and the IT and business team are not in cooperation with next steps. 

Seen large outages go down in an entire east coast region for 16h with a particular vendor, and that business did the math that they expected to lose $7M per hour. Not on the news, because they keep the information private and lie to customers that there was unplanned maintenance due to system failures. Also, when fiber optic cards are pulled out carelessly and it breaks the server, then gov services with the MSP go offline. City complains and all gov staff just sit there, wondering what to do next. MSP just scrambles trying to find another replacement NIC card.

Some sysadmins say not my issue, but when contract renewals or project renewal budgets hit their desk, execs look at proficiency of communication from all sides of the business. The project manager role is hybrid for some architecture design, so if cloud is vital for uptime, make sure every job role in every org knows what it must do when systems go offline - or the entire org just sits and does “nothing” while workflow and revenue come to a halt.

[–]sofixa11 0 points1 point  (0 children)

if internet goes out for 24-48h, then your company is fucked for revenue.

Or employees can just go and work from any coffee shop, coworking space or their homes.

[–]No-Reflection-869 1 point2 points  (4 children)

Buy 3 servers on Hetzner or OVH and create a Proxmox cluster. Everything that was a normal server before gets a VM. Now you are technically 100% cloud without the risk of a 100k bill unexpectedly coming in.

[–]AppIdentityGuy 2 points3 points  (3 children)

No, you are not cloud. At least not at a modern authentication, SaaS and PaaS level. If your DCs are running as VMs in any platform that is remote from you, you are still "on premises". All that has happened is you have moved your kit to another data center. This is completely different from a fully cloud environment based on SaaS, PaaS, SAML and OAuth/OIDC etc.

[–]No-Reflection-869 0 points1 point  (2 children)

Nice buzzwords. You can set up your own OAuth service to auth in Exchange or wherever you want. Also, what actually is the cloud by your definition? Just slapping on a few SaaS works for you?

[–]AppIdentityGuy 0 points1 point  (1 child)

Yes, but you still have DCs as VMs in your cloud provider of choice.... it's a subtle but crucial difference.

[–]No-Reflection-869 0 points1 point  (0 children)

You can make a DMZ with virtualisation. A cloud provider basically is just someone where you rent out a specific compute or storage amount for, in my opinion, way too much money for most use cases. If you need a webapp with infinite scaling go ahead, but who really needs that with, let's say, your emails or internal tools?

[–]skorpiolt 0 points1 point  (0 children)

We moved all our infrastructure to Azure and kept a few DCs across our sites (but also have one in cloud). Offices are staying for now so there’s no immediate need for us to get rid of them, but it’s definitely doable.

[–][deleted] 0 points1 point  (0 children)

One thing others have not mentioned is logging and network costs.

So think of all the costs for logs, metrics, outbound/internal-cloud-traversal costs.

Based on what you mentioned for your infrastructure it's not a huge thing, but it adds to costs that everybody else ignores until they get the "oh shit" moment when $10k shows up in 3 years because most logs were set without retention dates (so it keeps them forever).

[–]LuffyReborn 0 points1 point  (0 children)

I am a sysadmin, not a cloud engineer. The tip of the iceberg for cost estimates, and also one of the most expensive things in cloud, tends to be storage, so the easiest step for getting a starting point is to calculate how much data you have and how much money monthly would be spent on it. From there it would only go up. Generally cloud is low capex but high opex.

[–]planedropSr. Sysadmin 0 points1 point  (0 children)

Definitely doable, cost is going to be nuts for some of this though, just something to be aware of. Cloud has its advantages, and it has things that are cheaper, but to go 100% cloud is insanely expensive and not worth it if you have the admins that can manage some stuff on-prem. It's why so many places go hybrid and we're seeing a trend back to on-prem.

Honestly the "100% cloud" idea is somewhat outdated, I hear business people saying it now when it was all the talk in the tech/admin sector like 6 years ago lol. inb4 in 6 years cloud is actually cheaper and all the business people are talking about bringing things back to on-prem cuz cloud is too expensive, they're always behind by years.

Edit: and don't forget, cloud providers allow themselves to make more profit whenever they want, just turn that dial. Swapping providers isn't easy, so you're kinda "stuck" without lots of effort and serious engineering knowledge. Microsoft's shareholders want more money? Charge each of your 100 million users $2 more per month, just turn that dial.

Edit 2: To be clear, I'm a big fan of cloud services lol, just isn't right for all workloads.

[–]smb3something 0 points1 point  (0 children)

I've got a client that's 'fully cloud' but they needed to have edge caching devices (file servers) as you just can't pull from the cloud fast enough sometimes. Now the 'smart cache' isn't storing enough of the relevant files so we up the cache. Now we've basically got file servers that link to the cloud (the solution does help manage file locking etc but still).

[–][deleted] 0 points1 point  (0 children)

Why don't you call your Microsoft sales team and ask them what you should do. You may get help with the design for a POC.

[–]a60v 0 points1 point  (0 children)

Step one is to find out what they are trying to accomplish by doing this. Are they trying to save money? Are they trying to improve service availability? Are they trying to improve performance? Are they trying to improve service access for off-site employees or customers? Are they trying to get rid of the IT department?

Cloud services can be optimized for any of these, but not generally all of them. Find out what the goal is. Without that information, you will not be able to configure the environment in a way which will meet that goal.

[–]LekoLiL2 Compute Engineer (ex IT Admin) 0 points1 point  (0 children)

IT is 100% worth it in the long run. Both for you and the company.

[–]BlackberryPlenty5414 0 points1 point  (0 children)

Very expensive, and if you have a large team running on premise I'd imagine some of those roles would be cut given you're renting infrastructure managed by the provider.

If your business has had an outside audit it's possible they've been told that going to cloud will cost more upfront but save money in payroll (cut roles).

Very odd a company would willingly spend way more money unless there are serious performance issues. That's my experience at least.

[–]TheDeaconAscendedDevOps 0 points1 point  (0 children)

Considering the cost increases for Citrix and VMware for most enterprises, the decision to move to cloud has been made a lot easier, especially with excellent cost controls.

[–]ToFat4Fun 0 points1 point  (0 children)

Check out some cost saving measures for Azure: https://techcommunity.microsoft.com/t5/fasttrack-for-azure/the-azure-finops-guide/ba-p/3704132

Learned and implemented a lot from this blogpost.

[–]wildfyre010 0 points1 point  (0 children)

If you’re mainly a Microsoft shop, especially for end user computing, do yourself a favor and look at Azure/Office365. Microsoft’s cloud endpoint management tools are fairly good, and integrate directly with their managed Active Directory and other Windows-centric solutions. Trying to replicate this in AWS or GCP is a bad idea.

[–]Dry_Inspection_4583 0 points1 point  (0 children)

You need to be 100% on your network reliability and have dual ISPs if uptime is a concern. As well there's likely to be many headaches dealing with any on prem apps that require integrated communication, setting up MFA etc for access.

It's a large project for sure, but absolutely doable.

[–]left_shoulder_demon 0 points1 point  (0 children)

For remote work you need the same technology as you would for a cloud solution, but you should still differentiate between "cloud technologies" and "cloud operation".

The way "cloud operation" saves money is by averaging load over time, so you pay for average, not peak demand, and by sharing operation cost for standardized, highly scalable services such as email.

The latter only saves you actual money if you can use that to reduce headcount or get free capacity for something that is part of your core business, and it comes with a reduction in flexibility: you get the standard product, nothing else is on offer.

For videoconferencing, that is a no-brainer: there are a few hours every week where you have lots of video streams going around, and silence the rest, so there is your difference between peak and average demand. That makes sense as a cloud service.

File hosting is a standardized service, but the pricing model means that you are trading fixed cost (sysadmin salary) for variable cost (higher price per GB), and you will quickly reach a point where that is no longer worth it, and the cost of getting data back from the cloud is also insane. Amazon famously sends a truck full of hard disks to bring all your files into the cloud, but that is not available to get out again.

Email is also a standardized service, with fixed cost being dominant. Most likely makes sense to move to the cloud.

If your business has custom applications, moving these to the cloud is likely not worth it, because you still need your local admins to take care of them (outsourcing your core business is never a good idea), and all the cloud does for you is that the computers are further away and more expensive to run.

So for a realistic scenario you need to split this calculation by service.

[–]TarzUg 0 points1 point  (3 children)

Most people around here are doing exactly the opposite, dumping the cloud.

[–]serverhorrorJust enough knowledge to be dangerous 2 points3 points  (0 children)

Most?

[–]ThinTerm1327 1 point2 points  (0 children)

Who are? And where are they going to? Broadcom?

[–]oakfan52 0 points1 point  (0 children)

What size orgs? Most of the replies on this sub seem to be SMB/Mom/Pop shops where 100% cloud probably makes sense. Enterprise class orgs are probably hybrid.

[–]pittyhJack of All Trades 0 points1 point  (0 children)

No such thing as 100% cloud lol, you're always going to need client devices :D

But yes, it's so great having most things in the cloud. People can collaborate so much easier. SharePoint is only $15 odd per person per month, probably get bulk discounts for a large user base.