Monday, October 18, 2021

 This is a continuation of an article that describes operational considerations for hosting solutions on Azure public cloud.

1.       When an IPsec site-to-site VPN or ExpressRoute private peering is used, the network configuration for the self-hosted integration runtime differs. With a site-to-site VPN, the command channel and the data channel from the self-hosted integration runtime cross the Azure virtual network to reach the Data Factory service and the Azure managed storage services respectively. With private peering, the data channel stays entirely within the Azure virtual network in which the self-hosted integration runtime runs.

2.       Windows Firewall runs as a service on the local machine on which the self-hosted integration runtime is installed. The outbound port and domain requirements published for corporate firewalls describe the corporate perimeter; they are not the rules for the machine that hosts the self-hosted integration runtime. On that machine, outbound TCP port 443 must be open so the self-hosted integration runtime can make its HTTPS connections to the internet, and inbound TCP port 8060 must be opened only at the machine level (in Windows Firewall, never on the corporate firewall). On the data store side, IP firewall configurations and allow lists can be set up so that only the addresses of the integration runtime are accepted.

3.       Multi-region clusters increase resiliency. This architecture builds on the AKS baseline architecture, where Azure AD pod identity, ingress and egress restrictions, resource limits and other secure AKS infrastructure configurations are described. Each cluster is deployed in a separate Azure region and traffic is distributed across all regions; if one region becomes unavailable, traffic is routed to the healthy region closest to the user who issued the request. A regional hub-spoke network pair is deployed for each regional AKS instance. Azure Firewall Manager is used to manage the firewall policies across all regions. Azure Front Door is used to load balance and route traffic to the regional Azure Application Gateway instance designated for each AKS cluster. A single Azure Container Registry is shared by all the clusters.

4.       Multitenant SaaS is excellent for running solutions that can be unbranded and marketed to other businesses. It adds an entirely new revenue stream for a company. But the operational aspects of running such a service are very different from those of a single web application. The architecture for hosting it involves creating multiple resource groups. All users access resources through Azure Front Door, which integrates with both Azure DNS and Azure Active Directory. In each resource group, an application gateway routes traffic to multiple app services, all of which run on a layer of Azure Kubernetes Service.

5.       It is always good to spot check an AKS cluster against the current recommended Azure best practices. For example, the AKS baseline cluster architecture brings the best in terms of availability and protection. In addition, AKS workloads can be managed effectively by setting proper resource requests and imposing limits on them. Bounding the scale-out of containers and using proxies, load balancers and ingress controllers also contribute to the best practices.

6.       High availability can be improved with availability zones, using an architecture that spreads redundant resources across zones to provide high resilience. Most of the resources are actively used because they serve requests. Some backend services or stores, such as the relational store, may hold a redundant copy that is used only when the active one fails. Availability zones matter most for IaaS resources, which is critical when web applications are hosted on virtual machines rather than on managed instances in the cloud. Zonal and zone-redundant deployments are therefore especially useful on the Azure public cloud.

7.       Identity is a necessary investment for any software application and service hosted in the public cloud. The right choices can endear the software to its users. Seamless integration and SSO enable applications and services to work together with the same notion of user. Creating a separate Active Directory domain in Azure that is trusted by the domains in the on-premises AD forest is a significant step in this direction.
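The Windows Firewall settings described in item 2 above, as an added example (not from the original post): an elevated PowerShell session on the host of the self-hosted integration runtime, using the built-in NetSecurity cmdlets. The install path of the runtime service binary and the use of the local subnet as the only permitted 8060 source are assumptions; the `download.microsoft.com` connectivity check is one fixed public name the runtime downloads from, and the relay endpoints are wildcard domains you must test with the host names of your own factory.

```powershell
# Added example, not from the original post. Windows Firewall rules on the
# machine that hosts the self-hosted integration runtime (run elevated).

# Outbound HTTPS is the only traffic the runtime needs to initiate. Scoping the
# rule to the service binary keeps other processes from inheriting the allowance
# if the outbound default action is ever set to Block.
# ASSUMPTION: default install path and service binary name of the 5.x runtime.
$irBinary = 'C:\Program Files\Microsoft Integration Runtime\5.0\Shared\diahost.exe'

New-NetFirewallRule -DisplayName 'SHIR outbound HTTPS' `
    -Direction Outbound -Protocol TCP -RemotePort 443 `
    -Program $irBinary -Action Allow -Profile Domain,Private

# Port 8060 is opened inbound only on this machine, never on the corporate
# perimeter. ASSUMPTION: only peers on the local subnet need to reach it.
New-NetFirewallRule -DisplayName 'SHIR inbound 8060 (machine level)' `
    -Direction Inbound -Protocol TCP -LocalPort 8060 `
    -RemoteAddress LocalSubnet -Action Allow -Profile Domain,Private

# Verify what was created, together with the port filter of each rule.
Get-NetFirewallRule -DisplayName 'SHIR*' |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Direction  = $_.Direction
            Enabled    = $_.Enabled
            LocalPort  = $port.LocalPort
            RemotePort = $port.RemotePort
        }
    } | Format-Table -AutoSize

# Confirm the corporate firewall actually lets this host out on 443. This tests
# one fixed public name; repeat with the *.servicebus.windows.net and
# *.frontend.clouddatahub.net hosts your factory is assigned.
Test-NetConnection -ComputerName 'download.microsoft.com' -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

If `TcpTestSucceeded` is `False` while the local rules are in place, the block is at the corporate perimeter, which is exactly the boundary the published port and domain list is meant for.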

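The spot check suggested in item 5 above, applied to the egress, scaling and zone settings from items 3 and 6, as an added example (not from the original post): a PowerShell function that inspects a cluster object and lists the baseline settings it does not meet. The function takes the cluster as a parameter so it can run offline against a constructed sample; for a live cluster, pass the output of `Get-AzAksCluster` from the Az.Aks module. It is an assumption that the property names match the ManagedCluster resource schema as that module exposes it (`AgentPoolProfiles`, `NetworkProfile`, `ApiServerAccessProfile`, `AadProfile`); confirm with `Get-Member` on your module version. The sample cluster and its values are constructed for the example.

```powershell
# Added example, not from the original post: spot-check an AKS cluster object
# against a few baseline settings. ASSUMPTION: property names follow the
# ManagedCluster schema as exposed by Az.Aks (check with $cluster | Get-Member).

function Test-AksBaseline {
    param([Parameter(Mandatory)] $Cluster)

    $findings = [System.Collections.Generic.List[string]]::new()

    foreach ($pool in $Cluster.AgentPoolProfiles) {
        # Item 6: every node pool should span more than one availability zone.
        if (-not $pool.AvailabilityZones -or $pool.AvailabilityZones.Count -lt 2) {
            $findings.Add("node pool '$($pool.Name)' is not zone-redundant")
        }
        # Item 5: bound the scale-out so a runaway workload cannot grow without limit.
        if (-not $pool.EnableAutoScaling -or -not $pool.MaxCount) {
            $findings.Add("node pool '$($pool.Name)' has no autoscaler upper bound")
        }
    }

    # Item 3: egress should leave through the hub firewall (user-defined routing)
    # and pod-to-pod traffic should be governed by a network policy engine.
    if ($Cluster.NetworkProfile.OutboundType -ne 'userDefinedRouting') {
        $findings.Add("outbound type is '$($Cluster.NetworkProfile.OutboundType)', not userDefinedRouting")
    }
    if (-not $Cluster.NetworkProfile.NetworkPolicy) {
        $findings.Add('no network policy engine enabled')
    }

    # Control plane exposure: private API server, or at least an authorized IP list.
    $api = $Cluster.ApiServerAccessProfile
    if (-not $api.EnablePrivateCluster -and -not $api.AuthorizedIPRanges) {
        $findings.Add('API server is public with no authorized IP ranges')
    }

    # Identity: Kubernetes RBAC backed by Azure AD.
    if (-not $Cluster.EnableRBAC) { $findings.Add('Kubernetes RBAC disabled') }
    if (-not $Cluster.AadProfile -or -not $Cluster.AadProfile.Managed) {
        $findings.Add('Azure AD integration not enabled')
    }

    return $findings
}

# Constructed sample (not a real deployment) with two deliberate gaps:
# a single-zone user pool and a public API server with no allow list.
$sample = [pscustomobject]@{
    Name                   = 'aks-eastus2-01'
    Location               = 'eastus2'
    EnableRBAC             = $true
    AadProfile             = [pscustomobject]@{ Managed = $true }
    NetworkProfile         = [pscustomobject]@{ NetworkPlugin = 'azure'; NetworkPolicy = 'azure'; OutboundType = 'userDefinedRouting' }
    ApiServerAccessProfile = [pscustomobject]@{ EnablePrivateCluster = $false; AuthorizedIPRanges = @() }
    AgentPoolProfiles      = @(
        [pscustomobject]@{ Name = 'system'; AvailabilityZones = @('1','2','3'); EnableAutoScaling = $true; MaxCount = 5 }
        [pscustomobject]@{ Name = 'user';   AvailabilityZones = @('1');         EnableAutoScaling = $true; MaxCount = 20 }
    )
}

$findings = Test-AksBaseline -Cluster $sample
if ($findings.Count -eq 0) { 'no findings' } else { $findings }

# Against a live cluster (resource group and cluster names are placeholders):
# Test-AksBaseline -Cluster (Get-AzAksCluster -ResourceGroupName 'rg-aks' -Name 'aks-eastus2-01')
```

On the constructed sample this reports the single-zone `user` pool and the public API server; running it over every regional cluster of a multi-region deployment is a quick way to confirm the clusters were not configured differently from one another.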
