- Posted by Vladimir Stefanovic
- On July 23, 2020
- assessment process, azure, Azure IaaS, infrastructure audit
Client industry: healthcare
Goal: to perform infrastructure audit and provide actionable recommendations
Campaign Period: 1 day
Scope of work: Azure infrastructure audit and recommendation
Results: Potential 50% cost reduction on specific instances; 37% overall Azure cost reduction
Over the last several months, we’ve been receiving many client requests for Azure infrastructure audits (or assessments). Some focused on future implementation and security, others on performance. A few weeks ago, we received an interesting client request for a security assessment of their Azure infrastructure. The client, a software and mobile app development company, made a mobile app for a US-based health institution. The developers deployed the mobile application to Azure using PaaS services. They followed official documentation for most of the configurations during the deployment process.
Still, at the end of the project, they wanted professionals to assess their deployment resources, as well as perform an audit of the complete infrastructure.
Due to the nature of their core business, security assessment was our priority, but all other configurations were also part of our assessment. The client’s infrastructure is implemented using App Services and Azure Database for MySQL. These two services are the core of the application, but Azure Cache for Redis and Application Insights were implemented as well.
The General Process of Infrastructure Audit/Assessment
The first step is a detailed introduction call with the client. During the call, we strive to gather as much information as possible. The client shares infrastructure diagrams and documentation with us (if they have them), which speeds up the assessment process. In most cases, we need access to the infrastructure so we can properly analyze the resources in use and estimate how long the assessment will take and what it will cost.
The second phase is the assessment itself, and it begins once we have agreed on the scope of the project with the client. Our dedicated engineers start by analyzing every aspect of the client’s infrastructure. As mentioned earlier, if the client has a specific focus in mind, such as security or cost reduction, we concentrate on that particular aspect. Still, all other aspects are included in the assessment process as well.
The third and final phase is the deliverables. In that step, we provide an assessment report to the client with the following details:
- How infrastructure is configured and inter-connected
- How security is implemented on configured infrastructure
- Resource performance analysis
- Recommendations for the "must-have" improvements
- Recommendations for the optional improvements
- Potential cost savings (if applicable)
The Client’s Infrastructure Audit/Assessment Process
As mentioned earlier, due to the nature of the client’s business, security was the most crucial aspect of their infrastructure audit. During the assessment, we found that their infrastructure was configured well, considering that it was their first Azure project and that it had been done by a development company.
However, we found some mistakes that are very common with this infrastructure type. The firewall configuration on the Azure Database for MySQL (which they had implemented as the core of the database layer) had many IP addresses on the "allow list."
They had set the "Allow access to Azure services" option to YES, which is typical when App Service is implemented along with Azure Databases. That option is not best practice, as it allows all Azure services to access Azure Databases, regardless of the Azure tenant. Based on that fact, the most important recommendation is to implement a Service Endpoint or Private Link to secure the communication between applications and databases.
This type of implementation is possible only if the resource that needs to communicate with the database can be part of a virtual network. App Service, the service they use to host applications, can integrate with a virtual network, so they are ready to implement one of the most significant changes. When we talk about App Services, it is essential to know that some of the default configurations, such as HTTPS Only set to NO, should be changed if the application supports that. In their case, several applications were set to NO, which we changed to YES. Also, logging for all applications, as well as Application Insights, should be enabled. Although that does not increase security, it can be beneficial for troubleshooting at the application level.
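The firewall and HTTPS Only findings described above can be checked against exported configuration. The following is an added example, not tooling from the original audit: it assumes the JSON shape produced by `az mysql server firewall-rule list` and `az webapp list`, and the sample data and the range-size threshold are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample data in the shape returned by
# `az mysql server firewall-rule list` and `az webapp list` (values are made up).
FIREWALL_RULES_JSON = """[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "dev-range", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.100.255"},
  {"name": "everything", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}
]"""
WEBAPPS_JSON = """[
  {"name": "api-prod", "httpsOnly": true},
  {"name": "admin-portal", "httpsOnly": false}
]"""

MAX_RANGE_SIZE = 16  # assumed review threshold, not an Azure limit


def audit_firewall(rules, max_range=MAX_RANGE_SIZE):
    """Return (rule name, finding) pairs for risky MySQL firewall rules."""
    findings = []
    for rule in rules:
        start = ipaddress.IPv4Address(rule["startIpAddress"])
        end = ipaddress.IPv4Address(rule["endIpAddress"])
        size = int(end) - int(start) + 1
        if int(start) == 0 and int(end) == 0:
            # "Allow access to Azure services" is stored as the range 0.0.0.0-0.0.0.0
            findings.append((rule["name"], "allow-azure-services"))
        elif size > max_range:
            findings.append((rule["name"], f"wide-range:{size}"))
    return findings


def audit_https_only(apps):
    """Return names of App Service apps that still accept plain HTTP."""
    return [app["name"] for app in apps if not app.get("httpsOnly", False)]


if __name__ == "__main__":
    for name, finding in audit_firewall(json.loads(FIREWALL_RULES_JSON)):
        print(f"mysql firewall rule {name}: {finding}")
    for name in audit_https_only(json.loads(WEBAPPS_JSON)):
        print(f"app service {name}: HTTPS Only is off")
```

The check keys on the address range rather than the rule name, so it still flags the Azure-services rule if it was created under a different name.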
In this case, the performance and cost analyses were interconnected. We analyzed the performance metrics for the last 30 days for the App Services and the Azure Database for MySQL and found that half of the resources are ideal candidates for downscaling of Azure instances.
App Service CPU Usage:
App Service RAM Usage:
Azure Database for MySQL Connection, Memory and Storage Usage:
The Potential Results of Azure Infrastructure Audit
Based on this analysis of the performance metrics, cost reduction is possible: the client could cut costs by 50% on these specific instances and reduce their overall Azure costs by 37%, from $2230 to $1400.
Regardless of the size and type of a company, performing a proper infrastructure audit offers critical insights into:
- the overall state and performance of the computing system
- its functionality
- potential security risks
- potential cost reduction
The main goal of an infrastructure audit is to track down and identify inaccuracies and inefficiencies that may be hidden within a company’s management and use of its IT systems. This type of assessment can identify potential risks in an entity, assess these risks via advanced design controls, and thereby provide the client with appropriate solutions to reduce costs, secure sensitive and valuable data, and improve the overall performance of their infrastructure.