{"id":9233,"date":"2024-12-22T10:06:17","date_gmt":"2024-12-22T18:06:17","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=9233"},"modified":"2025-02-04T20:44:59","modified_gmt":"2025-02-05T04:44:59","slug":"microsofts-cloud-centric-architecture-transformation","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/","title":{"rendered":"Microsoft&#8217;s cloud-centric architecture transformation"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"112\" class=\"size-medium wp-image-7498 alignright\" style=\"margin-top: 0px;\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/ms-digital-technical-stories-300x112.png\" alt=\"Microsoft Digital technical stories\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/ms-digital-technical-stories-300x112.png 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/ms-digital-technical-stories.png 500w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><em>[Editor\u2019s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we\u2019re republishing it here so you can see what our thinking and experience was like at the time.]<\/em><\/p>\n<p>Here at Microsoft, we\u2019re building our\u00a0systems in the cloud to be agile, resilient, cost effective, and scalable\u2014this allows us to be proactive and innovative as we transform our IT and business operations. Microsoft Azure\u00a0resides\u00a0at the core of our architecture, and we\u2019re using the platform to automate our processes, unify our tools, and improve our engineering productivity. We\u2019re working toward a process driven by user experience, which changes the way we provision and manage our IT infrastructure.<\/p>\n<p>For us, Microsoft Digital, the organization that powers, protects, and transforms the company, a modern cloud-centric architecture is foundational to our digital transformation. To fuel that transformation, we\u2019re building integrated, reliable systems, instrumented for telemetry, to gather data and enable experimentation. To learn more about how we\u2019re transforming, refer to <a href=\"\/en-us\/itshowcase\/inside-the-transformation-of-it-and-operations-at-microsoft\">Inside the transformation of IT and operations at Microsoft<\/a>.<\/p>\n<h2>Building a foundation for digital transformation<\/h2>\n<p>Microsoft Azure is now the default platform that our IT infrastructure is built upon. Several years ago, Microsoft Digital created a vision for moving from on-premises datacenters to Azure as the \u201cfirst and best customer\u201d of our cloud services. We examined our infrastructure to understand usage practices and how we could best support application teams via Azure subscriptions and connectivity options. We reviewed on-premises datacenter assets and developed schedules to migrate or retire the assets and to close multiple datacenters.<\/p>\n<p>Our leadership established plans at the strategic level to move applications, which trickled down to individual cloud migration and adoption plans for each part of the organization. Our cloud-centric approach thus created a functional and flexible platform for our services and processes.<\/p>\n<p>We\u2019re using Microsoft Azure to enable a self-service model for users of the platform\u2014providing robust telemetry and reporting capabilities via Microsoft Azure Monitor and Application Insights and using Microsoft Azure ExpressRoute to facilitate enterprise-level connectivity to the cloud from our facilities and networks.<\/p>\n<h2>Establishing a vision for cloud-centric architecture<\/h2>\n<p>We\u2019ve moved more than 93 percent of our on-premises infrastructure to the cloud, and we\u2019re assessing our strategic initiatives around our cloud efforts. We\u2019ve fulfilled our goal of moving out of the datacenter. However, many services moved from virtual machines (VMs) running in a datacenter to infrastructure as a service (IaaS) VMs running in Microsoft Azure with very little change to those services. We thus recognize the opportunity to further optimize our presence in the cloud by creating more-refined and targeted strategic initiatives both for the company itself and as examples for external customers.<\/p>\n<p>We need to modernize our application and service portfolio to take advantage of capabilities that were previously unattainable because of datacenter and support constraints. We need to examine how we manage our data and work toward a strategy that separates data from compute resources. We need to examine open-source big data platforms, event processing, other modern services that we can more effectively scale. Policies should enforce required controls for all configurations to improve safety regardless of the network involved. We also need to continue embracing modern engineering practices and pipelines and Microsoft Azure DevOps methods of managing services. We\u2019re capturing the transformation of cloud-centric architecture in the following investment areas:<\/p>\n<ul class=\"c-list\">\n<li>Transitioning from on-premises\u00a0to\u00a0cloud offerings to enable dynamic elastic compute, georedundancy, a unified data strategy (that uses Microsoft Azure\u00a0Data\u00a0Lake), and flexible software-defined infrastructures.<\/li>\n<li>Moving to cloud-centered IT operations, including automation for provisioning, patching, monitoring, and backing up our cloud and on-premises\u00a0environments through Microsoft Azure-based\u00a0offerings. In this way, software engineers can manage their Microsoft Azure DevOps environments with a minimal number of manual operations.<\/li>\n<li>Facilitating continued company growth and the improvement of our platform services while staying flat on the running cost of our services.<\/li>\n<li>Developing deeper and richer insights into our service reliability\u00a0via the standardization of monitoring solutions\u00a0through Application\u00a0Insights,\u00a0incident-management tooling, and automatic alerting. At the same time, we\u2019re\u00a0increasingly modeling our critical business processes and\u00a0helping\u00a0ensure\u00a0end-to-end integrity through\u00a0the\u00a0monitoring\u00a0and\u00a0alerting of complex processes spanning multiple systems.<\/li>\n<li>Supplying a powerful feedback loop to our product-group partners (such as\u00a0those for\u00a0Azure,\u00a0Microsoft\u00a0Dynamics\u00a0365,\u00a0and\u00a0Windows) to showcase Microsoft running on Microsoft.\u00a0This is resulting in an improved\u00a0enterprise-customer experience, including running one of the largest SAP instances entirely\u00a0on Microsoft Azure and helping\u00a0ensure that\u00a0Azure\u00a0is\u00a0SAP-ready for our customers.<\/li>\n<\/ul>\n<h3>Designing for the future<\/h3>\n<p>As our services move to these modern designs, our architectures need to evolve. We need to build our solutions to adopt the advantages of Azure and to adapt as those advantages change and grow. We need to clearly understand that Zero Trust efforts will change how users access our solutions. Our network postures and zonal controls need to adapt as well. \u201cInternet first\u201d should be the goal of all solutions. We need to implement the governance of all corporate resources\u2014regardless of their network environments\u2014and recognize that user identity and data are the critical resources to keep under the proper controls. Through this continued transition to a more cloud-centric architecture, we need to remain cost effective and create clear guidance on how to transform from VMs and on-premises solutions to modern solutions.<\/p>\n<h2>Enabling the cloud-centric architecture<\/h2>\n<p>Deploying workloads to the cloud introduces the need to develop and maintain trust in the cloud to the same degree that we have in our existing datacenters. In this model, we can apply isolation policies to help achieve the required levels of security and trust. To use the cloud as our trusted platform for our new cloud-centric architecture, we need to invest in plans for multiple areas:<\/p>\n<ul class=\"c-list\">\n<li>Administering the Microsoft Azure fabric<\/li>\n<li>Using Infrastructure as Code (IaC)and Microsoft Azure DevOps<\/li>\n<li>Using identity management and governance<\/li>\n<li>Using modern apps and data solutions<\/li>\n<li>Using modern networks<\/li>\n<\/ul>\n<p>The following sections detail the specific investments that combine to fulfill these requirements.<\/p>\n<h3>Administering the Microsoft Azure fabric<\/h3>\n<figure id=\"attachment_12720\" aria-describedby=\"caption-attachment-12720\" style=\"width: 640px\" class=\"wp-caption alignright\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-12720 size-large\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/8801-SME1-1024x576.jpg\" alt=\"A Microsoft employee smiles as he stands outside of a Microsoft office with a cup of coffee in his hand.\" width=\"640\" height=\"360\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/8801-SME1-1024x576.jpg 1024w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/8801-SME1-300x169.jpg 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/8801-SME1-768x432.jpg 768w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/8801-SME1-1000x562.jpg 1000w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/8801-SME1.jpg 1040w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><figcaption id=\"caption-attachment-12720\" class=\"wp-caption-text\">A modern cloud-centric architecture is foundational to our digital transformation, we\u2019re building integrated, reliable systems,\u202finstrumented for telemetry,\u202fto gather data and enable experimentation.<\/figcaption><\/figure>\n<p>The Microsoft Azure fabric is a collection of programming interfaces that allows application engineering to interact with the underlying services and infrastructure. On one end of the spectrum is an application engineer connecting to the fabric and running a script to provision a VM. On the other end of the spectrum is automation connecting to the fabric, pushing data into a service, merging this data with external data sources, performing an analysis, and then publishing this data to a user interface for consumption.<\/p>\n<p>The role of the IT infrastructure provider will be to supply security-enhanced, flexible, and reliable hosting in our corporate fabric for applications and data (whether in our private or our public cloud). From the perspective of an application engineering team, provisioning infrastructure will appear a lot like updating templates and running scripts that land code and data in VMs; in containers; or in purpose-built, platform as a service (PaaS) solutions, like Microsoft Azure SQL Database. The role of the core hosting provider will be to present a flexible, reliable, and safer fabric to these teams for interaction with their templates and scripts.<\/p>\n<p>The role of the infrastructure team will be to enable frictionless and security-enhanced access to a fabric of APIs. A subscription will enable access to the scope of computing capacity that the subscriber can use. Subscriptions will connect to on-premises environments for hybrid scenarios, to added subscriptions for scaling out, and to third-party services for specialized processing. Our infrastructure team will need to do all of this in a security-enhanced manner, use standardized methods and building blocks, and maintain fiscal effectiveness. The team will need to conduct these interactions in a way that Microsoft deems appropriate.<\/p>\n<p>The role of the fabric administrator will be to provision this fabric through subscriptions and to help ensure that each subscription has the required capacity and connectivity to meet the demands of the application in a security-enhanced and fiscally responsible manner. The fabric administrator will:<\/p>\n<ul class=\"c-list\">\n<li>Build subscriptions and help ensure that enough capacity exists to accommodate the demands of each application.<\/li>\n<li>Connect subscriptions to our corporate network zones where appropriate and help ensure that the required connectivity exists for the application to adequately perform and to reliably and securely communicate with integration points.<\/li>\n<li>Help ensure that our corporate standards for configuration and security are applied to the subscription.<\/li>\n<li>Work to continuously grow and expand our fabric. That is, we in Microsoft Digital will continuously release new capabilities and expand our cloud presence.<\/li>\n<li>Continuously monitor and troubleshoot fabric-related issues.<\/li>\n<\/ul>\n<p>In many ways, our IT organization will function like a managed service provider or Azure service broker. The Microsoft Azure product group recognizes that a necessary gap exists between corporate application engineering and Azure services. We refer to this addressable gap as the corporate context. The <em>corporate context<\/em> consists of the specific company\u2019s policies, standards, identity scenarios, and network connectivity scenarios. It\u2019s the role of the service broker or fabric administrator to apply the corporate context to the fabric to enable loosely moderated consumption by application engineering teams.<\/p>\n<h3>Using IaC and Microsoft Azure DevOps<\/h3>\n<p>Within the IaC and Microsoft Azure DevOps area, we\u2019re building a more agile and flexible process for developing and deploying critical pieces of the cloud-centric architecture. Self-service and automation are paramount, driving the goal of empowering our engineers to quickly create and configure their solutions in an unencumbered manner.<\/p>\n<h4>IaC<\/h4>\n<p>Infrastructure as Code (IaC) is the process of managing and provisioning cloud infrastructure and its configuration through definition files that machines can process\u2014rather than through the configuration of physical hardware or the use of interactive configuration tools. IaC is about using scripts and templates to build or configure a connected landing place for applications and business data.<\/p>\n<p>IaC doesn\u2019t involve building user-interactive portals or creating tickets for others to run automation. IaC instead involves supplying standardized, robust APIs to application engineering teams to integrate into their deployment automation. Beyond supplying APIs, the infrastructure team supplies standard, curated configuration templates and software images for application engineering teams to consume.<\/p>\n<p>Within the Microsoft Azure Resource Manager framework, Azure contains recognized IaC that allows engineering teams to rapidly provision the underlying hosting platform for their applications.<\/p>\n<h4>Microsoft Azure DevOps<\/h4>\n<p>We need to continue the push from fully centralized operations to a Microsoft Azure DevOps model. Specific efforts from infrastructure teams in partnership with business units need to continue and improve in the following ways:<\/p>\n<ul class=\"c-list\">\n<li>Continuing to decentralize operations that involve governance and auditing, while the centralized team remains responsible for the security and compliance posture<\/li>\n<li>Investing in management groups and Microsoft Azure Policy to supply guardrails for Microsoft Azure DevOps environments<\/li>\n<li>Decentralizing services, including those for patching, configuring, monitoring, backup, and managing alerts and events<\/li>\n<li>Gaining clarity on who&#8217;s responsible for responding to incidents by using the proper tools and processes for Microsoft Azure DevOps<\/li>\n<li>Improving automation by investing in tools such as Chef, creating a runbook library strategy, and specifying how teams should use Microsoft Azure Automation<\/li>\n<li>Ensuring that Microsoft Azure DevOps processes can properly deal with accessibility and privacy<\/li>\n<\/ul>\n<h3>Using identity management and governance<\/h3>\n<p>Identity management and governance supply the guardrails that help protect our cloud-centric architecture. Identity is the new perimeter in modern networking and architecture, so it deserves high-priority consideration within the architecture to help ensure the security of our environment. Governance is also critical in the modern architecture, helping to guide and safeguard a largely self-service environment.<\/p>\n<h4>Identity management<\/h4>\n<p>We need to simplify provisioning, entitlements, and access management. We also need to streamline account provisioning and management, helping ensure that all access is auditable and linked to an approved business justification. Finally, we need to ensure that all credentials will expire or be revoked when no longer required while maintaining the principle of least privilege for administrators and users. Our two primary efforts in identity management are:<\/p>\n<ul class=\"c-list\">\n<li>Eliminating passwords through Microsoft Azure Multi-Factor Authentication. We want to remove the use of passwords in favor of strong authentication mechanisms.<\/li>\n<li>Helping protect administrators. We want to help ensure that all users with elevated privileges use those privileges in compliance with our access control standard.<\/li>\n<\/ul>\n<h4>Governance<\/h4>\n<p>Cloud-focused architectures still require proper guardrails and governance for two reasons: to help protect corporate data and assets from internal and external threats and to help ensure that the data and assets adhere to corporate and compliance standards. Much of our current governance is manual in nature, and some is our own intellectual property created to fill product gaps in Microsoft Azure. As Azure continues to add features, we need to embrace those native features that will help ensure we\u2019re properly governing the cloud:<\/p>\n<ul class=\"c-list\">\n<li>Microsoft Azure Policy will take a forefront position in supplying the right guardrails to help ensure that application teams can operate day to day within subscriptions that will keep the data in those subscriptions safer and more secure.<\/li>\n<li>With Microsoft Azure Blueprints, we want to create appropriate sets of controls for bundling policies, networking, role-based access control, runbooks, and templates info full workspace packages that complement the Microsoft Azure DevOps environments we\u2019re pushing teams to use for their day-to-day operations.<\/li>\n<li>We need to invest efforts into the lifecycle workflow around governing subscriptions, exception management, and scaling to the enterprise via management groups.<\/li>\n<\/ul>\n<h3>Using modern apps and data solutions<\/h3>\n<p>The way we treat our apps and data has changed in cloud-centric architecture. With more user-design models becoming available, engineers no longer function as the only developers in our organization. Users are taking advantage of platforms and tools that offer no-code or low-code development methods to create business solutions. Through all of this and within our more traditionally developed apps, we need to drive consistent development and data usage and protection methods.<\/p>\n<h4>Modern apps<\/h4>\n<p>As more teams use Containers and Microsoft Azure Service Fabric, the infrastructure and security teams need to invest in creating the right guardrails for these new paradigms. This means that even more than previously, we need to track the Microsoft Azure subscription, make the correct policies and templates available, and then apply those policies and templates\u2014to help ensure that the more-transitory resources belonging to modern solutions immediately use the correct controls. Our priorities are as follows:<\/p>\n<ul class=\"c-list\">\n<li>We need to supply design patterns and templates to help ensure that teams build resources according to a standard. Automatic configuration should occur during deployment, and desired state should be automatically enforced on a continual basis.<\/li>\n<li>Developers need to create containers by using default images containing the correct settings and policies.<\/li>\n<li>For microservices, teams need to build Service Fabric clusters that use standardized settings and policies right from creation time.<\/li>\n<li>We need to assess the connectivity that modern apps require. We want users to primarily access these modern systems only via the internet, but private virtual networks might also have some use in data-focused, segmented environments. The hybrid model will benefit some teams and certain types of data.<\/li>\n<\/ul>\n<h4>Modern data solutions<\/h4>\n<p>Managing our most-critical data assets will continue to be a top priority going forward. With more modern architectures, an increased ability to separate the compute and storage resources will exist, so managing the storage data will become a critical priority:<\/p>\n<ul class=\"c-list\">\n<li>We need to continue examining solutions based on VMs and Microsoft SQL Server and transition them to more modern architectures.<\/li>\n<li>We need to accelerate data deduplication by moving commonly used data sources into Microsoft Azure Data Lake Storage.<\/li>\n<li>Our Microsoft Azure DevOps teams need to manage cloud storage in a security-enhanced and efficient manner. This includes having centralized standards for using encryption at rest whenever possible and helping ensure that all solutions use the proper business continuity and disaster recovery options.<\/li>\n<li>We need to ensure that we classify, label, and protect all Microsoft data.<\/li>\n<\/ul>\n<h3>Using modern networks<\/h3>\n<p>Our investment in the modern networks area involves all aspects of our networking environment. That is, we\u2019re investing in modern deployment and configuration practices to create and support a networking environment that supplies a solid foundation upon which the cloud-centric architecture rests. This includes adopting an internet first network model, increasing support for Software-Defined Networking, making more efficient use of Microsoft ExpressRoute connections, creating more intentional network segmentation, migrating to Internet Protocol version 6 (IPv6), and increasing Network Function Virtualization (NFV).<\/p>\n<h4>Internet first<\/h4>\n<p>All clients have been moving to an internet first model over time\u2014first, by enrolling mobile devices with Microsoft Intune and, eventually, by connecting branch offices and some corporate offices primarily through the internet instead of through traditional on-premises network connectivity. Clients traversing a virtual private network (VPN) or similar solution for access to corporate applications won\u2019t offer the best model going forward. To become an internet first organization, we\u2019re focusing on the following:<\/p>\n<ul class=\"c-list\">\n<li>We need to make line-of-business applications accessible from the internet by either providing a hybrid connection to the application\u2019s presentation layer, making the presentation layer entirely internet facing, or making the full application internet based versus traditionally on-premises network based.<\/li>\n<li>Infrastructure teams need to help secure the solutions in a standardized manner and always use verified intended access.<\/li>\n<li>Infrastructure teams need a way to correctly and efficiently handle edge traffic. They need to know how to accurately audit, respond to, and report that traffic.<\/li>\n<li>We need to find ways to supply hybrid access for data anchors that stay in a more-restricted zone, which won\u2019t be the on-premises network.<\/li>\n<li>We need to invest in resiliency and security for these internet-facing solutions to help prevent unwanted impacts.<\/li>\n<\/ul>\n<p>With most clients moving to an internet first model over the next few years, we in Microsoft Digital need to examine where line-of-business applications place services going forward. With most clients moving outside the on-premises network boundary, it makes the most sense for the applications they use day to day to have a presence on the internet versus continuing to require a special network connection back to an on-premises network-based solution. To improve services placement, we\u2019re examining the following:<\/p>\n<ul class=\"c-list\">\n<li>Making user-facing services and the presentation layer externally reachable.<\/li>\n<li>Placing data or the backend in an administrator channel or private zone if appropriate to help safeguard access.<\/li>\n<li>Resolving impact to clients and applications, such as when they send data to an on-premises printer.<\/li>\n<\/ul>\n<h4>Software-Defined Networking and ExpressRoute<\/h4>\n<p>Within Microsoft Digital, the Zero Trust and internet first efforts will encourage teams to examine their on-premises, network-bound solutions by using ExpressRoute. Additionally, the Microsoft Azure ExpressRoute service will continue to grow, because a plethora of product teams are just starting to move their lab and build solutions to Azure. Over time, we want teams to examine hosting their solutions outside the traditional corporate network more and more\u2014that is, in a fully internet-based posture, in an appropriate Software-Defined Networking environment, and with defense-in-depth security controls applied.<\/p>\n<p>To further embrace Software-Defined Networking and ExpressRoute, we\u2019re focusing as follows:<\/p>\n<ul class=\"c-list\">\n<li>Teams should modernize their solutions as their first choice versus migrating them directly to Microsoft Azure IaaS services. This needs to become a strategic goal across the organization.<\/li>\n<li>For our Microsoft Digital applications, we need to prioritize deployment governance over ExpressRoute usage. This will encourage the transition to modern applications that assume an internet posture versus continued dependence on the on-premises network.<\/li>\n<li>Even with a pure internet first design, these modern solutions should use Software-Defined Networking and the security features of Azure that supply controlled access to solutions.<\/li>\n<li>We\u2019ll simplify our current ExpressRoute architecture, which uses significant physical resources. We\u2019ll redesign the architecture to use more of the Software-Defined Networking components of Azure. The goals are to reduce costs, increase the deployment speed, make the service easier to consume, and make the service even less reliant on on-premises hardware.<\/li>\n<li>We need to engineer differentiated zonal-stratification offerings for production and mission-critical solutions versus those for research and development.<\/li>\n<li>We need to revisit the hybrid design options and revise them based on both new features and proper governance within all zones.<\/li>\n<\/ul>\n<h4>Network segmentation<\/h4>\n<p>For us in Microsoft Digital, network segmentation is one of the largest components of the cloud-centric architecture. The corporate extranet network and the security zones that define it have existed for decades. In the modern cloud-environment era, we need to revise network segmentation by:<\/p>\n<ul class=\"c-list\">\n<li>Dismantling the on-premises network and its security. This should result in the creation of multiple new zones that have improved controls and management.<\/li>\n<li>Noting that the traditional, on-premises-focused perimeter network is deprecated and that we\u2019ve created a modern perimeter network having the proper controls and less blanket access both vertically and horizontally.<\/li>\n<li>Using Software-Defined Networking to enable better horizontal network controls for larger zones and for individual zones created for specific solutions.<\/li>\n<li>Creating a new and different space for virtual local area networks that includes internal zones and an administrator network specifically segmented to manage devices and the Internet of Things.<\/li>\n<\/ul>\n<h4>Migration to IPv6<\/h4>\n<p>Internet Protocol version 4 (IPv4) address ranges continue to be challenging to manage because of the dwindling number of available addresses versus the growth of the environment. We need to accelerate IPv6 deployment to help ensure continued network capacity. IPv6 removes complications from network address translation and simplifies acquisitions. We\u2019re addressing the migration to IPv6 as follows:<\/p>\n<ul class=\"c-list\">\n<li>Our network team has deployed IPv6 to multiple environments and plans to have some areas use only IPv6 (where possible) to remove the dependency on the limited number IPv4 addresses.<\/li>\n<li>Application teams will need to bind their applications to IPv6 in addition to IPv4. Older applications that understand only IPv4 will need to modernize. Security optimization also needs to occur.<\/li>\n<li>The research and engineering teams will need to ensure that all policies are correct. They\u2019ll pay special attention to the boundaries between IPv4 and IPv6.<\/li>\n<\/ul>\n<h4>NFV<\/h4>\n<p>Going forward, we need to heavily invest in Software-Defined Networking, including Network Function Virtualization (NFV). NFV has substantially improved and will continue to do so. By moving older network zones to the internet, we can increase the internet first mentality while still supplying adequate controls. Making applications self-contained within a specialized zone can help lock down both vertical and horizontal access, which makes solutions more secure. The NFV-related actions include:<\/p>\n<ul class=\"c-list\">\n<li>Creating best practices for zones and disaster recovery.<\/li>\n<li>Helping ensure the proper governance of Software-Defined Networking devices and zones.<\/li>\n<li>Defining methods for monitoring Software-Defined Networking environments, including those for security, telemetry, and outages.<\/li>\n<li>Defining best practices for teams managing multiple perimeter networks versus the single, flat model used on-premises.<\/li>\n<\/ul>\n<h4>Service tunneling<\/h4>\n<p>Microsoft Azure is adding the ability to use service tunneling to access resources via VPNs, including ExpressRoute virtual networks. With this new model, teams might be able to use PaaS resources within a more-limited network and security boundary. To improve service tunneling, we\u2019re examining the following:<\/p>\n<ul class=\"c-list\">\n<li>Doing more work to understand this model and how we should use it within Microsoft Digital. This will potentially function as an interim step before getting to a full internet first posture. Service tunneling helps secure connections to Microsoft Azure from on-premises solutions, but we need to examine the benefits of this model and decide if it\u2019s the right model to use going forward.<\/li>\n<li>Creating an internet first tie-in. We\u2019re examining the potential for external presentation, where data is kept within a more private network that can use PaaS resources via a service tunnel. We need to work through the proper times and places to use hybrid cloud environments.<\/li>\n<\/ul>\n<h2><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"74\" class=\"alignnone size-medium wp-image-7448\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/key-takeaways-300x74.png\" alt=\"Key Takeaways\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/key-takeaways-300x74.png 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/key-takeaways.png 500w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/h2>\n<p>We\u2019re continually assessing our approaches to cloud-centric architecture to help ensure continued growth and reliable and optimized services. We have over 40 years of IT history and technical debt that we can\u2019t transform overnight. Our success will be determined by the fluidity of our users\u2019 experience and the level to which we can create an abstraction of our IT infrastructure via cloud-based platforms. This abstraction will create flexibility, usability, scalability, and resiliency for the entire business, which our cloud-centric architecture will support. We\u2019re exploring further transformation while staying dedicated to the effective operation of our entire service portfolio. We\u2019re finding common scenarios where we can optimize services and applications for the cloud, and we\u2019re automating and abstracting as many manual processes and tasks as possible. We\u2019re using the metadata across all our systems to digitally document our cloud infrastructure, creating software-defined templates for the deployment and configuration of infrastructure resources.<\/p>\n<h2><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"81\" class=\"alignnone size-medium wp-image-7482\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/related_links-300x81.png\" alt=\"Related links\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/related_links-300x81.png 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2021\/10\/related_links.png 500w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/h2>\n<ul class=\"c-list\">\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/itshowcase\/azure-and-cloud-infrastructure\">Learn more about how we are modernizing our applications and infrastructure<\/a>.<\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/itshowcase\/inside-the-transformation-of-it-and-operations-at-microsoft\">Read about the major initiatives that are helping to transform Microsoft<\/a>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>[Editor\u2019s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we\u2019re republishing it here so you can see what our thinking and experience was like at the time.] Here at Microsoft, we\u2019re building our\u00a0systems in the cloud to be agile, resilient, cost effective, and scalable\u2014this [&hellip;]<\/p>\n","protected":false},"author":133,"featured_media":12719,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_hide_featured_on_single":false,"_show_featured_caption_on_single":true,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[89,115],"coauthors":[646],"class_list":["post-9233","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-digital-transformation","tag-microsoft-azure","program-microsoft-digital-technical-stories","m-blog-post"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.8.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Microsoft&#039;s cloud-centric architecture transformation - Inside Track Blog<\/title>\n<meta name=\"description\" content=\"Learn how Microsoft is building integrated, reliable systems, instrumented for telemetry, to gather data and enable experimentation.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft&#039;s cloud-centric architecture transformation - Inside Track Blog\" \/>\n<meta property=\"og:description\" content=\"Learn how Microsoft is building integrated, reliable systems, instrumented for telemetry, to gather data and enable experimentation.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/\" \/>\n<meta property=\"og:site_name\" content=\"Inside Track Blog\" \/>\n<meta property=\"article:published_time\" content=\"2024-12-22T18:06:17+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-02-05T04:44:59+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/8801_hero_2300x1293.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2300\" \/>\n\t<meta property=\"og:image:height\" content=\"1293\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Inside Track staff\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Inside Track staff\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"19 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/\",\"name\":\"Microsoft's cloud-centric architecture transformation - Inside Track Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/8801_hero_2300x1293.jpg\",\"datePublished\":\"2024-12-22T18:06:17+00:00\",\"dateModified\":\"2025-02-05T04:44:59+00:00\",\"author\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/d87d5d73eed76dd055086299c842c17e\"},\"description\":\"Learn how Microsoft is building integrated, reliable systems, instrumented for telemetry, to gather data and enable experimentation.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/8801_hero_2300x1293.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/8801_hero_2300x1293.jpg\",\"width\":2300,\"height\":1293,\"caption\":\"Microsoft is building integrated, reliable systems, instrumented for telemetry, to gather data and enable experimentation.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft&#8217;s cloud-centric architecture transformation\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/\",\"name\":\"Inside Track Blog\",\"description\":\"How Microsoft does IT\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/d87d5d73eed76dd055086299c842c17e\",\"name\":\"Inside Track staff\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/image\/fb338dea806293f999356f7d8a399348\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/3788032f4762be09ee17b2ec39f3d75b?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/3788032f4762be09ee17b2ec39f3d75b?s=96&d=mm&r=g\",\"caption\":\"Inside Track staff\"},\"description\":\"Questions? Send us a note: msitstaff@microsoft.com\",\"url\":\"https:\/\/www.microsoft.com\/insidetrack\/blog\/author\/insidetrack\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Microsoft's cloud-centric architecture transformation - Inside Track Blog","description":"Learn how Microsoft is building integrated, reliable systems, instrumented for telemetry, to gather data and enable experimentation.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/","og_locale":"en_US","og_type":"article","og_title":"Microsoft's cloud-centric architecture transformation - Inside Track Blog","og_description":"Learn how Microsoft is building integrated, reliable systems, instrumented for telemetry, to gather data and enable experimentation.","og_url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/","og_site_name":"Inside Track Blog","article_published_time":"2024-12-22T18:06:17+00:00","article_modified_time":"2025-02-05T04:44:59+00:00","og_image":[{"width":2300,"height":1293,"url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/8801_hero_2300x1293.jpg","type":"image\/jpeg"}],"author":"Inside Track staff","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Inside Track staff","Est. reading time":"19 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/","name":"Microsoft's cloud-centric architecture transformation - Inside Track Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/8801_hero_2300x1293.jpg","datePublished":"2024-12-22T18:06:17+00:00","dateModified":"2025-02-05T04:44:59+00:00","author":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/d87d5d73eed76dd055086299c842c17e"},"description":"Learn how Microsoft is building integrated, reliable systems, instrumented for telemetry, to gather data and enable experimentation.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/#primaryimage","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/8801_hero_2300x1293.jpg","contentUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/8801_hero_2300x1293.jpg","width":2300,"height":1293,"caption":"Microsoft is building integrated, reliable systems, instrumented for telemetry, to gather data and enable experimentation."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/microsofts-cloud-centric-architecture-transformation\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/insidetrack\/blog\/"},{"@type":"ListItem","position":2,"name":"Microsoft&#8217;s cloud-centric architecture transformation"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/","name":"Inside Track Blog","description":"How Microsoft does IT","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/d87d5d73eed76dd055086299c842c17e","name":"Inside Track staff","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/image\/fb338dea806293f999356f7d8a399348","url":"https:\/\/secure.gravatar.com\/avatar\/3788032f4762be09ee17b2ec39f3d75b?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3788032f4762be09ee17b2ec39f3d75b?s=96&d=mm&r=g","caption":"Inside Track staff"},"description":"Questions? Send us a note: msitstaff@microsoft.com","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/author\/insidetrack\/"}]}},"jetpack_featured_media_url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2022\/12\/8801_hero_2300x1293.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9hcZA-2oV","_links":{"self":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/9233","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/users\/133"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/comments?post=9233"}],"version-history":[{"count":10,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/9233\/revisions"}],"predecessor-version":[{"id":18311,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/9233\/revisions\/18311"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/media\/12719"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/media?parent=9233"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/categories?post=9233"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/tags?post=9233"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/coauthors?post=9233"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}