
In this post, I will introduce the case study that I will be using throughout most of my posts here, WingIt Airlines*.

WingIt Airlines is a medium-sized long-haul airline operating flights between its two bases in San Diego, California and London Heathrow, United Kingdom. Their main corporate offices are in Los Angeles, California. They employ around 450 FTEs and around 125 vendors who work remotely. In a recent strategic move, the company has decided to move core infrastructure to Microsoft Azure.

As there is a lot of infrastructure to migrate, it has been decided to migrate resources in phases, beginning with the Core Services Engineering & Operations (CSEO) function. This function coordinates and administers core services such as the Active Directory domain, network infrastructure and the M365 tenant. Part of this strategy involves moving towards being a “cloud first” company that makes use of the opportunities the cloud represents. This will involve migrating to Platform as a Service solutions where possible to reduce cost and risk and to increase efficiency, security and speed compared to an Infrastructure as a Service solution. To increase security, the CSEO implementation team will apply the three key principles of the Microsoft Zero Trust security model (verify explicitly, use least privilege access and assume breach).

Virtual machines will only be accessible using Azure Bastion and Just-In-Time access. All virtual machines will be automatically maintained using an Automation Account to ensure that all critical and security updates are applied. All virtual machines will be backed up using the Azure Backup service. All disks across all VMs will be encrypted using the Azure Disk Encryption service, and the encryption keys will be stored in Azure Key Vault.

To allow for geo-redundancy, the resources will first be deployed in the West US 2 region, as this is closer to HQ, and the configuration will then be mirrored in the West Europe region. In addition, this design allows for reduced latency from a user experience perspective.

All infrastructure will be connected to the same Virtual Network which is connected to Azure Firewall, Azure Virtual WAN and Azure Sentinel instances. The Virtual WAN facilitates connections between HQ and the airports. The external vendors also connect to the VPN which is associated with this Virtual WAN. Up until this point, this level of integration has not been possible.

As well as the local domain controller at each site (HQ, San Diego, London Heathrow), there are some legacy servers that will not be migrated to Azure in the initial phases due to budget constraints. At HQ, there is a web app server that hosts approximately four bespoke applications and a Microsoft Exchange server. The Exchange Server is linked with their M365 tenant. Due to advancements in the Azure platform, it is now possible to back up and manage updates for non-Azure servers. Where possible, this will be implemented for the on-premises servers that aren’t going to be migrated. In future, the servers may be migrated using the Azure Migrate service.

After the successful implementation for CSEO, the next department to migrate is Sales and Marketing. Their workloads consist of the company website, data warehouse and various data systems. They will consolidate most of their legacy systems and migrate them into an Azure SQL Data Warehouse. Because WingIt sells flights via external partners, Data Factory will be implemented to ingest both internal and external data feeds, which arrive in varying formats, to be stored in either Azure SQL Database or CosmosDB.

To help cater for differing customer needs between markets, WingIt will have two versions of their website with one being targeted at US customers and the other UK/EU customers; both hosted on the Azure App Service. To ensure customers get directed to the right version of the site from where they are geographically located, WingIt have deployed Azure Traffic Manager which automatically directs the user to the right version. These have been secured behind a global Azure Web Application Firewall, DDoS Protection and Azure Front Door.

*WingIt Airlines is a fictitious company. Any relation to a real-life company is not intentional.
