Case studies

PFA gets ready for the future with Azure hybrid cloud infrastructure

Getting ready to move from an on-premises data center setup to public cloud in Azure is one of the cornerstones in PFA’s 2020 IT strategy.

Challenge

PFA is aiming to move workloads to Microsoft Azure and have the ability to build new cloud-based solutions quickly and as securely as their existing on-premises installations. All this with a relentless focus on governance, risk and compliance matching their existing on-premises setup.

The goal for PFA was to establish an Azure hybrid cloud architecture that was reliable, cost-effective, and enabled faster time-to-market for new solutions with full scalability and flexibility. In addition, a Cloud Center of Excellence (CCoE) function would be created to support the ongoing cloud journey and new cloud solution development and migrations.

All relevant parts of the organization required involvement, including IT security, architecture, operations, development, legal, finance, etc. The CCoE is a central cloud governance function which will make cloud services available to the entire PFA organization in a controlled and secure way.

The platform will support many development teams across all the different business areas. Finding the right balance between control and flexibility for the developer teams was a priority, given the detailed focus on governance, risk and compliance.

Solution

Skaylink has operated an internal Cloud CoE for many years. Among other things, the CoE is responsible for managing Skaylink’s acceleration platform CADD, a platform used by many customers both local and internationally. This experience and know-how was a key factor when PFA awarded Skaylink their Azure cloud project, including the creation of a PFA Cloud CoE. The project was a joint effort between PFA’s architecture team and Skaylink experts.

The implementation was based on Microsoft’s Cloud Adoption Framework (CAF) and the new extension “Enterprise Scale Landing Zones”. An architecture framework with design principles, guidelines, recommended policies, etc.

Deliverables included the entire cloud adoption cycle: Plan, Ready, Adopt, Govern and Manage. The close relationship between Microsoft, PFA and Skaylink further enabled pre-release access to the latest expansions of CAF, ensuring PFA was on the forefront with the technology and applied international best practices. An important part of the delivery included tools and a framework which, with the help of governance, risk management and compliance, ensures that PFA complies with the relevant legal legislation governing the pension and insurance industry. This includes security-by-design, detailed cost management and defined use principles for all SaaS, FaaS, PaaS and IaaS components making up cloud solutions at PFA.

As a validation of the new platform, Skaylink provides support for “Lighthouse” projects to be developed and operated using the new cloud platform.

"Finding a cloud partner with competencies ranging from infrastructure to DevOps development is not easy! Especially as cloud technology is a moving target."

Technologies Used

Iterative development of an Enterprise Scale Cloud Platform:

  • Standards and governance model
  • Security and automation operations
  • Pilot projects
 

Cloud capabilities:

  • Cloud CoE (Cloud Center of Excellence)
  • IaaS/PaaS infrastructure and components
  • Security and risk mitigation
  • 100% scripted/automated provisioning of build/deploy pipelines
  • Operations setup and monitoring
  • Operating and service model

Result

In just 6 months and on time, the platform was delivered and ready to onboard the first large scale strategic cloud project – “The Modern Data Platform”. We succeeded in building a very flexible platform, which provides freedom for the individual development teams rather than limiting them. All teams can write and implement the jnfrastructure-as-code needed to run specific workloads in Azure. Individual development teams no longer need to order servers and databases. Now they can provision what they need within minutes, just by clicking in Azure or with infrastructure-as-code from a DevOps pipeline.

Furthermore PFA development teams are now also able to create innovative solutions with Databricks, Azure Machine Learning and computing with GPUs. They have access to fully managed services, such as Azure Functions, which automatically and quickly scale down to 0 machines when not in use and potentially grows up to more than 100 machines during peak hours. Since the service is now managed, there is no longer a need for operations to handle security updates, upgrades or patching machines. All now starts with a fully automated process when ordering a so-called “Landing Zone” that will support the relevant workloads. Landing zones consist of an Azure subscription, some blueprints, a virtual network that is connected to a virtual WAN in Azure, which then again is connected on-premises via ExpressRoutes. To ensure compliance with all guidelines, several Azure policies are automatically implemented for each landing zone.

A large number of components have been developed for the solution, including:

  • Cloud Center of Excellence (CCoE) organization
  • Guidelines and standards
  • Development of landing zones
  • Establishment of hybrid connection to existing Data Center via Microsoft’s Express Route
  • IaaS and PaaS platform
  • White-listing services
  • Azure compute options (VMs, containers, app service, serverless)
  • Infrastructure provisioning (VMs, containers, storage, networks, …)
  • Integration with on-premises data sources and external systems
  • Templates and DevOps environments (i.e. Dev/Test/Prod)
  • Service and operating model
  • Cost management and resource/cost consumption reporting
  • Principles for minimizing supplier lock-in/exit strategy
  • Tenancy administration, resource/network administration and user role administration
  • Provisioning and ad-provisioning resources ad-hoc
  • Scaling of Azure resources
  • Monitoring and operational monitoring
  • Full scripting/infrastructure-as-code of components used
  • Scripting of build/deploy
  • Security, identity, risks and measures and application of the already established AD

 

The project also involved knowledge transfer and Azure training for the PFA team.

Case Stories