Microsoft has now opened their two datacenters in Norway, so I decided to update this post with a Q&A on some of the pieces that are important to remember and consider, from a data governance and technical perspective, before you start using them, and to address some of the most common questions I get. You can see the official statement from Microsoft here –> https://pulse.microsoft.com/nb-no/business-leadership-nb-no/manufacturing-nb-no/fa1-microsoft-skyen-i-norge-er-apen-med-de-forste-brukerne/
You can also read the official release post here –> https://azure.microsoft.com/en-us/global-infrastructure/norway/
Microsoft has two regions in Norway: one outside of Oslo and one outside of Stavanger. Both datacenters will provide Microsoft Azure services and will at a later stage also provide Office 365 capabilities. The Norwegian datacenters will be like the other regional datacenters that Microsoft has and not like the previous setups such as Germany or China, so the same trust model applies when it comes to compliance. You can also read a bit more here (written in Norwegian) –> https://www.digi.no/artikler/microsofts-datasentre-i-norge-dette-vet-vi-fa-uker-for-apning/474789
Those who do automation against Azure need to use the short names in scripts, IaC and such.
"displayName": "Norway West",
"displayName": "Norway East",
Unlike the other regions worldwide, which have been up and running for many years already, the Norwegian datacenters will be at a smaller scale and therefore will not have all services available at launch. Most likely there will be a phased rollout, where more and more services are added. You can view the service availability of the different regions here –> https://azure.microsoft.com/en-us/global-infrastructure/services/?products=all
Some services are marked as Global; these services are therefore not located directly within Norway (such as Azure Active Directory). Also, if your business has already established an Office 365 or Azure AD tenant, the placement of that data has already been set (identity data is stored by Azure AD in a geographical location based on the address provided by your organization when subscribing for a Microsoft Online service such as Office 365 and Azure) –> https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-data-storage-eu You can also view other individual solutions and their locations here –> https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9
It is also important to understand that the Norwegian datacenters will be operated differently from other regions such as West Europe and North Europe. One aspect is that the Norwegian datacenters are a lot smaller and do not have the same scale, so Microsoft will be introducing a set of base capabilities / services, which you can see here –> https://azure.microsoft.com/nb-no/global-infrastructure/services/?regions=norway-east,norway-west&products=all
Secondly, judging by the service availability list https://azure.microsoft.com/nb-no/global-infrastructure/services/?products=all the West Norway region does not have any plans to support App Services or other PaaS services, so it is most likely going to be a DR site, meaning that it cannot be used for active workloads but only to support GRS-based workloads. Looking at the services, you can also see that it supports compute and storage options (and also Data Box) intended for DR and storage migration, and also network edge support. Services being deployed in Norway East will also be limited in terms of how many resources you can deploy directly.
Microsoft wants to have a bit more control through a soft launch, which means that you will need to create a support ticket to increase the number of vCores and such. This can be done by going into the subscription –> Usage and Quota and setting up a request to increase the quota.
When you get up and running in Microsoft Azure, and depending on the services you establish, you also need to monitor the service. I’m not going into detail on that, but the biggest thing that you should monitor is the underlying platform itself when it comes to planned and unplanned downtime. This can be monitored using Azure Service Health https://azure.microsoft.com/en-us/features/service-health/ where you can get notified about downtime or service issues in the regions.
You can also view the status of services and availability here –> https://status.azure.com/nb-no/status
Right now, both Stavanger and Oslo will be providing edge capabilities for network traffic. This means that if you use a service like Front Door or Azure Virtual WAN, your traffic will hit the closest edge datacenter https://azure.microsoft.com/nb-no/blog/latency-is-the-new-currency-of-the-cloud-announcing-31-new-azure-edge-sites/ It should be noted, however, that these datacenters do not provide edge capabilities (Front Door) for Office 365 yet, which means that Office 365 traffic will go through the network edges and then to Office 365 (https://connectivity.office.com)
A scenario might be that you have offices worldwide and want to connect them without MPLS, using regular Internet and Azure Virtual WAN instead. This allows the offices to leverage Azure’s core network to transfer data between them.
You can read more about Azure Virtual WAN here –> https://msandbu.org/azure-virtual-wan-and-putting-the-pieces-together/ but in essence it allows you to connect multiple locations worldwide and use the Azure networking backplane, so that communication goes across Azure’s dedicated links instead.
If you want to integrate your existing datacenter with Azure using a private connection such as ExpressRoute, Green Mountain is now one of the partners for ExpressRoute to the Norwegian datacenters –> https://greenmountain.no/2019/09/21/green-mountain-selected-as-microsoft-azure-expressroute-partner/ DigiPlex also has a similar partnership when it comes to ExpressRoute to Azure.
If you need to integrate the Norwegian datacenters with existing regions where you might already have resources, you can leverage Azure Global VNET Peering https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview
Another option is to leverage regular Azure P2S VPN for client-based access to the virtual network there (which now supports Azure AD based authentication) –> https://msandbu.org/setting-up-azure-ad-native-authentication-with-azure-vpn-gateway/
Data Governance & Compliance
If you plan to provide services only from Norway, you should implement some data governance mechanisms to ensure that data and other services are not placed in other regions, since within Azure you can choose which region a service should be established in. The easiest way to implement control on this is by using Azure Policies and specifying an allowed region policy –> https://docs.microsoft.com/en-us/azure/governance/policy/samples/allowed-locations
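As an added illustration (not code from the original post or from Microsoft), the following Python models the effect of an allowed-locations deny rule limited to the two Norwegian regions and uses it to audit a resource inventory. norwayeast and norwaywest are the Azure short names for the regions; the evaluator, the subset of rule conditions it handles and the sample resources are assumptions constructed for the example.

```python
# Added example: offline model of an "allowed locations" deny rule.
# The rule shape follows Azure Policy's if/then JSON; the evaluator is a
# simplified stand-in for illustration, not Azure's policy engine.
import json

ALLOWED = ["norwayeast", "norwaywest"]  # Azure short names for the two regions

POLICY_RULE = {
    "if": {"allOf": [
        {"field": "location", "notIn": ALLOWED},
        # Global services (no regional placement) must not be blocked.
        {"field": "location", "notEquals": "global"},
    ]},
    "then": {"effect": "deny"},
}

def _matches(cond, resource):
    """Evaluate one condition (allOf / notIn / notEquals), case-insensitively."""
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    value = str(resource.get(cond["field"], "")).lower()
    if "notIn" in cond:
        return value not in [v.lower() for v in cond["notIn"]]
    if "notEquals" in cond:
        return value != cond["notEquals"].lower()
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, rule=POLICY_RULE):
    """Return the rule's effect if the resource matches, otherwise 'allow'."""
    return rule["then"]["effect"] if _matches(rule["if"], resource) else "allow"

def non_compliant(resources, rule=POLICY_RULE):
    """Names of resources the rule would deny, for auditing an inventory."""
    return [r["name"] for r in resources if evaluate(r, rule) == "deny"]

# Constructed inventory in the shape of `az resource list -o json` output.
SAMPLE = json.loads("""[
  {"name": "vm-app01", "type": "Microsoft.Compute/virtualMachines", "location": "norwayeast"},
  {"name": "stbackup", "type": "Microsoft.Storage/storageAccounts", "location": "NorwayWest"},
  {"name": "vm-test",  "type": "Microsoft.Compute/virtualMachines", "location": "westeurope"},
  {"name": "fd-edge",  "type": "Microsoft.Network/frontDoors",      "location": "global"}
]""")

if __name__ == "__main__":
    for r in SAMPLE:
        print(f'{r["name"]:10} {r["location"]:12} {evaluate(r)}')
```

Running the same check over an existing subscription's inventory before assigning the policy shows which resources would already be out of compliance.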
But regardless of how you plan to use Azure, you should have a main governance strategy in place to ensure that a set of baseline policies and processes exists, and that you have a configured landing zone if you plan to migrate virtual machines out to Microsoft Azure.
The best way to start is by using the Microsoft Cloud Adoption Framework https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ which is a good starting point, but you need to be aware that the framework is built for many large organisations and is not always suitable for smaller businesses.
Also, if you want more information on data control and security compliance within Azure, you can read more about it here –> https://go.microsoft.com/fwlink/p/?linkid=2051120 This whitepaper shows the different security mechanisms that are in place, both for the physical aspects of the datacenter and the security mechanisms within Azure that customers can leverage.
Besides this, you also have the ability to set up, for instance, services or data as locally redundant, zone redundant or geo redundant. Here is an example.
Setting up a storage account with LRS means that data will be replicated three times within the same datacenter zone (such as East-Zone1), so if that datacenter goes down your data will be unavailable. If you set up zone redundant storage, data is replicated across multiple zones within the same region (such as East-Zone1 & East-Zone2), so if the entire region goes down, the data is unavailable. Setting up geo redundant storage means that data will be replicated between region East and West, with three copies within each region.
SLA and Availability
As part of each datacenter that Microsoft is setting up, each region is configured with Availability Zones, which are independent datacenters within the same region.
When setting up, for instance, a service or virtual machine workloads in Azure, you need to understand that the availability of that machine is only within the region where it is placed. Virtual machines in Azure do not have live migration or mobility options to other zones or other regions. That means that if a region or zone goes down, your services will be unavailable. So ensure that your service leverages Availability Zones, where the machines that provide a service are deployed into separate zones. To actually get an SLA from Microsoft, you need to follow the guidelines underneath:
- For all Virtual Machines that have two or more instances deployed across two or more Availability Zones in the same Azure region, we guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.99% of the time.
- For all Virtual Machines that have two or more instances deployed in the same Availability Set, we guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.95% of the time.
- For any Single Instance Virtual Machine using premium storage for all Operating System Disks and Data Disks, we guarantee you will have Virtual Machine Connectivity of at least 99.9%.
So understand the SLA requirements for each service that you deploy. Many might already be using Availability Zones in other regions, but note that the Norwegian datacenters do not provide Availability Zones as of now. This means that the highest SLA you can get on virtual infrastructure is 99.95%, using Availability Sets.
Another important aspect is that Microsoft uses a term called geo-paired regions, meaning that if you have services which support GR (geo redundancy), Microsoft provides replication of services between two geo-paired regions. With the Norwegian datacenters, this means that data will be replicated between Norway East and West. If you already have services deployed in a region such as West Europe, it is paired with North Europe, so GRS-based solutions will not be able to directly replicate data between West Europe and West Norway, for instance.
Moving existing workload to Norwegian datacenters?
So if you as a customer have already established workloads in Azure, can you easily migrate services from one region to another? This is possible, but it is not something that Microsoft will do for you; you would need to re-establish or migrate the services to the Norwegian region yourself.
For virtual infrastructure you can use ASR (Azure Site Recovery) to do replication –> https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-quickstart For other PaaS services there are limited options when it comes to migration, so you would need to re-establish the services and use a data migration service such as Data Factory or AzCopy to copy the data across.
Also, if you are moving workloads out of your own datacenter to Azure, remember that this only applies to supported workloads, which you can see here –> https://support.microsoft.com/en-us/help/2721672/microsoft-server-software-support-for-microsoft-azure-virtual-machines
And not all services that you have on-prem can run optimally in the cloud, for example services that require hypervisor integration, physical devices, or specific layer 2 network protocols such as GARP/RARP/VRRP, which are not available in Azure.
Shared Responsibility – Remember your role
Remember that when you start using public cloud services such as Microsoft Azure and are migrating out of your own datacenter, you still need to understand what is your responsibility and what is Microsoft’s responsibility.
For virtual machines, for example, the responsibility for backup, maintenance and such is still ours. The same goes for security capabilities: you need to design the use of firewalls, virtual appliances, cloud native services and so on. Data backup is not something that Microsoft is responsible for; it is something that you as a customer need to ensure is in place, either using your own backup tooling or built-in services such as Azure Backup.
Now what is it going to cost?
Right now there is no pricing information on the services that Microsoft will be providing from within Azure. The official price calculator will be updated with the Norwegian regions once it is available –> https://azure.microsoft.com/nb-no/pricing/calculator/ Until then you can start calculating using another region such as West Europe as a base, but you need to adjust any calculations to Norway once the prices become available.
Early indications are that Norway will be similar to West Europe with some slight adjustments.
Plan – Capacity scale is not endless!
If you have a big project that is dependent on using Microsoft Azure, one of the things you should consider is the capacity that you need. Even though this is a cloud platform, there is a large set of other customers that want access to resources as well, and Microsoft needs to plan for this accordingly. For instance, there is a soft limit for vCPU in Microsoft Azure (20 total cores per subscription and 350 vCPU for Enterprise Agreement), but this is a bit different for Norway.
There you will need to apply to get access to a quota within each region.
If you need to go above this limit, you need to create a support ticket, and depending on the amount of vCPU or cores that you need, Microsoft might need to actually get more hardware to meet that capacity, because they do not have endless capacity. In another project I was involved with previously, I needed to wait 2 months before capacity was available in that region. So start with this early to ensure that you have the capacity you need!
Architecture and Design
When it comes to the design of services in Azure, Microsoft has a good starting point based upon a design model they call Virtual DataCenter, which you can read more about here –> https://docs.microsoft.com/en-us/azure/architecture/vdc/ In addition there is the Cloud Adoption Framework that Microsoft has –> https://docs.microsoft.com/en-us/azure/architecture/cloud-adoption/ which also goes into the different principles of adopting cloud. What I also recommend is that you use another subscription and region for testing new services in Azure. Microsoft is constantly developing new services and functionality which they release into Microsoft Azure as private / public preview. For the most part the new services are published in the main regions such as North / West Europe (as part of EMEA at least), and in other regions services will be added at a later stage. So having a separate subscription and another region is a good way to start learning the new services in the early stages, before they are rolled out to the Norwegian datacenters.
I’m also currently working on more content on architecture and governance, which will come a bit later. Also stay tuned for a migration whitepaper coming soon, which emphasizes lift-and-shift and modernizing applications.
How do I follow changes and what’s new?
To monitor and see changes that are coming to Azure and the upcoming regions, I recommend following the official blog https://azure.microsoft.com/nb-no/blog/ (using RSS) and also leveraging Azure Service Health to monitor the changes (also mentioned under Service Monitoring).
You can also view the status of services and availability here –> https://status.azure.com/nb-no/status