Nimble Hybrid Storage for Azure VM

Microsoft Azure can be integrated with Nimble Cloud-Connected Storage based on the Nimble Storage Predictive Flash platform via Microsoft Azure ExpressRoute or Equinix Cloud Exchange connectivity solutions.

The Nimble storage is located in Equinix colocation facilities at proximity to Azure data centres to deliver fast, low-latency performance.

Key Features:

  • 9997% uptime and reliability over thousands of systems deployed in production.
  • Triple-parity RAID protection, data durability is improved by over 1,000x compared to traditional RAID6 protection.
  • Accelerates performance and optimises capacity via ExpressRoute and Equinix Cloud Exchange
  • On-Demand pay-for-what-you-use pricing model. Cloud Volumes pricing will start at $0.10/GB/month
  • Data mobility between Azure Cloud and Nimble Storage
  • Nimble’s Cloud Volumes (NCV) store block data for use by Azure compute instances
  • Data protection using Veeam Availability Suite or Veritas NetBackup

Direct Connectivity to Azure

Azure virtual machines connect directly to block storage volumes running on Nimble arrays. This provides access to secure, feature-rich and high-performance storage over a fast and low-latency connection.

Equinix Cloud Exchange provides further flexibility with Azure and Nimble storage connectivity by providing self-service on-demand provisioning and switchable virtual connections in the colocation facility. You can achieve this functionality using Nimble native tooling.

Hybrid Cloud Model

For hybrid clouds where you do need to move data from your on-premise storage to your cloud-connected storage Nimble’s efficient data replication ensures all data is compressed and only changed data is sent to minimise bandwidth requirements.

Nimble’s efficient data replication allows you to gain efficiency, reduce data transfer times, moreover, reduce network costs by avoiding massive data migrations to and from your on-premise storage or private cloud to the public cloud.

Regulatory Compliance

Breakdown one of the top barriers to cloud adoption. You always own and control your data when you use Nimble Cloud-Connected Storage allowing you to address data security as well as corporate compliance or governance requirements.

Low-Cost Disaster Recovery Solution

Pay for disaster recovery only when you need it instead of keeping fully operational secondary servers up at all times. Leverage the ability to quickly turn on Azure virtual machines to enable your DR site for drills and actual failures and turn them off when you are done. All the while Nimble’s efficient data replication ensures your DR data is up-to-date and secure.

Dev/Test Environments

If your production environment is on-premise, it is difficult to leverage the cloud for Dev/test since you need to move data back and forth between the cloud. With Nimble Cloud-Connected Storage, instant snapshots are made of your production environment and zero-copy clones of that data are immediately available for Azure virtual machines that can be spun up quickly for dev/test.

Secure Private Storage for the Public Cloud Apps

Stop debating which applications can move to the cloud due to concerns about Security, privacy performance, and reliability. With Nimble Cloud-Connected Storage, you will always control your data while taking advantage of Azure virtual machines for cloud compute.

Other use cases such as big data analytics and application cloud bursting can leverage Nimble Cloud-Connected Storage to gain agility, improve performance, while maintaining sovereignty and ownership of your data.

 

 

 

EMC Unity Hybrid Storage for Azure Cloud Integration

The customers who have placed their workload in both on-premises and cloud forming a “Hybrid Cloud” model for your Organisation, you probably need on-premises storage which meets the requirement of hybrid workloads. EMC’s Unity hybrid flash storage series may be the answer to your business critical problem. This unified storage array is designed for organisations from midmarket to the enterprise. Cover the broadest range of workloads – SAN and NAS both. The EMC unity has been designed for workloads rather than a tin seating on your data centre consuming power and cooling bills, and you are calling it a SAN. After all, that was a traditional tin-based SAN solution.

Previously I wrote an article about Dell Compellent. I received an overwhelming response from the Compellent user. I have been asked many occasion what other option do we have if not the Compellent storage.

To answer the question, I would choose from either EMC Unity Hybrid Storage, Nimble and NetApp Storage subject to the in-depth analysis of workloads, casestudy and business requirements. But again, this is a “Subject to x,y,z” question. The tin-based storage does not fulfil the modern business requirement. I would personally like to use Azure or AWS than procure any tin and pay for power, cooling and racks.

EMC Unity

The Unity midrange storage for flash and rich data services based on dense SSD technology helps provide outstanding TCO. The Unity provides intelligent insight into SAN health with CloudIQ, which provides cloud-based proactive monitoring and predictive analytics. Additionally, the ongoing operation is simple with proactive assistance and automated remote support.

What I like about Unity is that the Unity Software, most notably CloudIQ, Appsync and Cloud Tiering Appliance. The Unity has the capabilities include point-in-time snapshots, local and remote data replication, built-in encryption, and deep integration with VMware, Microsoft Apps, Hyper-v, Azure Blob, AWS S3 and OpenStack ecosystems. The Unity provides an automated tiering and flash-caching, the most active data is served from flash.

Management

The Unity provides the most user-friendly GUI management interface. After installing and powering on the purpose-built Dell EMC Unity system for the first time, the operating environment will boot. The interfaces are well-defined and highlighted for areas of interest – drive faults, network link failures, etc. Within Unisphere are some options for support, including Unisphere Online Help and the Support page where FAQs, videos, white papers, chat sessions, and more

Provisioning Storage

The EMC Unity offers both block and file provisioning in the same enclosure. The Disk Drives are provisioned into Pools that can be used to host both block and file data. Connectivity is offered for both block and file protocols using iSCSI and Fibre Channel. You can access LUNs, Consistency Groups, Thin Clones, VMware Datastores (VMFS), and VMware Virtual Volumes.

Fast VP

The FAST VP (Fully Automated Storage Tiering for Virtual Pools) is a very smart solution for dynamically matching storage requirements with changes in the frequency of data access. Fast VP segregate disk drives in three tiers

  • Extreme Performance Tier – SSD
  • Performance tier – SAS
  • Capacity Tier – NL-SAS

Fast VP Policies – FAST VP is an automated feature but provide controls to setup user-defined tiering policies to ensure the best performance for various environments. FAST VP uses an algorithm to make data relocation decisions based on the activity level of each slice.

  • Highest Available Tier
  • Auto-Tier
  • Start High then Auto-Tier
  • Lowest Available Tier
  • No Data Movement

Cloud Tiering Appliance (CTA)

If you are an organisation with hybrid cloud and you would like to move data from on-premises to Azure Cloud or AWS S3, then Cloud Tiering Appliance (CTA) is the best solutions for you to move data to a cloud-based on user-configured policies. The other way is also true which means you can return your data to on-premises using this appliance.

Why do you need this appliance? If you run of storage or free-up space, you can do it on the fly without capital expenditure. This ability optimises primary storage usage, dramatically improves storage efficiency, shortens the time required to back up data, and reduces overall TCO for primary storage. This functionality also reduces your own data centre footprint. You can move both file and block data to Azure Cloud or AWS S3 using CTA.

EMC CloudIQ

Another cool feature is CloudIQ. CloudIQ provides the operational insights and overall health scores EMC midrange storage. CloudIQ provides Central monitoring, predictive analytics and health monitoring.

CloudIQ is a no-cost SaaS application that non-disruptively provides overall health scores for Unity systems through cloud-based proactive monitoring and intelligent, predictive analytics.

AppSync Data Protection

Your priority is workload. You must protect workloads and simplify management of workloads. AppSync empowers you to satisfy copy demand for data repurposing, operational recovery, and disaster recovery with AppSync.

AppSync simplifies, orchestrates, and automates the process of generating and consuming copies of production data. You can integrate AppSync with Oracle, Microsoft SQL Server, and Microsoft Exchange for application-consistent copy management. AppSync is the single user interface and provides VM-consistent copies of data stores and individual VM recovery for VMware environments

RecoveryPoint

EMC RecoverPoint provides continuous data protection with multiple recovery points to restore applications instantly to a specific point in time. EMC RecoveryPoint protects applications with bidirectional synchronous and asynchronous replication for recovery of physical, virtual, and cloud infrastructures. Minimize network utilisation with unique bandwidth compression and deduplication, significantly reducing replicated data over the network.

RecoveryPoint is software-only solutions to manage the disaster recovery provisioning and control their replication policies and recovery, ensuring that VM service levels are met.

EMC Storage Analytics

The Storage Analytics software lets you extend VMware vRealize Operations analytics to supported EMC storage platforms. Optimize performance and diagnose issues across physical storage and virtual machines with EMC Storage Analytics (ESA).

The Storage Analytics is dashboards based visual tools provide deep visibility into EMC infrastructure. Actionable capacity and performance analysis help you troubleshoot, identify, and act on issues fast.

Encryption

EMC Unity lets you encrypt user data as it is written to the backend drives, and decrypted during departure. Because encryption and decryption are handled via a dedicated hardware piece on the SAS interface, there is minimal impact on Unity Storage. The system also supports external key management through the use of the Key Management Interoperability Protocol (KMIP).

Conclusion

The Unity Hybrid Storage reduce cost, datacentre footprint, complexity and management overhead of your SAN systems while maintaining workload performance, protection and path to migrate data to Azure Cloud or AWS.

Office 365 Hybrid Deployment with Multiple Active Directory Forests

This article explains how you can deploy a hybrid Office 365 and Exchange on-premises environment with multiple Active Directory Forest. An organisation that utilizes an account forest and a resource forest to separate Active Directory accounts and Exchange servers in a single forest, aren’t considered as multiple AD Forest. Let’s say Company A (DomainA.com) bought Company B (DomainB.com). Company A has an Office 365 tenant with default domain domainA.onmicrosoft.com. Now Company A wishes to migrate Company B mailboxes into the Office 365 tenant but maintains the hybrid environment.

Here is the infrastructure you should consider.

AD Forest 1 AD Forest 2
On-prem Forest Corp.DomainA.com Corp.DomainB.com
Email Domain or Externally Routable NameSpace DomainA.com DomainB.com
Externally Routable Autodiscover CNAME Autodiscover.DomainA.com Autodiscover.DomainB.com
Default Domain in Office 365 Tenant domainA.onmicrosoft.com domainA.onmicrosoft.com
On-Prem Exchange Server Version Exchange 2013 SP1 or later Exchange 2013 SP1 or later
On-prem Certificate Issued by Public CA

CN= mail.DomainA.com

SAN=Autodiscover.DomainA.com

Issued by Public CA

CN= mail.DomainB.com

SAN=Autodiscover.DomainB.com

To configure a hybrid environment for a multi-forest organization, you’ll need to complete the basic steps below:

  1. Create Two-Way Trust Relationship between on-premises Corp.DomainA.com and On-premises Corp.DomainB.com if Trust relationship is not already established.
  2. Make sure you have correct public certificates for both Exchange Organisation.
  3. Build AAD Connect Server in Corp.DomainA.com Domain. AD Synchronisation occurs Corp.DomainA.com domain. you do not need to add another AAD Connect server in domainB.com domain. Run custom AAD Connect wizard and use domain filter and select both domains to sync to Azure AD.
  4. Build ADFS Farm in Corp.DomainA.com Domain. You use either AD FS or password sync to allow for a seamless user authentication experience for both domains.
  5. Add domain and verify both domains in Office 365 tenant. Setup both domain in Office tenant as an Internal Relay Domain
  6. Run Hybrid Configuration wizard in both Forest. Select both domains whilst running HCW.  For Centralized MailFlow Configuration of both domains, you must retain your existing MX record. Add EOP in your SPF record for the both domains. If you do not wish to configure Centralized MailFlow then point MX record to the EOP record of Exchange Online.

AAD Connect Recommendations:

  • Separate Topology – This topology might be the situation after a merger/acquisition or in an organization where each business unit operates independently. These forests are in the same organization in Azure AD and appear with a unified GAL.

In AAD Connect Wizard Select “Users are only once across all forests” and Mail Attribute.

  • Full Mesh- A full mesh topology allows users and resources to be located in any forest. Commonly, there are two-way trusts between the forests.

In AAD Connect Wizard Select “Users identities exist across multiple forests” and Mail Attribute.

Hybrid with Multiple Forest  Recomendations:

  • Having a single tenant in Azure AD for an organization
  • Having a single ADD connect server for an organisation
  • Having a unique Active Directory object for an organisation. Each unique object is synced into the Azure AD for once only.
  • Having a single on-prem namespace (UPN: domainA.com, domainB.com) to match the registered domain in Azure AD.
  • Having a single namespace associated with an user or an object
  • Having all email domains registered in a single tenant
  • Having a single AAD Connect and ADFS Farm in a same forest if “Federation with ADFS” is selected in AAD Connect custom installation Wizard

Relevant Article:

Office 365 Hybrid Deployment with Exchange 2016 Step by Step

Office 365 Hybrid Deployment with Exchange 2016 Step by Step

Hybrid Configuration Business Case.

  • On-premises IRM- Information Rights Management (IRM) enables users to apply Active Directory Rights Management Services (AD RMS) templates to messages that they send.
  • Antispam and malware protection- Mailboxes moved to Office 365 are automatically provided with antivirus and anti-spam protection by Exchange Online Protection (EOP), a service provided by Office 365. However, for corporate compliance reason, mail must flow through via on-premises anti-spam and firewall devices.
  • Public Folder- You have on-premises public folder and you would like to retain on-premises public folder.
  • Legacy Application- You have legacy applications that only support localised email server instead internet based email server
  • On-prem UM- You have on-premises unified messaging infrastructure or telephony systems that only communicate with localised email servers
  • Use of current CAPEX- You want to utilise current on-premises investment until the equipment expires and you are not ready to move into cloud completely.

In a hybrid deployment when you connect your Office 365 Exchange Online organization to your existing on-premises Exchange organization using the Hybrid Configuration wizard. After configuring the hybrid deployment, the following features are enabled:

  • Secure mail routing between on-premises between the organizations.
  • Mail routing with a shared domain namespace. For example, both on-premises and Exchange Online organizations use the @domain.com SMTP domain.
  • A unified global address list (GAL), also called a “shared address book,” showing full details of recipients.
  • Free/busy calendar information sharing between the organizations.
  • Centralized control of inbound and outbound mail flow. You can configure all inbound and outbound Exchange Online messages to be routed through the on-premises Exchange organization.
  • A single Outlook on the web URL for both the organizations.
  • Automatic Exchange ActiveSync profile redirection when mailboxes are moved to Office 365 (dependent on device support).
  • The ability to move on-premises mailboxes to the Exchange Online organization and vice versa.
  • Centralized mailbox management using the on-premises Exchange Administration Center (EAC).
  • Message tracking, internal MailTips and Out of Office replies, and multi-mailbox search between the organizations.
  • Cloud-based message archiving for on-premises Exchange mailboxes. Exchange Online Archiving can be used with a hybrid deployment

A hybrid deployment involves several different services and components:

  • Exchange 2016 Servers-   The Exchange 2016 Mailbox server role is required in your on-premises Exchange organization. All on-premises Exchange 2016 servers need to have the latest release of Exchange 2016, or the release immediately prior to the current release, installed to support hybrid functionality with Office 365.
  • Office 365-   Hybrid deployments are supported with Office 365 Enterprise, Government and Academic plans.
  • Hybrid Configuration wizard-   Exchange 2016 includes the Hybrid Configuration wizard which provides you with a streamlined process to configure a hybrid deployment between on-premises Exchange and Exchange Online organizations.
  • Azure AD authentication system-   The Azure Active Directory (AD) authentication system is a free cloud-based service that acts as the trust broker between your on-premises Exchange 2016 organization and the Exchange Online organization. On-premises organizations configuring a hybrid deployment must have a federation trust with the Azure AD authentication system. The Hybrid Configuration wizard as part of configuring a hybrid deployment creates the federation trust. A federation trust with the Azure AD authentication system for your Office 365 tenant is automatically configured when you activate your Office 365 service account.
  • Azure Active Directory synchronization-   Azure AD synchronization uses Azure AD Connect to replicate on-premises Active Directory information for mail-enabled objects to the Office 365 organization to support the unified global address list (GAL) and user authentication. Organizations configuring a hybrid deployment need to deploy Azure AD Connect on a separate, on-premises server to synchronize your on-premises Active Directory with Office 365.
  • Active Directory Federation Services- AD FS provides simplified, secured identity federation and Web single sign-on (SSO) capabilities for end users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud.
  • Web Application Proxy Server- The Web Application Proxy under the Remote Access role that allows administrators to securely publish applications for external access. This service acts as a reverse proxy and as an Active Directory Federation Services (AD FS) proxy.

Hybrid infrastructure

To be able to configure your current on-premises Exchange organization for a hybrid deployment, the following components are required.

Exchange Server 2016 with Mailbox Role EXCH2016
Exchange Server 2016 with Edge Transport Role EXCH2016EDGE
Windows Server 2016 with Azure Active Directory Connect (AAD Connect) Installed AADCONNECT
Active Directory Federation Server(s) ADFS2016
Web Application Proxy Server in perimeter EDGE2016
Domain Controller running on minimum Windows Server 2008 R2 DC01
Office 365 Subscriptions with default domain configured i.e. Service tenant FQDN Domain.onmicrosoft.com
Accepted Domain in Office 365 and On-premises Domain.com
On-premises domain type Authoritative
Office 365 Domain Type Internal Relay
User principal name domain and Microsoft Online ID domain @domain.com
External Azure AD Connect with AD FS FQDN sts.domain.com
On-premises Autodiscover FQDN Autodiscover.domain.com
Office 365 Autodiscover Autodiscover.outlook.com

Configuring Hybrid Exchange Server

Step1: Add and validate primary Email domain to Office 365

Perform the following steps to add the primary SMTP namespace to Office 365:

  1. Log on to: Office 365 admin center preview
  2. Click Settings > Domains > Add domain.
  3. Enter the primary SMTP namespace. For example, domain.com. Then, click Next.
  4. Copy the TXT record from the Wizard, go to domain management portal and add a text record ms=msxxxxxxx record and verify the domain. Setup TTL to 10 minutes. When complete, wait 10 minutes and then click Verify. If the wizard says it can’t verify your domain ownership, you might need to wait longer for your DNS records to update across the Internet; this might take several hours. Also verify that the record you created is correct.
  5. On the Required DNS settings page, click Continue setup. Don’t update your DNS records right now. Instead, you’ll update your DNS records later in your hybrid deployment.
  6. On the Set up your online services page, select I’ll manage my own DNS records and click Next.
  7. On the Update DNS settings page, select Skip this step – I have custom DNS records, so I’ll add the records I need later. I understand that some Office 365 services may be unavailable until I manually add the records with my registrar. Click Skip, and then click Finish.

Step2: Setup Primary SMTP Domain to Internal Relay

Definitions of Domain Type

Authoritative – Selecting this option means that email is delivered to email addresses that are listed for recipients in Office 365 for this domain. Emails for unknown recipients are rejected.

Internal relay – Selecting this option means that recipients for this domain can be in Office 365 or your on-premises mail servers. Email is delivered to known recipients in Office 365 or is relayed to your own email server if the recipients aren’t known to Office 365.

Use the Exchange Online EAC to change the domain type

  1. In the EAC, navigate to Mail flow > Accepted domains.
  2. Select the domain and click Edit .
  3. In the Accepted Domain window, in the This accepted domain is section, select the domain type. Edit the domain value to Internal relay.

Step3: Configure Active Directory synchronization

  1. Download Azure Active Directory Connect on the computer where you’ll install it, and then open it.
  2. On the Welcome page, click Next if you agree to the license terms and privacy notice.
  3. On the Express Settings page, click Customize.
  4. On the Install required components page, click Install.
  5. On the User sign-in page, select Federation with AD FS and then click Next.
  6. On the Connect to Azure AD page, enter the username and password for a user account that is a Global Administrator in your Office 365 organization , and then click Next.
  7. On the Connect your directories page, select the Active Directory forest that contains the Exchange organization you want to configure for hybrid deployment, and then enter the username and password for a user account that’s a member of the Enterprise Administrators group in that forest. Click Next.
  8. On the Domain and OU filtering page, select Sync all domains and OUs if you want to synchronize all of your on-premises Active Directory users to Office 365. If you want to select a specific organizational unit (OU), select Sync selected domains and OUs, and then select the Active Directory domains and OUs you want to synchronize. Click Next.
  9. On the Uniquely identifying your users page, make sure that Users are represented only once across all directories is selected, and then click Next.
  10. On the Filter users and devices page, make sure that Synchronize all users and devices is selected, and then click Next.
  11. On the Optional Features page, select Exchange hybrid deployment, and then click Next.
  12. On the AD FS farm page, select Configure a new Windows server 2016 AD FS farm.
  13. In the Certificate File field, browse to the third-party certificate that includes a subject alternative name (SAN) that matches the external FQDN of the AD FS server. This certificate needs to include a private key. In the Subject Name field, select the SAN you want to use, for example sts.domain.com. Click Next.
  14. On the AD FS Servers page, click Browse, select the name of the server where you’re installing Azure AD Connect with AD FS, and then click Add.
  15. On the Web application proxy servers page, click Browse, select the name of the server that will act as a web proxy for external connections, and then click Add.
  16. On the Proxy trust credentials page, enter the username and password of a user account that can access the certificate store on the AD FS server that contains the certificate you specified earlier in these steps, and then click Next.
  17. On the AD FS service account page, select Create a group Managed Service Account, enter the username and password for a user that’s a member of the Enterprise Admins group, and then click Next.
  18. On the Azure AD Domain page, select the domain that matches the custom domain that you added to your Office 365 organization and matches the User Principal Name users with which users will log in. For example, if you added the custom domain domain.com, and usernames are @domain.com, select domain.com from the list. Click Next.
  19. On the Ready to configure page, select Start the synchronization process as soon as the configuration completes, and then click Next.
  20. On the Configuration complete page, click Exit.
  21. Make sure that your firewall is configured to allow connections on TCP port 443 from external sources to your AD FS web proxy server.
  22. At this point, Azure AD Connect will synchronize your on-premises user accounts and their information to your Office 365 organization. Depending on how many accounts need to be synchronized, this might take a while.

Step4: Create Federation with Azure Active Directory

Remote into the Primary ADFS Server, Run the below cmdlets

Connect-MsolService
Set-MsolAdfsContext -Computer “adfsserver.domain.com”
Convert-MsolDomainToFederated -Domain “domain.com” -SupportMultipleDomain

If you have multiple userprincipalname, you have run the below cmdlets to federate with Azure AD.
Convert-MsolDomainToFederated -Domain “domain1.com” -SupportMultipleDomain
Convert-MsolDomainToFederated -Domain “domain2.com” -SupportMultipleDomain
Update-MsolFederatedDomain -Domain “domain1.com” -SupportMultipleDomain
Update-MsolFederatedDomain -Domain “domain2.com” -SupportMultipleDomain

Further reading ADFS Configuration Guide

Step5: Verify tenant configuration

To create a mailbox in the Exchange Online organization, do the following:

  1. Open Active Directory Users and Computers on an Active Directory domain controller in your on-premises organization.
  2. Expand the container or organizational unit (OU) where you want to create a new Active Directory user.
  3. Click Action in the menu bar, and then click New > User.
  4. Enter the required user information. Because this user will be associated with a test mailbox, we recommend that you clearly identify the user as such. For example, name the user “Test User”.
  5. In the User logon name field, provide the user name that the user should specify when logging into their user account. This user name, combined with the user principal name (UPN) in the drop-down box next to the User logon name field, makes up the Microsoft Online Identity of the user. The Microsoft Online Identity typically matches the user’s email address, and the domain suffix chosen should match the federated domain configured in Active Directory Federation Services. For example, testuser@domain.com. Click Next.
  6. Enter a password for the new user, specify any options you want to set, and then click Next.
  7. Click Finish.
  8. Run delta synchronization to synchronize the new user to the Office 365 organization  using this PowerShell Cmdlet. Start-ADSyncSyncCycle -PolicyType Delta
  9. Log on to: Office 365 service administration portal
  10. Assign a E1 or E3 license to the new user.

Step6: Install Edge Transport server

The Edge Transport server role is typically deployed on a computer located in an Exchange organization’s perimeter network and is designed to minimize the attack surface of the organization. The Edge Transport server role handles all Internet-facing mail flow, which provides SMTP relay and smart host services for the on-premises Exchange organization. Use Edge Transport servers if you don’t want to expose internal Exchange 2016 Mailbox servers directly to the Internet.

If you already have an Edge Transport server deployed in your on-premises organization, you can skip this checklist step unless you’d like to install additional Edge Transport servers.

Step7: Configure Edge servers

After installing the Exchange 2016 Edge Transport server, or if you already have an Edge Transport server in your on-premises Exchange organization, you must configure the following services and parameters to enable the Edge Transport server to handle secure communications between the on-premises Exchange servers, clients, and Office 365. If you already have an Edge Transport Server, skip this step.

Follow additional guidelines to Edge Transport Server.

Further References on Edge Transport Server.

Step8: Configure DNS

Hybrid requirement DNS record Record type Value
Required for all hybrid deployments autodiscover.domain.com CNAME or A If using CNAME DNS:  mail.domain.com

If using Host A DNS:  External IP address of an Exchange 2016 Mailbox server or firewall

Recommended as a best practice for all hybrid deployments SPF TXT v=spf1 include:spf.protection.outlook.com ~all
ADFS Public record sts.domain.com A Public IP address of the AD FS web proxy server or firewall
Internal record by editing Hosts File located %SystemRoot%\system32\drivers\etc\HOSTS of WAP server sts.domain.com A Internal IP address of the AD FS Servers

Step9: Firewall Configuration

If your organization uses Office 365 and restricts computers on your network from connecting to the Internet, below you’ll find the endpoints (FQDNs, Ports, URLs, IPv4, and IPv6 address ranges) that you should include in your outbound allow lists to ensure your computers can successfully use Office 365.

Hybrid deployment configuration changes may require you to modify security settings for your on-premises network and protection solutions. Exchange 2016 Mailbox servers must be accessible on TCP port 443, and Edge Transport and Mailbox servers must be accessible on TCP port 25. Other Office 365 services, such as SharePoint Online and Lync Online, may require additional network security configuration changes. If you’re using Microsoft Threat Management Gateway (TMG) in your on-premises organization, additional configuration steps will also be needed to allow full Office 365 integration in the hybrid deployment.

Step10: Configure Exchange Web Services

The external fully qualified domain name (FQDN) of your Internet-facing Exchange 2016 Mailbox server needs to be configured on several virtual directories for a hybrid deployment. By completing this checklist step, the external URL on the Exchange Web Services (EWS), Outlook Address Book (OAB), Outlook Web App (OWA), Exchange Control Panel (ECP), and the Exchange ActiveSync (Microsoft-Server-ActiveSync) virtual directories will be reset to the external FQDN of your Internet-facing Exchange 2016 Mailbox server.

Follow additional guidelines to configure web services.

Further References on Web Services.

Step11: Configure MRS Proxy

The Exchange 2016 Mailbox servers are the internet-facing servers for the organization, with a load balancer distributing traffic across them. Since those servers will be internet-facing for the Hybrid configuration, they need to be MRS Proxy enabled. Currently they are not MRS Proxy enabled, as seen here in the output of Get-WebServicesVirtualDirectory.

GetWebServicesVirtualDirectory ADPropertiesOnly | Where {$_.MRSProxyEnabled ne $true} | SetWebServicesVirtualDirectory MRSProxyEnabled $true

Step12: Configure Exchange certificates

Digital certificates are an important requirement for secure communications between on-premises Exchange 2016 servers, clients, and Office 365. You need to obtain a certificate that will be installed on Mailbox and Edge Transport servers from a third-party trusted certificate authority (CA).

Before you can configure certificates on Exchange servers, you need to get a certificate from a trusted CA. Complete the following task on an Exchange 2016 Mailbox server if you need to generate a request for a new certificate for use with the hybrid deployment.

Follow additional guidelines to install certificates.

Further References on Exchange Certificates.

Step13: Run Hybrid Configuration wizard

The Hybrid Configuration wizard helps you establish your hybrid deployment by creating the HybridConfiguration object in your on-premises Active Directory and gathering existing Exchange and Active Directory topology configuration data. The Hybrid Configuration wizard also enables you to define and configure several organization parameters for your hybrid deployment, including secure mail transport options.

You can use the Hybrid Configuration wizard in the EAC on an Exchange 2016 server in your on-premises organization to create and configure the hybrid deployment.

  1. In the EAC on an Exchange 2016 server in your on-premises organization, navigate to the Hybrid, In the Hybrid node, click Configure to enter your Office 365 credentials.
    At the prompt to log in to Office 365, select sign in to Office 365 and enter the account credentials. The account you log into needs to be a Global Administrator in Office 365.
  2. Click Configure again to start the Hybrid Configuration wizard.
  3. On the Microsoft Office 365 Hybrid Configuration Wizard Download page, click Click here to download wizard. When you’re prompted, click Install on the Application Install, Click Next, and then, in the On-premises Exchange Server Organization section, select Detect a server running Exchange 2013 CAS or Exchange 2016. The wizard will attempt to detect an on-premises Exchange 2016 server. If the wizard doesn’t detect an Exchange 2016 server, or if you want to use a different server, select Specify a server running Exchange 2013 CAS or Exchange 2016 and then specify the internal FQDN of an Exchange 2016 Mailbox server.
  4. In the Office 365 Exchange Online section, select Microsoft Office 365 and then click Next.
  5. On the Credentials page, in the Enter your on-premises account credentials section,  specify a different set of credentials, specify the username and password an Active Directory account you want to use. Whichever selection you choose, the account used needs to be a member of the Enterprise Admins security group.
  6. In the Enter your Office 365 credentials section, specify the username and password of an Office 365 account that has Global Administrator permissions. Click Next.
  7. On the Validating Connections and Credentials page, the wizard will connect to both your on-premises organization and your Office 365 organization to validate credentials and examine the current configuration of both organizations. Click Next when it’s done.
  8. On the Hybrid Features page, select Full Hybrid Configuration and then click Next.
  9. On the Hybrid Domains, select the domain or multiple accepted domains you want to include in your hybrid deployment. In most deployments you can leave the Auto Discover column set to False for each domain. Only select True next to a domain if you need to force the wizard to use the Autodiscover information from a specific domain.
  10. Click Next.
  11. On the Federation Trust page, click Enable and click then Next.
  12. On the Domain Ownership page, click Click copy to clipboard to copy the domain proof token information for the domains you’ve selected to include in the hybrid deployment. Open a text editor such as Notepad and paste the token information for these domains. Before continuing in the Hybrid Configuration wizard, you must use this info to create a TXT record for each domain in your public DNS.
  13. Click Next after the TXT records have been created and the DNS records have replicated.
  14. On the Hybrid Configuration page, select the Configure my Edge Transport servers for secure mail transport option to configure your on-premises Edge Transport servers for secure mail transport with Office 365. Click Next.
  15. If you want Office 365 to send all outbound messages to external recipients to your on-premises transport servers, select the Enable centralized mail transport check box in the More options section.The on-premises transport servers will be responsible for delivering the messages to external recipients. This approach is helpful in compliance scenarios where all mail to and from the Internet must be processed by on-premises servers. If this check box is not selected, Office 365 will bypass the on-premises organization and deliver messages to external recipients directly using the recipient’s external DNS settings.You select this option if you want to use your own Spam Filter.
  16. On the Edge Transport Servers page, select the Edge Transport server you want to configure for secure mail transport. click Next. In this section, you have to provide the public IP addresses of edge servers or public FQDN of edge servers.
  17. On the Transport Certificate page, in the Select a reference server field, select Exchange 2016 Mailbox server that has the certificate you configured earlier in the checklist.
  18. In the Select a certificate field, select the certificate to use for secure mail transport. This list displays the digital certificates issued by a third-party certificate authority (CA) installed on the Mailbox server selected in the previous step. Click Next.
  19. On the Organization FQDN page, enter the externally accessible FQDN for your Internet-facing Exchange 2016 Mailbox server. Office 365 uses this FQDN to configure the service connectors for secure mail transport between your Exchange organizations. For example, enter “mail.domain.com”. Click Next.
  20. The hybrid deployment configuration selections have been updated, and you’re ready to start the Exchange services changes and the hybrid deployment configuration. Click Update to start the configuration process. While the hybrid configuration process is running, the wizard displays the feature and service areas that are being configured for the hybrid deployment as they are updated.
  21. When the wizard has completed all of the tasks it can perform automatically, it’ll list any tasks that you need to address manually before your hybrid deployment configuration is complete.
  22. The wizard displays a completion message and the Close button is displayed. Click Close to complete the hybrid deployment configuration process and to close the wizard.
  23. You’ll probably need to configure the Receive connector on your Edge Transport server by doing the following.
    Open the Exchange Management Shell on your Exchange 2016 Edge Transport server.
    Run the following command to list the Receive connectors on your Edge Transport server. Make note of the Receive connector that’s listening on TCP port 25.Get-ReceiveConnectorRun the following command to configure the Receive connector. Replace the name of the Receive connector in the following command with the name of the connector you identified in the previous step.Set-ReceiveConnector “Edge\Default internal receive connector Edge” -TlsDomainCapabilities mail.protection.outlook.com:AcceptOorgProtocol -Fqdn “mail.domain.com”24. Additional Steps for Centralised Mailflow or Route all inbound-outbound emails through on-premises servers. You need to enable remote mailbox using enable-remotemailbox and set target address using set-remotemailbox for this each mailbox as user1@domain.mail.onmicrosoft.com where domain is your domain name in Office 365. You must run full sync after this on the AAD Connect Server. You must run start-edgesynchronization –Server EXCH2016MailboxServer on the Edge Transport 2016 Server

Step14: Send Connector and Receive Connector Configuration on the on-premises server

Use the EAC to create an Internet Send connector

  1. In the EAC, navigate to Mail flow > Send connectors, and then click Add . This starts the New Send connector
  2. On the first page, enter the following information: Name: To Office 365 and Type: Internet When you are finished, click Next.
  3. On the next page, verify that MX record associated with recipient domain is selected. When you are finished, click Next.
  4. On the next page, In the Address space section, click Add . In the Add domain dialog box that appears, in Fully Qualified Domain Name (FQDN), enter an asterisk (*), and then click Save. This value indicates that the Send connector applies to messages addressed to all external domains. When you are finished, click Next.
  5. On the next page, in the Source server section, click Add . In the Select a Server dialog box that appears, select one or more Edge Transport Servers if you route email through Edge Server if not enter mailbox servers that you want to use to send mail to the Internet. If you have multiple Mailbox servers in your environment, select the ones that can route mail to the Internet. If you have only one Mailbox server, select that one. After you’ve selected at least one Mailbox server, click Add, click OK, and then click Finish.

Use the EAC to Create a Receive Connector to Receive Secure Messages from a Partner

  1. In the EAC, navigate to Mail flow > Receive connectors. Click Add to create a new Receive connector.
  2. On the New receive connector page, specify a name for the Receive connector and then select Frontend Transport for the Role. Since you are receiving mail from a partner in this case, we recommend that you initially route mail to your front end server to simplify and consolidate your mail flow.
  3. Choose Partner for the type. The Receive connector will receive mail from a trusted third party.
  4. For the Network adapter bindings, observe that All available IPV4 is listed in the IP addresses list and the Port is 25. (Simple Mail Transfer Protocol uses port 25.) This indicates that the connector listens for connections on all IP addresses assigned to network adapters on the local server. Click Next.
  5. If the Remote network settings page lists 0.0.0.0-255.255.255.255, which means that the Receive connector receives connections from all IP addresses, click Remove 0.0.0-255.255.255.255 to remove it. Click Add EOP IP Addresses, and Datacentre IP Addresses add the IP address for your partner’s server, and click Save.
  6. Click Finish to create the connector.
  7. Run the below Cmdlets in Mailbox Server

Get-ReceiveConnector “Inbound from Office 365“ | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “ms-Exch-SMTP-Accept-Any-Recipient”

  1. Verify Receive Connector using below Cmdlets

Get-ADPermission -Identity “ Inbound from Office 365” -User “NT AUTHORITY\ ANONYMOUS LOGON” | where {($_.Deny -eq $false) -and ($_.IsInherited -eq $false)} | Format-Table User,ExtendedRights

  1. Add Datacentre IP Addresses using this Link
  2. Troubleshoot using this link

Step14: Create a test mailbox

You can use the Office 365 Mailbox wizard in the EAC on an Exchange server to create a test mailbox in Office 365. If you want to create more than one test mailbox, you’ll have to use this wizard for each test mailbox. You can’t use the wizard to create multiple test mailboxes.

  1. Log into the EAC on an on-premises Exchange 2016 server.
  2. In the EAC, navigate to Enterprise > Recipients > Mailboxes.
  3. Expand the menu at the Add  control and select Office 365 mailbox.
  4. On the New Office 365 mailbox page, specify the following settings:
    • First Name   Type the first name of the new user.
    • Initials   Type the initials of the new user.
    • Last Name   Type the last name of the new user.
    • User logon name   Type the user logon name of the new user and select the primary SMTP domain used for your other on-premises users. For example, @domain.com.
    • Mailbox type   Choose the type of mailbox to create. For example, User mailbox.
    • Password   Type the password.
    • Confirm password   Retype the password.
    • Make sure the Create an archive mailbox check box is not selected.
  5. Click Save to continue.
  1. Start-ADSyncSyncCycle -PolicyType Delta

Step15: Move or create mailboxes

You can use the remote move migration wizard in the Office 365 tab in the Exchange admin center (EAC) on an Exchange server to move existing user mailboxes in the on-premises organization to Office 365:

  1. Open the EAC and navigate to Office 365 > Recipients > migration.
  2. Click Add  and select Migrate to Exchange Online.
  3. On the Select a migration type page, select Remote move migration and then click Next.
  4. On the Select the users page, click Add , select the on-premises users to move to Office 365 and click Add, and then click OK. Click Next.
  5. On the Enter the Windows user account credential page, enter the on-premises administrator account name in the On-premises administrator name text field and enter the associated password for this account in the On-premises administrator password text field. For example, “Domain\administrator” and a password. Click Next.
  6. On the Confirm the migration endpoint page, verify that the FDQN of your on-premises Mailbox server is listed when the wizard confirms the migration endpoint. For example, “mail.domain.com”. Click Next.
  7. On the Move configuration page, enter a name for the migration batch in the New migration batch name text field. Use the down arrow  to select the target delivery domain for the mailboxes that are migrating to Office 365. In most hybrid deployments, this will be the primary SMTP domain used for both on-premises and Office 365 mailboxes. For example, user@domain.com. Verify that the Move primary mailbox along with archive mailbox option is selected, and then click Next.
  8. On the Start the batch page, select at least one recipient to receive the batch complete report. Verify that the Automatically start the batch and Automatically complete the migration batch options are selected. Click New.
  9. While the mailboxes are being moved, you will see a status of Synching in the migration status for each mailbox moved to Office 365. After the mailbox move request reaches a status of Completed, the mailbox migration process is complete.

Step16: Test hybrid deployment connectivity

Testing the external connectivity for critical Exchange 2016 and Office 365 features is an important step in ensuring that your hybrid deployment features are functioning correctly. The Microsoft Remote Connectivity Analyzer is a free online web service that you can use to analyze, and run tests for, several Exchange 2016 and Office 365 services, including Exchange Web Services, Outlook, Exchange ActiveSync, and Internet email connectivity.

Centralized Mailflow: NDR Remote Server returned ‘550 5.7.1 Unable to relay’

 Environment:

  • Mailbox hosted on the Exchange Online
  • Hybrid on-prem Exchange 2010/2013 with Microsoft Exchange Online
  • Centralized Mailflow configured for Exchange 2013
  • Route all emails through on-premises configured for Exchange 2010
  • Accepted domain configured either Managed or Authoritative on the Exchange Online Side 
  • MX Record pointed to third party cloud Antispam or On-prem Antispam/Firewall

 Issue: When you send email from a mailbox hosted in Exchange Online to an internal recipient or an external recipient via on-premises server, you receive a NDR ‘550 5.7.1 Unable to relay’

Root Cause: There are customers who would like to utilize existing investment on the on-premises Antispam filter or use third part cloud based Antispam filter for compliance purpose. Hence these customers configured centralized mailflow on the hybrid configuration wizard which lead to “unable to relay” NDR when they change few configuration and introduce new domain on the Exchange Online. There are many possible reasons why you have been issued with a NDR ‘550 5.7.1 Unable to relay’.

  • You have added multiple federated domains (e..g @domain1.com, @domain2.com ) but these domains (e.g. @domain1.com, @domain2.com) are not in Hybrid Configuration
  • You have added multiple federated domains (e.g. @domain1.com, @domain2.com ) and domains (e.g. @domain1.com, @domain2.com ) have been setup as “Authoritative Domain” instead of “Internal Relay” on the Exchange Online side
  • You have added multiple federated domains (e.g. @domain1.com, @domain2.com ) but you have configured Office 365 Connectors to Send and Receive Email from only One Domain e.g. domain.com. Wild card “*” not configured within the Send Connector of Exchange Online.
  • Microsoft has changed EOP IP addresses and you did not add latest EOP IP Addresses on the Receive Connector of Edge Server
  • You configured an application to use Office 365 SMTP Relay but the Receive Connector of on-premises server has not been configured to accept email from any recipient

 To remediate the root cause, follow the steps.

  1. Copy the Message Header of Original NDR and Paste on the message analyser of https://testconnectivity.microsoft.com/ website. Analyse the message. Find out which IP address the message coming from e.g. EOP APAC IP Address is 104.47.64.0/18. Make sure these EOP IP Addresses are added on the receive connector of the on-premises server. List of EOP IP Addresses are subject to change without notice. Add all EOP IP addresses on the receive connector “Inbound from Office 365”. Refer to Microsoft KB 2750145
  2. Make sure Datacentre IP Addresses are added on the Receive Connector Properties. Refer to TechNet Blog.
  3. View Extended Rights of Receive Connectors of On-premises Server.

 Get-ReceiveConnector | Get-ADPermission | where {$_.User -like ‘*anonymous*’} | ft identity,user,extendedrights,accessrights

     4. Assign Extended Rights to accept email from any recipient.

Get-ReceiveConnector Inbound from Office 365 | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “ms-Exch-SMTP-Accept-Any-Recipient”

     5. Open Office 365 Connector on the Office 365 Admin Center and make sure you have entered “*” wild card as the domain

    6. Rectify SPF Record with the following records. If you have DKIM Record and DMARC Record. Rectify those records as well. SPF Record of domain.com looks like this one

 v=spf1 ip4:<Public IP Address of domain.com>, ip4: :<Public IP Address of MX Record>, ip4: :<Public IP Address of Application/devices>, include:spf.protection.outlook.com ~all

   7. Download .NET Framework 4.5 and install .NET Framework. .NET is a Pre-req. Run Hybrid Configuration wizard select desired Federated Domains, Select all CAS Servers, Type the correct public IP addresses of Edge Server, select centralised mailflow, Select Correct certificate. Complete the Wizard.

 8. Open Send Connector on the On-premises Server, Remove all the Hub/CAS servers and add Edge Servers.

 Restart Transport Services from On-premises Server

 9. On a Hybrid Configuration, you must configure Accepted Domain as Authoritative Domain on the On-premises side and Office 365 side as Internal Relay. For Example, domain1.com should be configured as Authoritative Domain on the on-premises side and domain1.com should be configured as Internal Relay on the Exchange Online side.  

 10. Open On-premises Exchange Management Shell and run Start-EdgeSynchronization start syncing Edge Transport Server.

 11. Test mailflow from internal and external sender to internal recipient

 Relevant Articles

Fix email delivery issues for error code 5.7.1 in Office 365

Exchange Online Protection IP addresses

Hybrid Mailflow Best Practices

Set up connectors to route mail between Office 365 and your own email servers

Transport Options Hybrid Deployment

 Transport Routing Hybrid Deployment 

Mailflow Co-existence between G-Suite and Office 365 during IMAP Migration

This article will explain how to create mail flow coexistence between disparate IMAP source and Exchange Online destination.

Use case:

  1. Customer wants a mailflow co-existence between hosted email e.g. Gmail and Exchange Online during mailbox migration phase.
  2. Customer has on-premises Exchange Server but does not want to create hybrid environment or have a situation where hybrid configuration is not feasible.
  3. Customer plans to migrate mailboxes, calendar, contacts, resources and distribution groups to Exchange Online in phases.
  4. Customer does not want a cutover migration to Exchange Online.

Source Environment:

  1. Email Domain: Domain.com
  2. Migration Method: IMAP
  3. Source Infrastructure: On-premises Microsoft Exchange or Hosted Gmail

Destination Environment:

  1. Office 365 Tenant: domain.onmicrosoft.com
  2. Default Domain: domain.onmicrosoft.com
  3. Email Domain: Domain.com
  4. CatchAll Domain or Subdomain: subdomain.domain.com

Migration Method:

  • Pre-stage: In pre-stage migration, data will be pre-filled to a place holder mailbox then migrate delta changes.
  • Backfill: In backfill method, data will be back filled to a real mailbox after cutover.

Prepare Source Email Domain:

  1. Add Proxy address or alias to all mailboxes.

To add proxy address, create a CSV file with the below header and run the scripts

Name, EmailAddress

User1@domain.com, user1@domain.onmicrosoft.com

Import-Csv c:\data.csv | Foreach{

$maileg = Get-Mailbox -Identity $_.Name

$maileg.EmailAddresses += $_.emailaddress

$maileg | Set-Mailbox -EmailAddresses $_.emailaddress

}

  1. Create target address or forwarding address to all mailboxes. To add target address, create a CSV file with the below header and run the script

CSV Headers are Mailbox, ForwardTo

User1@domain.com, user1@domain.onmicrosoft.com

user1@domain.com, user1@subdomain.domain.com

Import-CSV “C:\CSV\Users.csv” | ForEach {Set-Mailbox -Identity $_.mailbox -ForwardingAddress $_.forwardto}

  1. Send & Receive Connector

If you have strict mailflow condition on the on-premises environment or hosted environment, you may have to create a send connector and receive connector to allow Office 365 email in both directions.

  1. MX record still pointed to source environment.

Prepare Exchange Online

  1. Create Office 365 tenant: domain.onmicrosoft.com
  2. Add customer domain e.g. domain.com on the Office 365 portal and validate the domain
  3. Go to Office 365 ECP, Select Mailflow, Click Accepted Domain, Select Domain.com, Click Edit and set the domain to Internal Relay
  4. Go to Office 365 ECP, Select Recipient, Go to Groups, Create a distribution group and add all users to the distribution group. To find a script to do the job, refer to step3 of post migration section of this article. replace remove-distributiongroupmember to add-distributiongroupmember on the script.
  5. Go to Office 365 ECP, Select Mailflow, Connectors, create an Outbound Send Connector to send email from Office 365 to Your organisation email server. When creating this Connector select the smart host option and on the smart host window, type the Public IP Address or FQDN of MX record of domain.com
  6. Go to Office 365 ECP, Select Mailflow, Rules, create a rule to forward any inbound emails coming to @domain.com and member of special distribution group created in step 4 to be forwarded to the send connector you have created in previous steps 5.
  7. Enable Mailflow for subdomain or catchall domain i.e. @subdomain.domain.com Set-AcceptedDomain -Identity domain.com -MatchSubdomains $true

Mailflow during migration phase

When an Exchange Online mailbox user1@domain send mail to user2@domain.com (On-premises/hosted Gmail), as user2 does not exist at Exchange Online side, and the domain: domain.com set as “Internal Relay” under “Accept domain” configuration, so the message will delivery to on-premises/Gmail through special outbound connector.

Post Migration:

Once you have migrated a batch of mailboxes, you have to remove proxy address and forwarding address from that batch of source mailboxes on the source email domain.

  1. Remove Proxy Address from Source Environment

CSV Headers are Name and EmailAddress

User1@domain.com, user1@domain.onmicrosoft.com

Import-Csv C:\CSV\ProxyAddress.csv | Foreach{

$maileg = Get-RemoteMailbox -Identity $_.Name

$maileg.EmailAddresses += $_.emailaddress

$maileg | Set-Mailbox -EmailAddresses @{Remove=$_.EmailAddress} }

 

  1. Remove Forwarding address from Source Environment

CSV headers are Mailbox, ForwardTo

User1@domain.com, user1@domain.onmicrosoft.com

Import-CSV “C:\CSV\Users.csv” | ForEach {Set-Mailbox -Identity $_.mailbox -ForwardingAddress @{Remove=$_.forwardto}}

  1. Remove the batch of mailboxes from the distribution groups once migrated to Office 365.

CSV Headers are

Identity, Members

Accounts, user1@domain.com

Import-Csv “C:\CSV\RemoveMembers.csv” | foreach{Remove-DistributionGroupMember -Identity $_.identity -Member $_.members}

  1. Delete special Distribution Group, Maiflow rule and Outbound Connector created on the step 4, step 5 and step 6 after MX record cutover to Office 365.

 

Why Managed vCenter Provider cannot be called Cloud Provider?

Before I answer the question of the title of this article, let’s start with what is public cloud and how a public cloud can be defined.

In cloud computing, the word cloud (also phrased as “the cloud”) is used as a metaphor for “the Internet,” so the phrase cloud computing means “a type of Internet-based computing,” where different services and applications are delivered to an organization through the Internet.

Cloud computing is a method of computing that relies on sharing computing resources rather than having own dedicated local resources to handle workloads such as an application. In this type of computing, unused resources are released back to the pool of resources and reutilised when resources are in demand.

There may be differences in service and application offered by cloud service provider but almost all cloud service provider offer some common services, automation, compliance and utilities to tenant. Almost all major service providers have common characteristics and some has enhanced characterises when comes to cloud computing:

Example: Microsoft Azure Platform or Amazon Web Services

Common Features:

Shared Hardware: By definition public cloud is a multi-tenant environment, resources are shared among clients. Multiple clients are hosted on the same hardware, storage and network devices as the other tenants in the cloud.

Cost effective: Public clouds bring together greater levels of resource and so can benefit from the largest economies of scale. The centralised operation and management of the underlying resources is shared across all of the subsequent cloud services whilst components, such as servers, require less bespoke configuration. Some mass market propositions can even be free to the client, relying on advertising for their revenue.

Ownership and proprietary obligations: You may curious to know who owns what between your cloud provider and you. Your cloud provider owns the layer of physical hardware which you don’t have any control or say what they buy or replace. But you have the ownership of your data, intellectual properties, virtual servers and application. As long as you pay the bills and you do lawful business on hosted environment, your service provider has no rights to switch off or being regular outage on the virtual servers and application without you being notified or compensated.

Enhanced Features:

Self-management: with the high volume, utility model, self-managed systems are required for this business model to make sense. Advantage here for the tech savvy tenants that like to setup and manage the details of their own domain, servers and application by themselves. In this type of cloud based solution provides client with control of their own data and intellectual properties. Self-service is also provide a sense of ownership to a tenant who is willing to manage their own uses of the service and application and keep track of bills and data they own.

Security: Since public cloud is a multi-tenant environment, physical and logical securities are in place to protect a tenant being visible by another tenant. Security is not just placing a Cisco ASA or Juniper firewall in the front of internet and having some virtual switches in vCenter. This is the security that complies with corporate policies and regulations of each territories, the tenant resides.

Hardware Performance: In the public cloud, you cannot select the physical hardware such as compute, cache, network or storage devices. Your virtual server is placed on whatever hardware and network, the cloud provider designates for you. But you have the choice to buy various types of compute, network, load balancer, virtual IP address and storage based on your requirement such as specific IOPS and latency requirement by your application. You can chose to place virtual server with high IOPS capability and very low latency storage. Off course there will extra cost involve by doing so but you will be at least guaranteed performance of the virtual machine. Example: Azure Storage Classification

Network: Even though public cloud is a shared model but you have the choice to procure a dedicated high bandwidth secure network within the shared network guaranteed by the provider. The service provider also guarantees you the security of this network your company procured from the service provider.Example: Azure ExpressRoute

Utility Model: Public Clouds typically deliver a pay-as-you-go model, where you pay by the hour for the compute resources you use. This is an economical way to go if you’re spinning up & tearing down development servers on a regular basis.

No Contracts: Along with the utility model, you’re only paying by the hour – if you want to shut down your server after only 2 hours of use, there is no contract requiring your ongoing use of the server.

Reliability: The sheer number of servers and networks involved in creating a public cloud and the redundancy configurations mean that should one physical component fail, the cloud service would still run unaffected on the remaining components. In some cases, where clouds draw resource from multiple data centres, an entire data centre could go offline and individual cloud services would suffer no ill effect. There is, in other words, no single point of failure which would make a public cloud service vulnerable

Flexibility: There are many IaaS, PaaS and SaaS services available on the market which follow the public cloud model and that are ready to be accessed as a service from any internet enabled device. These services can fulfil most computing requirements and can deliver their benefits to private and enterprise clients alike. Businesses can even integrate their public cloud services with private clouds, where they need to perform sensitive business functions, to create hybrid clouds. Example: Azure Service fabric

Ultimate scalability: cloud resources are available on demand from the public clouds’ vast pools of resource so that the applications that run on them can respond seamlessly to fluctuations in activity. You can acquire a vast pool of resources on to your domain via self-service portal without engaging the service provider. Example: Azure Big Data

Delivery through internet: The availability of public cloud services through an internet connection ensures that the services are available wherever the client is located. This provides invaluable opportunities to enterprise such as remote access to IT infrastructure or online document collaboration from multiple locations. Examples: Microsoft Office 365.

Hybrid Deployments: If a dedicated server is required to run a high speed and high IO database application that on-premises resources can be integrated from a private cloud to public cloud, in effect, hybridising the solution between virtual servers and dedicated servers. The service provider also provides you an option to hybridise your environment you own.

To answer the question, here is my explanation why Managed vCenter Provider cannot be called Cloud Provider?

A single virtual center server is a management point of this type of service provider mostly managed by the small technology team. This type of provider is acting as a trustee of your data instead of a cloud provider. There are possible security and compliance flaws of the systems you may not aware of. There might be potential many single point of failure you may not aware. The bills you received from this type of service provider you never been verified that you truly used those services and application because there is no self-service mechanism with this unscrupulous service provider. There is potential downtime and service outage with this service provider which you have never been compensated. This type of unscrupulous service provider do not follow any service level agreement or respect the agreement they signed. You are sacrificing your productivity by relying on them to provide you a hosted service which you never received with reliably. You cannot simply call them cloud provider. A term should be introduced saying “Managed vCenter” and “Trustee of Data”.

I may be the blogger who is saying this. But here is the global researcher “Gartner Inc.” has to say on who can be called cloud service provider as on May 2015.

Garnter Magic Quadrent

Related Articles:

Understand “X as a Service” or get stuck in “Pizza box as a Service”

Gartner’s verdict on mid-range and enterprise class storage arrays

Understanding Software Defined Storage (SDS)