In a typical enterprise, there would be multiple Azure subscriptions managed across various tenants. Each tenant would have multiple subscriptions for its respective environments. This blog focuses on managing multiple Azure subscriptions with Serverless360. Let us take a simple scenario to better understand how Serverless360 overcomes the challenges faced in the Azure portal with the help of the Composite Application.
Consider an organization named Fly Wheel Cab with multiple systems such as Vehicle Management, Driver On-Board Management, and Booking Management. These systems have multiple environments like Dev, Staging, and Production, each with its respective subscription on every tenant.
Considering the above scenario, there is no single place to manage and monitor all the subscriptions of multiple tenants. When resources interact with resources in another tenant, it is not possible to group and manage all of them in a single place. Below are some common challenges that most Azure users face with the Azure portal:
- No Application Visibility
- No Consolidated Monitoring
- No Deep Integrated tooling
- No Application-level security
In this article, we will see how Serverless360 can solve the above challenges with the help of the Composite Application.
What is a Composite Application?
A Composite Application is a logical container in which you manage Azure resources from different Azure subscriptions and tenants. It gives you an application-level view of your Azure Serverless business orchestration:
- Logically group all your siloed entities that participate in your business solution into a Serverless Composite Application
- Entities can be from different Azure Resource Groups, Azure Subscriptions, and Azure Regions
- Access all your business orchestrations in one place, the Composite Application dashboard. This dashboard offers a comprehensive view of the current state of all entities that constitute business orchestrations.
- Get immediate feedback on the entity status based on the configured monitors at the entity dashboard.
Serverless360 uses a Service Principal to connect Composite Applications to Azure Subscriptions. The Service Principal is an Azure Active Directory application that requires a contributor level of access.
A Composite Application can have multiple dashboards. Each dashboard consists of different types of customizable widgets, which can be configured and arranged to meet the user's needs.
Is It Possible to Merge Subscriptions into a Single Subscription in Azure?
Yes, technically, with a workaround, you can merge Azure subscriptions by moving the resource groups from one subscription to another within the same tenant. Once you have successfully moved all the resource groups, you can delete the empty subscription. Once you move a resource group from one subscription to another, all the access control at the user level and application level will be removed.
How Do I Manage Multiple Subscriptions in Azure?
Serverless360 supports handling multiple subscriptions and tenants within the same portal. So, by providing a different service principal for each subscription, you can effectively manage and monitor multiple subscriptions in Azure from Serverless360.
Can a Single Microsoft Account Be Used to Manage Multiple Azure Subscriptions?
Yes, a single Microsoft account can be used to manage multiple Azure subscriptions. Large-scale organizations with a huge footprint in Azure will normally provide two or more subscriptions to a single user, as they may be part of different projects or applications.
Providing Access to Azure Subscription
A Service Principal is an application within Azure Active Directory, which is authorized to access resources or resource groups in Azure. Serverless360 uses the authentication tokens of the Service Principal to manage the resources.
The user can assign permissions to the Service Principal that are different from their own Azure account permissions. Typically, these permissions are restricted to exactly what Serverless360 can do.
The user needs the following parameters to associate the Service Principal with Serverless360
To associate the Service Principal, the user first needs to create it.
Steps to create Service Principals
- Log in to the Azure portal and navigate to “Azure Active Directory” -> App Registrations
- Click “New registration” and create the Service Principal
Once the App is created, get the Client ID, Subscription ID, Tenant ID, and Client Secret to associate it with Serverless360.
To Authorize the Service Principal to Access the Resource Groups
- Navigate to “Subscriptions” and click on the subscription.
- In the left panel, find “Access control (IAM)” and click Add -> Add role assignment.
- Select the application created and click Save.
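As an added example (not code from Serverless360 or the original post), the Python check below reviews where each Service Principal actually holds Contributor after the role assignment step, and flags grants made at whole-subscription scope. It assumes records with the field names that `az role assignment list --all -o json` emits; the principal names, subscription IDs and sample records are constructed.

```python
import re

# Constructed sample records using the field names that
# `az role assignment list --all -o json` emits. All names and IDs are made up.
SUB_DEV = "11111111-1111-1111-1111-111111111111"
SUB_PROD = "22222222-2222-2222-2222-222222222222"
SAMPLE = [
    {"principalName": "sl360-dev", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB_DEV}"},
    {"principalName": "sl360-prod", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB_PROD}/resourceGroups/booking-rg"},
    {"principalName": "sl360-prod", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB_PROD}"},
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB_PROD}"},
]

SCOPE_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)"
    r"(?:/resourceGroups/(?P<rg>[^/]+)(?P<rest>/.+)?)?$", re.IGNORECASE)
WRITE_ROLES = {"owner", "contributor"}

def scope_level(scope):
    """Classify an ARM scope string as (level, subscription_id)."""
    m = SCOPE_RE.match(scope.rstrip("/"))
    if not m:  # management group, tenant root, or anything unrecognised
        return ("other", None)
    if m.group("rest"):
        return ("resource", m.group("sub"))
    if m.group("rg"):
        return ("resource_group", m.group("sub"))
    return ("subscription", m.group("sub"))

def audit(assignments):
    """List write-role grants held by service principals; flag broad scopes."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        if a.get("principalType") != "ServicePrincipal" or role.lower() not in WRITE_ROLES:
            continue
        level, sub = scope_level(a.get("scope", ""))
        findings.append({"principal": a.get("principalName"), "role": role,
                         "subscription": sub, "level": level,
                         # Unrecognised scopes are treated as broad on purpose.
                         "broad": level in ("subscription", "other")})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("BROAD" if f["broad"] else "ok   ", f)
```

Running the same check against the export of every subscription and tenant associated with Serverless360 gives one list of which Service Principals can modify an entire subscription and which are limited to a resource group.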
Associating the Service Principal with Serverless360
Sign up for Serverless360 and associate the Service Principal by clicking Associate Service Principal.
Enter the following credentials in Serverless360 and click Save:
- Subscription Id
- Tenant Id
- Client Id
- Client Secret
In the Service Principal section, the user can add multiple Service Principals of the same tenant or different tenants.
Once the Service Principal is associated, create the Composite Application to group all the resources of multiple subscriptions and tenants into a single container. Users can now leverage the various operational and support capabilities offered by Composite Applications. Some of the key capabilities of Composite Applications are described below.
Service Map helps users visualize how the entities in a Composite Application relate to each other. It serves as a physical representation of the architecture, from which the user can derive relationships between the entities that constitute the Composite Application. It provides a clean dashboard with a full application view and displays the state of each entity based on its monitoring configuration.
Bring the Entities to the Board
In the service map section of the Composite Application, the entities associated with the Composite Application are listed on the left side menu. It is also possible to include a component that is not in the scope of Serverless360 but will be a part of the solution. The required entities can be selected from the left section (palette), which will add the representation of the entity in the right section (diagram pane).
Connect the Entities to Define the Flow
A connection can be made between the entities by clicking and dragging from the center of the representation.
Save the Diagram
Once the diagram is saved, the entities will be displayed with the current monitoring status. Access detailed Error.
Edit If Required
The diagram can be edited by clicking the edit option. The issues list will not be displayed while in edit mode.
Infer Entity Status
Service Map indicates the health of the entity with the following color coding:
- Healthy - Green
- Warning - Amber
- Error - Red
Click on the entity in warning or error state to fetch the details of the issue as below.
Serverless360 Live Dashboards
Dashboards in Serverless360 are useful for learning more about the Azure resources in an application. With the variety of widgets available, users can analyze Azure resources on key metrics from various perspectives.
To know more about the Serverless360 dashboards, refer to the blog at https://www.serverless360.com/blog/live-dashboard-azure-serverless-applications.
Monitoring Capability in Serverless360
Serverless360 offers enterprises an out-of-the-box monitoring solution that helps administrators monitor distributed Azure services from different subscriptions and different tenants.
Types of Monitor
The threshold monitor in Serverless360 sends immediate alerts based on the configuration whenever there is a violation. Users can also schedule the monitor based on the required day and time. Users can also limit the number of alerts to restrict spamming.
The threshold monitor also offers an auto-correct option that keeps Azure services always in an enabled state. Users can simply turn on the auto-correct option and configure the expected state. The threshold monitor keeps an eye on the state and converts it to the expected one if it differs. This auto-healing capability enables production resources to be always in an enabled state.
Autocorrect alert generated from Serverless360 in the threshold monitor
In the above result, the Function App state did not match the expected state; the Function App state will now be healthy, and a compliance alert will be generated by the threshold monitor.
If the user needs a health report every two hours, they can create a status monitor and define the hours and notification channels. The status monitor can be configured to automate the daily health check by configuring the required hours.
Data Monitor is a performance monitor that offers an extensive set of metrics for every Azure resource, with which performance, latency and memory consumption can be monitored and alerted on when there is a violation. Below are certain monitoring options that are possible with the help of a Data Monitor.
- Evaluate availability of Service Bus Queue / Topic by monitoring on a combination of metrics ‘Server Errors’, ‘User Errors’ and ‘Size’
- Check on the efficiency of Service Bus Queue / Topic by verifying if you are processing the right number of messages in the specified time window hence ensuring that you meet your business requirements
- Check on the reliability of the Logic App by monitoring the number of failed runs, ‘Runs Failed’, every hour
- Get alerted on the consumption of the Logic App by monitoring whether the ‘Total Billable Executions’ exceeds a certain volume, etc.
This feature can help Azure portal administrators by easing the monotonous, repetitive tasks that an administrator is forced to do on a daily basis.
This feature can also be used by Azure developers to understand whether the applications that interact with an Azure Service Bus Queue / Topic handle them the right way, by monitoring the User Errors generated.
Consider a business orchestration where a Logic App and a Function App play a critical role. Failure in the Logic App or Function App is not acceptable, as it would bring the business process down. The Serverless360 watch monitor can continuously monitor the Trigger and Run history of an associated Logic App and notify the failure reason through the configured notification channels. In the case of the Function App, the invocation log is investigated to identify a failure. Watch monitors notify of a failure in the orchestration within the configured minutes (between 5 and 15 mins) of its occurrence.
Using Serverless360, users can manage and monitor multiple subscriptions across tenants in a single place. It also offers:
- Monitoring for Azure resources at the application-level
- Operational capabilities for developers to manage Azure resources
- Service Map to view the whole orchestration, which enables a support person to identify issues easily
- Dashboards for better analysis of the Azure resources