
11 Rad Ways Azure Lighthouse Integrates with Azure Services

Written by Hornetsecurity / 10.10.2019 /

Azure Lighthouse is changing how Managed Service Providers (MSPs) operate their business through its model of centralized multi-tenant management. MSPs can now manage many customers' Azure environments from their own tenant without switching accounts, directories, or subscriptions, and apply operations across all of those tenants at scale. This lets MSPs significantly reduce their operational costs and complexity while reaching more customers and maximizing their revenue.

Check out the first blog post from Altaro, which covers an overview of the Azure Lighthouse solution, and the second post, which explains the underlying Azure Lighthouse technology. This third post will cover key integrations with Azure services in the control plane and give you some ideas to help you scale your service provider business.

Azure Lighthouse with Existing Azure Services

Since Azure Lighthouse is a new solution offering, not every Azure service is supported yet. The key requirement for integration is that the Azure service must be manageable through Azure delegated resource management (ADRM): the customer (tenant) delegates a subscription or resource group and grants built-in Azure roles to users, groups, or service principals in the service provider's Azure AD tenant. Only built-in roles can be delegated, the Owner role cannot be, and roles that carry data actions are not supported, so the provider's access is scoped to the control plane by design. The following list of services is fully supported and should be considered by MSPs to include in their service offerings. The order below is a good way to think through your Azure Lighthouse offerings, starting with the most basic services and ending with more advanced options.
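The delegation itself is an ARM deployment at subscription scope in the customer tenant. The following is an added example, not code from the original post or from Microsoft, of what a least-privilege onboarding looks like: two Azure AD groups in the MSP tenant, one read-only for the helpdesk and one Contributor for engineers, with no Owner (which Lighthouse does not permit anyway). Every GUID, the offer name, and the tenant and subscription IDs are placeholders you must replace; the two role definition IDs are the real, fixed IDs of the Reader and Contributor built-in roles.

```powershell
# Added example (not from the original post): onboard one customer subscription to an
# MSP through Azure Lighthouse by deploying the delegation template from PowerShell.
# Run this in the CUSTOMER tenant as an account that can write role assignments on
# the subscription (Owner or equivalent). Requires Az.Accounts, Az.Resources,
# Az.ManagedServices. All GUIDs and names below are placeholders (assumed values).

$managedByTenantId = '00000000-0000-0000-0000-000000000001'   # MSP's Azure AD tenant ID (placeholder)
$mspOfferName      = 'Contoso MSP - Managed Infrastructure'   # hypothetical offer name

# Built-in role definition IDs are identical in every Azure tenant.
$ReaderRole      = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
$ContributorRole = 'b24988ac-6180-42a0-ab88-20f7382dd24c'

# Least privilege: delegate to Azure AD GROUPS in the MSP tenant rather than individual
# users, and keep the write-capable group small. Owner cannot be delegated via Lighthouse.
$authorizations = @(
    @{ principalId = '00000000-0000-0000-0000-0000000000aa'   # placeholder group object ID
       principalIdDisplayName = 'MSP Tier-1 Helpdesk'
       roleDefinitionId = $ReaderRole },
    @{ principalId = '00000000-0000-0000-0000-0000000000bb'   # placeholder group object ID
       principalIdDisplayName = 'MSP Engineers'
       roleDefinitionId = $ContributorRole }
)

# The same two resources you would put in a subscription-scope ARM template:
# a registration definition (who may manage, with which roles) and an assignment (applies it here).
$template = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    variables      = @{
        mspRegistrationName = "[guid('$mspOfferName')]"
        mspAssignmentName   = "[guid('$mspOfferName')]"
    }
    resources = @(
        @{
            type       = 'Microsoft.ManagedServices/registrationDefinitions'
            apiVersion = '2019-06-01'
            name       = "[variables('mspRegistrationName')]"
            properties = @{
                registrationDefinitionName = $mspOfferName
                description                = 'Delegated management of this subscription'
                managedByTenantId          = $managedByTenantId
                authorizations             = $authorizations
            }
        },
        @{
            type       = 'Microsoft.ManagedServices/registrationAssignments'
            apiVersion = '2019-06-01'
            name       = "[variables('mspAssignmentName')]"
            dependsOn  = @("[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]")
            properties = @{
                registrationDefinitionId = "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
            }
        }
    )
}

Connect-AzAccount -TenantId '00000000-0000-0000-0000-0000000000cc'      # customer tenant (placeholder)
Set-AzContext -Subscription '00000000-0000-0000-0000-0000000000dd'      # customer subscription (placeholder)

New-AzSubscriptionDeployment -Name 'lighthouse-delegation' -Location 'westeurope' -TemplateObject $template

# Check, from the customer side, exactly which tenant now has access and with which roles.
Get-AzManagedServicesDefinition
```

Note what the customer keeps: the definition lives in the customer's subscription, so they can review the authorizations at any time and revoke the whole delegation by deleting the registration assignment, without involving the MSP.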

Azure Policy with Azure Lighthouse

For the MSP and tenant partnership to be successful, one of the fundamental philosophies is to ensure that there is trust between both parties. Azure Policy audits managed resources against corporate standards and, with deny or modify effects, enforces them.  With Azure Lighthouse, this can be an effective tool for both parties.  

If a tenant has strict security standards, Azure Policy can ensure that their service provider adheres to them, and this can be particularly important if the tenant is within a regulated industry.  However, many tenants are inexperienced with configuring Azure, so they have delegated their operations to an MSP.  As a service provider, you may already have high operational standards, or part of your offering may be to guarantee compliance within a regulated industry so you can apply your Azure Policy best practices to your tenants’ infrastructure.  This is also a great use case of how Azure Lighthouse allows MSPs to maintain their technical intellectual property (IP) while extending their services to new tenants.

Azure Resource Graph with Azure Lighthouse

Azure Resource Graph extends Azure Resource Manager with a query service over resource properties, and under Azure Lighthouse its queries run across every subscription delegated to the service provider. It provides Azure PowerShell and Azure CLI interfaces (as well as the portal and REST API) for MSPs to test their tenants' environments across multiple subscriptions. It can verify that Azure Policy rules are enforced correctly and flag misconfigurations. The results can be sorted and filtered on resource properties, including by tenant (customer), since each result carries the tenant ID of the subscription it came from. You can even track changes and configuration drift across your tenants.
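As an added example (not code from the original post), here is how the cross-tenant query looks from the MSP side in PowerShell. It signs in with the identity that received delegated access, confirms that the delegated subscriptions now appear alongside the MSP's own, then runs one Resource Graph query that flags a common misconfiguration (storage accounts still accepting plain HTTP) and groups the findings by customer tenant. The query itself is an assumption about what you want to check; swap in whatever your policy baseline cares about.

```powershell
# Added example (not from the original post): from the MSP's tenant, query every
# delegated customer subscription at once with Azure Resource Graph and group the
# findings by customer tenant. Requires Az.Accounts and Az.ResourceGraph.

Connect-AzAccount   # sign in as the MSP identity (member of a delegated group)

# Delegated subscriptions show up next to the MSP's own; TenantId tells you whose they are.
Get-AzSubscription | Select-Object Name, Id, TenantId

# KQL over the Resources table. tenantId identifies the customer. This query is an
# assumed example check: storage accounts where HTTPS-only traffic is not enforced.
$query = @'
Resources
| where type =~ 'microsoft.storage/storageaccounts'
| where tobool(properties.supportsHttpsTrafficOnly) == false
| project tenantId, subscriptionId, resourceGroup, name, location
| order by tenantId asc, subscriptionId asc
'@

# -First caps a single page at 1000 rows; use -SkipToken from the previous result to page further.
$findings = Search-AzGraph -Query $query -First 1000

# One line per customer tenant: how many non-compliant accounts each one has.
$findings | Group-Object tenantId | ForEach-Object {
    [pscustomobject]@{ CustomerTenant = $_.Name; StorageAccountsAllowingHttp = $_.Count }
}

# Full detail for the ticket or report.
$findings | Format-Table -AutoSize
```

Because the results carry `tenantId`, the same query doubles as a per-customer compliance report without any per-subscription loop, which is the operational win Lighthouse is selling here.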

Azure Service Health with Azure Lighthouse

Set up Azure Service Health for your managed accounts to get a global view of the health of your tenants' services and resources. Service Health also shows incidents and planned maintenance in the Microsoft-operated Azure infrastructure that your tenants' resources depend on.  

You can set up different types of alerting for outages, which can be a useful value-added service for an MSP offering Tier 1 support. Many tenants will want to defer critical support to their MSP.  Even if you have a tenant that has not subscribed to your Tier 1 support, if an outage happens and you can use Azure Service Health to show them that you could have more quickly identified the problem for them, they will be more likely to subscribe to your premium services.

Azure Monitor with Azure Lighthouse

Now that you have set up access and security policies for your tenants, configure Azure Monitor to begin collecting data about their environment.  Even if you do not know how to leverage this information yet, turning it on immediately is a good best practice, so you have the data when you need it. 

You can now view alerts across numerous subscriptions and view activity logs for managed resources. You can also run a single query across all of your tenants to see if an issue or security threat that impacted one customer has a broader impact. If you are an MSP focusing on a specific regulated industry, then having this visibility across multiple customers can give you valuable insight, operational efficiencies, and competitive advantage.
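The "single query across all of your tenants" works because a Log Analytics query can reference other workspaces with `workspace('<id>')`. The following is an added example (not from the original post) of that pattern: enumerate every workspace the MSP can see, including those in delegated subscriptions, then run one union query that asks whether a source IP seen in failed logons at one customer shows up at any other. The IP address is a placeholder indicator, and the `SecurityEvent` table assumes the customers forward Windows security events to their workspaces.

```powershell
# Added example (not from the original post): one Log Analytics query across every
# delegated customer's workspace, to see whether an indicator from one customer's
# incident shows up elsewhere. Requires Az.Accounts and Az.OperationalInsights.

Connect-AzAccount   # MSP identity with at least Log Analytics Reader on the delegated scopes

# Collect every workspace visible to the MSP, remembering which customer tenant owns it.
$workspaces = foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionObject $sub | Out-Null
    Get-AzOperationalInsightsWorkspace | ForEach-Object {
        [pscustomobject]@{
            CustomerTenant = $sub.TenantId
            SubscriptionId = $sub.Id
            Name           = $_.Name
            WorkspaceId    = $_.CustomerId   # the workspace GUID used by workspace()
        }
    }
}

# Build "union workspace('a').SecurityEvent, workspace('b').SecurityEvent, ..." so that
# a single query spans all of them (cross-workspace queries are limited to 100 workspaces).
$indicator = '203.0.113.10'   # placeholder indicator (TEST-NET-3 address), assumed from one customer's incident
$union = ($workspaces | ForEach-Object { "workspace('$($_.WorkspaceId)').SecurityEvent" }) -join ', '

$query = @"
union $union
| where TimeGenerated > ago(7d)
| where EventID == 4625 and IpAddress == '$indicator'
| summarize FailedLogons = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by TenantId, Computer
| order by FailedLogons desc
"@

# Run against any one workspace; the workspace() references pull in the rest.
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaces[0].WorkspaceId -Query $query

# In Log Analytics tables, TenantId is the workspace GUID, not the Azure AD tenant,
# so map it back to the customer through the list built above.
$byWorkspace = @{}
foreach ($w in $workspaces) { $byWorkspace[$w.WorkspaceId] = $w.CustomerTenant }
$result.Results | Select-Object @{ n = 'CustomerTenant'; e = { $byWorkspace[$_.TenantId] } }, Computer, FailedLogons, FirstSeen, LastSeen |
    Format-Table -AutoSize
```

The indicator sweep is the kind of cross-customer check the paragraph above describes; the same skeleton serves for any table and any KQL filter, as long as the MSP identity holds read access on each workspace through the delegation.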

Azure Virtual Network with Azure Lighthouse

Once your tenants’ infrastructure is secure and protected, you may wish to optimize their virtual infrastructure.  Networking is usually one of the more challenging IT management operations, and Azure imposes additional restrictions that may take a specialist to understand. This is another value-added service that MSPs can offer: Azure network administration. Azure Lighthouse allows delegated access to virtual networks and virtual NICs, letting MSPs optimize the traffic, make it resilient to failures, apply security policies, and monitor bandwidth utilization.

Azure Virtual Machines with Azure Lighthouse

Probably the most popular delegated management service will be for Azure Virtual Machines. Tenants can permit MSPs full control-plane access to their virtual machines (VMs); the main exception is operations that depend on Azure Key Vault in the customer tenant, such as Azure Disk Encryption, which cannot be performed from the managing tenant. This means that the service provider can deploy VMs, configure storage, networking, and sizing, and run post-deployment configuration tasks, scripts, diagnostics, and almost every other aspect of operations. 

Delegation covers the Azure control plane, not the guest operating system: Lighthouse does not hand the MSP any RDP or SSH credentials. To configure guest workloads the MSP either uses control-plane mechanisms that reach into the guest (VM extensions and Run Command) under the delegated roles, or is issued guest credentials separately by the tenant. Since most Azure workloads run inside Azure VMs, the delegated management services offered through Azure Lighthouse will support almost every tenant virtual machine scenario.

Azure Kubernetes Service (AKS) with Azure Lighthouse

There are a growing number of organizations using containers instead of VMs to run their services.  Azure Kubernetes Service (AKS) lets organizations run a Kubernetes cluster on Azure with Microsoft operating the control plane, which takes care of tasks such as deployment, upgrades, and monitoring. 

Containerization offers numerous resource optimization and consolidation benefits as compared to traditional VMs, yet Kubernetes clusters are generally considered more complicated to manage. This presents a great opportunity for MSPs to manage Kubernetes as a service for their tenants using Azure Lighthouse.

Azure Security Center with Azure Lighthouse

Perhaps one of the best use cases for MSPs to support their tenants is through Azure Security Center. This Azure service centrally assesses and protects Azure resources, bringing together proactive and reactive best practices from Microsoft's security experts. 

Organizations that need to outsource their IT management usually do not have security experts on their staff, so they are likely to want to offload security management to their MSPs.  The cloud adds additional security challenges since it is changing so rapidly and has a broad attack surface on public infrastructure. Leveraging Azure Security Center is highly recommended for any organization, especially those in regulated industries or protecting sensitive data.

With Azure Lighthouse, MSPs can monitor all of their tenants from a single interface and apply changes at scale. All of the security data is centrally collected to show industry-wide trends, which MSPs can build into their IP. Some advanced features available to MSPs include just-in-time (JIT) VM access, adaptive network hardening, file integrity monitoring (which covers registry changes on Windows), and adaptive application controls that allow only permitted applications or processes to run.

Azure Backup with Azure Lighthouse

Azure Lighthouse gives MSPs the ability to manage backups for the tenants’ infrastructures using Azure Backup.  Although Azure Backup is fairly easy to use, backups are so important to the business that they often make risk-averse Azure users want to hand off this responsibility to experts.  Service providers can centrally manage backup and restore for their tenants’ Azure VMs and storage.  

Since Azure Backup offers different options around backup frequency (RPO), recovery time (RTO), retention, and storage redundancy, an MSP can offer simplified plans such as "Gold," "Silver," and "Bronze."  This is particularly valuable for tenants in a regulated industry, where retention compliance matters: you will often need to retain all data for a defined period and then destroy specific records once it has passed.

Azure Site Recovery with Azure Lighthouse

One of the most popular Azure features is Azure Site Recovery (ASR). This lets the organization replicate their on-premises Hyper-V or VMware virtual machines to Microsoft Azure, using the public cloud as a disaster recovery site. For MSPs, offering disaster recovery as a service (DRaaS) is a great way to discover new customers who have not yet embraced the public cloud for their daily operations and drive Azure adoption.  

Since ASR requires components to be installed and configured in the tenant's existing datacenter (the Site Recovery provider and agent on the Hyper-V hosts or cluster, or the configuration server for VMware), and ADRM only delegates Azure resources, Azure Lighthouse alone does not provide an end-to-end delegated solution. The MSP will likely need to be given remote access to the on-premises environment (or can provide instructions) for that part of the setup. Once replication to the tenant's Recovery Services vault is running, the service provider can manage ASR from their own tenant, including test failovers and failovers to the replicated virtual hard disks and VMs in Azure.

Azure Automation with Azure Lighthouse

Azure Automation may be one of the most valuable services that MSPs can provide through Azure Lighthouse.  This was included last in this list as service providers should set up their service offerings before they start automating them at scale. 

Azure Automation includes process/workflow automation, configuration management, update management, and scheduling for both Windows and Linux. This is where the service provider’s intellectual property (IP) really becomes valuable from custom scripts and processes they’ve created. This could include streamlining deployment, enforcing compliance, dynamically adjusting to infrastructure changes, or simplifying reporting. 

Azure Automation will allow MSPs to differentiate their offerings and create new value for their customers. While Azure Automation can manage both Azure and on-premises machines (through Hybrid Runbook Workers), on-premises management through Azure Lighthouse may still be limited because the delegation itself is built on ADRM and Azure AD and only covers Azure resources.

Wrap-Up

Azure Lighthouse already supports many Azure services, and these will continue to increase in time and with industry adoption.  If there are additional services that you would like to see, post about them in the comments section of this blog and request them through the Microsoft Partner Network (MPN) portal. From this blog series, you should now understand the value of the Azure Lighthouse solution and its foundational technologies using ADRM and AAD, and in the next post, we will review the Azure Marketplace go-to-market strategies.

What are your thoughts so far? Do you see yourself using this within your organization? Do you see it helping you do more Azure business?