Managed Platform

What we do

The simple, safe and fast track to adopting and operating Microsoft Azure

Fellowmind Managed Platform (FMP) is a tenant-wide solution, based on a platform and modules delivered as Software-as-a-Service, maintained by our Platform team, and supported by our Managed Services team. It is based on Fellowmind's best practice and experience from multiple customer engagements and aligned with Enterprise Scale as understood in Microsoft Cloud Adoption Framework (CAF).

All services are distributed to the Azure environments in your tenant through CI/CD pipelines at Fellowmind.

For that reason, Fellowmind Managed Platform (FMP) is not a downloadable package. It is a service comprised of modular software, with quality, support, maintenance, documentation and backing from Fellowmind. It is composed of a Managed Platform with everything included; all the central features and functions, management, governance, automation and scalability.


What we do

Everything you need to fast track your Azure deployments in a scalable and secure manner

The implementation process starts with a design workshop facilitated and executed by our dedicated Fellowmind Managed Platform (FMP) team. The team provides best practices and recommendations, facilitates decisions on your desired configuration, policies, and modules, and then performs an automated implementation in your preferred Azure region(s).

To ensure a solid update and customization process, configuration is maintained as code, but separated from the platform code.

As part of our Fellowmind Managed Platform (FMP), we take care of your entire Azure platform. As a result, we have integrated monitoring, security, and governance in the platform.

A selection of key features within the Managed Platform:

  • Resource structure & organization
  • Governance, Security and Compliance controls
  • Management, logging, and patching
  • Cost control and optimization
  • Network topology & connectivity
  • Landing Zone orchestration

Business Value

From a business perspective

When viewed from various perspectives, the platform delivers several notable process and technical advantages, as detailed below.

CIO Perspective

  • A standardized delivery which is easy to use, expand and operate
  • Service catalogs enable self-service for individuals, teams, or project managers
  • Fewer critical or high-impact cases and shorter time to recovery
  • Avoids dependency on key employees
  • Better control over budgets

Architect Perspective

  • Easy to deploy a set of services and servers
  • Integrated into the pipeline developers already use
  • Better security utilizing governance and compliance controls
  • Enables the transformation to native cloud and services
  • Fast track to have compliance and security in place

Operations Perspective

  • Automation saves time and provides consistency and flexibility
  • Version control, tracking and change management ensure quality
  • Automates recovery and deployment
  • Frees up time for innovation and improvements
  • SaaS without the vendor lock-in

Services

These are in place to make sure that all modules of the managed platform are stable, secure, and evergreen.

Governance
Fellowmind establishes the tooling needed to support Azure governance, compliance auditing and automated guardrails, as well as provisioning landing zones.
Continuous platform updates
Fellowmind updates the platform continuously; new features, updates, and emergency patches are applied as they become available. A detailed feature list for the infrastructure can be found in the documentation service.
Resolution of high priority incidents
Fellowmind resolves high-priority incidents during office hours, 08:30-16:30 CET/CEST.
Compliance reporting
Fellowmind will send monthly compliance reports on set policies.
Budget reporting
Fellowmind will send monthly budget reports on set budgets.
Platform monitoring and alerting
Fellowmind monitors all services within the platform and handles alerts. Monitoring baseline is documented in the documentation service.
Virtual machine services
  • Fellowmind continuously updates Windows and Linux operating systems according to the chosen patch management strategy.
  • Fellowmind monitors backups, performs proactive maintenance on them, and assigns a default backup strategy to VMs.
  • Fellowmind onboards virtual machines to Microsoft Defender for Servers and dispatches alerts.
Service management meetings
Fellowmind facilitates quarterly meetings that give insight into current and future topics such as cost optimization, features, services, and projects. The purpose is to identify opportunities for the customer to achieve an improved and more cost-effective quality of service.

Deliveries

Fellowmind provides the following deliveries as part of the Managed Platform.

Fellowmind delivers a uniform structure of the Azure platform
This means that all applications are built on the same principles, including networks, governance, logs, etc. They are subject to the same policies/rules/security principles based on what is currently Microsoft best practice.
Regulatory Compliance
It is possible to attach specific regulatory frameworks to the platform, such as NIS2.
Platform monitoring and alerting
Fellowmind monitors the entire platform unless otherwise agreed, using a large set of standard alarms defined by Fellowmind. These alarms are either tenant wide alarms or platform specific alarms. Additionally, Fellowmind delivers a baseline set of catalog alarms.
Reporting
On a monthly basis, Fellowmind delivers reporting on usage, cost, security and compliance.
Diagnostics and resource logs
All set-up of diagnostics and resource logs on all resources, and their handling, are uniform.
Platform resources
The Managed Platform and its components are continuously updated as Microsoft features and services are updated or when Microsoft introduces new services.
Identity and access management
Identity and access management is governed uniformly by automating the assignment and mapping of Azure roles to Entra ID groups.
Documentation
All documentation is hosted as a web app, providing a single site for all platform-related documentation, a uniform way of ordering new service requests, and a view of the roadmap and releases. It can also be used in connection with risk management, controls, and compliance.

Responsibilities

These are the responsibilities and how they are divided between the platform and the landing zone.

Policy
  • Platform: deploys recommended policies
  • Landing zone: responsible for compliance in landing zones
Alerts
  • Platform: deploys health and service alerts
  • Landing zone: deploys specific resource alerts and takes action
Network
  • Platform: configures the network solution (hub and spoke) and deploys peered VNets (Corp Landing Zones only)
  • Landing zone: uses the peered VNets and requests firewall rules when needed
Cost
  • Platform: deploys budgets with thresholds and anomaly detection
  • Landing zone: adheres to and evaluates the budget, requests updates
Tags
  • Platform: deploys tags on the subscription, which are inherited by resources
  • Landing zone: configures specific values on resources that should not inherit from the subscription (e.g. a different budget code)
Backup
  • Platform: deploys the Recovery Services vault and default backup policies
  • Landing zone: onboards servers to the Recovery Services vault
Access
  • Platform: deploys Entra ID groups, configures PIM, and assigns the groups to scopes throughout the Azure hierarchy
  • Landing zone: adds and removes members of the groups
Update
  • Platform: deploys central maintenance configuration schedules and policy
  • Landing zone: sets the Azure tag that configures update management on a per-VM basis
Logs
  • Platform: deploys the central Log Analytics workspace and sets up data collection rules; configures diagnostic settings for supported Azure PaaS services; can set a default VM tag for default log ingestion
  • Landing zone: adds an additional tag on VMs that should send more logs than the default
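The Update and Tags rows above describe enrollment driven by an Azure tag on each VM, with the platform side deploying the policy that governs it. The following is an added example, not code from Fellowmind or the Managed Platform, showing how such a guardrail is typically expressed as an Azure Policy rule (in the real policyRule schema) and how the rule's conditions resolve against resource records. The tag name `UpdateSchedule`, the allowed values, and the sample inventory are constructed placeholders; the page does not state which tag the platform uses.

```python
"""Added example: a minimal evaluator for an Azure Policy rule that audits
virtual machines missing (or misusing) the tag used for update-management
enrollment. The tag name, allowed values and sample resources are
constructed placeholders, not values from the Fellowmind platform."""
import re

# Hypothetical tag name and allowed values; assumptions for this example only.
REQUIRED_TAG = "UpdateSchedule"
ALLOWED_VALUES = ["Ring0", "Ring1", "Ring2"]

# Azure Policy definition using the real policyRule schema
# (field, equals, exists, in, allOf, anyOf, not). Effect is 'audit' so
# non-compliant VMs are reported in compliance results rather than blocked.
AUDIT_POLICY = {
    "mode": "Indexed",
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                {"anyOf": [
                    {"field": f"tags['{REQUIRED_TAG}']", "exists": "false"},
                    {"not": {"field": f"tags['{REQUIRED_TAG}']", "in": ALLOWED_VALUES}},
                ]},
            ]
        },
        "then": {"effect": "audit"},
    },
}

_TAG_FIELD = re.compile(r"^tags\['(.+)'\]$")


def resolve_field(resource, field):
    """Return the value of a policy field alias on a resource record, or None if absent.
    Supports the 'type' alias and the tags['name'] alias used in tag policies."""
    m = _TAG_FIELD.match(field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(field)


def evaluate(condition, resource):
    """Recursively evaluate a policy condition against one resource record.
    Azure Policy string comparisons are case-insensitive, which is mirrored here."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = resolve_field(resource, condition["field"])
    if "exists" in condition:
        wants_present = str(condition["exists"]).lower() == "true"
        return (value is not None) == wants_present
    if "equals" in condition:
        return value is not None and value.lower() == condition["equals"].lower()
    if "in" in condition:
        return value is not None and value.lower() in [v.lower() for v in condition["in"]]
    raise ValueError(f"unsupported condition: {condition}")


def audit(resources, policy=AUDIT_POLICY):
    """Return the names of resources matching the rule's 'if' block,
    i.e. the ones Azure Policy would mark non-compliant."""
    return [r["name"] for r in resources if evaluate(policy["policyRule"]["if"], r)]


# Constructed sample inventory; the record shape follows Azure Resource Graph output.
SAMPLE_RESOURCES = [
    {"name": "vm-app-01", "type": "Microsoft.Compute/virtualMachines", "tags": {"UpdateSchedule": "Ring1"}},
    {"name": "vm-app-02", "type": "Microsoft.Compute/virtualMachines", "tags": {}},
    {"name": "vm-db-01", "type": "Microsoft.Compute/virtualMachines", "tags": {"UpdateSchedule": "weekly"}},
    {"name": "st-logs", "type": "Microsoft.Storage/storageAccounts", "tags": {}},
]

if __name__ == "__main__":
    for name in audit(SAMPLE_RESOURCES):
        print(f"non-compliant: {name}")
```

Running the sample flags `vm-app-02` (tag missing) and `vm-db-01` (tag value outside the allowed set) while ignoring the storage account and the correctly tagged VM. The same rule body can be assigned at a management group so every landing zone inherits it; the landing-zone team's only obligation, as the Responsibilities table states, is to set the tag on each VM.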

Architecture

This is the architecture of the Fellowmind Managed Platform.

Features

Overview of the Managed Platform features and a comparison with the Microsoft-provided Azure Landing Zone (ALZ) reference implementation.

Legend:
  • Standard (for all customers)
  • Optional (based on customer needs)
  • ALZ = Microsoft ALZ
  • FM = Fellowmind

GSC (Governance, Security & Compliance)

Feature ALZ FM
(Hierarchy) Idempotent configuration of Management Groups and Subscriptions
(Subscription lifecycle) Management of pre-ordered subscriptions available for immediate use for new Landing Zones
(Policy) Idempotent configuration of Azure Policy Initiatives, Definitions, Assignments, and Exemptions
(Policy) Automated policy remediation
(Subscription lifecycle) Deletion of unused Landing Zones after end of lifecycle using Azure tags
(Subscription lifecycle) Repurpose of decommissioned landing zones for future landing zones
(Resource lifecycle) Automated deletion of resources based on tags to control lifecycle and avoid runaway consumption. (Commonly for Dev/Test)
(RBAC) Idempotent configuration of Entra ID groups which are assigned to Azure RBAC roles
(RBAC) Removal of Classic Administrator access on subscriptions
(RBAC) Automatic cleanup of direct access created on management groups and subscriptions
(RBAC) Add users and service principals to Entra ID groups as group members and owners
(Landing Zone) Landing zone orchestration using Azure Blueprint assignments
(PIM) Enrollment of Azure access using Entra ID groups
(PIM) Privileged Identity Management enrollment of Entra ID role access using Entra ID groups
(Reporting) Monthly report of Azure Consumption for each subscription in excel format
(Reporting) Monthly report of centralized log analytics usage broken down on subscription usage in excel format
(Reporting) Monthly report of centralized log analytics usage broken down on resource type in excel format
(Reporting) Monthly report of Azure Policy compliance for each subscription in excel format
(Reporting) Monthly report of Azure Secure Score for each subscription in excel format
(Reporting) Monthly report of Azure advisor score for each subscription in excel format
(Operations) Patch management enrollment using Azure Tags
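The RBAC features above, together with the Identity and access management delivery (Azure roles mapped to Entra ID groups) and the Access row of the Responsibilities table, rest on one rule: privileged access at management-group and subscription scope is granted through groups, and direct assignments to users or service principals are cleaned up. The following is an added example, not Fellowmind's implementation, of a check that detects such direct assignments from an exported assignment list. The record shape follows the JSON printed by `az role assignment list --all`; the principal names, object IDs, subscription IDs, and the `PLATFORM_AUTOMATION_ID` exemption are constructed placeholders.

```python
"""Added example: detect Azure role assignments granted directly to users or
service principals at management-group or subscription scope. Group-based
assignments and narrow (resource-group or resource) scopes are left alone.
Sample data and IDs are constructed placeholders."""
import re

# Broad scopes covered by the check. Anchored so that resource-group and
# resource scopes below a subscription do not match.
_MG_SCOPE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$")
_SUB_SCOPE = re.compile(r"^/subscriptions/[0-9a-f-]{36}$", re.IGNORECASE)

# Built-in roles that raise finding severity to 'high'.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Hypothetical object ID of the platform's own automation identity, which is
# deliberately exempt so the check does not flag the tooling that enforces it.
PLATFORM_AUTOMATION_ID = "11111111-1111-1111-1111-111111111111"


def is_broad_scope(scope):
    """True for management-group and subscription scopes only."""
    return bool(_MG_SCOPE.match(scope) or _SUB_SCOPE.match(scope))


def find_direct_assignments(assignments, allowed_principals=frozenset()):
    """Return one finding per assignment whose principal is not a Group,
    is not an exempted object ID, and sits at a broad scope."""
    findings = []
    for a in assignments:
        if a["principalType"] == "Group":
            continue
        if a["principalId"] in allowed_principals:
            continue
        if not is_broad_scope(a["scope"]):
            continue
        findings.append({
            "principalName": a["principalName"],
            "principalType": a["principalType"],
            "role": a["roleDefinitionName"],
            "scope": a["scope"],
            "severity": "high" if a["roleDefinitionName"] in PRIVILEGED_ROLES else "medium",
            "assignmentId": a["id"],
        })
    return findings


# Constructed sample export (same keys as `az role assignment list --all` output).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
MG = "/providers/Microsoft.Management/managementGroups/mg-landingzones"
SAMPLE_ASSIGNMENTS = [
    {"id": f"{SUB}/providers/Microsoft.Authorization/roleAssignments/aaaa0001",
     "principalId": "22222222-2222-2222-2222-222222222222", "principalName": "grp-lz-owners",
     "principalType": "Group", "roleDefinitionName": "Owner", "scope": SUB},
    {"id": f"{SUB}/providers/Microsoft.Authorization/roleAssignments/aaaa0002",
     "principalId": "33333333-3333-3333-3333-333333333333", "principalName": "alice@example.com",
     "principalType": "User", "roleDefinitionName": "Contributor", "scope": SUB},
    {"id": f"{MG}/providers/Microsoft.Authorization/roleAssignments/aaaa0003",
     "principalId": "44444444-4444-4444-4444-444444444444", "principalName": "sp-reporting",
     "principalType": "ServicePrincipal", "roleDefinitionName": "Reader", "scope": MG},
    {"id": f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Authorization/roleAssignments/aaaa0004",
     "principalId": "33333333-3333-3333-3333-333333333333", "principalName": "alice@example.com",
     "principalType": "User", "roleDefinitionName": "Contributor", "scope": f"{SUB}/resourceGroups/rg-app"},
    {"id": f"{MG}/providers/Microsoft.Authorization/roleAssignments/aaaa0005",
     "principalId": PLATFORM_AUTOMATION_ID, "principalName": "sp-platform-automation",
     "principalType": "ServicePrincipal", "roleDefinitionName": "Owner", "scope": MG},
]


def run_sample():
    """Evaluate the constructed export with the automation identity exempted."""
    return find_direct_assignments(SAMPLE_ASSIGNMENTS, allowed_principals={PLATFORM_AUTOMATION_ID})


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] {f['principalType']} {f['principalName']} has {f['role']} at {f['scope']}")
```

On the sample export the check reports two findings: the direct Contributor grant to a user at subscription scope (high) and the direct Reader grant to a service principal at management-group scope (medium). The group-based Owner assignment, the resource-group-scoped grant, and the exempted automation identity are not reported. Each finding carries the assignment ID, which is what a remediation step such as `az role assignment delete --ids <id>` consumes after the access has been re-granted through the appropriate Entra ID group.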

Management

Feature ALZ FM
(Patching) Centralized Patch Management for Linux and Windows VMs
(Logging) Central logging for all landing zones
(Logging) Automated Diagnostic Logs Collection for known and supported resources in Azure
(VM Management) Azure AutoManage custom profiles ready to onboard landing zone VMs
(Security) Azure Sentinel ready (Online Landing Zone)
(Event Management) Centralized alerting for Tenant-wide alerts
(Event Management) Alert Catalogue for common alerts to be used as a reference when building Landing Zones
(Event Management) ITSM Integration
(Operations) Azure Monitor Workbooks for Tenant-wide monitoring
(Operations) Graph queries for Tenant-wide monitoring

Landing Zone

Feature ALZ FM
(Governance) Provisioning of infrastructure baseline in Landing Zones to get started quickly
(Governance) Standardized tagging for Landing Zones
(Connectivity) Network spoke provisioning (Corp Landing Zone only)
(Connectivity) Network hub peering (Corp Landing Zone only)
(Connectivity) Inter-Landing Zone Direct network peering (Corp Landing Zone only)
(Connectivity) Enroll Landing Zone provisioned resources to a specific subnet in the Landing Zone (using Private Endpoint - Corp Landing Zone only)
(Management) Centralized management of select resources created in Landing Zones
(Management) Landing Zone updates at scale
(Management) Backup policy baseline for Landing Zones
(Management) Azure Advisor baseline configuration for Landing Zones
(Operations) Alert processing architecture for Landing Zones
(Operations) Resource Health Monitoring dispatch for Landing Zones
(Operations) Budgets and threshold notifications for Landing Zones
(Operations) Security event notification for Landing Zones

Connectivity

Feature ALZ FM
(SD-WAN) Connectivity architecture with Azure Virtual WAN or Standalone Resource Implementation (VPN Gateway, Azure Firewall, etc.)
(SD-WAN) Full mesh global hybrid connectivity using SD-WAN
(Network Hub) Standalone Network Resource implementation (Hubs without vWAN)
(Firewall) Regional Azure Firewalls to add security between Landing zone networks and to and from the public internet
(Local Connectivity) Local connectivity to privately linked Azure PaaS resources in Corp Landing Zones using Azure Private Link and Private Endpoints
(Front Door) A Central Front Door with WAF to provide a globally distributed single-entry point for web applications hosted in landing zones
(Application Gateway) A central Application Gateway with WAF to provide regionally distributed entry points for web applications hosted in landing zones
(DNS) Centralized DNS management for Landing Zones
(DNS) Private DNS Resolver for Landing Zones

Identity

Feature ALZ FM
(Identity) Domain controllers hosted in Virtual Machines, and their associated resources
(Governance) User Access Managed Identity for various Platform modules

Documentation

Feature ALZ FM
(Documentation) Centralized and automated documentation site built on Docusaurus
(Documentation) Autogenerated documentation updated hourly
(Product lifecycle) Product roadmap documentation
(Product lifecycle) Product release notes documentation

Azure DevOps

Feature ALZ FM
(DevOps Projects) Create an Azure DevOps Project for each Landing Zone
(DevOps Projects) Entra ID groups for license and access management to Azure DevOps projects
(DevOps Projects) Configure Azure Resource Manager Service Connections with access to Landing Zone Subscriptions
(DevOps Projects) Configure Azure DevOps project with policies and build validation for GitHub Flow branch strategy
(DevOps Projects) Provision Landing Zones with an IaC repository and multi-stage pipeline baseline
(DevOps Projects) Daily backup of Azure DevOps Repositories with full git history
(Service Connection) Federated identities using OpenID Connect in managed DevOps projects

Azure DevOps Self-Hosted Pipeline Agents

Feature ALZ FM
(DevOps) Self-managed build agent pools for Azure DevOps running on Azure VMs or Containers

Book a demo

Book a demo to get a closer look at the Managed Platform and how we can help your organization. Our team of experts will guide you through the features and benefits, ensuring you get the most out of our services. Whether you're looking to improve efficiency, enhance security, or scale your operations, our demo will provide you with the insights you need to make an informed decision.

Book a Demo