Using Nerdio to Manage Existing Microsoft Azure Deployments 

The Nerdio Admin Portal (NAP) is a multi-tenant, single-pane-of-glass portal that allows MSPs to manage all of their Azure deployments securely in one place and across all aspects of the IT environment. The NAP can manage VMs, storage, networking, backup, autoscaling, users, virtual desktops, Office 365, mailboxes, security, and much more – all in a “3-click or less” console with role-based security.  The customers of MSPs can be full admins with access to all aspects of a customer’s IT environment or they can be limited users (e.g. Tier 1 Support) with access to things like user password resets but not VPN configuration.   

MSPs can also co-manage a customer’s Azure environment with the customer’s internal IT staff.  For example, an end-user account can be given access to the NAP to do both basic and advanced management of just their own environment.  Because the NAP is so simple to use, delegating some basic management capabilities to specific end-users reduces the number of incoming tickets, gives the customer the additional control they want, and speeds up time-to-resolution by letting the customer self-serve on some common functions.  All of this is possible without overwhelming the customer with technical complexity, and without handing out administrative access to Azure itself, where an inexperienced user could create issues in an otherwise stable environment.

A common question we get from partners goes something like this: “We’d love to use Nerdio to manage our Azure deployments but have existing customers in Azure.  Can Nerdio be used to manage those?” 

The short answer is, “yes, they absolutely can,” but it does require a bit of planning.

The goal of this article is to outline the steps necessary to configure Nerdio to manage existing Azure resources. 

The Typical Nerdio Manager for MSP Deployment 

Nerdio is designed to be safe and non-disruptive to existing environments.  Therefore, when you provision a new Nerdio account into Azure, it creates a brand new, empty resource group and only manages resources in that one resource group.  You can have a single Azure AD tenant with a single Azure Subscription and segregate customers by resource groups (or by Azure subscriptions or Azure AD tenants).  The resources in each of these groups will be independent and isolated.  Nerdio will manage each deployment in each unique resource group as its own Nerdio account. 

Every Nerdio for Azure deployment is designed to start out as a “greenfield” deployment without any existing legacy information (other than connectivity into an existing Office 365 account).  The goal is to enable an MSP to set up a greenfield Azure environment and conduct a pilot with a customer without disrupting the existing IT infrastructure.  Once the pilot is successful, the Nerdio deployment is “plugged into” an existing IT environment and added to production, making it accessible to users.  Once in production, users, data, and server workloads can be seamlessly moved into the new Nerdio deployment in Azure. 

“Plugging” Nerdio into an existing IT environment 

There are three top-level steps involved in plugging a greenfield Nerdio deployment into an existing IT environment.

  1. Extend the network – this is typically accomplished by setting up a site-to-site VPN between the Nerdio for Azure environment and an existing environment.  It is also possible to use the VNet peering capability of Azure in some cases, as we’ll see below. 
  2. Extend Active Directory – Making the same Active Directory Domain Services available in Azure is fully automated by Nerdio with our Nerdio Hybrid AD™ functionality.  Extending AD into Azure allows the NAP to have visibility into the existing Active Directory, manage user objects, and assign virtual desktops – all without any changes to the existing environment.  Once the AD is extended from the existing environment to Azure, it spans both locations and allows seamless movement of servers from one to the other. 
  3. Move VM workloads – Once network connectivity is established and AD is extended into Azure, servers and data can be moved from the existing environment to Azure using Azure Site Recovery (ASR), another VM replication technology, or Azure Resource Move process, as we’ll see below. 

The result of the 3 steps above is a Nerdio managed Azure environment with connectivity to an existing IT environment, AD visibility, and the ability to move VMs from one environment to the other without the need to re-join the domain or reconfigure the operating system. 

“Plugging” Nerdio into an existing Azure deployment 

It is possible to leverage Nerdio to manage an existing Azure deployment.  Think of it as a special case of the typical process outlined above – create a new Nerdio for Azure greenfield deployment, plug it into an existing Azure deployment, and migrate workloads as appropriate.  However, because the existing Azure deployment and the new Nerdio deployment are both in Azure, there are some additional tools available to simplify and speed up the process.

Let’s look at each of the three steps as they relate to this unique scenario. 

1. Extend the network 

While it is possible to use VPN Gateways and site-to-site VPN connections between virtual networks in Azure, it is far simpler to leverage Azure’s VNet peering capability.  Azure supports two types of VNet peering:

  • VNet peering – connecting VNets within the same Azure region 
  • Global VNet peering – connecting VNets across Azure regions 

There are multiple advantages to using VNet Peering instead of site-to-site VPN.  Network traffic is private, low-latency, and high-bandwidth.  That’s because it traverses Azure’s private network backbone instead of leveraging public internet infrastructure. 

VNet peering has all the expected functionality: no downtime for the VMs when the peering is created, the ability to apply Network Security Groups (NSGs) to control traffic flow and access if needed, and, by default, complete and simple connectivity between all resources in the peered networks without additional setup.

There is a charge associated with using VNet peering.  When data travels within the same Azure region, there is a charge of $0.01/GB of transfer, which applies to both inbound and outbound traffic (unlike public internet bandwidth).  Transferring a 100GB virtual disk from the existing virtual network in Azure to the Nerdio deployment will cost about $1.  When peering VNets across Azure regions (Global VNet Peering), the cost is about $0.035/GB in most US regions.

2. Extend Active Directory 

Extending the Active Directory (not Azure AD – that’s already integrated into Nerdio by default when deployed) from an existing Azure environment into the new Nerdio environment is identical to the process when the source environment is not in Azure.   

Once the VNet peering is in place and VMs in the Nerdio deployment can talk to the VMs in the existing Azure deployment, the Nerdio Hybrid AD engine will create a new domain controller in the Nerdio deployment and extend the existing Active Directory Domain Services.  Once AD is extended and all resources are moved over to the Nerdio deployment to be managed in the NAP, Active Directory FSMO roles can be transitioned over to the new domain controller VM in Nerdio and the existing AD can be de-provisioned. 

3. Move VM workloads 

Since both the source (existing Azure deployment) and destination (new Nerdio deployment) are in Azure, it is possible to use the native resource move functionality to transfer resources from source to destination.  This is an easy and seamless process that can be done via the Azure portal or via PowerShell.

Establishing network connectivity with VNet peering and extending Active Directory with Nerdio Hybrid AD before moving the VMs will allow the process to be seamless.  For example, if one out of five server VMs is moved from source to destination, the moved VM will still be able to talk to its peer VMs in the existing Azure deployment due to the VNet peering that’s in place.  Similarly, since the same AD spans both environments, the moved VM will be able to communicate with a local domain controller and authenticate connections without the need to join it to a new AD domain.

Other Azure resources such as public IP addresses and storage accounts can also be moved via the Azure portal from their source resource group to the new Nerdio one.  

Once all VM workloads and other resources have been moved over to Nerdio, which can be done in a non-disruptive, phased approach, and FSMO roles have been transferred to the new AD DC, the source environment can simply be de-provisioned and VNet peering turned off.
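The PowerShell route for steps 1 and 3, as an added example that is not Nerdio's own tooling: it peers the two VNets, lists subnets that have no NSG (peering gives full connectivity by default), and moves one VM with its NICs and managed disks. It assumes the Az PowerShell module and a session already signed in with Connect-AzAccount; every resource group, VNet, peering and VM name is a hypothetical placeholder.

```powershell
# Added example. All names below are hypothetical placeholders.
$srcRg = 'rg-existing'; $srcVnetName = 'vnet-existing'
$dstRg = 'rg-nerdio';   $dstVnetName = 'vnet-nerdio'
$vmName = 'SRV01'

$srcVnet = Get-AzVirtualNetwork -Name $srcVnetName -ResourceGroupName $srcRg
$dstVnet = Get-AzVirtualNetwork -Name $dstVnetName -ResourceGroupName $dstRg

# Step 1: a peering link has to exist in each direction before traffic flows.
Add-AzVirtualNetworkPeering -Name 'existing-to-nerdio' -VirtualNetwork $srcVnet `
    -RemoteVirtualNetworkId $dstVnet.Id | Out-Null
Add-AzVirtualNetworkPeering -Name 'nerdio-to-existing' -VirtualNetwork $dstVnet `
    -RemoteVirtualNetworkId $srcVnet.Id | Out-Null

# Both sides must report Connected before AD is extended or VMs are moved.
$peerings = @(
    Get-AzVirtualNetworkPeering -VirtualNetworkName $srcVnetName -ResourceGroupName $srcRg
    Get-AzVirtualNetworkPeering -VirtualNetworkName $dstVnetName -ResourceGroupName $dstRg
)
$notConnected = $peerings | Where-Object { $_.PeeringState -ne 'Connected' }
if ($notConnected) { throw "Peering not connected: $($notConnected.Name -join ', ')" }

# Peered networks are fully reachable from each other by default, so list the
# subnets on either side that have no NSG attached and review them.
foreach ($vnet in @($srcVnet, $dstVnet)) {
    $vnet.Subnets | Where-Object { -not $_.NetworkSecurityGroup } |
        ForEach-Object { Write-Warning "No NSG on $($vnet.Name)/$($_.Name)" }
}

# Step 2 (extending AD) is performed by Nerdio Hybrid AD and is not scripted here.

# Step 3: move the VM together with its NICs and managed disks. Azure validates
# the request and rejects it if a required dependent resource is left out.
$vm  = Get-AzVM -ResourceGroupName $srcRg -Name $vmName
$ids = @($vm.Id) +
       @($vm.NetworkProfile.NetworkInterfaces.Id) +
       @($vm.StorageProfile.OsDisk.ManagedDisk.Id) +
       @($vm.StorageProfile.DataDisks | ForEach-Object { $_.ManagedDisk.Id })
$ids = $ids | Where-Object { $_ }   # drop nulls (e.g. unmanaged disks)

Move-AzResource -DestinationResourceGroupName $dstRg -ResourceId $ids
```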

The result will be a new Nerdio deployment managed via the Nerdio Admin Portal with all the automation and simplification benefits outlined above but using the same data, applications and user objects.  This process allows MSPs to standardize their Azure deployments and automate much of the management, auto-scaling and help desk tasks. 

Microsoft Drops the Cost of Licensing Azure Virtual Desktop (AVD) Deployments by 25%

Although not the case in every single deployment scenario, for the vast majority of Azure Virtual Desktop (AVD) deployments for SMBs, Microsoft has dropped the price by 25%!  As most Managed Service Providers (MSP) cater to the SMB market, this recent development will significantly decrease the cost per-user for the majority of their AVD deployments. 

Here, we discuss real-world virtual desktop deployments, the licensing needs of such deployments, and how a little known announcement Microsoft made a few weeks ago is reducing the cost of AVD licensing by 25%. 

What does a typical virtual desktop deployment look like for an SMB customer from a licensing perspective?  First you need the operating system license, which is either Windows Server plus RDS (in a Remote Desktop Services deployment) or a Windows 10 Enterprise subscription (in an AVD deployment).  We’ll be working with AVD here, so let’s assume that we need a Windows 10 Enterprise subscription to cover the cost of the OS and AVD functionality.  Windows 10 Enterprise E3 is $7/user/month and is the least expensive license that can be used for this purpose.

What else does an Azure Virtual Desktop user need besides Windows 10?  The Office suite, of course!  Office can be purchased as a standalone product (e.g. Office 365 ProPlus or Office 365 Business) or as part of a package (e.g. Office 365 E3, Office 365 Business Premium, and Microsoft 365).  The tricky thing about Office is that with AVD (and RDS), you’re running it in a multi-session environment where multiple users are using the same virtual machine to launch the Office apps.  To enable such multi-session use, Office relies on a feature called “Shared Computer Activation” (SCA).  Until recently, only Office 365 ProPlus had SCA.  This meant that only enterprise Office 365 packages (e.g. E3, E5, etc.) could be used with AVD because only they include Office 365 ProPlus.

In addition to Windows 10 Enterprise and Office ProPlus, virtual desktop users typically leverage Exchange Online, OneDrive, SharePoint Online, Teams, and other Office 365 services.  From a licensing perspective, it is always less expensive to purchase an Office 365 package than two or more of its sub-components.  This means that for most virtual desktop users, Office 365 E3 + Windows 10 Enterprise E3 was the most cost-effective option to license all needed functionality.  The cost?  $27/user/month ($20 for E3 and $7 for Windows 10). 

Let’s look at this visually.  You could buy Microsoft 365 E3 and get everything you need in a single package for $32/user/month.  Or, you could mix-and-match components, for example #10 + #11 for $27/user/month. 

Note that the key here is that Office 365 ProPlus must be included since it was the only version that supported SCA.  You can’t buy Office 365 Business Premium for $12.50/user/month, which includes Office 365 Business, since that version would not activate on a multi-session virtual desktop with SCA. 

With all of that in mind, what did the Microsoft announcement change?  Microsoft enabled Shared Computer Activation for Office 365 Business when it is purchased as part of the Microsoft 365 Business package.

Prior to the announcement, it was not possible to use this specific package to fully license a virtual desktop deployment because Office 365 ProPlus was still needed for its SCA capabilities.  Now, Microsoft 365 Business can be used to license the entire AVD deployment: Windows 10 + Office suite + Exchange/OneDrive/Teams/SharePoint.  All for $20/user/month, which is $7 less than the best alternative available previously.  This is a 25% reduction in the per-user-per-month cost. One thing to note is that SCA is available for Office 365 Business ONLY when purchased as part of #1.  It is not available with #5 or even #3. 

But wait, there is more! Not only do you get Windows 10 and Office 365 for $20, but you also get Enterprise Mobility + Security (EMS), which is a suite of technologies to help with mobile device management and security.  Customers can have their primary desktop running securely in Azure with AVD and their local PCs, laptops, and mobile devices managed and protected via Intune. 

Microsoft is making many licensing and technology moves in advance of Windows Virtual Desktop entering general availability later this year that are all meant to drive demand for this IT delivery model.  It is likely that AVD with desktop VMs running in Azure and leveraging Microsoft 365 SaaS products will be the most cost-effective IT solution for small and mid-size businesses in the very near future.  This is a tremendous opportunity for the channel and specifically the MSPs who service these customers. 


What’s New at Nerdio? June 2019

Today is a big day at Nerdio and it has nothing to do with finding a new partner, attending a great peer-to-peer group, or recording a webinar. It isn’t about a new product feature or a different way to use our product, either. It’s about helping you.

At Nerdio, our mission is to enable Managed Service Providers to build successful cloud practices in Microsoft Azure. When MSPs want to understand their cloud practice options and opportunities, we provide the tools and insights for specific and tangible solutions. Instead of wondering how much to charge or how to deploy and manage a cloud solution, we’ll offer the necessary resources for MSPs to quickly find out how their business can benefit from being built on Microsoft Azure.

We believe that when working with partners, they want two primary daily deliverables:

1. To be understood.

We are techies who love our community of partners that make their living from providing leading technology.
When MSPs find Nerdio, they know someone finally ‘gets’ how complex the subject can be. Nerdio proactively anticipates the questions MSPs have before they ever need to ask them.

2. To be informed.

We regularly curate content and resources for our website and social media presence to stay on top of industry developments and keep our partners aware of the latest Azure information. With Nerdio by their side, the MSP has all the information they need to make the right choice for their business. Every time they interact with Nerdio, they leave having learned something new about Azure.

It makes sense, then, that we have a world-class website that matches our mission statement, therefore allowing MSPs to be understood and be informed.

Today, we re-launch www.getnerdio.com as the primary resource for MSPs to build a successful cloud practice in Microsoft Azure.  You’ll find a clean, modern look which will differentiate Nerdio from the clutter, flash, and generic stock photography seen on so many other sites. You will also be introduced to the “Nerdio Academy” which is an incredibly rich resource designed for the MSP community. It includes best-in-class educational videos, webinars, white papers, and much more designed to help MSPs understand how to build a successful Azure practice — including topics from Windows Virtual Desktop, increasing your margins selling Azure, and deep technical Azure content.  You won’t find this breadth and depth of MSP-focused content anywhere else.

At Nerdio, we aim to be focused, straightforward, empowering, and helpful to our partners.  By doing so, we offer you the definitive Azure solution for the MSP community.