What MSPs Need to Know About Azure Lighthouse

On July 11th, 2019, just three days before Inspire, Microsoft announced the general availability of a new Azure technology called Azure Lighthouse.  Lighthouse promises to provide “capabilities for cross customer management at scale for partners to differentiate and benefit from greater efficiency and automation.”  A great, deep under-the-hood overview of Azure Lighthouse can be found in this blog post by Azure Chief Technology Officer Mark Russinovich.

Although exciting and full of potential, Azure Lighthouse capabilities can be a bit difficult to understand without direct, hands-on experience.  In this article, my goal is to cut through both the marketing and tech speak and answer a few fundamental questions about this technology.

  • What exactly is Azure Lighthouse?
  • How can MSPs leverage Azure Lighthouse?
  • How does Azure Lighthouse fit into Nerdio’s product strategy?

What exactly is Azure Lighthouse?

In a word, Azure Lighthouse is “delegated resource management” (I guess that’s not a single word but more of a phrase).  To be more precise, Azure Lighthouse is an Azure Resource Manager capability that lets customers delegate permissions to service providers over scopes, including subscriptions, resource groups, and individual resources, so that service providers can perform management operations on their behalf.

Yes, that’s a mouthful so let’s try to break it down and understand it by way of an example.

Imagine that your MSP is not in the technology business but rather in the office building maintenance business.  You’ve signed a contract with a big downtown office building operator (think – Microsoft Azure) that leases office space to their tenants (think – your customers).  These tenants can contract with your firm to take care of their office spaces for them if they want, but don’t have to use you and can just take care of their office themselves.  Your employees, the building engineers (think – techs and engineers), need to go into the tenant office spaces after hours to maintain the space.  Now, the building hasn’t invested in electronic locks and every office space has a unique physical key that your employees must carry with them to get into the space.  Imagine a big ring of keys that each employee carries containing a key for each customer tenant.

This is how managing Azure looked before Lighthouse.  You had to maintain a set of admin credentials for each customer’s Azure tenant.  They were all independent of each other and you had to switch from one to the next whenever managing multiple customers.

Azure Lighthouse is the cloud equivalent of the big downtown office building installing digital locks throughout and giving your employees a single fob to be able to open a tenant’s door, as long as the tenant authorizes it first.  In Azure, you now have the ability to request your customers’ permission to manage various parts of their environment using your own set of credentials.  Once they grant you this permission, you’ll be able to stay logged into Azure portal with your own username and have visibility and control over multiple customers’ tenants, subscriptions, resource groups and resources.

This is very convenient and more secure.  You no longer have to log in as different users to manage different customers and you have only one set of credentials to protect (e.g. MFA and Conditional Access).  What about those spreadsheets with admin login credentials for each and every customer?  Those can be gone, too!

Here is a hierarchical way to think about this new capability:

  • (NEW with Azure Lighthouse) Partner Azure AD tenant with delegated access to some/all customers’ environments
    • Customer A Azure AD tenant
      • Subscription
        • Resource Group
          • Resources
    • Customer B Azure AD tenant
      • Subscription
        • Resource Group
          • Resources

Prior to Azure Lighthouse, each customer’s Azure AD tenant was completely independent from a management perspective.  Now, your Partner Azure AD tenant can be entitled to manage multiple customers’ Azure AD tenants.

How can MSPs leverage Azure Lighthouse?

So, having a “master key” for all of your customers’ Azure deployments is convenient, but is that all?  What’s the big deal with Azure Lighthouse if all it does is make access to the Azure Admin Portal easier?

Although delegated resource management is the core technology of Azure Lighthouse, it enables MSPs and software companies to do some pretty cool things at scale with much more efficiency.  Let’s look at a few examples.

Security policies

Imagine that you’ve created a set of best-practice Azure security policies that you recommend and implement for all of your Azure customers.  Before Lighthouse, you would have to create, evaluate and apply these policies independently for each customer.  Any change to your standard policies would have to be manually applied to every Azure tenant.  Imagine doing that for hundreds or thousands of customers.  This is very inefficient and error-prone.

With Azure Lighthouse, you can have a centralized set of security policies that you create and manage and then can apply to all (or some) of your customers at the same time.  This is much more efficient, automated, and less error-prone.

Patching policies

If you’re monitoring the patching status of your customers’ Virtual Machines (VMs) using Azure Update Management, doing it inside of individual tenants is laborious.  Imagine being able to view and take action on Update Management events across all customers in one place.

Portal, REST API, CLI, PowerShell

Azure Lighthouse is not only for the Azure Portal.  It enables developers and engineers to create software solutions and scripts using all of Azure’s management capabilities, such as the CLI, REST API, and PowerShell, to manage all aspects of customers’ environments.  This creates limitless possibilities for automation software to work efficiently across large customer bases.
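The “Security policies” scenario above, carried out from PowerShell, as an added example (not Nerdio’s product code or a Microsoft sample): a single partner identity enumerates the customer subscriptions delegated through Lighthouse and assigns one centrally maintained Azure Policy definition to each. It assumes Az.Accounts and Az.Resources are installed, that the delegation grants a role able to create policy assignments (Resource Policy Contributor), and that the `<...>` placeholders are replaced with your own policy definition ID and assignment name.

```powershell
# Added example: apply one MSP-maintained policy definition to every Lighthouse-delegated
# subscription using the partner's own credentials. Placeholders are marked <...>.
param(
    [string]$PolicyDefinitionId = '/providers/Microsoft.Authorization/policyDefinitions/<definition-guid>',
    [string]$AssignmentName     = 'msp-baseline-<short-name>',
    [switch]$WhatIf
)

Connect-AzAccount | Out-Null                     # one partner login; MFA/Conditional Access apply here
$partnerTenantId = (Get-AzContext).Tenant.Id

# A delegated subscription keeps the customer's HomeTenantId but lists the partner tenant in
# ManagedByTenantIds; the first test excludes the partner's own subscriptions.
$delegated = Get-AzSubscription | Where-Object {
    $_.HomeTenantId -ne $partnerTenantId -and $_.ManagedByTenantIds -contains $partnerTenantId
}
if (-not $delegated) { Write-Warning 'No Lighthouse-delegated subscriptions are visible to this identity.'; return }

$definition = Get-AzPolicyDefinition -Id $PolicyDefinitionId

$results = foreach ($sub in $delegated) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null          # same credentials, different customer
    $scope    = "/subscriptions/$($sub.Id)"
    $existing = Get-AzPolicyAssignment -Name $AssignmentName -Scope $scope -ErrorAction SilentlyContinue
    $action = if ($existing) { 'AlreadyAssigned' }
              elseif ($WhatIf) { 'WouldAssign' }
              else {
                  New-AzPolicyAssignment -Name $AssignmentName -Scope $scope `
                      -PolicyDefinition $definition -DisplayName "MSP baseline: $($definition.Name)" | Out-Null
                  'Assigned'
              }
    # One row per customer subscription so the run can be reviewed and audited afterwards.
    [pscustomobject]@{ Customer = $sub.Name; HomeTenant = $sub.HomeTenantId; Subscription = $sub.Id; Action = $action }
}
$results | Format-Table -AutoSize
```

Run it with `-WhatIf` first to see which customer subscriptions would receive the assignment; the same loop pattern works for any Az cmdlet you want to run across delegated customers.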

How does Azure Lighthouse fit into Nerdio’s product strategy?

At Nerdio we are all about empowering MSPs to build successful cloud practices in Microsoft Azure through our innovative automation software.  Since all of our MSP partners have multiple customers, the challenges outlined above weren’t new to them or Nerdio, and we couldn’t wait for Azure Lighthouse to come out in order to solve these problems.  Therefore, two years ago we created the Nerdio Admin Portal, a multi-tenant, single-pane-of-glass management portal that allows MSPs to manage all aspects of all customers’ Azure environments in one place.

Now, with Azure Lighthouse, we will incorporate this new delegated resource management technology to make the Nerdio Admin Portal even more efficient.  For example, today when you deploy a new customer account with Nerdio, you have to specify that customer’s Azure admin credentials to “plug” Nerdio into the tenant.  Once you do that, the Nerdio Admin Portal manages that tenant going forward and you don’t need to use these credentials again.  With Azure Lighthouse, as partners gain delegated access to their customers’ Azure tenants, we will enable the capability for a partner to simply click the “Add Nerdio For Azure account” button and select a customer name from a list rather than have to provide an individual customer’s Azure credentials.

At Nerdio, we couldn’t be more thrilled to see Microsoft recognize how Azure environments are managed in the real world – by MSPs – and support these MSPs by making their job easier through automation capabilities that lead to improved efficiency, reduced service delivery costs, and increased profitability.

Contact us to learn more about how Nerdio partners with Microsoft to empower MSPs every single day to succeed with Azure.

Microsoft Azure Reserved Instances Explained

In this article, we will take a detailed look at how Azure Reserved Instances affect the cost of Azure compute consumption.  This is not an introductory article, but more of a 300-level illustration using a specific example to demonstrate the salient points.

Let’s start by defining a few terms:

  • Azure Reserved Instance (RI) – the ability to pay for Azure compute capacity in a specific Azure region in exchange for a significant discount.
  • RI Term – the duration of the agreement.  There are only two available terms: 1 year and 3 years.  A 3-year term provides a deeper discount than an equivalent 1-year term RI.
  • RI Scope – the scope of an RI is set when the reservation is purchased.  It defines which VMs the RI can apply to in order to offset their monthly PAYG cost.  There are two types of scope:
    • Shared Scope – shared scope RIs can apply to any VM inside of any subscription within a single Azure tenant.
    • Subscription Scope – subscription scope RIs can apply only to VMs inside of a specific Azure subscription.  Even if a VM in another subscription matches a Subscription Scope RI, the RI will not offset that VM’s monthly cost.  Only VMs within the subscription where the RI is scoped will be offset.
  • RI Instance Size Flexibility – a feature of Azure RIs that allows a reservation to offset part of the cost of a VM, or the cost of multiple VMs.  For instance, an RI for a single CPU core VM can offset 50% of the cost of a dual CPU core VM in the same VM size group.

Let’s see how all this works using an example:

In the example above, we see an Azure tenant with two subscriptions.

There are 3 Shared Scope reservations:

  • RI-1: E8sv3 (8C/32GB)
  • RI-2: B4ms (4C/16GB)
  • RI-3: D2sv3 (2C/8GB)

There are also 4 Subscription Scope reservations, two in each of the Azure subscriptions:

  • Subscription A
    • RI-A1: D2sv3 (2C/8GB)
    • RI-A2: E4sv3 (4C/32GB)
  • Subscription B
    • RI-B1: DS1v2 (1C/3.5GB)
    • RI-B2: B2ms (2C/8GB)

Each of the subscriptions has 4 running VMs:

  • Subscription A
    • VM-A1: E4sv3 (4C/32GB)
    • VM-A2: E4sv3 (4C/32GB)
    • VM-A3: D4sv3 (4C/16GB)
    • VM-A4: NV6 (6C/56GB)
  • Subscription B
    • VM-B1: DS2v2 (2C/7GB)
    • VM-B2: D8ms (8C/32GB)
    • VM-B3: E8sv3 (8C/64GB)
    • VM-B4: D2sv3 (2C/8GB)

All reservations have a 3-year term and are paid for upfront:

  • RI-1: $5,257
  • RI-2: $1,646
  • RI-3: $968
  • RI-A1: $968
  • RI-A2: $2,628
  • RI-B1: $637
  • RI-B2: $823

The total upfront reservation payment for all Shared Scope and Subscription Scope RIs is $12,927.

You also have the option to pay for the reservation on a month-to-month basis rather than all up front.  This comes at no additional cost when compared to the yearly price of the RI.  If you decided to go with monthly payments, your monthly cost would be $1,901 compared to the $3,055 it would normally cost with full PAYG.

By purchasing these reservations, the monthly cost of running VMs is offset when there is a matching reservation.  Sometimes the cost is offset completely (as in the case of VM-A1), sometimes it’s offset partially (as in the case of VM-B3), and sometimes there aren’t any RIs available to offset the cost of a VM (as in the case of VM-A4).

In this example, you can see there are significant savings in using RIs.  Adding up the monthly cost of all 8 VMs and multiplying by 36 months to get the 3-year cost yields $109,980.  However, by utilizing reservations that cost ~$13k, one can save $41,523, or 38% of the 3-year total.  Purchasing additional RIs to offset the remaining monthly cost would result in even greater savings.
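The scope and instance-size-flexibility rules defined above, applied to this example’s reservations and VMs as an added worked model (not Nerdio’s Azure Cost Estimator and not Azure’s billing engine). Assumptions: the VM size group is the size name with its digits removed, the flexibility ratio is the core count, Subscription Scope RIs are consumed before Shared Scope ones, and VMs are matched greedily in list order; Azure’s hourly allocation can distribute coverage differently.

```powershell
# Added example: which RIs offset which VMs under the rules stated above (simplified model).
$reservations = @(
    @{ Name='RI-1';  Size='E8sv3'; Scope='Shared' }, @{ Name='RI-2';  Size='B4ms';  Scope='Shared' },
    @{ Name='RI-3';  Size='D2sv3'; Scope='Shared' }, @{ Name='RI-A1'; Size='D2sv3'; Scope='A' },
    @{ Name='RI-A2'; Size='E4sv3'; Scope='A' },      @{ Name='RI-B1'; Size='DS1v2'; Scope='B' },
    @{ Name='RI-B2'; Size='B2ms';  Scope='B' }
)
$vms = @(
    @{ Name='VM-A1'; Size='E4sv3'; Subscription='A' }, @{ Name='VM-A2'; Size='E4sv3'; Subscription='A' },
    @{ Name='VM-A3'; Size='D4sv3'; Subscription='A' }, @{ Name='VM-A4'; Size='NV6';   Subscription='A' },
    @{ Name='VM-B1'; Size='DS2v2'; Subscription='B' }, @{ Name='VM-B2'; Size='D8ms';  Subscription='B' },
    @{ Name='VM-B3'; Size='E8sv3'; Subscription='B' }, @{ Name='VM-B4'; Size='D2sv3'; Subscription='B' }
)

function Get-SizeGroup ([string]$Size) { $Size -replace '\d', '' }                    # E4sv3 -> Esv (assumed grouping)
function Get-Cores     ([string]$Size) { [int]([regex]::Match($Size, '\d+').Value) }  # E4sv3 -> 4 (flexibility ratio)

# Each reservation carries "core credits" equal to its size; VMs consume them as they match.
foreach ($ri in $reservations) { $ri.Remaining = Get-Cores $ri.Size }

$report = foreach ($vm in $vms) {
    $need = Get-Cores $vm.Size; $covered = 0; $used = @()
    # Eligible RIs: same size group, and scoped either to this VM's subscription or shared.
    $eligible = $reservations | Where-Object {
        (Get-SizeGroup $_.Size) -eq (Get-SizeGroup $vm.Size) -and $_.Scope -in @($vm.Subscription, 'Shared')
    } | Sort-Object { if ($_.Scope -eq 'Shared') { 1 } else { 0 } }          # narrower scope first
    foreach ($ri in $eligible) {
        if ($covered -ge $need -or $ri.Remaining -le 0) { continue }
        $take = [Math]::Min($ri.Remaining, $need - $covered)             # partial offsets allowed
        $ri.Remaining -= $take; $covered += $take; $used += $ri.Name
    }
    [pscustomobject]@{ VM = $vm.Name; Size = $vm.Size; Subscription = $vm.Subscription
                       Covered = ('{0:P0}' -f ($covered / $need)); OffsetBy = ($used -join ',') }
}
$report | Format-Table -AutoSize
```

Under these assumptions the model reproduces the three cases called out in the text: VM-A1 is fully offset (by RI-A2), VM-B3 only partially (the remainder of the shared RI-1 after VM-A2 consumed half of it), and VM-A4 not at all because no RI shares its size group.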

Azure compute reservations are a powerful lever to increase margin for MSPs when creating Azure-based IT solutions.  They are complex and require some planning in advance, but with savings of up to 57% over a 3-year period, RIs are an important tool for MSPs to understand and leverage.

At Nerdio our mission is to empower MSPs to build and grow their cloud practices in Microsoft Azure. Nerdio’s Azure Cost Estimator is a great place to start in evaluating the magnitude of savings that RIs can provide.