Service Level Description

1. PURPOSE

2. INTRODUCTION

• VM provisioning and management.
  
• VM backups.
  
• Networking management including connectivity, load balancers, and firewalls.
  

3. SUPPORTED AZURE SERVICES

4. MICROSOFT AZURE ARCHITECTURE

4.1 Virtual Machines

• The size, which determines factors such as how many disks you can attach and the processing power. Azure offers a wide variety of sizes to support many types of uses. 
  
• The Azure region where your new VM will be hosted, such as in the US, Europe, or Asia.
  

4.2 Availability Sets

4.3 VM Storage

• Blob Storage stores file data. A blob can be any type of text or binary data, such as a document, media file, or application installer. Blob Storage is sometimes referred to as Object storage.
  
• Table Storage stores structured datasets. Table storage is a NoSQL key-attribute data store, which allows for rapid development and fast access to large quantities of data.
  
• Queue Storage provides reliable messaging for workflow processing and for communication between components of cloud services.
  
• File Storage offers shared storage for legacy applications using the standard SMB protocol. Azure virtual machines and cloud services can share file data across application components via mounted shares, and on-premises applications can access file data in a share via the File service REST API.
  

4.4 Standalone Storage

1. Location – This can be at any of the locations listed in Services link above where Navisite is permitted to sell Azure. 
   
2. Redundancy – Navisite encourages either the Locally Redundant Storage (three copies within one region) or Geo Redundant Storage (three copies within one region and three copies in another region generally in the same political border). GRS is roughly twice the price of LRS but provides an extra layer of redundancy at a relatively low cost.
   
3. “Hot versus Cool” – These are differentiated by SLA; Hot has an 99.9% SLA while Cool is 99%, but Cool is cheaper. More information can be found at https://docs.microsoft.com/en-us/azure/storage/storage-blob-storage-tiers .
   

4.5 Networking

• VNets are completely isolated from one another. That allows you to create disjoint networks for development, testing, and production that use the same CIDR address blocks.
  
• All IaaS VMs and PaaS role instances in a VNet can access the public Internet by default. Navisite can control access by using Network Security Groups (NSGs).
  
• PaaS role instances and IaaS VMs can be launched in the same virtual network and they can connect to each other using private IP addresses even if they are in different subnets without the need to configure a gateway or use public IP addresses.
  
• Azure provides internal name resolution for IaaS VMs and PaaS role instances deployed in your VNet. Navisite can also deploy DNS servers and configure the VNet to use them.
  
• Traffic entering and exiting the virtual machines and PaaS role instances in a VNet can be controlled using Network Security groups.
  
• VNets can be connected to each other, and even to your on-premises datacenter, by using a site-to-site VPN connection, or ExpressRoute connection. 
  

• An external load balancer can provide high availability for IaaS VMs and PaaS role instances accessed from the public Internet.
  
• An internal load balancer can to provide high availability for IaaS VMs and PaaS role instances accessed from other services in a VNet.
  

• Prioritized Routing – An algorithm primarily used in failover scenarios.
  
•   Weighted Routing – An algorithm that allows for distribution to different hosts based on pre-defined priorities. 
• Performance Routing – An algorithm that selects the best route based on latency between the source IP and the hosts.
  
• Geographic Routing – An algorithm that defines hosts based on the geographic region from whence the DNS query originates.  
  

1. Traffic Manager provides DNS resolution, not active routing, so once Traffic Manager determines the host to which a client should connect, that traffic goes straight from client to host without needing to re-enter the Azure environment. 
2. Traffic Manager can be used to distribute traffic between hosts both within and outside of Azure. This allows for load balancing between Azure and other environments during a migration or “cloud bursting” scenario.
   

• The circuit that connects the customer premise to a carrier hotel. Most major telco providers offer this service with connectivity to Azure (Express Route) and AWS (Direct Connect). Navisite cannot directly resell these circuits so they should be obtained by the customer or through Spectrum Enterprise.
  
• A carrier hotel is an aggregation point for connecting customer circuits into the Azure network. There are some telco providers who provide this service directly while others will partner through speciality providers such as Equinix.
  
• The actual Express Route connection is effectively a cross-connect within the carrier hotel and the customer Azure subscription. This is configured by Navisite using routing and other configuration information supplied by the customer and carrier hotel.
  

4.6 License Models

• Pay-as-you-go is a model wherein a customer signs up for an account directly on the Microsoft portal and pays directly by credit card or invoice. This is most common among small companies or startups. Navisite can manage some or all of the Azure resources based on customer requirements.
  
• Enterprise Agreements for large Microsoft customers will frequently include some quantity of Azure credits in addition to the onsite Microsoft licenses. These are generally paid for in advance and this model is generally targeted to mid-to-large customers with a pre-existing Microsoft relationship. Navisite can manage some or all of the Azure resources based on customer requirements. 
  
• The Cloud Service Provider program allows providers like Navisite to provide both the Azure resources and the Azure management in a single package. All Azure resources provided via this model must be managed by Navisite.
  

5. SERVICE DESCRIPTION

5.1 Service Availability

5.2 Design Document Creation

• Detailed description of network connectivity to the customer premise, Navisite hosted services, or other locations
  
• List of applications to be implemented with connectivity requirements
  
• List of Azure services to be used
  
• Specifications for Availability groups
  
• Geographic location for each availability group
  

5.3 Provisioning of Microsoft Azure account

5.4 Network implementation

5.5 DNS Implementation

5.6 Availability Group/Virtual Machine implementation

• Disabling unnecessary services as security measures.
  
• Installing and configuring TCP wrappers on UNIX hosts.
  
• Creating and configuring local user accounts
  

5.7 Blob Storage Implementation

1. Create an Azure subscription for the customer.
   
2. Create Resource Groups for tracking and management of the storage.
   
3. Create Storage Accounts based on the geographies requested by the customer.
   
4. Create Storage Blobs within the Storage Accounts based on the customer requirements.
   
5. Share the credentials and access keys required for accessing the storage blobs with the customer.
   

5.8 Load Balancer Implementation

• Backend pool of VMs to be protected
  
• IP address for unified access
  
• Health probe configurations to determine whether or not a VM is live
  
• Load balancer rules (port/protocol)
  
• Inbound NAT rules (port mapping)
  
• Session persistence
  

5.9 Backup Implementation

5.11 Implementation of the Navisite Monitoring platform

6. MONTHLY SERVICE DESCRIPTION

6.1 Design Updates

6.2 OS Monitoring Services

6.2.1 Navisite Responsibilities / Activities

• 24x7 ping monitoring of Customer servers or virtual instances to determine if they are in an Up or Down state.
  
• The Network Management Platform sends all confirmed error events to the Event Console in the Navisite Service Center (NSC) for further Event Management.
  

6.3 Network Management

6.4 OS Management Service

• Ongoing Operational Management.
  
• Fault Management.
  
• Patch Management.
  
• Backup Services.
  

• Install/de-install OS packages, patches and service packs.
  
• Install and configure SSH for secure access to UNIX/LINUX servers.
  
• Add/change/delete local user accounts.
  
• Change/modify file permissions (read/write/execute commands and user access).
  
• Create file shares on Windows Servers.
  
• Keep Anti-virus engine and data files up to date.
  
• Modify system parameters in accordance with documented application requirements.
  
• Perform changes to TCP Wrappers to enable user access to UNIX hosts.
  
• Keep current with the operating system vendors' latest releases of security maintenance code patches. Subject to Customer notification and approval, Navisite periodically integrates the vendors' latest security patches into production servers.

• Navisite monitors vendor alerts, trusted third party advisories, vulnerability reports, and other sources to identify valid security alerts/issues.
  
• Navisite installs emergency security patches immediately onto a Customer's server if the patch is deemed so important by the vendor, or by industry experts, such that without it either the Customer or the Navisite network - and other Customers' service elements - are exposed to attacks, which threaten their operational integrity. Navisite makes a reasonable attempt to notify affected Customers prior to patch installation (either via email or by phone), but in some circumstances it may be deemed necessary to install these patches before Customer notification occurs. Navisite also makes a reasonable effort to perform this emergency maintenance in the closest available regularly scheduled maintenance window, but in some cases action may be needed immediately.
  
• Navisite's back out plans for emergency patch applications include being able to roll back to the current state of the OS prior to patch application. Any additional restoration of OS functionality, application information, or Customer data that may be necessary due to a security issue is provided under the Unified Backup Service. Refer to the Unified Backup Service SLD for further details.
  

• Using vendor alerts, third party advisories, vulnerabilities reports, and other feedback, patches are collected as they become available, tested, and validated against the Navisite baseline OS system build.
  
• Periodically, but at least once a month, Navisite publishes a list of recommended patches and bundles these patches together in preparation for installation as a Mandatory System Patch Upgrade (MSPU). In addition, this list will be available to our Customers (as either the actual patch or a link to the patch) so that our Customers can review the patch list and determine by their own testing that the patches don't affect their system or application's operation.
  
• Approximately once every quarter Navisite publishes all the patches (or combined major Service Pack or service rollup) that are part of the next MSPU.
  
• Installation of each MSPU is implemented under a scheduled change control with the Customer given 14-day advance notification of the schedule for the change control and at least 28-day advance notification of the contents of the MSPU.
  

6.4.4 Linux Patch Management

• An advisory has been posted for a security flaw in a well-known software module that places a server at undue risk of exploitation within the other security controls placed on a Navisite environment.
  
• There are specific requirements from an operating system or application vendor to apply a patch to fix a problem being experienced on the machine. This will be done after consultation with the client.
  
• A client specifically asks for patches to be applied.

• Refrain from making any changes to the operating system or any other element that is managed by Navisite. Navisite, in turn, will not make any changes to any elements managed by Customer.
  
• Notify the Navisite Service Center (NSC) prior to making any changes that may cause any unnecessary monitoring alarms. Troubleshooting and correcting any alarms caused by Customer's failure to notify Navisite in advance will be billed against the monthly number of support hours.
  
• Ensure compatibility of Customer maintained applications with operating system, server hardware, and architecture.
  
• Request application of non-critical patches.
  

7. RACI's

7.1 Windows Systems Management

7.2 Linux Systems Management