Home Tutorials Designing a Multi-Cloud Environment with IaaS, PaaS, and SaaS  

Designing a Multi-Cloud Environment with IaaS, PaaS, and SaaS [Tutorial] 

cloud computing
14 min read

In this tutorial, you will understand a scenario that describes how to use solutions from different cloud providers and frameworks. You will learn how to interact with and create a design to fit into the requirements that will be as transparent as possible to the end customer. We will conclude the tutorial by designing a real-world scenario with Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), in multi-cloud environments (private, public, and hybrid).

This tutorial is an excerpt from a book written by Florian Klaffenbach, Markus Klein, Suresh Sundaresan titled Multi-Cloud for Architects. This book is a practical step-by-step guide that will teach you to architect effective Cloud computing solutions and services efficiently.

Design guidelines for multi-cloud solutions

Learn Programming & Development with a Packt Subscription

To design a multi-cloud environment you will need:

  • Network connectivity between the different clouds
  • A single identity management solution for all servers
  • Supported application for georedundancy


As virtual machines are complex and not easy to manage, there is often a requirement to bring in flexibility to custom IT services. This is where containerization comes into play. The concept of containers is defined as follows: a container is an infrastructure independent sandbox running in a container environment, without an operating system in the container. You can easily move containers between environments, and you can scale by adding another container to an existing environment.

Items that are usually bundled into a container include the following:

  • Applications
  • Dependencies
  • Libraries
  • Binaries
  • Configuration files
  • Container services have been an approach of different solutions in the past and even came from the community. In the meantime, the following container solutions survived.

Cloud Foundry

Cloud Foundry was mainly developed by VMware and later by Pivotal. As you can see in the following diagram, the basic design is easy to understand. There are different layers of services that are split to scale and communicate between them:

Cloud Foundry provides the ability to run containers independent of the underlying programming language or framework. It provides so-called service brokers that provide a defined connection to existing PaaS solutions from cloud vendors (for example, MySQL from Azure, DB2 from AWS, and so on). It is completely integrated into the CI/CD pipeline of development, and therefore, it has a lot of users from the DevOps parties.


Docker is a software solution that works based on containers. A container is defined as an isolated environment containing applications, tools, configuration files, and libraries. All of them run on a single operating system Kernel without guest operating systems, and we know from virtual machines. If you run container in scale, you will need to define an orchestration solution. In today’s Docker environments provided by public cloud vendors, you will find Kubernetes as the management, orchestration, and scaling solution shown as follows:

As you can see in the preceding diagram, there are different layers that ensure that the Docker Engine can communicate to the rest of the services and provide a defined API, internally and externally. Each of these layers and design parts is responsible for an important part of the product.


OpenShift is a container solution, with Kubernetes as the orchestrator, that runs on the RedHat operating system. It is owned by IBM:

OpenShift is comparable to Docker itself, but it has some modifications that were designed by RedHat. They have been explicitly implemented into the OS itself.


The technical basis for working with containers is a microservice application architecture. This means that each application should be sliced into the smallest possible (but scalable) services. These services are then moved to containers. To scale a specific part of an application, another container is switched on, and a load balancer, sitting before the microservices container, is responsible for integrating the new container into the application life cycle.

The concept of microservices is illustrated in the following diagram:

As you can see in the preceding diagram, there is an application frontend, API services, and a background database in this sample design. So we have services talking to the user and acting as the frontend. There is a layer in between for communication and translation and we can find a third layer, which is the database service itself.

Docker Services as a Service

Depending on the cloud vendor, you will find some, or even all, of the following services as PaaS offerings:

  • Container registries for hosting the container images
  • Container hosts/instances for running the container images
  • Container orchestrators (generally based on Kubernetes) to orchestrate the images

Regardless of the overall design of your cloud solution, you will be able to integrate these from different cloud vendors. This means that you can spread the same containers to different clouds, hosted by different vendors, and decide where you would like to place your registry, and where your Kubernetes orchestrator should have its home address.

Best practices

Regarding best practices for your PaaS container design, you should make sure that you find all the required parts for a solution at one or many public cloud vendors. If we set the networking connectivity with good performance and low latency, for example, there will be no need to, place our container hosts in different environments to provide better availability for customers consuming the cloud services. For example, if a customer is consuming his cloud services from Azure, it could connect to your service within the Azure backbone. If it comes from Amazon Web Services, this may be its connectivity target.

Bear in mind that redundancy requirements cannot be solved with more complexity. Even here, Terraforms can help to design a descriptive language that is cloud independent.

A real-world design scenario

Now let’s take a look at a real-world scenario that involves designing a multi-cloud architecture for a mid-size European company with locations in the United States, Japan, and Moscow, in addition to their worldwide headquarters in Munich. They are working in the medical and health care area and decided to completely move every IT service to the cloud, except their data center in Moscow, as their IT team is located there. But even for this location, their goal is to minimize the on-premises servers and even work in the data center environment using public cloud technology, as this would give them the chance to move the last on-premise servers to a public cloud, if somehow, in the future, their data center needs to move.

As of today, the company is running the following services:

  • Active Directory on Windows Server 2012 R2 with four domain controllers’ in the IT headquarters in Moscow.
  • Each location has two domain controllers’ on-premises.
  • 480 member servers, running Windows Server 2008 and higher.
  • 280 Ubuntu 17 servers.
  • VMware, as a virtualization layer.
  • Each server is a virtual machine; even their firewalls (checkpoint) are virtual machines.
  • The company’s network is MPLS-based, operated by AT&T. They have a central internet breakout in Moscow.
  • There are about 500 SQL server instances running on Windows and Linux. Each of them is already in the most recent release.
  • About 50 servers are running custom installations developed by the company’s development team. They are using Visual Studio for managing their code.
  • About 4200 client devices are being used. Each of them is running Windows 7 and Office 2010. For mobile devices, they are using Apple iPhones.
  • The central solution for business services is SAP, which is currently hosted in their local data center in Germany, and in Moscow as a redundant hot standby environment.
  • They are currently managing their environment by using system center 2012 R2 tools.
  • Their ITSM solution is already running as a SaaS solution in the ServiceNow cloud. This is the only solution that will survive the redesign and even in 2021 and later will run in the ServiceNow cloud.

The CEO has decided to have a cloud-first strategy, and all of the cloud migration must be done by the end of 2021, as all the existing data center contracts would be cancelled by then. In addition, they have already decided to implement a two cloud vendor strategy using Microsoft Azure and Amazon Web Services. AWS should mainly be used by their development team, as the chief of development is a former employee of AWS. The head of IT has decided to move all of the infrastructure services mainly to Microsoft Azure.

Suppose that you are the responsible, external consultant, helping to design the new IT environment.

Solution design

This section will describe the project and the final design of the new company’s IT environment, based on Azure and AWS technology.


One of the most important steps, when starting to use cloud services is to define cloud governance. Regarding which cloud vendor you decide to use, basically, they are all the same.

With Amazon Web Services, the Cloud Adoption Framework looks as follows:

With AWS, as the customer, have to work through each of the points, in order to be happy with your cloud governance.

With Microsoft Azure Services, there is the Azure Governance Scaffold, as follows:

These are the main points that you will need to define your governance and work with Azure properly.

Looking at Azure in more detail, we will need to decide on a concept for the following components:

As you can see in the preceding diagram, there are different portals on the business side (the Enterprise Portal and the Account Portal), and then a third one to manage the technologies themselves (the Management Portal). If you would like to work with code (JSON), the APIS, and CLI, Visual Studio will be your ideal solution to work with.

We will need to merge both of the cloud vendors.

For this example, the governance has already been set and we can have a look at the technology itself.


Looking at the networking portion of the multi-cloud design, the company decided to work with a partner that supports multi-cloud connections. This means that they, themselves, do not have to manage connectivity. This is being done via remote peering with their networking partner. Our company decided to go with Equinix and Interxion. The following diagram shows the Equinix Cloud Exchange Framework:

As you can see in the preceding diagram, the customer has connectivity to Equinix and Equinix will provide the customer with connectivity to the cloud vendors of your choice.

Let’s take a look at Interxion:

Interxion works the same way that Equinix does, and it is another vendor to help you solve your multi-cloud networking configurations. The result will be redundancy and independency and even a connection to the local data center in Moscow without any issues to both cloud vendors.

Identity management

The company has decided to have a single identity management solution based on the technology, they already run on both public clouds, which is Azure Active Directory:

As you can see in the preceding diagram, each cloud service (either public or hybrid, using Azure Stack or a similar service) is using Azure AD as a single IDM solution.

Based on their security policies, the company has decided to go with Azure AD Connect, using pass through authentication (PTA):

The PTA agent is monitoring the IDM queues in the cloud and authenticating the requests locallys transferring back the authentication token.

As Azure AD works with AWS, too, there is single identity management solution in place, as follows:

For their on-premises cloud environment, the company has decided to go with Azure Stack in a connected mode, in order to leverage Azure AD, too. The design is illustrated in the following diagram:

As you can see in the preceding diagram, Azure Stack and Azure behave the same way technologically, and can therefore be integrated into the express route configuration as another Azure cloud.

Modern workplace services

With the basic cloud environment in place, the company has decided to go with Office 365 for all workplace services, on all client devices. They will be migrated to Office applications on the client computers, using Office servers as SaaS directly from the cloud. This will be a seamless migration for the user accounts, and everything will work as usual, even when the migration is taking place:

As the Office 365 license can also be used on iPhones, all of the employees will be fine. Regarding the company’s on-premises exchange server, Skype, and SharePoint, they will move these to Office 365 completely and will get rid of the virtual machines that are present today.

Infrastructure services

Regarding the existing infrastructure services, you have decided to move most of them to Microsoft Azure and to prepare the migration by first identifying which solution can exist as a PaaS, and what needs to reside on a VM in IaaS.

To automatically collect all of the required information, you decide to perform an analysis using Azure Migrate, as follows:

The vCenter Service will be connected to Azure and will host the migration service itself. I will be responsible for synchronizing, and later managing, the switch of each VM from on-premises to the cloud.

For all of the SQL services, there is a solution called Azure SQL Migrate, as follows:

As a result of these cloud services, you will be able to figure out if there are still any virtual machines running SQL. In general, about 80-90% of the SQL servers in the existing design can be moved to PaaS solutions. Using the results of the migration service, you can get an idea of what the cloud SQL solution will look like. It will also help you to work through each migrating step in an informed way.

For the SAP environment that is currently running on-premises, you decide to migrate to SAP HEC on Azure, based on the existing blueprint design of Microsoft, as follows:

About 68% of the VMs can be migrated to Azure seamlessly, without requiring running them as virtual machines anymore. Another 25% of the VMs need to be migrated to Azure using the lift and shift model. The service that you will need to migrate them to Azure is Azure Site Recovery. This service works as follows:

For all of the VMs that need to run in the on-premises data centers that will be left after the move to the cloud, you decide to use Azure Stack. As Azure Stack is the on-premises solution of Azure, the process to migrate the VM is nearly the same. As the company’s CEO has decided that a temporary placement of a virtual machine in a public Azure cloud for migration tasks is fine, you three-step migration:

  1. Migrate the VM from the on-premises VMware to Azure, using Azure Site Recovery
  2. Move the VM from Azure to Azure Stack, using Azure Storage Explorer
  3. Bring the VM online again, on Azure Stack

From a sizing perspective, you decide to use an eight-node Azure Stack environment from the company’s favorite hardware vendor. The sizing has been created using the Azure Stack Capacity Planner. As you can see in the following screenshot, it is an Excel sheet with input and output parameters:

Setting up new cloud services

For each new cloud service that will be deployed, the CIO has decided to go with Terraforms, in order to have a unique description language for all of the resources, regardless of the cloud flavor of a specific vendor. Terraforms provides an easy way to automate the deployment, and to be flexible when moving resources, even between the clouds.

Development environment

As the CDO is a former employee of Amazon Web Services, and as all of the existing development code is in AWS, there is no need for him to change this:

As Jenkins is supported in Azure, too, the development is flexible. The main task is to design the build pipeline using stage environments. If DevOps decides to implement virtual machines for their services, these may also reside on AWS, but due to the underlying single identity and networking design, this really does not matter at all. The only requirement from the CIO is that if the VM is a Windows server and not Linux, it must be placed on Azure, as in Azure, there is an option to save license costs by using Azure Hybrid Benefits.

As you can see in the preceding diagram, there are 41% savings using the Hybrid Benefits and reusing the Windows server licenses in the cloud. So, the plan is to demote a server on-premises and enable it in Azure. With this switch of each VM, you will be able to transfer the license itself.


In this tutorial, we learned how to use solutions from different cloud providers and frameworks and create a design to fit into the requirements that will be as transparent as possible to the end customer.

If you are looking at completely adapting to any Cloud and its services, Multi-Cloud for Architects will be your go-to guide to find perfect solutions irrespective the size of your infrastructure. 

Read Next

Microsoft Cloud services’ DNS outage results in deleting several Microsoft Azure database records
VMware Essential PKS: Use upstream Kubernetes to build a flexible, cost-effective cloud-native platform
MariaDB CEO says big proprietary cloud vendors “strip-mining open-source technologies and companies”