Public Cloud

UFIT PROVIDES

UFIT works directly with customers to design and implement secure and highly available public cloud services. Each project is unique and the ownership of resources is discussed and determined during the design phase. All public cloud resources are created and managed by UFIT. 

CUSTOMER PROVIDES

To ensure data integrity and security, customers will be given the least amount of access required to manage their services.

PUBLIC CLOUD SERVICE MENU

Billing

Customers sign up for UF Hosting service and receive a UFIT customer number that is used to bill all hosting resources, including public cloud. Bills are sent out monthly by the UFIT Business Center for the amounts due to the public cloud vendors. Customers are given access to review their cloud costs. Due to the variability of public cloud service costs, the UFIT Business Center initially secures a one-time customer deposit of 120% of the expected baseline monthly bill. The deposit will be credited back to the customer when service is terminated.

AWS

Accounts

UF has one master payer account that contains all the UF accounts. A new account is created within the UF master payer account for each customer number. All resources and services are created within the customer account.

Billing

Billing for each account is rolled up to the master payer account. The UFIT Business Center pays the master payer account bill then retroactively bills each account for their usage each month. Shared costs such as Direct Connect, VPC, Transit Gateway, NAT Gateway, Internet Gateway, Central Audit Logging, Ingress and Egress traffic, etc. are covered by UFIT. Details related to these services are discussed during the design process.

Architecture

Access

Access to AWS is granted to users through AWS SSO, which uses UF Shibboleth with Gatorlink credentials. Additional access may be granted via the creation of local users in AWS IAM for service accounts that need access to AWS services.

Default access is given to Cost Explorer in the console to allow customers to view detailed information about their AWS costs. Additional access to the AWS console is given as required depending upon the service architecture.

Cost Management

UFIT creates a UFAD distribution list that is used in an AWS budget. The AWS budget is configured to generate alerts at 25%, 50%, 75%, 100%, and 140% of the pre-determined monthly budget amount.

Users can use the AWS Cost Explorer to get detailed information about the costs associated with their AWS services.
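As an added example (not UFIT's own code), the budget described above expressed in Terraform: one AWS Budgets notification per threshold (25%, 50%, 75%, 100%, 140%) sent to the distribution list. The monthly amount and the list address are placeholders, and the budget alerts on actual (already incurred) spend rather than forecast.

```hcl
# Added example, not UFIT's configuration. Placeholders: the monthly amount
# and the UFAD distribution list address are assumed values.

variable "monthly_budget_usd" {
  description = "Agreed monthly baseline for this account, in USD (placeholder)"
  type        = number
  default     = 1000
}

variable "budget_alert_list" {
  description = "UFAD distribution list that receives budget alerts (placeholder)"
  type        = string
  default     = "cloud-budget-alerts-PLACEHOLDER@example.edu"
}

resource "aws_budgets_budget" "monthly_cost" {
  name         = "monthly-cost-budget"
  budget_type  = "COST"
  limit_amount = tostring(var.monthly_budget_usd)
  limit_unit   = "USD"
  time_unit    = "MONTHLY"

  # One notification block per threshold. ACTUAL means the alert fires on spend
  # already incurred, so the 140% alert only fires after a real overrun rather
  # than on a forecast.
  dynamic "notification" {
    for_each = toset([25, 50, 75, 100, 140])
    content {
      comparison_operator        = "GREATER_THAN"
      threshold                  = notification.value
      threshold_type             = "PERCENTAGE"
      notification_type          = "ACTUAL"
      subscriber_email_addresses = [var.budget_alert_list]
    }
  }
}
```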

Networking

Direct Connect

UFIT has configured a pair of highly available, hosted, 1GB Direct Connects to provide a dedicated network to the campus data centers. This allows access to UF private IP space and, if required, the internet through UF data centers.

VPC

UFIT has configured three VPCs for use through a single Transit Gateway. If your services require the use of a VPC, the appropriate one is allocated. Dedicated non-overlapping subnets are created in the UFIT VPC and shared with the appropriate accounts for use.

    1. Data Center Extension

This VPC utilizes the UF Direct Connect to provide access to private UF IP space. Resources in this VPC cannot access the internet directly from AWS.

    2. Hybrid

This VPC has access to both the UF Direct Connect and an Internet Gateway. Resources in this VPC can access resources on private UF IP space and can access the internet directly.

    3. Internet

This VPC only has access to the Internet Gateway. It cannot access resources on private UF IP space.

Azure

Accounts

UF has an Enterprise Agreement with Microsoft that is used for billing purposes. All Azure subscriptions are created under that agreement.

Billing

Billing is rolled up under the Enterprise Agreement. The UFIT Business Center pays the bills that come through that agreement and then retroactively bills the accounts for their usage each month. UFIT is responsible for taking the bills and breaking them down per customer so that the UFIT Business Center can bill back each customer appropriately.

Architecture

Access

Access to Azure services is managed via groups in UF Active Directory (UFAD) synced to Office365 Azure AD (AAD). Additional IAM objects are created based on the design of the services being deployed.

Default access is given to the "Cost Management and Billing" interface in the Azure portal.

Cost Management

A budget will be created for each account/subscription based on what services will be deployed. Alerts from that budget will be emailed to the customer and to UFIT staff.

The default thresholds for budget alerts are 90% and 100%. These can be adjusted as needed per account.

Networking

vNET

UFIT intends to deploy multiple network postures to Azure. Those postures would be:

    1. Data Center Extension

This would be a vNet with subnets that would behave in the same way as subnets and VLANs within the on-campus data centers. This would allow resources deployed in this vNet to access resources on campus using private IP addresses. Resources deployed in this vNet cannot access the internet directly via Azure but will instead go back through campus.

    2. Internet Only

Subnets in this vNET would only have access to the public internet. Access to UF private IP space would not be allowed.

Currently, the only network posture available within Azure is the Internet Only posture.

GCP

Accounts

UFIT has established an Organizational account with Google within GCP. This is considered the top-level account where all billing happens for all Google services.

GCP Projects are created for each customer under this GCP Organization. In some cases, multiple projects are created because of limitations within GCP on the number and type of resources that can be deployed per project.

Billing

Billing is rolled up to the Organizational account within GCP. The UFIT Business Center pays those bills and then retroactively bills the UF departments for those services in the same way that it is done with AWS and Azure.

Architecture

Access

Access is managed via groups in UFAD that are synced to Google Workspace.

Cost Management

A budget will be created for each project based on what services will be deployed. Alerts from that budget will be emailed to the customer and to UFIT staff.

The default thresholds for budget alerts are 90%, 100%, and 140%. These can be adjusted as needed per account.

Networking

VPC networks

UFIT intends to deploy multiple network postures to GCP as they are needed. Those postures would be:

    1. Data Center Extension

This would be a VPC with subnets that would behave in the same way as subnets and VLANs within the on-campus data centers. This would allow resources deployed in this VPC to access resources on campus using private IP addresses. Resources deployed in this VPC cannot access the internet directly via GCP but will instead go back through campus.

    2. Internet Only

Subnets in this VPC would only have access to the public internet. Access to UF private IP space would not be allowed.

Currently, the only network posture available within GCP is the Internet Only posture.