Are you trying to decide whether AWS or Azure is the better choice for your organization? After years of working with both, I think I’ve only now realized what the most important architectural difference is between the two systems. This is the one distinction that should frame your thinking about the entire Azure or AWS cloud. Understanding this difference will also help you determine which cloud is better for your requirements.
Stated simply, the big difference between the two cloud systems is that Azure is fundamentally built on a cloud-scale directory and AWS is not. The fact that everything in Azure depends on Azure Active Directory (Azure AD) is an architectural difference that matters across every other service AWS and Azure offer.
For the purposes of argument, let’s put aside our preferences and prejudices. Sure, both clouds have their advantages (AWS is less costly; Azure excels at platform-as-a-service or PaaS) and disadvantages (Azure support and performance are questionable; AWS is focused on next-gen applications to the detriment of enterprise users). Don’t get me wrong. All those differences matter — your organization may choose one or the other (or both) for any number of reasons that make sense in your business. At the end of the day, many factors go into an organization’s preference for one cloud system over the other, including institutional and personal preference.
But the inescapable presence of Azure AD in Azure means that from merely logging in (Azure requires an Azure AD tenant) to creating resources interactively or by DevOps process, Azure AD is present in everything you do. By contrast, you can simply use an Amazon retail account to log into AWS. You are not necessarily required to interact with an ever-present directory. Some will argue that AWS IAM is the Azure AD of AWS. It’s not. And the contrast between the two has enormous implications.
This difference between the two clouds has its roots in how the two services came to market. Microsoft originally envisioned Azure as what I call “.Net in the sky” — in other words, as a massively scalable application platform. AWS started with storage and almost immediately discovered a vibrant market for operating system virtualization (infrastructure-as-a-service or IaaS). While these two polar-opposite designs have converged over the roughly ten years the two systems have been available, the original “design ethos” of Azure hasn’t changed. As the two services converge — Azure getting better at IaaS and AWS getting better at PaaS — the presence (or absence) of an integrated, cloud-scale directory becomes the most significant differentiator, depending on your organization’s needs and preferences.
If you accept that Microsoft’s original intent in Azure was to be a cloud-scale app platform, integrated directory services are a required feature to support those applications. That’s why the Azure AD directory is at the heart of Azure. (And, thanks to AD Connect, it’s the Trojan horse Microsoft uses to ease enterprises’ migration to the cloud.) As AWS grew from S3 to EC2 and beyond, this need wasn’t as important, at least in the beginning. And that’s why directory services in AWS are add-ons.
The technological impacts of these early design decisions are plain. Consider this description of AWS Directory Service. Note the three main FAQs:
1. What do I get?
2. How can I use it?
3. What are the key features?
These FAQs describe an option, not an AWS pre-req. AWS Directory Service is an IaaS service (Active Directory running on Windows Server domain controllers) in which AWS suffers the pain of managing the directory. It’s useful, cost-effective and scalable…but it’s not fundamental to using AWS.
By contrast, here’s what Microsoft says about Azure AD tenants:
In Azure Active Directory a tenant is representative of an organization. It is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft cloud service such as Azure, Microsoft Intune, or Office 365.
IOW, no Azure AD tenant — no cloud presence. It’s not optional in Azure and for some users (especially smaller Office 365 users), it may not even be apparent. I must have an Azure AD even if all I want to do is run a single Linux VM. In AWS, I don’t need anything like this if all I want is a quick EC2 instance.
This bedrock contrast between Azure and AWS became apparent to me recently as I worked on building the templates used to create an Azure multi-tenant application for a client. I had to master the DevOps intricacies of deploying a multi-tenant application to Azure AD, and it struck me that in all the work I’d done over the years in AWS, I’d never had to integrate apps with a cloud-scale identity service as a prerequisite to deploying the application. That realization led to the idea in this post: that an integrated, cloud-scale directory is the essential difference between the two clouds. Further, this fact so profoundly shapes the cloud service that any comparison between Azure and AWS is incomplete if it doesn’t consider it first.
So, instead of speeds and feeds in a comparison of Azure or AWS, ask yourself this question: “Do I want to start with an integrated directory in my cloud environment?” Your response to that question should be the starting point for your evaluation and comparison of AWS and Azure.
What do you think? I’d love to know. Feel free to leave a comment below or contact me.