TOGAF and ITIL

I recently earned the Open Group Certified TOGAF 9 Foundation and the ITIL Foundation certifications. Like others before me, I found points of integration between TOGAF and ITIL. However, I found it difficult to define the points of integration.

Here are a few resources that I recommend. Also, I recommend that readers keep in mind that authors often build upon the works of those who came before them.

| Link | Description | Published |
| --- | --- | --- |
| White Paper | This white paper describes the development of TOGAF (The Open Group Architecture Framework) and ITIL® as a background to discussions about the potential overlap in the processes they both describe. It does not describe the models themselves. | Sept, 2009 |
| Webinar | Traditionally, ITIL and TOGAF professionals have been part of different teams within an organization. Due to the ongoing alignment of business and IT, these professionals now often find themselves on the same team. Because of this crossover, there is a growing trend towards organization of work based on multiple best practice models. | Aug, 2013 |
| White Paper | This White Paper traces the development of The Open Group Architecture Framework (TOGAF®) and ITIL® as a background to discussions about the potential overlap in the processes they both describe. It does not give an account of the models themselves. | Aug, 2013 |
| SlideShare | This slide deck attempts to offer some concrete guidance on how Architectural activities and outputs can be integrated into the ITIL framework. The focus is on integrating into ITIL processes. | Sept, 2014 |

Most of the time, I see an image showing the relationship like the one below. You can see the image in the first White Paper that I listed above. It shows a dividing line between ITIL and TOGAF as they cross domains and roles. The image implies that there is no overlap, and the reason is perspective: ITIL was developed to support Service Management, whereas TOGAF was developed to support organizations in developing Enterprise Architecture. The focus of ITIL is therefore on services, whereas TOGAF is focused on architecture. A perspective is a “point of view”, and ITIL and TOGAF view business and information technology from different points of view. That difference is what makes overlap difficult to find.

I have also seen an image that shows more detail about the domains and implies overlap. This image describes the scope of ITIL and TOGAF. It implies some overlap. I understand that it is high-level, but I still want more details. The first White Paper and the Webinar include the image below.

The following image provides specific points of overlap or connections. The Webinar includes the image below.

The Webinar seems to focus on a progression from enterprise architecture to solution design. This is one way to look at the relationship – and I do not think it is wrong. However, it seems to imply that there is a separation.

This SlideShare presentation provides a similar analysis to the one above, but it goes much further. Below is the primary view of TOGAF and ITIL provided by the author. The SlideShare presentation provides specific details where there is overlap between TOGAF and ITIL. This is what I felt was missing in the previous analyses. I cannot do justice to explaining the detail provided in the presentation. It is quite extensive and well thought out. Honestly, I have to keep coming back and reviewing the content to understand it.

Summary

There are well-defined points of integration or overlap between TOGAF and ITIL. There was an evolution of thought over this relationship. The SlideShare presentation summarizes this evolution and provides an excellent and detailed explanation of the integration or overlap. Of course, the new problem is when do you use TOGAF or ITIL? Perhaps both at times? Or perhaps it does not matter?

The next topic that I am pondering is agile enterprise architecture.

Creating a Point to Site VPN Connection to an Azure Virtual Network

In an earlier blog post on Creating an Azure VM with an Empty Data Disk, I created an Azure virtual machine in an Azure virtual network. In this blog post, I will create a Point to Site (P2S) VPN Connection to an Azure Virtual Network (Vnet). I will follow these steps:

  1. Generate and export certificates for Point-to-Site using PowerShell
  2. Run a PowerShell script to create the Vnet, add the VPN, and upload the public key information
  3. Connect to the Vnet from my desktop using a VPN connection
  4. Update the PowerShell script in my previous blog to create the VM in the front end subnet

My goal is to install an IBM Domino server on the data drive of the VM and then replicate Notes databases to it. I want to use a VPN connection to secure the data transfer.

Below is an architecture diagram of what I want to create (with some pending pieces).

Generate and Export Certificates for Point-to-Site using PowerShell

I followed the instructions on this website to generate and export certificates for Point-to-Site VPN using PowerShell.

I used example 1 in the second step to generate a client certificate.

I exported the root certificate public key (.cer) to a folder named AzureVPN on my C: drive.

I updated the PowerShell script in the next section to reference the root certificate that I exported.

PowerShell Script

I used the PowerShell script posted in this Microsoft document Configure a Point-to-Site connection to a VNet using native Azure certificate authentication: PowerShell. I recommend that readers open this document as it contains details that I will not include. For example, the document contains the details on generating the certificates. I made some minor changes to the script. For example, I added comments and Write-Host statements. I moved a few more declarations to the top of the script.

I still need to configure a DNS server or just remove the -DnsServer 10.2.1.3 configuration from the script. I hope to come back to this at a later date.

Login-AzureRmAccount
Get-AzureRmSubscription | Sort-Object subscriptionName | Select-Object SubscriptionName
Select-AzureRmSubscription -SubscriptionName Pay-As-You-Go
# Configure a Point-to-Site connection to a VNet using native Azure certificate authentication: PowerShell
# https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps
# Declare the variables
$VNetName  = "VNetDomino1"
$FESubName = "FrontEnd"
$BESubName = "Backend"
$GWSubName = "GatewaySubnet"
$VNetPrefix1 = "192.168.0.0/16"
$VNetPrefix2 = "10.254.0.0/16"
$FESubPrefix = "192.168.1.0/24"
$BESubPrefix = "10.254.1.0/24"
$GWSubPrefix = "192.168.200.0/26"
$VPNClientAddressPool = "172.16.201.0/24"
$resourceGroup = "myDominoRG1"
$location = "Central US"
$GWName = "VNet1GW"
$GWIPName = "VNet1GWPIP"
$GWIPconfName = "gwipconf"

# Declare the variable for your certificate name, replacing the value with your own
$P2SRootCertName = "rootcertificate.cer"

# Replace the file path with your own
$filePathForCert = "C:\AzureVPN\rootcertificate.cer"

# Create a resource group
Write-Host "Create a resource group"  -ForegroundColor Green
New-AzureRmResourceGroup -Name $resourceGroup -Location $location

# Create the subnet configurations for the virtual network, naming them FrontEnd, BackEnd, and GatewaySubnet.
# https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm
# The IP addresses of the subnets you specify must be fully contained within the IP address range for the Virtual Network it resides in.
# Subnet address spaces must not overlap within the Virtual Network.
Write-Host "Create the subnet configurations for the virtual network"  -ForegroundColor Green
$fesub = New-AzureRmVirtualNetworkSubnetConfig -Name $FESubName -AddressPrefix $FESubPrefix
# Only the front end server is accessible via the Internet
# This is where I will put my staging Domino VM
# Permit RDP access to selected front end VMs (ideally have RDP access to one VM only that is shut down until needed)
$besub = New-AzureRmVirtualNetworkSubnetConfig -Name $BESubName -AddressPrefix $BESubPrefix
# Note: I am not using the back end subnet yet
# Only the front end server can talk to the back end servers, and only on agreed upon ports.
# The back end servers cannot receive or send traffic from/to the public internet.
# The back end servers cannot talk to each other.
# Permit RDP access to the back end VMs from within the Vnet only.
$gwsub = New-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName -AddressPrefix $GWSubPrefix

# Create the virtual network with three subnets
# DNS server setting is optional (and I need to configure the DNS server).
Write-Host "Create the virtual network"  -ForegroundColor Green
New-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $resourceGroup -Location $location -AddressPrefix $VNetPrefix1,$VNetPrefix2 -Subnet $fesub, $besub, $gwsub -DnsServer 10.2.1.3

# Specify the variables for the virtual network you created
Write-Host "Specify the variables for the virtual network you created"  -ForegroundColor Green
$vnet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $resourceGroup

# The Subnet name GatewaySubnet is mandatory for the VPN gateway to work.
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName -VirtualNetwork $vnet

# Request a dynamically assigned public IP address
Write-Host "Request a dynamically assigned public IP address"  -ForegroundColor Green
$pip = New-AzureRmPublicIpAddress -Name $GWIPName -ResourceGroupName $resourceGroup -Location $location -AllocationMethod Dynamic
$ipconf = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GWIPconfName -Subnet $subnet -PublicIpAddress $pip

# Configure and create the virtual network gateway for your VNet
# Use an Azure VPN gateway to provide a secure tunnel using IPsec/IKE
Write-Host "Configure and create the virtual network gateway for your VNet"  -ForegroundColor Green
New-AzureRmVirtualNetworkGateway -Name $GWName -ResourceGroupName $resourceGroup `
-Location $location -IpConfigurations $ipconf -GatewayType Vpn `
-VpnType RouteBased -EnableBgp $false -GatewaySku VpnGw1 -VpnClientProtocol "IKEv2"

# Add the VPN client address pool
Write-Host "Add the VPN client address pool"  -ForegroundColor Green
$Gateway = Get-AzureRmVirtualNetworkGateway -ResourceGroupName $resourceGroup -Name $GWName
Set-AzureRmVirtualNetworkGateway -VirtualNetworkGateway $Gateway -VpnClientAddressPool $VPNClientAddressPool

# Read the exported root certificate and Base64-encode its DER bytes (the format Azure expects for PublicCertData)
Write-Host "Run the cmdlets"  -ForegroundColor Green
$cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)
$CertBase64 = [system.convert]::ToBase64String($cert.RawData)
$p2srootcert = New-AzureRmVpnClientRootCertificate -Name $P2SRootCertName -PublicCertData $CertBase64

# Upload the public key information to Azure
Write-Host "Upload the public key information to Azure"  -ForegroundColor Green
Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName -VirtualNetworkGatewayname $GWName -ResourceGroupName $resourceGroup -PublicCertData $CertBase64

# NOTE: To resolve names in a peered virtual network, deploy your own DNS server, or use Azure DNS private domains. 
Write-Host "Finished!"  -ForegroundColor Green  
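The comments in the script state the subnet rules (each subnet fully contained in a VNet prefix, no overlap between subnets, a subnet named GatewaySubnet), and Azure also requires the VPN client address pool not to overlap the VNet. The following Python check is an added example, not part of the original post or of Microsoft's document; it validates that address plan before the script is run. The constants are the script's own values, and `check_plan` and `_parse` are hypothetical helper names.

```python
"""Added check for the address plan used by the Point-to-Site script above.

Rules checked (rules 2 to 4 are stated in the script's comments; rule 1 and
rule 5 are Azure requirements for a P2S gateway):
  1. every prefix must be a valid network (host bits zero), or Azure rejects it
  2. each subnet must be fully contained in one of the VNet address prefixes
  3. subnets must not overlap each other
  4. a subnet named GatewaySubnet must exist
  5. the VPN client address pool must not overlap any VNet prefix
"""
import ipaddress
from typing import Dict, List, Optional

# Values copied from the script above.
VNET_PREFIXES = ["192.168.0.0/16", "10.254.0.0/16"]
SUBNETS = {
    "FrontEnd": "192.168.1.0/24",
    "Backend": "10.254.1.0/24",
    "GatewaySubnet": "192.168.200.0/26",
}
VPN_CLIENT_POOL = "172.16.201.0/24"


def _parse(label: str, prefix: str,
           problems: List[str]) -> Optional[ipaddress.IPv4Network]:
    """Parse a CIDR prefix strictly; record a problem and return None if invalid."""
    try:
        return ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        problems.append(f"{label} {prefix!r} is not a valid network prefix: {exc}")
        return None


def check_plan(vnet_prefixes: List[str], subnets: Dict[str, str],
               client_pool: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means the plan is valid."""
    problems: List[str] = []
    vnets = [n for n in (_parse("VNet prefix", p, problems) for p in vnet_prefixes) if n]
    nets = {}
    for name, prefix in subnets.items():
        net = _parse(f"subnet {name}", prefix, problems)
        if net:
            nets[name] = net
    pool = _parse("VPN client pool", client_pool, problems)

    # Rule 2: each subnet sits inside one of the VNet address prefixes.
    for name, net in nets.items():
        if not any(net.subnet_of(v) for v in vnets):
            problems.append(f"subnet {name} {net} is not inside any VNet prefix")

    # Rule 3: no two subnets share address space.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnet {a} {nets[a]} overlaps subnet {b} {nets[b]}")

    # Rule 4: the gateway subnet must carry the mandatory name.
    if "GatewaySubnet" not in subnets:
        problems.append("no subnet named GatewaySubnet; the VPN gateway requires that name")

    # Rule 5: the client pool must be disjoint from the VNet so routes do not collide.
    if pool is not None:
        for v in vnets:
            if pool.overlaps(v):
                problems.append(f"VPN client pool {pool} overlaps VNet prefix {v}")

    return problems


if __name__ == "__main__":
    issues = check_plan(VNET_PREFIXES, SUBNETS, VPN_CLIENT_POOL)
    print("address plan OK" if not issues else "\n".join(issues))
```

Run it after editing the `$...Prefix` variables and before `New-AzureRmVirtualNetwork`; an empty result means the plan satisfies all five rules.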


Connect to the Vnet from My Desktop

I get the public IP address of my Vnet: 104.43.209.61

I open the Point-to-site configuration for the VNet1GW virtual network gateway in Azure.

I click on Download VPN Client.

I click on Open.

Windows Explorer opens with three folders displayed. I open the WindowsAmd64 folder.

Note: You may have to copy the downloaded VPN zipped folder to another folder on your drive so that you can Run as Administrator.

I right-click on the VpnClientSetupAmd64 software and select Run as administrator.

I click Yes on the VNetDomino1 screen.

The VNetDomino1 VPN connection appears in the Network Settings \ VPN list.

 

I install the VpnServerRoot certificate stored in the Generic folder.

The Certificate Import Wizard screen appears. I leave the default settings as is and click Next. I repeat on the following screens.

I click OK on the final screen.

I return to Settings and select the VNetDomino1 connection.

I click on the connection and select Advanced Options. I click Edit and update the settings.

I save the settings.

I click on Connect.

I click on Connect on the next screen that appears.

The Connection Manager needs elevated privileges. I click on Continue.

The VPN connects!

I open the VPN configuration to see the settings.

I did have some trouble getting this VPN connection to work. But the steps above seem to be the final solution.

Update the PowerShell Script in My Previous Blog

I need to remove the creation of the public IP address, resource group, virtual network, and subnet from that script, and place the VM in the front end subnet.


Connecting to the Virtual Machine via RDP

Below is the network interface configuration for the virtual machine.

I open the virtual machine record in Azure.

I click on .

The RDP connection record opens.

I keep the settings as is and click on .

I click Open.

I click on Connect.

Connecting to …

The connection is made and I enter credentials. These are the same credentials I entered when the PowerShell script ran to create the VM.

I click Yes to continue.

The RDP connection is made and the Windows Server desktop is displayed.

I can see both drives (C and D) in File Explorer.

Setting the D: Drive for Permanent Storage

I initialize the D: drive.

I then follow the step-by-step instructions here to use the D: drive as a data drive on a Windows VM.

The VM now has three drives. The Temporary Storage drive is used for paging files. The Data Volume drive will be used for running the Domino server (i.e. permanent storage).

I wish that this drive configuration was easier to perform. In the future, I will use an ARM template after getting this configuration right.

Next Steps

I need to install the Domino server software, add the server to my domain, and replicate Notes databases to it. I won’t post a blog on how to do that. I suspect that it only interests a handful of people. 😉

Resources

My previous blog post on Creating an Azure VM with an Empty Data Disk.

Click here to read more about planning virtual networks.

Click here to watch a YouTube video presenting a step by step tutorial on creating an Azure VPN point to site setup. This video was published in December, 2016; but it was very helpful to me. However, I followed a slightly different process and included links to the websites that had the steps that I followed.

Click here to read the source document titled “Connect an on-premises network to Azure using a VPN gateway” that contains the Microsoft Visio network diagram.

Click here for steps on how to generate and export certificates for Point-to-Site VPN using the Azure portal.

Click here for steps on how to add a second root certificate to give VPN access to a second computer. First generate a new root certificate. Then follow steps 9 to 11.

Using WorkBoard to Manage Objectives and Key Results for Enterprise Architecture

In an earlier blog, I described how a user can use WorkBoard in Microsoft Teams. In this blog, I am writing about how WorkBoard can be used to define the objectives of enterprise architecture and the associated metrics. TOGAF 9.1 states that enterprise architectures must meet the “strategic, interim, and tactical business objectives and aspirations”. Normally, key elements of the Architecture Vision — such as the enterprise mission, vision, strategy, and goals — are documented as part of a wider business strategy or enterprise planning activity.

There are some tools specifically developed for managing the goals and metrics of enterprise architecture. I’m not performing a comparison with those tools in this blog posting.

What are the Objectives of Enterprise Architecture?

One of the challenges of defining the objectives of enterprise architecture is that they seem to end up being the objectives of IT operations. That is not exactly how it is supposed to be.

TOGAF 9.1 identifies the business strategy, business goals, and business drivers of the organization in Phase A: Architecture Vision. These are assumed to be defined outside of the enterprise architecture activity. I found an article titled Enterprise IT Architecture: Goals, Trends and Perspectives published online on http://www.SandHill.com. The authors provided prospective strategic IT goals (or objectives):

  • Implementing a new business process management methodology
  • Automating and optimizing primary business processes
  • Supporting new products
  • Adapting IT systems to meet new market requirements
  • Estimating required investments in technology modernization
  • Calculating potential financial and efficiency returns from the strategic IT plan

I have a few other enterprise architecture objectives that I want to see included:

  • Improve social collaboration between employees and with outside partners and customers
  • Improve usability of mobile devices with business and web applications for employees and customers

Note: This is not a comprehensive list of goals or objectives by any means. However, I found the article interesting since it also described using the Zachman framework for analysis of an enterprise IT strategy.

Each of these goals (or objectives) could fit into one or more work streams. At least, I am calling them work streams here because that is how they fit into what WorkBoard provides.

  • Operational productivity: improve efficiency to create a quick return on investment
  • Optimization of business processes: include an analysis of the entire process, not just its separate parts
  • Mass customization: customer involvement results in greater levels of client and market satisfaction

What are the Metrics (or Key Results) for the Objectives?

The metrics should be sufficiently clear so that the vision phase (in TOGAF 9.1) may scope the business outcomes and resource requirements, and define the outline enterprise business information requirements and associated strategies of the enterprise architecture work to be done. For example, these may include:

  • Business requirements
  • Cultural aspirations
  • Organization intents
  • Strategic intent
  • Forecast financial requirements

I used metrics from the following online articles:

12 critical metrics for IT success from cio.com

7 Key Enterprise Architecture Metrics from scribd.com

Obtaining Enterprise Architecture Metrics – Part 1 from microsoft.com (Sadly, this blog post written by Mike Walker is no longer available.)

WorkBoard and OKRs

WorkBoard uses Key Results in place of metrics. The image on the right comes from the Elevate Business Performance with OKRs document published by Workboard Inc.

You can see the flow from Objective to Insight.

However, you don’t see that OKRs (Objectives – Key Results) can be related by using work streams.

My Sample Objective – Key Results (OKRs)

I created a list of OKRs in the table below. These are examples and you should configure OKRs that match your organization’s strategic objectives.

| Objective | Key Results | Rating (examples) | Work Stream |
| --- | --- | --- | --- |
| Continuous improvement of online services | Online application performance. The average time it takes to render a screen or page. | Less than 1 second | Operational Productivity |
| Continuous improvement of online services | Online application availability. The percentage of time the application is functioning properly. | 100% | Operational Productivity |
| Continuous improvement of online services | Production incidents. The number of production problems by severity. | Zero | Operational Productivity |
| Reducing costs by leveraging common solutions and rationalizing processes, technology, and data | Architectural Integrity. The percent of applications on preferred technologies, another indication of how difficult applications are to maintain. | 100% | Operational Productivity |
| Improve enterprise architecture delivery | Project satisfaction. The average score from post project surveys completed by business partners. | 100% | Optimization of business processes |
| Improve enterprise architecture delivery | Project delivery. The percentage of projects delivered on time. | 100% | Optimization of business processes |
| Improve enterprise architecture delivery | Project cost. The percentage of projects delivered within the cost estimate. | 100% | Optimization of business processes |

I also would like to compare the OKRs that I have with other enterprise architects. I suppose that some of the common tools will come with a more complete sample list.

Entering OKRs into WorkBoard

I entered the OKRs into WorkBoard. The three main objectives are displayed below.

I click on the first objective and it expands to display the key results.

I can also open the objective to see the Key Results, Work streams, and Comments.

I click on and I can see all of the work streams. The new workstreams that I created are displayed.

I click on Operational Productivity and the display changes.

I click on the 2 Objectives tab and the two objectives for the Operational Productivity work stream are displayed.

Microsoft Teams

I want to see what information that I can add from WorkBoard to the Enterprise Architecture tab in the Contoso IT channel.

I add Workboard to the Contoso IT team.

I select the Enterprise Architecture channel and click on Set up for the Tab.

I click on the Boards.

I select Operational Productivity. This is the same work stream that I displayed earlier in Workboard. I click Save to continue.

The Operational Productivity board view is displayed – just like I can see it in Workboard.

I can add tabs to display the other work streams, too.

Next I add the Business Review to a new tab in Microsoft Teams. Now I can see exactly what I saw in Workboard. I may not even have to go to the Workboard site.

Next Steps

I need a more robust and complete list of OKRs for enterprise architecture. At least, a better list to start with. Still, I feel like Workboard can be used to manage this information for enterprise architects.

Conclusion

I have added sample OKRs for enterprise architecture. Then I added tabs in Microsoft Teams for a work stream and a business review. I can continue my enterprise architecture work on Workboard from within Microsoft Teams.

It looks like Workboard can be used for managing enterprise architecture OKRs.