Basic Requirements - Microsoft Azure

This section discusses the MX-ONE requirements and recommendations for Azure.

MX-ONE Server requirements

For MX-ONE server requirements (vCPU, memory, etc.), please check the Virtualization - Description, Hyper-V and Azure section and the IOPS Disk and Network Bandwidth Requirements documents.

Azure VM sizes

Azure supports different sizes for Linux virtual machines.

MX-ONE was tested with the Azure General Purpose Dsv3-series (D4s_v3 and D8s_v3) for systems with low and medium traffic, and with the Compute optimized Fsv2-series (F4s_v2 and F8s_v2) for systems with high traffic requirements.

Monitoring

Azure offers graphical tools to monitor VM performance (figure below), so it is recommended that the partner/customer monitor the MX-ONE VMs to verify that the VM used is correct.

Figure 1. Data collected during the MX-ONE upgrade


Disks

Azure Premium SSD disks are recommended, as they are designed for production and performance-sensitive workloads. For additional information about Azure disk types, please check Premium SSD in the Azure documentation site.

Another important Azure article regarding disks is Azure premium storage: design for high performance.

Scale up or down VMs

Azure offers the possibility of scaling the VM vertically (up and down) via VM resize. This function can be used with MX-ONE; however, the MX-ONE VM will be restarted and the traffic will be disconnected. If scaling up or down is required, it is highly recommended that it be done, where possible, during low or no traffic hours.

Dedicated host

Azure offers Dedicated Hosts, a service that provides dedicated physical servers. Azure Dedicated Hosts is highly recommended for customers that require control of their environment and run 24 x 7 x 365.

Mitel recommends the Azure Dedicated Hosts service for MX-ONE systems, because the customer/partner can control the load on that specific physical server, avoiding resource starvation (vCPU and memory).

Connectivity between on-premises and Azure

The figure below shows the typical on-premises and Azure network connectivity. In this case, the Azure ExpressRoute service is used.

This option is recommended by Mitel, because it provides better network connectivity (latency, jitter, etc.) than other types of connections available in Azure.

Figure 2. Azure connectivity example


Latency

Voice over IP systems require low latency, so the maximum supported Round Trip Delay between MX-ONE components is 150 ms, for example between the MX-ONE Service Node and an on-premises SIP phone, between the MX-ONE Service Node and an on-premises Mitel Common Gateway (EX and GX), or between the MX-ONE Service Node and an on-premises Media Server. Therefore, it is recommended to deploy the MX-ONE image in the nearest Azure data center. Latency can be monitored with MPA (Mitel Performance Analytics), which should be considered in the absence of other network monitoring tools.

Availability - MX-ONE Redundancy

The MX-ONE redundancy options are not available in Azure. To provide availability for the MX-ONE system, the Azure built-in resources must be used. The resources provided by Azure include, for example, Availability and Azure Dedicated Hosts.

  • Availability - https://docs.microsoft.com/en-us/azure/virtual-machines/linux/availability
  • Azure Dedicated Hosts - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/dedicated-hosts#groups-hosts-and-vms

Select the Availability options and Availability zone required by the customer that will use the MiVoice MX-ONE system.

Under Advanced, select Host group and select the Azure Dedicated Hosts in the customer's Azure subscription, if available.

Gateway Calls - Forced Gateway

Media Servers using forced gateway calls require a dedicated VM in Azure. So, a stand-alone Media Server needs to be used.

Note: This setup requires that the media pass through Azure, which is not an optimal setup, as it will cause extra bandwidth costs for the customer (traffic leaving Azure is charged after a certain amount of data). This scenario is not recommended by Mitel.

Security Requirements

In a cloud environment, security is a shared responsibility between the customer and the cloud provider, so Mitel highly recommends that the MX-ONE system be deployed using the available security mechanisms provided by MX-ONE as well as the Azure security best practices.

Connections

TLS setup is configurable in MX-ONE and it has four levels (low, medium, high, and modern security level).

Mitel highly recommends that the whole system be deployed using the modern security level, which means TLS 1.3 (SIP signaling) and HTTPS with TLS 1.3 (VDP) for protecting data in transit.

It is also recommended that data at rest is encrypted when that is available.

Secure media (SRTP) is also highly recommended when this option is allowed.

It is highly recommended that Provisioning Manager and Service Node Manager are set up to use TLS 1.3 only.
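One way to verify the TLS 1.3-only recommendation from a client on the management network, as an added example (not Mitel code): the script offers one protocol version per connection and reports any deviation from "TLS 1.3 accepted, TLS 1.2 refused". The host, port and optional `cafile` (a private root CA bundle) are supplied by the operator and are assumptions of this sketch.

```python
import socket
import ssl

# "Modern" level on this page means TLS 1.3 only: 1.3 must be accepted and
# 1.2 refused. Older versions are not probed because many client builds can
# no longer offer them at all.
EXPECTED = {ssl.TLSVersion.TLSv1_3: "accepted",
            ssl.TLSVersion.TLSv1_2: "rejected"}

def probe(host, port, version, cafile=None, timeout=5.0):
    """Offer exactly one TLS version; return accepted/rejected/cert-error/unreachable."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"          # no TCP connection, nothing learned about TLS
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
        except ssl.SSLCertVerificationError:
            return "cert-error"       # version negotiated, but the chain is untrusted
        except (ssl.SSLError, OSError):
            return "rejected"         # alert, reset or garbage during the handshake

def assess(results):
    """Compare probe results with EXPECTED; an empty list means compliant."""
    findings = []
    for version, want in EXPECTED.items():
        got = results.get(version, "unreachable")
        if got != want:
            findings.append(f"{version.name}: expected {want}, got {got}")
    return findings

def check_endpoint(host, port, cafile=None):
    return assess({v: probe(host, port, v, cafile) for v in EXPECTED})

if __name__ == "__main__":
    import sys
    # Usage: tls_check.py HOST PORT [CAFILE]
    for finding in check_endpoint(sys.argv[1], int(sys.argv[2]), *sys.argv[3:4]):
        print("FINDING", finding)
```

A `cert-error` result means the endpoint speaks the offered version but its certificate did not validate against the trust store in use, which is a separate finding from the protocol level.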

Certificates

Mitel recommends the use of certificates issued by well-known certificate authorities (CAs). If the customer has its own CA (banks, authorities, etc.), it is possible to import the customer's root CA and issuer, but this is solely the customer's responsibility.

Firewall

The use of firewalls between the enterprise and Azure is highly recommended, as is a Session Border Controller (SBC) for SIP phones used by remote workers (Tele-worker solution).

Mitel MBG was tested as part of this solution; however, the MBG was located on the enterprise side and not in Azure.

Mitel does not recommend that MX-ONE services (SIP or management) are directly exposed to the Internet without the proper setup. All tests executed in Mitel's laboratories/Azure used only private IP addresses, and public IP addresses were deleted from the standard Azure setup.

The required ports for MX-ONE, SIP Phones and Mitel applications are described in the MX-ONE document System Planning, chapters "IP Protocols and Ports" and "Proprietary Protocols".
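To check that a deployment matches the private-IP-only setup described above, the following added example (not Mitel or Microsoft code) audits JSON shaped like the output of `az network nic list` and `az network nsg list`. It flags NICs that still reference a public IP and inbound Allow rules open to any source; the resource names, addresses and ports in the sample are constructed.

```python
import json

# Constructed sample shaped like `az network nic list` / `az network nsg list`
# output; names, addresses and ports are made up, not taken from MX-ONE docs.
NICS = json.loads("""[
 {"name": "mxone-sn1-nic", "ipConfigurations": [
   {"privateIPAddress": "10.20.0.4", "publicIPAddress": null}]},
 {"name": "mxone-ms1-nic", "ipConfigurations": [
   {"privateIPAddress": "10.20.0.5",
    "publicIPAddress": {"id": "/subscriptions/<sub-id>/.../ms1-pip"}}]}
]""")
NSGS = json.loads("""[{"name": "mxone-nsg", "securityRules": [
 {"name": "sip-tls-from-onprem", "access": "Allow", "direction": "Inbound",
  "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "5061"},
 {"name": "mgmt-https-any", "access": "Allow", "direction": "Inbound",
  "sourceAddressPrefix": "*", "destinationPortRange": "443"},
 {"name": "deny-rest", "access": "Deny", "direction": "Inbound",
  "sourceAddressPrefix": "Internet", "destinationPortRange": "*"}
]}]""")

OPEN_SOURCES = {"*", "Internet", "0.0.0.0/0", "::/0"}

def nics_with_public_ip(nics):
    """Names of NICs whose IP configurations still reference a public IP."""
    hits = []
    for nic in nics:
        for cfg in nic.get("ipConfigurations") or []:
            # Key casing differs between CLI versions, so accept both spellings.
            if cfg.get("publicIPAddress") or cfg.get("publicIpAddress"):
                hits.append(nic["name"])
                break
    return hits

def internet_inbound_rules(nsgs):
    """(nsg, rule, ports) for every inbound Allow rule open to any source."""
    hits = []
    for nsg in nsgs:
        for r in nsg.get("securityRules") or []:
            sources = set(r.get("sourceAddressPrefixes") or [])
            if r.get("sourceAddressPrefix"):
                sources.add(r["sourceAddressPrefix"])
            if (r.get("access") == "Allow" and r.get("direction") == "Inbound"
                    and sources & OPEN_SOURCES):
                ports = r.get("destinationPortRanges") or [r.get("destinationPortRange")]
                hits.append((nsg["name"], r["name"], ports))
    return hits

if __name__ == "__main__":
    print("NICs with public IP:", nics_with_public_ip(NICS))
    print("Inbound rules open to any source:", internet_inbound_rules(NSGS))
```

On a real subscription, replace the embedded samples with the saved JSON output of the two `az` commands.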

Phone Models

Mitel recommends the use of the 68XX and 69XX SIP phone families for systems that are connected in Azure, because they support TLS 1.3 for signaling encryption as well as 802.1X network authentication.

Mitel Applications

Please verify if the Mitel application that needs to be integrated with MX-ONE is Azure ready, before starting to deploy it.