
moving IT to the cloud with service not servers

Saturday, 15 April 2017

Recreating the local admin role in G Suite

Delegating management privileges to a section of the G Suite organisational tree is a common requirement for deployments that scale across districts or educational trusts.

When a single branch of the organisational tree contains an entire school with thousands of user accounts, the ability to create a local admin who can manage that branch without having access to other parts of the tree becomes a useful facility. Unfortunately the local admin role isn’t one of the built-in options provided by G Suite - you have to make your own.

The ability to assign users to roles is managed through the Admin roles icon on the console. The same dialog allows ‘super’ users to select individual permissions from a set of fixed options to create custom roles.

The trick to creating the new local admin role is to avoid any permission that only operates at the root level. Some objects, such as groups, can only be managed at the organisational level. Therefore selecting the groups permission immediately restricts you to managing at the top level, which is not what we want. When you assign users to roles with root permissions the option to select an OU will be fixed to All Orgs.

So what permissions can be applied at the branch level? The interface gives no obvious indication but it turns out there are quite a few, as well as a couple of things that can trip you up.

The current list of permissions that can be applied at the sub-organisational level is shown here.

Selecting all the permissions listed in the dialog creates a role that can manage the user and chromebook objects under a specific node in the organisational tree.

The local admin can also update the organisational tree, deploy applications to chromebooks and even manage network policies. The role does not have the ability to update any policy relating to the core application set (Drive, GMail, Classroom etc.) or any policy affecting the organisation as a whole, such as domains and security.

A couple of points worth noting:

The permission to manage User Chrome policies works in two different modes depending on whether the organisation has purchased Chromebook licences or not.

If the organisation does not have Chromebook licences you need to select the option below.

Once Chromebook licences have been added a new option appears under Services and you should transfer the rights to this node (see below).

If the organisation has purchased licences and uses the first option without ticking in the new permissions the User Chrome Management dialog will hang when the local admin user tries to access it.

The second point is less obvious.

If you check in the ChromeOS permission within Services it will fix permissions at the root level, which is something we are trying to avoid.

However if you only check in the individual sub-options under ChromeOS and leave ChromeOS unchecked you’ll find that the OU drop down is still available (above). This is a subtle difference but it allows you to delegate the rights to manage Chromebooks to a single node in the organisational tree.

Interestingly you can also reuse the policy for all your local admins. When you hit the Assign Admins button the dialog gives you Assign More as an option (below). You can add multiple user accounts within this dialog – each batch of users can point to a different node in the organisational tree.

It’s also possible to enter the same user account multiple times so long as the user is assigned to a different node in the organisational tree each time. Using this method the user will find they are able to access more than one sub-organisation in the tree, which is useful if a single account is responsible for managing multiple schools.

Currently the only way to update the allocated sub-OU is to delete and recreate the assignment. 
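The assignment behaviour described above (one role reused for every local admin, the same account assigned to several nodes, and delete-and-recreate as the only way to move an assignment) can be audited and planned offline. The following is an added example, not part of the original post: the record fields follow the Admin SDK Directory API roleAssignments resource, and every ID, including `LOCAL_ADMIN_ROLE_ID`, is constructed sample data.

```python
"""Audit and reconcile OU-scoped 'local admin' role assignments (added example).

Record fields (roleAssignmentId, roleId, assignedTo, scopeType, orgUnitId)
follow the Admin SDK Directory API roleAssignments resource.
Every ID below is constructed sample data, not taken from a real domain.
"""
from collections import defaultdict

LOCAL_ADMIN_ROLE_ID = "role-local-admin"  # constructed placeholder

# Constructed sample of a role-assignment listing.
CURRENT = [
    {"roleAssignmentId": "ra-1", "roleId": LOCAL_ADMIN_ROLE_ID,
     "assignedTo": "user-alice", "scopeType": "ORG_UNIT",
     "orgUnitId": "ou-school-a"},
    {"roleAssignmentId": "ra-2", "roleId": LOCAL_ADMIN_ROLE_ID,
     "assignedTo": "user-bob", "scopeType": "ORG_UNIT",
     "orgUnitId": "ou-school-b"},
    # Local admin role assigned without an OU: it applies to All Orgs.
    {"roleAssignmentId": "ra-3", "roleId": LOCAL_ADMIN_ROLE_ID,
     "assignedTo": "user-carol", "scopeType": "CUSTOMER"},
    # A different role; the audit must leave it alone.
    {"roleAssignmentId": "ra-4", "roleId": "role-super-admin",
     "assignedTo": "user-dave", "scopeType": "CUSTOMER"},
]

# Desired state: one account may manage several nodes (several schools).
DESIRED = {
    "user-alice": {"ou-school-a", "ou-school-b"},
    "user-bob": {"ou-school-c"},      # bob moves from school B to school C
    "user-carol": {"ou-school-d"},    # carol must be confined to one node
}


def scope_key(assignment):
    """Return (user, ou); ou is None when the assignment is not OU-scoped."""
    ou = None
    if assignment.get("scopeType") == "ORG_UNIT":
        ou = assignment.get("orgUnitId")
    return assignment["assignedTo"], ou


def find_unscoped(assignments, role_id):
    """Assignments of the role that cover the whole organisation."""
    return [a for a in assignments
            if a["roleId"] == role_id and scope_key(a)[1] is None]


def plan_changes(assignments, desired, role_id):
    """Return the delete and insert actions that reach the desired state.

    There is no 'update' action: moving an admin to another node is a
    delete of the old assignment followed by an insert of the new one.
    """
    existing = defaultdict(list)
    for a in assignments:
        if a["roleId"] == role_id:
            existing[scope_key(a)].append(a["roleAssignmentId"])

    wanted = {(user, ou) for user, ous in desired.items() for ou in ous}

    deletes = []
    for key, ids in sorted(existing.items(),
                           key=lambda kv: (kv[0][0], kv[0][1] or "")):
        keep = 1 if key in wanted else 0   # keep one copy of a wanted pair
        deletes.extend(("delete", ra_id) for ra_id in ids[keep:])

    inserts = [
        ("insert", {"roleId": role_id, "assignedTo": user,
                    "scopeType": "ORG_UNIT", "orgUnitId": ou})
        for user, ou in sorted(wanted - set(existing))
    ]
    return deletes + inserts


if __name__ == "__main__":
    for a in find_unscoped(CURRENT, LOCAL_ADMIN_ROLE_ID):
        print("covers All Orgs:", a["roleAssignmentId"], a["assignedTo"])
    for action in plan_changes(CURRENT, DESIRED, LOCAL_ADMIN_ROLE_ID):
        print(action)
```

Deletes are listed before inserts so that an account being moved never holds the old and the new node at the same time.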

If the new local administrator navigates to admin.google.com they’ll  be presented with a dashboard containing just the Device management and Users icons. The whole organisational tree is visible but the custom role works like a filter. Users can only view and manage user accounts and chromebooks that fall under the allocated sub-OU for the role.

The method described would be appropriate for a district or multi school trust but could equally apply to a single school where the super administrator wishes to delegate admin rights for an intake year or class group. 

The rights as shown are fairly liberal but can be reduced without affecting the ability to be assigned to a specific sub-OU.

My thanks go to Aled Owain Jones, Technical Support Officer for Conwy County Borough Council, Wales for working through these examples with me.

Sunday, 19 March 2017

Should education learn to love hybrid IT?

Hosting local servers and running a serverless school might sound like a contradiction but it isn't because every site needs local compute to provide edge security, wireless access and move data packets around the network.

It’s not the tin-box itself that’s the problem but the way it’s managed and maintained.

Take for instance your firewall, content filter or core switch. You turn it on and it just works. It has a web-interface that’s easy to access and update. It’s possible that the device is taking software updates directly from the internet and sending status updates back to base to be proactively managed.  An annual subscription fee ensures that if it goes wrong the supplier will replace it with the same or improved model.

At this point it’s no longer a server but an appliance. It’s simple to manage and not your problem if it goes wrong.

What if your remaining on-premise server estate could work in the same way and could be managed and financed the same way as your cloud resources? What would a Hybrid IT appliance actually look like?

First, like all SaaS subscription services there are little or no up-front costs. The school doesn’t own the hardware, which would remain the property of the supplier, and the school just pays for the service. Basic functions such as Active Directory and file and print are built in, along with network services such as DNS and DHCP. It also has extended facilities such as edge security and content filtering, all managed through a simple-to-use web console without any visibility of an underlying operating system.

The school has the ability to configure each service but the management of the device remains solely the responsibility of the supplier. They have control of resource allocation, security, OS patching, backup and recovery. Backup images and configurations are streamed to the cloud as a background process without any user interaction. Loss of the device due to a local disaster simply triggers a replacement device and a recovery from cloud storage under an SLA agreement.

This new type of hybrid device is designed to work alongside SaaS and to complement its function. The school is likely to be running Microsoft Office365 or Google G Suite for Education so most of the heavy lifting of email and shared storage is already in the cloud.  The appliance will take advantage of this and be pre-configured to link the onsite and cloud directories and use cloud storage as a backup repository.

The school never has to invest in underutilised capacity because the cloud service absorbs any immediate growth and since the school doesn’t own the device there is no replacement cycle to plan for. Over time the role of the device may change, requiring smaller or larger capacities. In this case it’s a simple case of arranging a swap out and an update to the subscription terms.

The appliance has enough spare capacity to host a dedicated virtual server if you need to run a print management system, SIS or VLE, making it adaptable to specific requirements.

In this case the responsibility for patching and maintaining the image returns to the local IT support team who really should be planning for SaaS alternatives rather than messing about with local operating systems!

Is any of this realistic?

The Linux Schools Project has a well established offering that covers some of these areas. The server distribution is known as Karoshi and can be installed on most hardware platforms but it’s still locally managed.

Recently a fully featured commercial offering has emerged from Zynstra that embraces the subscription model. At a technical level the offering works pretty much as described above.

While the device itself delivers a comparable service to a local server farm, the school does not own the hardware and has no visibility of the underlying operating system - delivering an on-premise service without the hassle of maintaining on-premise hardware.

In this way schools can remove the roadblocks that often stand in the way of full cloud migrations by keeping some workloads local while funding and managing the service in the same way as SaaS, with many of the same advantages.

A marriage made in the clouds in fact.

Friday, 17 February 2017

Microsoft as a Service

Note: Microsoft is planning to make an announcement that's likely to affect this strategy on May 2nd 2017.

Is it possible to run a school with Microsoft technologies without managing any servers at all ?

We're not just talking about on-premise servers but ANY servers, including those concealed in offsite datacenters or running on an IaaS platform like Microsoft Azure.  A true Microsoft ‘serverless school’ has no domain controllers, no Hyper-V farms, no Remote Desktop, no SCCM, no ADFS, no servers for imaging, patching, antivirus or backup. In fact no servers at all. 

Can it be done ?

Last year the answer was ‘maybe’ but it’s clear that the message now coming out of Redmond is ‘definitely’ and reading between the lines it might be the template for the future.

In terms of the functions mentioned above everything can now be replaced by a “Software as a Service” solution provided by Microsoft and of course with SaaS there are no servers to manage.

Active Directory (AD) is the easiest one to replace because Microsoft has been running a cloud service for years now. It’s called Azure Active Directory (AAD) and every tenant of Office365 already runs an instance of this service. Extending AAD using Azure Active Directory Domain Services lets you join Azure virtual machines to a domain without the need to deploy any domain controllers at all.

At the moment this strategy has a licencing cost that few schools could absorb but that's easily solved because all new Windows 10 devices have the ability to link to AAD directly rather than to traditional AD using a process called Azure AD join. Once enrolled the management of these devices is through InTune rather than group policy or SCCM, as Microsoft moved to adopt an MDM approach in order to capture a wider range of platform types.

Patching and the security of the Windows 10 devices will be managed directly by Microsoft through the new feature update service while the servers… of course there are no servers. Microsoft Office client apps will use a new facility ominously called “modern authentication” which uses the SAML federation service in AAD to provide a Single-Sign-On experience.

None of this is very new but two announcements have raised the stakes.

Microsoft recently launched Intune for Education, a version of the device management service that’s specifically aimed at schools. The emphasis is on ease of use and it contains a policy set tailored for education which defines some useful predefined functions such as online testing. Apps are drawn directly from the Windows Store and admins will be able to control which apps students and teachers can see and install. Included in the bundle is School Data Sync, a tool that channels data from a selection of common Student Information Systems into WAAD to provision online classrooms and teacher/student accounts.

When placed alongside Office365 for Education, which features all the standard Microsoft productivity tools as well as OneNote and Microsoft Classroom it’s clear that this strategy is pitched directly at countering the cloud centric approach of Google's G Suite for Education.

The second move was the announcement of a simplified version of Windows 10 that's designed to run Microsoft’s Universal apps from the Windows Store and is rumoured to be free for vendors to install. This is pitched to challenge the success that Chromebooks have enjoyed in the education space and clearly validates the cloud first approach.

The Roadmap for Education,
As a complete solution you are unlikely to see this setup running a school in the near future and it might be that Microsoft is just throwing sand around to buy enough time to reorganise the delivery model and licencing plans.

Whatever the situation the point is this;

The future for IT does not require servers and now both Microsoft and Google are painting the same picture.

From the Microsoft viewpoint this strategy is a difficult sell to education. The model is so radically different from the one they have been licensing, supporting and deploying in schools for over thirty years, the pitch could easily be coming from another company. Just sorting out the licensing will be a massive chore although they have already made a start on that.

How much of the current on-premise investment can be carried forward into the brave new world of “Microsoft as a Service” is debatable and while the IT team are heaving servers and Windows 7 clients into the dumpster they might just decide to look at G Suite for Education rather than wait for Microsoft's offering to mature because it's now clear that both are offering the same vision of the future.

From Google's perspective having Microsoft challenging them in so many areas is a move that shouldn't be underestimated.  Redmond may not be the first to the party but they always seem to leave with the girl!

Monday, 6 February 2017

The Serverless School - Hall of Fame.

Talking to educationists in my day job and at meet-ups and shows it's clear that, without any fanfare or fuss or even much technical assistance, quite a few schools have already made the move to 'go serverless' .

In some cases the move was prompted by financial pressures but most often it was just the realisation that the incumbent system wasn't delivering on the early promise and was now just a drag on innovation and change.

Going forward I plan to feature some of the stories with a view to explaining how it was achieved from a technical point of view but also the motivation behind the change.

Most of these sites are in the UK but if you have a story you'd like to share regarding your school please drop me a line from the contact panel and I'll feature it on the blog.

The first of these is a school in the north of England that's taking a whole new approach right across the board.

XP School - Doncaster - UK

Wednesday, 1 February 2017

Wire, wire everywhere..

If you are planning a school network with a view to supporting mobility and a SaaS resource like G Suite for Education then one of the technical aspects that's often overlooked is the physical wiring. In this respect we are referring to the sockets on the wall that you plug your network cable into.

How many do you need, how are they connected and where are they best located?

At this point the thought might hit you: “What’s a network cable? I haven’t used one of them for years.” You might also reflect that although everyone around you seems to be consuming the internet at a furious pace, your home and your favourite coffee shop don't come with any network sockets at all. So why does your school need hundreds and sometimes thousands of them?

The fact is that most modern client devices are wireless based and the technology has progressed to the point where Chromebooks, iPads, Android tablets and MS Surface devices don’t even have a standard RJ45 network port. Without purchasing an adapter you couldn’t plug them into the wall even if you wanted to.

When you consider that the cost of providing each of those sockets (after you have taken into account the cable, terminations, installation, testing and switching) is around £100 you get some idea of how much money was wasted by the ‘just in case’ approach that was common in the pre-wireless days but which is still around today.

It wouldn't be so bad if this was the limit of the wasted resources but it's not. In the UK guidelines require that all network points installed into a new build are active. This results in the bank of unused ports being matched by an even more expensive rack of unused switches all linked by underutilised but costly high bandwidth interconnects.

The irony of the situation is that most of the traffic is only heading towards the web anyway so after zipping across a 10Gbs backbone it’s then forced down a low bandwidth pipe because, after purchasing all the switching and redundant network sockets, the school doesn't have the budget for a decent internet link.   Crazy doesn't even come close.

While it’s clear that a new build school could save a significant amount of money by adopting a design with far fewer outlets that’s optimised for wireless, this strategy also has some lessons for schools looking to upgrade their internal infrastructure.

The normal approach is to launch an expensive hardware replacement program in the hope that bigger and faster will deliver the required change.

But how does this help when all the exciting, and transformative learning resources are no longer on the internal network?  You're just going nowhere quicker!

The aim should be to get clients onto the wireless network and then out onto the internet as fast as possible and this simple objective doesn’t require a mass of cabling and switching hardware.

So what's the plan ?

Invest in a good managed wireless network. For the features on offer there are some great deals around at the moment using the new IEEE 802.11ac standard. Check out vendors other than the established names. Don't pay for features unless you plan to use them.

Make sure you have quality cables running to high level locations. If necessary lay new cable to those sites pulling it back to a PoE capable switch at the core rather than spending money on maintaining low level ports that nobody will be using. Incorporate IP CCTV into this plan if you have it.

Look at the rest of the network. What else could be moved to wireless? Digital signage is a good candidate along with softphones on personal mobiles instead of fixed desk IP phones.

Where are the areas that still need fixed ethernet?  Administration offices, front desk, the teacher walls and maybe specialised technology and media devices. However your plan should be focusing on providing a solid wireless signal across the school before looking at areas that would benefit from a fixed network port.

If you have printers liberally scattered about you won’t have any money to fix the network anyway because the budget's already allocated to paper, laser cartridges, leasing contracts and print management licences.

If you are left with hundreds of devices still requiring an RJ45 socket (really!) there is a cheap solution - reuse some of the switches you already have. When your fixed clients are consuming SaaS resources, a 10/100 switch will be just as fast as a 1Gbs model because in a serverless school the internet connection becomes the constraining factor, not the speed of any particular switch or interconnect. Just don’t plug any wireless access points into them.

Now while some of these suggestions may not be practical or directly applicable to your situation the fact remains that one of the main reasons why networking is so expensive is because we are still patching like it’s 1999.

Just don’t do it.

Wednesday, 18 January 2017

Could Google Cloud Platform deliver desktops to schools?

One of the main challenges to be faced when moving to a serverless architecture is how to handle legacy Microsoft Windows applications.

Although it's now commonplace to see mobile apps and SaaS resources replacing Windows applications there are circumstances where the curriculum demands a specific Windows application or a suitable alternative just doesn’t exist.

Even before cloud services emerged, schools found themselves in a similar position trying to run resource hungry programs on ageing client PCs. In this case the standard response was to deploy Microsoft Remote Desktop Service (RDS), Citrix XenApp or to trial a VDI solution if the school were happy to take complexity and cost to a whole new level.

This approach provides a solution but it’s not ideal for a number of reasons.

The remote desktop approach requires additional server images and only adds to hardware and licensing costs. The design is likely to hit a bottleneck when scaled up and the investment is wasted if the Windows applications are accessed infrequently or simply retired.

Some of these issues can be reduced by running servers directly from an IaaS platform such as MS Azure but that doesn’t reduce the complexity and it can prove costly if the inefficiencies are not addressed.

If we accept the fact that we need to support Windows desktops on a range of platforms and this is unlikely to change for some time, what would be the ideal solution ?
  • No requirement for additional hardware or server images to maintain.
  • Easy to manage and configure
  • Customisable with curriculum software.
  • Accessible from a wide range of platforms with zero install
  • Access anywhere.
  • No scaling limitations both up and down.
  • Cost effective, cheap or free.
The majority of this list can be covered by cloud services that deliver desktops on demand, otherwise known as Desktop as a Service (DaaS). In this case each desktop is represented by a single computer running in the cloud, accessed by the student across the network from whatever platform is appropriate for the task. With DaaS there are no servers to maintain, it’s simple to configure and both accessibility and scalability are baked in.

So DaaS can tick off the first six points quite easily. Where the wheels come off is point seven - cost.

Currently DaaS services are aimed squarely at the business market which means it's expensive for education.
In a business situation if a desktop user generates revenue then DaaS can be absorbed as a simple overhead cost. José may well be the next Mark Zuckerberg but he’s only fourteen at the moment and not yet pulling in the bucks!
Another complication is that DaaS cost model assumes that the desktop is linked to a single named user and is used productively for the whole working day, over an extended period of time.

A school has a completely different usage pattern and may access a desktop intensively for a few hours a day and then not at all for a week before repeating the pattern over three months and then breaking up for a six week summer holiday.

So at a superficial level DaaS doesn’t look like a practical option for education but let's look at the problem a little closer.

DaaS is not being asked to replace the bootable image in daily use in the ICT suite or student mobile device. This is likely to be MS Windows but in 2017 could just as easily be iOS, macOS or ChromeOS or Android.

However DaaS could be used to deliver a pre-defined set of Windows apps to a class group to meet a specific teaching requirement. This could be as simple as the MS Office suite for a school that runs Chromebooks or iPads or it could be a specialised Windows application that's required for the assessment of a single course. In both cases maintaining a complex backend infrastructure just to deliver a few legacy Window apps is simply inefficient, although it's also true that paying for an underutilised DaaS desktop is just as bad.

So what vendor options do you currently have ?

Microsoft is currently re-branding its own DaaS offering around a Citrix Cloud service so it’s difficult to know what that might look like. If I had to guess, it will be slick, fully featured and very expensive. The jury's out on that but it could be an option.

Note: VDI on Azure has now been launched.

The current leader in the DaaS market place is Amazon with WorkSpaces, a fully managed, secure desktop computing service which runs on the AWS cloud. It offers two subscription methods. The first is a simple flat fee per month and the second a metered tariff per hour on top of a reduced monthly charge.
All the estimates below are based on a machine running a Windows 10 experience with 1 vCPU, 2 GB Memory and 10 GB storage.
The flat fee per desktop is currently £20.33 pcm which works out at £609.76 to deliver a desktop to thirty named students over a month. Unless your school is sponsored by an oil producing nation that's unlikely to be attractive. Other DaaS providers offer desktops at a similar cost level.

The second Amazon option is more interesting.

Taking the same class size and including a charge for running the lab for 20 hours per month the costs fall to around £285 pcm. While the cost is heading in the right direction the problem now lies with starting the image so it’s available for the class and shutting it down afterwards to avoid eating into the budget.
Fraser Speirs at the Cedars School has used some innovative techniques to show how this might be done.
For a school that runs an image for a limited number of hours a month the majority of the cost rests with the fixed monthly fee which will be charged even if the image is not started. Therefore the AWS cost structure, although an improvement, still doesn’t align with the requirements of education which is a simple flat rate pay-as-you go model.

This is where Google Cloud Platform (GCP) comes in because that's exactly how it works - a simple per-minute billing for each running instance and when you run the same numbers through this model the results are quite startling.

The thirty user lab running the same Windows instance for twenty hours now costs £48 pcm, probably the same amount of money it would cost to licence, maintain, power and cool the on-premise server farm.

Let's look at some other advantages.

There’s no overhead in maintaining a library of images. Unlike Amazon Workspaces a student could have multiple desktops, each matched to a specific task. The example we have been employing uses a Windows desktop but one image could easily be a Linux development environment.

The images could maintain the user settings between each session so the student can immediately pick up where they left off. Running persistent desktops in a VDI environment has significant overheads.

In a Google environment you could run stateless images and then force the user to authenticate with the Chrome browser to pull down a user policy while mapping the student's Google Drive locally using Google Drive Sync. This action generates a fair amount of network traffic but remember the data isn’t travelling over the internet but across Google’s insanely fast datacenter backbone. In this way all the files generated on the workspace would be immediately available to any device in the school providing a seamless datastore between the two environments.

Lastly you could take the Google integration theme one step further and pull the information you need to setup the classes directly from Google Classroom. How cool would that be?

Pick a class- pick an image - pick a time, all managed by the teaching team.
Another approach could be -  here’s a budget, schedule what you like, when you want it.

Let's keep going...
  • Split location teaching - not a problem.
  • Take the “ICT suite” on field trips and work in the evening - easy.
  • Classes limited by the size of the ICT suite - not any more.
  • Differentiated learning environments - it’s a breeze.
  • Ageing PC suite with XP - replace with Chromebases and move teaching apps to DaaS desktops.

There are a few catches of course.

Unlike Amazon WorkSpaces which has a very slick front end to provision and allocate these desktops nothing like this exists for GCP in the way I’ve described. Amazon WorkSpaces also has a built in network protocol (PCoIP) and client plugins which provides an enhanced user experience.

It would be impractical to expect a school to manually build, maintain, allocate and schedule these images but the salient fact is that GCP currently provides the technology and the charging structure for such a service to be created.

It only needs an enterprising team to provide the user access layer and management and this would become really interesting. Even at twice the price it would still remain an attractive option.

Available internet bandwidth is always a factor when assessing SaaS but this is now a core resource for most schools and should attract the same level of investment as on-premise hardware did in the past. Money spent on connectivity benefits everything not just a few applications or subject areas.

Schools can gain a genuine benefit from adopting SaaS but there's always a fixed set of Windows applications that stalls the progress towards a fully serverless solution by requiring local servers and storage.

If you can migrate these desktops and applications to the cloud the savings to be gained in reducing the overhead costs of local infrastructure could be used to fund the initiative.

There are still a few problems, not all of them technical but lifting this particular roadblock would be a huge step towards a serverless future.

Of course such a service may already exist. If so I’d be happy to use it!

Monday, 2 January 2017

Why moving servers to the cloud doesn't work.

It's a safe bet that 2017 will see increasing levels of hype around the adoption of cloud services for both business and education.

In the UK, schools are being encouraged to move in this direction by policy guidelines  issued by the Department of Education while at the same time licence changes from Microsoft are aimed at making MS Azure more attractive when compared with the on-site options.

Throughout the year Google will continue to work actively in this arena, promoting their cloud service (G Suite for Education and Google Classroom) as well as other initiatives such as Expeditions. At the BETT show, to be held in London later this month, it's likely that the vast majority of new software will be launched as cloud based applications (SaaS) rather than local server installs. It all appears to be heading in one direction.

Building a new school using cloud services is one challenge but migrating an existing school raises a whole range of issues. Most sites have long standing dependencies on locally installed software and legacy systems for both administration and teaching which makes this a far more difficult task.  Faced with this scenario it's tempting to simply take the existing server estate and replicate to an IaaS platform like Microsoft Azure.

Job done, your school is in the cloud with all the boxes ticked.

Because many school servers already run on virtualized server platforms such as Microsoft Hyper-V or VMWare this seems like a low risk solution and in some respects it is but it comes with one major drawback - it doesn’t work.

This is not a particular shortcoming of MS Azure but more a set of constraints that you face when moving workloads to Infrastructure As A Service (IaaS) by simply replicating the onsite architecture.

This might come as a bit of a surprise. Isn’t the whole point of the blog an attempt to reduce the number of on-premise servers and move to the cloud? It’s The Serverless School after all - so what's going on?

Why wouldn't rebuilding the onsite infrastructure in the cloud bring the benefits we expect ?

It doesn't change anything.
Migrating servers to the cloud is not a catalyst for change. The servers are off site but the same problems remain. Some pinch points are removed such as remote access, expansion capacity and the hardware upgrade cycle but you are still managing services in a similar way and it’s pretty much the same system.

Shifting to the cloud without anybody noticing is a significant technical achievement but for a school it just represents a missed opportunity. Moving systems to an IaaS platform is not a transformative process.

It’s slowww.
Actually users will notice a change - it’s going to be slower. Placing servers on the end of a wire that carries less than 10% of the throughput of a local connection is going to have an impact. SaaS applications don’t have the same problem because they have been designed to perform on a low-bandwidth internet connection. In contrast the user experience provided by a locally installed application when accessing files or loading user profiles relies heavily on a responsive data connection and when that doesn't exist the results can be ugly.

The bill please.
Onsite servers are very inefficient. In most schools they are only used for about eight hours and even when they are working they utilise only a fraction of the total capacity. Throughout the whole day they’ll be consuming energy to heat them up and more energy to cool them down. They also require support, backup systems, redundant capacity and every five years they’ll need replacing. Migrating servers to an IaaS platform seems an obvious solution. So you rebuild or migrate your servers to IaaS and all is well... and then you get the monthly invoice.
OMG - why is it so expensive ?
IaaS appears costly because it’s measured against a misleadingly low value for on-site computing. On premise always looks cheap because most of the costs are hidden, unrecognised or simply not taken into account.

When you move your server estate to IaaS you see the true cost of under utilising processing power and storage and it can be quite a shock. IaaS is a great deal if your servers are working 24/7 to provide a service but if you export your inefficiencies to the cloud you simply get stuck with a check for doing nothing.

There are workarounds for some of these problems of course.

You can rationalise the number of servers and consolidate some of the services onto a single image.
"You started with six virtual servers but after the VLE install, the backup upgrade, the reporting software and the other stuff you 'need' you now have twelve although you’re not sure what they all do."
You could introduce some scheduling software in order to keep the cost down as well as keeping some of the core services local to speed things up, but now you have two systems, one on-site and one in the cloud, and you're not sure whether you have halved your problem or doubled it.

By the time you’ve re-engineered everything to make it work in the same way as it did on-premise wouldn’t it be simpler to consider a SaaS based solution?

Other considerations when moving VM infrastructure to the Cloud