Azure Training Day – Slightly Structured Notes



Azure Training Day

Microsoft Canberra – October 4th, 2016

Introduction

A brief overview of the Azure Platform, starting from Infrastructure up.

36 Azure regions, 28 of them with Azure Compute. Most regions are paired for redundancy.

500+ new releases in the past 12 months: an exceptional rate of change.

Additional stats – the platform is very busy: 150 billion SQL Azure queries/day; 1 in 4 VMs runs Linux; 715 million AzAD users.

Gartner puts Azure into the Leader ranking for 19 categories.

Terminology overview: Packaged vs. IaaS, PaaS and SaaS.

“How much does it cost to run on Azure?”

Azure Pricing calculators – Demo

VM option – asks for the operating system, as the price incorporates licensing cost.

Different pricing is available based on alternative licensing, e.g. MSDN, E3/E5 Enterprise licensing.

Hybrid Cloud options – multiple.

· Storage

· Backup/DB

· Consistency

· App int (Service Bus)

· Identity (AzAD)

· Cloud management (Operations)

· Connectivity (VPN, ExpressRoute)

Microsoft Cloud – Trustworthy Computing

Data centres have specific security features by design, covering all aspects of running a data centre: redundant power, perimeter fencing and seismic detectors. Internal security includes 2FA, cameras, biometric access etc.

Public endpoints are segregated from VPN and ExpressRoute access points. Network perimeter defences include DDoS protection, active threat management etc.

Billing

Power BI is supported; you can define user dashboards and use natural language querying.

Identity and Access Management

Single Sign On – Based on Azure Active Directory

– Azure Active Directory Connect

Option 1: Sync – a hash of the on-premises password is synchronised to AzAD

Option 2: On-premises password storage and authentication (AD FS), with basic directory details synchronised to AzAD

[Option 3: Only on-premises ADFS, using WS-Fed-supported Azure applications]

2FA support can be selective, depending on the home realm, route etc.

Azure can detect the user's home realm and redirect to the organisation's ADFS farm.

2FA support can vary based on device, e.g. biometrics, Text + PIN.

SSO to external applications via a browser plugin. Integrates with AzAD so that user access to corporate accounts can be granted and revoked centrally.

Azure Active Directory Application Proxy

Authentication is handled in the cloud; authenticated users are passed through to DMZ applications with an access token.

Azure Active Directory Domain Services

A hosted version of Active Directory: where AzAD provides authentication, this is a PaaS version of AD DS. Machines can be joined to the cloud-hosted AD DS domain. Supports Group Policy, etc.

B2B – Trust with other organisations

AzAD-to-AzAD trust (the equivalent of an ADFS trust)

B2C – Register and Manage Users

Can allow social media identities, Microsoft Accounts, AzAD, etc. Handles account management, password resets, 2FA etc.

AzAD Join for Windows 10

Connect devices to AzAD or on-premises AD. Enforce policies (GPO-style?) and check patch levels. Non-conformity can restrict access to apps, certs, etc.

Privileged Identity

Reporting on use of credentials, stale rights etc.

Cloud App Discovery

Telemetry from users' web habits (SaaS), metrics for app usage etc.

Microsoft Azure Storage

– Blobs

– Files (SMB) – with restrictions (accessed only within the region)

– Tables

– Queues

Haveibeenpwned was given as an example of the speed of Azure Tables.

Blobs:

– Highly durable and scalable

– Geographical redundancy (rules dictate how geo partnerships are defined, e.g. paired regions must be more than 600 km apart)

– Premium storage (e.g. SSD) SLAs

– “Cool storage” – low cost, slower disk, good for archiving

– Storage encryption at rest

o Managed service

o 256-bit AES

– Azure Disk Encryption

o BYO encryption

o Uses Azure KeyVault

o Windows and Linux

– Upload huge data sets: import/export service

o Can export through the same mechanism

o Data is encrypted throughout the process

– StorSimple

o Hybrid solution. On-premises appliance (infra) that exposes iSCSI endpoints

o The device determines where data should be stored (cloud or on-premises)

o Transparent to the application

Storage accounts – can't blend storage quality within an account (standard OR premium).
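As an added example (not from the training-day slides), the "BYO encryption" option above in the 2016 AzureRM PowerShell module: Azure Disk Encryption on an existing Resource Manager VM, with the volume key wrapped by a key in Azure Key Vault. The resource group, region, VM, vault and AzAD application values are placeholders; the AzAD application is assumed to already exist, which the flow at the time required so that the VM extension could write the wrapped key into the vault.

```powershell
# Added example: enable Azure Disk Encryption (BitLocker on Windows,
# dm-crypt on Linux) on an existing ARM VM, keys held in Key Vault.
# All names are placeholders; the AzAD application is assumed to exist.
$rg           = 'rg-example'           # placeholder resource group
$location     = 'australiaeast'        # placeholder region (vault and VM must share it)
$vmName       = 'vm-example'           # placeholder existing VM
$vault        = 'kv-example-ade'       # placeholder vault name (globally unique)
$aadClientId  = '<aad-app-id-placeholder>'
$aadSecret    = '<aad-app-secret-placeholder>'  # fetch from a secure store in practice

Login-AzureRmAccount

# 1. A vault the platform is explicitly allowed to use for disk encryption.
New-AzureRmKeyVault -VaultName $vault -ResourceGroupName $rg -Location $location `
    -EnabledForDiskEncryption
$kv = Get-AzureRmKeyVault -VaultName $vault -ResourceGroupName $rg

# 2. Least privilege for the application identity the VM extension uses:
#    it only needs to wrap keys and write secrets, nothing else.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vault -ServicePrincipalName $aadClientId `
    -PermissionsToKeys WrapKey -PermissionsToSecrets Set

# 3. Push the encryption extension to the VM (OS and data volumes).
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -AadClientID $aadClientId -AadClientSecret $aadSecret `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All

# 4. Verify rather than assume: both volume types should report Encrypted.
Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName |
    Select-Object OsVolumeEncrypted, DataVolumesEncrypted
```

The access policy in step 2 is the part worth checking in any environment: the application identity should hold only WrapKey and Set, not Get on secrets, since it never needs to read volume keys back. This is the cmdlet set of the 2016-era AzureRM module; later module versions renamed the cmdlets (Az prefix) and dropped the separate AzAD application requirement.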

Azure Networking

Hybrid Routing Scenarios

– Secure point-to-site

– VPN (site-to-site)

– ExpressRoute (dedicated link)

ExpressRoute circuits determine what goes over private and public routes. Tailor the peering for optimal performance; Office 365 is recommended over Microsoft Peering.

VNet Peering

(Finally) Directly link VNets in the same region over the internal Azure backbone, with no gateway. Low latency, no throughput constraints.
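An added example (not from the slides) of the VNet peering just described, using the AzureRM cmdlets current at the time. Resource group, region, VNet names and address ranges are placeholders. It shows the two points a practitioner most often trips over: peering is a pair of one-way links that both have to exist before the state reaches Connected, and the address spaces must not overlap.

```powershell
# Added example: peer two VNets in the same region and confirm the link.
# All names and address ranges are placeholders.
$rg       = 'rg-example'      # placeholder resource group
$location = 'australiaeast'   # placeholder region (both VNets must share it)

Login-AzureRmAccount
New-AzureRmResourceGroup -Name $rg -Location $location

# Address spaces must be disjoint; the peering is refused otherwise.
$hub   = New-AzureRmVirtualNetwork -Name 'vnet-hub'   -ResourceGroupName $rg `
            -Location $location -AddressPrefix '10.0.0.0/16'
$spoke = New-AzureRmVirtualNetwork -Name 'vnet-spoke' -ResourceGroupName $rg `
            -Location $location -AddressPrefix '10.1.0.0/16'

# One link per direction. Forwarded traffic and gateway transit stay off
# unless a virtual appliance or on-premises gateway in the hub needs them.
Add-AzureRmVirtualNetworkPeering -Name 'hub-to-spoke' -VirtualNetwork $hub `
    -RemoteVirtualNetworkId $spoke.Id
Add-AzureRmVirtualNetworkPeering -Name 'spoke-to-hub' -VirtualNetwork $spoke `
    -RemoteVirtualNetworkId $hub.Id

# Until the second link exists the first reports Initiated, not Connected.
Get-AzureRmVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName 'vnet-hub' `
    -Name 'hub-to-spoke' | Select-Object Name, PeeringState
```

Peering is not transitive: a spoke peered to the hub cannot reach another spoke through it without forwarding via an appliance. Network security groups on the subnets still apply to peered traffic, so peering widens reachability only as far as the NSGs allow.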

Networking

– No static IP assignment

– Reserve IPs (like a DHCP reservation)

– Forced tunnelling

– No console access

– Virtual Network adapters

– Virtual Network appliances

– Load balanced IPs per virtual machine

– Create public/private virtual networks

– IPv6 in some regions

Compute VMs (IaaS)

– H series CPU nodes*

– N series* with high-end GPUs

o High-end remote visualisation

– F series

– G series

Series from basic to beefiest: A, D, Dv2 (same price as D but better), F, N, H, G.

On-demand re-provisioning to scale up or down. Billed by uptime, per minute.

*Not in Oz yet

VM Scale Sets

Real-time scale-out based on templates. Scale-up may be possible.

Dev-Test Labs

Self-service, template-driven, create and tear down. CI support. Good for cheap load testing.

Availability Sets – tell the Azure fabric which resources shouldn't share a single point of failure.

Classic Model (V1) vs Resource Manager (V2)

V2 Model – uses resource groups

New work should use Resource Manager!

Containers

E3 vs E5

AzAD Premium

Operations Management Suite

Enable a unified view of all your IT assets whether on-premises or in the cloud.

Manage Azure or AWS, Windows or Linux, VMware or OpenStack

• Log Analytics

• Automation

• Backup

• Site Recovery

• System Center*

Note: I took a break from making notes during the Azure Web API section.

Data/Insights

SQL Azure

– Can use existing transaction logs to estimate DTU (Database Throughput Unit) requirements

– Lots of scale options

Supports Availability Groups; any other region can be selected as the secondary. Has built-in threat analytics to detect unusual behaviour, e.g. potential SQL injection attacks.

Cloud-hybrid options are available, including Stretch DB (SQL 2016 only); however, it relies on a compliant DB schema (uses DB sharding).

Performance tooling analyses long-running queries. Still in preview.

T-SQL support – does not quite mirror on-premises support. See https://azure.microsoft.com/en-us/documentation/articles/sql-database-transact-sql-information/

Azure Media Services

CDN support, built for scale

Traffic Manager

Geo-routing directs people to their closest instance. Smart routing.

Slide Deck: http://aka.ms/azuredd

Azure Trials: http://aka.ms/try-azure


About Rob Sanders

IT Professional and TOGAF 9 certified architect with nearly two decades of industry experience, 17 years in commercial software development and 11 years in IT consulting. Check out the "About Rob" page for more information.
