Developing Solutions for Azure - Best Practices
•
0 likes•14 views
Developing Solutions for Azure - Best Practices
Recommended
Recommended
More Related Content
Similar to Developing Solutions for Azure - Best Practices
Similar to Developing Solutions for Azure - Best Practices (20)
More from Fisnik Doko
More from Fisnik Doko (7)
Recently uploaded
Recently uploaded (20)
Developing Solutions for Azure - Best Practices
- 1. Developing solutions for Azure Best practices FISNIK DOKO
- 2. Hello! Fisnik Doko • Azure Cloud Solution Architect • Microsoft Trainer • Speaker • https://youracclaim.com/users/fisnik-doko/badges
- 3. Content • Azure App Service • Azure Functions • API Management • Application Gateway • Azure Static Web App • Azure Key Vault • Azure Service Bus • Storage account • Azure SQL Database • Azure PostgreSQL • Azure Cosmos DB • Azure Redis Cache • Azure Container Registry • Azure Container Instances • Azure Kubernetes Service • Application Insights
- 4. Azure App Service • Multiple languages and frameworks • Managed production environment • Containerization and Docker • DevOps optimization • Global scale with high availability • Deployment slots • Security and compliance • API and mobile features • Serverless code • Visual Studio and Visual Studio Code integration Staging Production swappable QA Test Dev
- 5. Best practices • App Services and Functions should be deployed within virtual network using Premium tier App Service Plan • Use Private Endpoint to secure inbound traffic to the Application Gateway • Set the minimum TLS version to 1.2 • Set the app to only be accessible over HTTPS • Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application • Disable Anonymous access • Disable FTP access • Threat protection should be enabled on Azure App Service plans • Remote Debugging should be turned off for App Services • Choose to store application secrets in Key Vault and retrieve them at runtime
- 6. Azure Functions Run code based on HTTP requests Schedule code to run at predefined times Azure Durable Functions • Write stateful functions in a stateless environment • Manages state, checkpoints, and restarts • Defines an Orchestrator function • Workflows are defined in code • Calls other functions synchronously or asynchronously • Checkpoint progress whenever function awaits
- 7. Best practices Avoid long-running functions: • Functions that run for a long time can time out Use queues for cross-function communication: • If you require direct communication, consider Durable Functions or Azure Logic Apps Write stateless functions: • Functions should be stateless and idempotent • State data should be associated with your input and output payloads Code defensively: • Assume that your function might need to continue from a previous fail point
- 8. API Management • Policies • API documentation • Rate limiting access • Health monitoring • Modern formats like JSON • Connections to any API • Security • Analytics APIM Modern API Legacy API
- 9. Application Gateway • OWASP Protection • Prevention mode • End to end SSL • WAF policies • Autoscaling • URL-based routing • Rewrite headers • Application Gateway Ingress Controller • Logs • Private and public IP
- 10. Azure Static Web App • Globally distributed content • Integration with serverless APIs powered by Azure Functions • Access to a variety of authentication providers • First-class GitHub and Azure DevOps integration • Free SSL certificates, which are automatically renewed
- 11. Azure Key Vault • Restrict access to Key Vaults from only trusted IPs, service endpoints or virtual networks • Enable soft delete to allow recovery of deleted vaults and key vaults objects or a defined amount of time before it gets deleted permanently • Enable purge protection to ensure that vaults or objects cannot be purged until the retention period has passed • Turn on diagnostic loggings for Key Vaults and alert on suspicious activities Azure Key Vault
- 12. Azure Service Bus • Supports larger messages sizes of 256 KB (standard tier) or 100 MB (premium tier) per message • Supports both at-most-once and at-least-once delivery • Guarantees first-in, first-out (FIFO) order • Can group multiple messages in one transaction • Supports role-based security • Does not require destination components to continuously poll the queue
- 13. Storage account • Every request made against a storage service must be authenticated • RBAC (Role Based Access Control) should be used to access storage accounts • Data in transit between the client and Azure Storage must be encrypted • Enable Virtual network service endpoint and allow access to storage from the specific network only • Storage Accounts Keys must be regenerated on a regular basis • Disable the option to “allow blob public access” if this is not required • Usage of Shared Access Signatures should be kept as minimum as possible • HTTPS must be used in the request URL
- 14. Azure SQL Database • An Azure Active Directory administrator should be provisioned • Auditing & Threat detection features should be enabled • Azure Transparent Data Encryption (TDE) must be enabled • The connections to Azure SQL databases should be restricted by the internal firewall • Audit logging should be enabled on Azure SQL databases • Azure Defender for SQL must be enabled on subscription level
- 15. Azure PostgreSQL (Single Server) • Enable Enforce SSL connection • An Azure Active Directory administrator must be provisioned • Audit logging should be enabled • Enforce TLS Connections for PostgreSQL Database servers. By default, Azure Database for PostgreSQL does not enforce a minimum TLS version (the setting TLSEnforcementDisabled) • Public network access to the database should be disabled or at least restricted • Use Azure PostgreSQL Flexible Server !
- 16. Azure Cosmos DB Build or modernize scalable, high-performance apps A fully managed service, Azure Cosmos DB takes database administration off your hands with automatic management, updates and patching Column family Document Graph Turnkey global distribution Elastic scale-out of storage and throughput Guaranteed low latency at the 99th percentile Comprehensive SLAs Five well-defined consistency models Table API Key-value MongoDB
- 17. Azure Redis Cache • Fully Managed Service • High Performance • Built-in Reliability • Flexible Scaling • Open Source Compatible • Consider more keys and smaller values • Choose an appropriate tier
- 18. Azure Container Registry • Managed Docker registry service • Stores and manages private Docker container images • Building images in Container Registry • Use Premium tier to enable Private Endpoints Repository Container Registry New container image build agent Local machine ACR BUILD
- 19. Azure Container Instances Simplest way to run a container in Azure: • Doesn’t require IaaS provisioning • Doesn’t require the adoption of a higher-level service Ideal for one-off, isolated container instances: • Simple applications • Task automation • Build jobs Supports Linux and Windows containers Supports direct mounting of Azure Files shares Container can be provisioned with public IP address and DNS name
- 20. Azure Kubernetes Service • AKS Kubernetes must always be updated to the latest version • RBAC must be enabled including limiting the access of users • Application configuration such as access credentials, keys and other secret data have to be separated from the application configuration and injected via Kubernetes secrets • Restrict access to Kubernetes Services to Authorized IPs or utilize a private AKS cluster • Make use of networking policies between pods in the AKS cluster • Enable Azure Defender for Kubernetes and Azure Defender for Container Registries on subscription level • Utilize a private container registry to store container images • Containers images and runtime should be scanned against vulnerabilities
- 21. Application Insights Extensible application performance monitoring service Can be used to: • Monitor a live web application • Automatically detect performance anomalies • Diagnose issues by using analytical tools • Understand real-world user behavior by using custom queries and metric visualizations
- 22. 22
Editor's Notes
- Azure App Service is a fully managed platform as a service (PaaS) offering for developers. Here are some key features of App Service: Multiple languages and frameworks - App Service has first-class support for ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python. You can also run PowerShell and other scripts or executables as background services. Managed production environment - App Service automatically patches and maintains the OS and language frameworks for you. Spend time writing great apps and let Azure worry about the platform. Containerization and Docker - Dockerize your app and host a custom Windows or Linux container in App Service. Run multi-container apps with Docker Compose. Migrate your Docker skills directly to App Service. DevOps optimization - Set up continuous integration and deployment with Azure DevOps, GitHub, BitBucket, Docker Hub, or Azure Container Registry. Promote updates through test and staging environments. Manage your apps in App Service by using Azure PowerShell or the cross-platform command-line interface (CLI). Global scale with high availability - Scale up or out manually or automatically. Host your apps anywhere in Microsoft's global datacenter infrastructure, and the App Service SLA promises high availability. https://docs.microsoft.com/en-us/azure/app-service/overview Image link: https://azure.microsoft.com/en-in/services/app-service/#security
- Avoid long running functions Large, long-running functions can cause unexpected time-out issues. A function can become large due to many Node.js dependencies. Importing dependencies can also cause increased load times that result in unexpected time-outs. Dependencies are loaded both explicitly and implicitly. A single module loaded by your code may load its own additional modules. Cross function communication Durable Functions and Azure Logic Apps are built to manage state transitions and communication between multiple functions. If you are not using Durable Functions or Logic Apps to integrate with multiple functions, it is generally a best practice to use storage queues for cross function communication. The main reason is storage queues are less costly and much easier to provision. Write functions to be stateless Functions should be stateless and idempotent if possible. Associate any required state information with your data. For example, an order being processed would likely have an associated state member. A function could process an order based on that state while the function itself remains stateless. Write defensive functions Assume that your function could encounter an exception at any time. Design your functions with the ability to continue from a previous fail point during the next execution.
- API documentation. Documentation of APIs enables calling clients to quickly integrate their solutions. API Management allows you to quickly expose the structure of your API to calling clients through modern standards like Open API. You can have more than one version of an API. With multiple versions, you can stage app updates as your consuming apps don't have to use the new version straight away. Rate limiting access. If your API could potentially access a large amount of data, its a good idea to limit the rate at which clients can request data. Rate limiting helps maintain optimal response times for every client. API Management let you set rate limits as a whole or for specific individual clients. Health monitoring. APIs are consumed by remote clients. So it can be difficult to identify potential problems or errors. API Management lets you view error responses and log files, and filter by types of responses. Modern formats like JSON. APIs have used many different data exchange formats over the years from XML to CSV and many more. API Management enables you to expose these formats using modern data models like JSON. Connections to any API. In many businesses, APIs are located across different countries and use different formats. API Management lets you add all of these disparate APIs into single modern interface. Analytics. As you develop your APIs, it's useful to see how often your APIs are being called and by which types of systems. API Management allows you to visualize this data within the Azure portal. Security. Security is paramount when dealing with system data. Unauthorized breaches can cost companies money, time lost in reworking code, and reputational loss. Security tools that you can use with Azure API management include OAuth 2.0 user authorization, and integration with Azure Active Directory. https://docs.microsoft.com/en-us/learn/modules/publish-manage-apis-with-azure-api-management/2-create-an-api-gateway
- When exposing a Web Application towards the Internet, always place a Web Application Gateway or Azure Front Door in front of the Web App. The Web Application Firewall (WAF) must be enabled on the Application Gateway whenever using public endpoints for web applications. The WAF must be configured to use the latest OWASP ruleset core rule set. The WAF must be configured to “detect and block” or in the so called “prevention mode”. It is acceptable to have the WAF configured in “detect and log” for finetuning purposes and for investigating issues for a temporary period. Once the beforementioned activities have concluded, “detect and block” must be activated again. Always ensure that traffic to the backend systems is re-encrypted, once it has been terminated by the Application Gateway to ensure end-to-end encryption. Transform http traffic to https using redirection Application Gateways should have both private and public IP address Enable Application Insights Enable diagnostic settings
- Static web apps are commonly built using libraries and frameworks like Angular, React, Svelte, or Vue. These apps include HTML, CSS, JavaScript, and image assets that make up the application. When using a traditional web server architecture, these files are served from a single server along side any required API endpoints. Additional Talk: With Static Web Apps, developers can use modular and extensible patterns to deploy apps in minutes while taking advantage of the built-in scaling and cost-savings offered by serverless technologies. Pre-rendering static content (including HTML, CSS, JavaScript, and image files) and leveraging global content distribution to serve this content removes the need for traditional web servers generating the content with every request. Moving dynamic logic to serverless APIs unlocks dynamic scale that can adjust to demand in real time and can empower developers to access the benefits of microservices as they evolve and extend individual app components. https://docs.microsoft.com/en-us/learn/modules/publish-app-service-static-web-app-api/1-introduction?ns-enrollment-type=LearningPath&ns-enrollment-id=learn.azure-static-web-apps&pivots=angular https://techcommunity.microsoft.com/t5/apps-on-azure-blog/introducing-app-service-static-web-apps/ba-p/1394451 Azure Static Web Apps is a service that automatically builds and deploys full stack web apps to Azure from a code repository. The workflow of Azure Static Web Apps is tailored to a developer's daily workflow. Apps are built and deployed based off code changes. When you create an Azure Static Web Apps resource, Azure interacts directly with GitHub or Azure DevOps to monitor a branch of your choice. Every time you push commits or accept pull requests into the watched branch, a build is automatically run and your app and API is deployed to Azure. https://docs.microsoft.com/en-us/azure/static-web-apps/overview?WT.mc_id=dotnet-00000-cephilli Globally distributed web hosting puts static content like HTML, CSS, JavaScript, and images closer to your users Integrated API support provided by Azure Functions First-class GitHub and Azure DevOps integration where repository changes trigger builds and deployments. Free SSL certificates, which are automatically renewed Unique preview URLs for previewing pull requests https://docs.microsoft.com/en-us/learn/modules/publish-app-service-static-web-app-api/1-introduction?ns-enrollment-type=LearningPath&ns-enrollment-id=learn.azure-static-web-apps&pivots=angular Image link: https://docs.microsoft.com/en-us/shows/on-net/getting-started-with-azure-static-web-apps (@05:51)
- Microsoft Azure Key Vault is a cloud service that works as a security-enhanced secrets store. Key Vault allows you to create multiple security-enhanced containers, called vaults. These vaults are backed by hardware security modules (HSMs). Vaults help to reduce the chance of accidentally losing security information by centralizing the storage of application secrets. Vaults also control and log the access to anything stored in them. Azure Key Vault is designed to support any type of secret, such as a password, database credential, API key, or certificate. Software or HSMs can help to protect these secrets. Azure Key Vault can handle requesting and renewing Transport Layer Security (TLS) certificates, providing the features required for a robust certificate lifecycle management solution. Key Vault streamlines the key management process and enables you to maintain control of keys that access and encrypt your data. Developers can create keys for development and testing in minutes, and then seamlessly migrate them to production keys. Security administrators can grant (and revoke) permission to keys as needed.
- A Service Bus queue is a simple temporary storage location for messages. A sending component adds a message to the queue. A destination component picks up the message at the front of the queue. Under ordinary circumstances, each message is received by only one receiver. Queues decouple the source and destination components to insulate destination components from high demand. Additional Talk: A queue responds to high demand without needing to add resources to the system. However, for messages that need to be handled quickly, creating additional instances of your destination component can allow them to share the load. Each message is handled by only one instance. https://docs.microsoft.com/en-us/learn/modules/implement-message-workflows-with-service-bus/2-choose-a-messaging-platform The key advantages of Service Bus queues include: Supports larger messages sizes of 256 KB (standard tier) or 100 MB (premium tier) per message versus 64 KB for Azure Storage queue messages. Supports both at-most-once and at-least-once delivery. Choose between a very small chance that a message is lost or a very small chance it's handled twice. Guarantees first-in, first-out (FIFO) order. Messages are handled in the same order they are added. Note that although FIFO is the normal operation of a queue, the default FIFO pattern is altered if the organization sets up sequenced or scheduled messages or during interruptions like a system crash. Can group multiple messages in one transaction. If one message in the transaction fails to be delivered, all messages in the transaction aren't delivered. Supports role-based security. Does not require destination components to continuously poll the queue. https://docs.microsoft.com/en-us/learn/modules/implement-message-workflows-with-service-bus/2-choose-a-messaging-platform Image link: https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-quickstart-portal
- A storage account is a container that groups a set of Azure Storage services together. Only data services from Azure Storage can be included in a storage account (Azure Blobs, Azure Files, Azure Queues, and Azure Tables). The following illustration shows a storage account containing several data services. A storage account is an Azure resource and is part of a resource group. The following illustration shows an Azure subscription containing multiple resource groups, where each group contains one or more storage accounts. https://docs.microsoft.com/en-us/learn/modules/create-azure-storage-account/2-decide-how-many-storage-accounts-you-need
- https://learn.microsoft.com/en-us/azure/azure-sql/database/features-comparison?view=azuresql
- https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-compare-single-server-flexible-server
- As a fully managed service, Azure Cosmos DB takes database administration off your hands with automatic management, updates and patching. It also handles capacity management with cost-effective serverless and automatic scaling options that respond to application needs to match capacity with demand. Azure Cosmos DB is a globally distributed and elastically scalable database. It has a guaranteed low latency that is backed by a comprehensive set of Service Level Agreements (SLAs). Consistency can sometimes be an issue when you are working with distributed systems, but Azure Cosmos DB alleviates this situation by offering you five different consistency levels: strong, bounded staleness, session, consistent prefix, and eventual. All of the above is supported by a multi-model Azure Cosmos DB's approach, which provides you with the ability to use document, key-value, wide-column, or graph-based data. The final choice you have is how to access and manipulate your data. Azure Cosmos DB was built to support multiple different models, and you can continue to use industry standard APIs if they are already part of your application or database design. https://docs.microsoft.com/en-us/azure/cosmos-db/introduction#:~:text=As%20a%20fully%20managed%20service,to%20match%20capacity%20with%20demand. https://docs.microsoft.com/en-us/learn/modules/choose-api-for-cosmos-db/2-identify-the-technology-options Image link: https://devblogs.microsoft.com/cosmosdb/
- Azure Cache for Redis Fully managed, open source–compatible in-memory data store to power fast, scalable applications Fully managed service Enjoy a fully managed version of the popular open-source Redis server with a turnkey caching solution. Harness the benefits without the need to become an expert in deploying and managing it. High performance Azure Cache for Redis achieves superior throughput and latency performance by storing data in memory instead of on disk. It consistently serves read and write requests within single-digit milliseconds, delivering exceedingly fast cache operations to scale data tiers as application loads increase. Built-in reliability Standard and Premium tiers include a redundant pair of virtual machines (VMs) configured for data replication to ensure maximum reliability. Premium caches also can replicate data across Azure regions as part of an application’s disaster-recovery implementation. Flexible scaling With three tiers, Azure Cache for Redis fits your needs. Start with any cache size and scale up to a larger one later without any service downtime or scale down a cache within the same tier. Enterprise-grade security Azure Cache for Redis supports industry-standard SSL to secure your data in transit and Azure Storage disk encryption at rest. Premium caches can be placed in your own Azure Virtual Network (VNet) so that you can further restrict traffic routes to and from your cache through your VNet topology and access policies. Open source compatible At its core, Azure Cache for Redis is backed by the open-source Redis server and natively supports data structures such as strings, hashes, lists, sets and sorted sets. If your application uses Redis, it will work as-is with Azure Cache for Redis. Source: https://azure.microsoft.com/en-in/services/cache/
- Container Registry is a managed Docker registry service based on the open-source Docker Registry 2.0. Create and maintain Azure container registries to store and manage your private Docker container images. Use container registries in Azure with your existing container development and deployment pipelines. Use Azure Container Registry Build (ACR Build) to build container images in Azure. Build on demand, or fully automate builds with source code commit and base image update build triggers.
- Containers are becoming the preferred way to package, deploy, and manage cloud applications. Container Instances offers the fastest and simplest way to run a container in Azure, without having to manage any virtual machines and without having to adopt a higher-level service. Container Instances is a good solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs. For scenarios where you need full container orchestration, including service discovery across multiple containers, automatic scaling, and coordinated application upgrades, we recommend Azure Kubernetes Service (AKS).
- Like the previous slide, this is a short introduction to the Azure Kubernetes service. Subsequent topics go into the detail around the architecture, networking and deployment, etc. Examples of the health monitoring and maintenance tasks that AKS performs include Kubernetes version upgrades and patching.
- Application Insights is an extensible application performance management (APM) service for web developers on multiple platforms. Use it to monitor your live web application. It will automatically detect performance anomalies. It includes powerful analytics tools to help you diagnose issues and understand what users actually do with your app.