7. PaaS: a platform of services for hosting a custom solution
IaaS: a way to run virtual servers in the cloud with full control
SaaS: a complete software solution
8. Who manages what?
Stack layers, bottom to top: Networking, Storage, Servers, Virtualization, O/S, Middleware, Runtime, Data, Applications
• On Premises (physical / virtual): you scale, make resilient and manage every layer
• Infrastructure as a Service (Windows Azure Virtual Machines): Microsoft manages Networking, Storage, Servers and Virtualization; you scale, make resilient and manage the O/S, Middleware, Runtime, Data and Applications
• Platform as a Service (Windows Azure Cloud Services): Microsoft provides scale, resilience and management up to and including the Runtime; you manage the Data and Applications
• Software as a Service: Microsoft provides scale, resilience and management for the whole stack
The line between "managed by Microsoft" and "you manage" is also the security boundary: in IaaS, patching the guest O/S, hardening middleware and protecting data remain the customer's responsibility.
10. • Azure Resource Manager provides a method for
grouping and managing Azure resources
• The advantages include:
• Manage resources as a group
• Reuse solutions and consistently deploy resources
• Quickly deploy and re-deploy large solutions
• Define dependencies and resource deployment order
• Use role-based access control for permissions
• Logically organize resources by using tags
11. • Resource groups enable logical groupings of
resources
• Resources are assigned to a resource group when
created
• Some resources can be moved between resource
groups
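The two slides above describe resource groups as the unit for grouping, tagging, moving and, through role-based access control, securing resources. The following PowerShell is an added example, not part of the deck, showing the practice a security engineer cares about most here: scoping role assignments to a resource group rather than the whole subscription. It assumes the Az PowerShell module and a signed-in session; the group name, tags, object IDs and the resource being moved are placeholders.

```powershell
# Added example, not part of the deck. Assumes the Az PowerShell module;
# names, tags and GUIDs below are placeholders.
$location = 'westeurope'
$rg       = 'rg-payments-prod'

# Resources are assigned to a resource group at creation, so the group comes
# first. Tags on the group are not inherited by resources, so tag those too.
New-AzResourceGroup -Name $rg -Location $location `
    -Tag @{ Environment = 'prod'; Owner = 'payments-team'; CostCentre = '4410' }

# Least privilege: Contributor on *this* group only, not on the subscription.
# Owner would additionally let the team change role assignments themselves.
$teamGroupObjectId    = '00000000-0000-0000-0000-000000000001'   # placeholder Azure AD group
$auditorGroupObjectId = '00000000-0000-0000-0000-000000000002'   # placeholder Azure AD group
New-AzRoleAssignment -ObjectId $teamGroupObjectId    -RoleDefinitionName 'Contributor' -ResourceGroupName $rg
New-AzRoleAssignment -ObjectId $auditorGroupObjectId -RoleDefinitionName 'Reader'      -ResourceGroupName $rg

# Some resources can be moved between groups. Role assignments do not move
# with the resource: whatever is scoped to the destination group now applies.
$nsg = Get-AzResource -ResourceGroupName 'rg-sandbox' -ResourceName 'nsg-web' `
    -ResourceType 'Microsoft.Network/networkSecurityGroups'
Move-AzResource -DestinationResourceGroupName $rg -ResourceId $nsg.ResourceId -Force

# Review: anything still assigned at subscription scope is a candidate for
# narrowing down to a resource group.
$subScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
Get-AzRoleAssignment | Where-Object { $_.Scope -eq $subScope } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```

The review query at the end is the check worth running regularly: subscription-scoped Owner or Contributor assignments are the usual way a compromised account in one project turns into control of everything else.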
12. • Virtual networks and subnets
• Network interfaces
• IP addresses (private and public)
• Virtual network-based DNS and Azure DNS
• Azure Load Balancer
• Application Gateway
• Traffic Manager
• Network security groups
• User-defined routes
• Forced tunneling
• Virtual network connectivity
• Virtual network gateways
13. • An IP address space with one or more subnets:
• Private (RFC 1918):
• 10.0.0.0/8 (10.x.x.x)
• 172.16.0.0/12 (172.16.x.x – 172.31.x.x)
• 192.168.0.0/16 (192.168.x.x)
• Public (supported, but rarely used)
• IP addresses:
• Private – allocated to VM NICs or internal load balancers
• Public – assigned to VM NICs or load balancers
• DNS name resolution:
• Default – Internet names and names within the virtual network
• Custom – cross-premises, cross-virtual networks, custom domains
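Slide 12 lists network security groups and this slide lists the private address space; the speaker notes describe the intended layout, a public-facing subnet for web servers and a private subnet for databases with no Internet access. The following PowerShell is an added example, not part of the deck, that builds that layout with an NSG per subnet. It assumes the Az PowerShell module and an existing resource group; all names and address ranges are placeholders, and the helper `New-BaselineRules` is defined here for the example.

```powershell
# Added example, not part of the deck. Assumes the Az PowerShell module and an
# existing resource group; every name and address range is a placeholder.
$rg       = 'rg-web-prod'
$location = 'westeurope'
$feRange  = '10.1.1.0/24'   # front-end subnet (web servers)
$beRange  = '10.1.2.0/24'   # back-end subnet (databases, application servers)

# Both subnets need the same tail rules. The built-in default rules allow any
# VM in the VNet (VirtualNetwork tag) to reach any other, so the explicit deny
# at priority 4000 is what actually segments the tiers; the platform's health
# probe source (AzureLoadBalancer tag) must be let through ahead of it.
function New-BaselineRules {
    @(
        New-AzNetworkSecurityRuleConfig -Name 'allow-azure-lb-probe' -Direction Inbound `
            -Priority 3900 -Access Allow -Protocol '*' -SourceAddressPrefix AzureLoadBalancer `
            -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*'
        New-AzNetworkSecurityRuleConfig -Name 'deny-all-inbound' -Direction Inbound `
            -Priority 4000 -Access Deny -Protocol '*' -SourceAddressPrefix '*' `
            -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*'
    )
}

# Front end: HTTPS from the Internet and nothing else. No RDP/SSH from the
# Internet; management traffic comes through a jump host inside the VNet.
$feRules = @(
    New-AzNetworkSecurityRuleConfig -Name 'allow-https-from-internet' -Direction Inbound `
        -Priority 100 -Access Allow -Protocol Tcp -SourceAddressPrefix Internet `
        -SourcePortRange '*' -DestinationAddressPrefix $feRange -DestinationPortRange 443
) + (New-BaselineRules)
$nsgFront = New-AzNetworkSecurityGroup -Name 'nsg-frontend' -ResourceGroupName $rg `
    -Location $location -SecurityRules $feRules

# Back end: SQL from the front-end subnet only. The subnet has no public IPs,
# and this NSG keeps other subnets in the VNet away from port 1433 as well.
$beRules = @(
    New-AzNetworkSecurityRuleConfig -Name 'allow-sql-from-frontend' -Direction Inbound `
        -Priority 100 -Access Allow -Protocol Tcp -SourceAddressPrefix $feRange `
        -SourcePortRange '*' -DestinationAddressPrefix $beRange -DestinationPortRange 1433
) + (New-BaselineRules)
$nsgBack = New-AzNetworkSecurityGroup -Name 'nsg-backend' -ResourceGroupName $rg `
    -Location $location -SecurityRules $beRules

# Subnets carry the NSGs; the VNet's space is carved from 10.0.0.0/8 (RFC 1918).
$subFront = New-AzVirtualNetworkSubnetConfig -Name 'snet-frontend' -AddressPrefix $feRange -NetworkSecurityGroup $nsgFront
$subBack  = New-AzVirtualNetworkSubnetConfig -Name 'snet-backend'  -AddressPrefix $beRange -NetworkSecurityGroup $nsgBack
New-AzVirtualNetwork -Name 'vnet-web' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.1.0.0/16' -Subnet $subFront, $subBack

# Once a VM exists in the back-end subnet, confirm what actually applies to it:
# Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'nic-db1' -ResourceGroupName $rg
```

Two caveats a reviewer should keep in mind: the rules above are inbound only, so back-end VMs can still open outbound connections to the Internet unless an outbound deny rule is added, and an NSG on the subnet does not replace one on a NIC if both are present; traffic must pass both.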
15. Azure virtual machines support:
• Windows Server:
• All currently supported versions (CSA required for older ones)
• All roles and features, except:
• DHCP, Direct Access, RMS, Windows DS
• iSNS, MPIO, NLB, PNRP, SNMP, Storage Manager for SANs, WINS,
Wireless LAN Service
• Linux:
• CentOS, CoreOS, Debian, Oracle Linux, Red Hat, SUSE,
openSUSE, and Ubuntu
• Windows Server software:
• FIM, MIM, SharePoint Server, SQL Server, System Center, and
more
16. • General purpose:
• Balanced CPU-to-memory ratio
• A0-A7, Av2, D, Dv2, Dv3, DS, DSv2, Dsv3 series
• Compute optimized:
• High CPU-to-memory ratio
• Fs and F series
• Memory optimized:
• High memory-to-CPU ratio
• D, Dv2, DS, DSv2, Ev3, Esv3, Ms, G, and GS series
• Storage optimized:
• High-performance disk I/O
• Ls series
• GPU:
• Graphic Processing Unit support
• NV and NC series
• High performance compute:
• Fastest CPUs and optional high-throughput RDMA
• H series and A8-A11
17. • Azure VMs in an availability set:
• Logical grouping of two or more Azure VMs
• Must be assigned during Azure VM deployment
• Up to 3 fault domains
• Up to 20 update domains
• 99.95% availability SLA
• Considerations:
• Add multiple virtual machines to the same availability set
• Place application tiers in separate availability sets
• Combine availability sets with load balancing
• Standalone VMs:
• 99.9% availability SLA if using Premium storage disks
18. • Web Apps:
• Near-instant deployment
• SSL and custom domain names available in some tiers
• WebJobs provide background processing that scales independently
• Can scale to larger machines without redeploying applications
19. • SQL-as-a-Service Offering:
• Fully managed
• Automatically replicated
• Compatible with existing TDS-capable software:
• Visual Studio
• SQL Server Management Studio
• Entity Framework
• Managed using existing tools, the CLI, PowerShell or
the Portal
• Performance measured in a predictable manner:
• Database Throughput Units (DTUs)
20. • Azure provides money-backed SLAs for IaaS services:
• Two instances or more in an Availability Set = 99.95%
• Single-instance VM using Premium Storage = 99.9%
• Decisions should be based on cost and availability requirements
21. • A single-instance VM qualifies for the 99.9% SLA only if it complies with:
• Premium Storage for all operating system disks and data disks
• A single-instance VM without Premium Storage receives no SLA
22. • Availability Sets provide assurance that a multi-instance deployment will be available 99.95% of the time
• Availability Sets cater for planned and unplanned maintenance using Update Domains and Fault Domains
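Slides 17 and 20 to 22 give the conditions for each SLA tier: two or more VMs in an availability set, or a standalone VM with Premium Storage on every disk, otherwise nothing. The following PowerShell is an added example, not part of the deck, that checks a resource group against exactly those conditions so that unprotected production VMs are visible. It assumes the Az PowerShell module; the function name `Get-VmSlaTier` and the resource group are placeholders, and the percentages are the deck's figures.

```powershell
# Added example, not part of the deck. Assumes the Az PowerShell module; the
# function name and resource group are placeholders. SLA figures are the deck's.
function Get-VmSlaTier {
    param([Parameter(Mandatory)][string]$ResourceGroupName)

    $vms = @(Get-AzVM -ResourceGroupName $ResourceGroupName)

    # The 99.95% figure needs two or more VMs in the same availability set, so
    # count members per set first. A lone VM in a set qualifies for nothing.
    $members = @{}
    foreach ($vm in $vms) {
        $setId = $vm.AvailabilitySetReference.Id
        if ($setId) { $members[$setId] = [int]$members[$setId] + 1 }
    }

    foreach ($vm in $vms) {
        $setId = $vm.AvailabilitySetReference.Id

        # The single-instance SLA requires Premium Storage on the OS disk and on
        # every data disk. Unmanaged disks expose no StorageAccountType here and
        # are treated as not qualifying rather than silently passing.
        $allPremium = $true
        foreach ($disk in @($vm.StorageProfile.OsDisk) + @($vm.StorageProfile.DataDisks)) {
            $type = $disk.ManagedDisk.StorageAccountType
            if (-not $type -or $type -notlike 'Premium_*') { $allPremium = $false }
        }

        $tier = if ($setId -and $members[$setId] -ge 2) { '99.95% (availability set)' }
                elseif (-not $setId -and $allPremium)  { '99.9% (single instance, Premium)' }
                else                                    { 'none' }

        [pscustomobject]@{
            Name            = $vm.Name
            AvailabilitySet = if ($setId) { ($setId -split '/')[-1] } else { '-' }
            AllPremiumDisks = $allPremium
            Sla             = $tier
        }
    }
}

# Anything reported as 'none' is a VM running with no availability guarantee.
Get-VmSlaTier -ResourceGroupName 'rg-web-prod' | Format-Table -AutoSize
```

The check is deliberately conservative: a VM is only credited with the availability-set SLA when the set has a second member, and any disk whose type cannot be read counts against the Premium condition.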
24. • Azure Load Balancer:
• Internal load balancer
• Internet-facing load balancer
• To configure:
• Assign a front-end IP
• Public for an Internet-facing load balancer
• Private for an internal load balancer
• Assign back-end address pool
• Create load-balancing rules
• Create inbound NAT rules (optional)
• Create health probes
• Other load-balancing services:
• Application Gateway (layer 7, HTTP/HTTPS)
• Traffic Manager (DNS-based, across regions)
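The configuration steps on the slide above, carried out in PowerShell as an added example that is not part of the deck. It assumes the Az PowerShell module, an existing resource group and a NIC named `nic-web1` already in a subnet; all names are placeholders. The probe is created before the load-balancing rule because the rule references it.

```powershell
# Added example, not part of the deck. Assumes the Az PowerShell module, an
# existing resource group and a NIC 'nic-web1'; all names are placeholders.
$rg       = 'rg-web-prod'
$location = 'westeurope'

# 1. Front-end IP: public, so this is an Internet-facing load balancer.
#    Standard SKU public IPs and load balancers are closed by default: nothing
#    reaches the back end until an NSG on the subnet or NIC allows it.
$pip = New-AzPublicIpAddress -Name 'pip-web-lb' -ResourceGroupName $rg -Location $location `
    -Sku Standard -AllocationMethod Static
$frontend = New-AzLoadBalancerFrontendIpConfig -Name 'fe-web' -PublicIpAddress $pip

# 2. Back-end address pool; NICs are attached to it after the LB exists.
$backend = New-AzLoadBalancerBackendAddressPoolConfig -Name 'be-web'

# 5. Health probe (needed by the rule in step 3). Probing an application path
#    rather than a bare TCP port takes a VM whose process is up but broken out
#    of rotation.
$probe = New-AzLoadBalancerProbeConfig -Name 'probe-https' -Protocol Https -Port 443 `
    -RequestPath '/healthz' -IntervalInSeconds 15 -ProbeCount 2

# 3. Load-balancing rule: 443 on the front end to 443 on the pool.
$rule = New-AzLoadBalancerRuleConfig -Name 'lb-https' -Protocol Tcp `
    -FrontendPort 443 -BackendPort 443 `
    -FrontendIpConfiguration $frontend -BackendAddressPool $backend -Probe $probe

# 4. Inbound NAT rule (optional): a per-VM management port. This publishes RDP
#    on the public IP; prefer a jump host, and at minimum restrict the source
#    addresses with an NSG rule on the subnet.
$nat1 = New-AzLoadBalancerInboundNatRuleConfig -Name 'nat-rdp-web1' -Protocol Tcp `
    -FrontendPort 50001 -BackendPort 3389 -FrontendIpConfiguration $frontend

$lb = New-AzLoadBalancer -Name 'lb-web' -ResourceGroupName $rg -Location $location -Sku Standard `
    -FrontendIpConfiguration $frontend -BackendAddressPool $backend `
    -Probe $probe -LoadBalancingRule $rule -InboundNatRule $nat1

# Put the first web NIC in the pool and behind its NAT rule.
$nic1 = Get-AzNetworkInterface -Name 'nic-web1' -ResourceGroupName $rg
$nic1.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($lb.BackendAddressPools[0])
$nic1.IpConfigurations[0].LoadBalancerInboundNatRules.Add($lb.InboundNatRules[0])
$nic1 | Set-AzNetworkInterface
```

For an internal load balancer the only change is step 1: replace the public IP with `New-AzLoadBalancerFrontendIpConfig -Name 'fe-int' -Subnet $subnet -PrivateIpAddress 10.1.2.10`, and leave out the NAT rule.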
25. • Azure Functions:
• Built on WebJobs technology
• Available in Consumption and App Service Plan billing modes
• Can be deployed as scripts or pre-compiled
• Managed and edited directly in the portal:
• Supports CI from GitHub or VSO if preferred
26. • Azure Functions features no-code triggers that
can invoke a function based on changes in the
following services:
• Azure:
• Storage Blobs
• Cosmos DB
• Storage Tables
• Mobile Apps
• Office 365 Files
• Third-Party:
• Twilio
• SendGrid
27. • Logic Apps, an automation workflow solution:
• No-code designer for rapid creation of integration solutions
• Pre-built templates to simplify getting started
• Out-of-box support for popular SaaS and on-premises
integrations
• BizTalk APIs available to advanced integration solutions
• JSON-based workflow definition:
• Can be deployed using ARM templates
33. DevOps cycle (diagram): Plan, Develop + Test, Release, Monitor + Learn, spanning Development and Production
37. Centrally manage users and access to Azure, O365, and hundreds of pre-integrated cloud applications
Build Azure AD into your web and mobile applications
Can extend on-premises directories to Azure AD through synchronization
(diagram: end users, on-premises Active Directory, Azure Active Directory, cloud apps)
38. Protect sensitive data and applications both on-premises and in the cloud with Multi-Factor Authentication
Can use Active Directory (on-premises) with Azure Active Directory (in cloud) to enable single sign-on, a single directory, and centralized identity management
Multi-Factor Authentication can be implemented with PhoneFactor (now Azure Multi-Factor Authentication) or with AD on-premises
(diagram: on-premises Active Directory, Microsoft Azure Active Directory)
40. Virtual Machines:
Data drives – full disk encryption through BitLocker
Boot drives – partner solutions
SQL Server – Transparent Data Encryption
Files & folders – EFS in Windows Server
Storage:
BitLocker encryption of drives for import/export of data
Server-side encryption of Blob Storage (Storage Service Encryption) using AES-256
Client-side encryption with .NET and Java library support
StorSimple with AES-256 encryption
Applications:
Client-side encryption through the .NET Crypto API
RMS SDK for file encryption by your applications
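The Storage section above lists server-side encryption of Blob Storage with AES-256. Encryption at rest says nothing about the path the data takes to get there, so the practitioner's check pairs the two. The following PowerShell is an added example, not part of the deck: it reports the encryption state of every storage account the session can see and enforces HTTPS-only access with a TLS 1.2 floor. It assumes the Az PowerShell module; the function name `Get-StorageEncryptionReport` is a placeholder.

```powershell
# Added example, not part of the deck. Assumes the Az PowerShell module and a
# signed-in session; the function name is a placeholder.
function Get-StorageEncryptionReport {
    foreach ($sa in Get-AzStorageAccount) {
        $enc = $sa.Encryption
        [pscustomobject]@{
            Name          = $sa.StorageAccountName
            ResourceGroup = $sa.ResourceGroupName
            # Server-side encryption per service (AES-256 at rest).
            BlobSse       = [bool]$enc.Services.Blob.Enabled
            FileSse       = [bool]$enc.Services.File.Enabled
            # 'Microsoft.Storage' = Microsoft-managed keys, 'Microsoft.Keyvault' = customer-managed keys in Key Vault.
            KeySource     = $enc.KeySource
            # Transport: encrypted at rest is of little use if clients can fetch it over plain HTTP.
            HttpsOnly     = [bool]$sa.EnableHttpsTrafficOnly
            MinTls        = $sa.MinimumTlsVersion
        }
    }
}

$report = Get-StorageEncryptionReport
$report | Format-Table -AutoSize

# Remediate the transport settings. Server-side encryption itself cannot be
# switched off on current accounts, but HTTPS-only and the TLS floor are
# account settings that can be (and on older accounts often are) left loose.
foreach ($row in $report | Where-Object { -not $_.HttpsOnly -or $_.MinTls -ne 'TLS1_2' }) {
    Set-AzStorageAccount -ResourceGroupName $row.ResourceGroup -Name $row.Name `
        -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2
}
```

Accounts reporting `Microsoft.Storage` as the key source are encrypted with keys Microsoft manages, which matches the slide; moving a key into Key Vault changes who controls the key, not the cipher.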
Editor's Notes
Brief Introduction with image
Use the following examples of Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) services, and ask the students to suggest others:
Microsoft Office 365. This service is a good example of a SaaS offering. It offers a complete software app that Microsoft delivers through the cloud.
Azure Web apps and Azure SQL Database. These services are good examples of PaaS services. They both offer a platform for building application solutions (a website and a relational database, respectively) but do not require any configuration and management at the underlying operating-system level.
Note: Sometimes SQL Database is described as a Database as a Service offering, which is a specific subset of PaaS for database management solutions.
Azure Virtual Machines. This service is a good example of an IaaS solution. It enables you to host servers in the cloud with full control over the operating system and virtual hardware.
Identify the continual evolution of various IT functions into packaged services, such as Identity as a Service (IDaaS) and Disaster Recovery as a Service (DRaaS).
Introduce the tools and their primary purposes.
Explain Azure Resource Manager and its primary components.
Explain resource groups, the function they provide within Azure Resource Manager, and the ways in which you can create and modify them.
Use this first topic as an introduction to the networking features in Azure.
Note: This topic has one additional slide.
Point out that Azure virtual networks can function as extensions of on-premises networks. Compare these two types of networks.
Slide script:
With Azure, you can literally create a virtual “datacenter” in the Cloud. You can do this by leveraging a feature called Virtual Network (VNET) which allows you to create a logically isolated section of Azure and treat it like your own network. You can customize the network configuration for a VNET - create subnets, assign private IP addresses and bring your own DNS server if you wish. Within a virtual network for example, you can create a public-facing subnet for your webservers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can enable VNETs to connect to other VNETS. And, you can securely connect your Azure Virtual Network to on-premises infrastructure (we’ll look at options for securely connecting next).
AZURE:
Provides logical isolation while enabling customer control via Virtual Networks
Does not expose VMs to inbound Internet traffic by default
Gives VMs private IP addresses isolated from other customers; access from the Internet and remote devices is enabled only through endpoints the customer configures
Azure networking provides the infrastructure necessary to securely connect VMs to one another and to connect on-premises data centers with Azure VMs. Azure blocks unauthorized traffic to and within Microsoft data centers using a variety of technologies such as firewalls, NATs, partitioned Local Area Networks and physical separation of back-end servers from public-facing interfaces.
Network isolation. Network isolation prevents unwanted tenant-to-tenant communications, and access controls block unauthorized users from the network. Virtual machines do not receive inbound traffic from the Internet unless customers configure them specifically to do so.
Virtual Networks. A customer can choose to assign multiple deployments within a subscription to a virtual network and allow those deployments to communicate with each other through private IP addresses. Each virtual network is isolated from other virtual networks.
Encrypting communications. Built-in cryptographic technology enables customers to encrypt communications within and between deployments, between Microsoft Azure regions, and from Microsoft Azure to on-premises data centers. Encryption can be configured to protect administrator access to virtual machines through remote desktop sessions and remote Windows PowerShell. Access to the Microsoft Azure Management Portal is encrypted by default using HTTPS. Customers can use an optional ExpressRoute private fiber link into Microsoft Azure data centers to keep their traffic off the Internet.
Firewalls:
Azure blocks unauthorized traffic to and within Microsoft datacenters, using a variety of technologies such as firewalls, partitioned local area networks (LANs), and the physical separation of back-end servers from public-facing interfaces.
Azure Virtual Networks use a combination of logical isolation, firewalls, access controls, authentication, and encryption to protect customer data in-transit.
The mechanisms for administrators to manage network security on their Azure private networks are in the Azure Cloud Access Layer, which is comparable to the edge of a corporate network that faces the Internet. The Cloud Access Layer includes a firewall, load-balancer, and network address translation (NAT) functionality managed by the customer administrator.
Restricts access from the Internet, permits traffic only to endpoints, and provides load balancing and NAT at the Cloud Access Layer
Isolates traffic and provides intrusion defense through a distributed firewall
CUSTOMER:
Creates Virtual Networks with Subnets and Private IP addresses. You retain control over the network topology and configuration, and manage it in the same way you would your on-premises infrastructure.
Enables communications between their Virtual Networks
Can bring their own DNS
Can domain-join their Virtual Machines
Virtual Network makes it easier to build cloud applications hosted in a hybrid environment, maintaining secure connections with on-premises infrastructure without writing custom code. For example, a web application hosted in Azure can securely access an on-premises SQL Server database server or authenticate users against an on-premises Active Directory service.
Security Groups
A Network Security Group consists of a set of access control rules that describe traffic filters.
Provides control over network traffic flowing in and out of customer services in Azure
Provides segmentation within a Virtual Network for multi-tier applications
Enables access control rule changes to be applied across Virtual Networks to thousands of machines in seconds
Identify workloads that are both suitable and unsuitable for Azure VMs. Review the Windows Server roles and features that have special considerations for Azure VMs.
Describe the categories of Azure VM sizes.
Explain how availability sets allow for greater availability of Azure VMs that use the same or similar configurations. Explain the concept of fault domains and update domains in the context of availability sets. Identify the considerations for configuring availability sets. Point out that there is a 99.9% availability Service Level Agreement (SLA) available for individual VMs if they use Premium storage.
Recap Web Apps positioning in Azure compared to VMs.
DTUs are used to describe the capacity for a specific tier and performance level. DTUs are designed to be relative so that you can directly compare the tiers and performance levels. For example, the Basic tier has a single performance level (B) that is rated at 5 DTU. The S2 performance level in the Standard tier is rated at 50 DTU. This means that you can expect ten times the power for a database at the S2 performance level than a database at the B performance level in the Basic tier.
Introduce availability.
Reflect on What an Azure region is.
Many datacenters, sometimes a fair distance apart.
Also discuss the reason for requirements to achieve the SLA.
Discuss what it is.
How it works for Azure fabric updates.
What about VM updates?
How faults are dealt with – look at maximum update and fault domains within regions – they differ.
Discuss multiple tier apps, including those with multiple services IaaS, PaaS etc.
Worth whiteboarding the architecture and implications of each approach.
Provide an overview of Azure load-balancing solutions.
Talk about how WebJobs evolved to Functions.
Position Functions against the closest competitor, AWS Lambda.
Logic apps are designed for code-free or code-minimal automation and integration scenarios.
They provide:
No code designer for rapid creation of integration solutions.
Dozens of pre-built templates to get started.
Out of box support for popular SaaS and on-premises apps.
Use with custom API apps of your own.
Biztalk APIs for expert integration scenarios.
You can think of Logic Apps as being like toy bricks for integration- you select your bricks and snap together an app.
For example, you could use the Twitter Connector to read tweets of interest and write them to SQL Database using the Microsoft SQL Connector.
Or, you could use the Azure Service Bus Connector to queue processing that you will run on HDInsight against some big data, and then send the result via an SMS message using the Twilio connector.
All of this is performed by configuring the connectors, declaratively instead of by writing code.
Slide script:
Azure Active Directory is a comprehensive identity and access management solution for the cloud that provides a robust set of capabilities to manage users and groups and help secure access to applications including Microsoft online services like Office 365 and a world of non-Microsoft SaaS applications. It combines core directory services, advanced identity governance and application access management. Azure Active Directory also offers a rich standards-based platform that enables developers to deliver access control to their applications, based on centralized policy and rules.
AZURE:
Uses Azure AD to govern access to the management portal with granular access controls for users and groups on subscription or resource groups
Provides enterprise cloud identity and access management
Enables single sign-on across cloud applications
Offers Multi-Factor Authentication for enhanced security
CUSTOMER:
Centrally manages users and access to Azure, O365, and hundreds of pre-integrated cloud applications
Builds Azure AD into their web and mobile applications
Can extend on-premises directories to Azure AD through synchronization
Slide script:
Azure Active Directory (Azure AD) provides an easy way for your business to manage identity and access, both in the cloud and on-premises. Your users can use one work or school account for single sign-on to any cloud and on-premises web application, using their favorite device, including iOS, Mac OS X, Android, and Windows devices. Your organization can protect sensitive data and applications both on-premises and in the cloud with integrated multi-factor authentication ensuring secure local and remote access. Or extend your on-premises directories so that information workers can use a single organizational account to securely and consistently access their corporate resources.
Two-factor authentication can be required for DevOps access to your production services; it can be implemented with PhoneFactor or with AD on-premises.
Slide script:
Customers are responsible for ensuring that data stored in Azure is encrypted in accordance with their standards. Azure offers a wide range of encryption capabilities up to AES-256, giving customers the flexibility to choose the solution that best meets their needs.
Virtual Machines:
Data drives – full disk encryption through BitLocker
Boot drives – partner solutions
SQL Server – Transparent Data Encryption
Files & folders – EFS in Windows Server
Storage:
Client Side encryption through .NET Crypto API
Bitlocker encryption of drives for import/export of data
Storage Service Encryption gives the option to encrypt blob storage with AES-256 using Microsoft-managed keys.
On the roadmap to encrypt other storage services such as Tables, files etc using MS Managed Keys (Chlorine timeframe)
On the roadmap to offer customer managed keys with key vault integration (mostly in Argon timeframe)
Storage client side .NET and Java library to encrypt data within client application before uploading to Azure Storage (more on Client side encryption)
StorSimple:
Encrypts data using AES-256
Applications:
RMS SDK for data encryption by your applications