ECS19 - Mustafa Toroman, Sasa Kranjac - SOUP TO NUTS: MICROSOFT AZURE POWERCLASS
•Download as PPTX, PDF•
0 likes•236 views
ECS19 - Mustafa Toroman, Sasa Kranjac - SOUP TO NUTS: MICROSOFT AZURE POWERCLASS
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to ECS19 - Mustafa Toroman, Sasa Kranjac - SOUP TO NUTS: MICROSOFT AZURE POWERCLASS
Similar to ECS19 - Mustafa Toroman, Sasa Kranjac - SOUP TO NUTS: MICROSOFT AZURE POWERCLASS (20)
More from European Collaboration Summit
More from European Collaboration Summit (20)
Recently uploaded
Recently uploaded (20)
ECS19 - Mustafa Toroman, Sasa Kranjac - SOUP TO NUTS: MICROSOFT AZURE POWERCLASS
- 3. ♡ ♡
- 4. • • • • •
- 5. • Sasha Kranjac • Azure and Security Expert @ Kranjac - IT Training & Consulting • @SasaKranjac • Microsoft Azure MVP • MCSE, MCP, MCSA, MCITP, Microsoft Certified Trainer (MCT), MCT Regional Lead, Certified Ethical Hacker (CEH), Certified EC-Council Instructor (CEI)
- 6. AM COFFEE LUNCH PM COFFEE 10:45 - 11:15 12:15 - 13:15 14:35 - 15:15
- 7. PaaS A platform of services for hosting a custom solution IaaS A way to run virtual servers in the cloud with full control SaaS A complete software solution
- 8. Who manages what? Infrastructure as a Service Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime ManagedbyMicrosoft Youscale,make resilient&manage Platform as a Service Scale,Resilienceand managementbyMicrosoft Youmanage Storage Servers Networking O/S Middleware Virtualization Applications Runtime Data On Premises Physical / Virtual Youscale,makeresilientandmanage Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime Software as a Service Storage Servers Networking O/S Middleware Virtualization Applications Runtime Data Scale,Resilienceand managementbyMicrosoft Windows Azure Virtual Machines Windows Azure Cloud Services
- 9. • Azure portal • PowerShell • Azure Automation • Azure CLI • Visual Studio
- 10. • Azure Resource Manager provides a method for grouping and managing Azure resources • The advantages include: • Manage resources as a group • Reuse solutions and consistently deploy resources • Quickly deploy and re-deploy large solutions • Define dependencies and resource deployment order • Use role-based access control for permissions • Logically organize resources by using tags
- 11. • Resource groups enable logical groupings of resources • Resources are assigned to a resource group when created • Some resources can be moved between resource groups
- 12. • Virtual networks and subnets • Network interfaces • IP addresses (private and public) • Virtual network-based DNS and Azure DNS • Azure Load Balancer • Application Gateway • Traffic Manager • Network security groups • User-defined routes • Forced tunneling • Virtual network connectivity • Virtual network gateways
- 13. • An IP address space with one or more subnets: • Private: • 10.x.x.x • 172.16.x.x – 172.31.x.x • 192.168.x.x • Public (supported, but rarely used) • IP addresses: • Private – allocated to VM NICs or internal load balancers • Public – assigned to VM NICs or load balancers • DNS name resolution: • Default – Internet names and names within the virtual network • Custom – cross-premises, cross-virtual networks, custom domains
- 14. Customer 2 Isolated Virtual Networks Customer 1 Subnet 1 Deployment X Deployment Y VLAN-to-VLAN Subnet 2 Subnet 3 DNS Server Microsoft Azure
- 15. Azure virtual machines support: • Windows Server: • All currently supported versions (CSA required for older ones) • All roles and features, except: • DHCP, Direct Access, RMS, Windows DS • iSNS, MPIO, NLB, PNRP, SNMP, Storage Manager for SANs, WINS, Wireless LAN Service • Linux: • CentOS, CoreOS, Debian, Oracle Linux, Red Hat, SUSE, openSUSE, and Ubuntu • Windows Server software: • FIM, MIM, SharePoint Server, SQL Server, System Center, and more
- 16. • General purpose: • Balanced CPU-to-memory ratio • A0-A7, Av2, D, Dv2, Dv3, DS, DSv2, Dsv3 series • Compute optimized: • High CPU-to-memory ratio • Fs and F series • Memory optimized: • High memory-to-CPU ratio • D, Dv2, DS, DSv2, Ev3, Esv3, Ms, G, and GS series • Storage optimized: • High-performance disk I/O • Ls series • GPU: • Graphic Processing Unit support • NV and NC series • High performance compute: • Fastest CPUs and optional high-throughput RDMA • H series and A8-A11
- 17. • Azure VMs in an availability set: • Logical grouping of two or more Azure VMs • Must be assigned during Azure VM deployment • Up to 3 fault domains • Up to 20 update domains • 99.95% availability SLA • Considerations: • Add multiple virtual machines to the same availability set • Place application tiers in separate availability sets • Combine availability sets with load balancing • Standalone VMs: • 99.9% availability SLA if using Premium storage disks
- 18. • Web Apps: • Near instant deployment • SSL and Custom Domain Names available in some tiers • WebJobs provide background processing for independent scaling • Can Scale to larger machines without redeploying applications
- 19. • SQL-as-a-Service Offering: • Fully managed • Automatically replicated • Compatible with existing TDS-capable software: • Visual Studio • SQL Server Management Studio • Entity Framework • Managed using existing tools, the CLI, PowerShell or the Portal • Performance measured in a predictable manner: • Database Throughput Units (DTUs)
- 20. • Azure provides money-backed SLAs for IaaS services: • Two Instances or more in an Availability Set = 99.95% • Single Instance VM using Premium Storage = 99.9% • Decisions should based on cost and availability requirements
- 21. • Single instance VM would gain 99.9% SLA if it complies with: • Premium Storage for all Operating System Disks and Data Disks • Any single instance VM without Premium storage receives no SLA
- 22. • Availability Sets provide assurance that any multiple instance VM will be available 99.95% of the time Availability Sets cater for planned and unplanned maintenance using Update Domains and Fault Domains
- 23. When planning multiple tier applications use multiple Availability sets, one per tier
- 24. • Azure Load Balancer: • Internal load balancer • Internet-facing load balancer • To configure: • Assign a front-end IP • Public for an Internet-facing load balancer • Private for an internal load balancer • Assign back-end address pool • Create load-balancing rules • Create inbound NAT rules (optional) • Create health probes • Application Gateway • Traffic Manager
- 25. • Azure Functions: • Build on WebJobs Technology • Available in Consumption and App Service Plan billing modes • Can be deployed using Scripts or Pre-Compiled • Managed and Edited directly in the portal: • Supports CI from GitHub or VSO if preferred
- 26. • Azure Functions features no-code triggers that can invoke a function based on changes in the following services: • Azure: • Storage Blobs • Cosmos DB • Storage Tables • Mobile Apps • Office 365 Files • Third-Party: • Twilio • SendGrid
- 27. • Automation workflow solution: • No-code designer for rapid creation of integration solutions • Pre-built templates to simplify getting started • Out-of-box support for popular SaaS and on-premises integrations • BizTalk APIs available to advanced integration solutions • JSON-based workflow definition: • Can be deployed using ARM templates
- 33. Plan 1 Monitor + Learn ReleaseDevelop + Test 2 Development Production 4 3 DevOps
- 37. Centrally manage users and access to Azure, O365, and hundreds of pre- integrated cloud applications Build Azure AD into your web and mobile applications Can extend on-premises directories to Azure AD through synchronization End Users Active Directory Azure Active Directory Cloud Apps
- 38. Protect sensitive data and applications both on-premises and in the cloud with Multi Factor Authentication Can use Active Directory (on-premises) with Azure Active Directory (in cloud) to enable single sign-on, a single directory, and centralized identity management Multi Factor Authentication can be implemented with Phone Factor or with AD on-premises Active Directory Microsoft Azure Active Directory
- 40. Virtual Machines: Data drives – full disk encryption through BitLocker Boot drives – partner solutions SQL Server – Transparent Data Encryption Files & folders - EFS in Windows Server Storage: Bitlocker encryption of drives for import/export of data Server-side encryption of Blob Storage using AES-256 Client-side encryption w/.NET and Java support StorSimple with AES-256 encryption Applications: Client Side encryption through .NET Crypto API RMS SDK for file encryption by your applications
Editor's Notes
- Brief Introduction with image
- Brief Introduction with image
- Use the following examples of Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) services, and ask the students to suggest others: Microsoft Office 365. This service is a good example of a SaaS offering. It offers a complete software app that Microsoft delivers through the cloud. Azure Web apps and Azure SQL Database. These services are good examples of PaaS services. They both offer a platform for building application solutions (a website and a relational database, respectively) but do not require any configuration and management at the underlying operating-system level. Note: Sometimes SQL Database is described as a Database as a Service offering, which is a specific subset of PaaS for database management solutions. Azure Virtual Machines. This service is a good example of an IaaS solution. It enables you to host servers in the cloud with full control over the operating system and virtual hardware. Identify the continual evolution of various IT functions into packaged services, such as Identity as a Service (IDaaS) and Disaster Recovery as a Service (DRaaS).
- Introduce the tools and their primary purposes.
- Explain Azure Resource Manager and its primary components.
- Explain resource groups, the function they provide within Azure Resource Manager, and the ways in which you can create and modify them.
- Use this first topic as an introduction to the networking features in Azure.
- Note: This topic has one additional slide. Point out that Azure virtual networks can function as extensions of on-premises networks. Compare these two types of networks.
- Slide script: With Azure, you can literally create a virtual “datacenter” in the Cloud. You can do this by leveraging a feature called Virtual Network (VNET) which allows you to create a logically isolated section of Azure and treat it like your own network. You can customize the network configuration for a VNET - create subnets, assign private IP addresses and bring your own DNS server if you wish. Within a virtual network for example, you can create a public-facing subnet for your webservers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can enable VNETs to connect to other VNETS. And, you can securely connect your Azure Virtual Network to on-premises infrastructure (we’ll look at options for securely connecting next). AZURE: Provides logical isolation while enabling customer control via Virtual Networks Azure does not enable internet access by default Azure enables access from the internet and remote devices through Private IP addresses isolated from other customers Azure networking provides the infrastructure necessary to securely connect VMs to one another and to connect on-premises data centers with Azure VMs. Azure blocks unauthorized traffic to and within Microsoft data centers using a variety of technologies such as firewalls, NATs, partitioned Local Area Networks and physical separation of back-end servers from public-facing interfaces. Network isolation. Network isolation prevents unwanted tenant-to-tenant communications, and access controls block unauthorized users from the network. Virtual machines do not receive inbound traffic from the Internet unless customers configure them specifically to do so. Virtual Networks. A customer can choose to assign multiple deployments within a subscription to a virtual network and allow those deployments to communicate with each other through private IP addresses. Each virtual network is isolated from other virtual networks. Encrypting communications. Built-in cryptographic technology enables customers to encrypt communications within and between deployments, between Microsoft Azure regions, and from Microsoft Azure to on-premises data centers. Encryption can be configured to protect administrator access to virtual machines through remote desktop sessions and remote Windows PowerShell. Access to the Microsoft Azure Management Portal is encrypted by default using HTTPS. Customers can use an optional Express Route private fiber link into Microsoft Azure data centers to keep their traffic off the Internet. Firewalls: Azure blocks unauthorized traffic to and within Microsoft datacenters, using a variety of technologies such as firewalls, partitioned local area networks (LANs), and the physical separation of back-end servers from public-facing interfaces. Azure Virtual Networks use a combination of logical isolation, firewalls, access controls, authentication, and encryption to protect customer data in-transit. The mechanisms for administrators to manage network security on their Azure private networks are in the Azure Cloud Access Layer, which is comparable to the edge of a corporate network that faces the Internet. The Cloud Access Layer includes a firewall, load-balancer, and network address translation (NAT) functionality managed by the customer administrator. Restricts access from the Internet, permits traffic only to endpoints, and provides load balancing and NAT at the Cloud Access Layer Isolates traffic and provides intrusion defense through a distributed firewall CUSTOMER: Creates Virtual Networks with Subnets and Private IP addresses. You retain control over the network topology and configuration, and manage it in the same way you would your on-premises infrastructure. Enables communications between their Virtual Networks Can brings their own DNS Can domain join their Virtual Machines Virtual Network makes it easier to build cloud applications hosted in a hybrid environment, maintaining secure connections with on-premises infrastructure without the creation of custom codes. For example, a web application hosted in Azure can securely access an on-premise SQL Server database server or authenticate users against an on-premise Active Directory service. Security Groups A Network Security Group consists of a set of access control rules that describe traffic filters. Provides control over network traffic flowing in and out of customer services in Azure Provides segmentation within a Virtual Network for multi-tier applications Enables access control rule changes to be applied across Virtual Networks to thousands of machines in seconds
- Identify workloads that are both suitable and unsuitable for Azure VMs. Review the Windows Server roles and features that have special considerations for Azure VMs.
- Describe the categories of Azure VM sizes.
- Explain how availability sets allow for greater availability of Azure VMs that use the same or similar configurations. Explain the concept of fault domains and update domains in the context of availability sets. Identify the considerations for configuring availability sets. Point out that there is a 99.9% availability Service Level Agreement (SLA) available for individual VMs if they use Premium storage.
- Recap Web Apps positioning in Azure compared to VMs.
- DTUs are used to describe the capacity for a specific tier and performance level. DTUs are designed to be relative so that you can directly compare the tiers and performance levels. For example, the Basic tier has a single performance level (B) that is rated at 5 DTU. The S2 performance level in the Standard tier is rated at 50 DTU. This means that you can expect ten times the power for a database at the S2 performance level than a database at the B performance level in the Basic tier.
- Introduce availability. Reflect on What an Azure region is. Many datacenters sometimes a fair distance apart. Also discuss the reason for requirements to achieve the SLA.
- Discuss what it is. How it works for azure fabric updates. What about VM updates? How faults are dealt with – look at maximum update and fault domains within regions – they differ.
- Discuss multiple tier apps, including those with multiple services IaaS, PaaS etc. Worth whiteboarding the architecture and implications of each approach.
- Provide an overview of Azure load-balancing solutions.
- Talk about how WebJobs evolved to Functions. Position Functions against the closest competitor, AWS Lambda.
- Logic apps are designed for code-free or code-minimal automation and integration scenarios. They provide: No code designer for rapid creation of integration solutions. Dozens of pre-built templates to get started. Out of box support for popular SaaS and on-premises apps. Use with custom API apps of your own. Biztalk APIs for expert integration scenarios.
- You can think of Logic Apps as being like toy bricks for integration- you select your bricks and snap together an app. For example, you could use the Twitter Connector to read tweets of interest and write them to SQL Database using the Microsoft SQL Connector. Or, you could use the Azure Service Bus Connector to queue processing that you will run on HDInsight against some big data, and then send the result via an SMS message using the Twilio connector. All of this is performed by configuring the connectors, declaratively instead of by writing code.
- Slide script: Azure Active Directory is a comprehensive identity and access management solution for the cloud that provides a robust set of capabilities to manage users and groups and help secure access to applications including Microsoft online services like Office 365 and a world of non-Microsoft SaaS applications. It combines core directory services, advanced identity governance and application access management. Azure Active Directory also offers a rich standards-based platform that enables developers to deliver access control to their applications, based on centralized policy and rules. AZURE: Uses Azure AD to govern access to the management portal with granular access controls for users and groups on subscription or resource groups Provides enterprise cloud identity and access management Enables single sign-on across cloud applications Offers Multi-Factor Authentication for enhanced security CUSTOMER: Centrally manages users and access to Azure, O365, and hundreds of pre-integrated cloud applications Builds Azure AD into their web and mobile applications Can extend on-premises directories to Azure AD through synchronization
- Slide script: Azure Active Directory (Azure AD) provides an easy way for your business to manage identity and access, both in the cloud and on-premises. Your users can use one work or school account for single sign-on to any cloud and on-premises web application, using their favorite device, including iOS, Mac OS X, Android, and Windows devices. Your organization can protect sensitive data and applications both on-premises and in the cloud with integrated multi-factor authentication ensuring secure local and remote access. Or extend your on-premises directories so that information workers can use a single organizational account to securely and consistently access their corporate resources. You can use Two Factor Authentication or DevOPs access to your production services. For Two Factor Authentication, you can implement it with Phone Factor or with AD on-premises.
- Slide script: Customers are responsible for ensuring that data stored in Azure is encrypted in accordance with their standards. Azure offers a wide range of encryption capabilities up to AES-256, giving customers the flexibility to choose the solution that best meets their needs. Virtual Machines: Data drives – full disk encryption through BitLocker Boot drives – partner solutions SQL Server – Transparent Data Encryption EFS in Windows Server (?) Storage: Client Side encryption through .NET Crypto API Bitlocker encryption of drives for import/export of data Storage Service Encryption gives option to encryption blob storage with AES-256 using MS managed keys. On the roadmap to encrypt other storage services such as Tables, files etc using MS Managed Keys (Chlorine timeframe) On the roadmap to offer customer managed keys with key vault integration (mostly in Argon timeframe) Storage client side .NET and Java library to encrypt data within client application before uploading to Azure Storage (more on Client side encryption) StorSimple: Encrypts data using AES-256 Applications: RMS SDK for data encryption by your applications