Azure Network Topology Document Extracts and Notes

Azure Network Topology

  • Two core approaches: traditional and Azure Virtual WAN
  • The above document has a topology diagram for each model.
Feature | Traditional Azure Network Topology | Azure Virtual WAN Network Topology
Highlights | Customer-managed routing and security. An Azure subscription can create up to 50 vnets across all regions (the figure quoted in the source; the virtual-network quota is a per-subscription limit that has been raised since, so check the current Azure subscription and service limits before planning around it). Vnet peering links two vnets in the same region or in different regions and routes traffic between them over private IP addresses; peering carries a nominal per-GB charge, and inbound and outbound traffic is charged at both ends of the peered networks. Network appliances such as VPN Gateway and Application Gateway that run inside a virtual network are also charged. Reference: Azure Virtual Network Pricing. | A Microsoft-managed networking service providing optimized and automated branch-to-branch connectivity through Azure. Virtual WAN lets customers connect branches to each other and to Azure, centralizing their network and security needs with virtual appliances such as firewalls and Azure network and security services. Reference: Azure Virtual WAN Pricing.
Deployment | Customized deployment with routing and security managed by the customer. References: Virtual Network documentation; Plan virtual networks; Tutorial: Filter network traffic with a network security group using the Azure portal. | Microsoft-managed service. References: Virtual WAN documentation; Tutorial: Create an ExpressRoute association to Virtual WAN – Azure portal; other tutorials cover site-to-site and point-to-site connections.
Interconnectivity | Traffic between two virtual networks across two different Azure regions is expected. A full mesh network across all Azure regions is not required. | Global connectivity between vnets in these Azure regions and multiple on-premises locations.
IPsec Tunnels | Fewer than 30 IPsec site-to-site tunnels are needed. | More than 30 branch sites for native IPsec termination.
Routing Policy | Full control and granularity for manually configuring your Azure network routing policy. | Not applicable.
Data Collection | Collects data from servers and Kubernetes clusters. | Collects data from servers and Kubernetes clusters.
Data Storage | Stores data in a Log Analytics workspace or the customer's own storage account. | Stores data in a Log Analytics workspace or the customer's own storage account.
Data Analysis and Visualization | Uses Log Analytics for analysis and visualization of collected data. | Uses Azure Monitor for analysis and visualization of collected data.

Additional Information

WHERE TO START AZURE

If you have a basic understanding of cloud computing but are new to Azure, I recommend starting with the following:

I believe less is more. The above should be sufficient to get you situated.

Azure Landing Zone Document Extracts and Notes

What is an Azure landing zone? – Cloud Adoption Framework

Landing zone implementation options – Cloud Adoption Framework

“A migration landing zone is an environment that’s been provisioned and prepared to host certain workloads. These workloads are being migrated from an on-premises environment into Azure.”

Deploy a CAF Foundation blueprint in Azure

“The CAF Foundation blueprint does not deploy a landing zone. Instead, it deploys the tools required to establish a governance MVP (minimum viable product) to begin developing your governance disciplines. This blueprint is designed to be additive to an existing landing zone and can be applied to the CAF Migration landing zone blueprint with a single action.”

Get help building a landing zone – Cloud Adoption Framework

“Getting your Azure landing zone (ALZ) done right and on time is important. Working with a certified Azure partner is a great way to get the support you need to build your ALZ.”

  • Option 1 – use Azure Migrate and Modernize.
  • Option 2 – find a partner offer for a landing zone in our marketplace.

Azure landing zone FAQ

Azure Storage/Files/File Sync/Defenses for Ransomware Attack Document Extracts and Notes

Service Description Documentation/Note
Azure Storage Account
  • An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, and tables.
  • The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS.
Azure Storage Types
  • Azure Blobs: A massively scalable object store for text and binary data. Also includes support for big data analytics through Data Lake Storage Gen2.
  • Azure Files: Managed file shares for cloud or on-premises deployments.
  • Azure Elastic SAN (preview): A fully integrated solution that simplifies deploying, scaling, managing, and configuring a SAN in Azure.
  • Azure Queues: A messaging store for reliable messaging between application components.
  • Azure Tables: A NoSQL store for schemaless storage of structured data.
  • Azure managed Disks: Block-level storage volumes for Azure VMs.
Access to Azure Storage
Microsoft Defender for Cloud

Microsoft Defender for Storage

  • Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) with a set of security measures and practices designed to protect cloud-based applications from various cyber threats and vulnerabilities.
  • Defender for Cloud combines the capabilities of
    • Cloud security operations (DevSecOps),
    • Cloud security posture management (CSPM), and
    • Cloud workload protection platform (CWPP) with specific protections for servers, containers, storage, databases, and other workloads.
  • Microsoft Defender for Storage is a cloud-native security solution that provides activity-based threat detection and security alerts for data stored in Azure Blob Storage and Azure Files, plus malware scanning of uploaded blobs (Blob Storage only).
Azure Defenses for Ransomware Attack
Azure Storage Access Tiers

Hot tier

  • An online tier optimized for storing data that is accessed or modified frequently. The hot tier has the highest storage costs but the lowest access costs.

Cool tier

  • An online tier optimized for storing data that is infrequently accessed or modified. Data in the cool tier should be stored for a minimum of 30 days. The cool tier has lower storage costs and higher access costs compared to the hot tier.

Cold tier

  • An online tier optimized for storing data that is infrequently accessed or modified. Data in the cold tier should be stored for a minimum of 90 days. The cold tier has lower storage costs and higher access costs compared to the cool tier.

Archive tier

  • An offline tier optimized for storing data that is rarely accessed and that has flexible latency requirements, on the order of hours. Data in the archive tier should be stored for a minimum of 180 days; a blob must be rehydrated to an online tier before it can be read.
  • Azure Blob Storage documentation
  • Setting the access tier is only allowed on block blobs; append and page blobs do not support tiering.
  • When your data is stored in an online access tier (hot, cool or cold), users can access it immediately.
  • The hot, cool, and cold tiers support all redundancy configurations; the archive tier supports only LRS, GRS and RA-GRS.

Azure Files
Azure File Sync
  • Most frequently accessed files are cached on your local server and your least frequently accessed files are tiered to the cloud.
  • With cloud tiering enabled, this feature stores only frequently accessed (hot) files on your local server. Infrequently accessed (cool) files are split into namespace (file and folder structure) and file content. The namespace is stored locally and the file content stored in an Azure file share in the cloud.
  • Azure File Sync is ideal for distributed access scenarios. For each of your offices, you can provision a local Windows Server as part of your Azure File Sync deployment. Changes made to a server in one office automatically sync to the servers in all other offices.
  • Azure File Sync is backed by Azure Files, which offers several redundancy options for highly available storage. Because Azure contains resilient copies of your data, your local server becomes a disposable caching device, and recovering from a failed server can be done by adding a new server to your Azure File Sync deployment.

Azure NetApp Files
  • It is an Azure native, first-party, enterprise-class, high-performance file storage service.
  • It provides NAS volumes as a service for which you can create NetApp accounts, capacity pools, select service and performance levels, create volumes, and manage data protection.
Azure Backup Policy
Azure File Alert Settings
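The Azure Defenses for Ransomware Attack row above points at the account settings that decide whether an encryption or mass-deletion run is recoverable: no anonymous blob access, TLS 1.2 only, soft delete for blobs and for containers, and blob versioning. The following is an added example (mine, not Microsoft's code) that reads the JSON produced by `az storage account show` and `az storage account blob-service-properties show`, reports which of those controls are missing or too short, and builds the `az` commands that would fix them. The two sample documents are constructed; the account name `dastorage01`, the resource group `da0930` and the 14-day retention floor are assumptions.

```python
"""Audit a storage account's ransomware-relevant settings from az CLI JSON output.

Added example for these notes, not Microsoft code. Property names follow the
output of:
  az storage account show -n ACCOUNT -g RG -o json
  az storage account blob-service-properties show --account-name ACCOUNT -g RG -o json
"""
import json

MIN_RETENTION_DAYS = 14  # assumption: time to notice an encryption/deletion run and roll back

# Constructed sample: a new account left at defaults (account and group names are assumptions).
ACCOUNT_JSON = json.dumps({
    "name": "dastorage01",
    "resourceGroup": "da0930",
    "allowBlobPublicAccess": True,
    "minimumTlsVersion": "TLS1_0",
    "supportsHttpsTrafficOnly": True,
})
BLOB_PROPS_JSON = json.dumps({
    "deleteRetentionPolicy": {"enabled": False, "days": None},
    "containerDeleteRetentionPolicy": {"enabled": False, "days": None},
    "isVersioningEnabled": False,
})


def _retention_ok(policy: dict, min_days: int) -> bool:
    return bool(policy.get("enabled")) and (policy.get("days") or 0) >= min_days


def find_gaps(account: dict, blob_props: dict, min_days: int = MIN_RETENTION_DAYS) -> list:
    """Return (setting, observed, expected) for each weak or missing control."""
    gaps = []
    if account.get("allowBlobPublicAccess", True):
        gaps.append(("allowBlobPublicAccess", True, False))
    if account.get("minimumTlsVersion") not in ("TLS1_2", "TLS1_3"):
        gaps.append(("minimumTlsVersion", account.get("minimumTlsVersion"), "TLS1_2"))
    if not account.get("supportsHttpsTrafficOnly", False):
        gaps.append(("supportsHttpsTrafficOnly", False, True))
    for key in ("deleteRetentionPolicy", "containerDeleteRetentionPolicy"):
        policy = blob_props.get(key) or {}
        if not _retention_ok(policy, min_days):
            gaps.append((key, policy, f"enabled, >= {min_days} days"))
    if not blob_props.get("isVersioningEnabled", False):
        gaps.append(("isVersioningEnabled", False, True))
    return gaps


def remediation_commands(account: dict, gaps: list, min_days: int = MIN_RETENTION_DAYS) -> list:
    """az CLI commands that close the reported gaps (built here, not executed)."""
    name, rg = account["name"], account["resourceGroup"]
    weak = {g[0] for g in gaps}
    cmds = []
    acct = []
    if "allowBlobPublicAccess" in weak:
        acct.append("--allow-blob-public-access false")
    if "minimumTlsVersion" in weak:
        acct.append("--min-tls-version TLS1_2")
    if "supportsHttpsTrafficOnly" in weak:
        acct.append("--https-only true")
    if acct:
        cmds.append(f"az storage account update -n {name} -g {rg} " + " ".join(acct))
    blob = []
    if "deleteRetentionPolicy" in weak:
        blob.append(f"--enable-delete-retention true --delete-retention-days {min_days}")
    if "containerDeleteRetentionPolicy" in weak:
        blob.append(f"--enable-container-delete-retention true "
                    f"--container-delete-retention-days {min_days}")
    if "isVersioningEnabled" in weak:
        blob.append("--enable-versioning true")
    if blob:
        cmds.append(f"az storage account blob-service-properties update "
                    f"--account-name {name} -g {rg} " + " ".join(blob))
    return cmds


def audit(account_json: str, blob_props_json: str) -> tuple:
    """Parse the two CLI documents and return (gaps, remediation commands)."""
    account, props = json.loads(account_json), json.loads(blob_props_json)
    gaps = find_gaps(account, props)
    return gaps, remediation_commands(account, gaps)


if __name__ == "__main__":
    gaps, cmds = audit(ACCOUNT_JSON, BLOB_PROPS_JSON)
    for setting, observed, expected in gaps:
        print(f"{setting}: observed {observed!r}, expected {expected}")
    print("\n".join(cmds))
```

Soft delete and versioning let you roll back overwritten or deleted blobs, but a principal with write access to the account can switch them off first; pair them with a resource lock or an Azure Policy assignment, and for backup containers use a time-based immutability policy (`az storage container immutability-policy create`) so that data cannot be deleted or overwritten at all during the retention period.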

Why Azure Arc

For IT decision makers, here’s why it’s pertinent to consider Azure Arc:

  • An integrated management and governance solution that is centralized and unified, providing streamlined control and oversight.
  • Securely extending your on-prem and non-Azure resources into Azure Resource Manager (ARM), empowering you to:
    • Define, deploy, and manage resources declaratively using JSON (ARM) templates for dependencies, configuration settings, policies, etc.
    • Manage Azure Arc-enabled servers, Kubernetes clusters, and databases as if they were running in Azure with consistent user experience.
    • Harness your existing Windows and Azure sysadmin skills honed from on-premises deployment.
  • When connecting to Azure Arc-enabled servers, you may perform many operational functions, just as you would with native Azure VMs including these key supported actions:
    • Govern
    • Protect
      • Secure non-Azure servers with Microsoft Defender for Endpoint, included through Microsoft Defender for Cloud, for threat detection, vulnerability management, and proactive monitoring for potential security threats. Microsoft Defender for Cloud presents the alerts and remediation suggestions from the threats detected.
    • Configure
    • Monitor
      • Monitor the OS, processes, and dependencies along with other resources using VM insights. Additionally, collect, store, and analyze OS and workload logs, performance data, and events; these can be ingested into Microsoft Sentinel for real-time analysis, threat detection, and proactive security measures across the entire IT environment.
October 10, 2023 is the date extended support for Windows Server 2012 and 2012 R2 ended; from then on, security updates for those versions require Extended Security Updates (ESUs).

Extended Security Updates (ESUs) enabled by Azure Arc: IT can deploy ESUs through Azure Arc to on-premises or multi-cloud machines directly from the Azure portal. In addition to centralized management of security patching, ESUs enabled by Azure Arc use a flexible pay-as-you-go subscription model, compared to the classic ESU offered through the Volume Licensing Service Center, which is purchased in yearly increments.

To test it out, follow Quickstart – Connect hybrid machine with Azure Arc-enabled servers.

Azure OpenAI Document Extracts and Notes

Featured

OVERVIEW

  • Azure OpenAI is a service provided by Microsoft Azure that allows users to access OpenAI’s powerful language models, including the GPT-3, Codex, and Embeddings model series. Users can access the service through REST APIs, Python SDK, or a web-based interface in the Azure OpenAI Studio.
  • Azure OpenAI Service gives customers advanced language AI with OpenAI
    • GPT-4, GPT-3, Codex, and DALL-E
    • Models with the enterprise security and privacy of Azure.
  • Azure OpenAI co-develops the APIs with OpenAI, ensuring compatibility and a smooth transition from one to the other
  • Azure OpenAI Infographic

Comparing Azure OpenAI and OpenAI

  • Enterprise-grade security with role-based access control (RBAC) and private networks
  • Essentially Security, Privacy, and Trust
  • Prompts and completions sent to Azure OpenAI are not used to train, retrain, or improve Microsoft's or OpenAI's models, and are not available to OpenAI. They may be retained for up to 30 days for abuse monitoring, with an exemption process for approved customers.
  • Training data a customer uploads for fine-tuning is used only to build that customer's fine-tuned model; Microsoft does not use it to customize models for other users.
  • Microsoft Responsible AI Standard (PDF Download)

Responsible AI

  • For building AI systems according to six principles:
    • Fairness and Inclusiveness
      • Make the same recommendations to everyone who has similar symptoms, financial circumstances, or professional qualifications.
    • Reliability and Safety
      • Operate as originally designed, respond safely to unanticipated conditions, and resist harmful manipulation.
    • Privacy and Security
      • Restrict access to resources and operations by user account or group.
      • Restrict incoming and outgoing network communications.
      • Encrypt data in transit and at rest.
      • Scan for vulnerabilities.
      • Apply and audit configuration policies.
      • Microsoft has also created two open-source packages that can enable further implementation of privacy and security principles: SmartNoise and Counterfit
    • Transparency and Accountability
      • The model interpretability component provides global, local, and model-level explanations of a model's behavior.
      • The people who design and deploy AI systems must be accountable for how their systems operate.

SECURITY AND PRIVACY

  • Azure OpenAI Service automatically encrypts your data when it’s persisted to the cloud, using FIPS 140-2 compliant 256-bit AES encryption.
  • By default, Microsoft-managed encryption keys are used, but you also have the option to use customer-managed keys (CMK) for greater control over encryption key management.
  • The Files API allows customers to upload their training data stored in Azure Storage, within the same region as the resource and logically isolated with their Azure subscription and API Credentials. Uploaded files can be deleted by the user via the DELETE API operation.
  • With Azure OpenAI, customers get the security capabilities of Microsoft Azure while running the same models as OpenAI. Azure OpenAI offers private networking, regional availability, and responsible AI content filtering.
    • Azure OpenAI Service contains neural multi-class classification models aimed at detecting and filtering harmful content; the models cover
      • four categories: hate, sexual, violence, and self-harm across
      • four severity levels: safe, low, medium, and high.
    • By default the content filter applies the medium severity threshold to all four harm categories, for both prompts and completions: content detected at severity medium or high is filtered, while content detected at severity low is not. The configurability feature, in preview, lets customers adjust the threshold per category, separately for prompts and completions.

AZURE OPENAI MODELS

Azure OpenAI provides access to models with various capabilities. The following is a list of the models and their descriptions:

  • GPT-4 (8k/32k): A set of models that improve on GPT-3.5 and can understand as well as generate natural language and code.
  • GPT-3.5 (4k/16k): A series of models that can understand and generate natural language, including GPT-35-Turbo, the model behind ChatGPT.
  • DALL-E: A series of models that can generate original images from natural language.
  • Codex: A series of models that can understand and generate code, including translating natural language to code.
  • Embeddings: A set of models that can understand and use embeddings. An embedding is a special format of data representation that can be easily utilized by machine learning models and algorithms. The embedding is an information dense representation of the semantic meaning of a piece of text. Currently, we offer three families of Embeddings models for different functionalities: similarity, text search, and code search.

AZURE OPENAI ON YOUR DATA

Azure OpenAI on your data lets the GPT-35-Turbo and GPT-4 models answer from your own data. You can use it through a REST API or the web-based interface in Azure OpenAI Studio to build a solution that connects to your data for an enhanced chat experience.

Per the document, Azure OpenAI on your data, Azure OpenAI Service supports the following file types:

File type | Extension
Text | .txt
Markdown | .md
HTML | .html
Word | .docx
PowerPoint | .pptx
PDF | .pdf
CSV | .csv
TSV | .tsv
Excel | .xlsx
JSON | .json
JSONL | .jsonl

QUICKSTART

Previous models were text-in and text-out, meaning they accepted a prompt string and returned a completion to append to the prompt. However, the GPT-35-Turbo and GPT-4 models are conversation-in and message-out.

TRAIN MODEL

TOKEN

  • Azure OpenAI processes text by breaking it down into tokens. Tokens can be words or just chunks of characters. For example, the word “hamburger” gets broken up into the tokens “ham”, “bur” and “ger”, while a short and common word like “pear” is a single token. Many tokens start with a whitespace, for example “ hello” and “ bye”.
  • The total number of tokens processed in a given request depends on
    • the length of your input,
    • output and
    • request parameters.

The quantity of tokens being processed will also affect your response latency and throughput for the models.

Azure OpenAI Pricing

  • Pricing will be based on the pay-as-you-go consumption model with a price per unit for each model, which is similar to other Azure AI Services pricing models.

Azure Service Availability

  • SLA: This describes Microsoft’s commitments for uptime and connectivity for Microsoft Online Services covering Azure, Dynamics 365, Office 365, and Intune.

Quota and Limits

PLAYGROUND

The system role also known as the system message is included at the beginning of the array. This message provides the initial instructions to the model. You can provide various information in the system role including:

  • A brief description of the assistant
  • Personality traits of the assistant
  • Instructions or rules you would like the assistant to follow
  • Data or information needed for the model, such as relevant questions from an FAQ

You can customize the system role for your use case or just include basic instructions. The system role/message is optional, but it’s recommended to at least include a basic one to get the best results.
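As an added example (mine, not from the Azure OpenAI documentation or SDK) tying the system message described above to the content-filter behaviour under Security and Privacy: it builds a chat-completions request whose messages array starts with the system role, then interprets the content_filter_results the service returns, both the per-category severities on a completion and the HTTP 400 content_filter error for a rejected prompt. The URL shape, the api-key header and the result fields follow the public REST API; the resource name my-aoai, the deployment name gpt-35-turbo, the api-version and the three sample responses are assumptions/constructed.

```python
"""Build an Azure OpenAI chat request with a system message and read the
content-filter annotations on the reply.

Added example for these notes, not Microsoft or OpenAI code. ENDPOINT,
DEPLOYMENT and API_VERSION are assumptions; the sample responses are constructed
to match the shape of real service replies.
"""
import json
import urllib.error
import urllib.request

CATEGORIES = ("hate", "sexual", "violence", "self_harm")
SEVERITY_ORDER = ("safe", "low", "medium", "high")
ENDPOINT = "https://my-aoai.openai.azure.com"   # assumption: your resource
DEPLOYMENT = "gpt-35-turbo"                       # assumption: your deployment name
API_VERSION = "2023-05-15"                        # assumption


def build_request(system_message: str, user_message: str, api_key: str,
                  temperature: float = 0.2) -> urllib.request.Request:
    """Chat models are conversation-in / message-out: the system role goes first."""
    body = {
        "messages": [
            {"role": "system", "content": system_message},
            {"role": "user", "content": user_message},
        ],
        "temperature": temperature,
    }
    url = (f"{ENDPOINT}/openai/deployments/{DEPLOYMENT}/chat/completions"
           f"?api-version={API_VERSION}")
    # api-key is a long-lived secret: load it from Key Vault or the environment,
    # or use an Entra ID bearer token instead of the key header.
    return urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json", "api-key": api_key},
        method="POST")


def filter_verdict(response: dict) -> dict:
    """Summarise what the completion-side filter did.

    finish_reason == 'content_filter' means the reply was cut; the per-category
    results say which harm category tripped and at which severity.
    """
    choice = response["choices"][0]
    results = choice.get("content_filter_results", {})
    severity = {c: results.get(c, {}).get("severity", "safe") for c in CATEGORIES}
    blocked = [c for c in CATEGORIES if results.get(c, {}).get("filtered")]
    return {
        "filtered": choice.get("finish_reason") == "content_filter" or bool(blocked),
        "categories": blocked,
        "worst_severity": max(severity.values(), key=SEVERITY_ORDER.index),
        "text": choice.get("message", {}).get("content", ""),
    }


def prompt_rejected(error_body: dict) -> list:
    """For an HTTP 400 whose code is 'content_filter': the categories flagged."""
    err = error_body.get("error", {})
    if err.get("code") != "content_filter":
        return []
    results = err.get("innererror", {}).get("content_filter_result", {})
    return [c for c in CATEGORIES if results.get(c, {}).get("filtered")]


def chat(req: urllib.request.Request) -> dict:
    """Send the request (network call; not exercised offline)."""
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return {"ok": True, **filter_verdict(json.load(resp))}
    except urllib.error.HTTPError as e:
        body = json.loads(e.read() or b"{}")
        flagged = prompt_rejected(body)
        if e.code == 400 and flagged:
            return {"ok": False, "prompt_flagged": flagged}
        raise


# Constructed samples shaped like service replies.
CLEAN_RESPONSE = {
    "choices": [{"finish_reason": "stop",
                 "message": {"role": "assistant", "content": "Rotate the key and revoke the old one."},
                 "content_filter_results": {c: {"filtered": False, "severity": "safe"} for c in CATEGORIES}}]}

CUT_RESPONSE = {
    "choices": [{"finish_reason": "content_filter",
                 "message": {"role": "assistant", "content": ""},
                 "content_filter_results": {
                     "hate": {"filtered": False, "severity": "safe"},
                     "sexual": {"filtered": False, "severity": "safe"},
                     "violence": {"filtered": True, "severity": "medium"},
                     "self_harm": {"filtered": False, "severity": "low"}}}]}

REJECTED_PROMPT = {"error": {"code": "content_filter", "status": 400,
                             "innererror": {"code": "ResponsibleAIPolicyViolation",
                                            "content_filter_result": {
                                                "hate": {"filtered": True, "severity": "high"},
                                                "sexual": {"filtered": False, "severity": "safe"},
                                                "violence": {"filtered": False, "severity": "safe"},
                                                "self_harm": {"filtered": False, "severity": "safe"}}}}}
```

The point of surfacing the verdict rather than just the text: with the default medium threshold a completion cut by the filter comes back with finish_reason content_filter and an empty or truncated message, and an application that ignores the annotations will silently show that truncated text; the low-severity self_harm hit in the sample passes through untouched, which is exactly what the page says the default threshold does.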

Azure AD has become Microsoft Entra ID

Per Microsoft's announcement on July 11th, 2023, the net is

“To simplify our product naming and unify our product family, we’re changing the name of Azure AD to Microsoft Entra ID. Capabilities and licensing plans, sign-in URLs, and APIs remain unchanged, and all existing deployments, configurations, and integrations will continue to work as before. Starting today, you’ll see notifications in the administrator portal, on our websites, in documentation, and in other places where you may interact with Azure AD. We’ll complete the name change from Azure AD to Microsoft Entra ID by the end of 2023. No action is needed from you.

Chart outlining all the product name changes that come with the renaming of Azure AD to Microsoft Entra ID.

Here are some key resources:

AzureRM to be retired on February 29, 2024

Just so you know,

  • After February 29, 2024, the AzureRM PowerShell modules will remain available, but will no longer be supported by Microsoft.
  • Know your options for updating your scripts from AzureRM to the Az PowerShell modules.
  • To automatically update scripts, reference this quickstart guide.
  • You may want to upgrade sooner rather than later, since the Az PowerShell module runs cross-platform and supports all Azure services, including current Azure authentication mechanisms.

Deploying Azure VM with a Generalized VHD file Using Azure Portal

Assuming one has already

  • logged in to the Azure portal
  • stored a generalized VHD in an Azure storage account,

  1. Create an image from the target VHD file by
     • searching for and opening the Images service
     • adding a VM image
     • browsing to and selecting the intended VHD file to create the VM image
  2. Create a VM from the image by
     • selecting the target image from the Images page
     • creating a VM with the image from the image overview page

Test RDP

From the VM overview page, start and connect to the VM.

  • If RDP does not start a dialogue as the following, use the Run command to review and validate the VM RDP settings, as needed.
  • If experiencing a credential issue, reset the user password or create a new user credential.

Azure CLI for Deploying Customized Azure VMs

: '
This Azure CLI script is for ad hoc deployment of customized Azure VMs for testing, including
- a specified number of VMs and
- optionally a Bastion subnet for RDP/SSH over TLS directly from the Azure portal

To deploy,
1. Update the CUSTOMIZATION section, as preferred
2. Start an Azure Cloud Session,
   https://docs.microsoft.com/en-us/azure/cloud-shell/overview
3. Set the target subscription, if different from the current one
4. Copy and paste the statements of CUSTOMIZATION and STANDARDIZED ROUTINE to the Azure Cloud Shell session

© 2020 Yung Chou. All Rights Reserved.
'

# Session Start
az login

az account list -o table
subName='mySubscriptionName'
az account set -s $subName

################
# CUSTOMIZATION
################
prefix='da'

totalVMs=1
vmSize='Standard_B2ms'
region='southcentralus'
#az vm list-skus --location $region --output table
bastionSubnet='no'

# osType is a required setting
vmImage='ubuntults'
osType='linux'
#vmImage='win2016datacenter'
#vmImage='win2019datacenter'
#osType='windows'

# For testing
adminID='hendrix'
adminPwd='4testingonly!'
: '
Password must have 3 of the following 4:
1 lower case character, 1 upper case character, 1 number and 1 special character

# if to interactively set
read -p "How many VMs to be deployed " totalVMs
read -p "Enter the admin id for the $totalVMs VMs to be deployed " adminID
read -sp "Enter the password for the $totalVMs VMs to be deployed " adminPwd
'
ipAllocationMethod='static'

# Use '' if not to open a service port
ssh=22
rdp=3389
http=80
https=443

#################################
# STANDARDIZED ROUTINE FROM HERE
#################################
echo "
Prepping for deploying:
$totalVMs $osType $vmImage vms in $vmSize size
each with a $ipAllocationMethod public IP address
and port $ssh $rdp $http $https open
"

# Session tag = prefix + minute and second of the run; it also names the resource
# group, so two runs started at the same mm:ss (in any hour) would collide
tag=$prefix$(date +%M%S)
echo "Session tag = $tag"

rgName=$tag
#echo "Creating the resource group, $rgName..."
az group create -n $rgName -l $region -o table
#az group delete -n $rgName --no-wait -y

# VIRTUAL NETWORK
vnetName=$rgName'-net'
subnetName='1' # 0..254
nsgName=$rgName'-vnet-nsg'
nsgRule=$rgName'-TestOnly'
priority=100

#echo "Creating the vnet, $vnetName..."
az network vnet create -g $rgName -n $vnetName -o none \
  --address-prefixes 10.10.0.0/16 \
  --subnet-name $subnetName --subnet-prefixes "10.10.$subnetName.0/24" 

# Bastion subnet
if [ "$(echo "$bastionSubnet" | tr '[:lower:]' '[:upper:]')" == 'YES' ]
then
  #echo "Adding the Bastion subnet..."
  az network vnet subnet create --vnet-name $vnetName -g $rgName -o none \
    -n AzureBastionSubnet --address-prefixes 10.10.99.0/24
fi

# NSG
#echo "Creating a NSG, $nsgName, associated with the vnet, $vnetName..."
az network nsg create -g $rgName -n $nsgName -o none
#echo "Creating a NSG rule, $nsgRule, associated with the NSG ,$nsgName..."
# The source defaults to '*' (any address), so SSH/RDP are reachable from the whole
# Internet as soon as the VM is up. For anything beyond a throwaway test, add
#   --source-address-prefixes 203.0.113.10/32 \   (your admin IP; example value)
# or keep the ports closed and use the Bastion subnet instead of public RDP/SSH.
az network nsg rule create -g $rgName \
  --nsg-name $nsgName \
  -n $nsgRule \
  --protocol Tcp \
  --access Allow \
  --priority $priority \
  --destination-port-ranges $ssh $rdp $http $https \
  --description '*** FOR TESTING ONLY, NOT FOR PRODUCTION ***' \
  --verbose \
  -o table

# VM
time \
for i in `seq 1 $totalVMs`;
do

  vmName=$tag'-vm'$i
  echo "Prepping deployment for the vm, $vmName..."

  osDiskName=$vmName'-OSDisk'
  nicName=$vmName'-nic'
  vmIP=$vmName'-ip'

  az network public-ip create -g $rgName -n $vmIP \
    --allocation-method $ipAllocationMethod \
    --verbose \
    -o none
  echo "Allocated the $ipAllocationMethod public IP, $vmIP"

  az network nic create -g $rgName \
    -n $nicName \
    --vnet-name $vnetName \
    --subnet $subnetName \
    --network-security-group $nsgName \
    --public-ip-address $vmIP \
    --verbose \
    -o table
  echo  "Created the $nicName with the $ipAllocationMethod public IP, $vmIP"

  # CREATE VM AND RETURN THE IP
  if [ "$(echo "$osType" | tr '[:lower:]' '[:upper:]')" == 'LINUX' ]
  then
    echo "Configuring the Linux vm, $vmName, with password access"
    linuxOnly='--generate-ssh-keys --authentication-type all '
  else
    linuxOnly=''
  fi

  echo "Creating the vm, $vmName now..."
  pubIP=$(
    az vm create -g $rgName -n $vmName -l $region --size $vmSize \
      --admin-username $adminID --admin-password $adminPwd \
      --image $vmImage --os-disk-name $osDiskName \
      $linuxOnly \
      --nics $nicName \
      --query publicIpAddress \
      --verbose \
      -o tsv
  )
  #az vm show -d -g $rgName -n $vmName -o table
  echo  "
  Voilà! The VM, $vmName, has been deployed with the $ipAllocationMethod public IP, $pubIP
  "

done

# Deployed Resources
#az network vnet show -n $vnetName -g $rgName -o table
#az network vnet subnet list --vnet-name $vnetName -g $rgName -o table
#az network nic list -g $rgName -o table
az vm list -g $rgName -o table -d

# Clean up
: ' To clean up deployed resources
az group delete -n $rgName --no-wait -y
'
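The NSG rule the script creates allows 22, 3389, 80 and 443 from any source, which is fine for a throwaway lab and exactly what you do not want to find in a subscription later. The following is an added example (mine, not Microsoft's code) of the check a practitioner would run over the output of `az network nsg rule list -g RG --nsg-name NSG -o json`: it flags inbound Allow rules whose source covers the whole Internet and whose destination ports include an admin port. The field names follow the CLI output; the sample rule list is constructed (its first entry mirrors the script's rule, with `da0930` standing in for the session tag), and the choice of 22, 3389, 5985 and 5986 as "admin ports" is an assumption.

```python
"""Flag NSG inbound rules that expose admin ports to the whole Internet.

Added example for these notes, not Microsoft code. Input is the JSON list from
  az network nsg rule list -g RG --nsg-name NSG -o json
(field names follow that output). The sample list is constructed; its first
entry mirrors the rule the deployment script above creates.
"""
import json

ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM: assumption of what counts as "admin"
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}

SAMPLE_RULES_JSON = json.dumps([
    {"name": "da0930-TestOnly", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": None, "destinationPortRanges": ["22", "3389", "80", "443"]},
    {"name": "allow-https", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
     "destinationPortRange": "443", "destinationPortRanges": []},
    {"name": "rdp-from-office", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.10/32", "sourceAddressPrefixes": [],
     "destinationPortRange": "3389", "destinationPortRanges": []},
    {"name": "winrm-any", "priority": 130, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": None, "sourceAddressPrefixes": ["10.0.0.0/8", "0.0.0.0/0"],
     "destinationPortRange": "5900-6000", "destinationPortRanges": []},
    {"name": "deny-all-in", "priority": 4000, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "*", "destinationPortRanges": []},
])


def admin_ports_in(spec: str) -> set:
    """Admin ports covered by one port spec: '22', '5900-6000' or '*'."""
    if spec == "*":
        return set(ADMIN_PORTS)
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return {p for p in ADMIN_PORTS if lo <= p <= hi}
    return {int(spec)} & ADMIN_PORTS


def rule_admin_ports(rule: dict) -> set:
    """Union of admin ports over both the single-range and multi-range fields."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    hits = set()
    for spec in specs:
        hits |= admin_ports_in(spec)
    return hits


def rule_sources(rule: dict) -> list:
    sources = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        sources.append(rule["sourceAddressPrefix"])
    return sources


def exposed_admin_rules(rules: list) -> list:
    """Inbound Allow rules reachable from any Internet source that hit an admin port.

    Returns (name, priority, sorted admin ports) in priority order. A lower-numbered
    Deny rule could shadow a finding; the check deliberately stays conservative.
    """
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if not any(s.lower() in INTERNET_SOURCES for s in rule_sources(rule)):
            continue
        hits = rule_admin_ports(rule)
        if hits:
            findings.append((rule["name"], rule["priority"], sorted(hits)))
    return findings


if __name__ == "__main__":
    for name, prio, ports in exposed_admin_rules(json.loads(SAMPLE_RULES_JSON)):
        print(f"{prio:>5} {name}: admin ports {ports} open to the Internet")
```

To run it against a real NSG, save `az network nsg rule list -g RG --nsg-name NSG -o json` to a file and pass `json.load(open(path))` to `exposed_admin_rules`; the platform's default rules are only part of that list if you add `--include-default`. The 203.0.113.10/32 entry shows the shape of the fix suggested in the script's comment: the same port, but a source narrowed to the admin network.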