This is something I had wanted to do for a while. I finally welcomed Charles Joy, a Principal Program Manager on the Azure Stack team, back to the show, and we discussed the recent release of Microsoft Azure Stack Technical Preview 1. It’s a fun episode. Enjoy it.
This wave of TechNet events focuses on Azure (IaaS) V2, namely Azure Resource Manager or ARM. It is part of the IT Innovation series currently delivered in US metros and many other locations in the spring of 2016. For those outside of the US, go to http://aka.ms/ITInnovation to find events near you. Come and have some serious fun in learning.
The presentations, available in PDF format, and the following lab material are included in this zip file.
GitHub repository for Lab Files if using your own machine
If you are not using the hosted virtual machine and are using your own workstation, any custom files the lab instructions call out can be found in a GitHub repository. The repository is located here: https://github.com/AZITCAMP/Labfiles.
Required software will be called out throughout the lab.
Any additional software that you require will be called out in the lab. The following software may be useful when working with Azure in general.
Recently, as hacking has become a business model and identity theft an everyday phenomenon, there is increasing hostility on the Internet and escalating concern for PC and network security. No longer is a long and complex password sufficient to protect your assets. In addition to a strong password policy, adding MFA is now a baseline defense to better ensure the authenticity of the user being verified and an effective vehicle to deter fraud.
Furthermore, the increasing volume of online ecommerce transactions, the compliance needs of regulated verticals like finance and healthcare, the unique business requirements of market segments like the gaming industry, the popularity of smartphones, the adoption of cloud identity services with MFA technology, etc. all contribute to the growth of the MFA market. Market research published in August of 2015 reported that “The global multi-factor authentication (MFA) market was valued at USD 3.60 Billion in 2014 and is expected to reach USD 9.60 Billion by 2020, at an estimated CAGR of 17.7% from 2015 to 2020.”
While mobility becomes part of the essential business operating platform, a cloud-based authentication solution offers more flexibility and long-term benefits. This is apparent; The Street stated that
“Availability of cloud-based multi-factor authentication technology has reduced the maintenance costs typically associated with hardware and software-based two-factor and three-factor authentication models. Companies now prefer adopting cloud-based authentication solutions because the pay per use model is more cost effective, and they offer improved reliability and scalability, ease of installation and upgrades, and minimal maintenance costs. Vendors are introducing unified platforms that provide both hardware and software authentication solutions. These unified platforms are helping authentication vendors reduce costs since they need not maintain separate platforms and modules.”
Depending on where IT is and where IT wants to be, the initial investment may be consequential and significant. Adopting various technologies and cloud computing may be necessary, while facing resistance to change in corporate IT culture.
The following is not an exhaustive list, but it covers some important facts, capabilities and considerations of Windows MFA.
MFA helps ensure the authenticity of a user. MFA by itself nevertheless cannot stop identity theft, since there are various ways, like keyloggers, phishing, etc., to steal an identity. Still, as hacking has become a business model for an underground industry, and even a military offense, and credential theft has matured into an established hacking practice, operating without a strong authentication scheme is not an option. MFA remains arguably a direct and effective way to deter identity theft and fraud.
And the emerging trend of employing biometrics, instead of a password, with a key-based credential leveraging hardware and virtualization-based security like Device Guard and Credential Guard in Windows 10 further minimizes the attack surface by ensuring hardware boot integrity and OS code integrity, and allowing only trusted system applications to request a credential. Device Guard and Credential Guard together offer a new standard in preventing pass-the-hash (PtH), which is one of the most popular types of credential theft and reuse attacks seen by Microsoft so far.
Above all, going forward we must not consider MFA an afterthought or add-on, but an immediate and imperative part of a PC security solution. IT needs to implement MFA sooner rather than later, if not already.
In the last few months, I have taken a few opportunities to talk about deploying an application as a service. This is a subject with many aspects, connecting the concepts of cloud computing, the application deployment process and IT operations. I find it also covers many frequently run routines worth automating with Azure PowerShell.
Here I share the material which I have integrated into IaaS workshops I have recently delivered.
- Part 1 is the user experience which is also supplemented with published videos. (Channel 9)
- Part 2 highlights the PowerShell scripts I wrote to deploy the sample application. (Channel 9)
This connection is very easy to understand and implement. Point-to-Site (or P2S) here refers to a connection between a single device (namely a connection point) and an Azure virtual network (vnet) site.
A P2S connection requires a subnet defined within the target Azure vnet site. Seen from the connected Azure vnet site, a connecting device is automatically allocated an IP address within the defined P2S subnet and connects to the site via a VPN connection.
Technically, a P2S connection is specific not to the physical device but to the logical device, i.e. the OS instance which a connecting physical device is running, since the connection is based on a private-and-public key pair generated with the OS. At this time, Azure P2S supports only self-signed certificates. The x.509 certificate (i.e. the public key) of an employed key pair resides in the target Azure vnet site, while the certificate in PFX format (i.e. a certificate exported with its private key) should be installed on a connecting device. An administrator can configure an Azure P2S connection by:
- First enabling P2S connectivity and defining a P2S subnet associated with a target Azure vnet site
- Generating an x.509/PFX certificate pair
- Uploading the x.509 certificate to the site
- Distributing to and installing the PFX certificate on intended (logical) devices
- Initiating a connection from a logical device
Although one x.509-and-PFX certificate pair is sufficient to establish P2S connections between an Azure vnet site and multiple devices, by uploading the x.509 certificate to the target Azure vnet site and installing the associated PFX file on all connecting devices, the best practice is to employ a unique certificate pair for each connecting device to better secure the P2S environment.
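The certificate steps above, scripted as an added example (this is not code from the original post or from Azure's own documentation). It assumes Windows 10 or Windows Server 2016 PowerShell with the built-in PKI module (New-SelfSignedCertificate, Export-Certificate, Export-PfxCertificate). It follows the root-plus-client layout, where the self-signed root's public certificate is what gets uploaded to the vnet site and each device receives its own client certificate issued from that root, which is how the "unique certificate per device" best practice is put into effect. The output folder and the device names are made-up values.

```powershell
# Added example, not from the original post.
# Assumes: Windows 10 / Server 2016 PKI module. $outDir and $devices are constructed values.

$outDir  = "C:\P2S"                       # assumption: folder for exported files
$devices = @("laptop-01", "laptop-02")    # constructed device names, one cert each
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Self-signed root certificate. Only its public part leaves this machine
#    (uploaded to the vnet site); its private key stays in the current user's store.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Export the root as a DER-encoded .cer (public key only) for upload to the vnet.
Export-Certificate -Cert $root -FilePath (Join-Path $outDir "P2SRootCert.cer") | Out-Null

# 3. One client certificate per device, signed by the root, exported as its own PFX.
#    The EKU extension restricts the certificate to client authentication.
foreach ($device in $devices) {
    $client = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
        -Subject "CN=$device" -DnsName $device -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" -Signer $root `
        -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

    # Prompt for a per-device PFX password instead of hard-coding one in the script.
    $pfxPassword = Read-Host -AsSecureString "PFX password for $device"
    Export-PfxCertificate -Cert $client -Password $pfxPassword `
        -FilePath (Join-Path $outDir "$device.pfx") | Out-Null
}

# 4. Review what was issued under the root before distributing the PFX files.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -eq $root.Subject } |
    Select-Object Subject, NotAfter, Thumbprint
```

Because every device carries a distinct client certificate, a device that is lost or retired can be identified by its own subject and thumbprint without reissuing the certificates on the others. The PFX files contain private keys, so they should be distributed over a protected channel and the password kept out of the script.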
Here are the Azure documentation page and complementary videos to walk through the processes and operations to
- Create a virtual network and a VPN gateway (video)
- Create your certificates (video)
- Configure your VPN client (video)
One noticeable difference of Azure Infrastructure Services (IaaS) V2 from Azure IaaS V1 (or classic Azure IaaS, as I call it) is the employment of Azure “Resource Group” templates. A resource group is not only a newly introduced artifact in Azure, but denotes a fundamental shift in automating, deploying, and managing IT resources. This change signifies the arrival of a declarative programming/scripting model, for the better. I will walk through an application deployment with Azure resource group templates in an upcoming post. In this memo, the focus is on distinguishing these two programming/scripting models.
Imperative vs. Declarative
Traditionally, within a logical unit of work (or simply a transaction) the conventional wisdom is to define how to implement a business logic by programmatically referencing parameter values, verifying the dependencies, examining variables at runtime, and stepping through a predefined data flow accordingly. This is the so-called imperative programming model, which uses assignments, conditions/branching and looping statements to serialize operations for establishing the state of a program at runtime, i.e. an instance. An imperative programming model describes “how” to reach “what.” A vivid example is that C-family programming languages are based on an imperative model. An imperative model like the following pseudo code specifies the steps (i.e. how) to ensure the operability of attaching a database to a SQL server (in other words, what) by ensuring the SQL server is first up and running, i.e. ready, before attaching the intended database. The implementation logic is to repeat a routine of waiting for a specified period of time and checking the status of a target resource, until the target resource is ready for the intended operation.
Wait 30 seconds and check the SQL server status again, till it is up and running
Then attach the database
At the same time, a declarative programming model describes business logic based on ‘what it is and not how to do it.’ For instance, rather than programming a loop to periodically check whether a target SQL server is up and running, as the imperative model does in the example above, a declarative model will simply state the dependency on a target SQL server, i.e. what state must be met, before attaching the intended database, and let the system (here I use “the system” as an umbrella term for the other components) implement how to enforce this prerequisite. The following illustrates a declarative approach.
This database has a dependency of the hosting SQL server
The above states the dependency, i.e. what it is, and delegates the implementation to be carried out later.
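The two pseudo-code fragments above, carried through as an added example (not code from the original post). Both halves assume the AzureRM PowerShell module of the 2016 era and a resource group that already exists; the resource group, server and database names are made-up values. The imperative half approximates "up and running" as "the server resource can be retrieved", which is an assumption; the declarative half is an ARM resource group template in which the database declares `dependsOn` and Azure Resource Manager orders the work.

```powershell
# Added example, not from the original post. Assumes the AzureRM module (2016 era)
# and an existing resource group. All names below are constructed values.

$rg        = "demo-rg"        # constructed resource group name
$sqlServer = "demo-sql-01"    # constructed SQL server name (also literal in the template)
$db        = "demo-db"        # constructed database name  (also literal in the template)

# --- Imperative: the script owns the "how". It polls until the server can be retrieved,
#     then creates the database. Retries, timeouts and failure handling are ours to write.
function Wait-SqlServerReady {
    param([string]$ResourceGroup, [string]$ServerName, [int]$MaxAttempts = 20)
    for ($i = 1; $i -le $MaxAttempts; $i++) {
        # Assumption: a retrievable server is treated as "up and running".
        $server = Get-AzureRmSqlServer -ResourceGroupName $ResourceGroup `
            -ServerName $ServerName -ErrorAction SilentlyContinue
        if ($server) { return $true }
        Write-Host "SQL server not ready (attempt $i of $MaxAttempts); waiting 30 seconds..."
        Start-Sleep -Seconds 30
    }
    return $false
}

if (Wait-SqlServerReady -ResourceGroup $rg -ServerName $sqlServer) {
    New-AzureRmSqlDatabase -ResourceGroupName $rg -ServerName $sqlServer -DatabaseName $db
} else {
    throw "Gave up waiting for SQL server $sqlServer"
}

# --- Declarative: the template states that the database depends on the server.
#     Resource Manager works out the ordering, waiting and parallelism.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminLogin":    { "type": "string" },
    "adminPassword": { "type": "securestring" }
  },
  "resources": [
    {
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2014-04-01",
      "name": "demo-sql-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "administratorLogin": "[parameters('adminLogin')]",
        "administratorLoginPassword": "[parameters('adminPassword')]",
        "version": "12.0"
      }
    },
    {
      "type": "Microsoft.Sql/servers/databases",
      "apiVersion": "2014-04-01",
      "name": "demo-sql-01/demo-db",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[resourceId('Microsoft.Sql/servers', 'demo-sql-01')]" ],
      "properties": { "edition": "Basic" }
    }
  ]
}
'@

$templatePath = Join-Path $env:TEMP "sql-with-db.json"
Set-Content -Path $templatePath -Value $template

# The password is typed in as a secure string and passed to a securestring parameter,
# so it is neither hard-coded in the script nor written into the template file.
$adminPassword = Read-Host -AsSecureString "SQL admin password"

# Validate first, then deploy; template parameters are passed as cmdlet parameters.
Test-AzureRmResourceGroupDeployment -ResourceGroupName $rg -TemplateFile $templatePath `
    -adminLogin "sqladmin" -adminPassword $adminPassword
New-AzureRmResourceGroupDeployment -ResourceGroupName $rg -TemplateFile $templatePath `
    -adminLogin "sqladmin" -adminPassword $adminPassword
```

Note where the "how" lives in each half: in the imperative script it is the polling loop, which every similar script has to reproduce, while in the template the single `dependsOn` entry is the whole statement and Resource Manager supplies the waiting and ordering. Validating with Test-AzureRmResourceGroupDeployment before deploying catches template errors without creating any resources.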
What vs. How
Notice that an imperative model specifies both the what and the how of a deployment. At the same time, a declarative model implies a logical separation: it focuses on the what and leaves the how for later. In layman’s terms, imperative vs. declarative is simply an approach of how vs. what, respectively.
For simple operations, one may not be advantageous over the other. For a large number of operations or tasks with high concurrency and noticeable complexity, the orchestration can be too overwhelming to implement productively with an imperative model. This is increasingly what IT pros are facing in a cloud setting, where operations are intermittent, concurrent, and carried out on hundreds or thousands of application instances with inter- and intra-dependencies among themselves at the application layer and the system level.
A declarative model states what a target state is and the system will make it so, i.e. enforce it as stated. Employing a declarative model will fundamentally simplify how an administrator carries out application deployment and automation, with increased consistency, persistency, and predictability.
As IT transitions into cloud computing, the number of VMs will continue to increase while the deployment environment is likely to become hybrid and complex. Adopting a declarative programming model is, in my view, critical and inevitable.
Essentially, IT has become a highly integrated and increasingly complex environment, which is particularly true in an emerging IT model where cloud computing is combined with hybrid deployment scenarios. Programmatically describing how to establish a state at runtime can quickly overwhelm programming logic and make an implementation based on an imperative model very costly to develop and maintain. Shifting to a declarative programming model is strategic and becoming “imperative” for IT.
Call to Action
Recognizing the presented opportunity, IT pros should make this shift from imperative to declarative scripting models sooner rather than later. Employ a declarative model as a vehicle to improve the capabilities and productivity of application deployments, and to facilitate and maximize the ROI of transitioning to cloud in an IT organization. To get started, there is already abundant information on Azure IaaS V2 available, including:
- Azure Quickstart Templates Documentation
- Azure Quickstart Templates Github Repository
- App deployment as a service (classic Azure IaaS or an imperative model sample)
- App deployment as a service (Azure IaaS V2 or a declarative model sample) (upcoming post, subscribe to the feed to get the update)
- Desired State Configuration (DSC)
In addition, those who are new to Azure IaaS may find the following resources helpful:
And for those who would like to review cloud computing concepts, I recommend:
This is a lab delivered in the spring of 2015 for Microsoft US IT Camps, Extend Your Datacenter to Azure, which is a whole-day event with hands-on experience on deploying and migrating workloads to Azure. This lab is specifically for IT pros to experience an automatic deployment of a business function/application, instead of deploying just VMs. The ability to deploy VMs is important and essential. Deploying VMs is however not the ultimate goal of moving to cloud. As I have addressed elsewhere, cloud goes way beyond virtualization and deploying VMs; instead it is about the anytime readiness and on-demand ability to grow and shrink resource capacity based on demand, i.e. being elastic. And this lab does just that to prove this concept using Azure and PowerShell.
The script is published in GitHub and one can run the script as it is without making changes. In the recording below, I walk through the steps to acquire and run the script. The intent is to run it as a service, i.e. on demand, to deploy application instances from zero to running instances. Notice this script is for learning and testing Microsoft Azure and PowerShell. It hard-codes and does not encrypt the password it uses, has very limited error handling, and is not intended for production use.
For those who are not familiar with the essentials of Microsoft Azure Infrastructure Services, compliance, pricing, and cost structure, here are additional resources:
- Azure 101 Series for establishing basic building blocks of Microsoft Azure Infrastructure Services
- Azure 102 Series for installing Microsoft Azure PowerShell module
- Azure compliance, pricing, and cost information
This is a project for Microsoft Virtual Academy on which I had the pleasure to work with Shri (Shriram Natarajan, a Program Manager on the Windows Azure Pack team). I had a wonderful time and learned much from him.
Windows Azure Pack is one of my favorite subjects on transforming your private cloud into a customer-centric IT-as-a-service hub. The idea is to offer customers a solution platform such that they can self-serve on consuming, establishing, and managing IT capabilities including network, storage, and compute on demand, regardless of whether resources are on-premises, deployed in Azure, or hosted in a 3rd-party facility. The enabler, Windows Azure Pack, places an abstraction to present a VMM-based private cloud with an Azure-like interface and experience, while integrating and consolidating at the middleware layer to enable on-premises, Azure, and 3rd-party resources to be managed with a consistent experience.
The first step in this strategic approach is to experience and assess Windows Azure Pack relative to your unique IT environment, which is what this project is about.
Subscription and Service Limits, Quotas, and Constraints (http://aka.ms/Limits)
This is a must-bookmark page to find out, for instance:
- Total CPU cores a subscription can consume
- The number of endpoints a VM can have
- The bandwidth an Azure website may provide
- Total VMs a virtual network may host
- Total TB per storage account
- Maximum number of objects in Azure Active Directory
Azure Pricing Model (http://aka.ms/AzurePricing)
This is where to find detailed Azure pricing information of Azure services with options like pay-as-you-go, Microsoft resellers, and enterprise agreements. A good reference this is. Keep it handy.
Azure Pricing Calculator (http://aka.ms/Calculator)
This is a what-if analysis tool. How will the costs differ when changing your deployment plan from 3 small Linux VMs to 2 large ones, deploying Oracle WebLogic Server on A5 instead of A8, and replacing locally-redundant storage with geo-redundant storage? Just drag the slider on each category and one can read the combined baseline costs from the number shown under the full calculator.
Azure SLAs (http://aka.ms/AzureSLAs)
Do examine the SLAs from a cloud vendor, including Microsoft’s. Cloud computing is emerging and the business model continues to evolve. SLAs are not all created equal. Pay attention to the fine print. Understand what does and what does not count as an outage and, when there is one, how a subscriber is compensated. Following your flow of data, the overall SLA is that of the service with the lowest SLA along the path.
Azure Support Options (http://aka.ms/AzureSupportOptions)
Support costs will have an impact on the business value of an application throughout its lifecycle: not just the support subscription costs, but also the associated activities to initiate, monitor, manage, and document support cases.
Azure Compliance Page (http://aka.ms/AzureCompliance)
For some industries, if it is not compliant, there is really no point in investigating the cost of a solution. If compliance is a requirement, investigate early. For Azure, this page lists all the achieved certifications. Pay attention to the referenced links like Azure HIPAA Implementation Guidance. Some specifically document the implementation steps for a cloud application to become compliant.
Cloud is about the ability to deliver instant gratification, and grow or shrink the capacity based on demand. Those days of rolling out a patch in 6 weeks, deploying a branch office in 3 months, building a cluster in two weeks, are long gone. The delivery needs to be on demand, in the next hour, within a half-day, or something relatively quick.
At the same time, cloud is not a one-size-fits-all platform. And there are legitimate reasons not to deploy resources in cloud. Get all the facts, learn how cloud works, and assess the risks. Know what you pay for, set a realistic expectation, then cloud responsibly and happily.
So where to start? Learning by practicing is what I recommend. For those who do not subscribe to MSDN, which offers monthly Azure usage credit, sign up for a 30-day free trial at http://aka.ms/Azure200 and follow http://aka.ms/Azure101Series and http://aka.ms/Azure102Series to start making cloud work for you. Use Azure as your datacenter, your global network, and your colossal storage drive in cloud.