This is something I had wanted to do for a while. I finally welcomed Charles Joy, a Principal Program Manager on the Azure Stack team, back to the show, and we discussed the recent release of Microsoft Azure Stack Technical Preview 1. It’s a fun episode. Enjoy it.
This wave of TechNet events focuses on Azure IaaS V2, namely Azure Resource Manager (ARM). It is part of the IT Innovation series currently being delivered in US metros and many other locations in the spring of 2016. For those outside of the US, go to http://aka.ms/ITInnovation to find events near you. Come and have some serious fun learning.
The presentations, available in PDF format, and the following lab material are included in this zip file.
GitHub repository for Lab Files if using your own machine
If you are not using the hosted virtual machine and are using your own workstation, any custom files the lab instructions call out can be found in a GitHub repository, located here: https://github.com/AZITCAMP/Labfiles.
Required software will be called out throughout the lab.
Any additional software that you require will be called out in the lab. The following software may be useful when working with Azure in general.
Recently, as hacking has become a business model and identity theft an everyday phenomenon, there is increasing hostility on the Internet and escalating concern for PC and network security. A long and complex password is no longer sufficient to protect your assets. In addition to a strong password policy, adding MFA is now a baseline defense: it gives better assurance that the user being examined is who they claim to be, and it is an effective vehicle to deter fraud.
Furthermore, the growth of online e-commerce transactions, the compliance needs of regulated verticals like finance and healthcare, the unique business requirements of market segments like the gaming industry, the popularity of smartphones, the adoption of cloud identity services with MFA technology, etc. all contribute to the growth of the MFA market. Market research published in August 2015 reported that “The global multi-factor authentication (MFA) market was valued at USD 3.60 Billion in 2014 and is expected to reach USD 9.60 Billion by 2020, at an estimated CAGR of 17.7% from 2015 to 2020.”
As mobility becomes part of the essential business operating platform, a cloud-based authentication solution offers more flexibility and long-term benefits. This is apparent from the report, which stated that
“Availability of cloud-based multi-factor authentication technology has reduced the maintenance costs typically associated with hardware and software-based two-factor and three-factor authentication models. Companies now prefer adopting cloud-based authentication solutions because the pay per use model is more cost effective, and they offer improved reliability and scalability, ease of installation and upgrades, and minimal maintenance costs. Vendors are introducing unified platforms that provide both hardware and software authentication solutions. These unified platforms are helping authentication vendors reduce costs since they need not maintain separate platforms and modules.”
Depending on where IT is and where IT wants to be, the initial investment may be consequential and significant. Adopting various technologies and cloud computing may be necessary, while facing resistance to change in corporate IT culture.
The following is not an exhaustive list, but it covers some important facts, capabilities and considerations of MFA on Windows.
MFA helps ensure the authenticity of a user. MFA by itself nevertheless cannot stop identity theft, since there are various ways, such as keyloggers and phishing, to steal an identity. Still, as hacking has become a business model for an underground industry and even a military capability, and credential theft has matured into a standard hacking practice, operating without a strong authentication scheme is not an option. MFA remains arguably a direct and effective way to deter identity theft and fraud.
The emerging trend of employing biometrics, instead of a password, together with a key-based credential that leverages hardware and virtualization-based security like Device Guard and Credential Guard in Windows 10 further minimizes the attack surface: hardware boot integrity and OS code integrity are enforced, and only trusted system applications are allowed to request a credential. Device Guard and Credential Guard together set a new standard in preventing Pass-the-Hash (PtH), one of the most common credential theft and reuse attacks seen by Microsoft so far.
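Before relying on the protection described above, it is worth verifying that virtualization-based security is actually running on a given machine rather than merely configured. The following is an added check, not code from the original post; it queries the documented Win32_DeviceGuard WMI class and assumes a Windows 10 Enterprise (or later) host. The function name and the warning text are this example's own.

```powershell
# Added example (not from the original post): verify that virtualization-based security (VBS)
# is running and which services it protects, using the documented Win32_DeviceGuard class.
# Bit values follow the class documentation for SecurityServicesRunning/Configured:
#   1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity, part of Device Guard).
function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
        ConfiguredServices     = $dg.SecurityServicesConfigured
        # RequiredSecurityProperties, e.g. 2 = Secure Boot, 3 = DMA protection
        RequiredProperties     = $dg.RequiredSecurityProperties
    }
}

$status = Get-VbsStatus
$status

# "Configured" is not "running": a policy can be set while the hardware prerequisites are missing.
if (-not $status.VbsRunning) {
    Write-Warning 'VBS is not running; check Secure Boot/UEFI, virtualization extensions and the Hyper-V platform.'
}
if (-not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running; LSA secrets are not isolated from the OS, so PtH protection is not in effect.'
}
```

The distinction between configured and running is the point of the check: Group Policy can enable Credential Guard on a machine whose firmware does not meet the requirements, in which case the policy is set but LSA secrets remain in the normal OS.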
Above all, going forward we must not treat MFA as an afterthought or add-on, but as an immediate and imperative requirement of a PC security solution. IT needs to implement MFA sooner rather than later, if not already.
In the last few months, I have taken a few opportunities to talk about deploying an application as a service. This subject has many aspects, connecting the concepts of cloud computing, the application deployment process and IT operations. I find it also encompasses frequently run routines that are good candidates for automation with Azure PowerShell.
Here I share the material which I have integrated into IaaS workshops I have recently delivered.
- Part 1 is the user experience which is also supplemented with published videos. (Channel 9)
- Part 2 highlights the PowerShell scripts I wrote to deploy the sample application. (Channel 9)
This connection is very easy to understand and implement. Point-to-Site (P2S) here refers to a connection between a single device (namely a connection point) and an Azure virtual network (vnet) site.
A P2S connection requires a client address pool, i.e. a P2S subnet, defined for the target Azure vnet site. Examined from the connected Azure vnet site, a connecting device is automatically allocated an IP address from the defined P2S subnet and connects to the site via a VPN connection.
Technically, a P2S connection is specific not to the physical device but to the logical device, i.e. the OS instance running on a connecting physical device, since the connection is based on a private-and-public key pair generated by the OS. At this time, Azure P2S supports only self-signed certificates. The x.509 certificate (i.e. the public key) of an employed key pair resides in the target Azure vnet site, while the PFX-format certificate (i.e. a certificate exported together with its private key) is installed on the connecting device. An administrator can configure an Azure P2S connection by:
- First enabling P2S connectivity and defining a P2S subnet associated with a target Azure vnet site
- Generating an x.509/PFX certificate pair
- Uploading the x.509 certificate to the site
- Distributing to and installing the PFX certificate on intended (logical) devices
- Initiating a connection from a logical device
One x.509-and-PFX certificate pair is sufficient to establish P2S connections between an Azure vnet site and multiple devices: upload the x.509 certificate to the target Azure vnet site and install the associated PFX file on all connecting devices. The best practice, however, is to employ a unique certificate pair for each connecting device to better secure the P2S environment, so that a lost or compromised device can be revoked individually instead of re-keying every other device.
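The certificate steps above (generate a pair, keep the public part for the site, hand the PFX to each device) look like this when typed into PowerShell. This is an added example, not the post's own script or the Azure documentation's: it assumes Windows 10 / Windows Server 2016 or later (New-SelfSignedCertificate with -Signer), and the subject names, device list and output folder are placeholders. It follows the per-device recommendation by issuing one client certificate per device from a single self-signed root, so only the root's public certificate needs to be uploaded to the vnet site.

```powershell
# Added example (not from the original post): a self-signed root whose public part is uploaded
# to the Azure vnet site, plus one client certificate (PFX) per connecting device.
$rootName = 'P2SRootCert'            # placeholder subject
$outDir   = 'C:\P2S'                 # placeholder output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Root certificate: a signing certificate (KeyUsage CertSign), not a client-auth certificate.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$rootName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Export only the public part (.cer, then Base64) for upload to the site.
#    The root's private key stays on this machine; it is never distributed.
Export-Certificate -Cert $root -FilePath "$outDir\$rootName.cer" | Out-Null
certutil -encode "$outDir\$rootName.cer" "$outDir\$rootName.base64.cer" | Out-Null

# 3. One client certificate per device, chained to the root, with the Client Authentication EKU.
#    Per-device certificates let you revoke a single lost laptop rather than re-keying everyone.
$devices = 'laptop-01', 'laptop-02'  # constructed device list
foreach ($device in $devices) {
    $client = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
        -Subject "CN=$device" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -Signer $root `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')   # EKU: Client Authentication

    # The PFX (certificate + private key) is what gets installed on that one device.
    # Protect it with a password delivered out of band; here it is read at the prompt.
    $pfxPassword = Read-Host -Prompt "PFX password for $device" -AsSecureString
    Export-PfxCertificate -Cert $client -FilePath "$outDir\$device.pfx" -Password $pfxPassword | Out-Null
}

# Check: every client certificate issued here chains to the root and carries the client-auth EKU.
Get-ChildItem 'Cert:\CurrentUser\My' |
    Where-Object { $_.Issuer -eq "CN=$rootName" -and $_.Subject -ne "CN=$rootName" } |
    Select-Object Subject, NotAfter, @{ n = 'EKU'; e = { $_.EnhancedKeyUsageList.FriendlyName } }
```

The Base64 .cer file is the artifact to upload to the vnet site; the .pfx files are the ones to distribute, each to exactly one device. Once a device is no longer trusted, revoke that device's certificate (by thumbprint) at the site rather than rotating the root.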
Here are the Azure documentation pages and complementary videos that walk through the processes and operations to
- Create a virtual network and a VPN gateway (video)
- Create your certificates (video)
- Configure your VPN client (video)
One noticeable difference between Azure Infrastructure Services (IaaS) V2 and Azure IaaS V1 (or classic Azure IaaS, as I call it) is the use of Azure “Resource Group” templates. A resource group is not only a newly introduced artifact in Azure, but denotes a fundamental shift in automating, deploying, and managing IT resources. This change signifies the arrival of a declarative programming/scripting model, for the better. I will walk through an application deployment with Azure resource group templates in an upcoming post. In this memo, the focus is on distinguishing the two programming/scripting models.
Imperative vs. Declarative
Traditionally, within a logical unit of work (or simply a transaction), the conventional wisdom is to define how to implement a piece of business logic by programmatically referencing parameter values, verifying dependencies, examining variables at runtime, and stepping through a predefined data flow accordingly. This is the so-called imperative programming model, which uses assignments, conditions/branching and looping statements to serialize the operations that establish the state of a program at runtime, i.e. an instance. An imperative model describes “how” to reach “what.” The C-family programming languages are a vivid example of the imperative model. The pseudo code below specifies the steps (i.e. how) to ensure a database can be attached to a SQL server (i.e. what) by first making sure the SQL server is up and running, i.e. ready, before attaching the intended database. The logic repeats a routine of waiting for a specified period of time and checking the status of the target resource until it is ready for the intended operation.
Wait 30 seconds and check the SQL server status again, till it is up and running
Then attach the database
A declarative programming model, on the other hand, describes business logic in terms of ‘what it is, not how to do it.’ For instance, rather than programming a loop that periodically checks whether the target SQL server is up and running, as the imperative model does in the example above, a declarative model simply states the dependency on the target SQL server, i.e. what state must be met before attaching the intended database, and lets the system (here I use “the system” as an umbrella term for the other components) implement how to enforce this prerequisite. The following illustrates a declarative approach.
This database has a dependency on the hosting SQL server
The above states the dependency, i.e. what it is, and delegates the implementation to be carried out later.
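To make the contrast concrete, here is the same dependency written both ways in PowerShell. This is an added example, not code from the original post: the imperative half polls the SQL Server service the way the pseudo code above describes (the MSSQLSERVER service name, the timeout and the hypothetical Attach-Database call are this example's assumptions), and the declarative half states the dependency in a resource group template and hands it to Azure Resource Manager through New-AzureRmResourceGroupDeployment. The resource names and the resource group are placeholders.

```powershell
# Added example (not from the original post). Both halves express one dependency:
# "the database needs its SQL server to be up before it is attached."

# --- Imperative: the script owns the "how" (poll, sleep, retry, give up) -------------------
# Assumes a Windows host running SQL Server as the MSSQLSERVER service; the 10-minute budget
# is illustrative. Without the deadline the loop in the pseudo code above never terminates
# if the server never comes up, so a timeout is part of the "how" the script must own.
function Wait-ForSqlServer {
    param([string]$ServiceName = 'MSSQLSERVER', [int]$IntervalSeconds = 30, [int]$TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Service -Name $ServiceName -ErrorAction SilentlyContinue).Status -ne 'Running') {
        if ((Get-Date) -gt $deadline) { throw "$ServiceName not running after $TimeoutSeconds s" }
        Start-Sleep -Seconds $IntervalSeconds       # "wait 30 seconds and check again"
    }
}
Wait-ForSqlServer
# Attach-Database -Name 'AppDb'    # hypothetical; the attach itself is outside this example

# --- Declarative: the template states the "what"; ARM orders the operations ---------------
# The dependsOn entry is the same dependency as the loop above. ARM will not create the
# database until the server resource exists, and it owns the waiting and retrying.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": { "adminPassword": { "type": "securestring" } },
  "resources": [
    {
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2014-04-01",
      "name": "contoso-sql",
      "location": "[resourceGroup().location]",
      "properties": {
        "administratorLogin": "sqladmin",
        "administratorLoginPassword": "[parameters('adminPassword')]"
      },
      "resources": [
        {
          "type": "databases",
          "apiVersion": "2014-04-01",
          "name": "AppDb",
          "location": "[resourceGroup().location]",
          "dependsOn": [ "[resourceId('Microsoft.Sql/servers', 'contoso-sql')]" ]
        }
      ]
    }
  ]
}
'@
$template | Set-Content -Path .\appdb.json

# The password is a securestring parameter, so it is never written into the template file.
$sqlAdminPassword = Read-Host -Prompt 'SQL admin password' -AsSecureString
New-AzureRmResourceGroupDeployment -ResourceGroupName 'app-rg' -TemplateFile .\appdb.json `
    -TemplateParameterObject @{ adminPassword = $sqlAdminPassword }
```

Note what moved: the interval, the deadline and the failure path are all gone from the template because ARM, not the script, decides how to satisfy dependsOn. The template also keeps the secret out of the artifact by declaring it as a securestring parameter, which is a second benefit of separating the what from the how.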
What vs. How
Notice that an imperative model specifies both the what and the how of a deployment, whereas a declarative model implies a logical separation: it focuses on the what and leaves the how for later. In layman's terms, imperative vs. declarative is simply how vs. what, respectively.
For simple operations, one may not be advantageous over the other. For a large number of operations, or tasks with high concurrency and noticeable complexity, the orchestration can be too overwhelming to implement productively with an imperative model. This is increasingly what IT pros face in a cloud setting, where operations are intermittent, concurrent, and carried out on hundreds or thousands of application instances with inter- and intra-dependencies among themselves at the application layer and the system level.
A declarative model states what the target state is, and the system makes it so, i.e. enforces it as stated. Employing a declarative model fundamentally simplifies how an administrator carries out application deployment and automation, with increased consistency, persistence, and predictability.
As IT transitions into cloud computing, the number of VMs will continue to increase while the deployment environment is likely to become hybrid and complex; adopting a declarative programming model is, in my view, critical and inevitable.
Essentially, IT has become a highly integrated and increasingly complex environment, which is particularly true in an emerging IT model where cloud computing is combined with hybrid deployment scenarios. Programmatically describing how to establish a state at runtime can quickly overwhelm the programming logic and make an implementation based on the imperative model very costly to develop and maintain. Shifting to a declarative programming model is strategic and is becoming “imperative” for IT.
Call to Action
Recognizing the opportunity presented, IT pros should make this shift from imperative to declarative scripting models sooner rather than later. Employ a declarative model as a vehicle to improve the capabilities and productivity of application deployments, and to facilitate and maximize the ROI of an IT organization's transition to cloud. To get started, there is already abundant information on Azure IaaS V2 available, including:
- Azure Quickstart Templates Documentation
- Azure Quickstart Templates Github Repository
- App deployment as a service (classic Azure IaaS or an imperative model sample)
- App deployment as a service (Azure IaaS V2 or a declarative model sample) (upcoming post; subscribe to the feed to get the update)
- Desired State Configuration (DSC)
In addition, those who are new to Azure IaaS may find the following resources helpful:
And for those who would like to review cloud computing concepts, I recommend:
This is a lab delivered in the spring of 2015 for Microsoft US IT Camps, Extend Your Datacenter to Azure, a whole-day event with hands-on experience deploying and migrating workloads to Azure. This lab is specifically for IT pros to experience the automatic deployment of a business function/application, instead of deploying just VMs. The ability to deploy VMs is important and essential. Deploying VMs is, however, not the ultimate goal of moving to cloud. As I have addressed elsewhere, cloud goes way beyond virtualization and deploying VMs; it is about anytime readiness and the on-demand ability to grow and shrink resource capacity based on demand, i.e. being elastic. And this lab does just that, proving the concept using Azure and PowerShell.
The script is published on GitHub and one can run the script as it is, without making changes. In the recording below, I walk through the steps to acquire and run the script. The intent is to run it as a service, i.e. on demand, to deploy application instances from zero to running instances. Notice that this script is for learning and testing Microsoft Azure and PowerShell. It hard-codes the employed password and does not encrypt it, has very limited error handling, and is not intended for production use.
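The hard-coded, unencrypted password is the first thing to change before any script like this leaves a lab. The following is an added example and not the lab script itself: it shows the weak pattern next to two hardened ones for the classic Azure PowerShell cmdlets the lab uses. The service name, VM name, image filter and credential file path are placeholders, and New-LabVm is this example's own wrapper.

```powershell
# Added example (not the lab script): keeping the VM administrator password out of the script.

# Weak pattern (what the lab script does): the secret sits in the file, in version control, in history.
# $adminPassword = 'P@ssw0rd!'    # hard-coded, plain text; kept commented out on purpose

# Hardened pattern 1, interactive runs: prompt and never store.
# Get-Credential returns a PSCredential whose Password is a SecureString.
# Hardened pattern 2, unattended runs: keep a DPAPI-protected copy on disk.
# ConvertFrom-SecureString without -Key encrypts with the current user's DPAPI key, so the file is
# only readable by the same Windows account on the same machine; copied elsewhere it is opaque.
$secretFile = Join-Path $env:LOCALAPPDATA 'vmadmin.cred'   # placeholder path
$adminUser  = 'azureadmin'                                  # placeholder account name

if (Test-Path $secretFile) {
    $securePassword = Get-Content -Path $secretFile | ConvertTo-SecureString
    $cred = New-Object System.Management.Automation.PSCredential($adminUser, $securePassword)
} else {
    $cred = Get-Credential -UserName $adminUser -Message 'VM local administrator'
    $cred.Password | ConvertFrom-SecureString | Set-Content -Path $secretFile
}

# The classic cmdlets take the password as a plain string, so decrypt it only at the call site
# and only into a local variable that goes out of scope when the function returns.
function New-LabVm {
    param(
        [string]$ServiceName,
        [string]$Name,
        [string]$ImageName,
        [pscredential]$Credential
    )
    $plain = $Credential.GetNetworkCredential().Password
    New-AzureQuickVM -Windows -ServiceName $ServiceName -Name $Name -ImageName $ImageName `
        -AdminUsername $Credential.UserName -Password $plain -InstanceSize 'Small'
}

# Pick the newest Windows Server 2012 R2 gallery image by label rather than hard-coding an image name.
$imageName = (Get-AzureVMImage |
    Where-Object { $_.Label -like 'Windows Server 2012 R2*' } |
    Sort-Object PublishedDate |
    Select-Object -Last 1).ImageName

New-LabVm -ServiceName 'labsvc' -Name 'web01' -ImageName $imageName -Credential $cred
```

Two caveats a practitioner should keep in mind: the DPAPI file is bound to the user and machine that wrote it, so it does not travel with the script (which is the point, but it also means each runner must be seeded once), and the plain-text password still exists in process memory for the duration of the cmdlet call, which is unavoidable with an API that takes a string.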
For those who are not familiar with the essentials of Microsoft Azure Infrastructure Services, its compliance, pricing, and cost structure, here are additional resources:
- Azure 101 Series for establishing basic building blocks of Microsoft Azure Infrastructure Services
- Azure 102 Series for installing Microsoft Azure PowerShell module
- Azure compliance, pricing, and cost information