The Azure Portal A to Z
This is a post about the Azure platform at large. It attempts to explain it in its entirety, using the Azure portal as the launching point for discussion. There are currently around 26 separate menu selections from the portal itself.
Each one of these menu items can be considered a career in itself. Think about machine learning, networking, big data, and much more.
Even though I am an insider at Microsoft, and have access to some of the product engineering teams, I am constantly challenged with keeping up. The rate of innovation now taking place can boggle the mind.
I created this post so that you could evaluate your own knowledge and find gaps or weaknesses. At the end of the post I try to do a little more drilling down into identity and storage, but I'm still scratching the surface. I hope you find this useful and I look forward to your comments.
Deck built by Bruno Terkaly
- Principal Software Engineer
- Microsoft
- Mobile/Cloud/Startup/Enterprise
Understanding the whole platform
- Can you explain all the different parts of the Azure portal?
Microsoft engineering is on fire
- Microsoft's cloud offering, Azure, is growing at an exponential pace
Numbers speak for themselves
- The scale of the 19 public data centers is remarkable
- This is the portal that we're walking through
- It currently has 26 separate menu selections to choose from
- There is a newer, more modern portal at https://portal.azure.com (in preview)
Azure Web Sites
- Represents the most automated way to run websites
- A migration assistant can aid in moving existing web sites over
- This is essentially platform as a service
Virtual Machines
- The core for infrastructure as a service
- This is where you provision Linux and Windows virtual machines
- You choose your hardware, your operating system, and configure networking and storage
- The high-end G5 machine is a 32 core, incredibly powerful piece of hardware
Mobile Services
- Brings together a bunch of disparate services all in one place
- It's about identity, storage, web services, and more
Cloud Services
- This is platform as a service
- Has built-in health monitoring and patching
- Operates on the concept of upgrade and fault domains
- Scales up and down very easily
- Simple deployment model, directly from Visual Studio
SQL Database
- This is a relational database as a service
- Extremely economical
- Works with all the traditional tools, like SQL Server Management Studio
Storage
- Azure includes a variety of triply replicated, scalable, high performance data stores
- All of them have a REST interface to support virtually any language or environment
- Some include high performance options like Azure Premium Storage
HDInsight
- This is Microsoft's big data offering
- Based on the HortonWorks implementation
- Typically means you are programming in Hive and Pig
Media Services
- This is about making media consumable from mobile and web
- It is about streaming and encoding at scale
- It is about DRM
- There are also audio-to-text services
Service Bus
- The Service Bus is about messaging
- It is about connecting computers and punching through firewalls
- It supports the Pub/Sub Model with multiple producers and multiple message consumers
- It supports sending push notifications through the Apple Push Notification Network, Google Push Notifications, Windows Notifications
Visual Studio Online
- Supports DevOps, playing a role in building, deployment, and load testing
- Stores test results for future analysis
Cache
- The name Redis means REmote DIctionary Server
- Redis is a data structure server
- It is open-source, networked, in-memory, and stores keys with optional durability
- The development of Redis has been sponsored by Pivotal Software since May 2013; before that, it was sponsored by VMware
BizTalk Services
- Typically used for B2B scenarios
- Enables companies to automate business processes
- Uses adapters which are tailored to communicate with different software systems used in an enterprise
- It is about enterprise application integration, business process automation, business-to-business communication, message broker and business activity monitoring
Recovery Services
- Data recovery is critical
- There is a Windows Backup agent as well as the DPM backup agent
- You can use Microsoft System Center to back up data to Windows Azure
- You will need to use or set up a certificate to work with Azure Recovery Services backup
- This allows you to back up an on-premises Windows Server to Azure
- It involves a certificate (download the vault credentials), the installation of a backup agent, and some simple configuration
CDN
- A global solution for delivering high-bandwidth content
- You can cache blobs or static web content
- Better performance and user experiences for your users
- Be prepared for instant high load, such as what occurs during a product launch
Automation
- Automate frequent, time-consuming, error-prone cloud management tasks
- Handle processes that span tools, systems, and departmental silos
Scheduler
- Manages the schedule for scripting
- Coordinates the schedule among the many Azure services
- A cloud-scale cron job; it doesn't execute code itself, but invokes a service which executes code
- Used indirectly by other services within Azure, and directly by developers to invoke a service
- Invoke big data jobs within HDInsight
API Management
- Good for companies that want to sell an API or accelerate the adoption of their API by developers
- Examples include APIs for making phone calls or sending SMS messages
- Expose data and services for your products to other business partners
- Create an integrated experience within portals
- Make it easy to discover and use and have managed access
- Supports authentication, throttling, rate limiting, quota setting
Machine Learning
- Machine learning is a scientific discipline that explores the construction and study of algorithms that can learn from data
- One great way to think about machine learning is to break down analytics into 3 questions: What happened?, What will happen? What should I do next?
- Relevant to information workers, IT professionals, and data scientists
Networks
- Extend your data Center into the cloud
- Isolate/segregate networks to improve security (only VMs and services within the same virtual network can identify or connect to each other)
Traffic Manager
- Monitors your endpoints to validate ongoing availability
- Remap your domain name to the Traffic Manager domain name so that Traffic Manager's name servers route the traffic
Remote App
- Azure RemoteApp helps employees stay productive anywhere, and on a variety of devices - Windows, Mac OS X, iOS, or Android
- Your company's applications run on Windows Server in the Azure cloud, where they're easier to scale and update
- Employees install Microsoft Remote Desktop clients on their Internet-connected laptop, tablet, or phone, and can then access applications as if they were running locally
- Quickly ramp up and ramp down for seasonal workers
Management Services
- Empower administrators to easily manage your entire cloud infrastructure from one place
- View the status of a variety of Azure services
- View incident notifications and log files
Active Directory
- Secure your web applications, web services, as well as mobile applications
- Make use of REST API based identity Services, WS-Federation, SAML 2.0, OAuth 2.0, OpenID Connect
Marketplace
- If you're an ISV, sell your products and services to a global audience
- Publish an application service in the Azure Marketplace
- Publish a virtual machine image in the Azure Marketplace
StorSimple
- Azure StorSimple is an efficient, cost-effective, and manageable solution that eliminates many of the issues and expense associated with enterprise storage and data protection
- It uses a proprietary device (the Microsoft Azure StorSimple device) and integrated management tools to provide a seamless view of all enterprise storage, including cloud storage
- 60-80% Lower Total Cost of Ownership (TCO)
- Reduced cost associated with: Cloud integration, Data management, Media management, Data center resources
Settings
- Specify co-administrators for your subscription
- View how many cores, cloud services, and storage accounts you have used so you know how much you have left
Azure: Security, Privacy and Compliance
- Azure invests heavily into security, privacy, and compliance
- We will review how Azure reduces exposure, saves time, and improves global coverage
Goals / Mission Statement
- The goal is for businesses to spend less time engineering solutions for compliance purposes
SOC 2 Audits
- SOC 2 is focused on financial controls, and Azure is SOC 2 compliant
- Microsoft has retained a large public accounting firm as its auditor
Why Azure is Secure
- 24-hour monitored physical security. Datacenters are physically constructed, managed, and monitored to shelter data and services from unauthorized access as well as environmental threats
- Monitoring and logging. Security is monitored with the aid of centralized monitoring, correlation, and analysis systems that manage the large amount of information generated by devices within the environment and provide timely alerts. In addition, multiple levels of monitoring, logging, and reporting are available to provide visibility to customers
- Patching. Integrated deployment systems manage the distribution and installation of security patches. Customers can apply similar patch management processes for Virtual Machines deployed in Azure
- Antivirus/Antimalware protection. Microsoft Antimalware is built-in to Cloud Services and can be enabled for Virtual Machines to help identify and remove viruses, spyware and other malicious software and provide real time protection. Customers can also run antimalware solutions from partners on their Virtual Machines
- Intrusion detection and DDoS. Intrusion detection and prevention systems, denial of service attack prevention, regular penetration testing, and forensic tools help identify and mitigate threats from both outside and inside of Azure
- Zero standing privileges. Access to customer data by Microsoft operations and support personnel is denied by default. When granted, access is carefully managed and logged. Data center access to the systems that store customer data is strictly controlled via lock box processes
- Isolation. Azure uses network isolation to prevent unwanted communications between deployments, and access controls block unauthorized users. Virtual Machines do not receive inbound traffic from the Internet unless customers configure them to do so
- Azure Virtual Networks. Customers can choose to assign multiple deployments to an isolated Virtual Network and allow those deployments to communicate with each other through private IP addresses
- Encrypted communications. Built-in SSL and TLS cryptography enables customers to encrypt communications within and between deployments, from Azure to on-premises datacenters, and from Azure to administrators and users
- Private connection. Customers can use ExpressRoute to establish a private connection to Azure datacenters, keeping their traffic off the Internet
- Data encryption. Azure offers a wide range of encryption capabilities up to AES-256, giving customers the flexibility to implement the methods that best meet their needs
- Identity and access. Azure Active Directory enables customers to manage access to Azure, Office 365 and a world of other cloud apps. Multi-Factor Authentication and access monitoring offer enhanced security
Certifications
- There are a vast number of certifications that Azure has secured
Bonus Material
- Mobile applications are becoming increasingly popular in the enterprise
- This next section will focus on some of the solutions available to solve authentication challenges for mobile applications
Options for secure mobile
- I have authored several articles in MSDN magazine around this topic
- The content here can be seen in its entirety in MSDN Magazine
Thinking about LOB Apps
- Key Characteristics of LOB/Mobile Apps
- Identity as a key pillar
Options for secure mobile
- Another important concern when running applications on personal devices is Network Location Awareness (NLA)
- This means when a request comes in for a protected network resource, you can determine whether that request originated from outside the corporate network
- NLA provides an extra layer of protection because it helps enforce additional rules, such as multi-factor authentication for requests generated outside the corporate network
- To implement network location awareness typically means you create some sort of proxy Web service in a DMZ
- A DMZ is a network that exposes an organization's external-facing services to a larger and untrusted network, like the Internet
- You can use these proxies to trigger additional rules and insulate private resources on a network from outside access
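As an added illustration of the NLA rule described above (not code from the original post or from the MSDN Magazine articles), here is a small Python policy function of the kind a DMZ proxy might apply. The corporate address ranges, the proxy address and the request values are constructed for the example; the point worth noticing is that the forwarded client address is trusted only when the request actually arrived through the proxy, otherwise a caller could claim an internal address in the header and skip the outside-the-network rule.

```python
import ipaddress

# Constructed example values: corporate address space and the DMZ proxy's own address.
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.100.0/24")]
TRUSTED_PROXIES = {ipaddress.ip_address("203.0.113.10")}


def client_address(remote_addr, x_forwarded_for=None):
    """Work out where the request really originated.

    X-Forwarded-For is honoured only when the direct peer is the DMZ proxy;
    from any other peer the header is ignored, because its content is under
    the caller's control.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer in TRUSTED_PROXIES and x_forwarded_for:
        # The first hop in the chain is the original client.
        first_hop = x_forwarded_for.split(",")[0].strip()
        return ipaddress.ip_address(first_hop)
    return peer


def is_corporate(addr):
    return any(addr in net for net in CORP_NETWORKS)


def access_decision(remote_addr, x_forwarded_for=None, mfa_completed=False):
    """Return 'allow' or 'require_mfa' for a request to a protected resource.

    Requests from inside the corporate network pass; requests from outside
    must have completed multi-factor authentication first.
    """
    origin = client_address(remote_addr, x_forwarded_for)
    if is_corporate(origin):
        return "allow"
    return "allow" if mfa_completed else "require_mfa"
```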
Identity Landscape
- The enterprise identity landscape is large and complex
- First, you have a variety of software technology to solve identity challenges
- You need to take into account the identity stakeholders and what type of devices you wish to support
- Then there are some industry-standard protocols and token formats that you need to adhere to
BYOD - Registering Device
- How to ensure secure, encrypted communication between corporate resources and the device itself
- In the enterprise there is a need to enforce some type of control over personal devices
- But it is too extreme to force users to fully domain join their devices
- A less-extreme version of control is called a workplace join
- Installing a device certificate as part of the provisioning process
- Step 1 is to authenticate a user against a trusted directory service
- Successful device provisioning (or registration) results in a JSON-based token on the device
- The token can be used to ensure secure communication between users and the corporate network
Azure Mobile Services
- Simple provisioning and management of tables for storing app data
- Integration with notification services to deliver push notifications to your app
- Integration with well-known identity providers for authentication
- Granular control for authorizing access to tables
- Custom business logic on the server
- Integration with other cloud services
- Supports the ability to scale a mobile service instance
- Service monitoring and logging
Azure Mobile Services
- Azure Mobile Services provides an easy workflow to provision secure mobile applications in the enterprise
- Tokens can be saved directly to the key store of a mobile device so that a user does not need to continually log in
Azure Mobile Services
- Azure Mobile Services provides an easy workflow for iOS, Android, and Windows devices
- The portal even provides some starter projects that are supported in Xcode, Android Studio, and Visual Studio
- Azure Mobile Services provides constructs for identity, database storage, and web service back ends
Active Directory Trust Relationships
- The traditional approach of using trust relationships is documented here
- This can be a cumbersome process but does provide many advantages, like single sign-on
Configure Active Directory
- When provisioning your Azure mobile service backend, there are a few questions to answer
- In return you will receive some metadata that you can encode directly into your mobile application
- Allowed tenants: the app will only accept users from this tenant
- Client ID comes from the web app registration, that is, the app registered within the tenant
- App URL is what the example MSDN Magazine app wants to expose
- Add a user, or use DirSync
- Users from that domain have access to the app URL
- The app lives inside the tenant, giving access to members of that tenant
- You could map a user from another tenant
A deeper example
- Here is an example scenario whereby free text search is provided to a variety of REST-capable clients
- The specific diagram leverages Azure Search, which is one of the available services, similar to ElasticSearch
- Notice that there are a variety of authentication mechanisms
- Also notice that there is an abstraction layer of the web service that brokers the conversation to some of the other services within Azure
Applications to Support Multiple Companies
- Azure Active Directory lets you set up a variety of tenants or directory entries for specific companies
ADFS versus Directory Sync
- Azure Active Directory provides directory sync, which enables you to take your on-premises identities and migrate them to the cloud, offloading authentication away from your on-premises infrastructure
- This diagram also illustrates the use of ADFS 2.0, which can provide a single sign-on token directly from your on premises infrastructure. This may not be the ideal approach since it forces you to expose your corporate infrastructure to external applications
Directory Sync - Authenticating in the Cloud
- Directory sync is a feature of Azure Active Directory that allows you to take your on-premises identities and store them in an Azure data center, allowing applications from the Internet to authenticate while keeping your on-premises directory services safe
Using Hybrid Connections
- Hybrid connections are another technology from Microsoft that allows you to expose corporate resources to cloud hosted applications or mobile applications from the Internet
- Websites and Mobile Services can access existing on-premises data and services securely
- Multiple Websites or Mobile Services can share a Hybrid Connection to access an on-premises resource
- Minimal TCP ports are required to access your network
- Applications using Hybrid Connections access only the specific on-premises resource that is published through the Hybrid Connection
- Can connect to any on-premises resource that uses a static TCP port, such as SQL Server, MySQL, HTTP Web APIs, and most custom Web Services
- Can be used with all frameworks supported by Azure Websites (.NET, PHP, Java, Python, Node.js) and Azure Mobile Services (Node.js, .NET)
Using Service Bus Relays
- The Azure Service Bus provides a relay mechanism that makes it possible to have a peer-to-peer connection between two endpoints protected by firewalls
Storage Overview
- Azure Storage Options
- There are many types of storage options for the MS cloud. We will focus on Azure tables
- Here is what we'll cover:
- When to use Azure Tables
- When they are appropriate to consider
- Understanding that Azure Tables are a collection of entities
- Access Azure Tables directly or through a cloud application
- Key Features of Azure Tables
- Relationship between accounts, Tables, and entities
- Efficient Inserts and Updates
- Designing for scale
- Query Design and Performance
- Understanding Partition Keys
- How data is partitioned
- Coding considerations
- Azure Table Query Concepts
- Understanding TableServiceEntity/TableServiceContext
- Additional Resources
Tables, Blobs, Queues, DBs
- Understanding core pillars of storage
Tables - When to use
- When to use Azure tables
- These are some typical use case scenarios for using Azure tables
- Azure tables are optimized for capacity and performance (scale)
Tables - When to use
- Azure Tables - When Appropriate
- SQL Database does not scale infinitely
- If your code requires strong relational semantics, Azure tables are not appropriate. They don't allow for join statements
- You can think of Azure tables as nothing more than a collection of objects. Note that each entity (similar to a row in a table) could have different attributes. In the diagram above, the second entity does not have a city property
- One of the beauties of Azure Tables is that you can replicate across data centers, aiding in disaster recovery
Tables - Conceptual
- Tables: A collection of entities
- A table is a collection of entities
- An entity is like an object. It has name/value pairs
- An entity is kind of like a row in a relational database table, with the caveat that entities don't need to have the exact same attributes
Tables - Rest-enabled
- Accessing Azure Table Storage From Azure
- Any application that is capable of HTTP is capable of communicating with Azure tables. That is because Azure tables are REST-based. This means a Java or PHP application can directly perform CRUD (create, read, update, delete) operations on an Azure Table
Tables - Service Orientation
- Accessing Azure Table Storage From Azure
- Azure cloud applications can be hosted in the same data center as the Azure Table Storage. The compelling point here is that the latency from the cloud application is very low, so it can read and update the data at very high speeds
Tables - Partition Key / Row Key
- Designing For Scale
- The PartitionKey and RowKey are required properties for each entity. They play a key role in how the data is partitioned and scaled. They also determine performance for various queries. As mentioned previously, they also play a role in transactions (transactions cannot span PartitionKeys)
- How to issue efficient queries will be addressed later in this post
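The following Python model is added here to make the last few sections concrete; it is a hypothetical in-memory stand-in, not the Azure SDK and not code from the original post. It captures the stated semantics: entities are schema-less apart from the two required keys, a point query on PartitionKey + RowKey does no scanning while a property filter walks the partition, and an entity group transaction is atomic but cannot span PartitionKeys. The sample entities in the test are constructed.

```python
class TableModel:
    """Hypothetical in-memory model of one Azure Table (not the SDK).

    A table is a collection of entities keyed by PartitionKey + RowKey;
    entities need not share any other property.
    """

    def __init__(self):
        self._partitions = {}  # PartitionKey -> {RowKey -> entity dict}

    @staticmethod
    def _keys(entity):
        # The two keys are the only mandatory properties on any entity.
        if "PartitionKey" not in entity or "RowKey" not in entity:
            raise ValueError("PartitionKey and RowKey are required")
        return entity["PartitionKey"], entity["RowKey"]

    def _apply(self, partitions, op, entity):
        pk, rk = self._keys(entity)
        rows = partitions.setdefault(pk, {})
        if op == "insert":
            if rk in rows:
                raise LookupError("409 Conflict: entity already exists")
            rows[rk] = dict(entity)
        elif op == "upsert":
            rows[rk] = dict(entity)
        elif op == "delete":
            if rk not in rows:
                raise LookupError("404 Not Found")
            del rows[rk]
        else:
            raise ValueError("unknown operation: " + op)

    def insert(self, entity):
        self._apply(self._partitions, "insert", entity)

    def get(self, pk, rk):
        # Point query: two dictionary lookups, no scanning.
        return self._partitions.get(pk, {}).get(rk)

    def partition_scan(self, pk, predicate=lambda e: True):
        # Filtering on non-key properties has to walk the whole partition.
        return [e for e in self._partitions.get(pk, {}).values() if predicate(e)]

    def batch(self, operations):
        """Entity group transaction: all-or-nothing, within one partition."""
        pks = {self._keys(e)[0] for _, e in operations}
        if len(pks) != 1:
            raise ValueError("batch cannot span PartitionKeys: %s" % sorted(pks))
        pk = pks.pop()
        # Stage on a copy so a failing operation leaves the table untouched.
        staged = {pk: dict(self._partitions.get(pk, {}))}
        for op, entity in operations:
            self._apply(staged, op, entity)
        self._partitions[pk] = staged[pk]
        return len(operations)

    def try_batch(self, operations):
        """Like batch(), but report the outcome instead of raising."""
        try:
            return True, "%d operations committed" % self.batch(operations)
        except (LookupError, ValueError) as exc:
            return False, str(exc)
```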
Anonymous
January 11, 2015
What is the cost involved in learning Azure? Google Apps have a free price to try everything locally. How about Azure?
Anonymous
January 12, 2015
Is there a reason why you chose to not publish this as a downloadable PPT as well?
Anonymous
January 15, 2015
Is there any difference in the portal experience for Azure in Open?
Anonymous
January 23, 2015
The growth of Azure features is amazing! Thanks for the tour.
Anonymous
January 31, 2015
good one. I am looking for the same in PPT? Pls share if you don't mind. thanks.
Anonymous
March 17, 2015
@BNC: Try the free trial azure.microsoft.com/.../free-trial