Azure Virtual Datacentre – Free eBook

Related image

Governance in Azure is a hot topic and I often find myself talking to customers about Azure Enterprise Scaffold which is a prescriptive approach to subscription governance. I noticed today that a new (free) eBook has been released by the Azure Customer Advisory Team (AzureCAT). This book discusses how hosting on a cloud infrastructure is fundamentally different from hosting on a traditional on-premises infrastructure, and provides detail about how you can use the Azure Virtual Datacentre model to structure your workloads to meet your specific governance policies.

The first part of the eBook discusses three essential components; Identity, Encryption and Software Defined Networking with compliance, logging, auditing and reporting running across all these areas. It goes into detail about the technologies available in Azure that can help you to achieve this, for example Microsoft Compliance Manager, Availability Zones and other features such as Global VNet peering which I’ve discussed in other blog posts. It also talks about new and upcoming features such as confidential computing through TEE as well as virtual machine capabilities such as Secure Boot and Shielded VMs. There are many more areas discussed in the book which is well worth reading.

The second part of the eBook brings this to life using Contoso as an example case study and this helps you to visualise and understand how you could interpret it for your organisation. The final part of the book discusses the cloud datacentre transformation, and how this is an on-going process to modernise an organisations IT infrastructure. It talks about the balance between agility and governance and discusses some common workload patterns.

This looks to be a great read (kudos to the AzureCAT team!) to make what is a difficult area easier to understand, and also provides a great model to pin design considerations against. Look forward to reading it in more detail later! The book can be downloaded at the following link: https://azure.microsoft.com/en-us/resources/azure-virtual-datacenter/en-us/

Recap of key Azure features from Ignite Part 2

… continuation of the Part 1 post which can be found here

The following post summarises the recap of the remaining 5 features that I found interesting from the announcements at the Ignite conference.

Azure Top 10 Ignite Features

5. Global Virtual Network Peering (preview)

Inter-VNet peering is a technology that allows you to connect a VNet directly to another VNet, without having to route that traffic via a gateway of some sort. Bear in mind that VNets are isolated until you connect them via a gateway, this feature allows you to essentially peer the VNet with another VNet thus removing the complexity of routing that traffic via a gateway and/or back on-premises. In addition, it allows you to take advantage the Microsoft backbone with low latency and high bandwidth connectivity. Inter-VNet peering is available to use today, however is constrained to a particular region (I.e. you can only peer VNets that exist within UK South, for instance – not between UK South and UK West).

virtual network peering transit

Source: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Global VNet peering addresses that and allows you to peer between regions thus gaining global connectivity, without having to route via your own WAN. This feature is currently in preview in selected regions (US and Canada)

4. New Azure VM Sizes

Many new virtual machine sizes have been announced recently, factoring in differing workload types (e.g. for databases) as well as more cost effective virtual machines. A large number of organisations see Azure IaaS as a key platform allowing them to scale workloads that still require complete control over the operating system.

The announcements around Ignite were mainly focused around SQL server and Oracle type workloads that require high memory and storage, but are not typically CPU intensive. Some of the latest specifications, e.g. DS, ES, GS and MS provide constrained CPU counts to 1/4 or 1/2 of the original VM Size.

An example of this would be the Standard GS5 which comes with 32vCPU, 448GB memory, 64disks (up to 256TB total), and the new GS5-16 which comes with 16 and 8 active CPU respectively.

Another interesting VM type announced recently would be the B-series (burstable VMs) which allows credits to be recovered and applied back to your monthly totals for unused CPU. One to review!!

3. Planned VM maintenance

Maintenance in Azure has long been a bug bear of many customers. If you are operating a single virtual machine (which to be fair, you should think about architecting differently anyway…Smile) then at any time Microsoft may perform updates on the underlying hypervisors that run the platform. If your virtual machine is in this update domain then it will be restarted… and certain data (i.e. that stored in cache) may be lost.

Planned VM maintenance helps greatly here as it provides better visibility and control into when maintenance windows are occurring. Even allowing you to proactively start maintenance early at a suitable time for your organisation. You can create alerts, and discover which VMs are scheduled for maintenance ahead of time. In addition, you can choose between VM preserving and VM restarting/re-deploy state to better manage the recovery of the VM post maintenance.

As stated above, this problem goes away if you can re-architect your application accordingly with HA in mind. Plan to use Azure Availability Zones (AAZ) when they come out of preview and if not, look into regional availability and/or introduction of traffic manager and load balancers into your application.

2. Azure Migrate (preview)

Another great announcement was the introduction of a new capability called Azure Migrate, which is currently in preview. This service is similar to the Microsoft Assessment and Planning (MAP) kit however is very Azure focused (whereas MAP tended to be all about discovery and then light-weight Azure assessments).

The tool provides visibility into your applications and services and goes one step further to map the dependencies between applications, workloads and data. Historically, those working with Azure for a while will remember using tools like OMS to achieve this inter-dependency, or mapping it out themselves in pain staking fashion. A brief overview of the tool console is provided in the figures below:

Blog1Blur

Source: https://azure.microsoft.com/en-gb/blog/announcing-azure-migrate/

The tool is currently in preview, and is free of charge for Microsoft Azure customers (at time of writing). It is appliance based, and discovers virtual machines and performs intelligence such as “right-sizing” to the correct Azure VM type (thus saving costly IaaS overheads!!). It maps the multi-tier app dependencies and is a much deeper and richer capability set than MAP.

… and finally… drumroll please…

1. Azure Stack

I wrote a lengthy post on Azure Stack recently for the organisation I work for; Insight UK, and that post can be found here. Azure Stack was and is a big announcement from Microsoft and demonstrates their commitment to the Enterprise in my opinion. Microsoft have firmly recognised the need to retain certain workloads on-premises for a variety of reasons, from security/compliance through to performance, etc.

The Azure Stack is Microsoft’s true Hybrid Cloud platform and is provided by four vendors at present in HPe, Dell, Lenovo and Cisco. It provides a consistent management interface from the public Azure Cloud to on-premises, ensuring your DevOps/IT teams can communicate with applications in the same way irrespective of location. It allows for consistent management of both cloud native applications and legacy applications.

Image result for Azure Stack microsoft

Source: https://blogs.technet.microsoft.com/uktechnet/2016/02/23/microsoft-azure-stack-what-is-it/

Provided as either a four, eight or twelve node pre-configured rack, the software is locked down by Microsoft and only they can amend or provide updates. In addition the Stack firmware and drivers and controlled by the manufacturer and remain consistent with the software versions.

The hardware is procured directly from the vendor and then the resources are charged in a similar way to the public Azure cloud. The stack offers either a capacity based model or pay as you go, and can even operate in offline mode (great example with Carnival Cruise Ships)…

.. thanks for reading! – that’s my top 10 summary of Azure related announcements that came out of the Ignite conference in 2017. There is many more announcements and features and I hope to get more time to lab and write about them in the near future!

Update: Azure VNet Service Endpoints – Public Preview Expanded

I blogged about Virtual Network Service Endpoints (VNSE) recently after it was announced in preview mid September. From the earlier post;

Virtual Network Service Endpoints is a new feature to address situations whereby customers would prefer to access resources (Azure SQL DBs and Storage Accounts in the preview) privately over their virtual network as opposed to accessing them using the public URI.

Typically, when you create a resource in Azure it gets a public facing endpoint. This is the case with storage accounts and Azure SQL. When you connect to these services you do so using this public endpoint which is a concern for some customers who have compliance and regulatory concerns OR just want to optimise the route the traffic takes.

Initially this feature was restricted to the US and Australian regions. I missed the announcement last week that this feature has been expanded into all Azure regions (still in preview) – which is great news. I have introduced the preview of this feature to several customers recently and they saw great advantages in being able to address resources from a storage and SQL perspective privately rather than with a public URI and considered this something that would increase their opportunities in  the Azure space.