Azure the Microsoft Azure Cloud Platform Zorans Class
- Slides: 55
Azure the Microsoft Azure Cloud Platform Zoran’s Class 04-December-2015 • HELLO my name is Bill Wilder, Finomial CTO • @codingoutloud@gmail.com • blog.codingoutloud.com • linkedin.com/in/billwilder • Except where noted contents © 2014 Development Partners Software Corporation • http://www.devpartners.com
Don’t Mess with the Zoran R
Questions during or after? @codingoutloud
Azure is a Toolbox Image credit: https://www.flickr.com/photos/richardstep/7437999566
Azure is a BIG Toolbox Azure Image credit: https://www.flickr.com/photos/richardstep/7437999566
Breadth of Azure • Amount we’ll touch on
Compared to What? • Similar to AWS • Similar to Google Compute + AppEngine
… but different
Cloud Computing [Diagram: Packaged Software compared with Infrastructure, Platform and Software (as a Service); stack layers Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking, each marked “You manage” or “Managed by vendor”]
Azure Services • Compute: Virtual Machines, Cloud Services, Websites, Mobile Services, Batch • Network Services: ExpressRoute, Virtual Network, Traffic Manager • Data Services: Storage, SQL Database, HDInsight, Cache, Backup, Site Recovery, Machine Learning, StorSimple, DocumentDB, Azure Search, Data Factory, Stream Analytics, Operational Insights • App Services: Media Services, Service Bus, Push Notifications, Scheduler, BizTalk Services, Active Directory, Multi-Factor Authentication, Automation, CDN, API Management, Remote. Application Insights • https://manage.windowsazure.com • https://portal.azure.com
IaaS According to Gartner, Aug 2013 http://www.gartner.com/technology/reprints.do?id=1-1IMDMZ8&ct=130819&st=sb
PaaS According to Gartner, Jan 2014 http://www.gartner.com/technology/reprints.do?ct=140108&id=1-1P502BX&st=sb
Reality is Resource-Constrained “Security is always a tradeoff; it must be balanced with the cost.” - Bruce Schneier http://www.schneier.com/essay-207.html @Bill Wilder
Reality is Resource-Constrained “_______ is always a tradeoff; it must be balanced with the cost.” - Common Sense Wisdom http://www.schneier.com/essay-207.html
Members of Microsoft Azure Security Team
Defenses Inherited by Azure Applications • Threat categories: Spoofing, Tampering/Disclosure, Repudiation, Denial of Service, Elevation of Privilege • Defenses: VM switch hardening, VLANs, Top of Rack Switches, Custom packet filtering, Certificate Services, Shared-Access Signatures, Partial Trust Runtime, Monitoring, Diagnostics Service, HTTPS, Configurable scale-out, Hypervisor custom sandboxing, Virtual Service Accounts, Sidechannel protections
Defense in Depth Approach (Layer: Defense-in-Depth) • Data: Strong storage keys for access control; SSL support for data transfers between all parties • Application*: Front-end .NET framework code running under partial trust; Windows account with least privileges • Host: Hardened version of Windows Server 2008 OS for both VM Host and VM Guest operating systems; Host boundaries enforced by external hypervisor • Network: Host firewall limiting traffic to VMs; VLANs and packet filters in routers • Physical: World-class physical security; ISO 27001 and SAS 70 Type II certifications for datacenter processes
SQL Database • Column-level Encryption • Always Encrypted
Azure Active Directory
Key Management • Azure Key Vault
Client Encryption • Azure Storage SDK + Azure Active Directory + Azure Key Vault
Key Point to remember! Azure is a Toolbox
Azure is a Toolbox • Code your app • Deploy your app • Host your app source code • Host your app database • Manage and Monitor your app • User management • Integration (hybrid cloud) • Dev/Test • Automate Operations • And much more…
Code Your App • Visual Studio integration & cross-platform tooling • Platform support for PaaS and IaaS • Fast-start templates for creating a web site in many languages / toolkits • Supports many frameworks and languages – REST – ASP.NET, Node.js, Python, Java, PHP, …
Deploy Your App • Visual Studio Online (VSO) • Continuous Deployment (CD) from VSO, github, others
Monitor Your App: App Insights • Monitoring support • Alerting support • Services for gathering logs – “pets vs. cattle” • Application Insights
Automating Automation: RunBooks • I have stuff to automate … • … with PowerShell • On a schedule or ad hoc • Might have sensitive credentials • Might require auditing
A Tale of Two Portals
Where’s Azure? A global map: http://azuremap.blob.core.windows.net/apps/bingmap-geojson-display.html
Azure “Geo” Coming to India • “Microsoft's private preview of cloud services from India in July” http://www.business-standard.com/article/news-ians/microsoft-s-private-preview-of-cloud-services-from-india-in-july-115060401040_1.html • “Microsoft Announces Commercial Cloud Services from Local Datacenters by End 2015” http://news.microsoft.com/en-in/microsoft-announces-commercial-cloud-services-from-local-datacenters-by-end-2015/
Concrete Example Modern App Pattern
Microsoft Azure Compute Options • HDInsight (Hadoop) – specialized: big data • RunBooks service for automation/scripting • Mobile Services – specialized: devices • Virtual Machines – most flexible • Web Sites – most convenient • Cloud Services – most scalable, most efficient
Microsoft Azure Compute Options • HDInsight (Hadoop) – specialized: big data • RunBooks service for automation/scripting • Mobile Services – specialized: devices • Virtual Machines – most flexible • Web Sites – most convenient • Cloud Services – most scalable, most efficient • New Feature! Azure Service Fabric
Cloud Services • Build highly scalable apps and services • Multi-tier, multi-instance architectures • Can be combined with other compute services • Stateless node, horizontal scaling approach • Automated management
Cloud Services • Web Roles: 1+ types; Windows Server; Running IIS • “Service Model”: Deployment Package; Config: VM sizes & instance counts, settings, endpoints, certs… • Worker Roles: 1+ types; Windows Server; Could run Tomcat, etc.
Service Bus Queue • Durable – won’t lose your data • Reliable – backed by SLA and ops team • Scalable – Internet scale • Approachable – REST + SDKs • Feature rich – supports “at least once” and “at most once” delivery guarantees, pinning, suspend, & more… • See also: Azure Storage Queue
Scalable Architecture Web Role Instances Service Bus Queue Worker Role Instances
QCW Example: User Uploads Photo www. pageofphotos. com Web Server Reliable Queue Reliable Storage Compute Service
QCW [on Azure] WE NEED: • Compute (VM) resources to run our code ✓ Web Roles (IIS) and Worker Roles (w/o IIS) • Reliable Queue to communicate ✓ Azure Storage Queues • Durable/Persistent Storage ✓ Azure Storage Blobs & Tables; WASD
QCW on Azure: User Uploads a Photo www. pageofphotos. com push Web Role (IIS) pull Azure Queue Worker Role Azure Blob UX implications: user does not wait for thumbnail (architecture!)
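download_blob_to_file.py

    from azure.storage import BlobService  # legacy Azure SDK for Python

    # az_storage_account_name, az_storage_account_key, blob_container_name,
    # blob_name and file_path are expected to be defined by the caller.
    blob_service = BlobService(
        account_name=az_storage_account_name,
        account_key=az_storage_account_key)

    # get_blob returns the blob's content as bytes
    blob_bytes = blob_service.get_blob(blob_container_name, blob_name)

    # binary mode, so the bytes are written to disk unmodified
    with open(file_path, 'wb') as f:
        f.write(blob_bytes)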
QCW enables Responsive UX • Response to interactive users is as fast as a work request can be persisted • Time consuming work done asynchronously • Comparable total resource consumption, arguably better subjective UX • UX challenge – how to express Async to users? – Communicate Progress – Display Final results – Long Polling/Web Sockets (e.g., SignalR or Node.io)
QCW enables Scalable App • Decoupled front/back provides insulation – Blocking is Bane of Scalability – Order processing partner doing maintenance – Twitter down – Email server unreachable – Internet connectivity interruption • Loosely coupled, concern-independent scaling – (see next slide) – Get Scale Units right – Key to optimizing operational CO$T$
General Case: Many Roles, Many Queues [Diagram: Web Role (Admin), Web Role (Public), Web Role (IIS); Queue Type 1, Queue Type 2, Queue Type 3; Worker Role Type 1, Worker Role Type 2] • Scaling best when Investment α Benefit • Optimize for CO$T EFFICIENCY • Logical vs. Physical Architecture depends on current scale
Reliable Queue & 2-step Delete [Diagram: Web Role (IIS), Queue, Worker Role]

    // Web Role: enqueue a reference to the uploaded blob
    var url = "http://pageofphotos.blob.core.windows.net/up/<guid>.png";
    queue.AddMessage( new CloudQueueMessage( url ) );

    // Worker Role, step 1: get the message; it stays on the queue but is
    // invisible to other consumers for the invisibility window
    var invisibilityWindow = TimeSpan.FromSeconds( 10 );
    CloudQueueMessage msg = queue.GetMessage( invisibilityWindow );
    // … do some processing, then …
    // step 2: delete the message only after processing has succeeded
    queue.DeleteMessage( msg );
QCW requires Idempotent • Perform idempotent operation more than once, end result same as if we did it once • Example with Thumbnailing (easy case) • App-specific concerns dictate approaches – Compensating action, Last write wins, etc. • PARTNERSHIP: division of responsibility between cloud platform & app – Far cry from database transaction
QCW expects Poison Messages • A Poison Message cannot be processed – Error condition for non-transient reason – Use dequeue count property • Be proactive – Falling off the queue may kill your system • Determine a Max Retry policy per queue – Delete, put on “bad” queue, alert human, …
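Added example (not from the original slides, and not the Azure SDK): a small in-memory stand-in for a reliable queue, showing how 2-step delete, idempotent thumbnailing and a dequeue-count poison check fit together. The ToyQueue class, the MAX_DEQUEUE policy of 3 and the example.invalid URLs are assumptions made for the illustration.

```python
import itertools

MAX_DEQUEUE = 3  # assumed per-queue max-retry policy

class ToyQueue:
    """Added example: in-memory stand-in for a reliable queue, not the Azure SDK."""
    def __init__(self):
        self.msgs = {}                      # id -> [body, visible_at, dequeue_count]
        self.ids = itertools.count(1)
    def add_message(self, body):
        self.msgs[next(self.ids)] = [body, 0.0, 0]
    def get_message(self, now, window):
        for mid, m in self.msgs.items():
            if m[1] <= now:                 # visible: new, or never deleted in time
                m[1], m[2] = now + window, m[2] + 1
                return mid, m[0], m[2]
        return None
    def delete_message(self, mid):
        self.msgs.pop(mid, None)

def make_thumbnail(url, blobs):
    if not url.endswith(".png"):
        raise ValueError("not an image")    # non-transient: retrying cannot help
    blobs[url + ".thumb"] = "thumbnail-of:" + url   # same key and value each run: idempotent

def worker_step(queue, poison, blobs, now, window=10, crash_before_delete=False):
    got = queue.get_message(now, window)
    if got is None:
        return "empty"
    mid, url, count = got
    if count > MAX_DEQUEUE:                 # poison check on the dequeue count
        poison.append(url)                  # park on a "bad" queue for a human
        queue.delete_message(mid)
        return "poisoned"
    try:
        make_thumbnail(url, blobs)
    except ValueError:
        return "failed"                     # no delete: reappears after the window
    if crash_before_delete:
        return "crashed"                    # work done, step 2 never ran: redelivered
    queue.delete_message(mid)               # step 2 of the two-step delete
    return "done"

def demo():
    q, poison, blobs = ToyQueue(), [], {}
    q.add_message("http://example.invalid/up/a.png")   # constructed sample inputs
    q.add_message("http://example.invalid/up/b.txt")
    log = [worker_step(q, poison, blobs, now=0, crash_before_delete=True)]
    log += [worker_step(q, poison, blobs, now=t) for t in (1, 11, 12, 22, 33, 44)]
    return log, poison, blobs
```

The first message is processed twice (once before the simulated crash, once after redelivery) yet leaves a single thumbnail; the second never succeeds and is moved aside once its dequeue count exceeds the policy.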
Azure is a Toolbox Azure Image credit: https://www.flickr.com/photos/richardstep/7437999566
App Toolbox Azure • Compute Producer: VM, Cloud Service Web Role, Service Fabric, Web Site • Compute Consumer: VM, Cloud Service Worker Role, Service Fabric, Web Job • Storage: SQL DB, Azure Storage Blob, Azure Storage Table, Document DB • Messaging: Service Bus, Azure Storage Queue • Telemetry: App Insights • Management: portal. azure. com
More Tools Azure • Compute Producer: VM, Cloud Service Web Role, Service Fabric, Web Site, Console app on your laptop • Compute Consumer: VM, Cloud Service Worker Role, Service Fabric, Web Job • Storage: SQL DB, Azure Storage Blob, Azure Storage Table, Document DB, MySQL, Mongo, … • Messaging: Service Bus, Azure Storage Queue, RabbitMQ, … • Telemetry: App Insights, New Relic, AppDynamics, … • Management: portal.azure.com, …
QCW requires “Plan for Failure” • VM restarts will happen – Hardware failure, O/S patching, crash (bug) • Bake handling of restarts into our apps – Restarts are routine: system “just keeps working” – Idempotent support is important – Event Sourcing (commonly seen with CQRS) may help • Not an exception case! Expect it! • Consider N+1 Rule
What’s Up? Reliability as EMERGENT PROPERTY [Table: columns Typical Site, Any 1 Role Inst, Overall System; rows Operating System Upgrade, Application Code Update, Scale Up, Down, or In, Hardware Failure, Software Failure (Bug), Security Patch; cell values not preserved]
What about the DATA? • You: Azure Web & Worker Roles – Taking user input, dispatching work, doing work – Follow a decoupled queue-in-the-middle pattern – Stateless compute nodes • Cloud: “Hard Part”: persistent, scalable data – Azure Queue & Blob Services – Three copies of each byte – Geo-replicated to sister data center – Busy Signal Pattern – Scalability targets: https://msdn.microsoft.com/en-us/library/azure/dn249410.aspx
? Questions? Comments? More information?