Event Notes - Aidan Finn, IT Pro

Microsoft Ignite 2018: Implement Cloud Backup & Disaster Recovery At Scale in Azure

Speakers: Trinadh Kotturu, Senthuran Sivananthan, & Rochak Mittal

Site Recovery At Scale

Senthuran Sivananthan

Real Solutions for Real Problems

Customer example: Finastra.

BCP process: Define RPO/RTO. Document DR failover triggers and approvals.
Access control: Assign clear roles and ownership. Levarage ASR built-in roles for RBAC. Different RS vault for different BU/tenants. They deployed 1 RSV per app to do this.
Plan your DR site: Leveraged region pairs – useful for matching GRS replication of storage. Site connectivity needs to be planned. Pick the primary/secondary regions to align service availability and quota availability – change the quotas now, not later when you invoke the BCP.
Monitor: Monitor replication health. Track configuration changes in environment – might affect recovery plans or require replication changes.
DR drills: Periodically do test failovers.

Journey to Scale

Automation: Do things at scale
Azure Policy: Ensure protection
Reporting: Holistic view and application breakdown
Pre- & Post- Scripts: Lower RTO as much as possible and eliminate human error

Demos – ASR

Rochak for demos of recent features. Azure Policies coming soon.

Will assess if VMs are being replicated or not and display non-compliance.

Expanding the monitoring solution.

Demo – Azure Backup & Azure Policy

Trinadh creates an Azure Policy and assigns it to a subscription. He picks the Azure Backup policy definition. He selects a resource group of the vault, selects the vault, and selects the backup policy from the vault. The result is that any VM within the scope of the policy will automatically be backed up to the selected RSV with the selected policy.

Azure Backup & Security

Supports Azure Disk Encryption. KEK and BEK are backed up automatically.

AES 256 protects the backup blobs.

Compliance

HIPAA
ISO
CSA
GDPR
PCI-DSS
Many more

Built-in Roles

Cumulative:

Backup reader – see only
Backup Operator: Enable backup & restore
Backup contributor: Policy management and Delete-Stop Backup

Protect the Roles

PIM can be used to guard the roles – protect against rogue admins.

JIT access
MFA
Multi-user approval

Data Security

PIN protection for critical actions, e.g. delete
Alert: Notification on critical actions
Recovery: Data kept for 14 days after delete. Working on blob soft delete

Backup Center Demo

Being built at the moment. Starting with VMs now but will include all backup items eventually.

All RSVs in the tenant (doh!) managed in a central place.

Aimed at the large enterprise.

They also have Log Analytics monitoring if you like that sort of thing. I’m not a fan of LA – I much prefer Azure Monitor.

Reporting using Power BI

Trinadh demos a Power BI reporting solution that unifies backup data from multiple tenants into a single report.

Microsoft Ignite–Building Enterprise Grade Applications With Azure Networking’s Delivery Suite

Speakers: Daniel Grickholm & Amit Srivastava

I arrived late to this session after talking to some product group people in the expo hall.

Application Gateway Demo

We see the number of instances dynamically increase and cool down – I think there was an app on Kubernetes in the background.

Application Gateway

Application gateway ingress controller for AKS v2.

Attach WAG to AKS clusters.
Load balance from the Internet to pods
Supports features of K8s ingress resource – TLS, multisite and path-based

Demo: we see a K8s containers app published via the WAG. The backend pool is shown – IPs of containers. Deleting the app in K8s removes the backend pool registration from the WAG (this fails in the demo).

Web Application Firewall

Demo – WAF

App behind a firewall with no exclusion parameters. Backend pool is a simple PHP application. Second firewall is using the same backend VM as a backend pool – a scan exclusion is set up to ignore any field which matches a “comments” string. The second one allows a comment post, the other one does not.

Get performance closer to the customer. Runs in edge sites, not the azure data centers.

Once you hit an edge site via front door, you are on the Azure WAN.

ADN = application delivery network

Big focus on SLA HA and performance. Built for Office.

5 years old and mature.

Can work in conjunction with WAG, even if there is some overlap, e.g. SSL termination.

What will be in the next demo:

Has an app for USA in Central US. Another for UK deployed in UK South. Shows the front door creation – Name/resource group, Configuration screen during creation is a bit different for Azure. Create a global CName and session affinity in fron end hosts. Create backends – app service, gateways, etc. You can set up host headers for custom domains, priority, port translation, priority for failover, weight for load balancing. You can add health probes to the backend pools, to a URL path, HTTP/S, and set the interval. Finally you create a routing rule; this maps frontend hosts to backend pools. You can set if it should be HTTP and/or HTTPS.

Skips to one he created earlier. When he browses the two apps that are in it, he is sent to the closest instance – in central US. You can set up rules to block certain countries.

You can implement rate limiting and policies for fairness.

You can implement URL rewrites to map to a different path on the web servers.

This is like traffic manager + WAG combined at the edges of the Azure WAN.

Front Door load balances between regions. WAG load balances inside the region – that’s why they work together.

Microsoft Ignite 2018: Office in Virtual Desktop Environments

Speakers: Gama Aguilar-Gamez & Sandeep Patnik

Goal: Make Office 365 Pro Plus a first class experience in virtualized environments.

Windows Virtual Desktop

The only mutli-user Windows 10 experience – note that this is RDmi and it also supports session hosts.
Optimized for Office 365 Pro Plus
Deploy and scale in minutes

Windows 10 Enterprise Multi-User

Scalable multi-user modern Windows user experience with Windows 10 Enterprise security
Windows 10
Multiple users
Win32, UWP
Office 365 Po Plus
Semi-Annual Channel

This is a middle ground between RDSH on Windows Server and VDI on Windows 10.

Demo

The presentation is actually being run from a WVD VM in the cloud. PowerPoint is a published application – we can see the little glyph in the taskbar icon.

User Profile Disks

High performance persistence of cached user profile data across all Office 365 apps and services.

Outlook OST/PST files – will be improved for GA of WVD. Support for UNC paths
OneDrive sync roots
OneNote notebook cache

Improving Outlook Start Up

Virtual environment friendly default settings
Sync Inbox before calendar for faster startup experience
Admin option to reduce calendar sync window
Reduce the number of folders that are synced by default
Windows Desktop Search is no per-user

See Exchange Account Settings to configure how much past email should be synced

Windows Desktop Search

Enables the full Outlook search experience that users expect
Per user index files are stored in the user profile for each roaming
No impact to CPU usage at steady state, minimal impact at sign in

With 100 users in a machine signing in simultaneously, enabling Windows Search has a 0.02% impact on the CPU.

Demo

Desktop of the remote machine is stretched across multiple displays – this demo is with a published desktop hosted in Windows 10 multi-user. Windows Desktop search is enabled. Instant search results in Outlook. OneDrive sync is working in a non-persistent machine – fully functional enabling the full collaboration experience in O365. Selective Sync works here too. Sync is cloud-cloud so the performance is awesome. In Task Manager, we see 3 users signed into a single Windows 10 VM via RDS.

OneDrive

Co-authoring and collaborative capabilities in wXP, powered by OneDrive.
OneDrive sync will run in non-persistent environments
Files on-demand capabilities
Automatically populate something

Support

Search products stay in sync with each other
Office 365 Pro Plus will always be supported with Win 10 SAC
Office 365 Pro Plus won Windows Server 2016 will be supported through October 2025

Best Practices

Outlook:

The OST file should be stored on local storage.
Outlook deployed with the primary mailbox in cached echange mode with the OST file stored on network storage, and an aggressive archiving strategy to an online archive mailbox
Outlook deploy in cached exchange mode with slider set to one month.

Office 365:

Licensing token roaming: Office 365 Pro-Plus 1704 or newer. You can configure the licensing token to roam with the users profile or be location on a shared folder on the network. This especially helpful for non persistent VDI scenarios.
SSO recommended. We recommend using SSO for good and consistent user experience. SSO reduces how often the users are prompted to sign in for activation. With SSO configured, Office activates with the credentials the user uses to sign into Windows if the user is also licensed for O365 Pro Plus.
If you don’t use SSO, consider using roaming profiles.

Preview

Public preview later 2018.

GA early 2019.

Q&A

If you want to use RDSH on Windows Server 2019 then Office 365 Pro Plus is not supported. You would have to use persistent Office 2019 so you get a lesser product. The alternatives are RDSH on Windows Server 2016 or Windows 10 Multi User (Azure).

Widows 10 Multi User is only available in Azure via Windows Virtual Desktop.

A lot of the above optimization, such as search indexing, rely on the user having a persistent profile on the latest version of Windows 10. So if that profile is a roaming profile or a UPD, then this works, in RDS or on physical,

Microsoft Ignite 2018–Functions Deep Dive

Functions v2.0 GA

New functions quick starts by language
Updated runtime built on .NET Core 2.1
.Net functions loading changes
New extensibility model
Run code form a package
Tooling updates: CLI, Visual Studio and VS Code
Durable functions GA

Differences From v1.0

There is a long list online:

Moved from .Net Framework 4.7.1 to .NET Core 2.1
Added assembly violation
Supports more Node.js
Languages are external to the host
Supports webhooks as triggers
Single language per function app instead of multiple
Use just application insights for observing code performance

Binding and Integrations

SDK functions: HTTP/Timer
Storage
Service Bus
Event Hubs
Cosmos DB
Event Grid
And more

And then lots of bullet point to explain architecture that didn’t really explain it. A picture tells a thousand words.

Planning Network Security For Your Mission-Critical Workloads With Virtual Networks

Speakers: Anitha Adusumilli and Mario Lopez

Networking ensure that data remains in your private space in the cloud. So it’s not just a VM thing.

Understanding Cloud Challenges

Dynamic, scalable workloads – no fixed network perimeter
Attack vectors based on application access patterns
Risk of data exposure to exploits, with a mix of IaaS, PaaS, and SaaS services

Cloud network security is evolving as the apps change!

Planning Network Security in Azure

Similar controls as on-premises.
Pick your network security offerings
Layer and scale
More flexible than on-premises – faster to deploy/tear down
Azure offers managed services

You can build a vNet and add subnets as security boundaries. You can add peered vNets locally and in other regions. And you might have external connections via VPN/ExpressRoute.

There are a mixture of Azure-native and third-party security offerings.

Application access Patterns

Use these to decide what network security solution to pick. Probably will be a mixture of the below.

Service endpoints
NSGs
ASGs
User-defined routes
DDoS Protection
WAF
Azure Firewall
NVAs

Security with Azure Services

VMs don’t need public IPs. However, when you use Azure services, they have public IPs, e.g. Azure SQL. This might require you to allow outbound connections that you might not have done before. Anyone with rights for default deployments can access from anywhere. But if you add services to the VNet, via service endpoints, and apply services firewalls, e.g. Azure SQL, then you can restrict access to these platform services.

Two patterns:

Add services to a VNet where the VNet is all that can access the service
Add services to a VNet to allow private access, but public access is also possible.

Pattern 1: Deploy services into VNet

Example, App Services Environment (ASE) is deployed into a subnet.

Security:

NSGs
NVAs
User-defined routing can control direction of traffic, e.g.a private deployment can only route via a gateway (forced tunnelling)
Services in Azure might require outbound access from your VNet. Use Service Tags to limit outbound traffic to local service.

New service tags:

Azure Webapps will be getting preview support soon – an alternative to P2S VPN.

Pattern 2: Service Endpoints

Extend VNet identity to the service
Secure your critical Azure resources to only your VNet
Traffic remains on the Microsoft backbone

How to Secure Your Resources Using Service Endpoints

Normal flow in new setup:

Set endpoint on your endpoint
Lock your service resource to your subnet

One-Time Migration:

Step 1: Add VNet rule without endpoint
Set endpoint on subnet
Remove the public IP setting

All scenarios: Remove “Allow All Azure Services” or “Allow All” settings.

Service Endpoint: Scaling Security

Resource locked to a VNet: No access to other VNets or Internet or on-premises.
Permit more VNets: Turn on service endpoints on VNets and add under “virtual Networks” on resource
Permit on-premises: Add the on-prem NAT IPs under “firewall” on resource.

Careful – locking network access down can prevent Azure services, such as backup. There are docs for these workarounds – ask Anitha Adusumilli.

Stitching Services Together

Secure Azure resources to managed service subnets with endpoints
More

Securing VNet traffic: Services Tags in NSGs

Restrict network access to just the azure services your use.
Maintenance of IP addresses for each tag provided by Azure (Service Tags)
Support for global and regional tags (varies by service)

Service endpoints: Data-Exfiltration Risk

NSG service tags not enough to prevent data exfiltration from VNet
Access to unauthorized accounts possible

Option 1: filtering with Azure Firewall or NVAs

Service endpoints bypass NVAs for service traffic, if set on originating subnet
Optionally, continue using NVAs for auditing/filtering service traffic
More

Service Endpoint Policies

Prevent unauthorized access to storage accounts
Restrict vnet access to specific azure storage accounts
Granular access control over service endpoints
West Central US and West US2 today

Demo: Service Endpoint Policies

She has a VNet with a subnet. Service endpoints is turned on for Storage (all) in the subnet. She only wants to allow access to a single storage account. Adds that storage account to the subnet’s service endpoint. Logs into VM in the subnet and runs Storage Explorer. Can access files in the configured storage account. Another storage account can also be accessed. Goes to Service Endpoint Policies – a top level resource like NSGs. Adds a new policy, adds it to resource group and names it. Sets a scope – all storage accounts, all accounts in resource group, or specific storage account – picks the allowed storage account. Associates the policy with the subnet – like NSG. Now in the VM, only the authorized storage account can be accessed in Storage Explorer.

Switch to Mario for part 2.

Securing Access From Internet

DDoS attacks
Web Application Vulnerabilities

New in DDoS Standard

Attack analysis
Rapid Response – Specialized rapid response team support during active attacks (via support ticket). Custom mitigation policy configuration.
Azure Security Center Integration – intelligent DDoS protection virtual network recommendation

New in WAF

They’re flattening the number of subnets using ASGs – tiers of app in one subnet but rules based on on ASGs instead of subnets. Subnets then deployed for Edge/DMZ and app. Using ASGs for micro-segmentation.

Putting it All Together

Microsoft Ignite 2018–Azure Service Fabric Mesh: The Serverless Microservices Platform

Speakers: Chacko Daniel and Deep Kapur.

This is a true dev session … but I’m here and I haven’t written an original line of programming since 1998. Why am I here? Because Service Fabric is cool and it fascinates me. If I wrote code, Service Fabric (along with functions for atomic trigger/action pieces and app services for interface) would be my choice.

Introduction to Service Fabric

Mission critical workloads
Used for Azure SQL, Power BI, Cosmos DB, IoT Hub, Event Hub, Skype, Cortana, and more.

Offerings

Service Fabric on Windows/Linux – bring your own infrastructure
Azure Service Fabric – runs on dedicated VM scale sets
Azure Service Fabric Mesh – serverless

Future of Application Development

Polyglob services connected by L7 networks
Multi OS environments
Deploy anything in a container
Bring your own network to connect to to your other services
State management and other stuff

Service Fabric Mesh (Public Preview Currently)

Focus on applications
Microservice and container orchestration
Pay for only what you use
Intelligent traffic routing
Azure manages all infrastructure
Auto-scaling on demand
Security and compliance
Health and monitoring

Mesh Resource Provider Architecture

Inventory Manager takes your input. Cluster allocator finds resources to run your code.

What Can You Use It For?

Ideal for cloud-native applications

Any language, any framework
Libraries to integrate with your favourite languages
Easy H/A state storage with reliable collections
Intelligent traffic routing and connectivity

Enable app modernization:

Deploy anything and everything in a container
Bring your own network
More

Demo

An app runs on a SF cluster. Each app is made up of 1+ services. A service can be made HA by running it on many nodes in the SF cluster (replicas or load balanced).

There is a mesh application resource. In the summary we see the services that make up the app, and how many replicas there are of each service. He opnes one service and we see the replica(s), numbered normally as 0,1,2,etc. The status shows a summary of recent events. In Details we see the physical consumption of the service, the ports (endpoints) it listens to, environment variables. In Logs we can see a screen output of app log data.

Service Fabric Resource Model

Applications and services
Networks
Gateways
Secrets
Volumes
Routing rules

Simple declarative way to define an application.

Applications and Services Resouces

Services describe how a set of containers run:

Container image, environment variables, CPU/MEMory, etc
And more

Gateway and Networks

Connecting two networks together:

L4: TCP
L7: HTTP/S

It’s a way of connecting the outside world, Internet or another network you own, to the isolated network of the SF cluster.

This is a service fabric gateway, not a VNet gateway.

Secrets Resource

Bad way: environment variable.

Better way: Use KeyVault.

Inline is in the public preview today, e.g. connection strings. Secrets by reference (key vault) is coming.

Volume Resource

General purpose file storage.The container can attach volumes. Read and write files using normal disk I/O file APIs. Backed by Azure File storage or Service Fabric volume disk. The SF volume disk is on the cluster and is faster – it is replicated to nodes where your service has a replica (stateful service).

Demo Application Architecture

Cloud based polyglob application demo that they have built. All built on Linux contianers

Front End – reactive.
Backend: .NET Core and Node.js.
Work gets dropped into a queue.
A Worker picks up the queue and stores data in persistent storage

Overview over.

They show us a JSON that is used to deploy the SF mesh application: Microsoft.ServiceFabricMesh/applications. Azure Files is being used as file storage. Secrets are being stored inline. A volume disk is also being used for file storage and they define a mount path in the Linux containers of /app/data. There are front end (1), backend (2) and worker services (3) in the application.

Auto Scaling

Horizontal scaling of services based on:

CPU
Memory
Application provided custom metrics (later)

Application Upgrade

He uses on-PC Azure CLI (PowerShell also available) to push a code upgrade to the SF application.

Routing Rules Resource

Services talk to each other inside the application by hostname.
They do not implement platform-specific discovery APIs
Not not deal with network level details.
Are unaware of the implementation details of other services

Intelligent traffic routing:

Done using “Envoy”
Advanced HTTP/S traffic routing with load balancing
Proxy handles partition resolution and key hashing

Diagnostics and Monitoring

Use your favourite APM platform to monitor apps inside containers, e.g. Azure Application Insights
Containers write out stdout/stderr logs to a data volume – can be sucked up by Application Insights
Azure Monitor for platform events and container metrics

Reliable Collections – Low Latency Storage

Reliable collections allow you to persist state with failover. Uses transactional storage. Storage on a network introduces a “cost”, e.g. latency. Low latency storage is often preferred.

Demo: Scale-Out

Dumps a load of pictures of cats & dogs. Worker numbers increase from 1 to 40 in seconds for 3 services (120 containers). The pictures are categorized and tagged on the fly.

Pricing

You pay for what you use. Container compute duration:

Cores per second
Memory in GB per second

Costs depend on the region. Container costs are the same in Azure, irrespective of the Azure offering you get them from. So you choose a container offering based on suitability, not price.

Stateful resources:

Volume disk: disk size, Max IOPS/Throughput per disk). Paid for per month.

Reliable collections:

Biller per hour based on: size of the reliable collection and the amount of provisioned IOPS.

Recap

What they see: Gaming, media sharing, mission critical business SaaS, IoT data processing for millions of devices, low latency storage applications.

Roadmap

Managed service ID
Secrets from key vault
Routing rules to/from applications
Applications across availability zones
Persisted state via reliable collections and volume drives
Bring your own network to connect to other systems
Tooling integration

GA is planned for early next year – probably Build 2019. The preview is free to use.

Go live licenses will be given to early adopters.

Microsoft Ignite 2018–Azure Migrate

I arrived late for this session because I was in a meeting. They were doing a demo of Azure Migrate.

Azure Migrate fo Discovery And Assessment

Agentless discovery
TCO calculation
Right-size and suitability
Azure Platform

The are “announcing” support for Hyper-V – it’s still in limited private preview.

Third Party Solutions

Cloudamize is just an assessment tool

Indepth performance analysis
Right-size compute and stoage options.
TCO calculations
Agentless
Assessments for migration to Azure SQL
Integrates into ASR to do the migration

Migration solutions:

ASR
Zerto
CloudEndure

Azure Site Recovery (ASR)

Easy to onboard – appliance wizard for VMware
Broad coverage for Windows and Linux
UEFI support for VMware and physical machines – converted to BIOS
W2008 32-bit support

They do a demo of Zerto for migrations. Then they demo CloudEndure.

Futures

They’re trying to simplify the process. Starting a limited private preview:

Assess > Migrate & modernize > optimize > secure & manage.

Going to use the new tabbed UI in the Azure Portal. You can import and assessment into a migration. Pick the ready machines that you want to migrate, optionally apply HUB and overrise VM sizing, OS disk, and availability set membership. This migration experience will ideally be used by the 3rd parties too.

Microsoft Ignite 2018–Microsoft Information Protection

Speakers:

Questions to Microsoft

My data is scattered. I might not even know where it is.
I cannoit create unified policies for my data security
How do I protect PII for GDPR, etc.

Microsoft Information Protection is a suite of solutions, designed from the ground up, to protect data no matter where it is.

750 regulatory bodies around the world making up to 200 new data security decisions every month.

2025 – 165 zetabytes of data to manage and secure.

Microsoft Information Protection

Discover
Classicy
Protect
Monitor

Across:

Devices
Apps
Cloud services
On-premises

MS Solution

Unified solution to discover, classify and label
Automatically apply policy-based actions
Proactive monitoring to identify risks
Broad coverage across locations

The Way The MS Solution Was

Point solutions in market today:

O365 information protection
Windows information protection
Azure information protection

An incomplete solution because they are point solutions.

MIP unifies these solutions. A new unified UI.

Specialised Workspaces

Microsoft 365 Security Center: security.microsoft.com
Microsoft 365 Compliance Center compliance.microsoft.com

Clients

Obvious support on Windows Office. Now on Office/Mac and coming to Office/Mobile. Should be GA on all clients by the end of the year.

SharePoint Online will be showing labels, etc when creating sites/groups. Can apply retention labels in SharePoint Online too – auto-classification will determine if a retention policy should be applied.

Beyond Office 365

Windows Information Protection is a Win10 feature. Difference between company and personal data. Can apply rules to company data. Data (since 1809) will understand MIP labels applied to a file. If you try to copy/paste info from a protected file to Twitter, for example, Windows 10 will prevent that. Or if you try to attach the file in Outlook personal, or Gmail, etc. It will also prevent a copy to USB – no more superglue!

Compatibility for Existing AIP Customers

New M365 E3 customer can configure labels using the SCC portal. Can try out MIP-enabled AIP add in on Windows. Support coming to Mac and Mobile.
M365 or existing AIP customer can use AIP portal.

Customers will be transitioned over time.

Azure Information Protection Scanner

Scan:

File server shares
SharePoint Server 2010, 2013, 2016

Can discover data and force labelling/protection of documents.

I got bored here – “demos” that were just screenshots on PowerPoint. Weak!

Microsoft Ignite 2018–Windows Server 2019 Deep Dive

Speaker: Jeff Woolsey

Azure

Hybrid is a first-thought thing in MS. It’s not bolted on. How do they make Azure one-click away for customers who need to connect.

Azure Pillar #2 is hybrid. Windows Server 2019 pillar #1 is Hybrid.

Admin Center

1.7 million servers under management since it launched a few months ago. All new features in Windows Server are in this free download. MMC development has stopped. It’s also the portal to hybrid. Feedback driven evolution. Partner solutions built in – Fujitsu and DataON for hardware management highlighted. SquaredUp SCOM and Azure monitoring highlighted. RiverBed highlighted too. HPE is in development (looks limited compared to Fujitsu and DataON). Lenovo has something coming too. No mention of Dell/EMC who are stuck in the 1990s Sad smile

Still a place for System Center – bare metal deployment, application monitoring, etc.

Hybrid

The Azure Network Adapter. If you have a machine in an isolated location that needs to connect to an Azure vNet then one click in Admin Center and it creates a point-to-site VPN connection to an existing gateway. ASR is a one-click replication. Azure Backup now can be enabled on WS2012+ without installing MARS via Admin Center. W2008 R2 still requires a manual MARS installation. Very simplified deployment for file/folder and system state backup from the OS.

Azure Update Management

Extending Windows Update management from Azure to on-premises. This was a very complex deployment in the past. But through Admin Center it’s a short wizard.

Storage Replica TO Azure

This is in preview. You create a VM in Azure via Admin center, join it to a domain, etc via Admin Center. That’s the target. Then replication magically happens – didn’t see the required networking piece here so it might be a bit of an over-simplification.

Hyper-Converged Infrastructure

Hyper-converged is a play in server hardware modernisation – performance, security, support, etc. A video from Lenovo on their XClarity server management solution, that also integrtes into Admin Center – in preview today.

Storage Class Memory

Flash first came by USB. Then it moved to SAS/SATA. Then to PCI. Then NVMe to make it faster. Moving closer to the processor to reduce latency and increase performance. Storage Class Memory is next to the processor in a DIMM socket. It can be configured to look like storage, memory, or a mix of both. Can be an “insanely high speed cache”.

Demo on HCI by Cosmos Darwin. Previous demo in 2016 was 6.69million IOPS from 16 servers. This year they tested with Intel hardware (Optane) to get more performance. They deployed 12 nodes running with just these drive (2 per node) s for caching and NVMe for capacity. Also used future version Xeons. 100 TB of usable storage with free PCI slots and drive bays. The caching devices are striped at the memory controller level. Each NVMe is 8 TB each. They fire up VMs on one node and hit 1 million IOPS. Turn on node 2 and hit 2 million IOPS. Then they power up all 12 nodes VMs and hit 13 million IOPS from 24 U of servers. The growth was linear.

System Insights

Via Admin Center
Predictive capabilities for Windows Server 2019 locally on the server.
Predictive analytics
In the charts, it shows historical metrics, and projects how this will continue into the future.
Suggested actions, e.g. Extend volume Azure File Sync, Disk cleanup
Transform reactive emergencies into proactive management experiences.

Storage Migration

Customers find moving data to be hard. Means that old OS versions are hanging around. Need data to move, shares to move, folder/share ACLs, EFS, IP address, computer naming, etc must be possible to move. Storage Migration Service allows you to move data to Azure or file servers. It has support back to W2003 and up to WS2019 as a source. It inventories the source server. It then copies the data over to target server. Cutover hides the source server, freezes it, and transfers names/addresses to the new server so it becomes the active file server. You can export a CSV file with a log of every file transfer transaction with all the file attributes.

Azure File Sync

Modernize the file server to give it virtually bottomless capacity in Azure. 100 TiB per share support.

Storage

Admin center integratin
Deduplication with ReFS
Mirror accelerated parity
Storage class memory support
Cluster sets: a cluster of clusters with hundreds of nodes in a single unified namespace
Industry leading scale

Cosmos Darwin comes back out. Storage Spaces Direct isn’t just for VMs. Another scenario is a backup target where customers want larger capacity. Now it supports 4 PB of raw storage in a single cluster. With cluster sets, that increases. 4 PB is wikipedia in every language with the complete edit history 50 times. Demo of QCT servers with 527 drives – 72 dives per physical server. 3.64 PB of raw capacity. QCT is selling this today. They’ve benchmarked with Veeam, doing 25 GB/s of sustained data writes per hour.

Scales are up. 400 TB per server, 64 volumes per cluster.

Software-Defined Networking

Virtual network peering
Encrypted subnets
Egress bandwidth metering
IPv6 support, single and dual stack
Fabric ACLs, SDN ACL logging
Gateway performance improvements

Management is coming. Windows Admin Center management for Software-defined networking. Add network Controller to Admin Center. Then add subnets. SDN for mere mortals. SDN monitoring is coming to Admin Center too.

Security

Shielded VMs.

Password Protection with Windows Server AD

Central risk: Passwords. Azure AD solved this issue in Premium. This has been projected down into ADDS. You get the same password checking on-prem that you can in the cloud. A free download that can be installed on WS2012 R2 domain controllers and later. Password enforcement will be the same in the cloud as in on-prem. Can be deployed in audit or enforcement modes. The agent on the DC talks to a proxy service and the proxy talks to the cloud. You register the proxy with the cloud and then install the agent on DCs. And then cloud-based enforcement starts to work. You can define your own weak password lists.

Features on Demand

Server Core numbers are allegedly increasing because of Admin Center.
What if I have to go to the VM and I need local tools.
What it s/w installer won’t install on Server Core?
Features on Demand is Server Core with an additional ISO of around 340 MB.
It’s to support those apps that won’t install.
It also adds local debugging and tools.
When installed you get MMC.EXE, Event Viewer, File Explorer, Device Manager, Resource Monitor, Performance Monitor, PowerSehll ISE, Faulover Cluster Manager.
Internet Explorer is in a special ISO by itself.

Exchange Server 2019 supports Core out of the box. SQL Server supports Core already.

Best practices:

Start with Windows Server Core with Admin Center – best way for server hygene
Add FOD – use it – remove it.
Finally use Windows Server with Full Desktop

Looking Forward

A new release of Windows Server and Admin Center every 2 weeks for Insiders.
There is the semi-annual channel for application innovation twice per year.
The next LTSC will be out in 2-3 years time.

Real World Architecture Considerations for Azure–How To Succeed And What To Avoid

Speakers: Tiago Barbosa and Will Eastbury

FastTrack For Azure’s Approach To Azure

FYI, FastTrack is an architectural assistance service for large customers:

Architectural review sessions and/or design/solution reviews
Apply the FastTrack review and guidance framework
Inform and disseminate information from the Azure Architecture Center

Design patterns
Anti-patterns
Reference Architecture
Best practices

Where to Start?

Purpose: What is the reason of this – high-level functional requirements. What will this solution do?
Success criteria: How do you measure success? What is the direction?
Stakeholders: Are there internal or external customers involved with an SLA too?

What do we Consider?

Business objectives of the solution
Pillars of software quality
Functional aspects
Availability and resilience
Performance and scalability
Governance, etc
Dev/test/
Security and ID
Cost design
Other general observations
Service specific aspects

Things To Understand

Start with simplicity and low overall cost
Add tiering and scalability
Add multi-region failover and HA

General Good Practice

Determine the budget and NFRs of the solution
Understand the Azure storage performance envelope
Scale OUT, NOT up.

Choose the Compute Stack Options

IaaS
PaaS
Serverless

Move as close to serverless as you can (me).

Infrastructure Patterns

Some high-level diagrams similar to flow charts that document processes.

I got bored here.

What to Avoid – Scalability

Avoid: Keep creating new instances of shred objects
Avoid: Sharing infrastructure between test and production environments

What to Avoid – Performance

Avoid: Lack of caching or use excessive caching of stale data
Avoid: Ignore the differences in cloud latency envelope

What to Avoid – Resiliency

Avoid: High SLA, single-region deployment in Azure
Avoid: Lack of strategy for resilience within services
Avoid: Ignore single points of failure even for low SLA

What to Avoid – DevOps

Avoid: Lack of continuous integration
Lack of telemetry insight

What To Avoid – Anti-Patterns

Busy database: Offload business logic to database consumes valuable CPU. Do it in app layer.
Busy front-end: Offload processing to background thread to save front-end performance. Don’t consume front-end CPU.
Select * from everywhere: Querying more data than needed slows performance.
Blocking I/O: Wasting CPU because the thread is locked while waiting on a result.

Customer Story – Flybe

A budget airline in the UK.

I stopped listening here.