Microsoft Ignite 2018–Functions Deep Dive

Functions v2.0 GA

  • New functions quick starts by language
  • Updated runtime built on .NET Core 2.1
  • .NET functions loading changes
  • New extensibility model
  • Run code from a package
  • Tooling updates: CLI, Visual Studio and VS Code
  • Durable functions GA

Differences From v1.0

There is a long list online:

  • Moved from .NET Framework 4.7.1 to .NET Core 2.1
  • Assembly loading changes
  • Supports newer Node.js versions
  • Languages are external to the host
  • Supports webhooks as triggers
  • Single language per function app instead of multiple
  • Uses only Application Insights for monitoring code performance

Binding and Integrations

  • SDK functions: HTTP/Timer
  • Storage
  • Service Bus
  • Event Hubs
  • Cosmos DB
  • Event Grid
  • And more

And then lots of bullet points to explain the architecture that didn’t really explain it. A picture tells a thousand words.

Planning Network Security For Your Mission-Critical Workloads With Virtual Networks

Speakers: Anitha Adusumilli and Mario Lopez

Networking ensures that data remains in your private space in the cloud. So it’s not just a VM thing.

Understanding Cloud Challenges

  • Dynamic, scalable workloads – no fixed network perimeter
  • Attack vectors based on application access patterns
  • Risk of data exposure to exploits, with a mix of IaaS, PaaS, and SaaS services

Cloud network security is evolving as the apps change!

Planning Network Security in Azure

  • Similar controls as on-premises.
  • Pick your network security offerings
  • Layer and scale
  • More flexible than on-premises – faster to deploy/tear down
  • Azure offers managed services

You can build a VNet and add subnets as security boundaries. You can add peered VNets locally and in other regions. And you might have external connections via VPN/ExpressRoute.

There are a mixture of Azure-native and third-party security offerings.

Application Access Patterns

Use these to decide which network security solution to pick. It will probably be a mixture of the below.

  • Service endpoints
  • NSGs
  • ASGs
  • User-defined routes
  • DDoS Protection
  • WAF
  • Azure Firewall
  • NVAs

Security with Azure Services

VMs don’t need public IPs. However, Azure platform services, e.g. Azure SQL, have public IPs. This might require you to allow outbound connections that you might not have allowed before. With a default deployment, anyone with rights to the service can access it from anywhere. But if you add services to the VNet via service endpoints and apply the service’s own firewall, e.g. on Azure SQL, then you can restrict access to these platform services.

Two patterns:

  • Add services to a VNet where the VNet is all that can access the service
  • Add services to a VNet to allow private access, but public access is also possible.

Pattern 1: Deploy services into VNet


Example, App Services Environment (ASE) is deployed into a subnet.

Security:

  • NSGs
  • NVAs
  • User-defined routing can control the direction of traffic, e.g. a private deployment can only route via a gateway (forced tunnelling)
  • Services in Azure might require outbound access from your VNet. Use Service Tags to limit outbound traffic to the local service.

New service tags:

Azure Web Apps will be getting preview support soon – an alternative to P2S VPN.

Pattern 2: Service Endpoints

  • Extend VNet identity to the service
  • Secure your critical Azure resources to only your VNet
  • Traffic remains on the Microsoft backbone


How to Secure Your Resources Using Service Endpoints

Normal flow for a new setup:

  1. Set the service endpoint on your subnet
  2. Lock your service resource to your subnet

One-time migration of an existing resource:

  1. Add the VNet rule on the resource without the endpoint (so traffic is not interrupted while the subnet switches over)
  2. Set the endpoint on the subnet
  3. Remove the public IP setting

All scenarios: Remove “Allow All Azure Services” or “Allow All” settings.

Service Endpoint: Scaling Security

  • Resource locked to a VNet: no access from other VNets, the Internet, or on-premises.
  • Permit more VNets: turn on service endpoints on those VNets and add them under “Virtual Networks” on the resource.
  • Permit on-premises: add the on-prem NAT IPs under “Firewall” on the resource.

Careful – locking network access down can prevent Azure services, such as backup. There are docs for these workarounds – ask Anitha Adusumilli.
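The new-setup flow, the one-time migration and the “scaling security” steps above, carried through for an Azure SQL server and a storage account, as an added Az PowerShell example (this is not from the session; the resource group, VNet, subnet, server and account names, and the on-premises NAT address, are placeholders):

```powershell
# Added example, not from the session: lock an Azure SQL server and a storage
# account to a single subnet with service endpoints. All names below are
# placeholders; the on-prem NAT address is a documentation range.
$rg        = 'rg-workload'
$vnetName  = 'vnet-prod'
$subnetNm  = 'snet-app'
$sqlServer = 'sql-prod-01'
$stAccount = 'stprod01'
$onPremNat = '203.0.113.10'

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetNm

# --- One-time migration of an EXISTING SQL server ---------------------------
# Step 1: add the VNet rule before the subnet has the endpoint. The switch
# lets the rule exist while the subnet's traffic still arrives from public
# IPs, so nothing is cut off during the switch-over.
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $sqlServer `
    -VirtualNetworkRuleName "allow-$subnetNm" -VirtualNetworkSubnetId $subnet.Id `
    -IgnoreMissingVnetServiceEndpoint | Out-Null

# Step 2: turn the endpoints on. From here the subnet reaches the services
# with its VNet identity over the Microsoft backbone. Caution: this cmdlet
# rewrites the subnet config, so re-pass any NSG or route table the subnet
# already has and check they survive.
$vnet = Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetNm `
    -AddressPrefix $subnet.AddressPrefix `
    -ServiceEndpoint 'Microsoft.Sql', 'Microsoft.Storage' | Set-AzVirtualNetwork
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetNm

# Step 3: remove the public-IP paths. "Allow access to Azure services" is the
# firewall rule named AllowAllWindowsAzureIps (0.0.0.0-0.0.0.0); drop it
# together with any other public ranges.
foreach ($rule in Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer) {
    Remove-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer `
        -FirewallRuleName $rule.FirewallRuleName -Force
}

# --- NEW storage account: endpoint already on, so just lock the resource ----
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $stAccount `
    -VirtualNetworkResourceId $subnet.Id | Out-Null
# DefaultAction Deny closes the Internet; Bypass None is the storage-side
# equivalent of removing "Allow all Azure services". If a platform feature
# such as backup then fails, use the documented workaround for that service
# rather than re-opening the account to everything.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $stAccount `
    -DefaultAction Deny -Bypass None | Out-Null

# --- Scaling out: permit on-premises via its NAT IP, not a broad range ------
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $stAccount `
    -IPAddressOrRange $onPremNat | Out-Null
New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer `
    -FirewallRuleName 'onprem-nat' -StartIpAddress $onPremNat -EndIpAddress $onPremNat | Out-Null

# --- Verify: DefaultAction must be Deny and only the intended rules remain --
Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $stAccount |
    Select-Object DefaultAction, Bypass,
        @{ n = 'VNetRules'; e = { $_.VirtualNetworkRules.VirtualNetworkResourceId } },
        @{ n = 'IpRules';   e = { $_.IpRules.IPAddressOrRange } }
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer |
    Select-Object FirewallRuleName, StartIpAddress, EndIpAddress
```

The verification at the end is the part worth keeping in a pipeline: a storage account whose network rule set still reports DefaultAction Allow, or a SQL server that still lists AllowAllWindowsAzureIps, has not actually been locked down regardless of what the subnet says.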

Stitching Services Together

  • Secure Azure resources to managed service subnets with endpoints
  • More

Securing VNet traffic: Services Tags in NSGs

  • Restrict network access to just the Azure services you use.
  • Azure maintains the IP addresses behind each tag (Service Tags), so you don’t.
  • Support for global and regional tags (varies by service)

Service endpoints: Data-Exfiltration Risk

  • NSG service tags not enough to prevent data exfiltration from VNet
  • Access to unauthorized accounts possible

Option 1: filtering with Azure Firewall or NVAs

  • Service endpoints bypass NVAs for service traffic if set on the originating subnet (the endpoint’s service route takes precedence over a 0.0.0.0/0 user-defined route)
  • Optionally, continue using NVAs for auditing/filtering service traffic
  • More

Service Endpoint Policies

  • Prevent unauthorized access to storage accounts
  • Restrict VNet access to specific Azure storage accounts
  • Granular access control over service endpoints
  • Available in West Central US and West US 2 today

Demo: Service Endpoint Policies

She has a VNet with a subnet. Service endpoints are turned on for Storage (all) in the subnet. She only wants to allow access to a single storage account. She adds that storage account to the subnet’s service endpoint, logs into a VM in the subnet and runs Storage Explorer. She can access files in the configured storage account. Another storage account can also be accessed. She goes to Service Endpoint Policies – a top-level resource like NSGs. She adds a new policy, adds it to a resource group and names it. She sets a scope – all storage accounts, all accounts in a resource group, or a specific storage account – and picks the allowed storage account. She associates the policy with the subnet – like an NSG. Now in the VM, only the authorized storage account can be accessed in Storage Explorer.
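The service-tag NSG rules and the Service Endpoint Policy from the demo, as an added Az PowerShell example covering both the “Service Tags in NSGs” and “Data-Exfiltration Risk” sections above (not from the session; the resource names, the region and the storage account resource ID are placeholders):

```powershell
# Added example, not from the session: NSG service tags bound the egress to
# Azure Storage in one region, then a Service Endpoint Policy narrows it to
# the workload's own account. Names, region and the account ID are placeholders.
$rg = 'rg-workload'; $loc = 'westus2'
$vnetName = 'vnet-prod'; $subnetNm = 'snet-app'
$allowedAccountId = '/subscriptions/00000000-0000-0000-0000-000000000000' +
    '/resourceGroups/rg-workload/providers/Microsoft.Storage/storageAccounts/stprod01'

# 1. Outbound NSG: HTTPS to Storage in this region only; everything else to
#    the Internet is denied. Azure maintains the addresses behind the tag.
$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'allow-storage-westus2' -Direction Outbound `
        -Priority 100 -Access Allow -Protocol Tcp `
        -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
        -DestinationAddressPrefix 'Storage.WestUS2' -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name 'deny-internet-out' -Direction Outbound `
        -Priority 4000 -Access Deny -Protocol '*' `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix Internet -DestinationPortRange '*'
)
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc `
    -Name "nsg-$subnetNm" -SecurityRules $rules

# 2. The tag still admits ANY storage account in West US 2, including one an
#    attacker created: that is the exfiltration gap. The policy restricts the
#    Storage endpoint on the subnet to listed resources; the scope can be a
#    subscription, a resource group, or, as in the demo, a single account.
$definition = New-AzServiceEndpointPolicyDefinition -Name 'only-stprod01' `
    -Service 'Microsoft.Storage' -ServiceResource $allowedAccountId
$sep = New-AzServiceEndpointPolicy -ResourceGroupName $rg -Location $loc `
    -Name "sep-$subnetNm" -ServiceEndpointPolicyDefinition $definition

# 3. Bind NSG, endpoint and policy to the subnet. The policy attaches to the
#    subnet the same way an NSG does.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetNm
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetNm `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg `
    -ServiceEndpoint 'Microsoft.Storage' -ServiceEndpointPolicy $sep |
    Set-AzVirtualNetwork | Out-Null

# 4. Read back what the subnet now enforces.
(Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName |
    Get-AzVirtualNetworkSubnetConfig -Name $subnetNm) |
    Select-Object Name,
        @{ n = 'Endpoints'; e = { $_.ServiceEndpoints.Service } },
        @{ n = 'Policies';  e = { $_.ServiceEndpointPolicies.Id } },
        @{ n = 'Nsg';       e = { $_.NetworkSecurityGroup.Id } }
```

The policy is a source-side control on the subnet; it does not replace locking the destination account’s own firewall to the subnet. Use both: the policy stops a compromised VM from pushing data to a foreign account, and the account firewall stops anything outside the subnet from reading the legitimate one.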

Switch to Mario for part 2.

Securing Access From Internet

  • DDoS attacks
  • Web Application Vulnerabilities

New in DDoS Standard

  • Attack analysis
  • Rapid Response – Specialized rapid response team support during active attacks (via support ticket). Custom mitigation policy configuration.
  • Azure Security Center Integration – intelligent DDoS protection virtual network recommendation

New in WAF


They’re flattening the number of subnets using ASGs – the tiers of an app sit in one subnet, but rules are based on ASGs instead of subnets. Subnets are then deployed only for Edge/DMZ and app. Using ASGs for micro-segmentation.
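The flattened layout described above, with three tiers in one subnet and the rules written against ASGs, as an added Az PowerShell example (not from the session; the resource names, region, DMZ prefix, ports and NIC name are placeholders):

```powershell
# Added example, not from the session: three app tiers in ONE subnet,
# micro-segmented with ASGs rather than one subnet per tier. Names, region,
# the DMZ prefix, the ports and the NIC name are placeholders.
$rg = 'rg-workload'; $loc = 'westus2'
$dmzPrefix = '10.0.0.0/24'    # the separate Edge/DMZ subnet

# A tier is an ASG; a VM joins a tier by putting its NIC in the ASG.
$asgWeb = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Location $loc -Name 'asg-web'
$asgApp = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Location $loc -Name 'asg-app'
$asgDb  = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Location $loc -Name 'asg-db'

$rules = @(
    # Edge/DMZ -> web tier on 443 only
    New-AzNetworkSecurityRuleConfig -Name 'web-in-from-dmz' -Direction Inbound -Priority 100 `
        -Access Allow -Protocol Tcp -SourceAddressPrefix $dmzPrefix -SourcePortRange '*' `
        -DestinationApplicationSecurityGroupId $asgWeb.Id -DestinationPortRange 443
    # web -> app
    New-AzNetworkSecurityRuleConfig -Name 'app-in-from-web' -Direction Inbound -Priority 110 `
        -Access Allow -Protocol Tcp -SourceApplicationSecurityGroupId $asgWeb.Id -SourcePortRange '*' `
        -DestinationApplicationSecurityGroupId $asgApp.Id -DestinationPortRange 8080
    # app -> db
    New-AzNetworkSecurityRuleConfig -Name 'db-in-from-app' -Direction Inbound -Priority 120 `
        -Access Allow -Protocol Tcp -SourceApplicationSecurityGroupId $asgApp.Id -SourcePortRange '*' `
        -DestinationApplicationSecurityGroupId $asgDb.Id -DestinationPortRange 1433
    # Everything else inside the VNet, including web -> db and VM -> VM within
    # a tier, is denied. This overrides the default AllowVnetInBound rule,
    # which would otherwise let any VM in the subnet reach any other.
    New-AzNetworkSecurityRuleConfig -Name 'deny-vnet-in' -Direction Inbound -Priority 4000 `
        -Access Deny -Protocol '*' -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
        -DestinationAddressPrefix VirtualNetwork -DestinationPortRange '*'
)
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc `
    -Name 'nsg-app-tiers' -SecurityRules $rules
# Attach $nsg to the shared app subnet (Set-AzVirtualNetworkSubnetConfig
# -NetworkSecurityGroup $nsg) as usual.

# Put a web VM's NIC into the web tier. ASG, NIC and NSG must be in the same
# region, and all NICs in one ASG must be in the same VNet.
$nic   = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'nic-web-01'
$ipcfg = $nic.IpConfigurations[0]
Set-AzNetworkInterfaceIpConfig -NetworkInterface $nic -Name $ipcfg.Name `
    -SubnetId $ipcfg.Subnet.Id -ApplicationSecurityGroupId $asgWeb.Id |
    Set-AzNetworkInterface | Out-Null
```

The explicit deny at priority 4000 is what makes this micro-segmentation rather than decoration: without it, the built-in AllowVnetInBound rule still lets every VM in the subnet talk to every other, ASGs or not.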



Putting it All Together


Microsoft Ignite 2018–Azure Service Fabric Mesh: The Serverless Microservices Platform

Speakers: Chacko Daniel and Deep Kapur.

This is a true dev session … but I’m here and I haven’t written an original line of programming since 1998. Why am I here? Because Service Fabric is cool and it fascinates me. If I wrote code, Service Fabric (along with functions for atomic trigger/action pieces and app services for interface) would be my choice.

Introduction to Service Fabric

  • Mission critical workloads
  • Used for Azure SQL, Power BI, Cosmos DB, IoT Hub, Event Hub, Skype, Cortana, and more.

Offerings

  • Service Fabric on Windows/Linux – bring your own infrastructure
  • Azure Service Fabric – runs on dedicated VM scale sets
  • Azure Service Fabric Mesh – serverless

Future of Application Development

  • Polyglot services connected by L7 networks
  • Multi-OS environments
  • Deploy anything in a container
  • Bring your own network to connect to your other services
  • State management and other stuff

Service Fabric Mesh (Public Preview Currently)

  • Focus on applications
  • Microservice and container orchestration
  • Pay for only what you use
  • Intelligent traffic routing
  • Azure manages all infrastructure
  • Auto-scaling on demand
  • Security and compliance
  • Health and monitoring

Mesh Resource Provider Architecture

Inventory Manager takes your input. Cluster allocator finds resources to run your code.


What Can You Use It For?

Ideal for cloud-native applications

  • Any language, any framework
  • Libraries to integrate with your favourite languages
  • Easy HA state storage with reliable collections
  • Intelligent traffic routing and connectivity

Enable app modernization:

  • Deploy anything and everything in a container
  • Bring your own network
  • More

Demo

An app runs on a SF cluster. Each app is made up of 1+ services. A service can be made HA by running it on many nodes in the SF cluster (replicas or load balanced).

There is a mesh application resource. In the summary we see the services that make up the app, and how many replicas there are of each service. He opens one service and we see the replica(s), numbered normally as 0, 1, 2, etc. The status shows a summary of recent events. In Details we see the physical consumption of the service, the ports (endpoints) it listens on, and environment variables. In Logs we can see the screen output of app log data.

Service Fabric Resource Model

  • Applications and services
  • Networks
  • Gateways
  • Secrets
  • Volumes
  • Routing rules

Simple declarative way to define an application.

Applications and Services Resources

Services describe how a set of containers run:

  • Container image, environment variables, CPU/memory, etc
  • And more

Gateway and Networks

Connecting two networks together:

  • L4: TCP
  • L7: HTTP/S

It’s a way of connecting the outside world, Internet or another network you own, to the isolated network of the SF cluster.

This is a service fabric gateway, not a VNet gateway.

Secrets Resource

Bad way: environment variables.

Better way: use Key Vault.

Inline secrets are in the public preview today, e.g. connection strings. Secrets by reference (Key Vault) are coming.

Volume Resource

General purpose file storage. The container can attach volumes and read and write files using normal disk I/O file APIs. Backed by Azure File storage or a Service Fabric volume disk. The SF volume disk is on the cluster and is faster – it is replicated to the nodes where your service has a replica (stateful service).

Demo Application Architecture

A cloud-based polyglot application demo that they have built. All built on Linux containers.

  • Front End – reactive.
  • Backend: .NET Core and Node.js.
  • Work gets dropped into a queue.
  • A Worker picks up the queue and stores data in persistent storage

Overview over.

They show us a JSON that is used to deploy the SF mesh application: Microsoft.ServiceFabricMesh/applications. Azure Files is being used as file storage. Secrets are being stored inline. A volume disk is also being used for file storage and they define a mount path in the Linux containers of /app/data. There are front end (1), backend (2) and worker services (3) in the application.

Auto Scaling

Horizontal scaling of services based on:

  • CPU
  • Memory
  • Application provided custom metrics (later)

Application Upgrade

He uses on-PC Azure CLI (PowerShell also available) to push a code upgrade to the SF application.

Routing Rules Resource

  • Services talk to each other inside the application by hostname.
  • They do not implement platform-specific discovery APIs.
  • They do not deal with network-level details.
  • They are unaware of the implementation details of other services.

Intelligent traffic routing:

  • Done using “Envoy”
  • Advanced HTTP/S traffic routing with load balancing
  • Proxy handles partition resolution and key hashing

Diagnostics and Monitoring

  • Use your favourite APM platform to monitor apps inside containers, e.g. Azure Application Insights
  • Containers write stdout/stderr logs to a data volume – these can be ingested by Application Insights
  • Azure Monitor for platform events and container metrics

Reliable Collections – Low Latency Storage

Reliable collections allow you to persist state with failover. Uses transactional storage. Storage on a network introduces a “cost”, e.g. latency. Low latency storage is often preferred.

Demo: Scale-Out

Dumps a load of pictures of cats & dogs. Worker numbers increase from 1 to 40 in seconds for 3 services (120 containers). The pictures are categorized and tagged on the fly.

Pricing

You pay for what you use. Container compute duration:

  • Cores per second
  • Memory in GB per second

Costs depend on the region. Container costs are the same in Azure, irrespective of the Azure offering you get them from. So you choose a container offering based on suitability, not price.

Stateful resources:

  • Volume disk: disk size, max IOPS/throughput per disk. Paid for per month.

Reliable collections:

  • Billed per hour based on the size of the reliable collection and the amount of provisioned IOPS.

Recap

What they see: Gaming, media sharing, mission critical business SaaS, IoT data processing for millions of devices, low latency storage applications.

Roadmap

  • Managed service ID
  • Secrets from key vault
  • Routing rules to/from applications
  • Applications across availability zones
  • Persisted state via reliable collections and volume drives
  • Bring your own network to connect to other systems
  • Tooling integration

GA is planned for early next year – probably Build 2019. The preview is free to use.

Go live licenses will be given to early adopters.

Microsoft Ignite 2018–Azure Migrate

I arrived late for this session because I was in a meeting. They were doing a demo of Azure Migrate.

Azure Migrate for Discovery And Assessment

  • Agentless discovery
  • TCO calculation
  • Right-size and suitability
  • Azure Platform

They are “announcing” support for Hyper-V – it’s still in limited private preview.

Third Party Solutions

Cloudamize is just an assessment tool

  • Indepth performance analysis
  • Right-size compute and storage options.
  • TCO calculations
  • Agentless
  • Assessments for migration to Azure SQL
  • Integrates into ASR to do the migration

Migration solutions:

  • ASR
  • Zerto
  • CloudEndure

Azure Site Recovery (ASR)

  • Easy to onboard – appliance wizard for VMware
  • Broad coverage for Windows and Linux
  • UEFI support for VMware and physical machines – converted to BIOS
  • W2008 32-bit support

They do a demo of Zerto for migrations. Then they demo CloudEndure.

Futures

They’re trying to simplify the process. Starting a limited private preview:

Assess > Migrate & modernize > optimize > secure & manage.

Going to use the new tabbed UI in the Azure Portal. You can import an assessment into a migration. Pick the ready machines that you want to migrate, optionally apply HUB and override VM sizing, OS disk, and availability set membership. This migration experience will ideally be used by the 3rd parties too.

Microsoft Ignite 2018–Microsoft Information Protection

Speakers:

Questions to Microsoft

  • My data is scattered. I might not even know where it is.
  • I cannot create unified policies for my data security
  • How do I protect PII for GDPR, etc.

Microsoft Information Protection is a suite of solutions, designed from the ground up, to protect data no matter where it is.

750 regulatory bodies around the world making up to 200 new data security decisions every month.

2025 – 165 zettabytes of data to manage and secure.

Microsoft Information Protection

  • Discover
  • Classify
  • Protect
  • Monitor

Across:

  • Devices
  • Apps
  • Cloud services
  • On-premises

MS Solution

  • Unified solution to discover, classify and label
  • Automatically apply policy-based actions
  • Proactive monitoring to identify risks
  • Broad coverage across locations

The Way The MS Solution Was

Point solutions in market today:

  • O365 information protection
  • Windows information protection
  • Azure information protection

An incomplete solution because they are point solutions.

MIP unifies these solutions. A new unified UI.

Specialised Workspaces

  • Microsoft 365 Security Center: security.microsoft.com
  • Microsoft 365 Compliance Center compliance.microsoft.com

Clients

Obviously supported in Office on Windows. Now in Office for Mac and coming to Office mobile. Should be GA on all clients by the end of the year.

SharePoint Online will be showing labels, etc when creating sites/groups. Can apply retention labels in SharePoint Online too – auto-classification will determine if a retention policy should be applied.

Beyond Office 365

Windows Information Protection is a Win10 feature. It distinguishes between company and personal data and can apply rules to company data. WIP (since Windows 10 1809) understands MIP labels applied to a file. If you try to copy/paste info from a protected file to Twitter, for example, Windows 10 will prevent that. Likewise if you try to attach the file in personal Outlook, or Gmail, etc. It will also prevent a copy to USB – no more superglue!

Compatibility for Existing AIP Customers

  • New M365 E3 customers can configure labels using the SCC portal. They can try out the MIP-enabled AIP add-in on Windows. Support is coming to Mac and mobile.
  • M365 or existing AIP customers can use the AIP portal.

Customers will be transitioned over time.

Azure Information Protection Scanner

Scan:

  • File server shares
  • SharePoint Server 2010, 2013, 2016

Can discover data and force labelling/protection of documents.

I got bored here – “demos” that were just screenshots on PowerPoint. Weak!

Microsoft Ignite 2018–Windows Server 2019 Deep Dive

Speaker: Jeff Woolsey

Azure

Hybrid is a first-thought thing in MS. It’s not bolted on. How do they make Azure one click away for customers who need to connect?

Azure Pillar #2 is hybrid. Windows Server 2019 pillar #1 is Hybrid.

Admin Center

1.7 million servers under management since it launched a few months ago. All new features in Windows Server are in this free download. MMC development has stopped. It’s also the portal to hybrid. Feedback-driven evolution. Partner solutions are built in – Fujitsu and DataON for hardware management were highlighted. SquaredUp SCOM and Azure monitoring were highlighted. RiverBed was highlighted too. HPE is in development (looks limited compared to Fujitsu and DataON). Lenovo has something coming too. No mention of Dell/EMC, who are stuck in the 1990s.

Still a place for System Center – bare metal deployment, application monitoring, etc.

Hybrid

The Azure Network Adapter. If you have a machine in an isolated location that needs to connect to an Azure VNet, then one click in Admin Center creates a point-to-site VPN connection to an existing gateway. ASR is a one-click replication. Azure Backup can now be enabled on WS2012+ from Admin Center without a manual MARS installation. W2008 R2 still requires a manual MARS installation. Very simplified deployment for file/folder and system state backup from the OS.

Azure Update Management

Extending Windows Update management from Azure to on-premises. This was a very complex deployment in the past. But through Admin Center it’s a short wizard.

Storage Replica TO Azure

This is in preview. You create a VM in Azure via Admin center, join it to a domain, etc via Admin Center. That’s the target. Then replication magically happens – didn’t see the required networking piece here so it might be a bit of an over-simplification.

Hyper-Converged Infrastructure

Hyper-converged is a play in server hardware modernisation – performance, security, support, etc. A video from Lenovo on their XClarity server management solution, which also integrates into Admin Center – in preview today.

Storage Class Memory

Flash first came by USB. Then it moved to SAS/SATA. Then to PCI. Then NVMe to make it faster. Moving closer to the processor to reduce latency and increase performance. Storage Class Memory is next to the processor in a DIMM socket. It can be configured to look like storage, memory, or a mix of both. Can be an “insanely high speed cache”.

Demo on HCI by Cosmos Darwin. The previous demo in 2016 was 6.69 million IOPS from 16 servers. This year they tested with Intel hardware (Optane) to get more performance. They deployed 12 nodes running with just these drives (2 per node) for caching and NVMe for capacity. They also used future-version Xeons. 100 TB of usable storage with free PCI slots and drive bays. The caching devices are striped at the memory controller level. Each NVMe is 8 TB. They fire up VMs on one node and hit 1 million IOPS. Turn on node 2 and hit 2 million IOPS. Then they power up VMs on all 12 nodes and hit 13 million IOPS from 24 U of servers. The growth was linear.

System Insights

  • Via Admin Center
  • Predictive capabilities for Windows Server 2019 locally on the server.
  • Predictive analytics
  • In the charts, it shows historical metrics, and projects how this will continue into the future.
  • Suggested actions, e.g. Extend volume Azure File Sync, Disk cleanup
  • Transform reactive emergencies into proactive management experiences.

Storage Migration

Customers find moving data to be hard. Means that old OS versions are hanging around. Need data to move, shares to move, folder/share ACLs, EFS, IP address, computer naming, etc must be possible to move. Storage Migration Service allows you to move data to Azure or file servers. It has support back to W2003 and up to WS2019 as a source. It inventories the source server. It then copies the data over to target server. Cutover hides the source server, freezes it, and transfers names/addresses to the new server so it becomes the active file server. You can export a CSV file with a log of every file transfer transaction with all the file attributes.

Azure File Sync

Modernize the file server to give it virtually bottomless capacity in Azure. 100 TiB per share support.

Storage

  • Admin Center integration
  • Deduplication with ReFS
  • Mirror accelerated parity
  • Storage class memory support
  • Cluster sets: a cluster of clusters with hundreds of nodes in a single unified namespace
  • Industry leading scale

Cosmos Darwin comes back out. Storage Spaces Direct isn’t just for VMs. Another scenario is a backup target where customers want larger capacity. It now supports 4 PB of raw storage in a single cluster. With cluster sets, that increases. 4 PB is Wikipedia in every language with the complete edit history 50 times. Demo of QCT servers with 527 drives – 72 drives per physical server. 3.64 PB of raw capacity. QCT is selling this today. They’ve benchmarked with Veeam, doing 25 GB/s of sustained data writes (about 90 TB per hour).

Scales are up. 400 TB per server, 64 volumes per cluster.

Software-Defined Networking

  • Virtual network peering
  • Encrypted subnets
  • Egress bandwidth metering
  • IPv6 support, single and dual stack
  • Fabric ACLs, SDN ACL logging
  • Gateway performance improvements

Management is coming. Windows Admin Center management for Software-defined networking. Add network Controller to Admin Center. Then add subnets. SDN for mere mortals. SDN monitoring is coming to Admin Center too.

Security

Shielded VMs.

Password Protection with Windows Server AD

Central risk: passwords. Azure AD solved this issue in Premium. This has been projected down into AD DS. You get the same password checking on-prem that you get in the cloud. A free download that can be installed on WS2012 R2 and later domain controllers. Password enforcement will be the same in the cloud as on-prem. It can be deployed in audit or enforcement modes. The agent on the DC talks to a proxy service, and the proxy talks to the cloud. You register the proxy with the cloud and then install the agent on the DCs, and then cloud-based enforcement starts to work. You can define your own weak password lists.
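The proxy-then-DC-agent deployment just described, as an added PowerShell example using the AzureADPasswordProtection module that ships with the proxy installer (this is not from the session; the installer paths and the admin UPN are placeholders, and audit versus enforce mode and the custom banned list are set in the Azure AD portal, not on the DCs):

```powershell
# Added example, not from the session: roll Azure AD Password Protection out
# to an on-prem forest in audit mode first. Installer paths and the UPN are
# placeholders; both installers come from the Microsoft Download Center.

# --- Proxy server: a member server with outbound HTTPS to Azure -------------
Start-Process -Wait -FilePath 'C:\Install\AzureADPasswordProtectionProxySetup.exe' `
    -ArgumentList '/quiet'
Import-Module AzureADPasswordProtection
# Register the proxy, then the forest, with the tenant. Both prompt for a
# Global Administrator sign-in; the forest registration is a one-off per forest.
Register-AzureADPasswordProtectionProxy  -AccountUpn 'admin@contoso.onmicrosoft.com'
Register-AzureADPasswordProtectionForest -AccountUpn 'admin@contoso.onmicrosoft.com'
Get-AzureADPasswordProtectionProxy        # proxy is registered and reachable

# --- Every writable DC (WS2012 R2 or later); the agent needs a restart ------
Start-Process -Wait -FilePath msiexec.exe `
    -ArgumentList '/i C:\Install\AzureADPasswordProtectionDCAgentSetup.msi /quiet /norestart'
# Restart-Computer   # the password filter DLL loads at boot

# --- After the restart: audit mode is the default ----------------------------
Get-AzureADPasswordProtectionDCAgent      # each DC, agent version, last heartbeat,
                                          # and the date of the policy it holds
# Audit mode records what WOULD have been rejected without blocking anyone,
# which is how you find the service accounts and scripts that would break
# before flipping to Enforce in the portal (Authentication methods >
# Password protection, where the custom banned list also lives).
Get-AzureADPasswordProtectionSummaryReport -Forest
# Per-user detail is in the DC agent's own event log channel:
Get-WinEvent -LogName 'Microsoft-AzureADPasswordProtection-DCAgent/Admin' -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

Run the summary report for a couple of weeks in audit mode before enforcing: the “audit-only failure” counters tell you how many password sets and changes would have been rejected, and the DC event log tells you whose.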

Features on Demand

  • Server Core numbers are allegedly increasing because of Admin Center.
  • What if I have to go to the VM and I need local tools?
  • What if a software installer won’t install on Server Core?
  • Features on Demand is Server Core with an additional ISO of around 340 MB.
  • It’s to support those apps that won’t install.
  • It also adds local debugging and tools.
  • When installed you get MMC.EXE, Event Viewer, File Explorer, Device Manager, Resource Monitor, Performance Monitor, PowerShell ISE, Failover Cluster Manager.
  • Internet Explorer is in a special ISO by itself.

Exchange Server 2019 supports Core out of the box. SQL Server supports Core already.

Best practices:

  1. Start with Windows Server Core with Admin Center – best way for server hygiene
  2. Add FOD – use it – remove it.
  3. Finally use Windows Server with Full Desktop
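The “add FOD – use it – remove it” step as an added PowerShell example on a Server Core box (not from the session; the ISO path is a placeholder, while the capability name is the real Windows Server 2019 App Compatibility FOD name, and the IE package is a separate cab, as the session notes):

```powershell
# Added example, not from the session: add the Server Core App Compatibility
# Feature on Demand for a one-off task, then remove it again. The ISO path is
# a placeholder; the capability and package names are the WS2019 ones.
$iso = 'C:\ISO\WS2019_FeaturesOnDemand.iso'
$cap = 'ServerCore.AppCompatibility~~~~0.0.1.0'

function Get-FodState {
    # Installed or NotPresent, so each step can be checked before moving on.
    (Get-WindowsCapability -Online -Name $cap).State
}

# 1. Mount the FOD ISO and use it as the offline source. -LimitAccess stops
#    DISM from trying Windows Update, which a locked-down Core box may not reach.
$drive = (Mount-DiskImage -ImagePath $iso -PassThru | Get-Volume).DriveLetter + ':\'
Get-FodState                                    # NotPresent
Add-WindowsCapability -Online -Name $cap -Source $drive -LimitAccess
# Restart-Computer                              # required before the tools appear

# 2. Use it: mmc.exe, eventvwr.msc, perfmon.exe, explorer.exe and
#    powershell_ise.exe now run locally. Internet Explorer is NOT part of
#    this capability; it is a separate package on the same ISO:
# Add-WindowsPackage -Online -PackagePath (Join-Path $drive `
#     'Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~.cab')

# 3. Remove it again so the server returns to its Core footprint, then
#    confirm after the restart.
Remove-WindowsCapability -Online -Name $cap
Dismount-DiskImage -ImagePath $iso
# Restart-Computer
Get-FodState                                    # NotPresent once rebooted
```

The point of removing it is attack surface: File Explorer, MMC and the ISE are exactly the local tooling an intruder on the box would like to find, so treat the FOD as a temporary maintenance window, not a permanent install.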

Looking Forward

  • A new release of Windows Server and Admin Center every 2 weeks for Insiders.
  • There is the semi-annual channel for application innovation twice per year.
  • The next LTSC will be out in 2-3 years time.

Real World Architecture Considerations for Azure–How To Succeed And What To Avoid

Speakers: Tiago Barbosa and Will Eastbury

FastTrack For Azure’s Approach To Azure

FYI, FastTrack is an architectural assistance service for large customers:

  1. Architectural review sessions and/or design/solution reviews
  2. Apply the FastTrack review and guidance framework
  3. Inform and disseminate information from the Azure Architecture Center

  • Design patterns
  • Anti-patterns
  • Reference Architecture
  • Best practices

Where to Start?

  • Purpose: What is the reason for this – high-level functional requirements. What will this solution do?
  • Success criteria: How do you measure success? What is the direction?
  • Stakeholders: Are there internal or external customers involved with an SLA too?

What do we Consider?

  • Business objectives of the solution
  • Pillars of software quality
  • Functional aspects
  • Availability and resilience
  • Performance and scalability
  • Governance, etc
  • Dev/test
  • Security and ID
  • Cost design
  • Other general observations
  • Service specific aspects

Things To Understand

  • Start with simplicity and low overall cost
  • Add tiering and scalability
  • Add multi-region failover and HA

General Good Practice

  • Determine the budget and NFRs of the solution
  • Understand the Azure storage performance envelope
  • Scale OUT, NOT up.

Choose the Compute Stack Options

  1. IaaS
  2. PaaS
  3. Serverless

Move as close to serverless as you can (me).

Infrastructure Patterns

Some high-level diagrams similar to flow charts that document processes.

I got bored here.

What to Avoid – Scalability

  • Avoid: Repeatedly creating new instances of shared objects
  • Avoid: Sharing infrastructure between test and production environments

What to Avoid – Performance

  • Avoid: No caching, or excessive caching of stale data
  • Avoid: Ignoring the differences in the cloud latency envelope

What to Avoid – Resiliency

  • Avoid: High SLA, single-region deployment in Azure
  • Avoid: Lack of strategy for resilience within services
  • Avoid: Ignore single points of failure even for low SLA

What to Avoid – DevOps

  • Avoid: Lack of continuous integration
  • Avoid: Lack of telemetry insight

What To Avoid – Anti-Patterns

  • Busy database: Offloading business logic to the database consumes valuable database CPU. Do it in the app layer.
  • Busy front-end: Offload processing to a background thread to save front-end performance. Don’t consume front-end CPU.
  • Select * from everywhere: Querying more data than needed slows performance.
  • Blocking I/O: Wasting CPU because the thread is blocked while waiting on a result.

Customer Story – Flybe

A budget airline in the UK.

I stopped listening here.

Backup Your Data With Microsoft Azure Backup

Speakers: Saurabh Sensharma & Shivam Garg

Saurabh starts. He shows a real ransomware email. The ransom was 1.7 bitcoins for 1 PC or 29 bitcoins for all PCs. Part of the process to restore was to send files to the attacker to prove decryption works. The two files the customer sent contained customer data! Stuff like this has GDPR implications, brand, etc.

Secure Backup is Your Last Line of Defense

Azure Backup – a built-in service. Lower and predictable TCO. Can be zero-infrastructure. And it offers trust-no-one encryption and secure backups.

Shivam comes up. He’s going to play the role of the customer in this session.

Question: Backup is decades old – what has changed?

Digital transformation. People using the cloud to transform on-prem IT, even if it stays on-prem.

Shivam: Backup should be like a checkbox. Customers want a seamless experience. Backup should not be a distraction.

Azure Backup releases you from the management of a backup infrastructure. Azure Backup is built on:

  • Scalability
  • Availability
  • Resilience

Shivam: What does this “built-in” mean if I have a three-tier .Net app running in the cloud?

We see a demo of restoring a SQL Server database in an Azure VM. We see the point-in-time restore will be an option because there are log backups. Saurabh shows the process to backup SQL Server in Azure VMs. He highlights “auto-protect” – if the instance is being protected then all the databases (even new ones that are created later) are backed up.

Saurabh demos creating a new VM. He highlights the option to enable backup during the VM creation – something many didn’t know was possible when this option wasn’t in the VM creation process. VMs are backed up using a snapshot in local storage. 7 of those are kept, and the incremental is sent to the recovery services vault. If you want to restore from a recent backup, you can restore very quickly from the snapshot.

A new restore option is coming soon – Replace Existing (virtual machine). They place the existing disks of the VM into a staging location – this gives them a rollback if something goes wrong. Then the disks of the VM are replaced from backup. So this solves the availability set issue.

Under the Covers – SQL

Anything that has a native backup engine is referred to as enlightened. Azure Backup talks to the SQL Backup Engine using native APIs via the Azure Backup plugin for SQL (a VM extension). It asks the SQL Backup Engine to create the backup. Data is temporarily stored in VM storage, and then there is an HTTPS transfer of incremental backups to the RSV, where they are encrypted at rest using Storage Service Encryption (SSE).

It’s all built-in. No manual agents, no backup servers, etc.

Non-Enlightened VM Workloads

E.g. MySQL in a VM. Azure Backup can call a pre-script. This can instruct MySQL to flush transactions to disk and freeze writes. When you recover, there’s no need to do a fix-up. A snapshot of the disks is taken, enabling a backup. Then a post-script is called and the database is thawed. Application providers typically share these scripts on GitHub.

VM Backup

An extension is in every Azure VM. The extension associates itself with a backup policy that you select in the RSV. A command is sent to the backup extension. This executes a snapshot (VSS on Windows). It’s an Instant Recovery Snapshot in the VM storage. Then an HTTPS transfer of incremental blocks to SSE-encrypted storage.

Azure Disk Encryption

KEK and BEK keys are stored in Azure Keyvault. These are also protected when you backup the VM. This ensures that the files can be unlocked when restored.

Up to 1000 VMs can be protected in a single RSV now.

Azure VM Restore

VM restore options:

  • Files
  • Disks
  • VM
  • Replace Disks

Replace Disks (new):

  1. They snapshot-copy the VM’s disks to a staging location. This allows a rollback if the process breaks.
  2. They replace the disks by restore.

This (confirmed) is how restoring a VM will allow you to keep availability set membership.

Azure File Sync

The MS sync/tiering solution. Everything is stored in the cloud. So you can move on-prem backup for file servers to the cloud. Demo of deleting a file and restoring it. Saurabh clicks Manage Backups in the Azure File Share and clicks File Recovery and goes through the process.

When the backup API triggers a backup of Files, it pauses sync to create a snapshot; after the snapshot, sync resumes. This gives them a file-consistent backup.

On-Prem Resources

There is no Azure File Sync in this scenario, but they want to use cloud backup without a backup server. This scenario uses the Azure Backup MARS agent with Windows Admin Center (WAC). A demo of enabling Azure Backup protection via the WAC.

Deleting Backup

  1. Malware cannot delete your backups, because this task requires you to manually generate a security PIN in the Azure Portal (human authentication).
  2. If a human maliciously deletes a backup, Azure Backup retains the data for 14 days, and it sends an email to the registered notification address(es).

Security

  • Security PIN for critical tasks
  • Azure Disk Encryption support
  • SSE encryption at rest, TLS 1.2 in transit
  • RBAC for roles
  • Alerts in the portal and via notifications
  • On-server encryption (on-prem) before transport to Azure

Rich Management

Questions:

  • What’s my storage consumption?
  • Are my backups healthy?
  • Can I get insights by looking at trends?

This is the sort of stuff that normally requires a lot of on-prem infrastructure. Azure Backup reporting reuses Azure features, such as a Storage Account: no infrastructure, enterprise-wide, and it uses an open data model (published on docs.microsoft.com) that anyone can query (Kusto, etc.). You can also integrate with Service Manager, ServiceNow, and other ITSM tools.

Custom reports.

And ….. cross-tenant support! Yay! This is a big deal for partners. It's a Power BI solution: a content pack that you import, which ingests Azure Backup reporting data from a storage account.

Once you set this up, it takes up to 24 hours to get data moving, and then it’s real-time after that.

Roadmap

Cloud resources:

  • Azure VM backup: Standard SSD, resource improvements, 16+ disks, cross-region support
  • Azure Files backup: Premium Files, 5 TB+ shares, ACLs, secondary backups
  • Workloads: SAP HANA, SQL in Azure VM GA

Availability Zones:

  • ZRS
  • Recovery from cross-zone backups

And more that I couldn’t grab in time.

Microsoft Ignite 2018–Azure Compute

Speaker: Corey Sanders

95% of Fortune 500 building on Azure. Adobe is building on open source – one of the biggest PostgreSQL customers. NeuroIntiative using GPUs to simulate drug tests for treatments for Alzheimer’s.

There’s no one way to use Azure. Find the bits you want to use and deploy them in a good way that suits.

Infrastructure for Every Workload

54 announced regions. Availability Zones in US, Europe, and Asia, more regions coming soon.

New VM Portfolio

NDv2: 8 x NVIDIA Tesla V100 NVLINK GPUs, 40 Intel Skylake cores, 672 GB RAM. For AI, ML, and HPC workloads.

NVv2: Tesla M60 GPU, Premium SSD support, up to 448 GB RAM. For CAD, gaming, and 3D design.

HB: Highest memory bandwidth in the cloud. 60 AMD EPYC cores, 100 Gbps InfiniBand. For memory-bandwidth-intensive HPC workloads.

HC: Up to 3.7 GHz clock speed. 44 Intel Skylake cores, 100 Gbps InfiniBand. For CPU-intensive HPC workloads.

Storage

200 trillion objects. 160 trillion transactions per month.

Standard SSD is GA. Ultra SSD in preview – sub millisecond latency, up to 160,000 IOPS and 2,000 MB/s throughput.

A demo of Ultra SSD. He opens an E64s_v3 VM with an Ultra SSD and runs IOMETER: nearly 80,000 IOPS at 0.6 millisecond latency. That's a single disk! Now for demo 2 with a new VM type. He runs IOMETER and gets 161,000 IOPS on a single Ultra SSD without striping or caching, with durable writes. Double the performance of the competition.

There will be a single VM SLA for VMs running Ultra SSD.

Networking

100,000 miles of fibre to connect the 54 regions with 130+ edge sites.

ExpressRoute Global Reach lets you connect your ExpressRoute circuits together, so you can use the Microsoft WAN as your WAN. Virtual WAN is GA. Front Door uses those edge sites as a globally available, secure entry point to web services in Azure. And Azure ExpressRoute Direct offers 100 Gbps connections into Azure.

SAP

24 TB RAM physical machines. 12 TB RAM VMs on the way. 20+ certified solution architectures on Azure.

Containers

Reasons:

  • Agility
  • Portability
  • Density
  • Rapid Scale

A new feature in Kubernetes (K8s), called Virtual Node, allows burst capacity based on Azure Container Instances (ACI). The virtual node appears to the cluster as a node but is not a VM you run: pods scheduled onto it run as ACI container groups, so when demand spikes you get per-second billing for the burst instead of waiting for new VM nodes.

Hybrid

Microsoft offers the only true consistent hybrid experience. Azure Stack, DevOps, data, AD, and security/management.

A key piece of this is Windows Server 2019, which has hybrid built in. Hybrid: Azure Backup, ASR, Storage Migration Services, Azure Network Adapter

Erin Chapple comes out to demo Windows Admin Center.

Windows Server 2008/R2

End of support comes in January 2020 for Windows Server 2008/R2, and on July 9, 2019 for SQL Server 2008/R2. If you migrate these to Azure, you get 3 years of free extended security updates; you have to pay for them if you stay on-premises.

Edge

Microsoft has announced availability of the first Azure Sphere dev kit.

Data Box Edge is also announced. You can pre-process data on-prem before moving it to the cloud. It has FPGAs (or whatever) built in.

Azure Stack will support more nodes in the coming weeks. Event hubs and Blockchain deployment coming in preview this year.

Security & Management

Starts with the physical and software security of Azure and extends out to the edge and on-premises. 1.2 billion devices and 750,000 user authentications offer a lot of data for analysis.

  • 85+ compliance offerings.
  • 40+ industry specific regulated offerings
  • Trusted, responsible, and inclusive cloud

New announcements:

  • Confidential computing: a new DC-series of VMs. Data is protected even from Azure while it is being processed by the CPU (Intel SGX enclaves).
  • Azure Firewall is GA.
  • Azure Security Center improvements.

Governance

Governance normally restricts and slows things down; Azure Policy doesn't slow you down. A new addition, Blueprints, defines known and trusted deployments so that DevOps can deploy a blueprint and stay within the guardrails. A blueprint is an ARM template plus Policy, resource group(s), and RBAC assignments.

In a demo, we see a new Azure Policy feature – the ability to remediate variance.

Migration

Gary Downy, CTO of JB Hunt, comes on stage. JB Hunt is a trucking company that also does last-mile and rail transport, facing disruptive technologies such as driverless vehicles and a shortage of drivers. They had on-prem systems, but they wouldn't scale with the business. Now they use Azure DevOps, Git, and Kubernetes for most of their systems.

Start with assessment. Then migrate. Then optimize and transition into management & security (ownership).

Tools:

  • Azure Migrate now supports Hyper-V and VMware.
  • Azure Database Migration Service, which does Azure SQL, MySQL, PostgreSQL, and MongoDB.

 

Microsoft Ignite 2018–Azure Keynote

I am live blogging this session. Please press refresh to see more.

Speakers: Scott Guthrie, Julia White, and probably a cast of others.

Julia White

She repeats some stuff we’ve already heard.

Scott Guthrie

The man in charge of Azure and Windows Server comes out. You can use entry level, burstable machines. There are big machines for high end, and hardware-enhanced machines.

Storage

New disk option, Ultra SSD, delivers twice the performance of the next competitor, and scales up to 64,000 and 160,000 IOPS with sub-millisecond latency.

4500 peering locations and 10,000,000+ miles of fibre networking in the Microsoft WAN. ExpressRoute offering speeds up to 100 Gbps, which is industry leading. Front Door is a new service to give you a secure global entry point for globally distributed apps. It uses Azure’s intelligent routing and offers CDN. Azure WAN and Azure Firewall are also GA.

Azure Data Box, the secure ruggedized disk appliance, is GA and has some new options. Heavy expands from the normal 100 TB to 1 PB of capacity. Edge is a new category of appliance for using data locally while it is stored in the cloud; it has offline capabilities.

There is purpose-built hardware in Azure for NetApp, Cray, and SAP. 24 TB RAM bare-metal machines for SAP. 12 TB RAM VMs coming soon.

Windows Server 2019

Windows Server 2019 is announced; bits coming in October. Native hybrid cloud features. New security enhancements, including Defender Threat Protection. Better container images and app compat. Lower-cost storage with Storage Spaces Direct.

Windows Virtual Desktop

Windows 10 multi-user support for this new MS-hosted Windows 10 solution. It appears to be O365-licensed with Azure VM consumption. Reserved Instances (RI) can be applied for discounts. In the end, it's just RDS.

Azure Stack

On-prem Azure, with the usual explanations. Available in 92 countries via the 5 partners. Video and demo of a mini ruggedized Azure Stack kit from Dell for disaster relief and similar tough-environment scenarios, using drones as recon devices with edge AI. Next up, an engineer with a HoloLens goes "on site"; a remote expert can see what she sees and help her do the work. It ties in with Dynamics to find and recommend an expert.

Linux

Red Hat is one of their "deepest partners". A joint OpenShift on Azure offering is coming to Azure Stack.

Security + Management

Azure Security Center (ASC) is the central dashboard for managing security in Azure and in hybrid environments. A new Secure Score is being surfaced through ASC to measure your deployments.

Blueprints are being announced. It’s a combination of ARM template, resource group, RBAC, and Policy in one “template” that you associate with a management group.

Julia White came back out with a Walmart guy to do chat show time. Yawn.

Azure Migrate

It now supports Hyper-V.

Azure Learn

Free step-by-step tutorials. Hands-on learning and coding environments. Knowledge checks and achievements.

Serverless Based Computing

Built-in HA, security, and patching by MS.

Jeff Hollan comes out to do a demo of app migration/modernization. In Visual Studio, he clicks a menu to add Docker support to an existing code base; he can choose Windows or Linux containers. VS builds a Docker container to run the application and runs it on his PC for live debugging. He sets a breakpoint and, while the container is running, steps through the code in VS. It can be published to K8s from VS too. A dashboard built from tens of thousands of data sources requires batch jobs; to make it live, he uses Functions v2.0, GA today in Azure. It offers twice the performance of Functions v1.0. As serverless, it can scale to the tens of thousands of instances that happen every second.

GitHub

Largest developer community in the world: 28 million unique developers and 85 million code repositories. It will be allowed to stay open and independent.

Azure DevOps

Next gen VSTS. Boards, Pipelines, Test Plans, Artifacts, Lab Services, and Repos – all in Azure.

Data & AI

SQL Server 2019 public preview is available. It leverages hardware acceleration. Data classification and labelling, e.g. for GDPR. Data masking and hardware encryption.

Azure SQL Managed Instances GA.

Cosmos DB is one of the fastest growing services in Azure. I am not surprised – the scale and HA are fantastic. All the APIs are GA. Multi-master write support (now GA) with anti-entropy makes it easier to build widely dispersed, planet-scale apps. Reserved Capacity will reduce costs by up to 65%. A new lower-cost entry option for smaller databases is announced.

A new analytics service, Azure Data Explorer, for exploring and querying structured and unstructured data. It can query live data such as log telemetry, and scales from GBs to PBs.