Spark the future.
May 4 – 8, 2015, Chicago, IL
Taking a Deep Dive into Microsoft Azure IaaS Capabilities
Drew McDaniel (Azure Program Manager), Mahesh Thiagarajan (Azure Program Manager)
BRK3505
Agenda
What is IaaS and IaaS v2
IaaS templates
Security and cost mgmt.
Complex application templates
Debugging deployments
Unified Azure Stack
Overview of Virtual Machine Services
Compute resources: virtual machines, VM extensions
Storage resources: storage accounts (blobs)
Networking resources: virtual networks, network interface cards (NICs), load balancers, IP addresses, Network Security Groups
Management models for IaaS: Classic Model (v1) and Resource Manager (v2)
[Diagram: in the Classic Model (v1) a Cloud Service holds the VM with its IP address, with the disk (blob) in a Storage Account and the VM placed in a Virtual Network subnet. In Resource Manager (v2) a Resource Group holds the VM, its NIC and IP address, a Load Balancer with its own IP address and a backend pool of NICs, a Network Security Group, the VNet/Subnet and the Storage Account holding the disk (blob); resources are linked by DependsOn and Reference relationships. Coming soon: Gateways (VPN), ExpressRoute.]
Premium Storage
Up to 32 TB of storage per VM
64,000 IOPS per VM
50,000 IOPS per disk
~5 ms read/write (no cache)
Less than 1 ms read latency (cache)
[Diagram: a Virtual Machine with an uncached disk, a cached disk and a local disk; labels: Disk Provisioning, SSD Provisioning, Premium Storage Blobs, VM/Network Provisioning, Server SSD, Cache Hit, Cache Miss. Throughput figures shown: 5k IOPS, 200 MB/s (twice); 4k IOPS, 32 MB/s; 3,200 IOPS, 32 MB/s, for a Standard_DS1 and a Standard_DS1 with 2 P30 disks.]
Virtual machine building blocks
OS & data disk images: Windows base OSs, Linux base OSs, pre-installed applications, community images
VM Extensions: security, deployment, configuration, others
• Visual Studio debuggers
• Diagnostics agents
• Monitoring agents
• Access recovery
• Docker extension
• Backup helper
Demo: Deploy 40 VM application tier
Resource Groups
Manage resources as a single unit
Role-based access control (RBAC) on groups or resources
Billing integrated tagging on groups or resources
Resource Groups
Single or multiple resource groups?
[Diagram: a Single Resource Group holding Front End VMs, Back End VMs, the Virtual Network and the Storage Account together, versus Multiple Resource Groups: RG1: Storage Account, RG2: Virtual Network, RG3: Front End VMs, RG4: Back End VMs.]
Azure Templates can:
• Ensure idempotency
• Simplify orchestration
• Simplify roll-back
• Provide cross-resource configuration and update support
Azure Templates are:
• A source file, checked in
• A specification of resources and dependencies (VMs, websites, DBs) and connections (config, LB sets)
• Parameterized input/output
Instantiation of repeatable configuration
[Diagram: Power of Repeatability. A Configuration is instantiated into a Resource Group containing SQL-A, a Website and Virtual Machines (2x); the Website and the VMs depend on SQL and carry the SQL config.]
Key Improvements: Azure Virtual Machines (v2)
Massive and parallel deployment of Virtual Machines
3 Fault Domains in Availability Sets
Custom URLs for Custom Script VM Extensions for VMs
SSH-2 RSA Format Support for SSH keys for Linux VMs
Azure Key Vault
• Increased security over keys
• Applications get no direct access to keys
• Level 2 certified HSMs
Azure Key Vault Integration with Virtual Machines
Create Azure Key Vault
Reference Certificates
Push Keys to Key Vault
Simplified Manageability of Applications on IaaS
Upgrade
• Complexity made simple
• A master template can be used to roll out upgrades
• Imperative APIs and client tools support updating resources
Manageability, Auditing
• Operations can be tracked for up to 90 days
• Management locks lock down resources against deletion
Wide range of Quickstart Templates
Indexed on Azure.com; GitHub repo; community and Microsoft contributed
Integration of IaaS with Azure Services
Getting Started with Azure Templates
Demo: Simple IaaS Template
Enterprise Resource Management
Resource Tags
• Name-value pairs assigned to resources or groups
• Subscription-wide taxonomy
• Each resource can have up to 15 tags
Tagging Tips
• Notes: simple note for a VM
• Creator: track the “owner” of a VM
• Department/Cost center: who pays
• Environment: production vs. pre-production vs. test
Access Control: RBAC
What is RBAC
• Allows secure access with granular permissions to resources
• Assignable to users, groups or service principals
• Built-in roles make it easy to get started
Role Definitions
• describes the set of permissions (e.g. read actions)
• can be used in multiple assignments
Role Assignments
• associate role definitions with an identity (e.g. user/group) at a scope (e.g. resource group)
• always inherited – subscription assignments apply to all resources
Role Based Access Control
Granular Scopes
/subscriptions/{id}/resourceGroups/{name}/providers/…/virtualmachines/{vmname}
subscription level – grants permissions for all resources in the sub
resource group level – grants permissions for all resources in the group
resource level – grants permissions to the specific resource
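The scope hierarchy above (subscription, resource group, resource) and the rule that assignments are always inherited downwards can be modelled in a few lines. The following Python is an added example, not Azure's implementation: the role definitions, scope paths, principals and assignments are constructed samples, and the wildcard matching of action strings mirrors the pattern style of Azure actions ("*/read", "Microsoft.Compute/virtualMachines/*") using fnmatch. The broad_assignments helper goes a step beyond the slide: it lists subscription-scope assignments of an everything-wildcard role, the first thing to review when tightening to least privilege.

```python
"""Toy model of Azure RBAC scope inheritance and action matching.

Added example, not Azure code. Assumptions: scopes are ARM resource-ID paths
as shown on the slide; an assignment applies to any scope at or beneath its
own (subscription > resource group > resource); role definitions are
simplified samples whose action patterns use '*' wildcards as Azure's do.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed sample role definitions (real built-in roles carry many more actions).
ROLE_DEFINITIONS = {
    "Reader": ["*/read"],
    "Virtual Machine Contributor": ["Microsoft.Compute/virtualMachines/*",
                                    "Microsoft.Network/*/read"],
    "Owner": ["*"],
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str   # user, group or service principal
    role: str        # key into ROLE_DEFINITIONS
    scope: str       # subscription, resource group or resource path


def _segments(scope):
    """Split a scope path into lower-cased segments (scope matching is case-insensitive)."""
    return [s.lower() for s in scope.strip("/").split("/") if s]


def scope_applies(assignment_scope, target_scope):
    """True when target_scope equals assignment_scope or lies beneath it (inheritance)."""
    a, t = _segments(assignment_scope), _segments(target_scope)
    return len(a) <= len(t) and t[:len(a)] == a


def action_allowed_by(role, action):
    """Does any action pattern of the role match the requested action?"""
    return any(fnmatchcase(action.lower(), p.lower()) for p in ROLE_DEFINITIONS[role])


def effective_roles(assignments, principal, target_scope):
    """Roles a principal holds at target_scope, including ones inherited from above."""
    return sorted({a.role for a in assignments
                   if a.principal == principal and scope_applies(a.scope, target_scope)})


def is_permitted(assignments, principal, target_scope, action):
    """Authorization decision: any effective role whose patterns cover the action."""
    return any(action_allowed_by(r, action)
               for r in effective_roles(assignments, principal, target_scope))


def broad_assignments(assignments):
    """Least-privilege review: subscription-scope assignments of an everything-wildcard role."""
    return [a for a in assignments
            if len(_segments(a.scope)) == 2 and "*" in ROLE_DEFINITIONS[a.role]]


# Constructed sample scopes and assignments (placeholder subscription id).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_WEB = SUB + "/resourceGroups/prod-web"
VM_WEB = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/web01"
VM_DB = SUB + "/resourceGroups/prod-db/providers/Microsoft.Compute/virtualMachines/sql01"

ASSIGNMENTS = [
    RoleAssignment("auditor@contoso.example", "Reader", SUB),            # inherited everywhere
    RoleAssignment("web-team", "Virtual Machine Contributor", RG_WEB),   # one group only
    RoleAssignment("ops-admin", "Owner", SUB),                           # broad, worth reviewing
]

if __name__ == "__main__":
    print("web-team at web01:", effective_roles(ASSIGNMENTS, "web-team", VM_WEB))
    print("web-team at sql01:", effective_roles(ASSIGNMENTS, "web-team", VM_DB))
    print("auditor may start sql01:",
          is_permitted(ASSIGNMENTS, "auditor@contoso.example", VM_DB,
                       "Microsoft.Compute/virtualMachines/start/action"))
    print("broad:", [a.principal for a in broad_assignments(ASSIGNMENTS)])
```

The model makes the slide's two statements concrete: the Reader assignment at subscription scope reaches every VM in every group, while the resource-group assignment for web-team grants nothing in prod-db. Real Azure role definitions also carry NotActions, which this toy omits.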
Demo: Tagging and RBAC
Cost Management
Azure Cost Management
Usage API and RateCard API enable IT Financial Management (ITFM) of Azure.
Usage API – REST API that gives customers and partners programmatic access to Azure consumption data.
• Hourly and daily aggregations
• Azure 1st-party and 3rd-party (Azure Marketplace) data available
• Includes usage for all Azure offer types
• Includes resource tags
• Resource metadata (service, service type, ...) included
• Supports Azure RBAC
RateCard API – REST API that gives customers and partners programmatic access to all resource details and pricing for non-EA offers.
• Gets the list of all available Azure resources
• Localized resource metadata (service, service type, ...) available
• Included quantities available
• Support for graduated pricing as well as flat-rate pricing
• No support for EA offers
• Pre-tax rates
• Supports Azure RBAC
Reach out to the Azure Billing Feedback alias: [email protected]
[Chart: usage tagged by Division, with the divisions Arch & Design, Assembly, Engineering, Materials, Production Eng. and Shipping.]
Partner 1: Cloud Cruiser (booth #220): Simplify Your Cost Allocation with Azure Tags and Cloud Cruiser
Partner 2: Cloudyn (booth #4): Keeping your cost & usage under control
Demo: Usage Data
Complex Templates
Architecting Complex Applications on IaaS
Infrastructure
• Templates for different environments (e.g. Dev, Test, Prod)
• Orchestration of multiple infrastructure tiers (e.g. VMs, VNETs)
• Orchestration across multiple Azure resources (e.g. VMs, Websites)
In-VM Configuration
• Common scripts/recipes that can be shared across multiple VMs
• App-specific scripts that will be used for application setup
Template parameters shown: adminUserName, adminPassword, storageAccountname, region, virtualNetworkName, addressPrefix, subnetName, subnetPrefix, jumpbox, tshirtSize, osFamily
Architecting Complex Applications using Templates
SharePoint on Azure Virtual Machines (v2)
[Diagram: SharePoint farm topology with web front ends WFE1 and WFE2 behind WFE-LB, application servers App1 and App2 behind App Tier-LB, SQL1 and SQL2 behind a SQL internal LB with a Witness, AD1 and AD2 behind AD LB, and an Admin Site on port 2000.]
Template parameters shown: newStorageAccountName, adminUsername, adminPassword, adVMSize, assetLocation, sqlServerServiceAccountUserName, sharePointSetupUserAccountUserName, sharePointFarmAccountUserName, configDatabaseName, …, spSiteTemplateName
SharePoint on Azure Virtual Machines
Demo: SharePoint Farm Template
Debugging Templates
Debugging Overview
Template validation: use a tool with JSON validation (examples: Visual Studio, Atom with JSONLint, or others); leverage Test-AzureResourceGroupTemplate
Resource group logging: Portal: Browse > Resource Groups > <Group> > Events; PowerShell: Get-AzureResourceGroupLog; Azure CLI: azure group log show
Azure REST API Explorer: view individual resources as they are deployed: https://resources.azure.com
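JSON validation only tells you the template parses; the problems that surface as failed deployments are usually a dependsOn entry naming a resource that is not in the template, a parameters() reference to a parameter that was never declared, or a password passed as a plain string. The following Python is an added example, not Microsoft tooling: it runs those checks offline over a constructed, deliberately flawed template (the resource names, the placeholder schema URL and the findings are all made up for the example), and it derives the creation order Resource Manager would follow from the literal dependsOn edges, raising on a cycle. It serves both the Azure Templates slide (dependencies and parameterized input) and the template validation step above. Template expressions ("[...]") are not evaluated; dependsOn entries written as expressions are reported as unchecked rather than guessed at.

```python
"""Offline checks for an Azure Resource Manager (ARM) template.

Added example, not Microsoft tooling. Complements JSON validation and
Test-AzureResourceGroupTemplate with checks a reviewer wants before submitting
a deployment. Expressions ("[...]") are not evaluated.
"""
import json
import re

# Constructed sample template, deliberately flawed for the demonstration.
SAMPLE_TEMPLATE = r"""
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUserName": {"type": "string"},
    "adminPassword": {"type": "string"},
    "storageAccountName": {"type": "string"}
  },
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "[parameters('storageAccountName')]",
     "properties": {"accountType": "Standard_LRS"}},
    {"type": "Microsoft.Network/virtualNetworks", "name": "web-vnet"},
    {"type": "Microsoft.Network/networkInterfaces", "name": "web01-nic",
     "dependsOn": ["Microsoft.Network/virtualNetworks/web-vnet",
                   "Microsoft.Network/publicIPAddresses/web01-pip"]},
    {"type": "Microsoft.Compute/virtualMachines", "name": "web01",
     "location": "[parameters('region')]",
     "dependsOn": ["Microsoft.Network/networkInterfaces/web01-nic",
                   "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]"],
     "properties": {"osProfile": {"adminUsername": "[parameters('adminUserName')]",
                                  "adminPassword": "[parameters('adminPassword')]"}}}
  ]
}
"""

PARAM_REF = re.compile(r"parameters\('([^']+)'\)")
SECRET_HINT = re.compile(r"password|secret", re.IGNORECASE)


def load_template(text):
    return json.loads(text)


def resource_id(resource):
    """Literal 'type/name' key, the form dependsOn entries use."""
    return f"{resource['type']}/{resource['name']}"


def find_issues(template):
    """Return human-readable findings; an empty list means the checks passed."""
    issues = []
    for key in ("$schema", "contentVersion", "resources"):
        if key not in template:
            issues.append(f"missing top-level '{key}'")
    params = template.get("parameters", {})
    resources = template.get("resources", [])
    # Credential-like parameters must be securestring so values stay out of logs and history.
    for name, spec in params.items():
        if SECRET_HINT.search(name) and spec.get("type", "").lower() != "securestring":
            issues.append(f"parameter '{name}' should be securestring, is '{spec.get('type')}'")
    # Every parameters('x') reference inside resources must be declared.
    referenced = set(PARAM_REF.findall(json.dumps(resources)))
    for name in sorted(referenced - set(params)):
        issues.append(f"undeclared parameter referenced: '{name}'")
    # Every literal dependsOn target must be a declared resource.
    declared = {resource_id(r) for r in resources}
    for r in resources:
        for dep in r.get("dependsOn", []):
            if dep.startswith("["):
                issues.append(f"{r['name']}: dependsOn expression not checked: {dep}")
            elif dep not in declared:
                issues.append(f"{r['name']}: dependsOn target not declared: {dep}")
    return issues


def deployment_order(template):
    """Creation order implied by literal dependsOn edges (Kahn's algorithm); raises on a cycle."""
    resources = template.get("resources", [])
    ids = [resource_id(r) for r in resources]
    dependents = {i: [] for i in ids}   # dependency -> resources waiting on it
    indegree = {i: 0 for i in ids}
    for r, rid in zip(resources, ids):
        for dep in r.get("dependsOn", []):
            if dep in dependents:           # literal and declared
                dependents[dep].append(rid)
                indegree[rid] += 1
    ready = sorted(i for i in ids if indegree[i] == 0)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for nxt in dependents[current]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
        ready.sort()
    if len(order) != len(ids):
        raise ValueError("cyclic dependsOn among: " + ", ".join(i for i in ids if i not in order))
    return order


if __name__ == "__main__":
    tpl = load_template(SAMPLE_TEMPLATE)
    for issue in find_issues(tpl):
        print("ISSUE:", issue)
    print("order:", deployment_order(tpl))
```

Run against the sample it reports four findings: adminPassword typed string, the undeclared region parameter, the missing public IP resource, and the concat() dependency it could not evaluate. The same pass is cheap to run in a pre-commit hook for the checked-in template file the slides recommend, before Test-AzureResourceGroupTemplate and the real deployment see it.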
Demo: Template Debugging
Consistent Management Layer
Curated Extensions
Summary
Virtual Machines service with Resource Manager: faster scalability, larger overall deployments, ability to make parallel configuration changes
Templates further simplify IaaS: one-click deployment of the most complex applications, repeatable deployments with “config as code”
Delegation and management with RBAC and tagging: RBAC through AAD users or groups, billing-integrated tagging
Unified Azure Stack
Related Sessions (session code: title, time)
BRK3450: Microsoft Azure Marketplace: Images, Extensions, Docker and More (Tuesday, May 5, 10:45AM)
BRK2491: Getting Started with Microsoft Azure IaaS (Tuesday, May 5, 1:30PM)
BRK3473: Introducing Microsoft Azure DNS (Tuesday, May 5, 1:30PM)
BRK2707: Roles Based Access Control for Microsoft Azure (Tuesday, May 5, 3:15PM)
BRK3124: SharePoint 2013 and Azure IaaS: Better Together (Tuesday, May 5, 3:15PM)
BRK3178: Exchange on IaaS: Concerns, Tradeoffs and Best Practices (Tuesday, May 5, 3:15PM)
BRK3733: Deploying Hyper Scale Application on Microsoft Azure (Wednesday, May 6, 9:00AM)
BRK3705: Running Large Scale Batch and High Performance Computing Applications with Azure Batch (Wednesday, May 6, 1:30PM)
BRK3480: Java on Microsoft Azure: What’s New along with Tips, Tricks and Tools (Wednesday, May 6, 3:15PM)
BRK3725: Deploying and Running Linux and Non Microsoft Solutions Stack on Azure (Wednesday, May 6, 3:15PM)
BRK4453: Deploying, Organizing and Securing Applications with the Azure Resource Manager (Wednesday, May 6, 5:00PM)
BRK3722: Managing Linux and Windows on Microsoft Azure with Chef (May 7th, 9:00AM)
BRK3470: Virtual Networking and Security in Microsoft Azure (May 7th, 9:00AM)
BRK3702: Running Docker Containers on Microsoft Azure (May 7th, 10:45AM)
BRK4379: Azure for IaaS on Azure Pack (May 7th, 1:30PM)
BRK4700: Unleashing Microsoft Azure Networking APIs (May 7th, 3:15PM)
BRK1454: Hybrid Partnerships: Enabling On-Premises Scenarios in Microsoft Azure (May 7th, 3:15PM)
BRK4450: Understanding Which Workloads are Ideal for Azure Premium Storage (May 7th, 5:00PM)
BRK3452: Running Linux in Microsoft Azure (Friday, May 8th, 10:45AM)
Appendix
Datacenter extension reference architecture diagram
Finding all the information to learn how to extend your on-premises datacenter infrastructure to Azure can be time-consuming.
Save time by downloading and using the interactive diagram today from http://aka.ms/derad.
Watch the 45 minute walkthrough video at http://aka.ms/derad-video.
Mouse hovers expose detailed information about each object.
Mouse clicks on most objects open detailed design or implementation articles about them.
Includes cross Azure subscription and virtual network connections, as well as connecting them to an on-premises network.
Ignite Azure Challenge Sweepstakes
Attend Azure sessions and activities, track your progress online, win raffle tickets for great prizes!
Aka.ms/MyAzureChallenge
Enter this session code online: BRK3505
NO PURCHASE NECESSARY. Open only to event attendees. Winners must be present to win. Game ends May 9th, 2015. For Official Rules, see The Cloud and Enterprise Lounge or myignite.com/challenge
Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.
Please evaluate this session
Your feedback is important to us!
© 2015 Microsoft Corporation. All rights reserved.