Spark the future.

May 4 – 8, 2015Chicago, IL

Taking a Deep Dive into Microsoft Azure IaaS CapabilitiesDrew McDaniel (Azure Program Manager)Mahesh Thiagarajan (Azure Program Manager)

BRK3505

Agenda

What is IaaS and IaaS v2

IaaS templates

Security and cost mgmt.

Complex application templates

Debugging deployments

Unified Azure Stack

Overview of Virtual Machine ServicesCompute resourcesVirtual machinesVM extensions

Storage resourcesStorage accounts (blobs)

Networking resourcesVirtual networksNetwork interface cards (NICs)Load balancersIP addressesNetwork Security Groups

Management models for IaaSClassic Model (v1) Resource Manager (V2)

Storage Account

Virtual Network

Cloud Service

Subnet-1Disk (blob)

VM w/ IP

Address

Resource Group

VM NICVM IP

Address

Load Balancer w/ IP

Address Load Balanc

er

DependsOn

ReferenceReference

Backend Pool (NICs)

LB IP Addres

s

Reference

Coming Soon…Gateways (VPN)ExpressRoute

Network Security Group

VNetSubnet

Storage

Account

Disk (blob)

ReferenceReference

Premium Storage

Up to 32 TB of storage per VM

64,000 IOPS per VM

50,000 IOPS per disk

~5 ms read/write (no cache)

less than 1ms read latency (cache)

Virtual Machine

Uncached

Disk

CachedDisk

LocalDisk

Disk Provisioning

Disk Provisioning

SSD Provisioning

Premium Storage Blobs

VM/Network Provisioning ServerSSD

Cache HitCache Miss

5k IOPS, 200MB/s

5k IOPS, 200MB/s

4k IOPS, 32MB/s

3,200 IOPS, 32MB/s

Standard_DS1

Standard_DS1 with 2 P30 Disks

Virtual machine building blocksOS & data disk imagesWindows base OSsLinux base OSsPre-installed applicationCommunity images

VM ExtensionsSecurityDeploymentConfigurationOthers

• Visual Studio debuggers• Diagnostics agents• Monitoring agents• Access recovery• Docker extension• Backup helper

Demo: Deploy 40 VM application tier

Resource Groups

Manage resources as a single unit

Role based access and control (RBAC) on groups or resources

Billing integrated tagging on groups or resources

Resource Groups

RESOURCE GROUP

Single Resource Group

Single or multiple resource groups?

Front End VMs

Back End VMs

Virtual Network

Storage Account

RG3: Front End VMs

RG4: Back End VMs

RG2: Virtual

Network

RG1:Storage Account

Multiple Resource Groups

Azure Templates can:• Ensure Idempotency

• Simplify Orchestration

• Simplify Roll-back

• Provide Cross-Resource Configuration and Update Support

Azure Templates are: • Source file, checked-in

• Specifies resources and dependencies (VMs, WebSites, DBs) and connections (config, LB sets)

• Parametized input/output

Instantiation of repeatable config.Configuration Resource Group

Power of Repeatability

SQL - A Website VirtualMachines

SQL-AWebsite[SQL CONFIG] VM (2x)

DEPENDS ON SQLDEPENDS ON SQL

SQLCONFIG

Key Improvements: Azure Virtual Machines (v2)

Massive and parallel deployment of Virtual Machines

3 Fault Domains in Availability Sets

Custom URLs for Custom Script VM Extensions for VMs

SSH-2 RSA Format Support for SSH keys for Linux VMs

Azure Key Vault Increased Security

over Keys Applications get no

direct access to Keys Level 2 Certified

HSMs

Azure Key Vault Integration with Virtual Machines

Create Azure Key Vault

Reference Certificates

Push Keys to Key Vault

Simplified Manageability of Applications on IaaS

Upgrade

• complexity made simple

• master template can be used to rollout upgrades

• imperative APIs, client tools support to update resources

Manageability, Auditing

• operations can be tracked upto 90 days

• management Locks to lock down resources from deletion

Wide range of Quickstart Templates

Indexed on Azure.com Github Repo Community & Microsoft contributed

Integration of IaaS with Azure Services

Getting Started with Azure Templates

Demo: Simple IaaS Template

Enterprise Resource Management

Resource Tags Name-value pairs assigned to resources

or groups Subscription-wide taxonomy Each resource can have up to 15 tags

Tagging Tips• Notes: Simple note for VM• Creator: track the “owner” of a VM• Department/Cost center: who pays• Environment: production vs. pre-production

vs. test

Access Control: RBAC

What is RBAC

allows secure access with granular permissions to resources

assignable to users, groups or service principals

built-in roles make it easy to get started

20

Role Definitions

• describes the set of permissions (e.g. read actions)

• can be used in multiple assignments

Role Assignments

• associate role definitions with an identity (e.g. user/group) at a scope (e.g. resource group)

• always inherited – subscription assignments apply to all resources

Role Based Access Control

Granular Scopes

/subscriptions/{id}/resourceGroups/{name}/providers/…/virtualmachines/{vmname}

subscription level – grants permissions for all resources in the sub

resource group level – grants permissions for all resources in the group

resource level – grants permissions to the specific resource

Demo: Tagging and RBAC

Cost Management

Azure Cost Management

Usage API and RateCard API enable IT Financial Management (ITFM) of Azure.

Usage API – REST API to provide customers and partners programmatic access to azure consumption data.

• Hourly and Daily aggregations

• Azure 1st party and 3rd party (Azure Marketplace) data available

• Includes usage for all Azure offer types

• Includes resource tags• Resource metadata (service,

service type..) included• Supports Azure RBAC

RateCard API – REST API to provide customers and partners programmatic access to all resource details and pricing for non-EA offers.

• Gets list of all available Azure resources

• Localized Resource metadata (service, service type..) available

• included quantities available• Support for graduated pricing as well

as flat rate pricing• No support for EA offers• Pre-tax rates• Supports Azure RBAC

Reach out to the Azure Billing Feedback alias: azurebillingfeed@microsoft.com

Division

Arch & Design

Assembly

Engineering

Materials

Production Eng.

Shipping

Tag by

Divisio

n

Partner 1: Cloud Cruiser (booth# 220)Simplify Your Cost Allocation with Azure Tags and Cloud Cruiser

Partner 2: Cloudyn (booth# 4)Keeping your cost & usage under control

Demo: Usage Data

Complex Templates

Architecting Complex Applications on IaaS

Infrastructure

• Templates for different environments (eg: Dev, Test, Prod)

• orchestration of multiple infrastructure tiers (eg: VMs, VNETs)

• orchestration across multiple azure resources (eg: VMs, Websites) In-VM Configuration

• common scripts/recipes that can be shared across multiple VMs

• app-specific scripts that will be used for application setup

adminUserName

adminPassword

storageAccountname

region

virtualNetworkName

addressPrefix

subnetName

subnetPrefix

jumpbox

tshirtSize

osFamily

Architecting Complex Applications using Templates

SharePoint on Azure Virtual Machines (v2)

WFE1

WFE2

WFE-LB

App1

App2

App Tier-LB

SQL1

SQL2

SQLInternal LB

AD1

AD2

AD LB

Witness

Admin Site, Port 2000

newStorageAccountName

adminUsername

adminPassword

adVMSize

assetLocation

sqlServerServiceAccountUserName

sharePointSetupUserAccountUserName

sharePointFarmAccountUserName

configDatabaseName

…

spSiteTemplateName

SharePoint on Azure Virtual Machines

Demo: SharePoint Farm Template

Debugging Templates

Debugging OverviewTemplate validationUse tool with JSON validation (Examples: Visual Studio, Atom w/ JSONLint, or others )Leverage Test-AzureResourceGroupTemplate

Resource group loggingPortal: Browse Resource Groups <Group> EventsPowerShell: Get-AzureResourceGroupLogAzure CLI: azure group log show

Azure Rest API ExplorerView individual resources as they are deployed: https://resources.azure.com

Demo: Template Debugging

Consistent Management Layer

Curated Extensio

ns

SummaryVirtual Machines service with Resource ManagerFaster Scalability, Larger overall deploymentsAbility to make parallel configuration changes

Templates further simplify IaaSOne-click deployment of the most complex applicationsRepeatable deployments with “config as code”

Delegation and management with RBAC and taggingRBAC through AAD users or groupsBilling integrated tagging

Unified Azure Stack

Related SessionsSession Code

Title Time

BRK3450 Microsoft Azure Marketplace: Images, Extensions, Docker and More

Tuesday, May 5, 10:45AM

BRK2491 Getting Started with Microsoft Azure IaaS Tuesday, May 5, 1:30PM

BRK3473 Introducing Microsoft Azure DNS Tuesday, May 5, 1:30PM

BRK2707 Roles Based Access Control for Microsoft Azure Tuesday, May 5, 3:15PM

BRK3124 SharePoint 2013 and Azure IaaS: Better Together Tuesday, May 5, 3:15PM

BRK3178 Exchange on IaaS: Concerns, Tradeoffs and Best Practices

Tuesday, May 5, 3:15PM

BRK3733 Deploying Hyper Scale Application on Microsoft Azure Wednesday, May 6, 9:00AM

BRK3705 Running Large Scale Batch and High Performance Computing Applications with Azure Batch

Wednesday, May 6, 1:30PM

BRK3480 Java on Microsoft Azure: What’s New along with Tips, Tricks and Tools

Wednesday, May 6, 3:15PM

BRK3725 Deploying and Running Linux and Non Microsoft Solutions Stack on Azure

Wednesday, May 6, 3:15PM

Related SessionsSession Code

Title Time

BRK4453 Deploying, Organizing and Securing Applications with the Azure Resource Manager

Wednesday, May 6, 5:00PM

BRK3722 Managing Linux and Windows on Microsoft Azure with Chef

May 7th, 9:00AM

BRK3470 Virtual Networking and Security in Microsoft Azure May 7th, 9:00AM

BRK3702 Running Docker Containers on Microsoft Azure May 7th, 10:45AM

BRK4379 Azure for IaaS on Azure Pack May 7th, 1:30PM

BRK4700 Unleashing Microsoft Azure Networking APIs May 7th, 3:15PM

BRK1454 Hybrid Partnerships: Enabling On-Premises Scenarios in Microsoft Azure

May 7th, 3:15PM

BRK4450 Understanding Which Workloads are Ideal for Azure Premium Storage

May 7th, 5:00PM

BRK3452 Running Linux in Microsoft Azure Friday, May 8th, 10:45AM

Appendix

Datacenter extension reference architecture diagram

Save time by downloading and using the interactive diagram today from http://aka.ms/derad.

Watch the 45 minute walkthrough video at http://aka.ms/derad-video.

Mouse hovers expose detailed information about each object.

Finding all the information to learn how to extend your on-premises datacenter infrastructure to Azure can be time-consuming.

Mouse clicks on most objects open detailed design or implementation articles about them.

Includes cross Azure subscription and virtual network connections, as well as connecting them to an on-premises network.

Ignite Azure Challenge Sweepstakes

Attend Azure sessions and activities, track your progress online, win raffle tickets for great prizes!

Aka.ms/MyAzureChallenge

Enter this session code online: BRK3505

NO PURCHASE NECESSARY. Open only to event attendees. Winners must be present to win. Game ends May 9th, 2015. For Official Rules, see The Cloud and Enterprise Lounge or myignite.com/challenge

Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.

Please evaluate this sessionYour feedback is important to us!

© 2015 Microsoft Corporation. All rights reserved.