Azure News 2017 – Week 38

AAD Managed Service Identity, B-Series burstable VMs, and Web App for Containers and Azure App Service on Linux are all in Azure News this week, which catches up on the last two weeks in one bundle. All on the Need to Know podcast.

Introducing Azure AD Managed Service Identity

A common challenge in cloud development is managing the credentials used to authenticate to cloud services and keeping those credentials out of code. The Azure Active Directory Managed Service Identity (MSI) preview addresses this: MSI gives your code an automatically managed identity for authenticating to Azure services, so that credentials are kept out of code.

What is Managed Service Identity?

Your code needs credentials to authenticate to cloud services, but you want to limit the visibility of those credentials as much as possible. Azure Key Vault can store credentials securely so they aren’t in your code, but to retrieve them you need to authenticate to Azure Key Vault, and for that you need a credential: a classic bootstrap problem.

With Azure and Azure AD working together, MSI provides that “bootstrap identity”.

When you enable MSI for an Azure service like Virtual Machines, App Service, or Functions, Azure creates a Service Principal for the instance of the service in Azure AD and injects the credentials (client ID and certificate) for the Service Principal into the instance of the service.
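As an added example (not code from the original post or from Microsoft), the following Python shows the bootstrap in practice: the code asks the instance's MSI endpoint for a token and uses that token to read a Key Vault secret, with no credential stored in code or configuration. It assumes the App Service MSI preview endpoint (exposed through the MSI_ENDPOINT and MSI_SECRET environment variables with api-version 2017-09-01) and the Key Vault REST API; the `http` parameter is an injectable transport so the flow can be exercised offline with a fake.

```python
import json
import os
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed for this example: App Service's MSI preview exposes a local token
# endpoint through the MSI_ENDPOINT and MSI_SECRET environment variables.
# The code below never holds a client secret or certificate; it only asks
# the platform for a short-lived bearer token scoped to a single resource.
MSI_API_VERSION = "2017-09-01"
KEYVAULT_RESOURCE = "https://vault.azure.net"
KEYVAULT_API_VERSION = "2016-10-01"


def default_http(req):
    """Real transport: send the request and return the decoded JSON body."""
    with urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


def get_msi_token(resource, http=default_http, env=os.environ):
    """Ask the instance's MSI endpoint for an access token for `resource`."""
    query = urlencode({"resource": resource, "api-version": MSI_API_VERSION})
    url = env["MSI_ENDPOINT"] + "?" + query
    # The Secret header proves the caller is code running inside this instance;
    # it is injected by the platform, not stored by the application.
    req = Request(url, headers={"Secret": env["MSI_SECRET"]})
    body = http(req)
    if body.get("token_type") != "Bearer" or not body.get("access_token"):
        raise ValueError("unexpected MSI token response: %r" % body)
    return body["access_token"]


def get_keyvault_secret(vault_name, secret_name, http=default_http, env=os.environ):
    """Read a Key Vault secret using only the MSI-issued token."""
    token = get_msi_token(KEYVAULT_RESOURCE, http=http, env=env)
    url = "https://%s.vault.azure.net/secrets/%s?api-version=%s" % (
        vault_name, secret_name, KEYVAULT_API_VERSION)
    req = Request(url, headers={"Authorization": "Bearer " + token})
    return http(req)["value"]
```

Only the short-lived token ever reaches the application, and it is bound to one resource, so a leaked process dump or log line exposes far less than a stored client secret would.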

More Info.

Introducing Azure confidential computing

Microsoft Azure is the first cloud to offer new data security capabilities with a collection of features and services called Azure confidential computing. Confidential computing offers a protection that has previously been missing from public clouds: encryption of data while in use. This means that data can be processed in the cloud with the assurance that it is always under customer control. It protects data against threats such as:

  • Data that is accessed while in use, either through administrative accounts, or by leveraging compromised keys to access encrypted data
  • Malicious insiders with administrative privilege or direct access to hardware on which it is being processed
  • Hackers and malware that exploit bugs in the operating system, application, or hypervisor

With Azure confidential computing, your data in Azure is safe in transit and at rest; however, when data is “in the clear,” which is required for efficient processing, the data is protected inside a Trusted Execution Environment (TEE, also known as an enclave). TEEs ensure there is no way to view the data or the operations inside from the outside, and if the code is altered or tampered with, the operations are denied and the environment is disabled.

Trusted Execution Environment

Microsoft is announcing the use of confidential computing for Azure SQL Database and SQL Server.

You can try out Azure confidential computing through the Early Access program.

More Info.

Introducing B-Series, our new burstable VM size

Now in preview is the B-Series of Azure Virtual Machines, a new Azure VM family that provides the lowest cost of any existing size, with flexible CPU usage. For some web servers and similar environments, CPU demand can be very bursty: these workloads run for a long time using a small fraction of the available CPU performance and then spike to needing the full power of the CPU because of incoming traffic or required work.

With Azure’s current VM sizes, while running in these low points, you are still paying for the full CPU, just so that you can handle the high and bursty points.

The B-Series offers a cost-effective way to deploy these workloads that do not need the full performance of the CPU continuously, while still accommodating the bursts. While a B-Series VM is running at low resource utilisation, the instance builds up credits. When the VM has accumulated enough credit and usage demand increases, resource utilisation can burst up to 100% of the vCPU.

These VM sizes allow you to pay and burst as needed (using Intel® Haswell 2.4 GHz E5-2673 v3 processors or better). This level of control gives you a great deal of cost flexibility.

As an example, the B VM family size Standard_B8ms has 8 CPUs with 135% baseline performance shared across all 8 CPUs. If your application uses 4 of the 8 cores for batch processing and each of those 4 CPUs is running at 30% utilisation, you are only using half of the CPUs, which works out to 15% utilisation averaged across all the CPUs, so the VM CPU performance left over would be 120%. This means your VM would be building credit based on the delta between the 15% utilisation and the 135% baseline performance. When you have credits available, the same VM can use 100% of all 8 CPUs, giving you a maximum CPU performance of 800%.
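The credit arithmetic above, as an added example that is not part of the original post or of Microsoft's documentation: it reproduces the Standard_B8ms figures (8 vCPUs, 135% baseline, 4 cores at 30% giving 15% utilisation and 120% headroom, 800% maximum burst) and then simulates banking and spending credits over a workload. The credit model is an assumption for the example: one credit equals 100% of one vCPU for one minute, the VM banks (baseline minus utilisation)/100 credits per minute below baseline, spends the same amount above it, and is held to baseline once the bank is empty; the 1944-credit cap is assumed to be 24 hours of idle accrual.

```python
from dataclasses import dataclass


@dataclass
class BSeriesSize:
    name: str
    vcpus: int
    baseline_pct: float   # baseline performance shared across all vCPUs
    max_credits: float    # cap on banked credits (assumed: 24h of idle accrual)

    @property
    def max_burst_pct(self):
        # With credits in the bank every vCPU can run at 100%.
        return 100.0 * self.vcpus


def aggregate_utilisation_pct(size, busy_cores, per_core_pct):
    """Spread the busy cores' load across the whole VM (4 cores at 30% of 8 -> 15%)."""
    return busy_cores * per_core_pct / size.vcpus


def headroom_pct(size, util_pct):
    """Baseline performance left over, which is what earns credits."""
    return size.baseline_pct - util_pct


def simulate(size, phases, credits=0.0):
    """Run (minutes, util_pct) phases; return (credits left, minutes throttled).

    Assumed model: one credit is 100% of one vCPU for one minute, so each minute
    banks (baseline - utilisation)/100 credits below baseline and spends the same
    amount above it; with an empty bank the VM is held to its baseline instead.
    """
    throttled = 0
    for minutes, util in phases:
        if util > size.max_burst_pct:
            raise ValueError("utilisation above %s%%" % size.max_burst_pct)
        for _ in range(minutes):
            delta = (size.baseline_pct - util) / 100.0
            if delta >= 0:
                credits = min(size.max_credits, credits + delta)
            elif credits + delta >= 0:
                credits += delta
            else:
                credits = 0.0
                throttled += 1
    return credits, throttled


# The page's Standard_B8ms: 8 vCPUs, 135% baseline; cap assumed as 1944 (24h x 81).
B8MS = BSeriesSize("Standard_B8ms", 8, 135.0, 1944.0)
```

Running the page's workload for an hour banks 72 credits, which funds about ten minutes of an 800% burst before the VM is throttled back to baseline; sizing the bank against the expected burst length is the practical planning step.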

Available in:

  • US – West 2
  • US – East
  • Europe – West
  • Asia Pacific – Southeast

More Info.

Saving millions by fine-tuning Microsoft Azure usage

A guy called Rick, who works in Microsoft Core Services Engineering (formerly Microsoft IT), focuses on cloud adoption and cost optimisation and is one of many engineers who have been part of the very large transformation of reinventing Microsoft’s IT systems and creating new ways to solve problems. As they have migrated and rebuilt the bulk of their systems on cloud platforms, the focus has shifted: they have had to reinvent how to efficiently manage their cloud infrastructure, which equates to saving millions of dollars!

Now they have open-source versions of their “snooze” tooling, which allows people to turn servers off and on via native Azure Automation.

More Info.

Challenger Sales Methodology

The Challenger Sales Methodology is a common sales technique, devised by CEB Global, that many IT companies use.

Here are the highlights:

  • The buying experience is the biggest driver of customer loyalty
  • Your ability to offer unique and valuable perspectives on the customer’s market
    • Help customers navigate alternatives
    • Help customers avoid potential risks
    • Educate customers on new issues and outcomes
  • How you use the customer’s time, teaching and helping them through their complex buying process
  • Unlike other approaches, which seek to understand what customers are trying to solve and map products and solutions to customer needs, Challengers develop a perspective on a specific issue and teach their customers how to think differently about their own business
  • Rather than leading with products or solutions, a Challenger leads with where they see the customer has missed an opportunity or is losing money
  • Challengers create a case for change by discussing the true cost of the customer’s inaction
  • Only at the very end does the Challenger’s unique solution come into play
  • Challengers lead to, rather than lead with, solutions
  • Challengers build constructive tension, the productive force that makes their customer want to act
  • Challengers examine and redefine their customers’ beliefs and assumptions and challenge their traditional way of doing business

More Info.

Azure Management Libraries for .NET – v1.2

Microsoft has released v1.2 of the Azure Management Libraries for .NET. This release adds support for additional security and deployment features, and more Azure services:

  • Managed service identity
  • Create users in Azure Active Directory, update service principals and assign permissions to apps
  • Storage service encryption
  • Deploy Web apps and functions using MS Deploy
  • Network watcher service
  • Search service

You can find more info about .NET on Azure at More Info.

Web App for Containers and Azure App Service on Linux

Recently announced is the general availability of Azure App Service on Linux and Web App for Containers.

Azure App Service on Linux (Web App with built-in images)

The built-in image option running on Linux is an extension of the current Azure App Service offering, catering to developers who want to use FTP or Git to deploy .NET Core, Node, PHP or Ruby applications to Azure App Service running on Linux. This is a vanilla App Service scenario running on a Linux OS.

Web App for Containers

Web App for Containers is aimed more at developers who want control over not just the code but also the packages, runtime framework, tooling and so on that are installed in their containers. It lets developers focus on composing their containers without having to manage and maintain an underlying container orchestrator. The Web App for Containers feature is based on Docker containers.

Azure IoT Device Provisioning

In other Azure news, Microsoft this week announced a preview of its Azure IoT Hub Device Provisioning Service. It’s now available in Azure regions “East US, West Europe, and Southeast Asia.”

The service is designed to automate the provisioning of Internet of Things devices, avoiding the tedium of having to manually process them. With the Internet of Things, organizations may be tasked with putting connection credentials on each of millions of devices.

The devices should really have hardware security modules in place to store security keys. However, the provisioning service can still be used with devices lacking them. A Windows TPM [trusted platform module] simulator can be used instead.
