In-Depth

What Admins Need to Know About Azure

If you haven't looked at or used Microsoft Azure lately, you're missing out. See what it offers, and find out if it will benefit your business.

Microsoft's Azure cloud service is growing quickly; so fast, in fact, that if you haven't been keeping up with it on a regular basis, you'll be far behind after just a few months. That's why I'm here: I'll catch you up on the latest, to help you understand what Azure offers now, as well as provide business and IT context for why you might consider using particular services.

Note that this article will only cover what's new in Azure, and not the basics of what it offers. If you're not familiar with that, you'll need to get up to speed to make the most of this discussion.

Compute Services for Web Sites
If you're not in the business of running Web servers, but need a Web site, Azure Web site hosting is a great option. It's not just for .NET Framework sites, either; the service supports Java as well as MySQL backend databases. The key selling points for Azure over the multitude of other hosting providers out there are the global scale (permitting multiple copies of your site closer to your customers), the rich development environment (it supports almost all modern languages) and the breadth of the service as a true Web application platform.

There is a new tier to give you plenty of options for how you scale your sites, and you can now connect your Web sites to Infrastructure-as-a-Service (IaaS) virtual machines (VMs) you have running in your virtual network. Background services in the form of scripts can now manage your site using WebJobs, and security can be enhanced using the ModSecurity Web Application Firewall with both free and commercial rule sets.

Azure Search as a Service is a very interesting addition, essentially enabling search on a site (or through a mobile app) with very little coding required. It includes geospatial awareness, auto-complete and scoring profiles to control results. Protecting your Web site content is now easier with Backup and Restore, but the most exciting addition is probably Hybrid Connections.

Hybrid Connections isn't limited to Web sites, and can be used with other Azure services. This essentially makes it possible to host part of your application (the Web front end, for example) in Azure while keeping the back end database on-premises, for regulatory or compliance reasons. It's a secure point-to-point connection requiring no change to the name resolution, and it can transport any HTTP/HTTPS and TCP traffic. I can't emphasize enough how important this simple service could prove to be; it could be the killer app for helping enterprises move to a hybrid cloud model. 

Compute Services: Virtual Machines
As expected, running your own VMs in Azure is one of the biggest areas of interest for many businesses. In late September, the new "D" series of VMs was added, which offers up to 800 GB of local SSD storage. Note that this is only for temporary storage on the D: drive, and not persistent data (but that's likely coming soon). There are also two new big VM sizes -- A8 and A9 -- with faster processors, larger amounts of memory and 40 Gb/s RDMA NICs. There's also a new Basic tier of VMs, suitable for dev and test. It's not meant for much more than that, as it doesn't support load balancing and auto scaling.

Businesses that have adopted System Center Data Protection Manager (DPM) can now have instances of DPM running on Azure VMs, for backing up other VMs in your virtual network. Be aware that there are some limitations, since you don't have access to the underlying fabric. You'll also want to offload long-term archiving of backups to Azure storage instead of housing it on the DPM server(s); it's similar to using Azure storage as a backup destination for your on-premises backups from DPM or Windows Server Backup.

Perhaps the most interesting addition is the Microsoft Migration Accelerator (MA), through the acquisition of InMage in July. This enables easy migration of VMware, Hyper-V and Amazon Web Services (AWS) VMs to Azure. Most importantly, downtime is minimal, as data is written both to the running source VM as well as the new, offline VM until they're in sync and you're ready to swap over. Alternatively, if you're running System Center Virtual Machine Manager (SCVMM) you can use the rebranded Azure Site Recovery as a mechanism to migrate VMs to Azure.

The VM extensions were announced in April, but they've been expanded greatly since then. You can use them to monitor your VMs in Azure as well as protect them from malware (Symantec, Trend Micro and Microsoft solutions are currently available).

Those with an MSDN subscription can now spin up Windows client VMs in Azure for dev and test; but note that this isn't supported for Desktop-as-a-Service (DaaS) scenarios for end users.

Microsoft doesn't offer full desktops running in a cloud as a service, but does offer RemoteApp, which lets you access applications remotely running in a client VM in the cloud (see Figure 1). Most interesting is the ability for IT to prepare its own images with line-of-business (LOB) applications and host these in Azure, providing remote access to the apps on any device.

Figure 1. RemoteApp is an interesting option for cloud deployment of LOB (or in this case, Microsoft Office) applications that can be available on any device, anywhere.

Desired State Configuration (DSC) is the ability to use PowerShell to define a specific configuration for a system and then push that to one or more systems; recently this was expanded to include Azure.
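As an added example (not from the article), here is what defining a configuration and pushing it to several systems looks like in practice: a DSC configuration that enforces a small Web server baseline, compiled to MOF and pushed to two nodes. The node names are placeholders, and PowerShell remoting is assumed to already be enabled on them.

```powershell
# Added example: a DSC configuration enforcing a small hardening baseline,
# compiled to MOF and pushed to the named nodes. Node names are placeholders;
# WinRM/PowerShell remoting must already be enabled on them.
Configuration WebServerBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.NodeName {
        # Make sure IIS is present on every web node
        WindowsFeature IIS {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }

        # Keep the Windows Firewall service running and set to start automatically
        Service Firewall {
            Name        = 'MpsSvc'
            State       = 'Running'
            StartupType = 'Automatic'
        }

        # Remote Registry is not needed on a web node; keep it off
        Service RemoteRegistry {
            Name        = 'RemoteRegistry'
            State       = 'Stopped'
            StartupType = 'Disabled'
        }

        # Drop a marker file so you can see which baseline a node carries
        File BaselineMarker {
            DestinationPath = 'C:\Baseline\version.txt'
            Contents        = 'WebServerBaseline 1.0'
            Ensure          = 'Present'
            Type            = 'File'
        }
    }
}

# Configuration data: the nodes that receive this baseline (placeholder names)
$configData = @{
    AllNodes = @(
        @{ NodeName = 'WEB01' },
        @{ NodeName = 'WEB02' }
    )
}

# Compile to MOF files (one per node) under .\WebServerBaseline
WebServerBaseline -ConfigurationData $configData -OutputPath .\WebServerBaseline

# Push the configuration to the nodes and wait for the result
Start-DscConfiguration -Path .\WebServerBaseline -Wait -Verbose

# Later, check whether each node still matches the baseline (drift detection)
Test-DscConfiguration -CimSession (New-CimSession -ComputerName 'WEB01','WEB02')
```

Re-running Test-DscConfiguration on a schedule is a cheap way to spot configuration drift on the nodes, which is the same benefit the article describes for Azure-hosted systems.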

When it comes to public cloud, security is of course critical. Microsoft understands that, and provides at least two (Cloudlink and Trend Micro) services that can encrypt your Azure VMs with the keys stored outside of Azure.

Azure for Disaster Recovery
Azure Site Recovery (ASR) was mentioned earlier as a mechanism for migrating on-premises VMs to the cloud. But it's much more than that: in previous incarnations, the Azure service was just a management point for the replication of your VMs from one private datacenter to another. The new service lets Azure function as your DR site. This is very powerful technology, although it comes with one major caveat: SCVMM is still required, so you can't simply replicate a VM with Hyper-V Replica. Hopefully this ability will be added in the near future.

Virtual Networks
IaaS VMs depend on network connectivity, and there have been some major updates in this area of Azure. Originally, you could only have a single VPN connection from on-premises to a Virtual Network (VNet) in Azure; now you can have several for redundancy. In the past, each VNet was isolated, so if you had different setups of VMs in different regions (say in the United States and Europe), the VMs could only communicate through the on-premises networks. It's now possible to link VNets together between regions. Previously, VNets, shown in Figure 2, were also limited to a single Affinity group within a datacenter; now they're scoped to an entire region.

Another virtual networking upgrade allows you to reserve your external IP address for VMs and cloud services, which should make DNS and configuration of your on-premises firewall a bit easier. Another interesting recent feature is the Internal Load Balancer (ILB), which provides enhanced security by allowing you to host LOB applications on VMs in Azure in a highly available manner without exposing them directly.

Figure 2. Just as you wouldn't set up a branch office without making sure the wiring and switches were in place, you should set up your virtual networks before creating VMs.

ExpressRoute, the ability to set up a direct (WAN) connection from your on-premises datacenter to Azure, has now expanded to different regions through partnership with more providers; here's a good overview comparing Site-to-Site VPN with ExpressRoute.

Traffic Manager is an Azure service that can direct traffic to different IaaS VMs, Platform-as-a-Service (PaaS) Cloud Services or Web sites, depending on load or geographical distance. It can now manage endpoints external to Azure, such as on-premises servers or endpoints in other public clouds, and you can assign weights to different entries for more fine-grained control. If you want to be able to trace traffic from your PaaS or IaaS VMs, you can add reverse DNS records.

Azure Storage
Azure storage is used by many different services; building complex applications on top of these services can make it hard to pinpoint issues, especially since public cloud, by its very nature, hides a lot of the underlying fabric from you. Storage performance can be especially tricky, so you might want to check out this Microsoft guide, with step-by-step instructions for monitoring, diagnosing and troubleshooting. It's worth noting that the size of single BLOB storage has been increased from 200 to 500 TB.

A useful addition to storage is the introduction of Azure Files; it's essentially a file share hosted by Azure that you can access from VMs and cloud services. Related to that, Azure Backup retention ranges have been significantly increased.

Redis Cache
Redis is an open source cache and data store. Microsoft maintains an open source port for Windows Server, and has made it available in Azure, calling it Azure Redis Cache. Microsoft states in its documentation that "Redis Cache helps your application become more responsive even as user load increases and leverages the low latency, high-throughput capabilities of the Redis engine. This separate cache layer allows your data tier to scale independently for more efficient use of compute resources in your application layer."

Automation
The true value of using public cloud becomes apparent when you can automate tasks using scripts and runbooks, as well as global assets. That automation now makes authentication easier if you're using Azure Active Directory, because you can call Service Management Automation (SMA) from Windows PowerShell.

Related to this are Azure Resource Groups and the Azure Resource Manager, which act as containers for several different parts of an Azure service. They can include Web sites, VMs and cloud services that can be deployed and managed as a single unit. An example is a highly available SharePoint 2013 farm with Active Directory and the SQL back-end that can be deployed with a few clicks in a wizard in the new portal (more on this in a bit). There's also new support in Visual Studio for creating these deployment templates.

SQL in Azure
Microsoft SQL Server 2012 introduced Always On for highly available database services; it was further enhanced in SQL Server 2014. Templates for Azure were recently released that let you easily build an Always On SQL setup in Azure IaaS. Another popular approach is having your active database on-premises with an Availability Group copy running in Azure for disaster recovery.

If you just want database as a service, it became more attractive with the addition of easy auditing of database activity. For an example of the advantages offered by Azure, note that the Premium tier of database services now offers up to four geo-distributed secondary copies of your databases, along with Geo restore and automatic point-in-time backups of your databases (consider the on-premises infrastructure required for similar functionality).

Azure Active Directory
Azure Active Directory (Azure AD), seen in Figure 3, is another crucial (and free) service for IT pros to explore and use. Identity management in today's world of devices and cloud services is possibly the most important skill you can invest in.

You can use directory synchronization or its more capable replacement, Azure Active Directory Synchronization Services (Azure AD Sync), in combination with Active Directory Federation Services, to replicate your on-premises user accounts to Azure. Once there, they can be used to grant access to your in-house Web-based applications and Microsoft SaaS applications such as Office 365, Intune and others. More importantly, it can be used to enable single sign-on (SSO) to third-party cloud applications such as Salesforce, Box, DropBox and so on. Back in May the list of enabled applications was about 1,200; by late fall, the list had grown to more than 2,400 applications.

Figure 3. Built-in reports alone are worth the admission price of Azure Active Directory.

But how do you know which SaaS applications your users are actually using? Numerous sources confirm that IT departments regularly underestimate "shadow IT" cloud usage. A free service from Microsoft called Cloud App Discovery comes with a small agent to install on each PC in your network; as it gathers data, you can run reports to target extensively used applications and bring them under management.

Using this Azure AD function lets you not only provide SSO to many cloud services, but also provision and deprovision accounts automatically. So when Jane leaves the company, you only need to disable her account in Active Directory on-premises (as you do today -- right?); that change is replicated to Azure AD and her access is revoked to all cloud apps for which she'd been authorized. It can also provide access to corporate Twitter and other social media accounts without the users knowing the password.

The premium version of Azure AD offers group management; self-service password reset and self-service group management; multifactor authentication; Forefront Identity Manager licenses and more. There's also a new Basic Azure AD tier that includes features like group-based access management; self-service password reset for cloud applications; a customizable environment for launching enterprise and consumer cloud applications, and an enterprise-level SLA of 99.9 percent uptime.

Docker
Just when IT pros thought they'd gotten server virtualization down pat, another new technology crops up. Containers, the most famous of which is Docker, encapsulate applications so they can be deployed on any available server, virtualizing the application rather than the application and OS. Microsoft has announced its own forthcoming container technology, but for now Azure fully supports using Docker on Linux VMs.

Media Services
This platform service for encoding, storing and streaming video from the cloud got its trial by fire during the Sochi Olympics, where video footage was encoded and served to millions of viewers (in the United States) in real time. Encryption for content protection is now built in, live streaming is in preview, and Dynamic Adaptive Streaming over HTTP (DASH) -- an emerging standard for video streaming with virtually every major video provider behind it -- is also in preview. The service used to charge for input and output of media; now only output data is charged for.

Mobile Services
Building the back-end application and services for mobile apps (Android, iOS, Windows Phone and others) is now easier in Azure with offline support for Android, as well as SSO in the .NET Framework back-end.

HDInsight: Hadoop on Azure
If your business has any kind of large datasets you want to analyze, using Hadoop for managing that data is the answer. And unless you happen to have a lot of spare servers, enlisting the public cloud to help you is the best way to go. In June, the HDInsight service transitioned to Hadoop 2.4, which can deliver up to 100 times better query response times than the earlier version. Apache HBase, a NoSQL distributed database, is now also fully implemented as part of the service.

The New Azure Management Portal
When it first appeared, the alternative Web-based GUI for Azure was more primitive, and only a few services were available. This has improved considerably, as you can see in Figure 4, with many more services now visible. But the best thing about the new Azure Management Portal is the customization: You can adjust it so that it shows exactly the information you care about most.

Figure 4. Customizable, dynamic and adaptive, the improved Azure Management Portal is a great way to explore new features.

The new portal also addresses possibly the single biggest missing feature of Azure when it comes to enterprise adoption: Role Based Access Control (RBAC). That gap is now closed, as RBAC is available in the new portal.

Get Ahead of the Curve
There's no doubt that Microsoft is taking advantage of its entrenchment in enterprise datacenters to offer a unique roadmap where businesses can pick and choose what services to start moving to the cloud on their own terms. This is something that VMware Inc., AWS Inc. and Google Inc. can't offer. But you can't take advantage if you haven't joined the club. Get a trial account to Azure if you haven't already, or make sure to use your MSDN credits and discounts if you have a subscription. Learn what it can do -- and start using it. Azure is getting better all the time, and will undoubtedly continue to progress. You don't want to fall any further behind the curve.

About the Author

Paul Schnackenburg has been working in IT for nearly 30 years and has been teaching for over 20 years. He runs Expert IT Solutions, an IT consultancy in Australia. Paul focuses on cloud technologies such as Azure and Microsoft 365 and how to secure IT, whether in the cloud or on-premises. He's a frequent speaker at conferences and writes for several sites, including virtualizationreview.com. Find him at @paulschnack on Twitter or on his blog at TellITasITis.com.au.
