How to – Secure an Application Service with Application Gateway v2

Application Gateway conceptual

Application Gateway v2 brings several welcome additions to the service since its initial v1 release. For those who have spent time configuring an Application Gateway, you’ll be glad to hear that update/modification times have been drastically reduced. Better performance and additional functionality are the other main reasons to use v2 over v1. The entire list can be found here.

Recently, I had to secure an Application Service with an Application Gateway v2 on the WAF (web application firewall) tier. This is something I have done several times with v1 without any significant issue. In this instance the Application Service runs on a custom domain as does the Application Gateway. Requirements were to run SSL end to end and have WAF run in prevention mode.

If you’ve ever done this before, you know there are some basics to be completed within your Application Service. For this post and my requirement, they were: map a custom domain, run HTTPS only, and prepare rules to allow connections only from your Application Gateway. How to do all of that can be found at the following links:

Once your Application Service is ready to go, you move on to configuring your Application Gateway. This is a relatively simple process and can even be completed within the Portal. There is a published guide here. However, once it was configured, I noticed that certain redirects within the application were returning the default host name of the Application Service. This can also happen if you use Azure AD authentication. With WAF in prevention mode, this returns a 403, because a default rule picks up the change in address.

The reason for this is how both Application Gateway and Application Service handle their host headers. To fix this issue, there are two changes you can make, one of which is only possible on Application Gateway v2.

The v2-only fix is to rewrite the host name in the redirect (Location) header using rewrite rules. Rewrite rules are new functionality only included in v2. A guide on exactly what you need to do is here. Make sure the text is exactly as in the guide or it will not work.

The second option, and the more common one, is to change how your custom probe and HTTP settings are configured. The reason for this is that the default guide does not take into account the use of a custom domain on your Application Service. For both settings, modify and clear the “PickHostNameFromBackendAddress” setting. The Application Gateway will then forward the same host name, and redirects will happen on the same host too. Full guide here.
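To make the two fixes above concrete, here is an added example (not code from the original post or from Microsoft). It models a cut-down, ARM-template-style “properties” block of an Application Gateway v2 in two variants, the default-guide configuration beside the corrected one, and audits them for the settings that let the App Service default host name leak into the Host header. It also replays the documented Location-header rewrite on a sample redirect. The custom domain “app.contoso.example”, the resource names and the sample redirect URL are all constructed.

```python
import re
from typing import Dict, List

# Constructed values: stand-in custom domain and cut-down gateway properties.
CUSTOM_DOMAIN = "app.contoso.example"

# The "default guide" configuration: the gateway takes the Host header from
# the backend address, i.e. the App Service's default *.azurewebsites.net name.
WEAK_GATEWAY = {
    "backendHttpSettingsCollection": [
        {"name": "https-settings", "properties": {
            "port": 443, "protocol": "Https",
            "pickHostNameFromBackendAddress": True}},
    ],
    "probes": [
        {"name": "https-probe", "properties": {
            "protocol": "Https", "path": "/",
            "pickHostNameFromBackendHttpSettings": True}},
    ],
}

# The fix described above: clear the "pick host name from ..." options and
# send the custom domain explicitly, so redirects come back on the same host.
HARDENED_GATEWAY = {
    "backendHttpSettingsCollection": [
        {"name": "https-settings", "properties": {
            "port": 443, "protocol": "Https",
            "pickHostNameFromBackendAddress": False,
            "hostName": CUSTOM_DOMAIN}},
    ],
    "probes": [
        {"name": "https-probe", "properties": {
            "protocol": "Https", "path": "/",
            "pickHostNameFromBackendHttpSettings": False,
            "host": CUSTOM_DOMAIN}},
    ],
}


def find_host_header_issues(gateway: Dict, custom_domain: str) -> List[str]:
    """Report every HTTP setting or probe that would send the backend's
    default host name to the App Service instead of custom_domain."""
    findings = []
    settings = gateway.get("backendHttpSettingsCollection", [])
    settings_pick_backend = False
    for s in settings:
        p = s["properties"]
        if p.get("pickHostNameFromBackendAddress"):
            settings_pick_backend = True
            findings.append(f"httpSettings {s['name']}: clear "
                            "pickHostNameFromBackendAddress and set hostName")
        elif p.get("hostName") != custom_domain:
            findings.append(f"httpSettings {s['name']}: hostName is "
                            f"{p.get('hostName')!r}, expected {custom_domain!r}")
    for pr in gateway.get("probes", []):
        p = pr["properties"]
        if p.get("pickHostNameFromBackendHttpSettings"):
            # Inheriting from the HTTP settings is only a problem when those
            # settings themselves take the host name from the backend address.
            if settings_pick_backend:
                findings.append(f"probe {pr['name']}: inherits the backend "
                                "address host name via the HTTP settings")
        elif p.get("host") != custom_domain:
            findings.append(f"probe {pr['name']}: host is {p.get('host')!r}, "
                            f"expected {custom_domain!r}")
    return findings


# The v2-only alternative: a response-header rewrite rule. The pattern mirrors
# the documented App Service redirect example; its two capture groups are what
# the gateway exposes as {http_resp_Location_1} and {http_resp_Location_2}.
LOCATION_PATTERN = re.compile(r"(https?)://.*azurewebsites\.net(.*)$")


def rewrite_location(location: str, custom_domain: str) -> str:
    """Return the Location header the gateway would emit after the rule."""
    m = LOCATION_PATTERN.match(location)
    if m is None:  # condition not met: the header passes through unchanged
        return location
    return f"{m.group(1)}://{custom_domain}{m.group(2)}"


if __name__ == "__main__":
    for label, gw in (("weak", WEAK_GATEWAY), ("hardened", HARDENED_GATEWAY)):
        print(label, find_host_header_issues(gw, CUSTOM_DOMAIN) or "no issues")
    print(rewrite_location(
        "https://contoso-app.azurewebsites.net/.auth/login/aad/callback",
        CUSTOM_DOMAIN))
```

Running it lists two findings for the weak configuration and none for the hardened one, and shows the Azure AD callback redirect being rewritten onto the custom domain, which is exactly the case that otherwise trips the WAF 403 described above. The same audit can be pointed at an exported template of a real gateway before it goes live.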

As always, if there are any questions on the above, get in touch!

AZ-301: Microsoft Azure Architect Design – Study Guide

Now that AZ-302 has officially been retired, there is only one route to earn your Microsoft Certified: Azure Solutions Architect Expert certification. That route is to sit and pass both the AZ-300 and the AZ-301 exams. Currently this is arguably the most difficult certification path, as it is one of only two Expert level certifications for Azure. This post covers AZ-301; here is what Microsoft has to say about it:

This exam measures your ability to accomplish the following technical tasks: determine workload requirements; design for identity and security; design a data platform solution; design a business continuity strategy; design for deployment, migration, and integration; and design an infrastructure strategy.

Below I’ve put together a collection of links relevant to the sections highlighted as being part of the skills measured for this exam. As always, these are only guide links; sometimes you need to explore a topic much more deeply if you are not familiar with it. Hopefully these study materials will help guide you to successfully passing AZ-301!

If you spot something, or have a better link for a topic, get in touch! I will update this post as regularly as possible and always appreciate any feedback.

A good place to start is Microsoft Learn. There are several free, interactive learning paths that you can work through at your own pace. I find this a great way to study and gain a greater understanding of the services by actually using them.

Determine workload requirements

Gather Information and Requirements

This section requires broad knowledge of the platform and general IT architecture experience. My recommendation would be to familiarise yourself with the Azure Architecture Center.

Optimize Consumption Strategy

Design an Auditing and Monitoring Strategy

Design for identity and security

Design Identity Management

Design Authentication

Design Authorization

Design for Risk Prevention for Identity

Design a Monitoring Strategy for Identity and Security

Design a data platform solution

Design a Data Management Strategy

Design a Data Protection Strategy

Design and Document Data Flows

Design a Monitoring Strategy for the Data Platform

Design a business continuity strategy

Design a Site Recovery Strategy

Design for High Availability

Design a Data Archiving Strategy

Design for deployment, migration, and integration

Design Deployments

Design Migrations

Design an API Integration Strategy

Design an infrastructure strategy

Design a Storage Strategy

Design a Compute Strategy

Design a Networking Strategy

Design a Monitoring Strategy for Infrastructure

AZ-300: Microsoft Azure Architect Technologies – Study Guide

Now that AZ-302 has officially been retired, there is only one route to earn your Microsoft Certified: Azure Solutions Architect Expert certification. That route is to sit and pass both the AZ-300 and the AZ-301 exams. Currently this is arguably the most difficult certification path, as it is one of only two Expert level certifications for Azure. This post covers AZ-300; here is what Microsoft has to say about it:

This exam measures your ability to accomplish the following technical tasks: deploy and configure infrastructure; implement workloads and security; create and deploy apps; implement authentication and secure data; and develop for the cloud and Azure storage.

Below I’ve put together a collection of links relevant to the sections highlighted as being part of the skills measured for this exam. As always, these are only guide links; sometimes you need to explore a topic much more deeply if you are not familiar with it. Hopefully these study materials will help guide you to successfully passing AZ-300!

If you spot something, or have a better link for a topic, get in touch! I will update this post as regularly as possible and always appreciate any feedback.

A good place to start is Microsoft Learn. There are several free, interactive learning paths that you can work through at your own pace. I find this a great way to study and gain a greater understanding of the services by actually using them.

Deploy and configure infrastructure

Analyze resource utilization and consumption

Create and configure storage accounts

Create and configure a Virtual Machine (VM) for Windows and Linux

Automate deployment of Virtual Machines (VMs)

Implement solutions that use virtual machines (VM)

Create connectivity between virtual networks

Implement and manage virtual networking

Manage Azure Active Directory (AD)

Implement and manage hybrid identities

Implement workloads and security

Migrate servers to Azure

Configure serverless computing

Implement application load balancing

Integrate on-premises network with Azure virtual network

Manage role-based access control (RBAC)

Implement Multi-Factor Authentication (MFA)

Create and deploy apps

Create web apps by using PaaS

Design and develop apps that run in containers

Implement authentication and secure data

Implement authentication

Implement secure data solutions

Develop for the cloud and for Azure storage

Develop solutions that use Cosmos DB storage

Develop solutions that use a relational database

Configure a message-based integration architecture

Develop for autoscaling

How to – Implement Good Design Using Azure Architecture Center

Cloud platforms like Azure make designing solutions as efficient as possible. Whether it’s a serverless application or a chunky virtual datacenter, you can get up and running in no time. This, however, has both positives and negatives; the negative is often that this level of pace leads to bad design decisions.

Bad design doesn’t always happen due to pace either. Sometimes it is as simple as a solution evolving from proof-of-concept directly to production. We have all seen it happen! This means the correct resiliency, governance and performance criteria are often missed.

To avoid both of the above scenarios, my advice is to shift your thinking when it comes to Azure projects/solutions. Be prepared to spend 80% of your time on design. Delivery, as already said, can be lightning quick; there are few barriers to an efficiently delivered solution if it is designed correctly.

Thankfully, Microsoft offer an entire site worth of content to help with all of this. The Architecture Center is your first stop for all things design within Azure. Here you will find application architecture guides, cloud adoption frameworks and reference architectures for all of the common scenarios seen in Azure.

I am going to briefly look at three sections that can help with all of your deployments:

Best Practices – Naming Convention

This section covers exactly what you would expect. However, naming conventions are not as easily implemented in Azure as you might expect. One key point: you cannot rename resources. Therefore, get your naming convention agreed upon and stick to it! https://docs.microsoft.com/en-us/azure/architecture/best-practices/naming-conventions

Application Architecture – Choosing Compute

Did you know there are three tiers of compute in Azure?

  1. IaaS – traditional VMs
  2. PaaS – managed hosting
  3. FaaS – ignore hosting, just code

Offering an excellent decision tree, it lets you quickly understand which option could be the right fit for your solution, then explore it in more depth.

https://docs.microsoft.com/en-us/azure/architecture/guide/technology-choices/compute-overview

Reference Architecture – Serverless Web App

One of my favourite sections, covering multiple scenarios. Each offers best-practice design and decision points regarding availability, security and scalability. Some cases also offer reference implementations on GitHub, meaning you can deploy right away.

https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/serverless/web-app

So what are you waiting for? Head to the Architecture Center and start designing your next deployment with more confidence right now!

What is Azure B-Series Compute?


Back in 2017, Microsoft announced the introduction of B-Series compute. Since then, the service offering hasn’t changed a huge amount but it is one of the most consistently misunderstood VM SKUs available.

Part of this is how they are displayed on the portal. Classed alongside the D series as “General purpose” but with a much more attractive price point, the B-Series appears to be a winner for all your workloads.

B and D series in VM size selector

Comparing a B2ms and a D2s_v3, there is a clear saving per month regardless of your consumption offer. You can see they have the same amount of vCPU and RAM, which is the most common deciding factor when sizing a VM. However, the B-Series has some unique features.

The B-series VMs are designed to offer “burstable” performance. They leverage flexible CPU usage, suitable for workloads that will run for a long time using as small a fraction of the CPU performance as possible and then spike to needing the full performance of the CPU due to incoming traffic or required work.

There are currently 10 different SKUs available, although not yet in all regions. I’ve listed the current specs below:

Size            | vCPU | Memory (GiB) | Temp storage (SSD) GiB | Base CPU perf of VM | Max CPU perf of VM | Initial credits | Credits banked / hour | Max banked credits
Standard_B1ls   | 1    | 0.5          | 4                      | 5%                  | 100%               | 30              | 3                     | 72
Standard_B1s    | 1    | 1            | 4                      | 10%                 | 100%               | 30              | 6                     | 144
Standard_B1ms   | 1    | 2            | 4                      | 20%                 | 100%               | 30              | 12                    | 288
Standard_B2s    | 2    | 4            | 8                      | 40%                 | 200%               | 60              | 24                    | 576
Standard_B2ms   | 2    | 8            | 16                     | 60%                 | 200%               | 60              | 36                    | 864
Standard_B4ms   | 4    | 16           | 32                     | 90%                 | 400%               | 120             | 54                    | 1296
Standard_B8ms   | 8    | 32           | 64                     | 135%                | 800%               | 240             | 81                    | 1944
Standard_B12ms  | 12   | 48           | 96                     | 202%                | 1200%              | 360             | 121                   | 2909
Standard_B16ms  | 16   | 64           | 128                    | 270%                | 1600%              | 480             | 162                   | 3888
Standard_B20ms  | 20   | 80           | 160                    | 337%                | 2000%              | 600             | 203                   | 4860

So the ability to burst sounds great for certain workloads; however, it obviously isn’t unlimited. While a B-Series VM is running at its low points and not fully using the baseline performance of the CPU, the VM instance builds up credits. When the VM has accumulated enough credit, you can burst your usage, up to 100% of the vCPU, for the period of time when your application requires the higher CPU performance.

Here is a great example from Microsoft Docs of how credits are accumulated and spent.

“I deploy a VM using the B1ms size for my application. This size allows my application to use up to 20% of a vCPU as my baseline, which is 0.2 credits per minute I can use or bank.

My application is busy at the beginning and end of my employees’ work day, between 7:00-9:00 AM and 4:00-6:00 PM. During the other 20 hours of the day, my application is typically at idle, only using 10% of the vCPU. For the non-peak hours I earn 0.2 credits per minute but only consume 0.1 credits per minute, so my VM will bank 0.1 x 60 = 6 credits per hour. For the 20 hours that I am off-peak, I will bank 120 credits.

During peak hours my application averages 60% vCPU utilization. I still earn 0.2 credits per minute but I consume 0.6 credits per minute, for a net cost of 0.4 credits a minute or 0.4 x 60 = 24 credits per hour. I have 4 hours per day of peak usage, so it costs 4 x 24 = 96 credits for my peak usage.

If I take the 120 credits I earned off-peak and subtract the 96 credits I used for my peak times, I bank an additional 24 credits per day that I can use for other bursts of activity.”

So, there was quite a bit of maths there; what are the important points?

  • Baseline vCPU performance – This dictates your earn/spend threshold: if current vCPU usage is under the baseline, you’re increasing your credits; if it’s over, you’re decreasing them; if it’s the same, you earn and spend credits at an equal rate with no change to the credit balance.
  • Peak utilisation consumption – If your peak usage does not leave you banking credits overall, you will eventually end up in a situation where you cannot burst, so you might need to size up your VM.
  • Automation – Doesn’t work here; you only earn credits while the VM is allocated. Re-allocating your VM will cause you to lose your banked credits and start again from the starting allocation.
  • Starter credit – You are allocated a starting credit of 30 x the number of cores.
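To check the arithmetic in the Microsoft Docs example and the bullet points above, here is an added credit-ledger simulation (my own example, not code from the post or from Microsoft). It runs the ledger minute by minute for a schedule of (hours, CPU %) segments, enforces the maximum banked credits from the table, and counts the minutes in which the bank is empty. It takes three SKU rows from the table above; the assumption that a VM with no credit left is simply held at baseline for that minute is a simplification of mine.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BSeriesSku:
    name: str
    vcpus: int
    baseline_pct: int    # base CPU perf of the VM, in % of one vCPU (200% = two full vCPUs)
    initial_credits: int
    max_banked: int      # ceiling on the credit balance


# Three rows copied from the table above; the other seven have the same shape.
SKUS = {
    "Standard_B1ms": BSeriesSku("Standard_B1ms", 1, 20, 30, 288),
    "Standard_B2s": BSeriesSku("Standard_B2s", 2, 40, 60, 576),
    "Standard_B2ms": BSeriesSku("Standard_B2ms", 2, 60, 60, 864),
}


def credits_per_hour(sku: BSeriesSku) -> int:
    """One credit is one vCPU at 100% for one minute, so the hourly banking
    rate is the baseline fraction times 60 (B2s: 0.40 * 60 = 24)."""
    return sku.baseline_pct * 60 // 100


def simulate(sku: BSeriesSku, schedule: List[Tuple[int, int]],
             start_credits: Optional[int] = None) -> Tuple[float, int]:
    """Run the credit ledger minute by minute.

    schedule: (hours, vm_cpu_pct) segments, with cpu_pct in the same units as
    baseline_pct. Returns (final balance, minutes in which the bank was empty
    and the VM was held at baseline). The balance is tracked in hundredths of
    a credit so that every step is exact integer arithmetic.
    """
    balance = (sku.initial_credits if start_credits is None else start_credits) * 100
    cap = sku.max_banked * 100
    throttled = 0
    for hours, cpu_pct in schedule:
        for _ in range(hours * 60):
            net = sku.baseline_pct - cpu_pct          # earned minus spent this minute
            if net >= 0:
                balance = min(cap, balance + net)     # under baseline: bank, up to the ceiling
            elif balance + net >= 0:
                balance += net                        # over baseline: spend banked credit
            else:
                balance = 0                           # bank empty: no burst this minute (assumed model)
                throttled += 1
    return balance / 100, throttled


if __name__ == "__main__":
    # The Docs example: B1ms, busy 07:00-09:00 and 16:00-18:00 at 60%,
    # idle at 10% for the other 20 hours, starting from the 30 initial credits.
    day = [(7, 10), (2, 60), (7, 10), (2, 60), (6, 10)]
    print(simulate(SKUS["Standard_B1ms"], day))        # (54.0, 0): 30 + 24 net per day
    print(simulate(SKUS["Standard_B1ms"], [(2, 60)]))  # bank runs dry after 75 minutes
```

The first run reproduces the 24 credits per day banked in the example. The second shows the failure mode from the “Peak utilisation consumption” bullet: a fresh B1ms asked for 60% straight away exhausts its 30 starting credits after 75 minutes and spends the remaining 45 minutes capped at baseline, which is the situation the Credit metrics in Azure Monitor are there to warn you about.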

You can monitor your credit spend and usage via Azure Monitor using the specific Credit metrics. This allows you to fire metric alerts for your VM, which is very handy if you want to make sure you’re not consistently pushing performance by mistake and therefore burning credits accidentally.

B-series compute, once understood correctly, is a great option to maximise cost efficiency in your environment. Once you’ve mastered the different approach required, you can make significant savings with relatively little effort.

There is a Q&A on some common topics here.