Azure Networking BCDR – Azure Back to School 2023

Introduction

We are now several days into another year of Azure Back to School, I hope you’ve enjoyed the content so far as much as I have, and thanks again to the team for organising and having me back for another year, I can’t wait for the rest of the month. Check it all out over at – https://azurebacktoschool.github.io/

This year, I’m going to take a look at some of the challenges that BCDR (Business Continuity and Disaster Recovery) can pose to Azure Networking. This is something I have seen pop up quite a lot recently, as companies move to solidify their footprint, close gaps, and make use of all Azure has to offer to “keep the lights on”.

High-Level Architecture

As with many of my articles like this, it is important to call out the scope of the discussion. Azure is a vast platform, and I will be the first to say that every environment is unique. As such, this doesn’t aim to be an exhaustive, several-thousand-word piece covering every scenario. For the sake of discussion, it will focus on these core network services – Virtual Network, Virtual Network Gateway, Azure Firewall, Network Security Group, Route Table, and Public IP.

Core BCDR Components

In a similar introductory fashion, it is also important to highlight the Azure BCDR concepts that are relevant to the discussion. Essentially, an understanding of what an Azure region is and what Availability Zones are will cover you here.

Network Architecture and Outage Scenario

OK, so let’s look at a typical production network setup in Azure. Heading over to the Azure Architecture Center, we can find some excellent materials and guides, however, we’re going to focus on this one – Hub-Spoke

Azure Hub-Spoke architecture diagram

As you can see, the diagram visually includes several of the services I have mentioned. Some secondary ones, like Public IP addresses, are not shown explicitly, but we all know that Bastion, Firewall and VPN Gateway each require one.

Network Services Alignment

So let’s look at where these services align to core Azure BCDR requirements. One thing to note here is that Azure divides its services up into different categories based on their regional availability by design:

  • Foundational – Available in all recommended and alternate regions when a region is generally available, or within 90 days of a new foundational service becoming generally available.
  • Mainstream – Available in all recommended regions within 90 days of a region’s general availability. Mainstream services are demand-driven in alternate regions, and many are already deployed into a large subset of alternate regions.
  • Strategic – Targeted service offerings, often industry-focused or backed by customized hardware. Strategic services are demand-driven for availability across regions, and many are already deployed into a large subset of recommended regions

It also then divides how Azure services support Availability Zones:

  • Zonal – A resource can be deployed to a specific, self-selected availability zone to achieve more stringent latency or performance requirements. Resiliency is self-architected by replicating applications and data to one or more zones within the region. Resources are aligned to a selected zone.
  • Zone-Redundant – Resources are replicated or distributed across zones automatically. Think ZRS Storage Account as an example.
  • Always-Available – Always available across all Azure geographies and are resilient to zone-wide outages and region-wide outages.

Finally, before we get to our specific services, remember that not all Azure regions are equal. Some have all services, some don’t. Some support Availability Zones, some don’t. Make sure you are confirming your requirements against your proposed region – every time – as updates happen quickly!

Ok, so onto our specific network services and how they align:

  • Virtual Network – Foundational & Zone-Redundant
  • Virtual Network Gateway – Foundational & Zone-Redundant*
  • Azure Firewall – Mainstream & Zonal & Zone-Redundant*
  • Network Security Group – Foundational & Zone-Redundant
  • Route Table – Foundational & Zone-Redundant
  • Public IP – Foundational & Zonal & Zone-Redundant*

*SKU dependent, not all SKUs have the same feature set.

The first thing to notice is that all of these networking services have really strong in-region coverage for BCDR. However, not one of them is region-redundant: they are all regional resources. That means regardless of our in-region, zonal design, a regional outage is not covered, and depending on your requirements you may need additional deployment and configuration in a second region.

Let’s look within a single region first, using our same example deployment architecture. Within a fully supported region (remember, always check!) such as North Europe, we can deploy the entire architecture to be zone-redundant. This means that should an entire zone be lost, our network services stay active, and it is what the higher Azure SLAs are tied to: Azure Firewall, for example, carries a 99.99% SLA when deployed across two or more Availability Zones, versus 99.95% otherwise. Obviously this requires some small tweaks during deployment to achieve (the zone-capable SKU, and the zones set at creation time), and a slight uptick in cost due to those SKU requirements, but this is honestly an excellent baseline to work from.

Challenges

One challenge here: I am not aware of a service that allows you to modify zonal deployment/configuration after deployment. You must do it at deployment time. This means if you’re approaching an existing environment with this in mind, you might have quite a few maintenance windows, rebuilds, etc. Bicep is your friend here for testing and deployment.

Obviously we then have the regional challenge. And by challenge, I ultimately mean: if you need your services should a region go down, how do you deal with that in advance? When it comes to networking in Azure, there is no replication service or tick box to make it multi-region. Why not, you ask? That’s for a different post, but let’s look at what is needed.

Generally you would deploy several elements ahead of time when it comes to networking, as per our example design. You could in fact deploy the whole thing, if you have the budget for Azure Firewall in both regions. The secondary network is then viewed as a hot secondary, allowing you to run individual workloads there permanently, or as part of testing. Deploying these elements ahead of time greatly reduces your RTO, and if you have VMs, you will definitely need at least the Virtual Network in place as a target for Azure Site Recovery. Again, Bicep can really help here, but ultimately I would recommend having everything within budget deployed ahead of time. Small items catch you out with BCDR, such as a Public IP that sits on a vendor’s allow-list: Azure only allocates the actual addresses when the resource is created (or when a Public IP Prefix is created, if you are using prefixes – and if you’re not, why not!?), so get them deployed and added to your vendors’ allow-lists ahead of time. Similarly, you can plan and runbook the configuration changes required, based on your existing configuration.
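To make those “small tweaks” concrete, here is the hub footprint from the diagram written as a Bicep template. This is an added example, not code from the original post or from the Architecture Center: the resource names, address ranges and API versions are assumptions. Every zone-capable resource is pinned to all three zones at creation, the firewall’s address is taken from a Public IP Prefix so the range is known (and can be on vendors’ allow-lists) before anything sits behind it, and the `location` parameter is the only thing that changes between the primary deployment and the prebuilt secondary.

```bicep
// Added example (not from the original post): a hub footprint with every
// network service pinned to all three zones. Names, address ranges and API
// versions are assumptions. Deploy the same file once per region by changing
// the `location` parameter, e.g. northeurope for the primary and westeurope
// for the hot secondary.
targetScope = 'resourceGroup'

@description('Region to deploy into; the only value that differs between primary and secondary footprints')
param location string = resourceGroup().location

@description('Zones to spread across. This must be chosen at creation; it cannot be changed afterwards.')
param zones array = ['1', '2', '3']

param hubAddressSpace string = '10.0.0.0/22'
param firewallSubnetPrefix string = '10.0.0.0/26'

// Reserve a contiguous public range up front. The range is known as soon as
// the prefix exists, so it can be added to third-party allow-lists long
// before the secondary region is ever needed.
resource pipPrefix 'Microsoft.Network/publicIPPrefixes@2023-05-01' = {
  name: 'pipp-hub-${location}'
  location: location
  sku: { name: 'Standard', tier: 'Regional' }
  zones: zones
  properties: {
    prefixLength: 29            // 8 addresses: firewall, gateway, bastion, spare
    publicIPAddressVersion: 'IPv4'
  }
}

// Standard SKU is required for zone redundancy; Basic cannot be placed in zones.
resource fwPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-afw-hub-${location}'
  location: location
  sku: { name: 'Standard', tier: 'Regional' }
  zones: zones
  properties: {
    publicIPAllocationMethod: 'Static'
    publicIPAddressVersion: 'IPv4'
    publicIPPrefix: { id: pipPrefix.id }   // carve this address out of the prefix
  }
}

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub-${location}'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [hubAddressSpace] }
    subnets: [
      {
        name: 'AzureFirewallSubnet'        // fixed name required by Azure Firewall
        properties: { addressPrefix: firewallSubnetPrefix }
      }
    ]
  }
}

// Firewall Policy is a regional resource too, so there is no replicating the
// rule set from the primary; each footprint gets its own policy deployed
// from the same source of truth.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'afwp-hub-${location}'
  location: location
  properties: { sku: { tier: 'Standard' } }
}

// Standard or Premium tier with `zones` set gives the zone-redundant firewall.
resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'afw-hub-${location}'
  location: location
  zones: zones
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    firewallPolicy: { id: fwPolicy.id }
    ipConfigurations: [
      {
        name: 'ipconfig-primary'
        properties: {
          subnet: {
            id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnet.name, 'AzureFirewallSubnet')
          }
          publicIPAddress: { id: fwPip.id }
        }
      }
    ]
  }
}

// Surface the allocated values so they can go straight into runbooks and allow-lists.
output firewallPublicIp string = fwPip.properties.ipAddress
output publicIpPrefix string = pipPrefix.properties.ipPrefix
```

Deploy it once per region, for example `az deployment group create -g rg-hub-neu -f hub.bicep -p location=northeurope`, then again into a second resource group with `location=westeurope`. The `zones` values are only honoured at creation, so changing a Basic public IP or single-zone firewall to this shape later means redeploying the resource, which is the maintenance-window problem noted earlier in the post.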

Unavoidable Issues

With zone-redundant deployments, I would call out two issues, and they have already been highlighted in brief: it has to be actioned at time of deployment, and SKU costs. Configuration-wise, for networking it’s fairly simple and shouldn’t pose challenges.

With regional redundancy, there are quite a few more. Much of this comes from the complexity of running two regions and two footprints, and from the fact that replication methods do not exist for all services – you can replicate a Virtual Machine, for example, but there is no native way to replicate an Azure Firewall. There is also cost, of course: having two footprints in theory means double your network costs. Unfortunately, as we all know, cost is only a challenge before an outage; during one you would have unlimited budget to recover!

Closing Recommendation

To sum up, then – Azure Networking BCDR: zonal redundancy for a standard footprint is very achievable and is definitely the way to go. If you need regional redundancy, try to build ahead everything you can to mirror the primary region.

Where to Start – NLP with Azure OpenAI

I think without a doubt, one of the most talked about subjects at the moment is AI. Mass usage of OpenAI’s ChatGPT service exploded onto the scene this year, and we haven’t looked back. However, starting at such a broad scale of possibilities can be daunting. This post aims to simplify things down a bit, by looking at one single use case.

In this instance, I am going to take the Natural Language Processing capability offered by Azure OpenAI and have a GPT model summarise a piece of text for me. I completed sample lab files for this as part of a Microsoft Learn course, and I am reusing the Python here with some tweaks of mine!

All of the code for this solution is on Github here – https://github.com/wedoazure/sumo

The idea is that we take a text file (in my code I am using the first chapter of ‘Sherlock Holmes – The Hound of the Baskervilles’, but feel free to use whatever txt file you like), send it to Azure OpenAI, and ask for it to be summarised.

The app itself is command-line based and very simple. It reads your text file, then sends a chat completion prompt to the Azure OpenAI model asking it to summarise your text.

The model then responds with a fixed-length summary, based on your input of word count and temperature.

The ability to adjust both is something I have added as my little variation. I had a couple of reasons for changing this up, but mostly it is built on the fact that your opinion of the output is important. For example, read the actual text you want summarised, then have the app do it. Is the summary accurate? Is it a bit short, is it a bit too stiff? Change things up! Here is a 50-word summary at a temperature of 0.5 versus 0.9 for the same txt file.

Sherlock Holmes and Dr. Watson examine a visitor’s stick, deducing that its owner is a country practitioner who walks a lot and has likely received a presentation from a hospital. The visitor, Dr. James Mortimer, arrives and confirms their deductions. He seeks Holmes’ assistance with a serious and extraordinary problem.

50 words at 0.5 temp

Dr. James Mortimer visits Sherlock Holmes and asks for his assistance with a mysterious problem. Through analyzing a stick left by a previous visitor, Holmes deduces that Dr. Mortimer is a country practitioner who used to work at Charing Cross Hospital. Dr. Mortimer confirms this and reveals that he has a strange case involving the curse of the Baskervilles.

50 words at 0.9 temp

As you can see, these are very different outputs. I personally prefer the response at 0.9, as I am summarising a work of fiction. However, if it was a financial report, you may need a lot less creativity and therefore force a lower temperature. Similarly, you may want more words, or fewer, depending on your scope.

And that’s it! Short and sweet, using a single use case, minimal effort but impactful and useful outcome. I am sure I may make more tweaks, adding more advanced file input is definitely on the list. Let me know if you have any questions!

How to – Share your Certification from Microsoft Learn

Update: As flagged by my friend Dwayne Natwick, online verifiable certifications only appear to be available when renewed or newly passed from July 1st. Older certs will still be active via Credly.
Looks like more of the historic certs are now available as online verifiable. My entire role-based cert collection, regardless of upcoming renewal, is now available.

Recently, Microsoft announced that they were moving on from Credly, which personally I thought was a shame, as so many providers use the service, and a regular business can sign up too, meaning everything was in one place.

However, my guess here is the cost was outweighing the benefit for a service they could deliver themselves at scale. So, here we are.

Here is Microsoft’s piece on your current Credly setup:

Microsoft is introducing new features to the Microsoft Learn profile, providing learners with more flexible options for viewing and sharing their Microsoft Certifications directly from Microsoft Learn. With this feature release, Credly badge services will no longer be used for most Microsoft Certifications. All your new and previously earned Microsoft Certifications will automatically be associated with your Learn profile. Once you’ve connected your Microsoft certification profile to your Learn Profile, you can view and share all of your Microsoft Certifications from your Learn profile. Microsoft Certifications earned and claimed on Credly before June 30, 2023, will be available for viewing and sharing through Credly until June 30, 2024. However, your Microsoft Certifications on Credly will no longer be kept current or updated as you pass renewal exams or earn new Microsoft Certifications. The only exception is Microsoft Certifications issued by Certiport which will still be managed and updated on Credly indefinitely.

So, if you take a renewal or an exam that earns a certification from July 2023 onwards, you will be able to share it from Microsoft Learn, rather than it being claimed in Credly. I was very curious about this, so I went and renewed my Azure Network certification a few days ago. And thankfully, nothing about that process was any different.

Once passed, again everything appears the same.

However, if I click on the ‘view all’ Certifications link, this cert now shows as ‘Online Verifiable’. See below in comparison to another.

If I click on the ‘View certification details’ link just below the cert title, it brings me to a new page with my verified credential.

The ‘Share’ link on the top right hand corner then allows me to choose from several options that link to this verifiable credential anonymously.

The whole process appears to just work to be honest! Here is the link to my cert for reference –

Microsoft Certified: Azure Network Engineer Associate

Learn has an FAQ page that may also help!

Thanks for reading, and as always if there are any questions just ping me!

Opinion – I’m sold on AI

For the first time in a while, I’m writing just about my thoughts on a topic, rather than specifics. As a result, this will be categorised differently, and maybe I will continue it as a series…

It is hard to spend a single moment of a day at the moment without AI popping up. Social media is alight with opinions, dos and don’ts, hype and Skynet fear. I’m going to start by saying – I think that’s important.

If you spend some time looking at the capabilities that modern AI can offer, you quickly realise that this isn’t a fad. This is something that is coming at us like a train, and is here to stay. That certainty is why I think a mix of opinions is important. Experts on the subject are openly saying they are unsure where this can, will, or should go. That is both exciting and terrifying.

Rather than focus on the terrifying (I personally don’t think it will get there FWIW), I want to focus on the exciting. Recently I’ve seen some use cases, and some demos that have convinced me that this will make my work life better. While I haven’t seen something yet that helps my personal life directly, perhaps AI helping work can indirectly give me a better balance of time.

Also, I currently have zero interest in the creative side. Art, music, even blog posts are something I have no care for seeing AI involved with.

Part of my job requires me to explain complex technology to people in simple language. I have spent some time trying to think how I could explain AI in this way. I think simply stating it’s a new assistant is more confusing than helpful. “I don’t want or need another Siri”. I also think getting too deep on LLMs etc. helps no one. I’ve simply settled on: AI is an enabler for a new generation of your productivity tools.

In the same vein that an abacus helped you count, and a calculator was a leap forward, AI will be the tech that facilitates a leap forward for your tool.

Let’s take Excel as an example. It’s not a core tool of mine, but I use it a lot. Mostly to read data, rarely to work with complex sets. However when I do, finding out how to do something is difficult. Excel has been around a long time, there is a huge amount of content, searching and finding what you want always takes longer than a single Google search. Enter AI to boost productivity. This is what I want from it.

Working with VS Code and GitHub Copilot, creating Bicep templates etc., I’ve seen some of this already: write a comment, get some code. It’s not perfect, and sometimes maybe it’s not even correct. This is important to me, and it is why I am calling AI tech to boost your tool.

I don’t think AI can replace someone. I might be wrong, absolutely. But right now, I see it making people more productive. You still need people to validate and confirm the value of what AI has returned. Regardless of capability, I don’t want AI to find data, edit it, and send it to a client, without me involved. I do want it to do the heavy lifting for me, hopefully helping me hit send quicker and with less mental effort. But that is far enough for now please.

As the title says, I’m sold. As long as modern AI can save me time and do so with a degree of accuracy that ensures I can spend time validating and tweaking rather than correcting work it has done I think this will change how we work forever. It is a very exciting time to be working with this technology.

Microsoft MVP Summit – 2023

As part of the Microsoft MVP program, every year Microsoft runs a specific summit for MVPs only. At this event, MVPs interact with Microsoft teams on NDA content and hang out with peers. For the last few years this has been virtual; however, this year the event was hybrid, with MVPs able to attend in person at Microsoft HQ in Redmond, just outside Seattle. It was also a celebration of 30 years of the MVP program!

Thankfully I was able to make the trip! Here I am looking delighted with myself after picking up my badge:

As all details within the event are under the MVP NDA, unfortunately I cannot even share a round-up. However, I can say that I am very excited for Build, which is again hybrid in Seattle. You can register here – https://build.microsoft.com/en-US/home

And finally, if you saw all of the posts from this past week and feel like you may be a fit for the program, let’s have a chat about a nomination!