Microsoft Azure Concepts – Availability Sets

Availability Sets are used within Microsoft Azure to ensure that virtual machines are deployed into different Update Domains and different Fault Domains. This allows Microsoft Azure to provide an SLA of 99.95% for the service provided by the virtual machines within the availability set.

  • Updates are planned events: for example, when the underlying Azure fabric is patched it may require a restart of your guest VMs. This is defined as an Update Domain (UD).
  • Failures are unexpected events, such as a physical or logical hardware failure, that impact the availability of your guest VM. This is defined as a Fault Domain (FD).

As a minimum, two virtual machines are required in an Availability Set for Microsoft to provide the 99.95% SLA.

  • An Availability Set can be created with a single virtual machine; however, Microsoft will not provide an uptime SLA
  • Virtual machines within an Availability Set must reside in the same Cloud Service
  • A maximum of 100 virtual machines can reside in an Availability Set
  • Five update domains are available per Availability Set

Azure Availability Sets v0.1

That’s all very well and good, but this now means that our application needs to be able to cope with being restarted when a failure or update occurs. This point needs careful consideration when you are trying to meet your business SLAs within the framework that Microsoft provides in Azure.

We also need to consider how traffic is directed to each of the guest VMs within an Availability Set. This is where a load balancer comes in, to direct traffic to the most appropriate guest VM within the availability set.

You might think that you could put a single VM into an Availability Set to meet SLA requirements. However, this is where Microsoft have a get-out-of-jail-free card: a single VM does not receive the 99.95% SLA. I guess this is because Microsoft don’t know how long it will take that guest VM to become available in another update or fault domain.
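To make the placement rule concrete, here is an added Python model (not code from the original post) of how the VMs in an Availability Set are spread over update and fault domains, and how many stay running during a single planned update or a single fault. The five update domains come from the article; round-robin placement and a count of two fault domains are assumptions for illustration.

```python
"""Model an Availability Set: VMs spread over Update Domains (UDs) and Fault
Domains (FDs), and the capacity left during one planned update or one fault.
Round-robin placement and the fault-domain count are assumptions; the
five-UD limit is from the article."""
from collections import Counter

UPDATE_DOMAINS = 5   # per Availability Set (from the article)
FAULT_DOMAINS = 2    # assumed for this illustration


def place_vms(n_vms, uds=UPDATE_DOMAINS, fds=FAULT_DOMAINS):
    """Return {vm_name: (ud, fd)} using assumed round-robin placement."""
    if n_vms < 1:
        raise ValueError("an Availability Set needs at least one VM")
    return {f"vm{i}": (i % uds, i % fds) for i in range(n_vms)}


def vms_up(placement, failed_ud=None, failed_fd=None):
    """Names of VMs still running while one UD is being updated and/or
    one FD has failed."""
    return sorted(vm for vm, (ud, fd) in placement.items()
                  if ud != failed_ud and fd != failed_fd)


def worst_case_fraction_up(placement):
    """Smallest fraction of VMs left running across every single-UD update
    and every single-FD failure. 0.0 means one event can take the whole set
    down, which is the single-VM case the article says carries no SLA."""
    n = len(placement)
    uds = {ud for ud, _ in placement.values()}
    fds = {fd for _, fd in placement.values()}
    worst = min([len(vms_up(placement, failed_ud=u)) for u in uds] +
                [len(vms_up(placement, failed_fd=f)) for f in fds])
    return worst / n


def meets_sla_precondition(placement):
    """The article's rule: at least two VMs, and no single UD or FD holds
    every VM in the set."""
    return len(placement) >= 2 and worst_case_fraction_up(placement) > 0


if __name__ == "__main__":
    for n in (1, 2, 4, 7):
        p = place_vms(n)
        print(n, "VM(s): per-UD", dict(Counter(ud for ud, _ in p.values())),
              "worst case up:", round(worst_case_fraction_up(p), 2),
              "SLA precondition:", meets_sla_precondition(p))
```

The worst-case fraction is the number your application must be sized for: with two VMs only half the capacity is guaranteed during a fabric update.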

Azure Availability Sets Load Balancer v0.1

Final Thoughts

Availability Sets require consideration around the design of the application layer to ensure that not only the Guest VM is available but also access to shared data services between them.  It’s also worth noting that application or service failures are not included within the 99.95% SLA.

Microsoft Azure Concepts – Identity & Access

When we talk about Identity and Access what do we really mean?  For me, it boils down to who you are and what you are entitled to access.

Simple statement, but it does start to get rather complicated when you think about Identity Management. If you think about your own organisation, what directory service does it use? Probably Active Directory Domain Services (AD DS). Think about how many years it has been fine-tuned with integration with third-party solutions such as:

  • Remote access via RADIUS servers
  • Two factor authentication
  • Single sign on into applications
  • Synchronization of user accounts and groups into hosted web services for web filtering
  • Integration with software that provides corporate wide email signatures
  • Integration with software that provides automated provisioning and de-provisioning of users

The list does truly go on and on.  Most organisations will treat their on-premises Active Directory Domain Services (AD DS) as the one source of all truth for users, groups, permissions and passwords.

So that’s the on-premises bit, what’s this Azure Active Directory all about?

What is Azure Active Directory

According to the Microsoft Azure ‘What is Azure Active Directory’ homepage, it is Microsoft’s multi-tenant, cloud-based directory and identity management service. Great, you say, but what does that really mean?

The key is in the multi-tenant part: it is a directory service built for Microsoft’s multi-tenant cloud, and it isn’t architected in the same way as AD DS. Most of us are used to the terms Kerberos, NTLM and LDAP; these aren’t available in Azure AD. Instead, Azure AD uses web-centric protocols such as SAML 2.0, WS-Federation and OAuth 2.0. More details on Azure AD authentication protocols can be found here.

For those among us who like facts and figures, Azure AD Basic and Premium have an SLA of 99.95% and operate out of twenty-eight Microsoft datacentres, with the object and metadata being held across two or more locations.

Noticeably, Azure AD doesn’t provide the same feature set that we are used to with AD DS; for example, group policy isn’t available. Azure AD Join is out for Windows 10 devices, which provides some enrollment and integration features into areas such as email, but again it doesn’t provide the rich feature set you would expect from your on-premises AD DS.

Microsoft are adding features continuously to Azure AD, so I’m sure things will progress and update in the near future. This leaves us with three choices when it comes to accessing cloud-based solutions:

  • Separate
  • Synchronized
  • Federated

Separate

This is where you have separate identity and access for your on-premises AD DS and Azure AD.

A user, ‘John Smith’, has to manage his credentials for on-premises access to applications via AD DS and a different set of credentials for access to applications in Azure AD.

Azure AD Seperate v0.1

Synchronized

These are identities that exist both on-premises in AD DS and in Azure AD. Typically Azure AD Connect would be used to manage password synchronization, using hashing algorithms so that password hashes rather than the passwords themselves are synchronized. It uses a SQL Server database to store identity data, with the Express version enabling you to manage 100,000 objects.

Using AD Connect, the on-premises password will authenticate to both AD DS and Azure AD. Users will have single sign-on for an extensive set of pre-integrated SaaS applications; at the moment 2,577 applications are pre-configured for Azure AD integration.

Azure AD Connect v0.1

Federated

Federation enables your on-premises AD DS to be the source of authentication into Azure AD and other cloud-based resources or partner organizations. Essentially it supports advanced scenarios that cannot be achieved using the synchronized deployment method, for example where your security policy prohibits password hashes being synchronized to the cloud.

It should be noted that it is higher maintenance: it requires additional servers, extensive setup and redundancy to ensure users can always authenticate.

Azure AD FS v0.1

Azure AD Free, Basic and Premium

Just to make things slightly more complicated, Microsoft have three versions of Azure AD: Free, Basic and Premium.

  • Free – This is the entry level option that doesn’t provide an SLA or company branding.  It does however give you the following:
    • Up to 500,000 objects
    • SSO to the 2,577 Azure AD pre-integrated SaaS applications
    • Ability to extend on-premises AD DS into Azure AD
    • Self Service Password Changes for Azure AD users
  • Basic – This is the first paid-for option, which extends the Free features by including:
    • No object limit
    • 99.9% SLA
    • Company branding for login pages and access panel
    • Self Service Password Resets for Azure AD users
  • Premium – This is the top option, which extends the Basic features by including:
    • Self service group management
    • Self Service Password Resets with on-premises writeback
    • Multi-Factor Authentication
    • Self service Bitlocker recovery

Final Thoughts

Azure AD is a web-scale directory that provides SSO and integration with SaaS and on-premises directory structures and applications. It is maturing all the time, with the inclusion of new features on a regular basis.

In the next article I will look at Availability Set concepts, see you in the next installment.

Microsoft Azure Concepts

I seem to be spending more and more of my time on Microsoft Azure, so I thought it would be a good idea to start a blog series on Azure Concepts to provide an overview of the following:

  • Identity and Access
  • Availability Sets and Patching
  • Storage
  • Virtual Machines
  • Network Connectivity
  • Hybrid Cloud
  • Disaster Recovery

What is Microsoft Azure?

So the first question is: what is Microsoft Azure? The best explanation that I could find is from Wikipedia:

“Microsoft Azure is a cloud computing platform and infrastructure, created by Microsoft, for building, deploying and managing applications and services through a global network of Microsoft-managed and Microsoft partner hosted datacenters. It provides both PaaS and IaaS services and supports many different programming languages, tools and frameworks, including both Microsoft-specific and third-party software and systems”

For me, the part which is missing from the above statement is “providing resources on demand on a pay as you go basis”.

Scale

To give you an idea of the current scale of Microsoft Azure, I thought it would be fun to share a few facts:

  • Microsoft Azure operates in 21 different regions
  • Microsoft Azure receives over 90,000 new customers a month
  • 1.4 Million SQL Databases are held in Microsoft Azure
  • More than 50 Trillion storage objects in Microsoft Azure
  • Over 425 Million Azure Active Directory users
  • 3,200 Azure Marketplace applications are available

Trying to keep up to date with all things Microsoft Azure is a full-time job. To make things slightly easier, Microsoft offer a Cloud Platform Roadmap which enables you to see the upcoming applications, services and infrastructure items.

Final Thought

Microsoft Azure is complicated; you often have a number of ways to achieve the same end result. Hopefully this upcoming series of blog posts will provide you with the concepts that underpin Microsoft’s cloud service offering.