At the time of writing in excess of 50 services are available on Azure and both the number of available services and functionality within each service is being increased rapidly.
Azure Services are catalogued on the Azure website by category.
It is important to note not all services may be available in all regions or certain functionality or options may not be available. A common example of this is VM instance sizes which you should ensure are available for your region before initiating any design or planning activity.
Automation of infrastructure state is often referred to as 'infrastructure as code'. A key aspect of this practice is Desired State Configuration (DSC), that is ensuring through automation that infrastructure services are configured as expected.
- Azure Automation – Desired State Configuration
  - Ensure = Present installs / configures a component if missing
  - Ensure = Absent removes a component or configuration setting if present
  - Scripts defined in PowerShell Runbooks
  - For Windows platforms automate almost any task
  - Consider System Center Orchestrator for higher level management and GUI
- Chef – 3rd party product for management, automation & analytics
  - Client installed which periodically checks server for updates
  - Built on Ruby
  - Supports Windows, Linux, Mac
  - Cookbooks group the individual scripts, known as recipes
  - Knife plugin used for Azure integration
- Puppet – similar to Chef
  - Azure supports automatic deployment of Puppet Enterprise Agent
  - Configure client to communicate with Puppet Master Server
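The two Ensure states above are easiest to see in a real DSC configuration. The block below is an added example (not from the original notes or from Microsoft) that enforces a presence and an absence on a web node; the node name, Windows features and file path are assumptions chosen for illustration. The same configuration can be compiled locally and pushed, or uploaded to Azure Automation DSC for pull-mode enforcement.

```powershell
# Added example: a DSC configuration using Ensure = 'Present' and Ensure = 'Absent'.
# Node name, feature names and the file path are assumptions for illustration.
Configuration WebTierBaseline {
    param (
        [string[]]$NodeName = 'localhost'   # assumption: target node(s)
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # Ensure = 'Present': install / configure the component if it is missing
        WindowsFeature IIS {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }

        # Ensure = 'Absent': remove a component that must not remain on the box;
        # drift back to Present is corrected on the next consistency check.
        WindowsFeature TelnetClient {
            Name   = 'Telnet-Client'
            Ensure = 'Absent'
        }

        # A File resource with Ensure = 'Present' keeps a configuration file in place
        File RobotsFile {
            DestinationPath = 'C:\inetpub\wwwroot\robots.txt'      # constructed path
            Contents        = "User-agent: *`r`nDisallow: /admin/"  # constructed content
            Ensure          = 'Present'
            DependsOn       = '[WindowsFeature]IIS'
        }
    }
}

# Compile the MOF, apply it, then report whether the node matches the desired state.
WebTierBaseline -OutputPath 'C:\DSC\WebTierBaseline'   # assumed output folder
Start-DscConfiguration -Path 'C:\DSC\WebTierBaseline' -Wait -Verbose
Test-DscConfiguration -Detailed
```

Running Test-DscConfiguration on a schedule (or letting the Local Configuration Manager do it) is what turns a one-off script into desired-state enforcement: a removed feature that reappears, or a file that is edited, is reported as drift and corrected.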
PowerShell deserves particular attention: it can be used to carry out any task available in the Azure portal, and more beyond that. To get started download the Azure module for PowerShell, which is installed by the Web Platform Installer. PowerShell must authenticate with Azure before carrying out any operations, which can be achieved using:
- AD account – Add-AzureAccount
- Computer certificate – Get-AzurePublishSettingsFile
Some common commands to be aware of:
- Get-AzureAccount (accounts currently connected)
- Remove-AzureAccount (remove connected accounts)
- Get-Help (show help on PowerShell commands)
The MSDN Azure Cmdlet Reference site is one useful source of information on available Azure PowerShell cmdlets and commands. The Azure GitHub repository ‘contains a set of PowerShell cmdlets for developers and administrators to develop, deploy and manage Microsoft Azure applications.’
Windows PowerShell workflows (runbooks) can be configured in Azure Automation and provide powerful automation and orchestration capabilities.
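The following is an added example (not from the original notes or from Microsoft) of a PowerShell Workflow runbook of the kind described above. It authenticates with an AD account held as an Azure Automation credential asset, uses the Get-AzureAccount / Remove-AzureAccount cmdlets listed earlier, and reports VMs that are not running. The credential asset name 'AzureRunAsUser' and the subscription name are assumptions; Get-AutomationPSCredential is the Azure Automation activity that retrieves a stored credential asset.

```powershell
# Added example: an Azure Automation runbook (PowerShell Workflow).
# Asset name 'AzureRunAsUser' and subscription name 'Production' are assumptions.
workflow Report-StoppedVMs {
    param (
        [string]$SubscriptionName = 'Production'   # assumption
    )

    # Authenticate with an AD account stored as a credential asset, so no
    # password is embedded in the runbook text or its job history.
    $cred = Get-AutomationPSCredential -Name 'AzureRunAsUser'
    Add-AzureAccount -Credential $cred | Out-Null
    Select-AzureSubscription -SubscriptionName $SubscriptionName

    # Confirm which identities this session actually holds before touching resources.
    $accounts = Get-AzureAccount
    Write-Output "Connected accounts: $($accounts.Id -join ', ')"

    # Inventory: report every VM whose power state is not 'Started'.
    $vms = Get-AzureVM
    foreach ($vm in $vms) {
        if ($vm.PowerState -ne 'Started') {
            Write-Output "$($vm.ServiceName)/$($vm.Name) is $($vm.PowerState)"
        }
    }

    # Drop the session identity when done so a later job cannot reuse it.
    Remove-AzureAccount -Name $cred.UserName -Force
}
```

Keeping the credential in an Automation asset rather than in the runbook body means the runbook text can be reviewed and version-controlled without exposing a secret, and removing the account at the end keeps the job's authenticated context from outliving the work it was created for.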
Microsoft and Azure services which can be used as part of a DR strategy include:
- Azure Backup – scalable, off-site, encrypted backup service
  - Create a recovery vault, specify the Azure region
  - Download vault credentials
  - Download agent
  - Install agent
  - Upload vault credentials
  - Launch backup
  - Configure backup properties
  - Schedule backup
- StorSimple – hybrid storage appliance with tiered disk storage (SSD, SATA) and Azure storage.
  - Uses de-duplication and compression techniques
  - Use for backup and DR in addition to production storage
  - Data encrypted in flight and at rest, store encryption keys on-premise
  - Storage presented using iSCSI
  - 2 physical appliances available and a virtual appliance
- Data Protection Manager – Microsoft's enterprise backup and recovery solution which supports Bare Metal Restore (BMR) and file level recovery.
  - Integrates with Azure by registering with the associated Azure Backup Vault
  - Use tape, local disk storage or Azure
  - Supports workloads including server, client, SQL Server, SharePoint, Hyper-V, VM, Exchange
StorSimple is the optimal solution for high performance storage and support of low RTO and RPO requirements. Azure Backup is a cost-effective, simple solution for providing block level backup and file level restore with a supported agent. Data Protection Manager can be integrated with Azure Backup and provides additional capabilities for protecting and recovering Microsoft workloads.
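The Azure Backup steps listed above (upload vault credentials, launch, configure, schedule) can be driven from PowerShell once the agent is installed. The block below is an added example, not from the original notes or from Microsoft; it assumes the MSOnlineBackup cmdlets that ship with the Azure Backup agent, and the vault credential path, folders, schedule and retention period are constructed for illustration.

```powershell
# Added example: register the Azure Backup agent and define a backup policy.
# Cmdlets are assumed from the agent's MSOnlineBackup module; paths are constructed.
Import-Module MSOnlineBackup

# Upload the vault credentials downloaded from the portal (assumed path).
Start-OBRegistration -VaultCredentials 'C:\Vault\prod-vault.VaultCredentials'

# The encryption passphrase never leaves your control: read it interactively,
# never hard-code it, and keep a copy offline, since a lost passphrase means
# the recovery points cannot be restored.
$passphrase = Read-Host -AsSecureString 'Backup encryption passphrase'
Set-OBMachineSetting -EncryptionPassphrase $passphrase

# Configure backup properties: what to protect, when, and how long to retain.
$policy = New-OBPolicy
$files  = New-OBFileSpec -FileSpec @('C:\Data', 'D:\Config')   # constructed folders
Add-OBFileSpec -Policy $policy -FileSpec $files

$schedule = New-OBSchedule -DaysOfWeek @('Monday', 'Wednesday', 'Friday') -TimesOfDay @('21:00')
Set-OBSchedule -Policy $policy -Schedule $schedule

$retention = New-OBRetentionPolicy -RetentionDays 30
Set-OBRetentionPolicy -Policy $policy -RetentionPolicy $retention

# Commit the policy to the agent, then read it back to confirm what was applied.
Set-OBPolicy -Policy $policy -Confirm:$false
Get-OBPolicy | Get-OBSchedule
Get-OBPolicy | Get-OBRetentionPolicy

# Launch an on-demand backup so a first recovery point exists before the
# scheduled window, rather than discovering a problem at the first restore.
Get-OBPolicy | Start-OBBackup
```

Reading the policy back with Get-OBPolicy after committing it is the check worth keeping: the schedule and retention the agent reports are what will actually run, regardless of what the script intended.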
When planning a BC / DR strategy it is important to understand:
- RPO (Recovery Point Objective) i.e. the maximum time in minutes for which data loss is acceptable when recovering from a disaster
- RTO (Recovery Time Objective) i.e. the maximum time in minutes it takes to recover service in the event of a disaster
- Synchronous vs. Asynchronous replication i.e. whether operations are carried out at the same time or queued
- SLA (Service Level Agreement) for the underlying services
When designing high availability into Azure services consider:
- Use of Availability Sets and load balancing for Virtual Machines
- SQL Server AlwaysOn (>= 3-node WSFC: Primary Replica, Secondary Replica, File Share Witness (FSW))
- SQL Mirroring
Hyper-V Replica provides asynchronous replication of VMs without a shared storage requirement; however, shared storage can be leveraged with supported SANs for additional functionality. Azure Site Recovery also works with Hyper-V Replica.
System Center can provide orchestration for Site Recovery failovers.
Operations Manager is the primary monitoring component within System Center which integrates with other Azure services. On-premise SCOM deployments can integrate with Azure through deployment of the Azure Management Pack for Operations Manager.
The ideal configuration, particularly when a large number of systems are deployed on Azure, is to deploy a SCOM Gateway server. Systems can be configured as proxy agents to monitor other systems which are not directly accessible. TCP port 5723 is used for monitoring traffic.
By uploading the SCOM server Public Key to Azure Storage it is possible to collect data from the Azure Monitor and Diagnostic Service (Windows, Azure, App Sources, Counters, Events, Logs, Dumps).
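Before deploying agents against a SCOM Gateway it is worth checking the two things the notes above depend on: that TCP 5723 is actually reachable from the Azure side, and that a machine which is not domain joined holds a computer certificate usable for agent-to-gateway authentication. The block below is an added example (not from the original notes or from Microsoft); the gateway host name is a constructed placeholder and the certificate checks are the generic ones a practitioner would run, not a SCOM-specific validation.

```powershell
# Added example: pre-flight checks run on a prospective SCOM agent in Azure.
# The gateway name is a placeholder; the EKU test is a generic certificate check.
function Test-ScomGatewayPath {
    param (
        [Parameter(Mandatory)] [string]$GatewayFqdn,
        [int]$Port = 5723                      # SCOM monitoring traffic port
    )

    $result = [ordered]@{ Gateway = $GatewayFqdn; Port = $Port }

    # 1. Is the gateway reachable on the monitoring port from this host?
    $tcp = Test-NetConnection -ComputerName $GatewayFqdn -Port $Port -WarningAction SilentlyContinue
    $result.TcpReachable = $tcp.TcpTestSucceeded
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "TCP $Port to $GatewayFqdn failed: check the cloud service endpoint / NSG and Windows Firewall"
    }

    # 2. Is this machine domain joined? If not, it needs a certificate for authentication.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result.DomainJoined = $cs.PartOfDomain

    # 3. Look for a machine certificate with both Server and Client Authentication EKUs
    #    and a private key, which is what mutual certificate authentication requires.
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication') -and
        ($_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication')
    }
    $result.AuthCertThumbprints = @($candidates | ForEach-Object Thumbprint)

    if (-not $cs.PartOfDomain -and $candidates.Count -eq 0) {
        Write-Warning 'Not domain joined and no usable authentication certificate found'
    }

    [pscustomobject]$result
}

# Usage with a constructed gateway name.
Test-ScomGatewayPath -GatewayFqdn 'scom-gw01.contoso.example'
```

Running this from each Azure VM before installing the agent separates network problems (endpoint or firewall) from identity problems (missing or expired certificate), which otherwise present identically as an agent that never reports in.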
Azure built-in monitoring capabilities include:
- Default metrics (CPU usage, disk read / write, network in / out)
- Web apps metrics (CPU time, data in / out, HTTP server errors, requests)
- Application diagnostics and logging:
  - Application Logging (File System) – access from FTP share for web app
  - Application Logging (Table Storage) – access from specified table
  - Application Logging (Blob Storage) – access from blob container
Configure application logging, certificate authentication and verbose logging for additional logging and statistics.
Third-party tools are also available, often through the Marketplace.
Global Service Monitor is an Azure cloud service which works with SCOM to monitor web applications from an end-user perspective and can help identify issues with DNS, network connectivity, etc.
Application Insights provides deep insight into your applications running on a VM or web role and integrates with SCOM to provide a single consolidated view.
When designing application resiliency consider the use of:
- Availability Sets to split instances across Fault and Update Domains
  - 2 Fault Domains exist in Azure
  - Up to 20 Update (or Upgrade) Domains can be used but only 5 are by default
- Use Virtual IP (VIP) Swap to test application upgrades
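The availability set and VIP swap points above, and the "Availability Sets and load balancing" item in the high availability list, come together in the following added example (not from the original notes or from Microsoft). It uses the classic (service management) Azure PowerShell cmdlets of the same module as Add-AzureAccount; the cloud service names, image family, instance size and credentials are constructed placeholders.

```powershell
# Added example: two web VMs in one availability set behind a load-balanced
# endpoint, a placement check, and a VIP swap. All names are placeholders.
$serviceName = 'contoso-web'          # assumption: cloud service for the VMs
$location    = 'West Europe'          # confirm the instance size is offered here first
$adminCred   = Get-Credential -Message 'Local admin for the web VMs'   # never hard-code

# Pick the newest image of an assumed family rather than pinning a stale image name.
$image = Get-AzureVMImage |
    Where-Object { $_.ImageFamily -eq 'Windows Server 2012 R2 Datacenter' } |
    Sort-Object PublishedDate -Descending |
    Select-Object -First 1 -ExpandProperty ImageName

# Both VMs name the same availability set, so Azure spreads them across the
# 2 fault domains and the update domains (5 by default), and the shared
# LBSetName puts them behind one load-balanced port 80 endpoint with a probe.
$vms = foreach ($i in 1..2) {
    New-AzureVMConfig -Name "web0$i" -InstanceSize Small -ImageName $image `
                      -AvailabilitySetName 'web-avset' |
        Add-AzureProvisioningConfig -Windows -AdminUsername $adminCred.UserName `
                                    -Password $adminCred.GetNetworkCredential().Password |
        Add-AzureEndpoint -Name 'http' -Protocol tcp -LocalPort 80 -PublicPort 80 `
                          -LBSetName 'web-lb' -ProbeProtocol http -ProbePort 80 -ProbePath '/'
}
New-AzureVM -ServiceName $serviceName -Location $location -VMs $vms

# Verify placement: the two VMs should report different fault / upgrade domains.
Get-AzureVM -ServiceName $serviceName |
    Select-Object Name, AvailabilitySetName, InstanceFaultDomain, InstanceUpgradeDomain

# VIP swap for a cloud service with a staging deployment (assumed name): traffic
# moves to the new build without changing the public IP, and swapping again
# rolls back if the upgrade misbehaves.
Move-AzureDeployment -ServiceName 'contoso-cloudsvc'
```

The Get-AzureVM placement check is the part worth keeping in a runbook: an availability set only delivers resilience if the instances really landed in different domains, and reading InstanceFaultDomain and InstanceUpgradeDomain back is the cheapest way to prove it.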
The System Center suite includes the following tools:
- Operations Manager – monitoring and alerting, integrates with OMS
- Configuration Manager – Azure integration through Cloud Distribution Point
- Virtual Machine Manager – hypervisor management (Hyper-V, ESX, XenServer)
- Orchestrator – automate SC tools and Azure with runbooks
- Data Protection Manager – backup to tape, disk or Azure using Online Backup Agent
- App Controller – provisioning and self service, Public Cloud Connector for Azure integration
- Service Manager – DBMS platform for self-service, portal and ITIL features
- Endpoint Protection – security solution for anti-malware
The PowerShell Deployment Toolkit greatly simplifies and accelerates the System Center deployment process.
System authentication can be performed using domain authentication or computer certificates where machines are not domain joined. Consider bandwidth and latency in a hybrid deployment and the optimal placement of services.