Describe Azure services

At the time of writing in excess of 50 services are available on Azure and both the number of available services and functionality within each service is being increased rapidly.

Azure Services are catalogued on the Azure website by category.

It is important to note not all services may be available in all regions or certain functionality or options may not be available. A common example of this is VM instance sizes which you should ensure are available for your region before initiating any design or planning activity.

Design applications that use a web API

ASP.NET Web API is a platform supporting development of RESTful applications for clients including web and mobile, built on the .NET framework. As Web APIs are RESTful they can be configured to use standard HTTP requests (GET, PUT, POST, DELETE) to perform corresponding database CRUD actions.

Custom Web APIs can be created in Visual Studio using Microsoft Visual Basic (VB) or C# by selecting the ASP.NET template then the Web API template. If you chose to ‘Host in the cloud’ for Microsoft Azure you can choose a VM (running IIS) or Azure Web App.

Azure Web Apps can scale out (Free, Shared, Basic, Standard, Premium) and scale up (F1, D1, B1-B3, S1-S3, P1-P4). The Basic service allows manual scaling, the Standard and Premium service enables auto scaling. Basic and Standard both support instances (scaling up) with 7GB RAM and 4 CPU Cores, Premium supports up to 14GB RAM and 8 CPU Cores.

Azure WebJobs handle long-running jobs as executables and scripts:

  • .cmd, .bat, .exe (Windows cmd)
  • .ps1 (Windows PowerShell)
  • .php (PHP)
  • .sh (Bash)
  • .js (Node)
  • .py (Python)

WebJobs can be run continuously, on demand or on a schedule. By default continuous jobs run on all instances but can be configured to run on a single instance. When deciding to scale up or scale out this needs to be considered in regards to whether the job will support running across multiple instances.

Several authentication solutions can be used for securing a Web API:

  • Azure AD – stand-alone or synchronised with on-premise AD
  • AD FS – request identity from on-premise AD
  • ACS – can use multiple identity services



Design applications that use mobile services

Azure App Service allows developers to create mobile, logic, web and API applications.

Mobile Services is an Azure PaaS service implemented in Node.js and .NET that works with Android, iOS, Windows, Windows Phone and HTML. It connects mobile apps and back-end data storage, typically SQL server. Table storage and MongoDB can also be used.

  • .NET projects are built in Visual Studio on top of a Web API project
  • Node.js mobile services are created using the Azure management portal

Create a proxy to a data source to use an external database.

Soft delete for data marks deleted data as such but retains it for future  reference.

Hooks into Azure AD and social-networking providers (Facebook, Twitter, Google). APIs support authentication using these methods. Data authorisation settings limit calls to the mobile service by users without appropriate permissions:

  • Application Key Required
  • Everyone
  • Authenticated Users – User ID and authorisation token
  • Admins and Other Scripts – Master Key

Mobile services has basic push notification system and can link, in to Notification Hub service.

Mobile Services has a free plan and basic and standard plans the latter 2 offering 99.9% SLA. Azure App services has the same 3 tiers with Basic and Standard offering 99.95% SLA however it is notably more expensive.

Develop mobile apps using Windows, iOS, Android, HTML/JS and Xamarin (C#).

Offline Sync uses a SQLite database within the app to allow  data to be synchronised to mobile devices for when the device has no Internet connectivity. Another option is to serialize data to a local data file on the device, this will require additional coding.

Secure Resources with Identity Providers

Azure Access Control Service (ACS) enables a service provider to work with multiple identity providers. An authentication broker provides a layer of abstraction between identity providers and relying parties. ACS acts as an authentication broker so:

  • Hides protocol details working with different identity providers
  • Service provider can simultaneously work with multiple identity providers
  • Handles claims transformation where not supported out the box by identity provider

Azure ACS Concepts

  • ACS namespaces form a trust circle for identity providers and relying parties
  • Rule groups define how identity claims are transformed before passing to relying parties
  • Claim rules define how claims from an identity provider are transformed
  • Services identities can be used to authenticate directly with ACS
  • Identity providers could be AD FS, Facebook, Microsoft, etc.
  • Relying party applications for which ACS may be used for authentication

Azure ACS or alternative tooling can be used for identity:

  • ACS can be used as an authentication broker for AD FS
  • ACS supports popular social networks as identity providers e.g. Facebook
  • Newer versions of ASP.NET use OWIN (Open Web Interface for .NET). OWIN decouples web applications and web servers, Katana is one implementation of OWIN.
  • Azure Mobile Services also enable configure of identity providers using a similar method, connecting with an identifier and security key.

Secure Resources with Hybrid Identities

Active Directory Federation Services (AD FS) is the Microsoft implementation of the ws-Federation Passive Requestor Profile protocol. AD FS allows domain to be extended to external networks however Azure AD provides modern functionality.

Directory Synchronisation (DirSync), now part of AD Connect, allows synchronisation of an on premise AD domain to Azure AD. Directory synchronisation relies upon:

  • Connector space: shadow copies of AD objects with a subset of attributes added here ready for synchronisation
  • Metaverse: central, consolidated view of objects being synchronised
  • Synchronisation Rules: define which and how objects are synchronised

Password hashes can be optionally synchronised. Enable Hybrid Deployment to sync Azure AD changes back on on premise. Matching Rules can be used to determine how objects across multiple directories are synchronised together e.g. 2 user accounts in 2 directories both representing the same user.

Azure AD Application Proxy exposes on premise applications to the cloud with Azure AD protection. Publish applications that will be accessible from outside your network with an external Azure provided  URL and a configured URL pointing to the on premise application. Assign users and groups rights to access the application. Users can view and access applications assigned to them in the Azure AD Access Panel using a web browser.




Azure Traffic Manager & CDN

Azure Traffic Manager & Content Distribution Network (CDN) are Azure services  which support global systems.

Azure Traffic Manager

Routes traffic to services running in different regions based on performance and reliability.

  • Provides global load balancing based on DNS name resolution
  • A * DNS entry is associated with the service
  • A custom domain name may point to the * DNS entry
  • A CNAME for the endpoint is returned based on the configured policy

Endpoint selection is dependent on the policy and chosen method:

  • Round-robin: Traffic distributed evenly or based on weighting
  • Performance: Traffic distributed based on lowest latency
  • Failover: Primary endpoint used first, secondary in the event it is unavailable

Traffic Manager supports up to 10 levels of nesting for more complex traffic distribution scenarios and requirements.


In addition to the facilities which Azure operates out of, CDN point of presence (POP) locations are also placed in strategic locations globally. This network allows content to be delivered to users from the closest location, improving performance for the user and reducing the load on the central node(s).

VPN and ExpressRoute

Virtual Private Networks (VPN) provide a secure connection between an endpoint or site. An endpoint is a single device with the VPN client installed. A site is a location connected by a VPN device. Azure VPN Gateways support both Point-to-Site and Site-to-Site VPNs for supported devices.

Point-to-Site VPN

  • A Dynamic Routing (aka Route-based) VPN gateway is required
  • A Standard or High Performance VPN gateway may be provisioned
    • Standard = 80Mbps, 10 S2S Tunnels
    • High Performance = 200Mbps, 30 S2S Tunnels
  • A client certificate must be created and installed on VPN clients
  • A configuration package can be downloaded from Azure for client setup
  • VPN clients are assigned an IP address from the user configured range
  • Utilises the Secured Socket Tunnelling Protocol (SSTP)

Site-to-Site VPN

  • A Static Routing (aka Policy-based) or Dynamic Routing VPN gateway is required
    • Some VPN devices only support Static Routing however this limits you to a single connection
  • Supported VPN devices are listed here
  • Providing Dynamic Routing is used Site-to-Site and Point-to-Site VPNs can coexist
  • Multiple sites can be connected to a single VPN Gateway, this is known as a Multi-site VPN


  • ExpressRoute provides a reliable, resilent and private connection of up to 10 Gbps into the customer network
  • There are 2 ways to connect
    • Exchange Service Provider – up to 10 Gbps
    • Network Service Provider – up to 1 Gbps
  • Connections into Office 365 are also possible using ExpressRoute
  • ExpressRoute Fridays archived webinars and

vNet-to-vNet VPN

  • Connect 2 Azure Virtual Networks
  • Supports georedundancy and geopresence