Microsoft Azure and Cloud Computing
Keywords: European Union, Cloud Computing, Cloud Service, Cloud Service Provider, Content Delivery Network
What Is Microsoft Azure?
Microsoft Azure is an overarching brand name for Microsoft’s cloud-computing services. It covers a broad, and still growing, range of services that often form the foundational elements of cloud computing.
If you are reading this book, chances are that you are an information technology (IT) professional and have some basic knowledge of Azure. This book was written for the IT professional interested in using cloud-computing services. Some of the topics that may interest you include lowering operating costs, increasing agility, developing better disaster recovery (DR) strategies, accessing unlimited storage, and forgoing responsibility for future hardware refreshes.
Although Azure is considered a fairly new cloud service, it has grown by leaps and bounds in terms of capabilities and offerings during its brief history. Azure is also so diverse that it is not uncommon for IT professionals to be familiar with only a specific subset of Azure services.
Azure may seem to have a short history, but it should not be mistaken for a new or immature technology. Azure is based on mature Microsoft technologies such as Windows Server Hyper-V, Active Directory services, SQL Server, System Center, and so on.
The Azure/Office 365 Connection
Azure was introduced as Windows Azure in 2008. Prior to 2008, Microsoft primarily focused on another cloud service that was well known as Business Productivity Online Standard Suite (BPOS). BPOS consisted of Exchange 2007, Microsoft Office SharePoint Server 2007, Office Communications Online, and Microsoft Office Live Meeting. In 2011, Microsoft rebranded BPOS to Office 365. Office 365 is a software as a service (SaaS) offering that provides customers with access to Microsoft’s top productivity tools without having to implement and maintain significant on-premises infrastructure. Office 365 delivers Exchange Online to provide turnkey e-mail services, SharePoint Online to provide collaboration capabilities, Lync Online for instant messaging (IM) and virtual meeting spaces, and Office Pro Plus for productivity tools for desktop and mobile users.
In order to provide SaaS capabilities for customers, Microsoft had to build datacenters to host the BPOS and then Office 365 productivity suite offerings. The datacenter infrastructure is provided and managed by a special team within Microsoft known as Global Foundation Services (GFS). As a result, customers now have the option to use Microsoft’s productivity and collaboration tools without the added complexity of managing them.
Other core benefits of Office 365 are its scalability, high availability, and associated service-level agreement (SLA). Providing these requires more datacenters, geo-redundancy (redundant services in different geographic regions), and a highly trained operational workforce. The investment made by Microsoft in GFS is beyond the means of many organizations. As a result, even small businesses can now enjoy enterprise-level SLAs and performance.
Anyone who has installed and configured Exchange, SharePoint, or Lync on-premises knows there are myriad required dependent technologies. Active Directory services for identity management is one such technology. To ensure that the services are performing well, monitoring tools such as System Center Operations Manager are required. To provide Office 365 subscribers with unlimited OneDrive for business storage space, a vast and comprehensive storage solution had to be adopted by GFS. Remember too that these services and benefits need to be cost competitive, so economies of scale and efficiency of operations are important topics that Microsoft and GFS continuously need to manage.
It is well known that the birth of cloud computing resulted from the realization that it is possible to monetize excess computing capabilities. What differentiates Azure is that it was built specifically to provide cloud services. It is not the result of excess computing capabilities that were designed for other purposes. It was designed from the ground up to support Office 365. Because other non-Office 365 services can take advantage of foundational services, such as Active Directory, Azure makes acquiring these services possible.
The scalability, elasticity, and reliability of Office 365 SaaS is highly dependent on the Azure infrastructure.
IaaS, PaaS, and SaaS
We have identified Microsoft Office 365 as a SaaS. Other types of cloud services are classified as infrastructure as a service (IaaS) or platform as a service (PaaS).
Because Azure provides computing power for Office 365 foundational services, such as Active Directory, it is easy to identify the IaaS nature of Azure. In fact, Azure is most recognized for its IaaS offering. Examples of Azure IaaS offerings include Azure virtual machines and virtual networks, Azure storage solutions, and Azure recovery services. However, Azure is most often mistaken to be only an IaaS, when in fact it has a large portfolio of PaaS offerings. Examples of its PaaS offerings include Azure SQL Database, Azure websites, Azure Content Delivery Network (CDN), Azure BizTalk Services, and Azure Mobile Services.
As you can see, the Azure portfolio of services is much more significant than the better-known Office 365 SaaS offering. Subsequent chapters cover key Azure services. For now, the important takeaway is that, as far as cloud computing goes, Microsoft has demonstrated that it is betting its future on being a cloud-computing services provider. No other technology company has the combination of mature technologies, infrastructure, and financial commitment to package a complete SaaS, IaaS, and PaaS offering. In fact, with the changing of the guard in Microsoft’s corner office, CEO Satya Nadella has made cloud computing part of the company’s mission: mobile first, cloud first. It also helps that Mr. Nadella was the executive responsible for inventing and developing the Azure business.
When Microsoft reported its earnings for the quarter ending September 2014, cloud-computing services grew by 128% over the previous year, and they contributed to the bulk of the company’s $14.93 billion in revenue.
These developments are important if you are shopping for an IT partner to provide cloud-computing services, because you are handing off a very important piece of your IT operations. Knowing that a company has built its comprehensive cloud-computing services from the ground up and that it has a strong financial portfolio, has leadership committed to the service, and is an industry leader should buoy the confidence of any CIO making this decision.
Security, Compliance, and Privacy
As a service offering, Azure is a follow-up act to Microsoft Office 365. This is important because Microsoft implemented many industry-required security standards and regulatory compliance requirements when building the Office 365 business. Furthermore, through Office 365 operations, Microsoft has built a cloud-specific, service-oriented organization to address operational requirements including sales and licensing, incident management, and customer support.
The Microsoft Azure Trust Center is a one-stop shop for everything related to security, compliance, trust, and privacy. It is located at http://azure.microsoft.com/en-us/support/trust-center .
Microsoft adopted a multipronged approach when it comes to addressing security in the Azure platform. In addition to standard 24×7 monitoring of the service, other core elements of the approach are discussed in the following subsections.
Using Existing Resources across the Organization
Instead of reinventing the wheel, Microsoft used and enhanced existing resources to secure Azure. By relying on the combined experiences of the Digital Crimes Unit, the Malware Protection Center, and Microsoft Research, and with visibility to security threats on a global scale through services such as Windows Update, Xbox Live, and Office 365, Microsoft is in a great position to have early knowledge to address threats. Microsoft has also proven to be relentless in prosecuting hackers and shutting down rogue hosting providers.
Adhering to an Evolving Security Development Life Cycle
Microsoft aggressively patches its cloud-computing platform and has been following a disciplined Security Development Life Cycle (SDL) that was introduced in 2004 to develop more secure code. Because Microsoft is the developer of nearly the entire technology stack, from the Hypervisor on up, the company is in the best position to be agile in making code changes. Microsoft engineers have been trained to adopt an “assume a breach” mindset and to address potential issues aggressively.
It is used as the technology that drives consumer services like Xbox, Bing, and Cortana.
As an Azure service, it allows customers to use it to mine data.
It is used as the technology that mines data and logs to identify threats.
Microsoft also uses rules that raise a security event when activity looks suspicious. For example, if a user logs in successfully from Singapore and then attempts to log in from Seattle a few minutes later, this triggers a security event. Even though this could technically be accomplished via remote access, the security event is still triggered because of the “assume a breach” mentality.
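The Singapore-to-Seattle rule described above, written out as an impossible-travel check in Python. This is an added example, not Microsoft's detection logic; the log format, the sample events, and the 900 km/h and 100 km thresholds are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime

# Assumed thresholds (not from the book): faster than an airliner is not
# physical travel; short hops are ignored to absorb geo-IP jitter.
MAX_PLAUSIBLE_KMH = 900.0
MIN_DISTANCE_KM = 100.0
EARTH_RADIUS_KM = 6371.0

# Constructed sample log: UTC timestamp, user, result, city, latitude, longitude
SAMPLE_LOG = """\
2014-11-03T01:00:00Z alice success Singapore 1.3521 103.8198
2014-11-03T01:04:00Z alice failure Seattle 47.6062 -122.3321
2014-11-03T02:00:00Z bob success Seattle 47.6062 -122.3321
2014-11-03T02:30:00Z bob success Seattle 47.6062 -122.3321
2014-11-03T03:00:00Z carol success Singapore 1.3521 103.8198
2014-11-04T03:00:00Z carol success Seattle 47.6062 -122.3321
2014-11-03T05:00:00Z dave failure Singapore 1.3521 103.8198
2014-11-03T05:05:00Z dave success Seattle 47.6062 -122.3321
"""


@dataclass(frozen=True)
class SignIn:
    when: datetime
    user: str
    success: bool
    city: str
    lat: float
    lon: float


def parse_log(text):
    """Parse the whitespace-separated sample format into SignIn records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, city, lat, lon = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(SignIn(when, user, result == "success", city,
                             float(lat), float(lon)))
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = (math.sin(dlat / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect_impossible_travel(events):
    """Compare every attempt with the user's last *successful* sign-in.

    The attempt itself may succeed or fail; as in the text, the event is
    raised either way and is not suppressed for possible remote access.
    """
    last_success = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.when):  # tolerate unordered logs
        prev = last_success.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.when - prev.when).total_seconds() / 3600.0
            # Zero elapsed time between distant sign-ins is infinitely fast.
            speed = km / hours if hours > 0 else math.inf
            if km >= MIN_DISTANCE_KM and speed > MAX_PLAUSIBLE_KMH:
                alerts.append({
                    "user": ev.user,
                    "from_city": prev.city,
                    "to_city": ev.city,
                    "minutes": hours * 60.0,
                    "km": km,
                    "attempt_succeeded": ev.success,
                })
        if ev.success:  # only a successful sign-in becomes the new baseline
            last_success[ev.user] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(parse_log(SAMPLE_LOG)):
        print(alert)
```

Only alice is flagged: carol's two sign-ins are a day apart, bob never changes location, and dave has no earlier successful sign-in to compare against.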
Previewing New Security Features
Penetration testing is a standard part of any robust security program. As part of standard operations, Microsoft conducts regular penetration tests against the Azure platform. Moreover, the program goes a step further by incorporating a white hat feature that allows customers to conduct their own penetration testing. Customers are required to agree to the terms of penetration testing, submit a request form, and receive approval before conducting such tests. The terms and the request form can be found on the Microsoft Azure Trust Center or at https://security-forms.azure.com/penetration-testing/terms .
Certifications and Industry Standards
SOC 1/SSAE 16/ISAE 3402 and SOC 2
Cloud Security Alliance CCM
PCI DSS Level 1
United Kingdom G-Cloud
EU Model Clauses
Food and Drug Administration 21 CFR Part 11
The full list of certifications for the Azure platform is located at the Microsoft Azure Trust Center: http://azure.microsoft.com/en-us/support/trust-center/compliance .
Certifications govern the suitability of Azure for specific industry use, and they form the basis of customer trust. Third-party auditors, who are recognized by the certification bodies, independently verify each certification. There is also a requirement for recertification and periodic audits to ensure compliance with all certifications.
Microsoft is a member of the advisory committees of many of the certification bodies, and it provides feedback and recommendations on proposed changes. This allows Microsoft to have visibility into many upcoming changes in order to incorporate them into the Azure platform in a timely manner.
Microsoft Azure Government
Shortly after Office 365 debuted, Microsoft realized that there are specific requirements unique to government entities. This was initially most applicable to the United States federal government and extends to US state and local governments that interact and share data with the federal government. As such, the concept of a US government-only cloud was conceived, which led to the release of the Office 365 Government Community Cloud (GCC). Customers under the Office 365 GCC model must be US federal, state, or local government entities. Today, there are separate GCCs for non-US governments.
Like Office 365, Azure was initially released as a public cloud platform; but in October 2014, Microsoft Azure Government, which is the government edition equivalent to the GCC, was soft-launched for a select number of early government customers. On December 9, 2014, Microsoft publicly announced the general availability of Azure Government. It is considered a rolling deployment, and although not all capabilities and services in Azure are available in Azure Government, there is a roadmap to identify when a capability becomes available.
For more information about Azure Government, check out http://azure.microsoft.com/en-us/features/gov/ .
FBI Criminal Justice Information Systems (CJIS)
Often, these government-specific requirements make it difficult for cloud services providers to scale up. They may also make it riskier for cloud services providers because of special SLAs and compliance requirements that can cause providers to be penalized for noncompliance. For example, the FBI CJIS standard requires that the cloud service provider’s personnel be background-checked and fingerprinted. At the time of this writing, Azure Government is the only major service that can meet all the requirements in FBI CJIS.
Standards such as CJIS apply to all customers using Azure Government. Therefore, even if a government entity using Azure Government does not require Microsoft personnel to be background-checked and fingerprinted, the same personnel would be responsible for the service, and therefore the government customer would default to this higher standard requirement.
Microsoft strongly believes in customer privacy and that content in Azure belongs to the customer. Microsoft draws a clear line separating consumer services from enterprise services, with Azure falling in the latter category where no customer data is mined, sold, or shared with marketers or third-party partners.
Microsoft also promotes privacy by making sure it is transparent about how information is managed. For example, Microsoft published a white paper entitled “Protecting Data and Privacy in the Cloud” to explain how it handles privacy as it relates to cloud-computing services. Microsoft also publishes its datacenter regions, and it goes into detail regarding if, when, and how data is transferred between regions.
When it comes to privacy, the European Union (EU) has the most stringent requirements to govern the handling of personal data, as extensively covered under the EU Data Protection Directive (95/46/EC). Microsoft adheres to the US-EU Safe Harbor certification, which allows data to be transferred outside of the EU to Microsoft for processing purposes.
The Microsoft Azure Trust Center has a section on privacy at http://azure.microsoft.com/en-us/support/trust-center/privacy .
You can download the “Privacy in the Cloud” whitepaper from http://go.microsoft.com/?linkid=9694913&clcid=0x409.
It is a good practice to search the Microsoft Azure Trust Center and set a favorite for the important information you find. This simple approach has been one of the best practices adopted by Microsoft, and it helps to provide answers quickly to many of the questions that contribute to the uncertainty of adopting a cloud-computing service.
Why Microsoft Azure?
Now that you have a basic understanding of Azure and a sense of how it meets security, regulatory compliance, and privacy requirements, the next question is, “Why Microsoft Azure?”
The bigger question, though, is “Why cloud computing?” The promise of cloud computing, regardless of whether it is of the SaaS, IaaS, or PaaS variety, is the ability to use economies of scale to drive down the costs associated with IT operations. It also allows any organization to achieve a high degree of availability and resiliency at a truly geo-redundant level.
Furthermore, the highly elastic nature of cloud computing provides customers with the ability not only to scale up in real time, but also to scale down when services are not needed, ultimately paying only for utilization. Acquiring hardware and software in the traditional way meant being able to meet peak utilization, if scoped correctly, but it also led to idle usage most of the time.
Cloud computing provides all the attributes to maximize the efficiency of IT operations from a financial standpoint as well as from a service-delivery standpoint. Azure possesses all of these attributes, with the added benefit of being fully integrated into the Office 365 SaaS offering, thereby making Microsoft one of the most comprehensive providers of cloud-computing services.
The Azure Portal
The Azure Portal, or simply the Portal, is the web management interface for all Azure resources. At the time of this writing, the web address of the Portal is https://manage.windowsazure.com . You see the Portal referenced extensively in this book, because this is how you manage Azure.
At the time of this writing, the Portal is also undergoing an update and a new Portal is being previewed. You can access the new Portal at http://portal.azure.com . Where possible, this book references the new Portal.
How Azure Is Licensed
Before embarking on a discussion of licensing, you need to become familiar with two Azure terms: Azure account and Azure subscription. These are the logical containers that differentiate one customer from another.
As the name implies, an Azure account is the first step to acquiring Azure services. The Azure account requires a unique identity known as the Microsoft Azure account name. This name uniquely identifies a particular customer, and there is usually a one-to-one relationship between the customer entity and the account name.
By creating a new Microsoft account or using an existing Microsoft account
Via an Enterprise Agreement (EA)
Via an existing Office 365 tenant
Creating an Azure Account
You can use a Microsoft account, formerly known as a Microsoft Live ID, to create a new Azure account. Follow these steps to sign up for an Azure account with a Microsoft account. We assume that you already have a Microsoft account or know how to sign up for one, so we do not go through those steps here.
You can sign up for a Microsoft account by visiting https://signup.live.com/signup.aspx .
Signing up for Azure with a Microsoft Account
2. Sign in with a Microsoft account.
3. Sign up for the free 30-day trial. Figure 1-3 shows the Sign Up form, which requires a credit card for verification purposes only. You use the same credit card to pay for Azure after the trial.
4. After you enter a phone number for mobile verification, click Send Text Message.
5. Enter the verification code, and click Verify Code.
6. Once the code is verified, you are prompted for a credit card number for verification purposes.
7. After the credit card number has been verified, click the check-mark button to create the Azure account.
Once you have an Azure account, you can add a subscription. You go through the process of adding a subscription later in this chapter.
Going through the previous steps creates a unique Azure account name. You can determine the Azure account name by following the steps in the next exercise.
Determining Your Azure Account Name
1. Log in to the Azure Portal at http://manage.windowsazure.com if you are not already logged in.
2. In the menu on the left, scroll down and select Active Directory, as shown in Figure 1-4.
3. A single default directory should be listed, as shown in Figure 1-4. Click the arrow next to the directory’s name.
4. Click Domains on the top menu, as shown in Figure 1-5.
Take note of your Azure account name, because you need to reference it whenever you interact with Microsoft or a Microsoft Certified Cloud Partner.
If instead of using a Microsoft account your organization purchases Azure through an Enterprise Agreement, your Microsoft account team will help you sign up for an Azure account.
If your organization already has an Office 365 subscription, you can create an Azure account based on the same tenant name as your Office 365 subscription. Follow the steps in the next exercise to create an Azure account based on an existing Office 365 tenant.
Creating an Azure Account From an Existing Office 365 Tenant
2. Click Sign In With Your Organizational Account, as shown in Figure 1-6.
3. Log in with your Office 365 tenant administrator account.
4. An Azure account is associated with your Office 365 tenant; the Azure account name is the same as your Office 365 tenant name. You are then prompted to add a subscription, as shown in Figure 1-7. Click Sign Up for Windows Azure.
5. You are prompted to select a subscription, as shown in Figure 1-8. Select a subscription type, and follow the instructions to purchase the subscription. Upon completion, the subscription is added to your Azure account. Take note of the different types of subscriptions.
We just walked you through the process of adding a subscription in the previous section. Once you have an Azure account, you need to add one or more Azure subscriptions to the account.
One Azure account can have multiple Azure subscriptions associated with it.
Azure pay-as-you-go via credit card
Azure monetary commitment
Azure Client Access Licenses (CALs)
Depending on the type of Azure service, one or more of these models will be applicable.
An Azure subscription is the primary consumption vehicle for Azure services, which are charged based on utilization. An example of Azure utilization is Azure virtual machines (VMs). Azure VMs are charged based on uptime. Another example of an Azure service that is billed based on use is storage.
The pay-as-you-go option via credit card, as the name implies, allows services such as Azure VMs to be charged to a credit card on a monthly basis. When you create Azure VMs, you can pick the specific Azure subscription against which such use is billed. You see this throughout the book as you create different Azure services.
Azure monetary commitment is designed for large enterprises to pay for Azure services on an annual basis. This is usually tied to an EA, which is also renewable on an annual basis. Such an organization estimates its use for the year and pays that amount as part of the EA renewal. Once a monetary commitment subscription has been created, Azure services can start drawing down from that subscription amount. Azure monitors daily consumption trends to determine whether there are enough funds in a monetary commitment subscription to last until the annual renewal date. If not, the global and billing administrators are notified, and the organization can add funds to the Microsoft subscription. This simplifies billing and facilitates budget planning and allocation for enterprises.
However, not all Azure services are based on consumption. Some Azure services are based on traditional server licensing or CALs. Examples of Azure services that rely on the CAL model are Azure Active Directory (AAD) Premium and the Enterprise Mobility Suite (EMS). To use such services, a customer pays only for the required licenses. All Azure license-based services are subscriptions, and they are usually priced per user or instance per month. Later chapters cover services such as AAD Premium and EMS.
Multiple Azure Subscriptions
Azure’s ability to support multiple subscriptions per Azure account makes it easier to do separate billing. This is especially useful in bill-back scenarios.
Setting up Multiple Azure Subscriptions
1. Log in to your Azure Portal at https://manage.windowsazure.com .
2. Click your login name in the top-right corner, and select View My Bill from the drop-down menu, as shown in Figure 1-9.
3. On the Account page, on the Subscriptions tab, you see all the Azure subscriptions associated with the Azure account. Click the Add Subscription option, as shown in Figure 1-10.
4. On the next screen, select a pay-as-you-go subscription, and follow the instructions to add it to the Azure account.
5. Repeat steps 3 and 4 to add another pay-as-you-go subscription. After you are done, you should see two pay-as-you-go subscriptions on the Account page, similar to what is shown in Figure 1-11.
6. Select the first pay-as-you-go subscription.
7. On the details page for the Azure subscription, take note of the available information and options, and then click Edit Subscription Details, as shown in Figure 1-12.
8. Type Human Resources Consumption (Pay-As-You-Go method) in the Subscription Name box, as shown in Figure 1-13, and then click the check-mark button.
9. Repeat steps 6–8 for the second pay-as-you-go subscription, and name it Marketing Department (Pay-As-You-Go method).
10. When you are done, you should see two different subscriptions against which Azure services can consume. Thanks to the subscription name changes, you can easily identify which subscription to use when creating Azure resources. Your screen should look similar to Figure 1-14.
This exercise demonstrated a scenario that warrants multiple Azure subscriptions. It also showed you how to add such subscriptions and rename them for easy identification.
Consider putting the billing method as part of the Azure subscription’s description, as shown in the exercise. This enables you not only to identify the subscription, but also to know how the subscription is being funded.
Now that you understand the concept of Azure accounts and subscriptions and have worked through the exercises to create them, it is time to determine how many Azure resources you consume. Under the pay-as-you-go model, you want to forecast your charges. Under the monetary commitment model, you need to know how much to commit for the upcoming year. Therefore, you need a way to come up with an estimate.
If you are an Enterprise customer and have a Microsoft account team, you can work with the account team to come up with that estimate. If you do not have an account team assigned to your organization, you can work with a Microsoft Certified Cloud Services partner or use the Azure Pricing Calculator.
Accessing the Azure Pricing Calculator
Using the Azure Pricing Calculator
Once you have selected a category, the options for that category are displayed. Use the sliders next to an Azure resource to determine the number of units that you require.
Using the Azure Pricing Calculator
1. Access the Azure Pricing Calculator at: http://azure.microsoft.com/en-us/pricing/calculator or via the Portal.
2. Click the Virtual Machines box.
3. Hover over the question mark to get help on the resource type, as shown in Figure 1-19.
4. Select A0, A1, A2, and A3 VMs, and note the number of cores and RAM for each VM.
5. Click the Standard tab to get more VM options, and read the description of the difference between a standard VM and a basic one.
6. Use the slider to select the number of instances of the VM that you require, and note the hourly rate for that VM, as shown in Figure 1-20.
In addition to the individual categories of Azure resources, note the option to display the full calculator. This option combines all Azure resources on a single page. When you are done selecting all the different Azure resources you need and their quantities, the calculator provides you with a total cost. This is the value you can use as an estimate.
It is sometimes difficult to get the right value by using the slider, because some mice and trackpads are very sensitive. We have found it easier to use the left and right arrow keys on the keyboard to increase or decrease the number of instances.
This chapter was designed to get you started with Microsoft Azure. It introduced you to the various Azure services and how this cloud-computing platform addresses security, regulatory compliance, and privacy concerns.
You were also introduced to key Azure technologies, such as the Azure Portal, Azure accounts and subscriptions, and the different ways that Azure services can be billed. Finally, we introduced the Azure Pricing Calculator as a tool to assist you in estimating how much Azure services will cost you.
Chapter 2 introduces the different Azure Services. Later chapters explore some of these services in greater detail, including use-case and deployment scenarios.