Microsoft Azure Cloud Series – Azure Resource Manager – Part 3

Hello everybody, time to get in-depth with Azure Resource Manager. But, before I dive into the Azure Resource Manager, I would like to quickly review some of the basics in Azure. I will start with a rundown of the Azure Global Footprint. Then, I will go into how Azure charges are incurred. And finally, I will dive into the Azure Resource Manager V2 and compare it to the older Azure Service Manager V1. Sit tight and let’s go for an Azure Ride 😉

Azure Global Footprint

Microsoft Azure itself is deployed around the world and involves the concept of regions, which is where you select to place and run your code.  Each region has a Microsoft Azure data center.  These data centers are massive facilities that host tens of thousands or, in some cases, hundreds of thousands of servers.  Currently, Microsoft has:

  • Four regions in North America
  • Two regions in Europe
  • Two regions in Asia
  • One region in Japan

As shown above, Microsoft also has a number of Content Delivery Network (CDN) edge points.  They can be used to cache your content and deliver it even faster to end users.

Once you build an application, you can choose any location in the world where you want to run it, and you can move your workloads from region to region. You can also run your application in multiple regions simultaneously or just direct traffic and end users to whichever version of the app is closest to them.

How are Azure Charges Incurred?

This may be different for many of you who are familiar with hosting providers and on-premises systems.

Simply, with Microsoft Azure, you pay only for what you use:

  • There are no upfront costs
  • There is no need to buy any upfront server licenses; this is included in the price
  • VMs (IaaS and web/worker role) usage is by the minute
  • For VMs (IaaS only) that are stopped in Microsoft Azure, only storage charges apply
  • Likewise, if you use a SQL database, through the SQL Database feature in Microsoft Azure, you do not have to buy a SQL Server license—this is also included in the price
  • For compute services, such as VMs and websites, you only pay by the hour

This gives you the flexibility to run your applications very cost effectively.
You can scale up and scale down your solutions or even turn them on and off as necessary. This also opens up a wide range of possibilities in terms of the new types of apps you can build.

Managing Azure Deployments

Microsoft Azure currently has two management models:

  • Azure Service Manager (ASM) has been around since 2009 and has been due for an upgrade.
  • Azure Resource Manager (ARM), released last summer, supports modern deployment practices. It is designed to be extensible to all current and future services.

Azure Service Manager V1

  • Traditional way to deploy and manage applications hosted in Azure
  • Azure Portal https://manage.windowsazure.com
  • PowerShell / CLI (default mode)
  • REST API

Azure Resource Manager V2

  • Modern way to deploy and manage applications hosted in Azure
  • Azure Portal https://portal.azure.com
  • PowerShell / CLI (ARM mode)
  • REST API
  • Azure Resource Management Library for .NET

Why and what is Azure Resource Manager?

Today’s challenge with Azure Service Manager V1 – it’s difficult to…

  • Set and manage permissions – only co-admin and service admin
  • Monitor and have alerting rules – limited to Management Services and basic KPI in portal
  • Billing – through the billing portal
  • Deployment – complex PowerShell to gather all components for an application
  • Visualize a group of resources in a logical view, including monitoring/billing

ASM V1 Portal – Resource Centric Views


After working with the current ASM V1 for a number of years now, here’s the breakdown:

  • Resources are provisioned in isolation
  • Finding resources is not so easy
  • Deployment is more complex than on-premise
  • Management of app is challenging
  • Proper use of resources becomes more abstract
  • Isolation makes communications a challenge

Ok, Rob, then why does Microsoft still keep ASM V1 in production?  

Answer:  As of the writing of this blog post, not all features have been ported over to Azure Resource Manager V2.  Once all features and services have been ported over, I expect Microsoft to end of life Azure Service Manager V1.

Azure Resource Manager Overview


Azure Resource Manager enables you to work with the resources in your solution as a group.  You can deploy, update or delete all of the resources for your solution in a single, coordinated operation.  You use a template for deployment and that template can work for different environments such as testing, staging and production.  Resource Manager provides security, auditing, and tagging features to help you manage your resources after deployment.

Benefits of ARM

  • Desired-state deployment
    • ARM does desired-state deployment of resources. It does not do desired-state configuration inside these resources (e.g., VMs), although it can initiate the process of desired-state configuration.
  • Faster deployments
    • ARM can deploy in true parallel as compared to semi-sequential in ASM
  • Role-based access control (RBAC)
    • RBAC is fully integrated with Azure Active Directory
  • Resource-provider model
    • Resource-provider model is intended to be fully extensible.
  • Common interface for Azure and Azure Stack
    • When Azure Stack is released, same API model for on-premises and Cloud

ARM Definitions and what they mean?

  • Resource – Atomic unit of deployment
  • Resource group – Collection of resources
  • Resource provider – Manages specific kinds of resources
  • Resource type – Specifies the type of resource

Ok, let’s dive into the details of each now.

Resource Group (RG)

A Resource Group is a Unit of Management providing:

  • Application Lifecycle Containment – Deployment, update, delete and status
    • You can deploy everything included in a resource group together, thereby maintaining versions of an application along with its resources
  • Declarative solution for Deployment – “Config as Code”
    • Resource Groups are .json, declarative/configuration code
  • Grouping – Metering, billing, quota: applied and rolled up to the group
    • Resource groups provide a logical grouping of resources
  • Consistent Management Layer
    • In the V2 portal, everything is controlled in a RG. RGs can be accessed via REST APIs and resource providers
  • Access Control – Scope for RBAC permissions
    • You can only use RBAC in the new portal and the highest level generally used for RBAC is the resource group level.

But, Rob, that sounds great, but should these resources (VMs, DBs, Storage, etc.) be in the same Resource Group or in a different one?

Hint:  Do they have common life cycle and management?
Answer: It’s up to you

Resource Groups Best Practices

  • Tightly coupled containers of multiple resources of similar or different types
    • When resources are in the container, they have a common life cycle. You can deploy these things together, put RBAC on them together with one request and they can know about each other
  • Every resource *must* exist in one and only one resource group
    • Every resource must be in ONE resource group, important for RBAC
  • Resource groups can span regions
    • Don’t have to live in same location, can deploy to multiple regions

A few final thoughts on Resource Groups and their deployment scenarios before we move on.

  • Most significant question is of lifecycle and what to place in a resource group
  • Can apply RBAC, but is this right for a particular resource group?
  • Sometimes resources are shared across multiple applications, in other words a VM could be stored in a storage account in a different resource group
  • Lifecycle is distinct and managed by different people
  • There is no hard and fast rule

Resource Providers

A Resource Provider is used by the Azure Resource Manager to manage distinct types of resources – in your JSON template, you will have code that shows what the resource provider expects to see in order for the resource provider (sitting out in Azure) to build the resource that you want…for example a SQL Server or SQL DB or VM.

Resource providers are an extensibility point allowing new resource providers to be added in a consistent manner as new services are added to Azure – anyone can write their own provider.

Resource Provider Types Examples

Ok, Rob, how do I know which resource providers are available?

Using PowerShell, log in to your Azure account and then run:
Get-AzureRmResourceProvider
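
To see which resource providers a template will call on before it is deployed, the following added example (not code from the original post) parses a small constructed template offline and splits each resource's type into its provider namespace and resource type. The template contents, resource names and the helper name Get-TemplateResourceSummary are assumptions made for illustration.

```powershell
# Constructed sample template (not from the original post): a storage account
# and a virtual network that would be deployed into one resource group.
$templateJson = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "examplestorage01",
      "apiVersion": "2015-06-15",
      "location": "West US",
      "properties": { "accountType": "Standard_LRS" }
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "name": "example-vnet",
      "apiVersion": "2015-06-15",
      "location": "West US",
      "properties": { "addressSpace": { "addressPrefixes": [ "10.0.0.0/16" ] } }
    }
  ]
}
'@

# Hypothetical helper: lists what a template asks each resource provider to build.
function Get-TemplateResourceSummary {
    param([Parameter(Mandatory = $true)][string]$Json)

    $template = $Json | ConvertFrom-Json
    foreach ($resource in $template.resources) {
        # "type" has the form "<provider namespace>/<resource type>"
        $namespace, $resourceType = $resource.type -split '/', 2
        if (-not $resourceType) {
            Write-Warning "Resource '$($resource.name)' has no provider namespace in its type"
        }
        [pscustomobject]@{
            Provider     = $namespace
            ResourceType = $resourceType
            Name         = $resource.name
            Location     = $resource.location
        }
    }
}

$summary = Get-TemplateResourceSummary -Json $templateJson
$summary | Format-Table Provider, ResourceType, Name, Location -AutoSize

# Distinct provider namespaces the template depends on
$summary | Group-Object Provider | Select-Object Name, Count
```

The Provider values can be compared with the ProviderNamespace values returned by Get-AzureRmResourceProvider to confirm that every provider the template relies on is available in the subscription.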

Tools typically used with ARM

  • PowerShell – Blog Post coming soon
    • PowerShell is used to deploy the ARM templates and can be used to download log files from the Resource Group to analyze issues
  • Troubleshooting in the portal – Blog Post coming soon
  • Visual Studio
    • Although not required, will more than likely be the tool of choice for creating the ARM templates – Blog Post coming soon

Well, that wraps up my blog post on Azure Resource Manager.  We covered a lot and have much more to go.  Stay tuned…..Until next time, Rob.

Azure Stack…What is it?

The Ignite 2015 conference in Chicago is where Microsoft made the official announcement of Azure Stack, its private cloud infrastructure for data centers that want to be Azures in their own right. Or in other words, on-prem will be in full parity with Azure Cloud.


Quotes from Brad Anderson from Keynote on Azure Stack

“If you think about Azure, there’s all the infrastructure that you’re aware of, in network, storage and compute. There’s a set of services like IaaS and PaaS that we deliver. And then there’s all your applications, and that, really, is what Azure is,” explained Brad Anderson, Microsoft’s corporate vice president for cloud and enterprise, during a keynote session Monday morning. “Two years ago, we announced we were going to bring portions of this to your data center, and we called it the Azure Pack.”

Portions of this Azure Pack had made their way onto partner vendors’ hardware in the past — in the form of Microsoft Private Cloud Fast Track Program and Dell’s Cloud Platform System. My company, Nutanix, was one of the first Private Cloud Fast Track Partners with certified reference architecture. So we’ve seen private cloud platforms with third-party vendor brands, built around server software made by Microsoft but not called Windows.

What Azure Stack becomes, over and above Azure Pack, is not just a microcosm of Azure, but an extension of Azure itself. As several Microsoft officials confirmed at Ignite, Azure Stack extends the file and object system of Azure into the private space. (And Azure Stack won’t be the only Microsoft technology that does this….Hint, Hint…Hmm…under NDA at moment)

“You want to be able to take those cloud applications, and host them in your environment,” said Anderson. “You’ve told us you want Azure — all of Azure — in your data centers. Azure Stack … is literally us giving you all of Azure to run in your data centers.”

I saw early demonstrations of Azure Stack at Ignite, and what I saw was a user access policy management system that essentially duplicated the one currently used on the public Azure cloud as shown below.

“The Microsoft Azure Stack gives application owners the ability to ‘write once, deploy anywhere,’ whether it be to your private cloud, a service provider’s cloud, or the public Azure cloud,” reads a post to Microsoft’s server and cloud blog Monday. “Developers will have the broadest access to application development platforms across Windows and Linux to build, deploy and operate cloud applications using consistent tools, processes and artifacts. One Azure ecosystem across public, private and hosted clouds will allow you to participate in a unified, robust partner network for Azure clouds.”

Microsoft’s idea is to make private cloud space and public space addressable and manageable using the same toolset, and by extension, to effectively make data centers into planks, if you will, for Azure. It’s one big reason why the words “Windows Server” are being spoken less and less often by people whom you would think were in charge of it.

Azure Stack Deeper Dive

Now let’s start at the top. When we look at the image below we see the browser experience. In the current version of Azure Pack we have 2 portals, 1 for the tenant and 1 for the admin. In Azure Stack we have 1 browser experience. That experience is also the same across Azure Stack and Azure. So admins as well as tenants go through the same portal site and leverage the same portal APIs and extensions. In the deployment of the portal site there is still an option to scale out to multiple website nodes, like we do with a distributed deployment of Windows Azure Pack today.

When we go down that rabbit hole, we see the Azure Resource Manager and the Core Management Resource Providers. The Core Management Resource Providers integrate into Azure Resource Manager and all components interact with that. Below in this post, I will focus on the Azure Resource Manager and the Core Resource Providers. Further down we see the Service Resource Providers. Each Service Resource Provider controls and manages the resources it is assigned to: the Compute Service Resource Provider manages the compute resources (nodes), the Storage Resource Provider manages the storage resources (nodes), and so on. And that, in a nutshell, is the top-to-bottom service layout of the Azure Stack.


Let’s look at the portal. The portal is completely redesigned and allows you to fully personalize it. It is highly scalable and has integration across services. When you install new resource providers today in WAP, you need to edit the core code for the Azure Pack portal. Then you need to restart the web service process to see the result of that change. With the new design, the portal runs continuously in a separate process, and when you extend the portal by adding extensions, a workflow distributes the extensions to all nodes running the portal site. As mentioned before, the admin and tenant sites are integrated in the same portal.


The portal UI is very nice, but it would be useless if we cannot login to the portal, right? Let me talk about the identity part of the new Azure Stack. In the old portal we had the options to use the SQL .Net membership or we could integrate ADFS to use AD or other federated identity providers (IDP’s). In the new portal they use claims-based authentication and there is native support for the following:

  • Azure Active Directory
  • Windows AD
  • Active Directory Federation Services (ADFS)

From the Azure Resource Manager to the Core Management Resource Providers it will use Windows Authentication or Basic Authentication. The Core Management Resource Providers will use Windows Authentication or an authentication method defined by the Resource Provider.


Now on to the Azure Resource Manager. The Azure Resource Manager is the new Service Management API. It is, as Microsoft calls it, “a product” that allows the management of compute, storage and network. When you, as a tenant, create a resource group, it allows you to put all the resources (VMs, networks, websites, etc.) in a resource group that can be managed as a whole (Create / Add / Update / Delete, aka Life Cycle Management). With role-based access control (RBAC) you, as a tenant, can also provide access to other users, based on the permissions you assign on the resource group. Usage is also collected per resource group, so you can see how much the resources in a resource group will cost.

The Azure Resource Manager will also allow you to put deployments in regions. Regions represent the datacenters of your service provider or your own datacenters. Furthermore, the Azure Resource Manager provides audit logging on your subscriptions and resources. To create resources using the Azure Resource Manager you need to create a template or use an existing one. A template is a JSON file that can be edited to define the resources in your deployment.


The Azure Resource Manager will talk to the Core Management services. Let’s look at the components involved in that.

  • The Authorization Service: By using RBAC, it allows us to granularly assign permissions to resource groups. Subscriptions are assigned to tenants that have a plan defined.
  • The Subscription Management Service is responsible for managing the Service Plans, Offers and subscriptions. You can even use Azure Resource Manager templates to define new subscriptions based on a template you have defined.
  • The Gallery Service is a core common service that will work across any of the connected services. Admins as well as tenants are allowed to put their own gallery items in it.
  • The Events Service is a collector that gathers all events across all the services.
  • The Monitoring Service collects metrics from all services.
  • And last but not least we have the Usage Service which will collect the usage per service for each tenant / resource group.


So this is what I know so far from MS, but I will update this post as I know more. MS is not giving a definite answer, but rumors are beta in late fall and Tech Preview in spring. I can’t wait to get the early bird bits to play around with it, and when I do I will follow up on this post to give you more technical information on Azure Stack!