Based on Global Black Belt Azure CAD Workshop, this material was used during ugidotnet.org CAD Lab in June 2017. Azure VMs, AppService, Functions, Logic Apps and Service Fabric were demoed during the day.

2. Physical
Machines
Virtual
Machines
Cloud
Infrastructure
Born in
the Cloud
Mainframe
Monolithic
Client/Server
3 Tier
Component
RAD
Distributed
SOAP
SOA
Web
REST
Mobile
Microservices
Containers
Serverless

3. Balance of
responsibility
Balance of control and responsibility
depends on the category of the service
MOVE-IN READY
Use immediately with minimal configuration
SOME ASSEMBLY REQUIRED
Existing services are a starting point, with additional
configuration for a custom fit
BUILD FROM THE GROUND UP
Building blocks, create your own solution or apps
from scratch
Responsibility OnPrem IaaS PaaS SaaS
Applications
Data
Runtime
Middleware
O/S
Virtualization
Servers
Storage
Networking
MicrosoftCustomer

4. Lift and shift Improved
DevOps
Hyperscale
(e.g. IOT)
Third-party
frameworks

5. Getting started
>_
REST API
Management portal
Scripting
(Windows, Linux and Mac)
Select image
and VM size
New disk persisted
in storage
Cloud
Blob
Storage
Comprehensive
Networking
Windows Server
Linux
Boot VM from new disk
General Purpose
Basic
Standard
Optimized Compute
Performance Optimized
Network Optimized
Virtual Machines

7. What are the advantages in terms of
security, privacy, etc…
Forensics Lab

8. Abnormal Behavior
▪ Anomalous logins
▪ Remote execution
▪ Suspicious activity
Security issues and risks
▪ Broken trust
▪ Weak protocols
▪ Known protocol
vulnerabilities
Malicious attacks
▪ Pass-the-Ticket (PtT)
▪ Pass-the-Hash (PtH)
▪ Overpass-the-Hash
▪ Forged PAC (MS14-068)
▪ Golden Ticket
▪ Skeleton key malware
▪ Reconnaissance
▪ BruteForce
▪ Unknown threats
▪ Password sharing
▪ Lateral movement

9. USGov
HIPAA /
HITECH Act FERPA
GxP
21 CFR Part 11
Global
ISO 27001
SOC 1
Type 2ISO 27018
CSA STAR
Self-Assessment
Regional
Singapore
MTCS
UK
G-Cloud
Australia
IRAP/CCSL
FISC
Japan
China
DJCP
New
Zealand
GCIO
China
GB 18030
EU
Model Clauses
ENISA
IAF
Argentina
PDPA
Japan CS
Mark Gold
China
TRUCS
Spain
ENS
Industry
PCI DSS
Level 1 CDSA
Shared
Assessments
MPAA
Japan My
Number Act
FACT
UK GLBAMARS-E FFIEC
ISO 27017
SOC 2
Type 2
SOC 3
India
MeitY
Canada
Privacy
Laws
Privacy
Shield
ISO 22301
Germany IT
Grundschutz
workbook
Spain
DPA
CSA STAR
Certification
CSA STAR
Attestation
HITRUST
IG Toolkit
UK
FIPS 140-2
DoD DISA
SRG Level 2 ITAR CJIS IRS 1075Section
508 VPAT
SP 800-171
High
JAB P-ATO
DoD DISA
SRG Level 4
DoD DISA
SRG Level 5
Moderate
JAB P-ATO
Azure covers 53 compliance offerings

10. Web and mobile Event-driven
microservices
LOB integration and
hybrid apps
No-code apps

11. Platform Services
Infrastructure Services
Web
Apps
Mobile
Apps
API
Apps
Notification
Hubs
Hybrid
Cloud
Backup
StorSimple
Azure Site
Recovery
Import/Export
SQL
Database CosmosDB
Redis
Cache
Azure
Search
Storage
Tables
SQL Data
Warehouse
Azure AD
Health Monitoring
AD Privileged
Identity
Management
Operational
Analytics
Cloud
Services
Batch
Service
Fabric
Visual Studio
Application
Insights
VS Team Services
Domain Services
HDInsight Machine
Learning Stream Analytics
Data
Factory
Event
Hubs
Data Lake
Analytics Service
IoT Hub
Data
Catalog
Security &
Management
Azure Active
Directory
Multi-Factor
Authentication
Automation
Portal
Key Vault
Store/
Marketplace
VM Image Gallery
& VM Depot
Azure AD
B2C
Scheduler
Xamarin
HockeyApp
Power BI
Embedded
SQL Server
Stretch Database
Mobile
Engagement
Functions
Cognitive Services Bot Framework Cortana
Security Center
Container
Service
VM
Scale Sets
Data Lake Store
BizTalk
Services
Service Bus
Logic
Apps
API
Management
Content
Delivery
Network
Media
Services
Media
Analytics

12. 40Azure regions
NEWLY ANNOUNCED:
France: France Central and France South
Korea: Korea Central and Korea South
DoD East and Central
South Africa: Cape town, Johannesburg
Achieve global scale, in local regions
Trust

13. Azure App Service

16. Azure App Service

17. App Service Core Capabilities
All features and capabilities are shared across all of App Service application (Web, Mobile, Functions and API)
Enterprise grade
Designed for secure mission-critical applications
Fully managed
Optimized for Availability and Automatic scale
Built for DevOps
Agility through Continuous Deployment
Premium Tier
App Service Environments
Hybrid Connections / VPN Support
Scheduled Backup
Azure Active Directory Integration
Site Resiliency, HA, and DR
Role Base Access Control
Audit / Compliance
Enterprise Migration
Client Certs
IP Restrictions/ SSL
Dedicated IP address IP / NSG
Web Sockets
WW Datacenter Coverage
Automated Deployment
AutoScale
Built-in Load Balancing
WW Datacenter Coverage
End Point Monitoring & Alerts
WildCard Support
HTTP Compression
WebJobs
Sticky Sessions
OS & Framework Patching
Auto-Healing
Local Cache
Init Module
Per Site Scaling
Easy Auth
Remote Debugging w/ Visual Studio
Site Staging Slots /Preview
Traffic Routing
Continuous Integration/Deployment
Git/ Hub, Visual Studio Team Services
App & Site Diagnostics
Site Extensions/ Gallery
NET, PHP, Python, Node, Java, Go
Framework Installer
Browser-based editing
Logging and Auditing
Admin-Site
Support Portal
Web Jobs / SDK 1.1
Recommendation Engine
Site Cloning

18. App Service Plans
•
•
•
•
Resource Group
App Service Plan A
Website A API A
App Service Plan B
Website B
Datacenter Region
Standard Tier
Free Tier
Azure Subscription

20. App Service Plans & Apps
Shared pool
App Service Plan 1
SKU x
App Service Plan 2
SKU Y
Web App 1
2x P2
Web App 2
4x P2
Web App 3
4x P2

21. App Service Plan
Host on an App Service Plan
S1 instance
app app app
Real VM
S1 instance
app app app
Price tier: Standard
Compute Resource: S1
Scale: 2
Apps: running 3 apps
Real VM

22. App Service Plan
Scale-Up
S2 instance
app app app
Real VM
S2 instance
app app app
Price tier: Standard
Compute Resource: S2
Scale: 2
Apps: running 3 apps
Real VM

23. App Service Plan
Scale-Out
S2 instance
app app app
Real VM
S2 instance
app app app
Price tier: Standard
Compute Resource: S2
Scale: 3
Apps: running 3 apps
Real VM
S2 instance
app app app
Real VM

24. S1 instance
App Service PlanApp Service Plan
Re-distribute
S3 instance
app
S2 instance
app app
App Service Plan

25. •
•
•

27. New metrics also allow scale
up and scale down rules

29. http(s)://yoursite.azurewebsites.net
Web, API,
Mobile

30. http(s)://yoursite.azurewebsites.net
w3wp.exe process

31. scm.yoursite.azurewebsites.net http(s)://yoursite.azurewebsites.net
w3wp.exe process

32. yoursite.scm.azurewebsites.net http(s)://yoursite.azurewebsites.net
w3wp.exe process

33. Deployment Options
FTP WebDeploy
Source Control / Continuous
Deployment Integration Cool
GitHubVisual Studio
Team Services
BitBucket DropBox Debug
Console
One Drive
/www

34. yoursite.scm.azurewebsites.net http(s)://yoursite.azurewebsites.net
Deployment
engine w3wp.exe process
w3wp.exe process

35. yoursite.scm.azurewebsites.net http(s)://yoursite.azurewebsites.net
w3wp.exe process
w3wp.exe process

37. Consistent
Management
Layer
AZURE RESOURCE MANAGER API

39. SQL - A Website Virtual
Machines
CRUD
Website
[SQL CONFIG] VM (2x)
DEPENDS ON SQLDEPENDS ON SQL
SQL CONFIG

40. Simplest structure and elements:

41. New-AzureRmResourceGroupDeployment -Name
ExampleDeployment -ResourceGroupName
ExampleResourceGroup -TemplateFile
<PathToTemplate> -TemplateParameterFile
<PathToParameterFile>

43. Role-Based Access
Active Directory

45. User Level
• A.k.a. Deployment Credentials
• Directly tied to your account (RBAC).
• Unique to each RBAC user.
• Should never be shared between users.
• The same for all web apps in your subscription
• Usage:
• Generally used when…
using an FTP client like FileZilla,
doing a git push from your local repository
logging into the Site Control Manager (SCM) site.
(Web) App-Level Credentials
• aka Publish Profile Credentials
• Automatically generated for each web site.
• Same for each Administrator/Co-Administrator on the
Azure Subscription.
Can be found by downloading the publish profile for
the web app.
• Usage:
• Intended to be used by programs that are
deployments on your behalf (WebDeploy and/or
FTP).

47. 2) Code Repository
1) Develop
4) Deploy to stage 5) Validate
7) Deploy to Cloud8) Monitor and Improve
3) Build 6) Publish
Web Apps

48. App Service Plans, Apps & Slots
App Service Plan 1
SKU x
App Service Plan 2
SKU Y
Web App 1
2x P2
Web App 2
4x P2
Web App 3
4x P2
Web App 2 –
Slot A
2x P2
Web App 2
2x P2
Shared pool

49. Deployment Slots
• A separate web site linked to your primary web site.
• Each deployment slot has it’s own URL and runtime environment.

55. scm.yoursite.azurewebsites.net http(s)://yoursite.azurewebsites.net
Deployment
engine w3wp.exe process

59. On-prem APIs 3rd party APIs
AZURE API MANAGEMENT
APIs on Azure Azure APIs
API consumers

60. APP DEVELOPERS
APPS
API PUBLISHERS
Hosted anywhere.
Developed using any
technology.
BACKEND
APIs
DIRECT OR
VPN
Publisher portal
Gateway
Developer Portal

62. API Management Key Concepts
•
•
•
•
•

63. http://aka.ms/apimroadmap

66. Cloud APIs & Platform Functionality
API Connections

69. {
"parameters": {
...
},
"triggers": {
...
},
"actions": {
...
},
"outputs": {
...
}
}

70. 76
The Azure Resource manager is a:
Highly-scalable geo-
distributed system that
Handles millions of
resources across 100,000’s
of subscriptions
Can create 200 node
cluster in < 5 minutes!
Resource Manager
• Handles thousands of parallel deploys per stamp
• Resilient against failure: retries with “at least once”
guarantee
• Simple, declarative JSON template
• Automatically infers dependences between resources
Logic Apps
• Can handle thousands of parallel runs per stamp
• Resilient against failure: retries with “at least once”
guarantee
• Simple, declarative JSON definition
• Automatically infers dependences between actions

71. Trigger
Trigger
• Recurring Schedule
• Polling (wait on HTTP 202)
• Webhooks
• Manual: POST to workflow url
• Subscribed: workflow subscribes itself
• On Demand: ‘run now’
Action
Action
• Call out:
• API Apps (swagger)
• HTTP endpoints
• Other Logic Apps
• Async Support: 202, retry after interval, …
• Wait for Event:
• Timespan
• Webhook being called
• Retry Policies (can be custom)
Response
Response
• Send Response to:
• Manual Trigger
• WebHook
Split On
Split On
• Debatch incoming array
• Run x instances of the logic app
• Retrieve status for each
Retry
Scope
Conditional
Iteration
Retry
• Default 4 retries, 20 secs in between each
• Configurable up to 1 hour in between
• Can be disabled
Scope
• Encapsulate set of actions
• Used for error handling and compensation
• Possible to access result of each
encapsulated action
Conditional
• If…Else boolean expression
• Can have nested conditions
Iteration
• List Iteration
• Loop single action over list of items
• Runs the action x times
• Possible to get statuses for each action
• Do…Until
• Loop single action based on condition
• Runs action until evaluated to true
• Define limit based on
• Time
• Number of iterations
• Overall action has status/outputs but
not for each iteration

72. Enterprise Integration Pack
 Connectors for protocols, SaaS, Enterprise systems
 Format Conversion (XML, JSON, FlatFile)
 Validation
 Extract
 Transform
 Batching/Debatching
 Business Rules
 Trading Partner Management
 B2B - AS2/X12/EDIFACT
 Integration Account

75. • Cloud-scale Event Handlers in no time
• Composing cloud apps becomes simple
• Scales to demand & pay for what you use
• Develop in:
C#, Node.js, Python, PHP, and more
• Schedule event-driven tasks across services
• Expose Functions as HTTP API endpoints
• Fully Open Source
• Running on Serverless Infrastructure

76. Develop
Develop Locally
Input Binding
Azure Services
Execute
App Services
Hosting Plans
Output Binding
Azure Services
Trigger
Web
Hooks
Azure Services
Monitor and Improve

78. Event-driven
scale
Sub-second
billing
Abstraction
of servers

79. Focus on
Business
Logic
Quick start
Managed for
you

81. 1

82. Every 15 minutes Clean tableFind and clean invalid data

83. File added to
Blob Storage
Transform CSV to data rows
CSV
Power BI
Chart graphic

84. Excel file saved
to OneDrive
Microsoft Graph API analyzes content Creates new sheets
with charts

85. Loaded web page
calls WebHook
Completed pageCreate ad based on user profile

86. Photo taken and
WebHook called Stores in blob storage Produces scaled images

87. Millions of devices feed
into Stream Analytics
Store data in
SQL Online
Transform to structured data

88. ? ...
Cortana Analytics answers questionsMessage sent
to Chatbot
Chatbot sends
response

97. Telemetry is collected at each
tier: server backend, middleware,
web service & browser
Telemetry arrives in the cloud
where it is stored & processed with
Machine Learning technology
Detect & Diagnose problems in Azure
Portal; Ask ad-hoc queries in Analytics;
Integrate, Extend & Customize

98. https://aka.ms/gbbcadlabhackguide
http://aka.ms/cadlabslides
christoc@microsoft.com
katriend@microsoft.com

101. POINT TO SITE VPN
SITE TO SITE VPN
AZURE WEBSITES DEDICATED WEB WORKER
ON PREMISES

102. HYBRID CONNECTION
AZURE WEBSITES DEDICATED WEB WORKER
HYBRID CONNECTION
AGENT

104. *NSG = network security group

105. ASE: Concepts
Front Ends:
• HTTP endpoints
• Distribute requests to
workers
• Minimum 2 instances P2
Worker Pools:
• Host the actual apps
• Can have up to 3 pools
of workers, minimum is
one pool
• Can use sizes of P1
through P4
• Can have up to 50
workers
App Service Environment
subnet
Front-End
WorkerPool1WorkerPool2WorkerPool3
VIP

106. subnet
VIP
App Service Environment
Front-End
WorkerPool1WorkerPool2WorkerPool3
VNET

107. Azure Virtual Network
App Service Environment
VIP
vnet
subnet
Azure Virtual Network
App Service Environment
ILB
vnet
subnet

108. On Premises
ASE high level network
Internet
Azure Virtual Network
App Service Environment
subnet
Site to Site or ExpressRoute VPN
VIP

110. App Service
Plan B
ASE: Workers and Update Domains
Worker pool 1:
• Workers (machines): 4
• Available workers:
App Service Environment
subnet
Front-End
WorkerPool1WorkerPool2WorkerPool3
VIP
App Service
Plan A
App Service
Plan B
3210

111. How to scale up correctly
Scale Up App Service Plan B:
• Don’t scale the WP1
• Scale up WP2, then move
ASP to WP2
App Service Environment
subnet
Front-End
WorkerPool1WorkerPool2WorkerPool3
VIP
App Service
Plan B
Web App X
App Service
Plan B

113. • Specify your own subdomain
• Manage your own DNS
• Provide your own SSL certificates
• Host intranet applications
• Build secure 2 tier applications
• Host apps in the cloud not listed in public DNS

114. • Use IPSSL
• Assign an IP address to a specific app
• Buy and use a certificate through the portal
• Leverage Kudu CONSOLE
• Run Functions

115. On Premises
ILB ASE – Intra-net app
Azure Virtual Network
App Service Environment
subnet
Site to Site or ExpressRoute VPN
ILB

116. ILB ASE – 2 tier application
Internet
Azure Virtual Network
App Service Environment
VIP subnet
App Service Environment
subnet
ILB

117. Scenario: WAF
Azure Virtual Network
Azure
LB
App Service Environment
subnet
ILB
Internet
Web Application
Firewall (WAF)
Visitors
Authors
IaaS – MongoDB Cluster
(or others)
subnet

118. https://aka.ms/gbbcadlabhackguide
http://aka.ms/cadlabslides
https://aka.ms/cadlabhacksolution
christoc@microsoft.com
katriend@microsoft.com