Azure Stack - Azure Nights User Group
1. ABOUT ME
James Rooke
• Azure Cloud Enablement @
• Microsoft Azure Advisor
• ACE Team Blog http://www.azurefieldnotes.com/
@AzureFieldNotes | linkedin.com/in/james-rooke-a3572629/ | azurefieldnotes.com
2. AGENDA
• What is Azure Stack
• How is Stack different to Azure
• Stack Architecture and Hardware
• Deployment and Integration
• Demos
6. Hybrid use cases: Azure and Azure Stack
• Edge and disconnected solutions
• Cloud applications that meet every regulation
• Modern applications across cloud and on-premises
7. One Azure Ecosystem
Most Azure Marketplace solutions work on Azure Stack without modification.
Use Azure Marketplace solutions to deliver differentiated Azure Stack offerings.
8. Azure PaaS available in your datacenter
Fully-managed platforms for high productivity development: Azure Functions, Cloud Foundry, Azure Service Fabric, Azure Container Service, Azure App Service.
Azure Service Fabric and Azure Container Service will be available post-GA. Other services will be available at GA. Microsoft will deliver additional Azure services through frequent updates to Azure Stack.
9. Azure IaaS available in your datacenter
Beyond traditional virtualization: Virtual Machines (VM), VM Scale Sets, Containers with Docker, Networking, Storage.
Above services will be available at GA (Azure Container Service is Post GA). Microsoft will deliver additional Azure services through frequent updates to Azure Stack.
11. How are Azure Stack services different?
Azure services on Azure Stack can sometimes contain differences due to the following reasons:
• API version (e.g. 2015-08-01 vs 2016-03-01)
• Dependencies
• Scale
12. Virtual Machines
https://azure.microsoft.com/en-us/services/virtual-machines
Azure Virtual Machines (VMs) provide server virtualization for a wide range of Windows
and Linux-based computing solutions.
Azure VMs are one of several types of on-demand scalable computing resources within
Azure, and are typically used when the application or service requires a higher degree of
control over the computing environment than PaaS Azure services:
• Control over operating system selection
• Increased configuration control
• Ownership of patching and software updates
• Specifying and installing the software that runs on the VM
Azure Virtual Machines can support scenarios including development and testing,
running applications, and extending datacenter services.
Service category Compute
API version 2015-06-15
13. Azure Marketplace
The Azure Marketplace is an online store
that contains certified, open source, and
community software applications,
developer services, and data which are
pre-configured to run in Microsoft Azure.
Contains vendor supported images and
solutions for popular products and
capabilities for your users
https://azure.microsoft.com/en-us/marketplace
Service category Compute
API version N/A
14. Virtual Machine Scale Sets
A way to deploy and manage identical VMs
Definition: Support for custom Windows/Linux VMs, and VM extensions; storage and network resources defined as part of scale set
Performance: A single call down the stack
Auto-scale: Intelligent balancing of resources across update and fault domains
Ease of management: Focus on target instance count without worrying about underlying resource management
Service category Compute
API version 2015-06-15
https://azure.microsoft.com/en-us/services/virtual-machine-scale-sets
15. App Service | Web Apps
Service category App Service
API version Various
Allows developers to rapidly build, deploy, and manage powerful websites and web apps using
standards-based solutions and APIs
Web apps allow customers to:
• Create personalized customer experiences
• Scale up and out quickly
• Centralize web sites on one platform
• Enable continuous deployment with Git, TFS, GitHub,
and Visual Studio Team Services
• Build solutions based on Windows and Linux images
https://azure.microsoft.com/en-us/services/app-service/web
16. Functions
https://azure.microsoft.com/en-us/services/functions
Azure Functions is a solution for easily running small pieces of code, or "functions," in the cloud.
Solution for processing data, integrating systems, working with the internet-of-things (IoT), and
building simple APIs and microservices.
Key features of Azure Functions:
• Choice of language – Write functions using C#, F#, Node.js, Python, PHP, batch, bash, or any executable.
• Bring your own dependencies – Supports NuGet, and NPM
• Integrated security – Protect HTTP-triggered functions with OAuth providers such as Azure Active Directory,
Facebook, Google, Twitter, and Microsoft Account
• Simplified integration – Easily leverage Azure services and software-as-a-service (SaaS) offerings
• Flexible development – Supports continuous integration and deploy your code through GitHub, VSTS, and
other supported development tools
• Open-source – The Functions’ runtime is open-source and available on GitHub
Service category App Service
API version Various
17. Azure Storage
Service category Data and Storage
API version 2015-04-05
https://azure.microsoft.com/en-us/services/storage
Azure Storage is the cloud storage solution for modern applications that rely on durability, availability, and scalability.
Azure Storage in Azure Stack provides the following services to meet application needs:
• Blob Storage stores unstructured object data. A blob can be any type of text or binary data, such as a document,
media file, or application installer. Blob storage is also referred to as Object storage
• Table Storage stores structured datasets. Table storage is a NoSQL key-attribute data store, which allows for rapid
development and fast access to large quantities of data
• Queue Storage provides reliable messaging for workflow processing and for communication between components of
cloud services
These services are provided by a general-purpose storage account, which gives access to all of them under a single account
There are two Azure Storage performance tiers:
• Standard storage performance tier to store Tables, Queues, Blobs, and Azure Virtual Machine disks
• Premium storage performance tier which currently only supports Azure Virtual Machine disks
18. SQL Server
https://technet.microsoft.com/en-us/library/dn469341.aspx
This feature, based on the codebase from Azure Pack, is ported to Azure Stack.
The SQL Server Resource Provider API is a set of REST APIs which can be used to manage SQL server
resources (IaaS).
The APIs allow for management of SQL Server databases, hosting servers, and server groups.
SQL Server Resource Provider API supported operations:
• Create, delete, update, and retrieve databases
• Create, validate, delete, update, and retrieve hosting servers
• Create, delete, and retrieve server groups
• Retrieve database metrics
Service category Data and Storage
API version N/A
19. Key Vault
Service category Management and Security
API version 2015-06-15
https://azure.microsoft.com/en-us/services/key-vault
Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services
• Encrypts keys and secrets such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords
Key Vault streamlines the key management process and enables control of keys that access and encrypt data
• Developers can create keys for development and migrate them to production keys
• Security administrators can grant (and revoke) permission to keys as needed
20. Virtual Networks
Service category Networking
API version 2015-06-15
https://docs.microsoft.com/en-us/azure/Virtual-Network/virtual-networks-overview
Virtual networks are a representation of a physical network in Azure Stack and a logical unit of isolation.
They allow control of IP address blocks, DNS settings, security policies, and route tables within the network.
They connect to your on-premises network using one of the connectivity options available in Azure Stack.
Azure Virtual Networks have the following benefits:
• Isolation – VNets are completely isolated from one another allowing for the creation of disjoint networks that use the
same CIDR address blocks
• Access to VMs within the VNet – IaaS VMs can be launched in the same virtual network and they can connect to
each other using private IP addresses even if they are in different subnets without the need to configure a gateway or
use public IP addresses
• Security – Traffic entering and exiting the Virtual Machines in a VNet can be controlled using Network Security groups
• Connectivity – VNets can be connected to each other using network gateways or VNet peering. VNets can be
connected to on-premises datacenters through site-to-site VPN networks
21. Load Balancer
https://azure.microsoft.com/en-us/services/load-balancer
An Azure Load Balancer delivers high availability and network performance to your applications.
An Azure Load Balancer is a Layer 4 (TCP, UDP) load balancer that distributes incoming traffic among healthy
instances of services defined in a load-balanced set.
Azure Load Balancer can be configured to:
• Load balance incoming Internet traffic to Virtual Machines (Internet-facing load balancing)
• Load balance traffic between Virtual Machines in a Virtual Network, between Virtual Machines in cloud services, or
between on-premises computers and Virtual Machines in a cross-premises Virtual Network (Internal load balancing)
• Forward external traffic to a specific Virtual Machine
Service category Networking
API version 2015-06-15
22. VPN Gateways
Service category Networking
API version 2015-06-15
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
A Virtual Network gateway is used to send network traffic between Azure Virtual Networks and on-premises locations and also between virtual networks within Azure Stack (VNet-to-VNet).
Each virtual network can have only one Virtual Network gateway.
VPN gateways send encrypted network traffic across a public connection, using a Site-to-Site VPN connection.
• A Site-to-Site (S2S) VPN gateway connection is a connection over IPsec/IKE (IKEv1 or IKEv2) VPN tunnel
• This type of connection requires a VPN device located on-premises that has a public IP address assigned to it and is not located behind a NAT
24. Azure Stack integrated system
Hardware (per scale unit): BMC Switch, ToR Switch, ToR Switch
Integrated system scope: Software, Hardware, Support Services
Covers: architecture, hardware, and topology; security and privacy; deployment, configuration, provisioning; validation; monitoring, diagnostics; business continuity; patching and updating; field replacement of parts
25. Infrastructure resource providers overview
This part is the ‘black box’ of Azure Stack. You only get to interact with ARM: through scripting, templates, APIs, and the portal!
26. Azure Stack hardware requirements: Network switches
Top-of-rack switches
• 2 switches per scale unit, configured for resiliency
• 10 GbE or better for server connectivity
• Support for BGP, DCB, PFC, ETS, and Multi-Chassis Link Aggregation
BMC / management network switch
• 1 GbE switch capable of L3 routing and simultaneous connectivity to the ToRs
27. Azure Stack hardware requirements: Servers
Compute
• CPU: 20 Cores Minimum (2 socket @ 10 cores each)
• 256GB Memory Minimum
• Boot Device 400GB or larger (optional mirroring)
• NIC – 2 port 10 GbE or better
• 2 Power Supplies
Storage
• 2+ Flash Devices (NVMe, SATA SSD or SAS SSD)
• 4+ Capacity Devices (HDD or SSD)
• Ratio** of Cache to Capacity: 10%
** Cache capacity should accommodate intended workload.
If Cache device resiliency is 10 drive-writes-per-day or better, then ratio can be 6-10%
If Cache device resiliency is 3-5 drive-writes-per-day, then ratio must be 10% or greater
28. Appliance-like architecture and deployment
Servers: Windows Server 2016
Compute / Storage / Network
All infrastructure roles are hosted in VMs
Resiliency, scalability, change in features
Azure Stack customer and cloud administrator
Tenant and Admin Portal
29. Management of Azure Stack is performed within the portal and should
not be managed like traditional virtualization platform solutions
Traditional Virtualization Management Cloud-based Management
https://adminportal.local.azurestack.external
30. Role          Included components or services
ARM Portal        WAP Cloud Tenant Control Plane
ARM Operator      WAP Operator
Fabric            Multiple (foundational services)
ACS               Azure Consistent Storage
NC                Network Controller
SLB MUX           Software Load Balancer MUX
Gateway           Remote Access Services GW
Domain            AD and DNS (internal use)
ADFS              ADFS, Graph
SQL               SQL (internal use)
Endpoint          Privileged Endpoint
CA                Certificate Authority (internal use)
31. Definition
• A server connected to BMC Network that is external to the Azure
Stack environment
• Available to run partner’s lifecycle management software within VMs
Purpose
• Hardware monitoring software
• Firmware configuration and update software
• Emergency management and hardware troubleshooting
• Running the Azure Stack Deployment Virtual Machine for the
duration of initial deployment
Configuration
• Network connection to the BMC switch
• Windows Server 2016 Standard or Datacenter Edition
• Enabled with Hyper-V role
• Meets Azure Stack security requirements
32. Azure Stack concepts
Cloud
• Single instance of Azure Resource Manager (ARM)
• 1 or more Regions under management of ARM
• 1 or more Scale Units within a Region
• 4 or more servers within a Scale Unit
Region
• Set of Scale Units that share same “physical location”
• Under one physical and logical “administrator”
• Networking requirements
  o High-bandwidth/low latency
  o Flat, layer-3 network
• Other attributes are implied by customer choices
Scale Unit
• Associated with a single Region
• 1 or more Scale Units within a Region
• Unit of capacity expansion
• Fault domains (Azure consistency)
• Alignment of Hardware SKU – which is homogenous within Scale Unit
33. Integration in your datacenter
Scale Unit 1 … Scale Unit n: each with ToR Switch, ToR Switch, BMC Switch
Shared: Aggregate Switch, Aggregate Switch, Border Device
Datacenter integration points: Space, Power, & Cooling; Identity Integration (Tenant & Cloud Admin); Datacenter monitoring/ticketing/hardware monitoring
38. Azure Stack multi-node deployment
Key Terms
HLH – The Hardware Lifecycle Host is an additional physical machine used for the deployment and other services from the Hardware Vendor.
DVM – The Deployment Virtual Machine is a virtual machine running on the HLH where the Azure Stack deployment will be triggered. During the deployment, the DVM will become AD DC, WDS, DHCP.
Deployment process
40. Subnet name   Subnet size
Storage           /24
BMC               /25
Infrastructure    /25
Switch Mgmt       /25 - /24
Public VIP        <customer-defined – dedicated to Azure Stack>; advertised as individual /32s
Private VIP       <customer-defined – dedicated to Azure Stack>; advertised as individual /32s
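As an added worked example, not part of the deck, the subnet table above can be turned into a small planning script: it carves the four infrastructure subnets out of an address block the customer dedicates to Azure Stack, checks that they and the Public/Private VIP pools do not overlap, and expands a VIP pool into the /32 routes that are advertised. The block 10.0.0.0/22 and the VIP ranges used here are constructed sample values.

```python
"""Added example: carve the Azure Stack infrastructure subnets out of a
customer-supplied block and check the result against the sizing table."""
import ipaddress

# Prefix lengths from the table. Switch Mgmt may be anything from /25 to /24,
# so its entry here is the minimum and is overridden per call.
REQUIRED_PREFIXES = {
    "Storage": 24,
    "BMC": 25,
    "Infrastructure": 25,
    "Switch Mgmt": 25,
}


def plan_subnets(block, switch_mgmt_prefix=25):
    """Allocate the four infrastructure subnets from `block` (e.g. "10.0.0.0/22").

    Subnets are handed out largest-first from the start of the block, which keeps
    every allocation aligned to its own prefix length. Returns {name: IPv4Network}.
    Raises ValueError if the block is too small or the Switch Mgmt size is outside
    the /25 - /24 range the table allows.
    """
    if not 24 <= switch_mgmt_prefix <= 25:
        raise ValueError("Switch Mgmt subnet must be between /25 and /24")
    wanted = dict(REQUIRED_PREFIXES)
    wanted["Switch Mgmt"] = switch_mgmt_prefix
    net = ipaddress.ip_network(block, strict=True)
    cursor = int(net.network_address)
    end = int(net.broadcast_address) + 1
    plan = {}
    for name, prefix in sorted(wanted.items(), key=lambda kv: kv[1]):
        size = 1 << (32 - prefix)
        if cursor + size > end:
            raise ValueError(f"{block} is too small to hold the {name} /{prefix} subnet")
        plan[name] = ipaddress.IPv4Network((cursor, prefix))
        cursor += size
    return plan


def check_plan(plan, vip_ranges):
    """Return a list of overlap problems between the infrastructure subnets and the
    customer-defined Public/Private VIP ranges (all of these must be disjoint)."""
    nets = list(plan.items())
    nets += [(name, ipaddress.ip_network(r)) for name, r in vip_ranges.items()]
    problems = []
    for i, (a_name, a) in enumerate(nets):
        for b_name, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a_name} {a} overlaps {b_name} {b}")
    return problems


def vip_host_routes(vip_range):
    """VIP pools are advertised as individual /32s; list those routes for a pool."""
    pool = ipaddress.ip_network(vip_range)
    return [str(route) for route in pool.subnets(new_prefix=32)]


if __name__ == "__main__":
    # Constructed sample: a /22 carved for infrastructure, VIP pools from a separate /26 each.
    plan = plan_subnets("10.0.0.0/22", switch_mgmt_prefix=24)
    for name, subnet in plan.items():
        print(f"{name:15} {subnet}")
    vips = {"Public VIP": "10.0.3.0/26", "Private VIP": "10.0.3.64/26"}
    print("problems:", check_plan(plan, vips) or "none")
    print("Public VIP routes:", len(vip_host_routes(vips["Public VIP"])))
```

Running the script with a block that is too small, or with a VIP pool that collides with an infrastructure subnet, reports the problem before anything is handed to the deployment rather than after.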
41. Time Server specified at deployment but also used for Physical Network Switches:
• Time across all infrastructure elements is key
• Kerberos time variance (5 min)
Supports existing logging infrastructure for:
• Physical Network Switches
• Base Board Management Controller
• OEM Tools
Supports existing infrastructure of:
• Radius with MSCHAPv2
• TACACS
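An added example, not from the deck, of the clock check behind the first bullet: it sends a plain NTP client request to the time server configured at deployment (assumed here to answer NTP on UDP port 123), parses the transmit timestamp from the reply, and reports whether the local clock is inside the 5-minute Kerberos tolerance. The server name is passed as a placeholder argument; the synthetic reply builder exists only so the parser can be exercised offline.

```python
"""Added example: query a time server over NTP and report whether the local
clock is within the Kerberos tolerance the slide cites (5 minutes)."""
import socket
import struct
import sys
import time

NTP_UNIX_OFFSET = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
KERBEROS_MAX_SKEW = 300        # default Kerberos clock skew tolerance, in seconds
NTP_PORT = 123


def build_ntp_request():
    """48-byte client request: LI=0, version 3, mode 3 (client), everything else zero."""
    return bytes([0x1B]) + bytes(47)


def parse_ntp_transmit_time(packet):
    """Convert the server's transmit timestamp (bytes 40-47 of the NTP header,
    32-bit seconds + 32-bit fraction, RFC 5905) to Unix seconds as a float."""
    if len(packet) < 48:
        raise ValueError("NTP response shorter than the 48-byte header")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_UNIX_OFFSET + fraction / 2 ** 32


def skew_verdict(local_unix, server_unix, limit=KERBEROS_MAX_SKEW):
    """Skew of the local clock relative to the server, and whether it is inside the limit."""
    skew = local_unix - server_unix
    return {"skew_seconds": skew, "within_kerberos_limit": abs(skew) <= limit}


def synthetic_ntp_response(unix_seconds, fraction=0):
    """Constructed server reply (LI=0, version 3, mode 4) carrying the given
    transmit time; used only to exercise the parser without a network."""
    header = bytes([0x1C]) + bytes(39)
    return header + struct.pack("!II", unix_seconds + NTP_UNIX_OFFSET, fraction)


def check_time_source(server, timeout=2.0):
    """Ask `server` for the time and compare it with this host's clock."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ntp_request(), (server, NTP_PORT))
        data, _ = sock.recvfrom(256)
    return skew_verdict(time.time(), parse_ntp_transmit_time(data))


if __name__ == "__main__":
    # Usage: python ntp_skew.py <time-server-configured-at-deployment>
    if len(sys.argv) != 2:
        raise SystemExit("usage: ntp_skew.py TIME_SERVER")
    print(check_time_source(sys.argv[1]))
```

The same check run from each switch and host's point of view is what makes the second bullet concrete: anything more than 300 seconds out will fail Kerberos authentication regardless of whether its credentials are correct.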
42. Azure Stack DNS
Azure Stack DC and Infra Role: DNS Servers 168.63.129.16; *.azurestack.local, SoA for internal zone
Tenant VM: DNS Servers 168.63.129.16 (iDNS proxy)
Azure Stack DNS: sea.azurestack.external, SoA for zone; Recursive Resolver; Authoritative Resolver
External DNS: Queries for non-authoritative zones; Delegations for MAS zones
Tenant created Zone: Contoso.com (DNS Server 1, DNS Server 2)
44. Each endpoint requires a certificate
Azure Stack has its own CA
Public reachable endpoints can use Trusted or Enterprise CA Certificates
Dev Kit continues to use self-signed certificates
45. Customer Border Device
Infrastructure External | Infrastructure Internal | Tenant External
Azure Stack does not have a configurable setting to identify a proxy server.
You must have direct Internet access or a proxy that requires no client configuration.
46. Today’s reality
“Fundamentally, if somebody wants to get in, they're getting in…accept that.”
What we tell clients:
Number one,
Number two,
48. Security principles
Assume breach
Locked down infrastructure
• No domain admin credentials
• Network ACLs
• No access to infrastructure components
Simplified auditing
• No configuration needed
• Generated and centrally collected
49. Security principles
Hardened by default
Data at rest encryption (BitLocker)
Network encryption (TLS 1.2)
Strong authentication between infrastructure components
(Kerberos)
Security OS baseline (DISA STIG)
Disabled legacy protocols (e.g. NTLM, SMB 1.0)
HW security features (e.g. secure boot, UEFI, TPM 2.0)
50. Security principles
Hardened by default
Windows Server 2016 security features
• Credential Protection (Credential Guard)
• Code Integrity (Device Guard)
• Antimalware (Windows Defender)
51. Plans, offers, and subscriptions in Azure Stack
Note: these are illustrative GA services; not meant as an accurate TP2 list
Services: Compute, Storage, Network, AppService, …
Quotas: Compute Quota – small; Compute Quota – large; Storage Quota; Network Quota; AppService Quota
Plan #1 – VMs: Compute, Storage, Network
Plan #2 – Increase Compute quota: Compute
Plan #3 – Web: AppService
Offer #1 – IaaS only: Base Plan #1
Offer #2 – IaaS and Web: Base Plan #1; Add-On Plan #2; Add-On Plan #3
Accounts: Account 1 (user@contoso.onmicrosoft.com), Account 2 (user@fabrikam.onmicrosoft.com), Account 3 (user@contoso.onmicrosoft.com)
Subscriptions: Subscription 1, Subscription 2, Subscription 3
Subscriptions connect users to offers; each subscriber can have multiple subscriptions
Quotas determine the limit to the resources a subscriber can consume
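An added example, not the deck's own material, that models the relationships on this slide in Python: offers carry base and add-on plans, plans carry per-service quotas, and a subscription ties an account to an offer. The numeric limits are invented, and the example assumes that quotas from several active plans add up; can_allocate shows how a request is checked against the quota a subscriber has left.

```python
"""Added example: a small model of offers, plans, quotas and subscriptions,
with a check of a resource request against a subscription's effective quota."""
from dataclasses import dataclass, field


@dataclass
class Quota:
    service: str      # service the quota belongs to, e.g. "Compute"
    limits: dict      # resource -> maximum, e.g. {"cores": 10}


@dataclass
class Plan:
    name: str
    quotas: list      # one Quota per service the plan exposes


@dataclass
class Offer:
    name: str
    base_plans: list                                  # always in force for the subscriber
    addon_plans: list = field(default_factory=list)   # opt-in plans


@dataclass
class Subscription:
    account: str
    offer: Offer
    enabled_addons: set = field(default_factory=set)  # names of add-on plans taken up
    usage: dict = field(default_factory=dict)         # (service, resource) -> consumed

    def active_plans(self):
        addons = [p for p in self.offer.addon_plans if p.name in self.enabled_addons]
        return list(self.offer.base_plans) + addons


def effective_quota(sub):
    """Limits in force for a subscription.

    Assumption made by this example: when several active plans carry a quota for
    the same service and resource, the limits add up.
    """
    totals = {}
    for plan in sub.active_plans():
        for quota in plan.quotas:
            for resource, limit in quota.limits.items():
                key = (quota.service, resource)
                totals[key] = totals.get(key, 0) + limit
    return totals


def can_allocate(sub, service, resource, amount):
    """Return (allowed, remaining). A service with no quota in any active plan is
    not offered to the subscriber at all, so the request is refused."""
    totals = effective_quota(sub)
    key = (service, resource)
    if key not in totals:
        return False, 0
    remaining = totals[key] - sub.usage.get(key, 0)
    return amount <= remaining, remaining


# Constructed sample mirroring the slide; the numeric limits are invented.
COMPUTE_SMALL = Quota("Compute", {"cores": 10})
COMPUTE_LARGE = Quota("Compute", {"cores": 50})
STORAGE = Quota("Storage", {"accounts": 20})
NETWORK = Quota("Network", {"vnets": 10})
APPSERVICE = Quota("AppService", {"sites": 5})

PLAN_1 = Plan("Plan #1 - VMs", [COMPUTE_SMALL, STORAGE, NETWORK])
PLAN_2 = Plan("Plan #2 - Increase Compute quota", [COMPUTE_LARGE])
PLAN_3 = Plan("Plan #3 - Web", [APPSERVICE])

OFFER_1 = Offer("Offer #1 - IaaS only", base_plans=[PLAN_1])
OFFER_2 = Offer("Offer #2 - IaaS and Web", base_plans=[PLAN_1], addon_plans=[PLAN_2, PLAN_3])


def sample_subscription(offer, addons=()):
    """A fresh subscription for the sample account on `offer` with the given add-ons."""
    return Subscription("user@contoso.onmicrosoft.com", offer, set(addons))


if __name__ == "__main__":
    sub = sample_subscription(OFFER_2, addons=[PLAN_2.name])
    sub.usage[("Compute", "cores")] = 55
    print(effective_quota(sub))
    print("5 more cores:", can_allocate(sub, "Compute", "cores", 5))
    print("a web site:", can_allocate(sub, "AppService", "sites", 1))
```

The refusal path matters as much as the allowed one: a subscriber on Offer #1 has no AppService quota from any plan, so the request is refused outright rather than checked against a zero limit, which is the behaviour an operator wants when a service is simply not part of an offer.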
53. What is syndication?
Azure: ISVs publish content → Azure Marketplace (PIR)
Azure Stack: Azure Stack RP → Azure Stack Marketplace (PIR): Administration, Tenant Experience
54. Why be connected?
Marketplace syndication*
Option to do consumption billing
Option to send telemetry to help improve the product
More opportunities for future value-added services
E.g. can we regularly collect environment data to predict hardware failures before the customer is
even aware?
If the consumption data is in Azure Stack, this also opens up
the possibility of querying it independently for capacity
planning and/or historical usage reporting…
*syndication may be available in a limited way for disconnected customers