This session covers the first Cloud Computing model, Infrastructure as a Service, and shows how to deploy a Cloud solution in a few steps and integrate it with our on-premises datacenter.
We will start with a brief overview of Microsoft Azure and the IaaS computing solution par excellence, the "Virtual Machine", and then transform and extend it by connecting it to our own systems to build a single Microsoft Hybrid Cloud Architecture.
To request access to the channel containing the technical sessions of Cloud Conference Italia 2017, fill in the following form:
https://goo.gl/Fq6DQE
Slide 10
Azure Regions
Azure is generally available in 36 regions around the world, with plans announced for 6 additional regions.
Slide 11
Azure Regions
The world is divided into geographies.
A region is defined by a bandwidth and latency envelope.
(Diagram: Region 1, Region 2)
Slide 12
Azure Region Pairs
Physical isolation: each Azure region in a pair is always located more than 300 miles from the other when possible.
The Azure region pairs are connected directly together.
Data residency: in order to meet data residency requirements for tax and law enforcement jurisdiction purposes.
Slide 13
Availability Zones: intra-region resilience (PREVIEW)
Regions offer multiple Availability Zones (AZs)
600 μs latency diameter
At least three AZs (three is enough for quorum)
An AZ consists of one or more datacenters
Slide 14
Business continuity and disaster recovery (BCDR)
This combination of global regions and Availability Zones provides customers with the most robust infrastructure for application resiliency of any cloud provider. Whether for high availability, redundancy, or site failover, Azure provides the full spectrum of resiliency options.
Slide 16
(World map of the Azure datacenter footprint; country labels not reproduced. Legend: Data center: owned capacity; Future capacity; Leased capacity; Edge site; Azure inter-DC network. DCs and network sites not exhaustive.)
Slide 17
(Azure services map. Groups shown: Platform Services, Infrastructure Services, Hybrid Cloud, Security & Management.)
Services named on the slide: Web Apps, Mobile Apps, API Apps, Notification Hubs, Backup, StorSimple, Azure Site Recovery, Import/Export, SQL Database, DocumentDB, Redis Cache, Azure Search, Storage Tables, SQL Data Warehouse, Azure AD Health Monitoring, AD Privileged Identity Management, Operational Analytics, Cloud Services, Batch, RemoteApp, Service Fabric, Visual Studio, Application Insights, VS Team Services, Domain Services, HDInsight, Machine Learning, Stream Analytics, Data Factory, Event Hubs, Data Lake Analytics Service, IoT Hub, Data Catalog, Azure Active Directory, Multi-Factor Authentication, Automation, Portal, Key Vault, Store/Marketplace, VM Image Gallery & VM Depot, Azure AD B2C, Scheduler, Xamarin, HockeyApp, Power BI Embedded, SQL Server Stretch Database, Mobile Engagement, Functions, Cognitive Services, Bot Framework, Cortana, Security Center, Container Service, VM Scale Sets, Data Lake Store, BizTalk Services, Service Bus, Logic Apps, API Management, Content Delivery Network, Media Services, Media Analytics.
Slide 19
Azure Datacenters
Global presence: choose where to put my data.
Redundancy and recovery: use a global network of datacenters to manage availability.
Environmental sustainability: benefit from technological and software innovations that reduce the energy footprint.
Slide 21
Environmental sustainability
2012: Carbon neutral
2018: 50% energy use from wind, solar & hydropower
2020: 60% energy use from wind, solar & hydropower
Long-term goal: 100% energy use from wind, solar & hydropower
Slide 22
Next generation energy technology | Fuel cells
• Direct to server transmission can double energy efficiency and increase reliability
• The first fully-integrated fuel cell-powered datacenter pilot this year.
• The Advanced Energy Lab is a 20-rack datacenter pilot located in Seattle
28. e
ISO/IEC 27001 SOC 1 SOC 2 PCI DSS L1 version 3 Cloud Security Alliance
Cloud Security Matrix
HIPAA
(Healthcare)
FedRAMP FIPS 140-2 Life Sciences GxP Family Educational
Rights & Privacy Act
European Union
Model Clause
China
Multi Layer Protection
Scheme
United Kingdom
G-Cloud
Singapore
Multi-Tier Cloud
Security
China
CCCPPF
Australian Signals
Directorate I-RAP
Assessment
Criminal Justice
Information System
Defense Information
Systems Agency L2
Sarbanes Oxley ITAR Defense Information
Systems Agency L3-5
ISO / IEC 27018
Global
United
States
Regional
Coming
soon
Compliance
Microsoft has a long history of transparency, defense-in-depth, and privacy-by-design that enabled us to be
the first enterprise cloud services provider to implement the rigorous controls needed to earn approval for
the EU Model Clauses, the first to achieve ISO’s 27018 cloud privacy standard, and the first to offer
contractual commitments to the GDPR.
Slide 29
Compliance
Microsoft Azure is proud to announce that we obtained the ISO 9001:2015 certification, addressing Quality Management systems.
Achieving the ISO 20000-1:2011 certification specifically underscores Azure's commitment to deliver quality IT service management to customers and demonstrates Azure's capability to monitor, measure, and improve service management processes.
Slide 30
Trusted Cloud
You own your data, and you have full control over it!
You know how we help you protect your data.
You know where your data is stored and how it is managed.
You know who can access your data and on what terms.
We guarantee full transparency about how we respond to data access requests from the authorities.
You can examine the standards certifications for Microsoft services.
Security, Privacy, Compliance, Transparency
Trust Center
https://www.microsoft.com/it-it/TrustCenter
Manage Your Compliance from One Place – Announcing Compliance Manager
https://servicetrust.microsoft.com/ComplianceManager
Slide 33
«Platform Images»: Microsoft and third-party images
Azure Marketplace
https://azuremarketplace.microsoft.com
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008 R2 SP1
OpenSUSE
CentOS by Open Logic
Ubuntu Server by Canonical
SUSE Linux Enterprise Server
Red Hat Enterprise Linux
Oracle Database
Oracle WebLogic Server
Slide 34
Minimum supported server software versions in VMs
https://support.microsoft.com/kb/2721672
• Microsoft BizTalk Server 2013
• Microsoft Dynamics AX 2012 R3
• Microsoft Dynamics CRM 2013
• Microsoft Dynamics GP 2013
• Microsoft Dynamics NAV 2013
• Exchange Server 2013
• Forefront Identity Manager 2010 R2 SP1
• Microsoft HPC Pack 2012
• Project Server 2013
• SharePoint Server 2010
• SQL Server 2008, 64-bit versions
• System Center 2012 Service Pack 1: App Controller, Configuration Manager, Data Protection Manager, Endpoint Protection, Operations Manager, Orchestrator, Server Application Virtualization, Service Manager
• Team Foundation Server 2012
Slide 35
Supported Windows Server roles
https://support.microsoft.com/kb/2721672
Windows Server 2008 R2 and later versions
• Active Directory Certificate Services
• Active Directory Domain Services
• Active Directory Federation Services
• Active Directory Lightweight Directory Services
• Application Server
• DNS Server
• Failover Clustering – with limitations
• File Services
• Hyper-V role is supported in Azure Ev3 and Dv3 series VMs
• Network Policy and Access Services
• Print and Document Services
• Remote Desktop Services (no VDI)
• Web Server (IIS)
• Windows Server Update Service
Slide 44
VM technical specifications
We have created the concept of the Azure Compute Unit (ACU) to provide a way of comparing compute (CPU) performance across Azure SKUs. ACU is currently standardized on a Small (Standard_A1) VM being 100, and all other SKUs then represent approximately how much faster that SKU can run a standard benchmark.
Slide 48
These VM sizes are hyper-threaded and run on the Intel® Xeon® Platinum 8168 processor, featuring a base core frequency of 2.7 GHz and a maximum single-core turbo frequency of 3.7 GHz. These VMs will support Azure premium storage disks by default and will also support Accelerated Networking capabilities for the highest throughput.
These VMs are currently only available in West US 2, West Europe, and East US. Southeast Asia will be available soon.
Slide 49
VM technical specifications
Products available by region
https://azure.microsoft.com/en-us/regions/services
Slide 50
Licensing
The license for running Windows Server in the Azure environment is included by default in the per-minute cost of the Windows virtual machine.
No Windows Server CALs are needed to access Windows Server running in the Azure environment, since the access rights are included in the per-minute rate for virtual machines.
Save up to 40% - Azure Hybrid Use Benefit
Use your on-premises Windows Server licenses with Software Assurance to obtain significant savings on Windows Server virtual machines in Azure. Using your existing licenses, you pay the base compute rate and save up to 40%.
Slide 51
Pricing
Pay as you GO
Azure bills you per-second rounded down to the last minute, saving you money and simplifying your bill. For example, a VM that runs for 345 seconds is billed at 300 seconds.
Slide 52
… workloads don't require the use of the full CPU all the time but occasionally will need to burst to finish some tasks more quickly.
Slide 53
Announcing General Availability of Azure Reserved VM Instances (RIs)
Azure RIs enable you to reserve Virtual Machines on a one- or three-year term, and provide up to 72% cost savings versus pay-as-you-go prices.
Slide 54
Total Cost of Ownership (TCO) Calculator (PREVIEW)
https://www.tco.microsoft.com/Home/Calculator
Slide 56
Virtual Network
A secure private network in the cloud
• Private, isolated and secure IPv4 networks managed by the user
• Subnetting – the smallest subnet is a /29
• Internal name resolution or custom DNS
A virtual network is a representation of your own network in the cloud.
Slide 57
Virtual Network features
Isolation
• Private, isolated and secure IPv4 networks managed by the user
• Subnetting – the smallest subnet is a /29
• Internal name resolution or custom DNS
Internet communication
• All VMs have outbound Internet access
Azure resource communication
• Resources communicate using private IP addresses, even across different subnets -> default route
Virtual network connectivity
• VNet-to-VNet connections -> peering
On-premises connectivity
• Gateway subnet with automated provisioning and management -> VPN Gateway
Traffic filtering
• Traffic can be filtered inbound and outbound -> NSG
Routing
• Override Azure's default routing -> UDR or BGP
Limitations
• Only IPv4 addresses are allowed
• Multicast and broadcast are not supported
• ICMP is only routed; Azure components do not answer ping directly
Slide 58
Private IP Addresses
• By default VMs do not use static addressing; they use Azure DHCP
• The classic addressing best practices of the on-premises environment therefore do not apply
• It is essential not to force the configuration and not to set a static address manually inside the VM, to avoid making it unreachable from the network
• The lease has an infinite duration and stays stably assigned to the VM as long as it is running
• When VMs are in "Stop (Deallocated)" they lose their associated IPs
• Use reservations to control Azure DHCP
Slide 59
Public IP Addresses
Public IP addresses allow Azure resources to communicate with the Internet and with public Azure services.
• VM (NIC)
• Internet-facing load balancer
• VPN gateway
• Application Gateway
• Dynamic
• Static
• IPv4 or IPv6 (IPv6 only for the Internet-facing load balancer)
Slide 60
Multi NIC - IP
• In ARM, NIC management is independent of VMs: a NIC can be created and later attached to a VM
• The maximum number of NICs depends on the VM size, e.g. Standard A1: 2 NICs, Standard A4: 4 NICs
Now even entry level VMs support at least 2 NICs.
General availability March 22, 2017: Multiple IP addresses per network interface
Slide 61
Routes
• System routes
• User-defined routes
• BGP routes (ExpressRoute or VPN)
System routes (default)
• Within the same subnet
• From one subnet to another in the same VNet
• From VMs to the Internet
• From VNet to VNet through a VPN gateway
• From VNet to on-premises through a VPN gateway
Slide 62
Routes - UDR
User-Defined Routes
• Custom (user-defined) routes can be created in Azure to override Azure's default system routes or to add further routes to a subnet's route table.
• Route tables are associated with subnets
• A next hop is defined for each address prefix
• Set a 0.0.0.0/0 route to force tunneling of all traffic to the on-premises network or to an appliance (IP forwarding)
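As an added example that is not part of the presentation, the following Python models how Azure picks the effective route for a packet leaving a subnet: longest prefix match first, and on equal prefix length a user-defined route wins over a BGP route, which wins over a system route. The VNet prefix, the route table, the appliance address and the destinations are constructed for the illustration; the next-hop type names follow Azure's effective-routes view.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Precedence when two routes cover the same prefix length:
# user-defined beats BGP beats system.
SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                         # address prefix, e.g. "10.0.0.0/16"
    next_hop_type: str                  # VnetLocal, Internet, VirtualNetworkGateway, VirtualAppliance, None
    source: str = "User"                # "System", "User" or "BGP"
    next_hop_ip: Optional[str] = None   # only meaningful for VirtualAppliance


def system_routes(vnet_prefix):
    """The default routes Azure installs in every subnet: the VNet itself and a route to the Internet."""
    return [
        Route(vnet_prefix, "VnetLocal", "System"),
        Route("0.0.0.0/0", "Internet", "System"),
    ]


def effective_route(routes, destination):
    """Longest prefix match; on equal prefix length the route source decides (User > BGP > System)."""
    dst = ip_address(destination)
    candidates = [r for r in routes if dst in ip_network(r.prefix, strict=False)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ip_network(r.prefix, strict=False).prefixlen, SOURCE_RANK[r.source]))


def next_hop(routes, destination):
    """Return (next_hop_type, next_hop_ip); ("None", None) means the traffic is dropped."""
    r = effective_route(routes, destination)
    if r is None or r.next_hop_type == "None":
        return "None", None
    return r.next_hop_type, r.next_hop_ip


# Constructed subnet route table (assumption): system routes for 10.0.0.0/16,
# a 0.0.0.0/0 UDR that forces all Internet-bound traffic through a network
# virtual appliance (whose NIC must have IP forwarding enabled), a UDR that
# steers traffic for the 10.0.2.0/24 subnet through the same appliance, and a
# UDR that sends an on-premises range to the VPN gateway.
NVA_IP = "10.0.0.4"
SUBNET_ROUTES = system_routes("10.0.0.0/16") + [
    Route("0.0.0.0/0", "VirtualAppliance", "User", NVA_IP),
    Route("10.0.2.0/24", "VirtualAppliance", "User", NVA_IP),
    Route("192.168.0.0/16", "VirtualNetworkGateway", "User"),
]

if __name__ == "__main__":
    for dest in ["10.0.1.5", "10.0.2.9", "192.168.10.1", "8.8.8.8"]:
        print(dest, "->", next_hop(SUBNET_ROUTES, dest))
```

Traffic inside the VNet still matches the /16 system route (a /0 UDR never overrides it), while the /24 UDR wins over the /16 system route because it is more specific; the two /0 routes tie on length and the user-defined one is chosen.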
Slide 63
VNet Peering
Also works across different subscriptions
• The 2 VNets must be in the same region
• There must be no overlapping subnets
• Peering is not possible in the Classic environment, but between ASM and ARM it is!
VNet peering allows connecting 2 VNets within the same Azure region.
Global virtual network peering will enable you to peer virtual networks belonging to different Azure regions. Peering virtual networks in different regions is currently in preview in US West Central, Canada Central, and US West 2.
Slide 64
Network Security Group - NSG
• Enables network segmentation and DMZ scenarios
• Access Control List
• Filters on «allow/deny» and «inbound/outbound» conditions
• Accepts single addresses, CIDR ranges, service tags or wildcards
• Applied at VM or subnet level
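As an added example that is not from the presentation, this Python reproduces the NSG evaluation order: rules are walked by ascending priority number, the first match decides, and Azure's built-in default rules (priorities 65000 and above) sit behind the user's rules. The rule set, the addresses and the prefix ranges that stand in for the VirtualNetwork, Internet and AzureLoadBalancer service tags are constructed for the illustration (the real tags resolve to Microsoft-maintained prefix lists).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed ranges standing in for service tags (assumption, so the example runs offline).
VNET_PREFIXES = [ip_network("10.0.0.0/16")]
LOAD_BALANCER_PROBE_IP = ip_network("168.63.129.16/32")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for user rules; the lowest number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, single IP, service tag or "*"
    dest: str          # CIDR, single IP, service tag or "*"
    dest_port: str     # "22", "80-443" or "*"


# Azure's built-in default rules; a user rule overrides them only by sitting at a lower priority number.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def _addr_match(spec, addr):
    """Match an address against a CIDR, a single IP, a service tag or '*'."""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(addr in net for net in VNET_PREFIXES)
    if spec == "Internet":   # everything that is not the virtual network
        return not any(addr in net for net in VNET_PREFIXES)
    if spec == "AzureLoadBalancer":
        return addr in LOAD_BALANCER_PROBE_IP
    return addr in ip_network(spec, strict=False)


def _port_match(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def validate_user_rules(rules):
    """Mirror the platform constraints: user priorities lie in 100-4096 and are unique per direction."""
    seen = set()
    for r in rules:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: priority {r.priority} outside 100-4096")
        if (r.direction, r.priority) in seen:
            raise ValueError(f"{r.name}: duplicate priority {r.priority} for {r.direction}")
        seen.add((r.direction, r.priority))
    return True


def evaluate(user_rules, direction, protocol, src, dst, dst_port):
    """Return (access, rule_name): rules are walked by ascending priority and the first match wins."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for r in sorted(user_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol != protocol:
            continue
        if (_addr_match(r.source, src_ip) and _addr_match(r.dest, dst_ip)
                and _port_match(r.dest_port, dst_port)):
            return r.access, r.name
    return "Deny", "no-match"   # not reached in practice: DenyAll* always matches


# Constructed rule set for a subnet (assumption): SSH only from an admin range,
# with one host in that range explicitly blocked, and HTTPS from anywhere.
SUBNET_RULES = [
    Rule("deny-ssh-retired-jump", 200, "Inbound", "Deny", "Tcp", "203.0.113.7/32", "*", "22"),
    Rule("allow-ssh-admins", 300, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "22"),
    Rule("allow-https", 310, "Inbound", "Allow", "Tcp", "Internet", "*", "443"),
]

if __name__ == "__main__":
    validate_user_rules(SUBNET_RULES)
    for src, port in [("203.0.113.9", 22), ("203.0.113.7", 22), ("198.51.100.5", 443), ("198.51.100.5", 3389)]:
        print(src, port, evaluate(SUBNET_RULES, "Inbound", "Tcp", src, "10.0.1.4", port))
```

The point worth checking in a review of any NSG is the ordering: the deny for the single host only takes effect because its priority number (200) is lower than the broader allow (300), and anything not matched by a user rule falls through to the platform's DenyAllInBound.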
Slide 71
VPN Gateway - Connection topology
Point-to-Site (VPN over IKEv2 or SSTP)
Slide 72
Virtual Network Gateway
• Policy Based = Static Gateway
  Basic SKU only
  Max 1 IPsec tunnel
  IKEv1
• Route Based = Dynamic Gateway
  Basic SKU, or VpnGw1, VpnGw2, VpnGw3
  Max 30 IPsec tunnels (multisite)
  IKEv2
• Check your VPN device! => compatible devices
Slide 75
Compatible VPN devices
Check whether the device is IKEv1 or IKEv2 compatible = check the firmware version
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
Slide 78
NVA
The Network Virtual Appliances supported on Azure include:
• load balancers
• WAN optimizers
• network security appliances
Partnerships with the market leaders have been announced.
Slide 79
Azure Virtual Network
Pricing
There is no charge for virtual networks, subnets, route tables, or network security groups. Outbound Internet bandwidth usage, public IP addresses, virtual network peering, VPN Gateways, and ExpressRoute each have their own pricing structures.
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
Slide 81
Load Balancer
Transport-level, layer 4 (TCP, UDP) load balancing that distributes incoming traffic
• Load-balance incoming Internet traffic to virtual machines (Internet-facing load balancing)
• Load-balance traffic between virtual machines in a virtual network, between virtual machines in cloud services, or between on-premises computers and virtual machines in a cross-premises virtual network (Internal load balancing)
• Forward external traffic to a specific virtual machine
• IPv6 support
Slide 82
Azure Application Gateway
Application-level load balancing, layer 7
• Web application firewall
• HTTP routing based on application policies
• HTTP load balancing
• Cookie-based session affinity
• Secure Sockets Layer (SSL) offload
• URL-based content routing
• Multi-site routing
• End-to-end SSL
• Health monitoring
• Request redirect
Slide 83
Azure Traffic Manager
• DNS-based load balancing
• Uses CNAME (alias) DNS records
• There are several routing methods:
  • Priority: a primary endpoint handles all traffic; if it becomes unavailable, traffic automatically fails over to the secondary endpoints
  • Weighted: distribute traffic across a set of endpoints evenly or according to defined weights
  • Performance: endpoints are in different geographic locations; Traffic Manager directs connections to the "closest" endpoint, i.e. the one with the lowest network latency
  • Geographic: users are directed to specific endpoints based on the geographic location their DNS queries come from
• Several Traffic Manager instances can be nested
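As an added example that is not from the presentation, the following Python simulates the CNAME answer Traffic Manager returns for a single DNS query under each of the four routing methods listed above, including a nested profile. The endpoint names, the latency table used for Performance routing and the country codes are constructed for the illustration; treating unhealthy endpoints as absent in every method is a simplification of the real service.

```python
from dataclasses import dataclass, field
from typing import List, Union

# Constructed latencies (ms) from a client's region to each endpoint region (assumption);
# the real service uses its own Internet latency measurements.
LATENCY_MS = {
    ("eu", "westeurope"): 20, ("eu", "eastus"): 95,
    ("us", "westeurope"): 90, ("us", "eastus"): 15,
}


@dataclass
class Endpoint:
    name: str
    target: Union[str, "Profile"]                # CNAME target, or a nested profile
    healthy: bool = True
    priority: int = 1                            # Priority routing: lowest number wins
    weight: int = 1                              # Weighted routing
    region: str = ""                             # Performance routing
    geo: List[str] = field(default_factory=list) # Geographic routing: country codes or "WORLD"


@dataclass
class Profile:
    name: str
    method: str                                  # Priority, Weighted, Performance or Geographic
    endpoints: List[Endpoint]


def _pick(profile, client_region, client_country, rand):
    """Choose one endpoint of a profile for this query (None when nothing is eligible)."""
    live = [e for e in profile.endpoints if e.healthy]
    if not live:
        return None
    m = profile.method
    if m == "Priority":
        return min(live, key=lambda e: e.priority)
    if m == "Weighted":
        cutoff = rand * sum(e.weight for e in live)   # rand is a uniform draw in [0, 1)
        running = 0
        for e in live:
            running += e.weight
            if cutoff < running:
                return e
        return live[-1]
    if m == "Performance":
        return min(live, key=lambda e: LATENCY_MS.get((client_region, e.region), float("inf")))
    if m == "Geographic":
        for e in live:
            if client_country in e.geo:
                return e
        return next((e for e in live if "WORLD" in e.geo), None)
    raise ValueError(f"unknown routing method {m}")


def resolve(profile, client_region="eu", client_country="IT", rand=0.0):
    """Return the CNAME target for one DNS query, descending into nested profiles."""
    chosen = _pick(profile, client_region, client_country, rand)
    if chosen is None:
        return None
    if isinstance(chosen.target, Profile):
        return resolve(chosen.target, client_region, client_country, rand)
    return chosen.target


# Constructed profiles (assumption): a Performance profile for two regions, nested under a
# Geographic profile that sends Italian clients to it and everyone else to a catch-all endpoint.
PERF = Profile("perf", "Performance", [
    Endpoint("weu", "app-weu.example", region="westeurope"),
    Endpoint("eus", "app-eus.example", region="eastus"),
])
TOP = Profile("top", "Geographic", [
    Endpoint("italy", PERF, geo=["IT"]),
    Endpoint("rest", "app-global.example", geo=["WORLD"]),
])

if __name__ == "__main__":
    print(resolve(TOP, client_region="eu", client_country="IT"))
    print(resolve(TOP, client_region="us", client_country="BR"))
```

Because the decision happens at DNS resolution time, a client that has already cached a CNAME answer keeps talking to the old endpoint until the record's TTL expires; that delay is what the nested Priority profile covers when a regional endpoint goes unhealthy.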
Slide 91
Azure Storage architecture
General purpose: this storage account type provides conventional storage for blobs, files, tables, and queues.
Blob storage: this new account type is specialized for storing blob data and allows you to choose an access tier.
Slide 92
Storage Account – General Purpose
Two performance tiers are available:
• Standard – backed by magnetic disks (HDD)
• Premium – backed by solid state drives (SSD)
The "Storage Account" represents a unique namespace for storage resources in a given geographic area. Up to 200 storage accounts can be associated with each subscription.
Slide 93
Storage Replication
These options are dependent upon the "Account Kind" and "Performance"
• Locally redundant storage (LRS)
• Zone-redundant storage (ZRS)
• Geo-redundant storage (GRS)
• Read-access geo-redundant storage (RA-GRS)
https://docs.microsoft.com/it-it/azure/storage/storage-redundancy
Slide 95
Premium Storage
You choose the option which best meets your required storage size, IOPS, and throughput. Attach several persistent disks to a virtual machine and you can configure up to 64 TB of storage per virtual machine, and achieve 80,000 input/output operations per second and 1,600 MB-per-second disk throughput per virtual machine at less than one millisecond latency for read operations.
The limit is always the VM size!
Slide 97
Managed Disks
Azure Managed Disks simplifies disk management for IaaS virtual machines. By specifying the type, Premium or Standard, and the required disk size, Azure creates and manages the disk automatically.
There is no longer any need to worry about storage account limits, such as 20,000 IOPS per account.
Slide 99
Domain Controller & Azure VM?
Deploying Windows Server Active Directory DCs on Azure virtual machines is subject to the same guidelines as running DCs on-premises in a virtual machine (e.g. a static private IP address for full DNS support).
Slide 100
DC & Azure VM - Recommendations
Time in a virtualized environment: host or guest?
https://blogs.msdn.microsoft.com/virtual_pc_guy/2010/11/19/time-synchronization-in-hyper-v/
Disable VMICTimeProvider
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\VMICTimeProvider]
"Enabled"=dword:00000000
Slide 101
DC & Azure VM - Recommendations
Create a separate virtual data disk for storing the AD database (DIT), logs, and SYSVOL, with the Host Caching Preference set to None.
Slide 102
DC & Azure VM - Recommendations
You should shut down and restart a VM that runs the domain controller role in Azure from within the guest operating system instead of using the Shut Down option in the Azure Management Portal.
Slide 108
Availability Set
• Unplanned hardware maintenance event
• An unexpected downtime
• Planned maintenance events
VM availability can be managed through the concept of the «Availability Set».
Availability Set = Update Domain (default 5, max 20) + Fault Domain (default 2, max 3)
Azure automatically manages and distributes the VMs across different UDs and FDs to guarantee maximum reliability both in case of a fault and in case of an update.
Slide 109
Availability Set
VMs in an Availability Set are grouped into Update Domains (default 5) automatically. When a sixth VM is added to an Availability Set, it's assigned to the first Update Domain.
Only one Update Domain is ever rebooted at a time.
Fault domains define the group of virtual machines that share a common power source and network switch. By default, the virtual machines configured within your availability set are separated across up to three fault domains for Resource Manager deployments.
For all Virtual Machines that have two or more instances deployed in the same Availability Set, we guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.95% of the time.
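As an added example that is not from the presentation, the following Python models the round-robin placement described above (the sixth VM of a five-UD set returns to the first update domain) and then answers the sizing question a deployment review actually asks: how many instances are lost at once when one update domain reboots or one fault domain fails. The round-robin rule for fault domains and the domain limits are taken from the slides; the placement function is a model, not Azure's allocator.

```python
from collections import Counter


def place_vms(n_vms, update_domains=5, fault_domains=2):
    """Model Azure's placement: VM i goes to UD i % UDs and FD i % FDs (round robin),
    so with 5 UDs the sixth VM (index 5) lands back in update domain 0."""
    if not 1 <= update_domains <= 20 or not 1 <= fault_domains <= 3:
        raise ValueError("Resource Manager allows 1-20 update domains and 1-3 fault domains")
    return [{"vm": i, "ud": i % update_domains, "fd": i % fault_domains} for i in range(n_vms)]


def worst_case_loss(placement, domain):
    """Largest number of VMs that go down together when one domain is lost:
    a UD during planned maintenance (only one reboots at a time) or an FD on a hardware fault."""
    return max(Counter(vm[domain] for vm in placement).values())


def survivors(placement, domain):
    """VMs still up after the worst single-domain loss; zero means the set cannot stay reachable."""
    return len(placement) - worst_case_loss(placement, domain)


if __name__ == "__main__":
    for n in (1, 2, 3, 6):
        p = place_vms(n)
        print(n, "VMs:", survivors(p, "ud"), "survive a UD reboot,", survivors(p, "fd"), "survive an FD fault")
```

Two instances are the minimum for the 99.95% guarantee above, and the model shows why: with a single VM both figures drop to zero, while three VMs in the default two fault domains still put two of them on the same power source and switch.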
Slide 110
Virtual Machines and SLA
• For any Single Instance Virtual Machine using premium storage for all Operating System Disks and Data Disks, we guarantee you will have Virtual Machine Connectivity of at least 99.9%.
• For all Virtual Machines that have two or more instances deployed in the same Availability Set, we guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.95% of the time.
• 99.99% SLA applies to Virtual Machines that are deployed in two or more Availability Zones in the same region.