2. About me
35, married, from Yavne, Israel
Cloud Valley CTO
P-TSP Azure
Microsoft MVP
Asaf Nakash
asaf@cloudvalley.io
https://il.linkedin.com/in/nakash
https://www.facebook.com/nakashon
https://github.com/nakashon/
11. Industry validation
"Microsoft’s comprehensive hybrid story, which spans applications and platforms as well as infrastructure, is highly attractive to many companies, drawing them towards the cloud in general."
– Lydia Leong, Gartner
Microsoft a Leader in Gartner Magic Quadrants:
Public Cloud IaaS (May 2015)
Cloud Storage (June 2015)
Enterprise Application PaaS (Jan 2014)
x86 Server Virtualization (July 2014)
12. Azure Compliance
Azure has the largest compliance portfolio in the industry
United States: HIPAA / HITECH, FedRAMP JAB P-ATO, FIPS 140-2, FERPA, DISA Level 2, ITAR-ready, CJIS, 21 CFR Part 11, IRS 1075, Section 508 VPAT
Industry: ISO 27001, PCI DSS Level 1, SOC 1 Type 2, SOC 2 Type 2, ISO 27018, Cloud Controls Matrix, Content Delivery and Security Association, Shared Assessments
Regional: European Union Model Clauses, United Kingdom G-Cloud, Singapore MTCS Level 3, Australian Signals Directorate, Japan Financial Services, China Multi Layer Protection Scheme, China CCCPPF, New Zealand GCIO, China GB 18030, ENISA IAF
13. Azure momentum
>90,000 new Azure customer subscriptions/month
1.5 Trillion messages per month processed by Azure IoT
>500 Million users in Azure Active Directory
777 Trillion storage transactions per day
>1.5 Million SQL Databases running on Azure
>40% revenue from start-ups and ISVs
14. A cloud you can trust
“Businesses and users are going to embrace technology only if they can trust it.”
At Microsoft, we never take your trust for granted
• We are serious about our commitment to protect customers in a cloud first world.
• We live by standards and practices designed to earn your confidence.
• We collaborate with industry and governments to build trust in the cloud ecosystem.
– Satya Nadella
26. Connect via an encrypted link over public internet
Diagram: three ways a CUSTOMER SITE reaches the MICROSOFT CLOUD: over the PUBLIC INTERNET through INTERNET / VPN GATEWAYS; through an EXCHANGE PROVIDER; or over a NETWORK SERVICE PROVIDER WAN.
32. Microsoft Azure Storage
Highly durable and scalable
Multiple copies of your data
Financially backed SLAs
Storage for objects, tables, drives
Supports REST APIs
Availability and DR: Local Redundancy
33. Microsoft Azure Storage
Availability and DR: Geo-replication
Diagram: West DC and East DC, > 400 miles apart, with geo replication between them.
Defend against regional disasters.
34. Azure storage types
Locally Redundant Storage (LRS)
  How it works: makes multiple synchronous copies of your data within a single datacenter
  Total copies: 3
  Why use it: for economical local storage or data governance compliance
  Availability SLA: 99.9% read/write
Zone Redundant Storage (ZRS)
  How it works: stores three copies of data across multiple datacenters within or across regions. For block blobs only
  Total copies: 3
  Why use it: an economical, higher durability option for block blob storage
  Availability SLA: 99.9% read/write
Geographically Redundant Storage (GRS)
  How it works: same as LRS, plus multiple asynchronous copies to a second datacenter hundreds of miles away
  Total copies: 6
  Why use it: for protection against a major datacenter outage or disaster
  Availability SLA: 99.9% read/write
Read-Access Geographically Redundant Storage (RA-GRS)
  How it works: same as GRS, plus read access to the secondary datacenter
  Total copies: 6
  Why use it: provides read access to data during an outage, for maximum data availability and durability
  Availability SLA: 99.9% write, 99.99% read
https://azure.microsoft.com/en-us/pricing/details/storage/
40. Introducing: Azure Security Center
Enable security at cloud speed
Gain visibility and control
Detect cyber threats
Integrate partner solutions
41. Gain visibility and control
Provides a unified view of security across all your Azure subscriptions
Makes it easy to understand your security posture, including vulnerabilities and threats detected
Integrates security event logging and monitoring, including events from partners
APIs, SIEM connector and Power BI dashboards make it easy to access, integrate, and analyze security information using existing tools
45. Access security data in near real-time from your Security Information and Event Management (SIEM)
Public Preview
Diagram components: Azure Diagnostics → Azure Storage → Azure Log Integration (rehydrates “Forwarded Events”, flat files (IIS logs) and CEF formatted logs) → Standard Log Connector (ArcSight, Splunk, etc.) → Log Analytics / SIEM; Azure APIs; Export Logs.
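An added example, not from the deck: a small parser for the CEF formatted logs that the Azure Log Integration path above hands to standard SIEM connectors. The sample record and every value in it are constructed for illustration, not output from a real deployment.

```python
import re
from typing import Any, Dict

# Constructed sample record in CEF (Common Event Format), the format the Azure
# Log Integration path emits for standard SIEM connectors. Every value here is
# invented for illustration; it is not output from a real deployment.
SAMPLE_CEF = (
    "CEF:0|Microsoft|Azure Security Center|1.0|SuspiciousLogon|"
    "Suspicious logon attempt detected|8|"
    "rt=Jan 01 2017 12:00:00 src=203.0.113.10 dst=10.0.0.4 dpt=3389 "
    "msg=Multiple failed logons followed by success\\=yes "
    "cs1Label=VMName cs1=web-vm-01"
)
HEADER_KEYS = ("version", "device_vendor", "device_product", "device_version",
               "signature_id", "name", "severity")
# Extension: key=value pairs separated by spaces. A value runs until the next
# " key=" token or end of line and may contain CEF escapes such as "\=".
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^=\\])*?)(?=\s+\w+=|$)")

def split_header(body: str):
    """Split the seven header fields on unescaped '|' (CEF escapes '|' and the
    backslash itself with a backslash). Returns (fields, extension string)."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # escaped character: keep it literally
            buf.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < 7 and buf:  # tolerate a record with no trailing '|'
        fields.append("".join(buf))
    return fields, body[i:]

def unescape_ext(value: str) -> str:
    return value.replace("\\=", "=").replace("\\\\", "\\")

def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one CEF line into its header fields plus an 'extension' dict.
    Raises ValueError on records a SIEM connector should reject."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, extension = split_header(line[len("CEF:"):])
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    event: Dict[str, Any] = dict(zip(HEADER_KEYS, fields))
    event["severity"] = int(event["severity"])  # CEF severity is 0-10
    event["extension"] = {k: unescape_ext(v) for k, v in EXT_RE.findall(extension)}
    return event

if __name__ == "__main__":
    evt = parse_cef(SAMPLE_CEF)
    print(evt["signature_id"], evt["severity"], evt["extension"]["src"])
```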
46. Enable agility with security
Tailors security recommendations based on the security policy defined for the
subscription or resource group
Guides users through the process of remediating security vulnerabilities
Enables rapid deployment of security services and appliances from Microsoft and partners (firewalls, endpoint protection, and more)
48. Integrate partner solutions
Recommends and streamlines provisioning of partner solutions
Integrates signals for centralized alerting and advanced detection, including fusion
Leverages Azure Marketplace for commerce and billing
Closes security gaps created by disconnected point solutions
50. Detect cyber threats
Continuously analyzes security data from your Azure virtual machines, Azure services (like Azure SQL databases), the network, and connected partner solutions
Leverages security intelligence and advanced analytics to detect threats more quickly and reduce false positives
Creates prioritized security alerts that provide insight into the attack and recommendations on how to remediate
63. What is RBAC
• Allows secure access with granular permissions to resources
• Assignable to users, groups or service principals
• Built-in roles make it easy to get started
Role Definitions
• Describes the set of permissions (e.g. read actions)
• Can be used in multiple assignments
Role Assignments
• Associate role definitions with an identity (e.g. user/group) at a scope (e.g. resource group)
• Always inherited – subscription assignments apply to all resources
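An added example (not from the deck) that models the three concepts above: role definitions with Actions and NotActions, assignments of a role to a user or group at a scope, and inheritance of assignments down from subscription to resource group to resource. The two roles are simplified subsets of the built-in Reader and Contributor definitions, and the subscription id, users and groups are placeholders.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: Tuple[str, ...]           # permitted operations, "*" wildcards allowed
    not_actions: Tuple[str, ...] = ()  # operations carved out of 'actions'

@dataclass(frozen=True)
class RoleAssignment:
    principal: str   # user, group or service principal
    role: str        # name of a RoleDefinition
    scope: str       # subscription, resource group or resource id

# Simplified subset of two Azure built-in roles (not the full definitions).
ROLES: Dict[str, RoleDefinition] = {
    "Reader": RoleDefinition("Reader", ("*/read",)),
    "Contributor": RoleDefinition(
        "Contributor", ("*",),
        ("Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete",
         "Microsoft.Authorization/elevateAccess/Action")),
}

# Constructed tenant: alice is in the vm-operators group, bob is in no group.
GROUPS: Dict[str, Set[str]] = {"alice": {"vm-operators"}, "bob": set()}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
ASSIGNMENTS: List[RoleAssignment] = [
    RoleAssignment("alice", "Reader", SUB),  # subscription scope: inherited by all
    RoleAssignment("vm-operators", "Contributor", SUB + "/resourceGroups/prod-rg"),
    RoleAssignment("bob", "Contributor", SUB + "/resourceGroups/dev-rg"),
]

def scope_covers(assignment_scope: str, target: str) -> bool:
    """An assignment applies to its own scope and everything beneath it
    (subscription -> resource group -> resource). Scopes are case-insensitive."""
    a, t = assignment_scope.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def matches(action: str, patterns: Tuple[str, ...]) -> bool:
    # Azure operation names are case-insensitive; '*' spans '/' separators.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def applicable_roles(principal: str, target: str) -> List[RoleDefinition]:
    """Roles assigned directly to the principal, or to a group it belongs to,
    at a scope that covers the target."""
    identities = {principal} | GROUPS.get(principal, set())
    return [ROLES[a.role] for a in ASSIGNMENTS
            if a.principal in identities and scope_covers(a.scope, target)]

def is_allowed(principal: str, action: str, target: str) -> bool:
    """Allowed if some applicable role lists the action and does not carve it
    out in its own NotActions. NotActions narrow one role; they never deny
    what another role grants."""
    return any(matches(action, r.actions) and not matches(action, r.not_actions)
               for r in applicable_roles(principal, target))
```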
71. Thank you!
Editor's Notes
Technology is omnipresent. It’s shaping how businesses plan for innovation and growth within their markets. The importance of digital transformation is urgent: since 2000, 52% of Fortune 500 companies have disappeared due to digital disruption.
We see companies responding by creating digital strategies across four core areas: engaging their customers, empowering their employees, optimizing their operations, and transforming their products.
Everyone is aware of how important this is. Look at a company like Uber, for example. They’ve created a digital model for the taxi industry that has allowed them to surpass every other taxi company by double or more, and were recently valued at $62.5 Billion. They’ve created a significant shift in an industry that had been largely untouched for decades.
Why is this transformation important? Let’s take a look at the next few years before us…
In 2020, 1 million new devices are expected to come online every hour. The connectivity between people and data is creating billions of new relationships that are driven not only by data but by algorithms that keep customers engaged and buying.*
In 2020, the average age of an S&P 500 corporation is expected to be 12 years. Compare that to the S&P 500 in 1960, when the average age was 60 years.**
By the year 2025, at least 60 percent of computing will be cloud-based, as “everything-as-a-service” drives fundamental changes in the IT industry.***
For digital transformation, mobility is the universal catalyst and cloud is the great enabler.
How are you planning for digital transformation? Do you have the right people and the right technology in place to build your digital vision?
How can you use technology to shape your future?
*http://www.gartner.com/newsroom/id/3142917
**http://upstart.bizjournals.com/resources/author/2015/06/04/fortune-500-must-disrupt-or-die-writes-r-ray-wang.html?page=all
***http://www.emersonnetworkpower.com/en-US/Latest-Thinking/Data-Center-2025/Documents/002401_DataCenter2025Report_HR_INTERACTIVE.PDF
The Azure Security Center will provide unified security and vulnerability management for all your Azure resources.
- The largest compliance portfolio in the industry, including those that FSI cares about – SOC, PCI and many others.
- This means you can do away with auditing your own physical data center and let Microsoft do that work for you.
- We provide you with our 3rd-party certifications and detailed audit reports, letting you focus on the application you build.
- Microsoft takes care of our data center security. Microsoft takes care of our data centers’ compliance.
Trust: reliance on the integrity, strength, ability, surety of a person or thing; confidence.
Why is it so challenging?
Cybersecurity incidents, data breaches, social hacking: there’s a pervasive threat.
Risk versus benefits: it might be a lot easier to embrace the status quo.
Confidence/Trust -> Consumption!
In each and every conversation I’ve had about cloud, the conversation has focused on trust. Customers have come to rely upon and trust their environments and get nervous when you suggest that they change.
So it’s key that we be able to describe how seriously we take our commitment to trust, at the highest level and throughout our organization.
There are three major cloud computing patterns in play today—and Microsoft Azure supports all of them.
Infrastructure-as-a-Service allows development teams to lift and shift all infrastructure building blocks to the cloud by provisioning, configuring, and managing virtual infrastructure. We will host your infrastructure but you manage it.
With Platform-as-a-Service we provide application building blocks and cloud services that allow developers to quickly implement application features without building from scratch. By assembling cloud services, developers can speed up creation and delivery of custom applications and increase efficiency.
Visual Studio Online offers innovative cloud services for developers that enable teams to scale quickly and easily by extending ALM workloads to the cloud and enable new scenarios that are not possible with physical infrastructure. Visual Studio Online offers a complete set of developer services, accessible from anywhere—anytime.
Virtual Machines – select storage, network, OS (or Template), specify the Size and Go!
Cloud Services – Package your solution to deploy onto a standardized OS as highly available, infinitely scalable applications and APIs – focus on apps, with autoscale, deployment of 1000s of instances in minutes, integrated monitoring & load balancing, and automatic OS and application patching
Web Sites – Deploy and scale modern websites and web apps in seconds (built-in autoscale + load balancing); supports continuous deployment with Git, TFS, GitHub; SQL, NoSQL, DocumentDB, Search, MongoDB; CMS: WordPress, Umbraco, Drupal
Developer and Operational Efficiency with Automation, Insight, Templates, and Tools
Identity – Extend your Active Directory to Azure and provide Role Based Access Control with the same identity you use on-premises. Assign ability to see and modify resources with single identity.
Instance Level Public IP Overview
https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-instance-level-public-ip/
Reserved IP addresses for Cloud Services & Virtual Machines
https://azure.microsoft.com/en-us/blog/reserved-ip-addresses/
Azure Datacenter IP Address Ranges
https://msdn.microsoft.com/en-us/library/azure/dn175718.aspx
Azure DNS
https://azure.microsoft.com/en-us/services/dns/
User Defined Routes and IP Forwarding
https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-udr-overview/
Multiple VM NICs and Network Virtual Appliances in Azure
https://azure.microsoft.com/en-us/blog/multiple-vm-nics-and-network-virtual-appliances-in-azure/
Create a Multi-NIC VM with a Public IP in Azure
http://blogs.msdn.com/b/rslaten/archive/2014/11/18/create-a-multi-nic-vm-with-a-public-ip-in-azure.aspx
Create a VM with multiple NICs
https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-multiple-nics/
About VPN Devices and Gateways for Virtual Network Connectivity
https://msdn.microsoft.com/en-us/library/azure/jj156075.aspx
ExpressRoute
https://azure.microsoft.com/en-us/services/expressroute/
ExpressRoute Pricing
https://azure.microsoft.com/en-us/pricing/details/expressroute/
New Networking features and partnerships for Enterprise scenarios
https://azure.microsoft.com/en-us/blog/networking-enterprise/
Azure Standard VPN Gateway
https://azure.microsoft.com/en-us/updates/azure-standard-vpn-gateway/
Network Security Groups
https://azure.microsoft.com/en-us/blog/network-security-groups/
What is a Network Security Group (NSG)?
https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/
Key talking points:
Virtual network peering allows direct connectivity between two virtual networks in the same region
The mechanism offers a significant improvement in bandwidth and latency, since it avoids tunneling or gateways in the path.
High bandwidth: (no caps other than the ones that come with VM size), low latency connection between resources in two virtual networks.
We make 3 copies of data for durability and availability, so if a rack or server goes down, your data is still available and accessible. We provide a 99.9% SLA for storage.
The Windows Azure Storage system is the underpinning of everything in Azure that requires storage. It provides a solid, robust data platform for the different services that make use of it – Blobs, Tables and Drives.
Use the Blob service for storing large amounts of unstructured data that can be accessed from anywhere in the world via HTTP or HTTPS. A single blob can be hundreds of gigabytes in size, and a single storage account can contain up to 100TB of blobs. Common uses of Blob storage include: serving images or documents directly to a browser, storing files for distributed access, streaming video and audio, performing secure backup and disaster recovery, and storing data for analysis by an on-premises or Windows Azure-hosted service.
Tables is a NoSQL datastore, ideal for storing structured, non-relational data. Common uses of the Table service include storing TBs of structured data capable of serving web-scale applications, or storing datasets that don’t require a full-fledged relational DB.
Drives are what are attached to VMs. They automatically get the same durability and availability. This differentiates us from other competitive offerings (like AWS) that have less reliable and durable storage systems for their VM instances.
Additionally, data is asynchronously copied to another datacenter that’s at least 400 miles away.
So you can be sure that every piece of data that you store in the Azure Blob is available as well as protected against regional disasters (we call this geo-replication).
Geo replication is a unique feature that differentiates us from the competition.
How Azure pricing works
https://azure.microsoft.com/en-us/pricing/details/storage/
Premium Storage: High-Performance Storage for Azure Virtual Machine Workloads
https://azure.microsoft.com/en-us/documentation/articles/storage-premium-storage-preview-portal/
You can use Premium Storage for disks in one of two ways:
Create a new premium storage account first and then use it when creating the VM
Create a new DS-series or GS-series VM
While creating the VM, you can select a previously created Premium Storage account, create a new one, or let the Azure portal create a default premium account
Tip: To leverage the benefit of Premium Storage, create a Premium Storage account using an account type of Premium_LRS first. To do this, you can use the Microsoft Azure Preview Portal, Azure PowerShell, or the Service Management REST API
Azure uses the storage account as a container for your operating system (OS) and data disks
If you create an Azure DS-series or GS-series VM and select an Azure Premium Storage account, your operating system and data disks are stored in that storage account
Key talking points:
Managed disks are a new, cross-cutting feature. You will see different aspects of them when we discuss security and flexibility improvements later in the presentation.
Managed disks simplify scale by taking away the need for the administrator to know about the service limits of storage accounts, and make IOPS and throughput capabilities easy to understand.
Managed disks also integrate directly with virtual machine scale sets to automatically scale the front-end compute and the back-end storage.
Gain visibility and control
Get a central view of the security state of all your Azure resources. At a glance, you can verify that the appropriate security controls are in place and quickly identify any resources that require attention.
Enable secure DevOps
Say ‘Yes’ to agility by enabling DevOps with policy-driven recommendations that guide resource owners through the process of implementing required controls – taking the guesswork out of cloud security.
Stay ahead of threats
Stay ahead of current and emerging threats with an integrated and analytics-driven approach. Detect actual threats earlier and reduce false alarms.
Key talking points:
Today disk management is a fairly complex process. Users must understand the service limits of storage accounts and directly manage page blobs in one or more storage accounts to ensure they have enough storage capacity and IOPS. Availability is also an issue, as a storage account could potentially be a single point of failure.
Managed disks solve the availability problem by ensuring the disks are created on physically separate storage stamps when provisioned with VMs in an availability set.
Key talking points:
Improved diagnostics and the Network Watcher service enable monitoring and diagnostics at the network level for virtual machines.
These capabilities span resource health monitoring, metrics and alerting, diagnostic APIs, and a new network monitoring service, all geared towards giving you the ability to monitor and diagnose your network infrastructure in Azure.
VPN Gateway and Tunnel Health
We are announcing the addition of Virtual Private Network (VPN) Gateway and VPN Tunnel resource health. This provides real-time health information about these resources, giving you actionable information on health and outages related to your resource.
Application Gateway Metrics
We are announcing server performance metrics for Application Gateway. This metric provides an aggregated view of the health of your gateway hosts, giving you a single unified view with total request count, average latency, total failed request count, total throughput, and the minimum unhealthy and healthy host counts.
NSG and UDR Diagnostics
We are also glad to announce improvements to Network Security Group (NSG) and User-Defined Route (UDR) diagnostics for troubleshooting network traffic flows on your Virtual Machine (VM)/Network Interface Card (NIC). You can now view all the effective security rules affecting a given VM/NIC, irrespective of whether the NSGs are applied at the NIC and/or the subnet. You can also view the full list of effective routes, including system routes, affecting a given NIC’s traffic. All of these APIs are available in Azure Resource Manager (ARM) and can be managed via REST APIs, the .NET SDK, PowerShell cmdlets, the command-line interface and the Azure portal.
Network Watcher
We are also pleased to announce Network Watcher, a service that enables you to monitor and diagnose conditions at a network scenario level, in addition to the resource-level monitoring and diagnostics capabilities mentioned above. The network diagnostic and visualization tools in Network Watcher let you take packet captures on a Virtual Machine (VM), understand whether an IP flow is allowed or denied on your VM, find where a packet will be routed from a VM, and gain insights into your network topology.
The packet capture capability in Network Watcher helps you diagnose network fault conditions and monitor your network for security and compliance needs. You can fine-tune your packet captures by specifying the protocol (TCP, UDP or both), IP address and port ranges, the size of the capture and the storage location for saving it. Packet captures are stored in the standard PCAP file format so that third-party tools can analyze the output. You can store these captures either on the attached VM disk or in your own blob storage location.
Network Watcher integrates tightly with existing Azure services like OMS. You can now configure an OMS hub as one of the destinations for storing metrics and logs, which lets you use the existing capabilities of OMS to analyze and present your metrics and logs.
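An added example, not from the deck, that models the two NSG points above: how the effective security rules (subnet NSG plus NIC NSG, priority-ordered, first match wins) decide an inbound flow, which is the question Network Watcher's IP flow check answers. The NSGs, VNet range and addresses are constructed, and the default AllowAzureLoadBalancerInBound rule is omitted for brevity.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

VNET = ipaddress.ip_network("10.0.0.0/16")  # constructed VNet address space

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number wins; evaluation stops at the first match
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR, single IP, "VirtualNetwork" tag or "*"
    dest_ports: str  # "*", "443" or a range such as "1000-2000"

# Default inbound rules every NSG carries (AllowAzureLoadBalancerInBound omitted).
DEFAULTS = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]
# Constructed subnet NSG and NIC NSG, as an effective-rules listing would show them.
SUBNET_NSG = [
    Rule("AllowWebFromInternet", 100, "Allow", "Tcp", "*", "443"),
    Rule("AllowRdpFromCorp", 200, "Allow", "Tcp", "203.0.113.0/24", "3389"),
] + DEFAULTS
NIC_NSG = [
    Rule("AllowWeb", 100, "Allow", "Tcp", "*", "443"),
    Rule("DenyRdp", 110, "Deny", "Tcp", "*", "3389"),
] + DEFAULTS

def source_matches(rule_source: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET
    return ip in ipaddress.ip_network(rule_source, strict=False)

def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def first_match(rules: List[Rule], src_ip: str, proto: str, port: int) -> Rule:
    """Return the matching rule with the lowest priority number."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol.lower() != proto.lower():
            continue
        if source_matches(rule.source, src_ip) and port_matches(rule.dest_ports, port):
            return rule
    raise ValueError("no rule matched; the default rules are missing")

def ip_flow_verify(src_ip: str, proto: str, port: int,
                   subnet_nsg=SUBNET_NSG, nic_nsg=NIC_NSG) -> Tuple[bool, str]:
    """Inbound flow: the subnet NSG is evaluated first, then the NIC NSG, and
    both must allow. Returns (allowed, name of the rule that decided)."""
    decided = None
    for rules in (subnet_nsg, nic_nsg):
        decided = first_match(rules, src_ip, proto, port)
        if decided.access == "Deny":
            return False, decided.name
    return True, decided.name
```

The second case below shows why an effective-rules view matters: the subnet NSG allows RDP from the corporate range, but the NIC NSG's DenyRdp still blocks the flow.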
Key talking points:
Today for all Internet facing Virtual Machines that have two or more instances deployed in the same Availability Set, we guarantee you will have external connectivity at least 99.9% of the time.
Azure will offer a service level agreement for a single virtual machine when the virtual machine is deployed with SSD backed premium storage.