Everything You Need to Know About Azure Infrastructure – December 2019 Edition
By the time you read this, it will be 2020. I hope you have had a great holiday season and are feeling all relaxed and ready for a new semester of Azure action.
As you can imagine, December is downtime for much of Microsoft; many are on vacation for quite a long time and there aren’t many new feature announcements. Most of what you see on the Azure blogs and social media is marketing and recaps. But behind the scenes, late November and early December are busy periods for the program managers; they’re working on the backlog to decide what will be worked on in the coming semester (January-June, codenamed Vibranium rather than Chromium, the element that would have been next in the naming sequence).
Because it was quiet, I’m going to take a different approach with this month’s article and look back on interesting things from 2019.
By the way, Azure Arc is not a highlight for me – I still believe that there is more hype than meat with that service, but it has gotten the media to talk about Azure a lot, so job done!
You Got a Region, Everyone Gets a Region!
If it wasn’t for the revenue headlines, 2019 would be known as the “year of expansion” for Microsoft Azure. In the last 12 months the following regions have been added, bringing the total to 54 active regions:
- Switzerland West
- Switzerland North
- Germany North
- Germany West Central
- Norway East
- Norway West
- UAE Central
- UAE North
- South Africa North
- South Africa West
Not to mention that Qatar North was announced to be on the way, and we know that a new region of some kind (Azure or another Microsoft cloud) is being built in Sweden. And who knows how many additional data centers are also being built within the 54 active regions.
One of the top fears preventing cloud adoption has been security. That security spans many areas, including governance, network security, identity, application-layer security, monitoring & management, and design.
Some of what Microsoft has built upon goes back many years. Azure Active Directory (Azure AD) plays a big role, providing identities for users (accounts), for services (service principals), and for components of services (managed identities, formerly called Managed Service Identity). Azure Firewall (network security), Azure Policy, and management groups (governance) pre-date 2019 but continued to develop over the year. Azure Security Center has continued to add compliance reporting and recommendations that should guide (not instruct, because they’re dumb reports that sometimes have bad recommendations) your reviews of Azure deployments. At Ignite, Microsoft revealed Secured Virtual Hub and Azure Firewall Manager, an evolution of the hub & spoke network that merges the Azure Virtual WAN hub with Azure Firewall in a simpler, easier to deploy, and more scalable design … one that is doomed to failure if Microsoft keeps its policy of not allowing ExpressRoute Standard circuits to connect to the Virtual WAN hub (protecting the turf of ExpressRoute Premium’s Global Reach feature).
Bring-your-own-key has continued, with previews launched for storage accounts, guest OS encryption, and support being announced for ExpressRoute encryption – just in case someone has spliced the fiber cable under the sea.
At Ignite, Microsoft covered security in Azure from all aspects. Identity got lots of coverage. Private Link/Private Endpoint, then in preview, which puts a PaaS resource behind a private IP address inside your virtual network instead of a public endpoint, was discussed in depth. Web Application Firewall for Application Gateway v2 and Azure Front Door improved. Microsoft’s cloud-based SIEM, Azure Sentinel, was released. Azure Bastion, a platform-based jump box for RDP and SSH access to virtual machines, was made generally available. And the concepts of micro-segmentation were pushed repeatedly.
Cloud Adoption Framework (CAF)
Do you have any kind of interaction with Microsoft? If so, all you’re going to hear about is CAF. CAF. CAF-CAF-CAF.
The Cloud Adoption Framework is the One Microsoft approach to cloud adoption in Azure, consolidating and sharing best practices from Microsoft employees, partners, and customers. The framework gives customers a set of tools, guidance, and narratives that help shape technology, business, and people strategies for driving desired business outcomes during their adoption effort. This guidance aligns to the following phases of the cloud adoption lifecycle, ensuring easy access to the right guidance at the right time.
Do you feel “synergised” now?
Seriously, what is CAF? It starts out as a guide on how an enterprise should adopt Microsoft Azure. And to begin with, it’s great. But after a while, it all falls apart because guidance becomes options. What it boils down to in the end is a bunch of questions that you should ask yourself with some loose guidance and things to consider. I wouldn’t consider it a best practice or a scaffold. I would consider it a fine cure for insomnia. I did try to read it, but my eyes glazed over about 3 or 4 paragraphs in. I would expect that some exam will have about 10-20 questions on it in the next year or two.
And yes, Microsoft field staff are using it as their crutch in every meeting: “read the CAF”. You will soon ask for de-CAF-inated meetings.
Compute is Boring
I noticed two things in the last year about Azure virtual machines. Firstly, there’s been very little interest in the announcements in the last year. There have been a few minor series developments. More N-Series stuff, some niche M-Series stuff. And sure, there are the AMD-powered machines, but they’re still niche too. And Generation 2 is here, but it’s still early days and it doesn’t have the broad support or big pull yet.
Secondly, the “compute keynote” at Microsoft Ignite was boring … let me correct that … BORING. I used to spend so much time writing and presenting about virtual machines. But now … it’s networking, security, and the other things that the business values. Heck, I have customers now that have a no virtual machine policy for their cloud deployments.
The Rise of Azure
No spoilers here! Microsoft beat the competition to win the JEDI contract with the US Pentagon. That’s a $10 billion contract for custom-deployed Azure services. It created huge headlines with many lesser-informed media-types expressing shock that a “less-capable” Azure could win the tender.
Sure, AWS has a bigger customer base. But it’s a different customer base to Microsoft’s. AWS was out of the gate first (credit to them) and raced ahead with start-ups. They still do a much better job of pursuing developer-led companies than Microsoft, in my opinion. But Microsoft owns the large enterprise market and the partner-led sales/implementation channels. And while they were late to market and stumbled with “Azure v1”, they evolved and focused on the right things: hybrid, customer feedback, and developing for future trends such as containers, AI/machine learning, and IoT. Ask yourself this: would an organization such as the US military have a lot of devices to manage, a need for off-site resilience, data to process, and processes to automate/enhance? Would ruggedized mobile/backpack versions of a cloud edge that could integrate with a drone (as shown in an agriculture scenario at Ignite) be useful to the Pentagon? Does Microsoft have a more mature development environment that provides a complete DevOps envelope around its cloud? Does Microsoft provide everything … the OS, the cloud platform, the identity system, a security platform that covers more than just the network, a hybrid cloud focus (not just an announcement), and more? Does AWS have all that? So, who was more likely to win that contract, after all?
For some-reason, a very old song that got covered in a Netflix sci-fi show is now worming around my head.
One of the dangers of cloud adoption is that you get Google Hang-outed – that is, you invest in some preview feature that stays in preview for 18 months. Then one day the feature quietly stops working. You investigate and then find something like Export Azure Activity Log To Storage Or Azure Event Hubs. This is where you learn to export your Activity Log audit trail (which Azure itself retains for only 90 days) to a storage account where you can keep it for as long as you want, which can be very economic with blob tiering. But there you will see this message:
You can now collect the Activity log into a Log Analytics workspace using a diagnostic setting similar to how you collect resource logs
That’s nice. But Log Analytics retention is capped at 730 days and many customers require 10+ years of audit trails. You read the instructions, which appear to be still valid, try them out, and find … the feature is gone. I found out that it was gone by my colleagues telling me that the audit trail export had stopped working.
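The lesson a security engineer should take from that story is that an audit-trail export is itself a pipeline that can die silently, and nothing in the platform will tell you. It needs its own health check. The script below is an added example, not code from the article or from Microsoft: given a listing of blob names from the export container, it works out the newest hour that was written and flags the export as broken when that hour falls too far behind the clock. It assumes the hourly blob layout that the diagnostic-setting export writes (`resourceId=/SUBSCRIPTIONS/<sub-id>/y=YYYY/m=MM/d=DD/h=HH/m=00/PT1H.json`); the listing it runs on is constructed sample data, and in practice you would feed it a real container listing from the storage SDK or CLI and run it on a schedule that alerts.

```python
"""Health check for an Azure Activity Log export to blob storage.

Added example, not from the original article. It assumes the hourly blob
layout used when the Activity Log is exported by a diagnostic setting
(container "insights-activity-logs"):
  resourceId=/SUBSCRIPTIONS/<sub-id>/y=YYYY/m=MM/d=DD/h=HH/m=00/PT1H.json
Everything below works on a plain list of blob names, so it runs offline; in
production you would obtain that list with the storage SDK or the CLI.
"""
import re
from datetime import datetime, timedelta, timezone

BLOB_RE = re.compile(
    r"^resourceId=/SUBSCRIPTIONS/(?P<sub>[0-9a-fA-F-]{36})/"
    r"y=(?P<y>\d{4})/m=(?P<mo>\d{2})/d=(?P<d>\d{2})/h=(?P<h>\d{2})/m=00/PT1H\.json$"
)


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC datetime (the export names blobs by UTC hour)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def blob_hour(blob_name):
    """Return the UTC hour an export blob covers, or None for non-matching names."""
    m = BLOB_RE.match(blob_name)
    if m is None:
        return None
    return utc(int(m["y"]), int(m["mo"]), int(m["d"]), int(m["h"]))


def export_health(blob_names, now, max_lag_hours=3):
    """Decide whether the export is still alive.

    ok        - False if there are no export blobs, or the newest one is more
                than max_lag_hours behind `now` (the signature of a dead pipeline)
    latest    - UTC hour of the newest blob, or None
    lag_hours - hours between `now` and the newest blob, or None
    gaps      - hours between the first and newest blob with no blob at all;
                reported but not fatal, because an idle subscription can
                legitimately produce no events (hence no blob) in a given hour
    """
    hours = sorted({h for h in map(blob_hour, blob_names) if h is not None})
    if not hours:
        return {"ok": False, "latest": None, "lag_hours": None, "gaps": []}
    first, latest = hours[0], hours[-1]
    lag_hours = (now - latest).total_seconds() / 3600
    span = int((latest - first).total_seconds() // 3600) + 1
    expected = {first + timedelta(hours=i) for i in range(span)}
    gaps = sorted(expected - set(hours))
    return {"ok": lag_hours <= max_lag_hours, "latest": latest,
            "lag_hours": lag_hours, "gaps": gaps}


# Constructed sample listing: one subscription, 28 Dec 2019, every hour except
# 05:00, plus an unrelated blob that the check must ignore.
SAMPLE_SUB = "11111111-2222-3333-4444-555555555555"
SAMPLE_BLOBS = [
    f"resourceId=/SUBSCRIPTIONS/{SAMPLE_SUB}/y=2019/m=12/d=28/h={h:02d}/m=00/PT1H.json"
    for h in range(24) if h != 5
] + ["insights-metrics-pt1m/some-other-export.json"]

if __name__ == "__main__":
    # Checked in the early hours of 29 Dec: newest blob is 23:00 the day before.
    report = export_health(SAMPLE_BLOBS, now=utc(2019, 12, 29, 1, 30))
    print("ok" if report["ok"] else "EXPORT STALE", report)
    # Checked two days later with no new blobs: the pipeline is dead.
    report = export_health(SAMPLE_BLOBS, now=utc(2019, 12, 30, 12))
    print("ok" if report["ok"] else "EXPORT STALE", report)
```

The staleness threshold is the thing that matters; three hours is a reasonable default because the hourly blob for a given hour is written shortly after that hour closes, so a healthy export is never more than a couple of hours behind. Gaps are deliberately informational only, to avoid paging on quiet subscriptions.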
I can think of a number of pretty significant features in Azure that have been in preview for a very long time. I wonder what the story is with those features?
I started working with Azure to promote it to my then customers: Microsoft partners in Ireland. These were companies that were the IT department for their customers – a concept that the developers in Microsoft really have struggled to understand. The instant feedback I got was that it was challenging to do managed services with Microsoft Azure across tenants (the way it legally should be done in non-SaaS scenarios).
Then Microsoft announced and made Azure Lighthouse generally available. Here was a feature where a customer could enroll a partner (really, a partner will do this work for the customer) to be their managed service provider for their Azure tenant/subscriptions/resources. The process can be quite simple, or quite detailed, depending on how granular you want to get with access and role-based access control.
Once enabled, the partner has easy access to all of their customers under a single sign-in – each partner engineer signs into the partner tenant once and once-only, ideally with MFA, and can see all customers. They can open Azure Monitor and see everything. They can use Security Center across all environments. It really can simplify the whole process and will lead to better identity security – much better than the usual alternative of the partner having a single, never-changing, shared username/password with global admin/owner rights in every customer.
Back on compute, I guess the only spark in the dark was Proximity Placement Groups, but that’s like an anti-uptime feature: you pin your VMs into a single data center to get lower latency.
And Now for Something Different
If 2019 taught us anything, it’s that loud feedback matters. One week before Microsoft Inspire, the partner conference, Microsoft Xbox One’d the conference by announcing huge changes to internal usage rights packages and partner competencies that would badly impact the most important asset that Microsoft has – the channel that sells and implements their products and services. Microsoft commonly states that 90% of their sales are assisted/made by a Microsoft partner.
The response was loud and consistent – this was going to cost Microsoft their partner network and their future profitability just to save a few million on what should be seen as a necessary cost-of-sale. Five days later, Microsoft completed the Xbox One-ing process by reversing course. This was proof that feedback counts.
If you want to impact Microsoft Azure’s future direction, then engage the right way. Talking to local field staff is pointless – they’ll either forget what you said to them or their feedback (if they pass it on) will be lost. Go direct to the product group. One way is to get involved in the Azure Feedback Forum. Post ideas and vote on feedback – more votes mean louder, measurable feedback. Some teams take this seriously, and admittedly, some ignore it.
Another option is to talk to Program Managers at a conference or event. These are people that publicly represent the teams and their job is to talk to you, the customer. They gather feedback and use it to build up a DevOps backlog that is stack ranked and used to engineer the product over the future semesters (half-year development cycles).
A third option is to get involved in preview feedback. If Microsoft announces a preview that you can join, it’s typically a route into a program called Azure Insiders. Here you can get to talk directly to program managers that are responsible for the features being previewed, and you can shape that product. If you work at it, you will get to know the program managers and can have a relationship with the team and other teams over time.
As a Microsoft Most Valuable Professional (MVP), I have a unique set of private channels into product groups. Sometimes I know the right people. Sometimes they’ll engage. Sometimes, they will listen and sometimes they won’t. I can tell you that I have provided feedback that resulted in changes to things over the years. Some big and some insignificant. But here’s the thing … one does not have to be an MVP to have this impact. In fact, I think that some program managers tune out people like me as noise. But I’ll tell you this, seeing something being talked about as a significant new feature and knowing that you were the one who came up with that idea … that’s cool!