Deploying Complex and Large Scale Azure Environments –

Presentation transcript:

Deploying Complex and Large Scale Azure Environments – Tales from the Trenches
CLD334a
Microsoft Ignite 2016, 4/18/2018 1:17 PM
Aaron Saikovski
Specialist Solution Architect – Microsoft Cloud Technologies, Rackspace Australia
T: @RuskyDuck72 E: aaron.saikovski@rackspace.com
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda
- Quick Intros
- Large Scale Deployments
- Subscriptions
- Tagging
- Storage
- Networking
- Automation
- Monitoring
- Questions

About me

Large Scale Azure Deployments


Subscriptions

Subscriptions
- One Subscription per environment -> Dev, Test, Prod
- MSA and AzureAD Accounts -> subscriptions
- Enterprise Agreement (EA) -> Consolidated billing
- Restrict access to Prod (Yes Devs we are looking at you)
- TIP#1: Use named accounts (AzureAD) instead of MSA and use MFA!!!
- TIP#2: Use billing alerts at the subscription level to manage spend

Subscriptions

Key Subscription Limits
Source: https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#subscription-limits

Tagging

Tagging
- Key:Value pairs -> name resources
- Link resources -> cost centre, business unit etc
- Group common resources
- Resource -> 15 tags Max.
- Names -> Max. 512 characters
- Value -> Max. 256 characters

Tagging..cont
- Examples:
  - Environment: Dev, Test, Prod
  - Build date
  - Cost centre
  - Owner
- Azure “Classic” mode doesn’t support tagging
- TIP#3: Automated shutdown of resources without tags. Save $$$

Tagging
Source: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
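A tag audit built on the limits and TIP#3 from the tagging slides, as an added example that is not part of the original deck. The required tag set, the inventory field names (including powerState) and the sample resources are assumptions constructed for illustration; in practice the inventory would come from an export of your subscription.

```python
# Added example (not from the deck): audit resources against the slide's tag limits.
MAX_TAGS, MAX_NAME_LEN, MAX_VALUE_LEN = 15, 512, 256    # limits quoted on the slide
REQUIRED_TAGS = ("Environment", "CostCentre", "Owner")  # assumption: org policy
ALLOWED_ENVIRONMENTS = {"Dev", "Test", "Prod"}          # from the slide's example
VM_TYPE = "Microsoft.Compute/virtualMachines"


def audit_tags(resource):
    """Return a list of findings for one resource; an empty list means compliant."""
    tags = resource.get("tags") or {}
    if not tags:
        return ["untagged"]
    findings = []
    if len(tags) > MAX_TAGS:
        findings.append(f"too many tags ({len(tags)} > {MAX_TAGS})")
    for name, value in tags.items():
        if len(name) > MAX_NAME_LEN:
            findings.append(f"tag name too long ({len(name)} chars)")
        if len(str(value)) > MAX_VALUE_LEN:
            findings.append(f"value of tag {name} too long ({len(str(value))} chars)")
    lowered = {name.lower(): value for name, value in tags.items()}
    for required in REQUIRED_TAGS:
        if required.lower() not in lowered:
            findings.append(f"missing tag {required}")
    env = lowered.get("environment")
    if env is not None and env not in ALLOWED_ENVIRONMENTS:
        findings.append(f"unknown Environment {env!r}")
    return findings


def shutdown_candidates(inventory):
    """TIP#3: running VMs that carry no tags at all are queued for shutdown."""
    return [r["name"] for r in inventory
            if r.get("type") == VM_TYPE
            and r.get("powerState") == "running"
            and audit_tags(r) == ["untagged"]]


# Constructed inventory; the field names are an assumed export shape, not an Azure API.
SAMPLE_INVENTORY = [
    {"name": "vm-web-01", "type": VM_TYPE, "powerState": "running",
     "tags": {"Environment": "Prod", "CostCentre": "CC1001", "Owner": "web-team"}},
    {"name": "vm-scratch-07", "type": VM_TYPE, "powerState": "running", "tags": {}},
    {"name": "vm-old-02", "type": VM_TYPE, "powerState": "deallocated", "tags": None},
    {"name": "vm-test-03", "type": VM_TYPE, "powerState": "running",
     "tags": {"Environment": "Staging", "Owner": "qa"}},
    {"name": "stlogs001", "type": "Microsoft.Storage/storageAccounts", "tags": {}},
]

if __name__ == "__main__":
    for res in SAMPLE_INVENTORY:
        print(res["name"], audit_tags(res) or "compliant")
    print("shutdown:", shutdown_candidates(SAMPLE_INVENTORY))
```

Only resources with no tags at all are queued for shutdown; partially tagged ones are reported so an owner can fix them instead.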

Storage

Quick Storage Recap
Source: https://docs.microsoft.com/en-us/azure/storage/storage-redundancy

Storage Accounts
- Don’t overload storage accounts
- Plan Pricing Tiers -> Performance
- Premium storage -> Production workloads
- Avoid single storage accounts
- Standard storage -> MAX 500 IOPS per disk
- Premium -> MAX 5000 IOPS per disk (P30)
- TIP#4: Enable encryption when provisioning. Not after!

Storage Account Naming
- Naming of storage accounts -> Storage load balancing
- E.g. ‘devstorageacct001’, ‘devstorageacct002’
- Traffic bound to a partition server -> Rebalance -> performance hit!
- Can have a big performance hit on VM workloads
- TIP#5: Prefix storage accounts with a 3 digit hash (Unique)
Source: https://docs.microsoft.com/en-us/azure/storage/storage-performance-checklist

Storage Account Naming
[Figure: Same cluster vs. Unique cluster]

Networking

Networking
- Planning!!!
- Overlapping IP ranges -> ExpressRoute, S2S VPN
- Deploy and Redeploy -> Iterate
- Keep it simple
- Single VNet vs VNet Peering
- GatewaySubnet -> /27 Address Space
- TIP#6: Avoid Network Security Groups (NSGs) at the NIC level


Network Security Groups (NSGs)
[Figure label: Recommended!!]


Automation

Automation
- Automate everything -> ARM, PowerShell, CLI
- No manual changes
- ARM is incremental
- Tag resources
- Resource groups & Tags for cost optimisation
- Layer the deployment

Automation..cont
- Store ARM templates in a private repository
- Linked templates vs. layered ARM templates
- Azure Automation for scheduled tasks
- TIP#7: Keep your Azure PowerShell and SDK tools up to date
- TIP#8: Lock ResourceGroups with ‘CanNotDelete’ lock level
- TIP#9: Don’t store passwords in .param files -> use KeyVault!!
- Bonus Tip: Staggered Automation runbook schedules -> PowerShell
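One way to enforce TIP#9 before a deployment, as an added example that is not part of the original deck: a check that reads an ARM parameter file and separates inline secret values from Key Vault references. The secret-name pattern, the status labels and the sample file (including its placeholder subscription ID and vault name) are assumptions constructed for illustration.

```python
# Added example (not from the deck): flag plaintext secrets in an ARM parameter file.
import json
import re

# Assumption: parameter names that indicate a secret; extend to match your templates.
SECRET_NAME = re.compile(
    r"(password|passwd|pwd|secret|token|apikey|accesskey|connectionstring)", re.I)
VAULT_ID = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    r"/providers/Microsoft\.KeyVault/vaults/[^/]+$", re.I)


def classify(name, entry):
    """Classify one parameter entry from the file's 'parameters' object."""
    ref = entry.get("reference")
    if ref is not None:
        vault_id = (ref.get("keyVault") or {}).get("id", "")
        if VAULT_ID.match(vault_id) and ref.get("secretName"):
            return "keyvault-reference"
        return "malformed-reference"
    if SECRET_NAME.search(name) and entry.get("value") not in (None, ""):
        return "plaintext-secret"
    return "ok"


def scan_parameters(text):
    """Map each parameter name in the file to its classification."""
    doc = json.loads(text)
    return {n: classify(n, e) for n, e in doc.get("parameters", {}).items()}


def violations(text):
    """Names that should fail a pre-deployment check."""
    bad = ("plaintext-secret", "malformed-reference")
    return sorted(n for n, s in scan_parameters(text).items() if s in bad)


# Constructed sample; the subscription ID, vault name and values are placeholders.
SAMPLE_VAULT = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                "/resourceGroups/rg-shared/providers/Microsoft.KeyVault/vaults/kv-example")
SAMPLE_PARAM_FILE = json.dumps({
    "contentVersion": "1.0.0.0",
    "parameters": {
        "adminUsername": {"value": "azureadmin"},
        "adminPassword": {"value": "Constructed-Not-A-Real-Secret"},
        "sqlPassword": {"reference": {"keyVault": {"id": SAMPLE_VAULT},
                                      "secretName": "sqlPassword"}},
        "storageKey": {"reference": {"keyVault": {"id": SAMPLE_VAULT}}},
    },
})

if __name__ == "__main__":
    print(scan_parameters(SAMPLE_PARAM_FILE))
    print("violations:", violations(SAMPLE_PARAM_FILE))
```

The check is name-based, so a secret passed under an innocuous parameter name is not caught; the template's securestring declarations are the more reliable source when they are available.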

Automation..Tips and Tricks
- Use "location": "[resourceGroup().location]" as default resource location
- Use subscription().id, resourceGroup().id for unique identifiers in variables
- Use listKeys for dynamic value lookups:
    …"[listKeys(resourceId('Microsoft.Cache/Redis', parameters('redisCacheName')), '2014-04-01').primaryKey]"

Automation..Tips and Tricks..cont
- Use outputs for debugging:
    "outputs": {
      "RedisSessionStateHost": {
        "type": "string",
        "value": "[concat(parameters('redisCacheName'), '.redis.cache.windows.net')]"
      }
    }

Monitoring

Monitoring
- OMS (Log Analytics) -> default used by Rackspace
- Support -> subscription level
- Lots of metrics are captured
- Automated alerting -> Support ticket
- Example Key VM metrics:
  - Malware signatures update status
  - Realtime protection
  - CPU average greater than 95 percent average over 5 minutes
  - Operating System Disk C = has less than 500 MB free space
  - Recovery vault backup failures

Monitoring..cont
- Include PaaS workloads – App Services, DocDB etc
- AppInsights -> URL monitoring -> multiple test locations
- Webhooks -> Azure Functions -> OMS Ingestion
- TIP#10: OMS has a 15 minute indexing interval


OMS Query Samples
ARM Deployments:
    Type:AzureActivity AND (OperationName="Microsoft.Resources/deployments/write" OR OperationName="Microsoft.Resources/deployments/validate/action") | measure count () by ResourceId, ResourceGroup
Malware signatures out of date:
    Type=ProtectionStatus AND (ProtectionStatusRank=250) AND (TypeofProtection="System Center Endpoint Protection")

OMS Query Samples..cont
SQL Azure: Average CPU utilization percentage greater than 80% over 10 minutes:
    Type=sqlazure_CL MetricName_s=cpu_percent | measure max(Average_d) as DBCPU by DatabaseName_s interval 10minutes | where DBCPU >=80

Key Takeaways
- TIP#1: Use named accounts (AzureAD) instead of MSA and use MFA!!!
- TIP#2: Use billing alerts at the subscription level to manage spend
- TIP#3: Automated shutdown of resources without tags. Save $$$
- TIP#4: Enable encryption when provisioning. Not after!
- TIP#5: Prefix storage accounts with a 3 digit hash (Unique)
- TIP#6: Avoid Network Security Groups (NSGs) at the NIC level
- TIP#7: Keep your Azure PowerShell and SDK tools up to date
- TIP#8: Lock ResourceGroups with ‘CanNotDelete’ lock level
- TIP#9: Don’t store passwords in .param files -> use KeyVault!!
- TIP#10: OMS has a 15 minute indexing interval

Questions

Continue your Ignite learning path
- Visit Channel 9 to access a wide range of Microsoft training and event recordings: https://channel9.msdn.com/
- Head to the TechNet Eval Centre to download trials of the latest Microsoft products: http://Microsoft.com/en-us/evalcenter/
- Visit Microsoft Virtual Academy for free online training: https://www.microsoftvirtualacademy.com

Thank you
- Chat with me in the Speaker Lounge
- Find me (@RuskyDuck72 or email: aaron.saikovski@rackspace.com) or at the Rackspace booth