© Julian Soh, Marshall Copeland, Anthony Puca, and Micheleen Harris 2020
J. Soh et al., Microsoft Azure, https://doi.org/10.1007/978-1-4842-5958-0_3

3. Overview of Azure Platform as a Service

Julian Soh (1), Marshall Copeland (2), Anthony Puca (3) and Micheleen Harris (1)
(1) Washington, WA, USA
(2) Texas, TX, USA
(3) Colorado, CO, USA

In this chapter, we provide a high-level view of the major services that are globally available, as well as elements of the Microsoft Azure platform as a service (PaaS). First, we discuss Azure Web Apps, support for developer frameworks, and apps that can run in containers. Next, you gain insight into database services and individual options for support. Then, we dive into Azure DNS as a powerful global service to support name resolution by customizing business service access. A companion service is Azure Traffic Manager, which supports DNS routing client requests based on profiles needed for business criteria.

We discuss Azure Content Delivery Network (CDN) and how to configure it to cache data on edge servers to speed content to end users and improve customer experience. We give insight into the Azure Batch service for scheduling and managing a compute platform and automatically scaling job size. Finally, you learn how Azure Private Link service supports a private connection from a virtual network to Azure PaaS services using a private endpoint.

This overview chapter skims topics that are key to support projects that your business wants to leverage. You learn about the PaaS service and then dive deeper into this topic with hands-on exercises in other chapters in this book.

Azure Web Apps

You may have many developers in your company—each with their own opinion on which software platform is best; however, the Azure App Service platform supports a wide variety of software choices. Azure Web Apps describes a managed application that is running in the Azure App Service. Earlier options based on web and worker roles were a good start, but they limited instance size changes and brought other management complexities. Today, Azure App Service and Web Apps provide services that remove management complexity, deploy quickly, and offer a service plan to match any project budget.

The application framework support includes
  • .NET/.NET Core

  • Node.js

  • Java

  • PHP

  • Ruby

  • Python

Azure App Service’s advantages include global scaling to support security, compliance, and performance, which translates to easier maintenance. Azure App Service provides PaaS to support mobile back ends, RESTful APIs, and the ability to build and host web applications (a.k.a. Web Apps). The Azure portal supports creating a web app easily; however, you should be familiar with the service plans and their features to best support your application’s requirements.

Azure App Service is a traditional multitenant server deployment model. Your app service shares Hyper-V hosts with other Azure subscriptions. This is cost-effective, but Microsoft introduced several restrictions around scalability and security. This is a consideration for all the current service plans except the High-Performance, Security, and Isolation service plan. There is a free service plan that is limited to ten web or mobile app instances or APIs; however, it is the only plan that doesn’t support a custom domain name.

There are a few other service plan attributes to be aware of as you plan and design a web application deployment model. The Auto Scale feature is only available in the Standard, Premium, and Isolated pricing models.

The last feature is hybrid (VPN) connectivity. In the App Service platform, Hybrid Connections use the Hybrid Connection Manager (HCM) and a Service Bus relay configuration so that the app can reach application resources in other networks. This feature does not open a “side channel” into your application.

Azure Database Services

Microsoft Azure has a database-as-a-service offering that is more than Microsoft SQL Server. Popular hosted business database services include MySQL, MariaDB, and PostgreSQL. There are also other Azure services to help with access and migration. The Microsoft SQL services include two offerings: SQL Managed Instance and Azure SQL Database.

The hardware, OS upgrades, and system configuration are included in the cloud services, so those requirements are removed from the traditional work of an IT Operations team or database administrators (DB Admin). The methods to maintain or gain high availability, disaster recovery, backup, and query performance insight are additional services that need to be configured and enabled.

Azure SQL Database is a multitenant database service. Microsoft services include supporting the network, storage, Hypervisor, and the hardware that a cloud provides with managed services. Upgrades are also included with SQL Database.

Azure SQL Database supports business applications and can be deployed using any of the following three configurations.
  • Elastic pool

  • Single

  • Managed instance

You have the option to choose either a virtual core (vCore) or a database transaction unit (DTU). These options are important because they apply to specific Azure SQL database deployment models. The vCore purchasing model allows a choice between a compute tier and a serverless compute tier. You should spend time learning the differences between deployment models as they relate to vCore and DTU.
  • Single, elastic pool deployment options in Azure SQL Database offer both DTU and vCore

  • Managed instance options in Azure SQL Database only offer vCore

  • The Hyperscale service tier is available for vCore

Before you review the database table limits of the Basic, Standard, and Premium tiers, you should first understand the formula used as part of the DTU cost model. The DTU and elastic DTU (eDTU) have benchmarks that include virtual computer characteristics, such as CPU, memory, and IO (input/output). The vCore purchasing model for a SQL Server managed instance supports Azure virtual machines (refer to Chapter 10) on Gen4 and Gen5 Hyper-V hosts. Additional processor chip sets include the Haswell and Broadwell CPUs. Performance and security are always common areas of concern. You should understand the Azure SQL tier models to gain understanding of the total cost.

You should also become familiar with the options available in the Microsoft migration tools. You can test a migration process with the included guidance to select a database and see the recommended migration to Azure (i.e., SAP migration to Azure SQL Database or SQL Server). In addition to guidance, there are six services that help with migration:
  • Data access toolkit: A Visual Studio Code extension for Java and .NET source code

  • Experimentation Assistant: Evaluates a specific version of SQL

  • Migration Assistant: A tool to assess the source SQL database for potential compatibility issues

  • Server Migration Assistant: For sources other than SQL Database

  • Azure Database Migration: Migrates multiple sources to the cloud platform (end to end)

  • Azure Migrate: A hub for tracking all stages of a migration

Azure DNS

Azure DNS provides global name resolution using the Microsoft Azure cloud-native infrastructure. DNS (Domain Name System) has been an essential function of the Internet since the mid-1980s. This network service is responsible for assigning domain names (easy-to-remember names) to Internet resources. It is most often used to provide the principal namespace for an Internet Protocol (IP) subnet.

DNS uses a database back end to store relevant records and support lookup of most record types, including
  • Start of Authority (SOA)

  • IP address (A for IPv4, AAAA for IPv6)

  • Mail exchange (MX)

  • Reverse DNS lookups (PTR)

  • Domain aliases (CNAME)

Microsoft supports customized domain name integration, which includes features that support purchasing a domain name using the Azure App Service Domains page. Azure DNS supports controlled access to manage DNS services through role-based access control (RBAC). Azure DNS writes to activity logs, which aid troubleshooting, and it supports Azure resource locks. Azure locks prevent subscriptions, resource groups, or individual resources (e.g., a VM) from being accidentally modified. Locks support two settings: cannot delete and read-only.

Azure DNS services support internal Azure Private DNS services and external resources outside of your Azure subscription. Pricing information is based on two metrics: the number of DNS zones and the number of queries.
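Before a zone with the record types listed above is pushed to a hosted DNS service, it is worth checking it for the mistakes that are easy to make by hand. The following is an added example, not the book's code and not Azure DNS's own validation: the zone text is constructed inline (two records are deliberately wrong), and the checks are generic DNS rules: valid address data for A and AAAA, exactly one SOA, no CNAME alongside other records at the same name, and PTR names only in reverse zones.

```python
"""Sanity-check a small zone made of SOA, A, AAAA, MX, PTR and CNAME records.

Added example; the zone below is constructed and the rules are generic DNS
rules, not anything specific to Azure DNS.
"""
import ipaddress

SUPPORTED_TYPES = {"SOA", "A", "AAAA", "MX", "PTR", "CNAME"}

# Constructed sample zone, one record per line: name TTL type data...
# The www CNAME/A pair and the 999.1.1.1 address are deliberately wrong.
SAMPLE_ZONE = """\
; example-biz.test is a constructed zone used only for this example
example-biz.test.          3600 SOA   ns1.example-biz.test. hostmaster.example-biz.test. 2020010101 3600 900 1209600 300
example-biz.test.          3600 A     203.0.113.10
www.example-biz.test.      3600 CNAME example-biz.test.
www.example-biz.test.      3600 A     203.0.113.11
example-biz.test.          3600 MX    10 mail.example-biz.test.
mail.example-biz.test.     3600 AAAA  2001:db8::25
10.113.0.203.in-addr.arpa. 3600 PTR   example-biz.test.
bad.example-biz.test.      3600 A     999.1.1.1
"""


def parse_zone(text):
    """Turn zone lines into (name, ttl, rtype, data-fields) tuples; ';' starts a comment."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, ttl, rtype, *data = line.split()
        records.append((name.lower(), int(ttl), rtype.upper(), data))
    return records


def _valid_address(value, cls):
    """True if value parses as the given ipaddress class (IPv4Address or IPv6Address)."""
    try:
        cls(value)
        return True
    except ValueError:
        return False


def validate_zone(records):
    """Return a list of human-readable problems; an empty list means the zone is clean."""
    problems = []
    types_at_name = {}
    for name, _ttl, rtype, data in records:
        types_at_name.setdefault(name, set()).add(rtype)
        first = data[0] if data else ""
        if rtype not in SUPPORTED_TYPES:
            problems.append(f"{name}: unsupported record type {rtype}")
        elif rtype == "A" and not _valid_address(first, ipaddress.IPv4Address):
            problems.append(f"{name}: A data {first!r} is not an IPv4 address")
        elif rtype == "AAAA" and not _valid_address(first, ipaddress.IPv6Address):
            problems.append(f"{name}: AAAA data {first!r} is not an IPv6 address")
        elif rtype == "MX" and not (len(data) == 2 and data[0].isdigit()):
            problems.append(f"{name}: MX needs '<preference> <mail host>', got {data}")
        elif rtype == "PTR" and not name.endswith((".in-addr.arpa.", ".ip6.arpa.")):
            problems.append(f"{name}: PTR record outside a reverse zone")
        elif rtype == "SOA" and len(data) != 7:
            problems.append(f"{name}: SOA needs 7 fields (mname rname serial refresh retry expire minimum)")
    # A CNAME must be the only record at its name (RFC 1034 section 3.6.2).
    for name, types in types_at_name.items():
        if "CNAME" in types and len(types) > 1:
            others = sorted(types - {"CNAME"})
            problems.append(f"{name}: CNAME cannot coexist with other records {others}")
    soa_count = sum(1 for r in records if r[2] == "SOA")
    if soa_count != 1:
        problems.append(f"zone must contain exactly one SOA record, found {soa_count}")
    return problems


if __name__ == "__main__":
    for problem in validate_zone(parse_zone(SAMPLE_ZONE)):
        print(problem)
```

Running the block reports the two planted defects (the CNAME/A conflict at www and the malformed A record) and nothing else; the PTR, MX, AAAA and SOA records pass.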

Azure Traffic Manager

Azure Traffic Manager is a DNS-based component that supports high availability by distributing client traffic across your Azure regional workloads. Traffic Manager uses DNS to direct end-user or client requests based on your preferred routing policy. No TCP/IP traffic flows through Azure Traffic Manager; it only routes the request to the appropriate endpoint based on the profile. It is not a proxy or gateway, so the traffic is only redirected between the endpoints.

Supported traffic can be routed based on profiles, which support the requirements of the business or application, such as
  • Subnet

  • Priority

  • Geographic

  • Performance

  • Weighted

  • Multivalue

Azure endpoints are publicly accessible URLs. An endpoint has a unique DNS CNAME to identify its mapping for Traffic Manager. A provisioned Traffic Manager profile name resembles the following.
ACloudBiz.trafficmanager.net

Traffic Manager identifies regions to respond to the DNS server request. The DNS resolvers provide the correct endpoint. The two main benefits are traffic distribution support and failover. Both benefits support the high availability of client services.

Before you deploy Traffic Manager, you need to have a public IP address (URL) in DNS for the probes used for redirecting traffic and a profile of the routing method. From the Azure portal, search the Traffic Manager profile, as shown in Figure 3-1.
Figure 3-1. The Azure portal to create a Traffic Manager profile

Once the profile is created, use the Azure portal to review the Traffic Manager settings, as shown in Figure 3-2. It shows the current profile status and settings, which can be changed using the Configuration icon on the left.
Figure 3-2. Configuration settings for Azure Traffic Manager

The endpoints are updated in the portal view to then efficiently route DNS traffic based on the “priority” selected in this example. It directs traffic to IP addresses that are associated with cloud services or on-premises networks. The DNS name is returned to the requesting client; however, if the endpoint is offline or degraded, the DNS name is not returned to the requesting client.
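The routing behaviour described above, as an added example that is not Traffic Manager's own code or API: a small simulation of the DNS answer a profile returns for three of the routing methods listed earlier (priority, weighted, performance), including the rule that an endpoint whose probe status is not Online is never handed to the client. As in the real service, the answer is the endpoint's own DNS name and the client then connects to it directly. Endpoint names, regions and the latency table are constructed for the example.

```python
"""Simulate the DNS answer an Azure Traffic Manager profile returns to a resolver.

Added example: models priority, weighted and performance routing and the
"unhealthy endpoints are not returned" rule. Names and latencies are constructed.
"""
import random
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str           # the endpoint's DNS name returned to the client
    status: str         # probe result: "Online", "Degraded", "Stopped", ...
    priority: int = 1   # priority method: lowest number wins
    weight: int = 1     # weighted method: share of answers
    region: str = ""    # performance method: Azure region hosting the endpoint


@dataclass
class Profile:
    dns_name: str         # e.g. acloudbiz.trafficmanager.net (constructed)
    routing_method: str   # "priority", "weighted" or "performance"
    endpoints: list
    ttl: int = 60         # DNS TTL on the answer


# Constructed latency table: ms from the resolver's source region to each endpoint region.
LATENCY_MS = {
    "us-east": {"eastus": 5, "westus": 65, "westeurope": 90},
    "eu-west": {"eastus": 85, "westus": 140, "westeurope": 8},
}


def resolve(profile, client_region="us-east", rng=None):
    """Return (endpoint DNS name, ttl); the name is None when no endpoint is Online."""
    healthy = [e for e in profile.endpoints if e.status == "Online"]
    if not healthy:
        return None, profile.ttl
    method = profile.routing_method.lower()
    if method == "priority":
        chosen = min(healthy, key=lambda e: e.priority)
    elif method == "weighted":
        rng = rng or random.Random()
        chosen = rng.choices(healthy, weights=[e.weight for e in healthy], k=1)[0]
    elif method == "performance":
        latency = LATENCY_MS[client_region]
        chosen = min(healthy, key=lambda e: latency.get(e.region, float("inf")))
    else:
        raise ValueError(f"routing method {profile.routing_method!r} is not modelled here")
    return chosen.name, profile.ttl


def sample_weighted(profile, n=2000, seed=7):
    """Draw n answers with a fixed seed; returns {endpoint name: count} to inspect the split."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n):
        name, _ = resolve(profile, rng=rng)
        counts[name] = counts.get(name, 0) + 1
    return counts


def demo():
    """Priority profile failing over once the primary's probe reports Degraded."""
    primary = Endpoint("app-eastus.example.test", "Online", priority=1, region="eastus")
    backup = Endpoint("app-westus.example.test", "Online", priority=2, region="westus")
    profile = Profile("acloudbiz.trafficmanager.net", "priority", [primary, backup])
    first = resolve(profile)[0]
    primary.status = "Degraded"   # probe failed: its name must no longer be answered
    second = resolve(profile)[0]
    return first, second


if __name__ == "__main__":
    print(demo())
```

The simulation keeps the TTL short on purpose: after a failover, clients keep using a cached answer until the TTL expires, so the TTL bounds how long a degraded endpoint keeps receiving traffic.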

The most effective use of Azure Traffic Manager supports Azure georedundant Active Directory Federation Services (AD FS). Azure supports Transport Layer Security (TLS) and the management of SSL certificates for custom domains with DNS.

Content Delivery Network

You want to deliver web services and content (e.g., video files) efficiently and with the best user experience and fastest response times. The Azure Content Delivery Network (CDN) uses point-of-presence (POP) edge server repositories to store content and minimize network latency.

CDN servers enable content delivery and are globally available across Azure regions. Before you can create a CDN profile, you must register the Microsoft CDN resource provider in your Azure subscription. Register the CDN service in the Azure portal, select your subscription, and locate Microsoft.Cdn, as shown in Figure 3-3.
Figure 3-3. Azure portal registers Azure CDN services in an Azure subscription

Once the service is registered, you can create a CDN profile to choose the specific collection of endpoints for that specific profile service, as shown in Figure 3-4.
Figure 3-4. Azure portal view to create a CDN profile

Note

Pricing information for CDN Standard, which varies by region, is at https://azure.microsoft.com/en-us/pricing/details/cdn/.

A CDN profile enables a better customer experience, which fosters recurring customers. The Azure CDN can deliver better performance through high-bandwidth network caching. The first user that requests a piece of content (e.g., a video) sends a request that is served from the origin server, which can incur latency due to network distance. The content is then cached on the edge servers at a POP location near the end user. The second user that requests the same content does not incur the same network latency, because they pull the content from the cached copy at the POP location nearest to them.
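The first-miss, second-hit behaviour just described, as an added example that is not Azure CDN's own logic: a model of per-POP caches in front of a constructed origin. Besides the latency point, it keeps two rules every shared edge cache has to honour, which is where the security caveat sits: a response is kept only for the max-age the origin allows, and a response the origin marks private or no-store (a user-specific page) is never stored on the edge where the next user at that POP could receive it. Origin paths, bodies and POP names are constructed.

```python
"""Model how CDN point-of-presence (POP) caches serve repeated requests.

Added example, not Azure CDN's implementation. Each POP has its own cache;
Cache-Control from the origin decides whether and for how long it may keep a copy.
"""
import re

# Constructed origin content: path -> (body, Cache-Control header from the origin).
ORIGIN = {
    "/video/intro.mp4": ("<intro video bytes>", "public, max-age=3600"),
    "/account/statement": ("<user-specific statement>", "private, no-store"),
}


def parse_max_age(cache_control):
    """Seconds the edge may keep the response; 0 when it must not be stored on a shared cache."""
    directives = {d.strip().lower() for d in cache_control.split(",")}
    if "private" in directives or "no-store" in directives:
        return 0
    match = re.search(r"max-age=(\d+)", cache_control)
    return int(match.group(1)) if match else 0


class Pop:
    """One edge location with its own cache keyed by request path."""

    def __init__(self, name):
        self.name = name
        self.cache = {}          # path -> (body, expires_at)
        self.origin_fetches = 0  # how often this POP had to go back to the origin

    def get(self, path, now):
        """Serve path at time 'now'; returns (body, "HIT" or "MISS")."""
        entry = self.cache.get(path)
        if entry and entry[1] > now:
            return entry[0], "HIT"
        body, cache_control = ORIGIN[path]   # cache miss or expired: fetch from origin
        self.origin_fetches += 1
        ttl = parse_max_age(cache_control)
        if ttl > 0:                          # private/no-store responses are never stored
            self.cache[path] = (body, now + ttl)
        return body, "MISS"


def trace(requests):
    """requests: iterable of (pop_name, path, time_seconds); returns the HIT/MISS outcome per request."""
    pops = {}
    outcomes = []
    for pop_name, path, t in requests:
        pop = pops.setdefault(pop_name, Pop(pop_name))
        _, outcome = pop.get(path, t)
        outcomes.append(outcome)
    return outcomes


if __name__ == "__main__":
    # Constructed request sequence: two users at one POP, a third at another, then expiry.
    print(trace([
        ("seattle", "/video/intro.mp4", 0),
        ("seattle", "/video/intro.mp4", 10),
        ("amsterdam", "/video/intro.mp4", 20),
        ("seattle", "/video/intro.mp4", 4000),
        ("seattle", "/account/statement", 0),
        ("seattle", "/account/statement", 1),
    ]))
```

The second request at the same POP is a hit, the first request at a different POP is a miss (each POP warms its own cache), the request after max-age expires goes back to the origin, and the private statement is a miss every time because it is never cached.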

Note

POP locations are key to setting up the correct CDN profile. The current coverage map is at https://docs.microsoft.com/en-us/azure/cdn/cdn-pop-locations.

Azure Batch

A batch job (or batches of jobs) enables large jobs or multiple transactions to be part of a single group by using a pool of computers. With Microsoft Azure Batch, you don’t need special hardware or dedicated virtual machines. In fact, pooling the computers is automated through the Batch API, the Azure portal, or the CLI.

You only pay for the virtual machines (VM), data storage, and network traffic that run the parallel workloads. There is no cost for running individual batch jobs. Virtual machine prices vary, so you should choose a lower-sized VM to reduce costs. Another tip is to use low-priority VMs for Batch pools, because those pools are allocated from Azure’s overall surplus capacity.

If you have large requirements for batch processes, large VMs are available from the underlying VM pool; you don’t have to use inexpensive systems. Large-scale batch jobs run in parallel and use high-performance computing (HPC). The batch command-line tools include PowerShell cmdlets and the Azure CLI. For more functionality, you can use the Azure portal to review job stats and performance data.

You can also use new tools for reviewing batch processes from GitHub, such as Azure Batch Explorer (see https://azure.github.io/BatchExplorer/).

Azure Private Link

Azure Private Link is a newer service that allows connectivity to PaaS services by using an IaaS virtual network (vNET) as the endpoint. This provides the workload a private IP address instead of a public IP address, and hence, connectivity to the workload over Azure VPN tunnels or ExpressRoute private peering. The service ties a PaaS service over its public IP address to the customer’s virtual network over the Microsoft Azure backbone network. This means no “hair-pinning” of traffic over VPN or ExpressRoute to get the public IP address to talk to the private virtual network.

Services evolve on an almost daily schedule; however, Azure Private Link is only available for Azure Storage, Azure Cosmos DB, and Azure SQL Database. These are likely the three most used PaaS services in Azure. Azure Private Link can protect against data leakage because only an instance of a PaaS service is made available, not the entire service.

Network connectivity in Azure utilizes Microsoft virtual networks, and traffic is not routed over other network provider resources. To maintain a private connection between your applications deployed in different Microsoft Azure regions, you can deploy Private Link. You may think the network access is only to and from Microsoft Azure resources, but that is not the case.

Private Link is a service used with the Azure Standard load balancer; it also supports the Azure private endpoint. Azure deployments have leveraged the Private Link service to connect to Azure PaaS services like Azure Storage. Azure subscriptions can securely connect to on-premises networks and Azure partner services by using a private endpoint.

You do not need to expose a public IP address to the Internet to connect; with an Azure private endpoint, the IP address uses Azure Private Link services. Private Link is generally available in Azure regions and can be easily created from the portal, as shown in Figure 3-5.
Figure 3-5. Use the Azure portal to create an Azure Private Link

Private Link provides connectivity using the Azure network to connect securely to Azure partner network services. You also have the choice to connect to your company’s own service across a VPN or ExpressRoute (see Chapter 9). The Private Link platform supports the connection between a service provider and an Azure consumer.

Private endpoints supported by a VPN or ExpressRoute can connect directly using private links running over the VPN or ER. Another security feature is the risk reduction of data leakage. Mapping of PaaS services to specific user access can be blocked. Private Link features continue to be enhanced.
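The point made in this section is that with Private Link the workload gets a private IP address for the PaaS service instead of its public one. Whether that actually happens is decided by name resolution: if the service name still resolves to the public address inside the virtual network, the traffic is not using the private endpoint regardless of what was provisioned. The following added example (not the book's code and not an Azure API) checks that, with the resolver answers supplied as a constructed table standing in for what the application's DNS would return. The account names, the private DNS zone names, the VNet address space and the addresses are all constructed.

```python
"""Check whether a PaaS endpoint name resolves to a private endpoint inside the VNet.

Added example with constructed resolver data; a real audit would replace RESOLVER
with answers obtained from a resolver inside the virtual network.
"""
import ipaddress

# Constructed VNet address space from which the private endpoint's NIC gets its IP.
VNET_PREFIXES = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed resolver data: name -> (record type, target). The first account has a
# private endpoint whose private DNS zone is linked to the VNet; the second still
# ends at a public address because its private zone was never linked.
RESOLVER = {
    "goodacct.blob.core.windows.net": ("CNAME", "goodacct.privatelink.blob.core.windows.net"),
    "goodacct.privatelink.blob.core.windows.net": ("A", "10.20.1.4"),
    "publicacct.blob.core.windows.net": ("CNAME", "publicacct.privatelink.blob.core.windows.net"),
    "publicacct.privatelink.blob.core.windows.net": ("A", "203.0.113.7"),
    "loop.example.test": ("CNAME", "loop.example.test"),   # constructed misconfiguration
}


def resolve_chain(name, resolver=RESOLVER, max_hops=8):
    """Follow CNAMEs until an A record; returns (ip or None, list of names visited)."""
    chain = [name]
    for _ in range(max_hops):
        rtype, target = resolver.get(name, (None, None))
        if rtype == "A":
            return target, chain
        if rtype != "CNAME" or target in chain:
            return None, chain          # unknown name or CNAME loop
        name = target
        chain.append(name)
    return None, chain                  # too many hops


def classify(name, resolver=RESOLVER, vnet_prefixes=VNET_PREFIXES):
    """'private' if the final address lies in the VNet, 'public' if not, 'unresolved' otherwise."""
    ip, _chain = resolve_chain(name, resolver)
    if ip is None:
        return "unresolved"
    addr = ipaddress.ip_address(ip)
    # Check against the VNet's own prefixes rather than addr.is_private: any RFC 1918
    # address would pass is_private, but only an address from the VNet is the endpoint.
    return "private" if any(addr in prefix for prefix in vnet_prefixes) else "public"


def audit(names, resolver=RESOLVER, vnet_prefixes=VNET_PREFIXES):
    """Classify every service name an application depends on; returns {name: verdict}."""
    return {n: classify(n, resolver, vnet_prefixes) for n in names}


if __name__ == "__main__":
    for name, verdict in audit(["goodacct.blob.core.windows.net",
                                "publicacct.blob.core.windows.net",
                                "loop.example.test"]).items():
        print(f"{verdict:10s} {name}")
```

Any name that comes back as public is a workload that is still reaching the service over its public address; treating that verdict as a deployment failure is what turns Private Link's data-leakage protection from a provisioning step into something you can verify.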

Summary

In this chapter, you learned about the Azure App Service for mobile back ends, APIs, and web app services with a global platform as a service (PaaS) solution. There are service tiers to support your application requirements, as well as the ability to leverage other PaaS Azure services. You were introduced to Azure database services and the many tools to help migrate databases to an Azure-hosted DB platform.

You gained insight into Azure DNS as a global service for client and server connectivity. You learned that Azure Traffic Manager redirects DNS requests to a nearby endpoint to reduce latency, or it can be used in failover mode. You learned that the Azure Content Delivery Network (CDN) is a global service that supports caching on Azure edge systems to speed up content delivery to clients. You gained insight into Azure Batch services, and you learned about Azure Private Link services, including private endpoints.
