Azure availability zones vs availability sets

Availability Zones in Azure place VMs and services in physically separate datacenters within a region, each with its own power, cooling and networking, so a failure in one zone does not take down the others. This creates a design decision for new Azure projects and prompts a revisit of existing designs that rely on Availability Sets.

I’m not going to list all the services or regions that support Zones, as this is constantly changing; it’s summarised here: https://docs.microsoft.com/en-us/azure/availability-zones/az-overview However, at the time of writing, not all regions support Availability Zones. If your desired region does not support them yet it is likely on the roadmap, but it does limit your options for the time being. The first Azure services to support Zones were VMs, Disks, Public IPs and Load Balancers, clearly geared towards the IaaS market. Since then many of the PaaS services have onboarded to support Zones.

Availability SLA

I think it’s fair to say that if the region you’re deploying to supports Availability Zones, then use them! VMs spread across Availability Zones carry a higher SLA than VMs in an Availability Set: 99.99% vs 99.95%. Many of the Azure PaaS services are now being enabled for Zones by becoming “Zone Redundant”.

Placement

VM Scale Sets support Zones natively: a zone-redundant scale set spreads its instances across the zones for you, so you don’t place them explicitly. For standalone VMs you are required to specify the Zone when the VM is created, and a Standard SKU public IP is needed if you want the IP pinned to that zone. With Availability Sets, Azure handled placement automatically across fault and update domains based on the set’s properties.

Disk storage

Availability Zones require Managed Disks, whereas VMs in Availability Sets could choose between Managed or Unmanaged disks. I won’t go into the pros and cons of disk storage now, but my rule of thumb is that most VMs should use Managed Disks.
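As an added example (not code from the original post), here is what the explicit placement and the Managed Disk requirement from the two sections above look like together in Azure PowerShell: one standalone VM deployed into each of three zones, verified afterwards. The resource group, region, image, VM size and credentials are assumptions for illustration; the region must be one that supports Zones.

```powershell
# Added example (not code from the original post): deploy one standalone VM into each
# Availability Zone with Managed Disks, using the AzureRm cmdlets. The resource group,
# region, image and sizes are assumptions for illustration; pick a region that supports Zones.
$rg       = "rg-zones-demo"
$location = "uksouth"               # assumed: a region with Availability Zones
$zones    = @("1", "2", "3")
$cred     = Get-Credential -Message "Local admin credentials for the VMs"

New-AzureRmResourceGroup -Name $rg -Location $location -Force | Out-Null

$subnet = New-AzureRmVirtualNetworkSubnetConfig -Name "default" -AddressPrefix "10.0.0.0/24"
$vnet   = New-AzureRmVirtualNetwork -ResourceGroupName $rg -Name "vnet-zones" -Location $location `
            -AddressPrefix "10.0.0.0/16" -Subnet $subnet

foreach ($zone in $zones) {
    # A public IP pinned to a zone has to be the Standard SKU (Basic cannot be zonal).
    # Standard SKU IPs are closed to inbound traffic until an NSG allows it, which suits a demo.
    $pip = New-AzureRmPublicIpAddress -ResourceGroupName $rg -Name "pip-z$zone" -Location $location `
             -Sku Standard -AllocationMethod Static -Zone $zone

    $nic = New-AzureRmNetworkInterface -ResourceGroupName $rg -Name "nic-z$zone" -Location $location `
             -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id

    # -Zone is the explicit placement a standalone VM needs; nothing spreads it for you.
    # Omitting -VhdUri on Set-AzureRmVMOSDisk gives the VM a Managed Disk, which zonal VMs require.
    $vm = New-AzureRmVMConfig -VMName "vm-z$zone" -VMSize "Standard_DS1_v2" -Zone $zone |
          Set-AzureRmVMOperatingSystem -Windows -ComputerName "vmz$zone" -Credential $cred |
          Set-AzureRmVMSourceImage -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" `
              -Skus "2016-Datacenter" -Version "latest" |
          Add-AzureRmVMNetworkInterface -Id $nic.Id |
          Set-AzureRmVMOSDisk -Name "osdisk-z$zone" -CreateOption FromImage

    New-AzureRmVM -ResourceGroupName $rg -Location $location -VM $vm | Out-Null
}

# Verify the placement: each VM should report the zone it was pinned to and a managed OS disk
Get-AzureRmVM -ResourceGroupName $rg |
    Select-Object Name, `
        @{ Name = "Zone";          Expression = { $_.Zones -join "," } }, `
        @{ Name = "ManagedOsDisk"; Expression = { $null -ne $_.StorageProfile.OsDisk.ManagedDisk } }
```

Note that there is no `-Zone` on `New-AzureRmAvailabilitySet`: a VM is either in an Availability Set or pinned to a Zone, not both, which is why the move from sets to zones is a design change rather than a flag flip.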

Cost

Availability Zones do carry an extra cost when compared to Availability Sets: not for the VM compute, but for bandwidth. Data transferred between zones is charged at $0.01 per GB in and out of the Zone. It’s a pretty minimal charge when you think about it, and really it’s the price of the extra 0.04 percentage points of SLA (99.99% vs 99.95%). Still, it’s worth including when you’re designing your architecture.

Cloud Solution Architect at Microsoft in the UK.

Preparing for the Microsoft Azure AZ-202 exam (70-532 Developer Migration)

So I’ve been preparing for the new AZ-202 exam, and the first place you should always start is looking at the exam objectives. I generally parse them and see what I might need to brush up on (if I’m taking an exam it’s usually because I think I already know the subject quite well).

Exam Objective Scrape

Given half a chance, I always go to automate everything, and this was no exception: when I noticed we’d restyled the exam pages, the PowerShell came out.

It scrapes the contents of the exam page and creates a CSV file with links to find documentation on the exam topics.

I then apply the standard Microsoft levels to say which subject areas I’m confident in, add some conditional formatting to make it look nice, and I’ve got my revision prep list ready to go.
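The post’s own script isn’t reproduced on the page, so here is an added example (mine, not the author’s) of the same idea: fetch the exam page, pull out the objective lines, and write a CSV with a documentation search link and an empty Level column to fill in with the 100-400 self-assessment. The exam URL, the assumption that objectives render as `<li>` items, and the use of a Bing `site:` search for the documentation link are all mine; adjust the pattern to the page’s actual markup.

```powershell
# Added example, not the post's own script: scrape objective lines from an exam page and
# write a CSV of revision topics with a documentation search link per topic.
# The URL and the <li> assumption are illustrative; adjust the regex to the page's markup.
param(
    [string]$ExamUrl = "https://www.microsoft.com/en-us/learning/exam-az-202.aspx",  # assumed URL
    [string]$OutFile = ".\az-202-objectives.csv"
)

$html = (Invoke-WebRequest -Uri $ExamUrl -UseBasicParsing).Content

$topics = [regex]::Matches($html, '<li[^>]*>(.*?)</li>', 'Singleline') |
    ForEach-Object {
        # strip nested tags, collapse whitespace, decode entities such as &amp;
        $text = ($_.Groups[1].Value -replace '<[^>]+>', '') -replace '\s+', ' '
        [System.Net.WebUtility]::HtmlDecode($text).Trim()
    } |
    Where-Object { $_.Length -gt 15 } |     # drop short navigation items
    Select-Object -Unique

$topics | ForEach-Object {
    [pscustomobject]@{
        Topic      = $_
        Level      = ""      # fill in by hand: 100 (aware) .. 400 (expert)
        DocsSearch = "https://www.bing.com/search?q=" + [uri]::EscapeDataString("site:docs.microsoft.com $_")
    }
} | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

Write-Host "Wrote $(@($topics).Count) topics to $OutFile"
```

Open the CSV in Excel, fill in the Level column, and the conditional formatting described above does the rest.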

So what was the AZ-202 like?

I took the AZ-202 in Beta in order to provide feedback to the exam team for when the exam goes live. The format of the exam is much the same as all the other Microsoft exams I’ve taken: a mix of case-study focused questions, a set of questions you can’t hit previous on, and a bulk of general questions with different answer formats.

The quality of the exam questions, even in Beta was really high. I only commented on about 10% of the questions, the rest were sufficiently clear in their phrasing and testing strategy.

The AZ-202 is the migration exam for the 70-532 exam, and I can tell you – it felt much harder. Microsoft exams getting harder can only be a good thing; it means that holding the associated certification is seen to be of higher value. What really struck me was the depth some of the questions went to. I can’t speak about specifics for obvious reasons, but the exam felt like it was really trying to test for practical knowledge of “has this person actually done this” rather than “has this person read about this and mostly understands it”.

My revision strategy is minimal to say the least. I broadly think that exams should test what you already know, and you shouldn’t dedicate a bunch of time to prepare for an exam in a subject you’re not confident in. True to my self-assessment (the 100-400 levels above), the areas I was weakest in were the IoT questions. This is the other good thing about exam certification: there will ultimately be a couple of areas you’ll need to brush up on to round out your knowledge.

Producing animated gifs on Windows 10

I’ve had a real struggle trying to find capable apps for Windows 10 that do a decent job of taking screengrabs and producing an animated GIF. I read and followed several comparison guides, and they led to quite a poor experience.

I’m going to be pretty prescriptive in my recommendations: two tools, one for capturing a persistent screen region to file with minimum fuss, and the other for producing a nice animated GIF with variable delays and a slick editing experience.

Screen capture

It’s really easy in Windows 10 to capture the whole screen to a file with Windows+PrintScreen. However, when you’re trying to make a GIF at a specific resolution, or even just of one window, you need a third-party tool. Lightshot is that tool: it’s free, simple to use, and has just the features needed without bloatware or advertising.

You can see some of the Lightshot tools in the image above, but by far the most important is that once the screen region is set it persists for future screengrabs and saves straight to file.

Animated Gif Production

Now that you’ve got a nice set of image files in a directory, the task of creating the GIF begins.
ScreenToGif is an open-source project that does an awesome job. For my purposes I’m going to focus on the editor capabilities; it does also have a capture mode, but that doesn’t align with what I need from it.

The editor gives the ability to tweak the order of the images and the delays and transitions between them, and it works nicely with high-res images. The project also saves as an STG file, which means you can return to it at any time.
The last feature I find really handy is the ability to draw on the image inside ScreenToGif; it means I can quickly annotate the screengrab and save it.

To see an example of what the final version looks like, check this out.
https://animated.azurewebsites.net/managedidentity.htm

Auditing the use of Managed Service Identity in Azure

Managed Identity in Azure quite simply provides an Azure AD-backed identity for your Web App or Virtual Machine, so it can authenticate to other Azure services without you explicitly provisioning or storing credentials.

The range of Azure services you can communicate with is growing. For the sake of this blog post we’re not going to focus on a specific service; instead we’ll query the control plane to find all the RBAC assignments that have been set up for our Managed Identity. Please note that the script and example are all focused on App Service, not a VM.

Switching it on

Turning on Managed Identity for a Web App you’ve published to Azure is easy. Navigate to the Web App, under Settings you’ll find Managed Service Identity, then flip the toggle on before hitting Save.

This is what happens under the covers: the app gets a GUID assigned as its PrincipalId (its object ID in Azure AD), which should be familiar to those working with ApplicationIds and Service Principals. That PrincipalId is what you grant RBAC roles and Key Vault access policies to.

Toggling it

If you remove the Managed Identity from the app and then switch it back on again, a new PrincipalId is generated, and any permissions you’d granted the old identity on other Azure services are gone. Every RBAC assignment and Key Vault access policy has to be re-created for the new PrincipalId.

Auditing the Identity permissions

In an ideal world you’ll have a deployment script that grants your Web App or VM the least privilege it needs on its dependent services; however, having a way of auditing a deployed application’s permissions is going to be helpful in getting to that state. The script I’ve made looks at:

  • All Web Apps in your Azure subscription
  • RBAC assignments for each Web App’s identity
  • All Key Vaults, for access policies that grant the identity permissions

The script: https://github.com/Gordonby/Snippets/blob/master/Powershell/Get-ManagedIdentityAssignments.ps1

The script populates two arrays with the pertinent information that you want to capture. From these arrays you can then start building a script that would restore the permissions in a failure scenario, such as the identity having been toggled off and on.
Here’s what they look like:
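As an added example, and not the script linked above, the following does the same three things in AzureRm PowerShell and then goes one step further: it flags the obvious least-privilege misses and writes out a restore script. Because toggling the identity mints a new PrincipalId, the restore script resolves the current PrincipalId at run time rather than hard-coding the old one. It assumes the AzureRm module with a subscription already selected; the output file name is mine.

```powershell
# Added example (not the script linked above): audit the RBAC assignments and Key Vault
# access policies held by every Web App's Managed Identity, flag over-broad grants, and
# write a restore script that re-applies them after the identity has been toggled.
# Assumes the AzureRm module with a subscription already selected (Login-AzureRmAccount).
$rbacFindings = @()
$kvFindings   = @()

# The list form of Get-AzureRmKeyVault omits access policies, so fetch each vault in full once
$vaults = Get-AzureRmKeyVault | ForEach-Object { Get-AzureRmKeyVault -VaultName $_.VaultName }

foreach ($app in Get-AzureRmWebApp) {
    $principalId = $app.Identity.PrincipalId
    if (-not $principalId) { continue }   # Managed Identity is not switched on for this app

    # Toggling the identity mints a new PrincipalId, so the restore script looks it up at run time
    $lookup = "(Get-AzureRmWebApp -ResourceGroupName '$($app.ResourceGroup)' -Name '$($app.Name)').Identity.PrincipalId"

    foreach ($ra in Get-AzureRmRoleAssignment -ObjectId $principalId) {
        $rbacFindings += [pscustomobject]@{
            WebApp      = $app.Name
            PrincipalId = $principalId
            Role        = $ra.RoleDefinitionName
            Scope       = $ra.Scope
            Lookup      = $lookup
        }
    }

    foreach ($vault in $vaults) {
        foreach ($policy in @($vault.AccessPolicies | Where-Object { $_.ObjectId -eq $principalId })) {
            $kvFindings += [pscustomobject]@{
                WebApp      = $app.Name
                PrincipalId = $principalId
                Vault       = $vault.VaultName
                KeyPerms    = ($policy.PermissionsToKeys -join ",")
                SecretPerms = ($policy.PermissionsToSecrets -join ",")
                CertPerms   = ($policy.PermissionsToCertificates -join ",")
                Lookup      = $lookup
            }
        }
    }
}

$rbacFindings | Format-Table WebApp, Role, Scope -AutoSize
$kvFindings   | Format-Table WebApp, Vault, KeyPerms, SecretPerms, CertPerms -AutoSize

# Least-privilege checks. A resource-level scope always contains "/providers/"; a powerful
# built-in role at resource group or subscription scope is almost never what a web app needs.
$rbacFindings |
    Where-Object { $_.Role -in @("Owner", "Contributor", "User Access Administrator") -and $_.Scope -notmatch "/providers/" } |
    ForEach-Object { Write-Warning "$($_.WebApp): '$($_.Role)' at $($_.Scope) is broader than a single resource" }
$kvFindings |
    Where-Object { $_.SecretPerms -match "all|set|delete|purge" } |
    ForEach-Object { Write-Warning "$($_.WebApp): can modify secrets in vault $($_.Vault) ($($_.SecretPerms)); an app usually only needs get" }

# Restore script: one line per grant, with the new PrincipalId resolved when the script runs
$restore = @("# Generated $(Get-Date -Format u); re-applies Managed Identity grants after a toggle")
$restore += @($rbacFindings | ForEach-Object {
    "New-AzureRmRoleAssignment -ObjectId $($_.Lookup) -RoleDefinitionName '$($_.Role)' -Scope '$($_.Scope)'"
})
$restore += @($kvFindings | ForEach-Object {
    $perm = @()
    if ($_.KeyPerms)    { $perm += "-PermissionsToKeys $($_.KeyPerms)" }
    if ($_.SecretPerms) { $perm += "-PermissionsToSecrets $($_.SecretPerms)" }
    if ($_.CertPerms)   { $perm += "-PermissionsToCertificates $($_.CertPerms)" }
    "Set-AzureRmKeyVaultAccessPolicy -VaultName '$($_.Vault)' -ObjectId $($_.Lookup) $($perm -join ' ')"
})
$restore | Set-Content -Path ".\Restore-ManagedIdentityGrants.ps1"
Write-Host "Restore script written to .\Restore-ManagedIdentityGrants.ps1 ($($restore.Count - 1) grants)"
```

Run it before a planned toggle, keep the generated restore script with the deployment, and treat every warning as a prompt to narrow the grant to the single resource or the `get` permission the app actually uses.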

TemplateParameterObject Parameter in Azure Powershell New-AzureRmResourceGroupDeployment

If you’re initiating a deployment to Azure using an ARM template, you can use the TemplateParameterObject parameter of New-AzureRmResourceGroupDeployment to pass a hashtable containing the template’s parameters, instead of maintaining a separate parameters JSON file.

EG.

When you come to deploy the template using PowerShell, you can therefore run something like this.
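The post’s own template and command aren’t reproduced on the page, so here is an added example (mine, not the author’s) of the full round trip: a small template written to a temp file so the example is self-contained, a hashtable built in PowerShell with one value pulled from Key Vault as a SecureString, validation with Test-AzureRmResourceGroupDeployment, and then the deployment. Passing secrets this way keeps them out of a parameters file on disk and out of source control. The resource group, region, vault name, secret name and storage account details are assumptions.

```powershell
# Added example, not the post's own snippet: build a TemplateParameterObject hashtable,
# validate it against the template, then deploy. Names below are illustrative assumptions.
$rg        = "rg-demo"
$location  = "uksouth"
$vaultName = "kv-demo"          # assumed: existing vault the caller can read secrets from

# A minimal template written to a temp file so the example runs on its own. It declares a
# secureString parameter (unused by the storage account) purely to show the SecureString path.
$templateFile = Join-Path $env:TEMP "storage.json"
@'
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": { "type": "string" },
    "storageSku":         { "type": "string", "defaultValue": "Standard_LRS" },
    "adminPassword":      { "type": "secureString" }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2017-10-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "sku": { "name": "[parameters('storageSku')]" },
      "kind": "StorageV2",
      "properties": { "supportsHttpsTrafficOnly": true }
    }
  ]
}
'@ | Set-Content -Path $templateFile

# Secret read straight from Key Vault; SecretValue is already a SecureString, so it never
# exists as plain text in this script or in a parameters file
$adminPassword = (Get-AzureRmKeyVaultSecret -VaultName $vaultName -Name "vm-admin-password").SecretValue

# Hashtable keys must match the template's parameter names exactly (case-insensitive)
$params = @{
    storageAccountName = "st" + [guid]::NewGuid().ToString("N").Substring(0, 12)   # 3-24 lowercase alphanumerics
    storageSku         = "Standard_GRS"
    adminPassword      = $adminPassword
}

New-AzureRmResourceGroup -Name $rg -Location $location -Force | Out-Null

# Validate first: a missing or misnamed key is reported here before anything is created
$validationErrors = Test-AzureRmResourceGroupDeployment -ResourceGroupName $rg `
    -TemplateFile $templateFile -TemplateParameterObject $params
if ($validationErrors) {
    $validationErrors | Format-List
    throw "Template validation failed"
}

New-AzureRmResourceGroupDeployment -ResourceGroupName $rg `
    -Name "demo-$(Get-Date -Format yyyyMMddHHmm)" `
    -TemplateFile $templateFile -TemplateParameterObject $params `
    -Mode Incremental -Verbose
```

Because the hashtable is built at run time, the same script can take values from Key Vault, from environment variables on a build agent, or from the output of an earlier deployment, which is exactly the case where a static parameters file gets awkward.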