AZ900 Cert Prep :: Lesson 5 : Azure Compute and Networking Services

Let's get a few definitions out of the way before we get into the different types of compute services available in Microsoft Azure.

Compute : Any cloud service that uses CPU, memory etc.

Virtual Machines (VM) : A VM emulates an entire computer and runs on top of a physical host machine. A hypervisor (VMware ESXi, KVM, or Hyper-V, which is what Azure uses under the hood) allocates the host's CPU, memory and storage among the VMs. Each VM has its own OS and kernel and runs applications as if it were a separate physical machine. Because nothing above the hypervisor is shared, VMs give strong isolation between tenants, at the cost of duplicating a full OS per instance, which makes them resource intensive.

Docker : Docker is a platform and ecosystem that simplifies building, shipping and running applications as containers. Containers are lightweight, isolated and portable environments that share the host machine's OS kernel. Many containers can run on a single host, and each has its own isolated view of the system (file system, process tree, network interfaces), implemented with kernel namespaces and cgroups rather than a separate kernel. That is why Docker uses resources more efficiently and starts faster than a VM, and also why a kernel vulnerability is a shared risk for every container on the host.

Containers : A container is a running instance of an image. An image is essentially a layered archive (think of a zip file) holding the user-space pieces an application needs: the OS userland files, libraries, a database or web server, the app and its modules. Important note : although an image may "contain an OS", it only carries the user-mode components; the container runs on the host computer's kernel. So an image built for Linux can only run on a host with a Linux kernel (a Linux container on Windows or macOS actually runs inside a small Linux VM that Docker Desktop provides).

Here's the flow of how the application runs in the cloud :

To run the app you need a computer -> that computer has a container runtime (such as Docker) -> the runtime pulls the image from a registry (repo) -> the runtime starts it in an isolated environment (the container). In the VM case: you take the computer -> install the OS, the dependencies and the app -> you run it.

With the definitions cleared, here are the key compute types offered in Azure :

Azure Compute Types

Azure Virtual Machines

  • They make it easy to create a custom VM. You can choose from a variety of sizes and images.
  • It is an IaaS service, so it's up to you to set up the OS, install all the dependencies and deploy the app; patching and hardening the guest OS stays your responsibility too.

Azure Container Instances

  • You point ACI at an image and it runs it in a container; you don't create a VM or configure any infrastructure.
  • You only pay for the memory and CPU used by your container while it runs.
  • Use a container group if you want to run multiple containers together in a single ACI deployment (they share a host, a local network and a lifecycle).
  • ACI is designed for small, short-lived workloads that do one job quickly and finish.

Azure Kubernetes Service

Use AKS if you want to run containerised applications for a longer period of time and need orchestration (scheduling, scaling, self-healing). More on AKS below.

Azure Functions

  • Useful for quick, short-running operations.
  • Designed for microservice-style code that takes an input, performs an operation and returns a result.
  • Functions are typically event driven, e.g. triggered when a file is uploaded to a storage container, a message lands on a queue, an HTTP request arrives or a timer fires.
  • Can run on the Consumption plan, i.e. you only pay for the compute resources your function uses while it executes.

Azure Virtual Machines

  • These are Virtual Machines (VMs) in the cloud.
  • Both Windows and Linux are available.
  • Each VM is a guest on a host computer (a physical server in a rack in an Azure datacenter).
  • Billing caveat : shutting the VM down from inside the guest OS leaves it in the "Stopped" state and you are still billed for the compute. Stopping it from the portal or CLI puts it in "Stopped (deallocated)", which releases the hardware and stops compute billing; the OS disk is still billed.
  • It also offers a feature called availability sets that helps with high availability. This is not the same as availability zones: an availability set spreads VMs within one datacenter, whereas zones are physically separate datacenters in a region.
  • An availability set has two components. Both provide fault tolerance but address different concerns. Let's look at them in detail.

Fault Domains

  • A fault domain is a logical representation of a physical server rack (shared power and network switch) in an Azure datacenter.
  • Spreading VMs across fault domains protects you from a fault that takes down a whole rack.

Update Domains

  • An update domain is a logical group of VMs that may be rebooted at the same time for planned maintenance.
  • When maintenance needs a reboot, Azure updates only one update domain at a time and waits for the VMs in it to be back up and running before moving on to the next, so some instances of your app stay available throughout.
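The fault-domain and update-domain spreading described above, as an added example that is not part of the original notes: a small Python model of how availability-set placement limits the blast radius of a rack failure or an update wave. The `i % FD` / `i % UD` assignment mirrors the sequential, round-robin placement Microsoft documents, but it is an offline model of that documented behaviour, not a query against Azure; the default domain counts and the helper names are assumptions for the example.

```python
from collections import Counter


def place_in_availability_set(vm_count, fault_domains=3, update_domains=5):
    """Model of the round-robin placement Azure documents for availability
    sets: the i-th VM goes to fault domain i % FD and update domain i % UD.
    Defaults are an assumption for this example (Azure allows up to 3 fault
    domains and 20 update domains per set; check what your region offers).
    This never talks to Azure; it only models the documented behaviour."""
    return [(i % fault_domains, i % update_domains) for i in range(vm_count)]


def worst_case_outage(placement):
    """VMs lost at once if one rack (fault domain) dies, and VMs rebooted
    at once during one maintenance wave (update domain)."""
    fd_counts = Counter(fd for fd, _ in placement)
    ud_counts = Counter(ud for _, ud in placement)
    return max(fd_counts.values()), max(ud_counts.values())


def keeps_serving(vm_count, fault_domains=3, update_domains=5):
    """True when no single rack failure or update wave can take every
    instance down, i.e. the availability set actually buys you something.
    A set with one VM in it protects nothing."""
    placement = place_in_availability_set(vm_count, fault_domains, update_domains)
    rack_loss, wave_loss = worst_case_outage(placement)
    return rack_loss < vm_count and wave_loss < vm_count


if __name__ == "__main__":
    for n in (1, 2, 7):
        rack, wave = worst_case_outage(place_in_availability_set(n))
        print(f"{n} VMs: rack failure drops {rack}, update wave reboots {wave}, "
              f"keeps serving: {keeps_serving(n)}")
```

The point the numbers make: with a single VM an availability set changes nothing, and with seven VMs across 3 fault domains and 5 update domains a rack failure costs you at most three instances while a maintenance wave reboots at most two, which is why the availability SLA only applies to sets with two or more VMs.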

There is another option with VMs, which is called a Virtual Machine Scale Sets (VMSS)

Virtual Machine Scale Sets (VMSS)

  • This allows you to deploy and manage a group of identical, load-balanced VMs as one unit.
  • You only need to specify the OS image and how many VMs you want in the scale set.
  • The VMs in the VMSS can be autoscaled in and out based on metrics or a schedule.
  • The VMs in a VMSS are automatically spread across fault and update domains (and optionally across availability zones) for fault tolerance.

And another form of virtualization available in Azure is called Azure Virtual Desktop

Azure Virtual Desktops

This essentially lets you run a Windows desktop and its applications in a virtualized environment without installing anything on your own computer. There are clients for Windows, macOS, Android, iOS and web browsers. So you can use any device to access the virtual PC and do your work without using your device's resources (apart from what's needed to run the Virtual Desktop client itself).

Resources Required for a Virtual Machine

Open the Azure Portal -> click "Virtual machines" -> Create -> Azure virtual machine -> create a new resource group (or choose an existing one from the dropdown) -> name it -> name your virtual machine -> select a region -> pick an availability option (no infrastructure redundancy, availability zone, VMSS or availability set) -> select an image (Linux or Windows) -> size of the VM -> authentication type: SSH public key (preferred over a password) -> Review + create -> Create, then download the private key when prompted -> Deployment in progress ---after completion---> Go to resource

One caveat worth noting at the "Inbound port rules" step: the default "Allow selected ports: SSH (22)" creates a network security group rule that allows port 22 from any source on the internet. After deployment, restrict that rule's source to your own IP range (or use Azure Bastion) rather than leaving SSH exposed to the whole internet.

What are the different resources that are required for a virtual machine?

Go to the homepage -> click the name of the resource group (it has a cube-like icon) -> have a look at all the resources in the resource group

You'd notice that even after creating just one VM, multiple resources have been created. We would have :

  1. Virtual network : has both a private and a public endpoint (explained in sec 5.6)
  2. Virtual machine
  3. Public IP address
  4. Network security group : the stateful packet filter whose rules decide which inbound and outbound traffic reaches the VM's network interface
  5. Network interface
  6. Operating system (OS) disk
  7. SSH key : because we chose SSH for remote access while creating the VM. Apart from the SSH key (and the public IP address, which you can choose not to assign), all of these resources are created every time you create a virtual machine.

Go to the homepage -> select "All resources" -> you'll see everything that exists in your Azure subscription (even though all you created was one VM). Look at the "Resource group" column and you'll be able to tell where each resource belongs.

Application Hosting Options

Azure App Service

  • It's a PaaS service.
  • Used to build and host web apps, APIs and background jobs in the cloud.
  • Each App Service deployment in an Azure datacenter (Microsoft's deployment of the App Service infrastructure) has several front ends, and these front ends use a customised, proxy-based routing module to forward a request to a virtual machine that's hosting the app being requested.
  • The virtual machines running a web app (whether that's 1 VM or many) run within an "App Service Plan", which is the logical unit that defines and scales the compute for your web apps.
  • When you create a web app you specify which App Service Plan to host it in, and that plan defines the pricing tier you'll be using. A lower tier costs less, but is less powerful and has fewer features.
  • Apps created in the same App Service Plan all run on the same VMs. So if a plan has multiple VMs, they are exact copies of each other, including all the apps running on them. The practical consequence is that apps in one plan share CPU, memory and outbound IP addresses; put apps of different trust levels (or a noisy app) in separate plans.

How to create one?

Go to the dashboard -> click "App Services" -> select the resource group -> a VM name only has to be unique within its resource group, so someone with a different Azure subscription can reuse your VM name, but the name you give a Web App has to be unique across all of Azure App Service, because it becomes a DNS name. -> Notice that the name box is suffixed with ".azurewebsites.net": you can browse to the app at <name>.azurewebsites.net, which is the reason the name must be unique across all of Azure. -> Choose whether you're publishing code, a Docker container or a static web app -> choose the runtime stack (Python, Java, .NET, etc.) -> since this is PaaS there are fewer options and less control, but also less complexity for you to deal with -> select the OS -> under pricing plan it'll say something like "Windows Plan (Central US)"; that is the App Service Plan -> click "Create new" and rename it -> click "Review + create" -> click "Create"

Creating an App Service is faster than creating a VM because the virtual machine this app is going to run on is already sitting there, waiting for a web app to be deployed into it.

Go to the resource and you'll see your web app running inside Azure -> on the left, if you scroll down, you'll see "Scale up" and "Scale out" options.

  • Scale up : move to a more (or less) powerful machine, i.e. change the pricing tier
  • Scale out : add more exact copies of the machine (more instances)

Any scaling operation applies to the App Service Plan, not to an individual app. So if you have two web apps in the same plan, both sit on the same VMs, and any scaling action affects every app running in the plan.

In the "Scale out" tab there's two options:

  • Manual Scale : has a slider to add more VMs
  • Custom Autoscale : for custom rules that you can use to scale based on metrics

Azure Kubernetes Service

Use this if you need a more powerful container solution than ACI. Kubernetes is a container orchestration system: it schedules containers across a cluster, scales them, restarts them when they fail and keeps them available when you need them.

  • AKS is Microsoft's managed implementation of Kubernetes in the cloud.
  • Kubernetes runs as a cluster with two kinds of machines:
    Control plane : the component that controls the cluster (API server, scheduler and so on); in AKS it is managed by Azure.
    Kubernetes nodes : the VMs that actually run your containers, organised into node pools.

The control plane orchestrates the cluster and is responsible for scaling your workloads in or out across the nodes.

You still only pay for the compute resources (the node VMs) that are in your cluster.

Azure Networking Services

Azure Virtual Networks

Enables you to configure your networking in Azure without the hassle of configuring networking hardware, running cables etc.

An Azure Virtual Network is defined by an address space in classless inter-domain routing (CIDR) notation, e.g. 10.0.0.0/16, which spans 65,536 addresses. You carve that space into subnets; for the three-tier design below we use three /24 subnets. Note that Azure reserves five addresses in every subnet (the network address, the first three host addresses for Azure's own use, and the broadcast address), so a /24 gives you 251 usable addresses rather than the 254 you'd get on-premises.

Web Tier

Subnet 1 (10.0.1.0/24) : hosts the website that provides the user interface for the application. It is the only subnet that should be reachable from the internet.

Middle Tier

Subnet 2 (10.0.2.0/24) where we implement business rules, data validation, etc.

Data Tier

Subnet 3 (10.0.3.0/24) Used for storing all the data that our application uses

Typically your Web Tier can communicate with your Middle Tier, and your Middle Tier can communicate with your Data Tier, but your Web Tier and Data Tier shouldn't be able to communicate with each other directly. In Azure you enforce this with network security groups (NSGs) on the subnets or NICs. Be aware that the built-in AllowVnetInBound default rule permits all traffic between subnets of the same VNet, so the web-to-data block has to be an explicit deny rule with a lower priority number than that default; simply not writing an allow rule is not enough.
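To make the tier rule concrete, here is an added Python example (not code from the original notes, and not the Azure SDK) that models how an NSG decides inbound traffic: rules are evaluated lowest priority number first and the first match wins, with Azure's built-in AllowVnetInBound and DenyAllInBound rules always present. It also computes Azure's usable-host count per subnet. Protocol and source-port matching are omitted for brevity, the "Internet" and load-balancer service tags are not modelled, and the addresses, rule names and the DATA_TIER_NSG rule set are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing, taken from the three-tier layout in the notes.
VNET = ip_network("10.0.0.0/16")
SUBNETS = {
    "web": ip_network("10.0.1.0/24"),
    "middle": ip_network("10.0.2.0/24"),
    "data": ip_network("10.0.3.0/24"),
}


def azure_usable_hosts(subnet):
    """Azure reserves 5 addresses per subnet: the network address, the
    first three host addresses (gateway and Azure DNS mapping) and the
    broadcast address. A /24 therefore yields 251, not 254."""
    return subnet.num_addresses - 5


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number wins; custom rules use 100-4096
    access: str        # "Allow" or "Deny"
    source: str        # CIDR, "*" or the service tag "VirtualNetwork"
    destination: str
    dest_port: str     # "*", a single port, or "lo-hi"


# Azure's built-in inbound rules, present in every NSG and not deletable
# (priorities 65000+). AllowVnetInBound is the one that surprises people:
# by default every subnet in the VNet can talk to every other subnet.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _prefix_matches(prefix, addr):
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return addr in VNET
    return addr in ip_network(prefix)


def _port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def evaluate_inbound(custom_rules, src, dst, port):
    """First-match-by-priority evaluation, the way an NSG does it.
    Returns (deciding rule name, "Allow"/"Deny")."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (_prefix_matches(rule.source, src)
                and _prefix_matches(rule.destination, dst)
                and _port_matches(rule.dest_port, port)):
            return rule.name, rule.access
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


# Constructed NSG for the data-tier subnet: only the middle tier may reach
# SQL (1433), and everything else from inside the VNet is explicitly denied
# at a priority number that beats AllowVnetInBound (65000).
DATA_TIER_NSG = [
    Rule("AllowMiddleToSql", 100, "Allow", "10.0.2.0/24", "10.0.3.0/24", "1433"),
    Rule("DenyVnetToData", 4000, "Deny", "VirtualNetwork", "10.0.3.0/24", "*"),
]


def web_can_reach_data(nsg):
    """True if a web-tier VM would be allowed to hit the database port."""
    return evaluate_inbound(nsg, "10.0.1.4", "10.0.3.4", 1433)[1] == "Allow"


if __name__ == "__main__":
    print("usable hosts per /24 in Azure:", azure_usable_hosts(SUBNETS["web"]))
    print("default rules only, web -> data:1433 allowed:", web_can_reach_data([]))
    print("hardened NSG,       web -> data:1433 allowed:", web_can_reach_data(DATA_TIER_NSG))
    print("hardened NSG,    middle -> data:1433:",
          evaluate_inbound(DATA_TIER_NSG, "10.0.2.4", "10.0.3.4", 1433))
```

Run it and note the first result: with only the default rules in place, web to data on 1433 is allowed, because AllowVnetInBound permits everything inside the VNet. The DenyVnetToData rule at priority 4000 is what actually enforces the tier separation, and the narrower AllowMiddleToSql rule at priority 100 punches the single hole the middle tier needs; any other port from the middle tier, or anything at all from the web tier, falls through to the deny.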

Ultimately Azure Virtual Networks allow you to lift and shift your entire network topology from on-premises to the cloud and gives you plenty of capability to enable future growth as your network grows.

You can create multiple virtual networks in Azure based on your needs, and you may find that you need to connect resources that live in different virtual networks. For this Azure offers a feature called "Virtual Network Peering", which connects two Azure VNets so that resources in each can reach the other over private IP addresses. Peered traffic stays on Microsoft's backbone network and never traverses the public internet. Peering itself adds no encryption, though (unlike a VPN gateway), so if you need encryption on the wire you provide it at the transport or application layer, e.g. TLS. Two peered VNets must have non-overlapping address spaces, and peering is not transitive: if A is peered with B and B with C, A cannot reach C through B without additional routing.

You can peer virtual networks in the same region or in different regions; when you peer VNets in two different regions it's called "Global Virtual Network Peering".

Azure DNS

  • Helps you manage your domain name system (DNS) records in Azure
  • Internet facing zones are called public zones
  • Zones that are used for Azure VNets are called private zones

Azure VPN Gateway

  • Allows you to create secure (IPsec/IKE) connections between Azure VNets and other networks over the public internet.
  • A VPN gateway needs a dedicated subnet in the VNet, which must be named GatewaySubnet. Within that gateway subnet Azure deploys two managed VM instances that implement the gateway's functionality.
  • You don't pay for those VMs as VMs, you can't connect to them and you don't manage them; they exist only to run your VPN gateway (you pay an hourly rate for the gateway SKU instead).
  • There are three kinds of connections you can build with a VPN gateway

VNet to VNet

Allows you to connect 2 Azure Virtual Networks together using a VPN gateway

Site to Site

Allows you to connect an Azure VNet to another network that's outside of Azure.

Point to Site

Allows you to connect a single device such as a mobile or a laptop to an Azure VNet

  • Another point about Azure VPN Gateway is that throughput is bounded by the gateway SKU; the 1.25 gigabits per second figure quoted in the course is the ceiling of one SKU (VpnGw3), and larger SKUs go higher, but it remains far below what ExpressRoute offers.
  • You also pay, in CPU and latency, for the overhead of encrypting and decrypting the traffic (IPsec).
  • The previous two points matter especially when you're choosing between VNet peering and a VPN gateway for connecting two Azure VNets: peering is faster and cheaper, while the VPN gateway is what you use when you specifically need an encrypted tunnel.

Azure Express Route

Also used to connect Azure resources to an on-premises network, but unlike VPN Gateway, ExpressRoute offers speeds up to 10 Gbps over a dedicated private circuit, and up to 100 Gbps with "ExpressRoute Direct", a higher-end offering that connects you directly to Microsoft's network at a peering location.

Another advantage is that the traffic doesn't flow over the internet; instead you connect via a Microsoft Enterprise Edge (MSEE) router. One caveat: private does not mean encrypted. ExpressRoute does not encrypt traffic by itself; if you need encryption you layer MACsec (available with ExpressRoute Direct) or an IPsec VPN over the circuit, or encrypt at the application layer.

When you're using ExpressRoute you'll typically connect through a third-party connectivity provider, often your Internet Service Provider. The provider has a direct connection to the MSEE, and the MSEE is directly connected to Microsoft's network in Azure. The key term here: Microsoft calls an ExpressRoute connection a "circuit".

Public and Private Endpoints

Two simple points.

  • A public endpoint is an IP address on a resource that is reachable over the internet; a private endpoint is an IP address that is only reachable over a private network (your VNet, or networks connected to it).
  • A resource can have both a public and a private endpoint.

When we created the VM, the wizard also created a virtual network. That virtual network had a private address space, giving our virtual machine a private endpoint, plus a public IP address resource, which gives the virtual machine a public endpoint. Anything reachable through the public endpoint is exposed to the whole internet, which is why the network security group rules in front of it matter.
