Friday, March 4, 2022

 Azure App Configuration   

This is a continuation of a series of articles on Azure services from an operational engineering perspective, with the most recent introduction to Azure App Configuration at the link here. This article elaborates on best practices for Azure App Configuration.

Azure App Configuration is a regional service. Applications that need different configuration per region should create a separate store in each region, so that one store does not become a single point of failure; multiple stores also help with disaster recovery. Regions and availability zones give this service the same high-availability guarantees as other Azure services: regions are scattered throughout the globe, and many regions support multiple availability zones.

There are two options for organizing keys: key prefixes and labels. A key prefix is the beginning part of a key name; a set of keys can be grouped by giving them the same prefix, and prefixes can use folder-path-like separators (for example, AppName:Service1: or AppName/Service1/) to express hierarchy. Keys are what application code references to retrieve the values of the corresponding settings. Labels are an attribute on keys and are used to create variants of a key; a variant might represent an iteration, an environment, or some other contextual information.

App Configuration treats all keys stored with it as independent entities; it does not attempt to infer any relationship between keys. Aggregation is possible with labels: application code can perform configuration stacking, loading keys without a label first and then keys with an environment label such as Production, so that the labeled values override the defaults. Any configuration data can be stored, including data otherwise kept in configuration files or environment variables. Large or sensitive data is better kept in other stores or in Key Vault, with only references saved as configuration key-values. A connection string can be used to access an App Configuration store, but a managed identity (granted a data-plane role such as App Configuration Data Reader) is preferable because there is then no secret to rotate or leak.

Excessive requests to App Configuration can result in throttling or overage charges. Requests can be reduced by increasing the refresh interval, watching a single sentinel key instead of polling every key, using Azure Event Grid to receive notifications when configuration changes, and spreading requests across multiple App Configuration stores. Configuration settings can be bulk-imported from existing configuration files using either the portal or the CLI, and the same option can be used to export key-values from App Configuration.

Client applications (browser, desktop and mobile apps) carry two common risks. First, a connection string embedded in a client is exposed to the public; second, the volume of requests from many clients can be excessive. It is recommended that a proxy service sit between such applications and the App Configuration store. The proxy authenticates to the store with a managed identity or a connection string that never leaves the server, so no credential is leaked to clients, and it absorbs the client load. The App Configuration provider libraries make writing such a proxy straightforward and come with a built-in cache.

Checking configuration in as code in a git repository gives benefits such as traceability and an approval process for changes, and there are tools to deploy this configuration data. The Azure App Configuration Sync GitHub Action synchronizes the store whenever a pull request is merged into the configuration-as-code repository. Azure DevOps can include the Azure App Configuration Push pipeline task for the same purpose. Similarly, the Azure CLI (az appconfig kv import) can be used as part of a CI/CD system to import configuration files.

Thursday, March 3, 2022

 Azure App Configuration

This is a continuation of a series of articles on Azure services from an operational engineering perspective, with the most recent introduction to Microsoft Intune at the link here. The previous article discussed Microsoft 365 capabilities. This article discusses Azure App Configuration.

This is a service to centrally manage application settings and feature flags. Configuration settings should not be spread across the distributed components of an application or service hosted in the cloud, because that leads to hard-to-troubleshoot errors during deployment. App Configuration stores all the settings for the application and secures access to them in one place.

Unlike ZooKeeper, a coordination service that combines elements of group messaging, shared registers and distributed locks, and whose interface guarantees wait-free operations and FIFO execution of each client's requests, Azure App Configuration merely centralizes configuration as a resource provisioned by a service that can perform access control. This lightweight step from configuration files to a configuration service is just right for clients that only want to add or read a key-value from the store.

Azure App Configuration can be deployed with an Azure Resource Manager template (ARM template), a JSON file that defines the infrastructure and configuration for the project. It supports hierarchical namespaces, labeling, extensive queries, batch retrieval, specialized management operations, and a feature-management user interface. It is not meant to be a Key Vault for storing secrets and is usually complementary to Key Vault in most deployments: it stores references to those secrets as configuration key-values, and the application resolves each reference from Key Vault with its own identity, so the configuration store never holds the secret value.

App Configuration encrypts all key-values it holds at rest and encrypts network communication in transit. Key names and labels are used as indexes for retrieving configuration data and are not encrypted, so they should not carry sensitive information.

It differs from App Service application settings, which define settings for each App Service instance and are passed as environment variables to the application code; Azure App Configuration defines settings that can be shared across multiple applications. Application code reads these settings through the configuration providers for .NET and Java, the Azure SDKs, or the REST API. Settings can be imported and exported between App Service application settings and Azure App Configuration.

There is a limit of 10 KB for a single key-value including its attributes (label, tags and other metadata). This suffices for most configuration. A value larger than this should be placed in another store, such as blob storage, and referenced from the configuration.

Stores are generally created one per environment, such as development, integration and production, which provides the best security isolation. If security isolation between environments is not needed, labels can be used instead to differentiate configuration values per environment within one store.

Free and Standard tiers both provide the core functionality, including configuration settings, feature flags, basic management operations, metrics and logs. The Free tier allows one store per subscription; if more are required, the Standard tier allows an unlimited number of stores. Each Standard-tier store can hold up to 1 GB and keeps key-value history for 30 days. Free-tier stores are limited to 1,000 requests per day, while Standard-tier stores are limited to 30,000 requests per hour. Only the Standard tier has an SLA, 99.9% availability. The first 200,000 requests per day to a Standard-tier store are included, with an overage charge for requests beyond that daily allocation.

Wednesday, March 2, 2022

 External configuration store pattern 

This pattern applies when configuration must be moved out of the application deployment package into a centralized location. It is useful for sharing configuration data across applications and application instances.

Changes to configuration should not require administrative overhead, downtime, or redeployment. Configuration files can be edited to change application behavior after deployment, but managing them across multiple running instances is hard, and the result can be instances or applications running with different configuration settings. These problems point to a dedicated configuration management system as the solution.

The configuration can be stored externally and exposed through an interface that reads and updates settings quickly and efficiently. The type of external store depends on the hosting and runtime environment of the application: cloud-based storage, a dedicated configuration service, a hosted database, or another custom system.

A few things are required of this store. The interface to read and update must be easy to use. The information must be properly organized. The implementation must authorize each user's access so the configuration is protected. It should be flexible enough to hold multiple versions of the configuration, such as development, staging, or production.

In addition, caching is needed for application performance. How much caching depends on the type of backing store and its latency; caching minimizes the impact on application performance and provides fast access. Some external configuration stores come with a local cache.

The following issues and considerations must be tackled when implementing this pattern. 

The backing store must offer acceptable performance, high availability, robustness, and backups; cloud storage or a configuration platform typically provides these. The schema of the backing store must be flexible enough for the types of information to hold. Keeping multiple versions of settings and rolling back to an earlier one are common tasks.

The physical capabilities of the backing store also affect usability. If the store holds settings in a format such as XML rather than JSON, reading them requires parsing, which adds to the performance cost. Control over the scope and inheritance of configuration settings affects how control can be delegated. The configuration interface must expose the data in the required formats, such as typed values, collections, key-value pairs, and property bags.

A strict separation between the permissions to read and to write configuration may be required, and it is implemented in the configuration store interface. Caching configuration data locally helps to ride out transient connectivity failures to the store. The application must also keep the last known good set of configuration values and fall back to it, or to an earlier version, if the latest set cannot be used.

Azure Table storage for key-values, Blob storage for hierarchical access, and Cosmos DB are examples of backing stores behind an ISettingsStore interface. An ExternalConfigurationManager class can wrap a BlobSettingsStore, and such a class might use Microsoft Reactive Extensions to publish changes while the system is running.
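The considerations above (read/write separation at the interface, a local cache, validation, fallback to the last known good set, and publishing changes) fit in one small manager. The following is an added example written for this page in Python; it is not the C# sample the pattern documentation ships, and its store interface, version names, keys and the Db:Timeout validation rule are constructed for the example.

```python
"""Added example, not code from the original post or from the Azure
Architecture Center sample. It sketches the ExternalConfigurationManager idea
in Python: a settings-store interface, an in-memory store that can be made to
fail, a read-only view for the application, and a manager that caches
settings, validates a new version before applying it, keeps the last known
good set, and publishes changes to subscribers. Keys and values are constructed."""
import time
from typing import Callable, Dict, List, Optional

Settings = Dict[str, str]

class StoreUnavailable(Exception):
    """Raised by a backing store on a transient connectivity failure."""

class SettingsStore:
    """Interface the manager depends on; Table, Blob or Cosmos DB stores would
    each implement it. A version names an environment or a release."""
    def read(self, version: str) -> Settings:
        raise NotImplementedError
    def write(self, version: str, settings: Settings) -> None:
        raise NotImplementedError

class InMemorySettingsStore(SettingsStore):
    def __init__(self) -> None:
        self._versions: Dict[str, Settings] = {}
        self.available = True          # flip to False to simulate an outage
    def read(self, version: str) -> Settings:
        if not self.available:
            raise StoreUnavailable(version)
        return dict(self._versions.get(version, {}))
    def write(self, version: str, settings: Settings) -> None:
        if not self.available:
            raise StoreUnavailable(version)
        self._versions[version] = dict(settings)

class ReadOnlyStore(SettingsStore):
    """Read/write separation at the interface: the application only ever holds
    this view, so it cannot alter configuration even if it is compromised."""
    def __init__(self, inner: SettingsStore) -> None:
        self._inner = inner
    def read(self, version: str) -> Settings:
        return self._inner.read(version)
    def write(self, version: str, settings: Settings) -> None:
        raise PermissionError("application may not write configuration")

def valid_settings(settings: Settings) -> bool:
    """Example schema check: a positive integer Db:Timeout must be present."""
    timeout = settings.get("Db:Timeout", "")
    return timeout.isdigit() and int(timeout) > 0

class ExternalConfigurationManager:
    """Caches one version of the settings, refreshing after ttl_seconds."""
    def __init__(self, store: SettingsStore, version: str, ttl_seconds: float,
                 validate: Callable[[Settings], bool] = valid_settings,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._store, self._version, self._ttl = store, version, ttl_seconds
        self._validate, self._clock = validate, clock
        self._cache: Settings = {}           # last known good settings
        self._loaded_at = float("-inf")
        self._subscribers: List[Callable[[Settings], None]] = []
        self.last_error: Optional[str] = None

    def subscribe(self, fn: Callable[[Settings], None]) -> None:
        """Register a callback for applied changes (the Rx role in the text)."""
        self._subscribers.append(fn)

    def refresh(self, force: bool = False) -> bool:
        """Reload once the cache is older than the TTL; return True if a new set
        was applied. On an outage or an invalid set the last known good values
        stay in place and last_error records why."""
        now = self._clock()
        if not force and now - self._loaded_at < self._ttl:
            return False
        self._loaded_at = now                # also backs off after a failure
        try:
            fresh = self._store.read(self._version)
        except StoreUnavailable:
            self.last_error = "unavailable"
            return False
        if not self._validate(fresh):
            self.last_error = "rejected"
            return False
        self.last_error = None
        if fresh == self._cache:
            return False
        self._cache = fresh
        for fn in self._subscribers:
            fn(fresh)
        return True

    def get(self, key: str, default: Optional[str] = None) -> Optional[str]:
        self.refresh()
        return self._cache.get(key, default)
```

The clock is injected so the TTL can be driven deterministically in a test; in production the default time.monotonic is used. Note that a failed refresh also advances the timestamp, so an outage does not turn every get() into a request against the struggling store.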

Tuesday, March 1, 2022

 

This is a continuation of a series of articles on Azure services from an operational engineering perspective, with the most recent introduction to Microsoft Intune at the link here. The previous article discussed Microsoft 365 capabilities. This article discusses data privacy with Microsoft 365.

Microsoft 365 for enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely. It is designed for large organizations, but it can also be used for medium-sized and small businesses that need the most advanced security and productivity capabilities.   

Microsoft 365 scenarios include productivity, collaboration, education, people, and workplace intelligence. It includes services that manage user and device identity, access, compliance, security and helps protect organizations from data leakage or loss.   

An organization may be subject to regional data privacy regulations that require protection, management, and provisioning of rights and controls over personal information stored in its IT infrastructure. One example of such a regulation is the General Data Protection Regulation (GDPR). Failure to comply can result in substantial fines.

Examples of the types of data in Microsoft 365 include chat sessions in Microsoft Teams, emails in Exchange, and files in SharePoint and OneDrive. The steps to assess risks and take appropriate actions to protect data in Microsoft 365 are discussed in this section. The Microsoft 365 identity, device and threat protection controls add further protection for data privacy needs.

Several features together provide the data privacy capabilities. Compliance Manager helps to manage regulatory compliance activities, gives an overall score for the current compliance configuration, and finds recommendations for improvement; it is a workflow-based risk assessment tool.

Microsoft Defender for Office 365 helps to protect Microsoft 365 apps and data, such as email messages, Office documents and collaboration tools, from attack.

The sensitivity labels help to classify and protect the organization’s data without hindering the productivity of users and their ability to collaborate.

Data loss prevention (DLP) capabilities help to detect, warn about and block risky, inadvertent or inappropriate sharing of data containing personal information, both internally and externally.

The data retention labels and policies help to implement governance controls and data retention.

The email encryption capability helps to protect personal data by sending and receiving encrypted email messages.

These capabilities help put safeguards in place but continuous monitoring, investigation and response to security incidents will be required, nevertheless.

Microsoft 365 is an identity-based cloud; when identities are isolated into a separate environment, the result is a sovereign cloud. The standard Microsoft 365 cloud is used by enterprise, academic and even home Office 365 tenants. It has the most features and tools, global availability, and the lowest prices, and since it is the default choice among the clouds, everyone qualifies. The sovereign Microsoft 365 clouds are geared for advanced data protection, both through isolated identities and through stricter controls.

Monday, February 28, 2022

This is a continuation of a series of articles on Azure services from an operational engineering perspective, with the most recent introduction to Microsoft Intune at the link here. The previous article discussed Microsoft Intune with its device and application management capabilities. This article discusses its usage with Microsoft 365.

Microsoft 365 for enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely. It is designed for large organizations, but it can also be used for medium-sized and small businesses that need the most advanced security and productivity capabilities.  

Microsoft 365 scenarios include productivity, collaboration, education, people, and workplace intelligence. It includes services that manage user and device identity, access, compliance, security and helps protect organizations from data leakage or loss.  

The scenario used to describe Microsoft 365 is often the one used to set up the infrastructure for hybrid work. This is achieved by allowing on-site and remote workers to access the organization’s on-premises and cloud-based information, tools, and resources easily and securely. 

Microsoft 365 for enterprise consists of local and cloud-based applications and productivity services, Windows 10 Enterprise, and device management and advanced security services. The applications work with a full suite of online services for email, file storage and collaboration, meetings and more. Windows 10 Enterprise improves productivity and security and, for IT professionals, provides comprehensive deployment, device and app management. The device management and advanced security services include Microsoft Intune, which enables workforce productivity while protecting organizational data.

Microsoft 365 for enterprise is available in three plans: E3, E5 and F3. E3 provides access to the Microsoft 365 core products and features that further workforce productivity. E5 includes all the E3 capabilities plus Defender for Office 365 and other advanced security, voice, and data analysis tools. F3 helps frontline workers with purpose-built tools and resources.

Microsoft 365 add-ons are available for E3 users. These add-ons are for Identity and Threat protection, Information protection and compliance, Microsoft 365 E5 Compliance, and Microsoft 365 E5 Insider Risk. These add-ons enable E3 users to take advantage of features in E5.

With these capabilities, IT professionals managing on-site and cloud-based infrastructure enable hybrid worker productivity. Workers can access cloud-based services and data in their Microsoft 365 subscription and organizational resources anytime and from anywhere. Their sign-ins are secured, and their applications and devices can be managed with cloud security. Hybrid workers can be as productive and collaborative as on-premises workers.

Sunday, February 27, 2022

This is a continuation of a series of articles on Azure services from an operational engineering perspective, with the most recent introduction to Microsoft Intune at the link here. The previous article discussed Microsoft Intune with its device and application management capabilities. This article discusses its usage with Microsoft 365.

Microsoft 365 for enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely. It is designed for large organizations, but it can also be used for medium-sized and small businesses that need the most advanced security and productivity capabilities.  

Microsoft 365 scenarios include productivity, collaboration, education, people, and workplace intelligence. It includes services that manage user and device identity, access, compliance, security and helps protect organizations from data leakage or loss.  

The standard Microsoft 365 cloud is used by enterprise, academic and even home Office 365 tenants. It has the most features and tools, global availability, and the lowest prices; since it is the default choice among the clouds, everyone qualifies. That said, there are sovereign Microsoft 365 clouds for advanced data protection.

The scenario used to describe Microsoft 365 is often the one used to set up the infrastructure for hybrid work, which allows on-site and remote workers to access the organization's on-premises and cloud-based information, tools, and resources easily and securely. The key layers of the architecture that empower these workers include the following capabilities.

For identity, MFA enforced with security defaults protects against compromised identities and devices by requiring a second form of authentication for sign-ins. Optionally, Conditional Access can require MFA based on the properties of the sign-in, and Conditional Access policies can be risk-based so that sign-ins are protected with Azure AD Identity Protection. Self-service password reset (SSPR) in Azure Active Directory lets the workforce register and then reset their own passwords by following the instructions they are given, without a help-desk call.

For remote access, Azure AD Application Proxy provides access to web-based applications hosted on intranet servers. Azure point-to-site VPN creates a secure connection from a remote worker's device to the intranet through an Azure virtual network. Windows 365 supports remote workers who can only use personal, unmanaged devices by giving them Windows 365 Cloud PCs. Remote Desktop Services lets employees connect to their domain-joined Windows computers, and the Remote Desktop Services Gateway encrypts that traffic and keeps the RDS hosts from being directly exposed to the internet.

For devices, Microsoft Intune manages devices and applications. Configuration Manager manages software installations, updates, and settings on the devices. Endpoint Analytics determines the update readiness of the Windows clients. Windows Autopilot sets up and pre-configures Windows devices.

With these capabilities, IT professionals managing on-site and cloud-based infrastructure enable hybrid worker productivity. Workers can access cloud-based services and data in their Microsoft 365 subscription and organizational resources anytime and from anywhere. Their sign-ins are secured, and their applications and devices can be managed with cloud security. Hybrid workers can be as productive and collaborative as on-premises workers.

One pattern for new and upcoming services is to write the APIs once and expose them through Microsoft Graph and other outlets with the help of wrappers.


Saturday, February 26, 2022

 

This is a continuation of a series of articles on Azure services from an operational engineering perspective, with the most recent introduction to Microsoft 365 at the link here. The previous article discussed Microsoft 365 with its broad capabilities. This article discusses its usage with Intune and Microsoft Graph.

Microsoft 365 for enterprise is a complete, intelligent solution that empowers everyone to be creative and work together securely. It is designed for large organizations, but it can also be used for medium-sized and small businesses that need the most advanced security and productivity capabilities.  Microsoft Intune manages devices and applications. Configuration Manager manages software installations, updates, and settings on the devices. Endpoint Analytics determines the update readiness of the windows clients. Windows Autopilot sets up and pre-configures Windows devices.

The Microsoft Intune APIs expose all features of Microsoft Intune for programmatic access. They can be used to define and enforce compliance policies, protect company data, create and deploy device configuration policies, create and deploy device access control policies, and perform remote actions to manage devices. They can deploy apps to devices, manage access to eBooks, and define and deploy app configuration settings, app protection settings, and app usage policies. They can automate the definition and assignment of role-based access control, the auditing and reporting of compliance, usage and access, and the management of telecom expenses. All the Intune APIs are made available via Microsoft Graph.

Microsoft Graph enables integration with Microsoft 365, Windows 10 and the Enterprise Mobility + Security services using a standard set of REST APIs and client libraries across all data sources, which makes it convenient for developers to integrate different data sources. It uses the concepts of users and groups to organize this functionality. A user is an individual who uses Microsoft 365 cloud services; for Microsoft Graph, the user is the focus for which identity is protected and access is managed. The data associated with this entity, and the opportunities to enrich context, provide real-time information and deep insights, are what make Microsoft Graph so popular. A group is the fundamental entity that lets users collaborate and integrate with other services, which enables scenarios for task planning, teamwork, education and more.
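Since the Intune APIs are reached through Graph, the practical details of a Graph call matter: collections such as managedDevices are returned in pages linked by @odata.nextLink, and a busy tenant will see HTTP 429 responses that must be retried after the Retry-After interval. The following is an added example written for this page, not code from the original post or from the Microsoft Graph SDK. It assumes the managedDevice resource's deviceName, operatingSystem, complianceState and lastSyncDateTime properties; the HTTP transport is injected, and the two pages of responses, the nextLink query string and the "now" timestamp are constructed so that it runs offline. A real caller would pass a function that performs an authenticated GET against the URL it is given.

```python
"""Added example, not code from the original post or from the Microsoft Graph
SDK. It shows the shape of an Intune call made through Graph: the
managedDevices collection is paged, so a client follows @odata.nextLink until
it is absent, and must honor 429 throttling with Retry-After. The HTTP layer is
injected so the example runs offline against constructed responses; a real
caller would pass a function that performs an authenticated GET."""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterator, List

GRAPH = "https://graph.microsoft.com/v1.0"
DEVICES_URL = f"{GRAPH}/deviceManagement/managedDevices"

class Throttled(Exception):
    """Raised by the transport on HTTP 429; carries the Retry-After seconds."""
    def __init__(self, retry_after: float) -> None:
        super().__init__(retry_after)
        self.retry_after = retry_after

def iter_collection(get_json: Callable[[str], dict], url: str,
                    sleep: Callable[[float], None], max_retries: int = 3) -> Iterator[dict]:
    """Yield every item of a paged Graph collection, retrying throttled pages."""
    while url:
        for attempt in range(max_retries + 1):
            try:
                page = get_json(url)
                break
            except Throttled as exc:
                if attempt == max_retries:
                    raise
                sleep(exc.retry_after)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def devices_needing_attention(get_json: Callable[[str], dict], sleep: Callable[[float], None],
                              now: datetime, max_age_days: int = 30) -> List[dict]:
    """Devices that are not compliant, or have not checked in for max_age_days
    (a stale device may be lost or evading policy). Field names are those of
    the managedDevice resource."""
    flagged = []
    for d in iter_collection(get_json, DEVICES_URL, sleep):
        last_sync = datetime.fromisoformat(d["lastSyncDateTime"].replace("Z", "+00:00"))
        stale = now - last_sync > timedelta(days=max_age_days)
        if d.get("complianceState") != "compliant" or stale:
            flagged.append({"deviceName": d["deviceName"], "os": d["operatingSystem"],
                            "complianceState": d["complianceState"], "stale": stale})
    return flagged

# Constructed responses standing in for two pages of the real collection;
# the nextLink query string is opaque to clients, so its form here is made up.
PAGE2_URL = DEVICES_URL + "?$skiptoken=page2"
SAMPLE_PAGES = {
    DEVICES_URL: {"value": [
        {"id": "d1", "deviceName": "LAPTOP-01", "operatingSystem": "Windows",
         "complianceState": "compliant", "lastSyncDateTime": "2022-03-03T08:00:00Z"},
        {"id": "d2", "deviceName": "PHONE-07", "operatingSystem": "iOS",
         "complianceState": "noncompliant", "lastSyncDateTime": "2022-03-04T09:30:00Z"}],
        "@odata.nextLink": PAGE2_URL},
    PAGE2_URL: {"value": [
        {"id": "d3", "deviceName": "LAPTOP-02", "operatingSystem": "Windows",
         "complianceState": "compliant", "lastSyncDateTime": "2022-01-10T12:00:00Z"}]},
}
SAMPLE_NOW = datetime(2022, 3, 4, 12, 0, tzinfo=timezone.utc)   # constructed clock

def make_fake_transport(pages: Dict[str, dict], throttle_url: str = PAGE2_URL):
    """Offline stand-in for an authenticated GET. The first request for
    throttle_url answers 429 once to exercise the retry path. Returns the GET
    function, a sleep stand-in, and the list of sleeps it recorded."""
    throttled_once: List[str] = []
    sleeps: List[float] = []
    def get_json(url: str) -> dict:
        if url == throttle_url and not throttled_once:
            throttled_once.append(url)
            raise Throttled(retry_after=2)
        return pages[url]
    return get_json, sleeps.append, sleeps
```

Run against SAMPLE_PAGES with SAMPLE_NOW, devices_needing_attention() flags PHONE-07 for being noncompliant and LAPTOP-02 for not having synced in over 30 days, follows the nextLink once, and records a single 2-second back-off for the throttled second page. Swapping get_json for a function that sends the request with a bearer token (and the DeviceManagementManagedDevices.Read.All permission) is the only change needed to run it against a tenant.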

By providing a common API framework that exposes device management and application management capabilities to developers building mobility and security services on Microsoft 365, the combination of Intune, Microsoft 365 and Graph provides a broad set of capabilities. With these capabilities, IT professionals managing on-site and cloud-based infrastructure enable hybrid worker productivity. Workers can access cloud-based services and data in their Microsoft 365 subscription and organizational resources anytime and from anywhere. Their sign-ins are secured, and their applications and devices can be managed with cloud security. Hybrid workers can be as productive and collaborative as on-premises workers.