Azure Spring Clean March 2024

Introduction

Hello everyone, this blog post is my entry for this year’s AzureSpringClean event (2024), which Thomas Thornton and Joe Carlyle run every year.

This blog post covers how to save $$$ in Azure, so let’s dive straight in.

In this blog post, which I also gave a talk on at the Glasgow Azure User Group in February, I cover how to check where you can save money in Azure. At this point you’re probably already spending more than you should; trust me, I haven’t yet seen an environment with no cost savings to be found, so this is something you need to check for regularly.


Azure Advisor

This is a free service in the Azure portal that uses AI to monitor your environment and recommend where you can save money. Typically this is because you are not using Azure reservations or your Virtual Machines need to be resized; however, there are other areas across Azure where you can save money.

The screenshot below is of Advisor in Azure: –

We can use Advisor to check for the following kinds of recommendations:-

  • Cost
  • Security
  • Reliability
  • Operational Excellence
  • Performance

This article concentrates on Cost savings, but I highly recommend you check Advisor weekly.

If you click on Cost on the left you will see a screenshot like the one below: –

Here we can see all of the cost recommendations including right-sizing virtual machines, using reserved instances on SQL and Cosmos DB, and even reservations on App Service instances and more.


Reservations

Not a lot of people know this but you can add reservations for numerous different Azure resources, including things like managed disks and Blob storage, etc.

You can save thousands of $$$ by making use of Azure reservations, especially for Azure Virtual Machines; just make sure to right-size them using Advisor recommendations before you add any reservations.


Azure Hybrid Benefit

Azure Hybrid Benefit allows you to use your existing on-premises Windows Server and SQL Server licenses with Software Assurance or qualifying subscription licenses to pay a reduced rate (“base rate”) on Azure services.

Instead of paying the full price for new Windows Server or SQL Server licenses in Azure, you can leverage your existing investments to save on costs.

You can activate AHB by purchasing licenses in Partner Center and then applying them to your Azure Virtual Machine(s), as in the following screen. A license costs around $260 but can save you thousands depending on the size of your Virtual Machine(s).


Azure Log Analytics Workspaces

Be careful what you log, and make sure you check the usage and estimated costs on each of your Log Analytics workspaces. It is quite easy to turn on logging on App Services or containers to try to locate issues in the code or for performance tuning, and then forget to turn it off.


Cost Optimization

Within Advisor I want to point out a cool Azure Workbook – go to Advisor, click on Workbooks, and then locate the Cost Optimization workbook which is still in preview.

This workbook will highlight your Rate optimization and Usage Optimization and show you what you’re using and what you have forgotten to delete.

It shows you things like whether you are using all of your reservations and if you need more, as well as unattached public IP addresses, deallocated Virtual Machines, and loads more; please do check it out.


Budgets

Every subscription should have an Azure Budget. I shall repeat this – Every subscription should have an Azure Budget.

Azure budgets allow users to set spending thresholds and receive alerts when their Azure spending approaches or exceeds those thresholds. This helps organizations manage and control their Azure spending by providing visibility into usage and costs. It helps you avoid being surprised by a large bill at the end of the month, and you would be shocked at the costs that can accumulate over a month.
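As an added example (not from the original post), here is a Bicep file that puts a monthly cost budget on a subscription, with an alert at 80% of actual spend and another when the forecast says the month will pass 100%. The budget name, amount, start date and contact e-mails are assumed parameters; deploy it with `az deployment sub create --location <region> --template-file budget.bicep`.

```bicep
// Added example, not the post's own code. Deployed at subscription scope so every
// subscription can get the same budget from one template. All values below are assumptions.
targetScope = 'subscription'

@description('Name of the budget (assumed)')
param budgetName string = 'monthly-budget'

@description('Monthly spend threshold in the billing currency (assumed)')
param monthlyAmount int = 1000

@description('Who receives the alert e-mails (assumed placeholder address)')
param contactEmails array = [
  'finops@example.com'
]

@description('First day of the month the budget starts; must be the 1st of a month (assumed)')
param startDate string = '2024-03-01'

resource budget 'Microsoft.Consumption/budgets@2021-10-01' = {
  name: budgetName
  properties: {
    category: 'Cost'
    amount: monthlyAmount
    timeGrain: 'Monthly'
    timePeriod: {
      // endDate is optional; without it the budget keeps running for years
      startDate: startDate
    }
    notifications: {
      // Real spend so far this month has passed 80% of the budget
      Actual_GreaterThan_80_Percent: {
        enabled: true
        operator: 'GreaterThan'
        threshold: 80
        thresholdType: 'Actual'
        contactEmails: contactEmails
      }
      // Azure's forecast for the month has passed 100% of the budget, so you hear
      // about it before the bill arrives rather than after
      Forecasted_GreaterThan_100_Percent: {
        enabled: true
        operator: 'GreaterThan'
        threshold: 100
        thresholdType: 'Forecasted'
        contactEmails: contactEmails
      }
    }
  }
}
```

A budget only alerts; it does not stop resources from being billed, so the alert still needs someone to act on it.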


Summary

Check Advisor weekly, add a budget to all of your subscriptions, resize your Virtual Machines, make use of reservations, check how much you’re spending on logging, and also make sure you turn on Defender for Cloud (security thing not a cost thing).



Visiting Seattle (MVP Summit 2024)

If you are intending on visiting Seattle any time soon, especially for the upcoming MVP Summit in March 2024, then this blog post will help. (You may need an ESTA or visa for the States – https://esta.cbp.dhs.gov/esta)

Where to stay: ok so there are lots of hotels. My advice is either to stay near Redmond (google for the Aloft Seattle Redmond; this is near to the campus but there is not much to do at night) or go for somewhere in Bellevue. Last year I stayed at the Hilton Bellevue (Address: 300 112th Avenue Southeast, Bellevue, WA 98004, United States) and it was good; lots of other MVPs were staying there or in the other couple of hotels next to it. If you stay there it’s a 15 min walk into Bellevue, so just enough to work up an appetite or long enough to have a laugh walking home in a group of friends.

Advice – use something like booking.com and get a hotel with a free cancellation, book early.

Ok so assuming you have your flight and hotel booked, what are the things to do once in Seattle? Here is a list of some of the things I found to be nice to see / good fun.

Downtown Seattle (not near much but it’s where the sightseeing is)

  • Seattle Kraken ice hockey was outstanding and I would go back
  • Space Needle, go up just as it’s about to get dark for some awesome photos and views
  • Take the ferry to Bainbridge Island; if you have a car deffo go for a drive, if not it’s still worth doing. Again, try to come back in the dark as the views are awesome
  • Seattle Spin, friendly bar with table tennis tables and it’s good fun, just don’t fall and almost break your ankle like I did.
  • Pike Place Market, go there and wander about and check out all the shops downstairs, there is a lot to see; breakfast there is a good start to the morning.
  • The original Starbucks is across the road from the Pike Place Market
  • Seattle Underground

You can see most of the sights in Downtown in a day or less so look into other things to do.

Bellevue (where you will be a lot of the time when not at campus)

This list will grow over time as I update it.

Other Tips

The week is a long week so pace yourself. You get to be on campus, which is just amazing, and you get a badge which means you get to use the free shuttle buses and taxis onsite to get from building to building. The Microsoft campus is huge, and I do mean huge; check out the visitor centre and the tree houses, which from memory are behind building 32 – https://www.google.com/maps/place/Microsoft+Treehouse/@47.6434445,-122.126478,17z/data=!3m1!4b1!4m6!3m5!1s0x54906d7a717097e1:0x5bc5877a17a05faa!8m2!3d47.643441!4d-122.1216071!16s%2Fg%2F11hckqvgp6?entry=ttu

Most people fly home Saturday as there might, and I do mean might, be something on Friday, but not always.

Summary

I wrote this quickly, but if you have any questions do let me know (ask on Twitter), oh and Vancouver is only like 2 hours away.



Azure Front Door and access restrictions

Lots of you may be familiar with Azure Front Door, but if not then let me summarize.

Azure Front Door is a cloud-based service from Microsoft Azure that provides a scalable and secure way to route traffic to various backend services, such as web applications, APIs, and microservices. It acts as a global load balancer that can intelligently distribute traffic across multiple regions based on geographic location, latency, and other metrics.

Some of the key features of Azure Front Door include:

  1. Global load balancing: Azure Front Door can intelligently distribute traffic across multiple backend services located in different regions, ensuring optimal performance and availability for users worldwide.
  2. Security: Azure Front Door provides SSL termination, DDoS protection, and other security features to help protect your backend services from malicious attacks.
  3. Traffic routing: Azure Front Door can route traffic based on user location, content type, URL path, and other criteria, making it easy to implement complex traffic routing scenarios.
  4. High availability: Azure Front Door is designed to provide high availability and reliability, with built-in redundancy and automatic failover capabilities.
  5. Analytics: Azure Front Door provides detailed analytics and monitoring capabilities, including real-time metrics, logs, and alerts, to help you optimize your traffic routing and improve the performance of your backend services.

Overall, Azure Front Door is a powerful tool for managing and optimizing traffic to your backend services, helping to ensure high performance, scalability, and security for your applications and APIs.

When you create an Azure Web App, out of the box you get a website whose name ends with .azurewebsites.net. Many customers want to use a custom domain name so that it is much cleaner and nicer, like gregorsuttie.com instead of gregorsuttie.azurewebsites.net.

So if you are using Azure Front Door as part of a solution along with a custom domain, and you would like to restrict access so that users cannot go directly to the .azurewebsites.net address, then you can go to Networking on the Web App and use what’s called an Access restriction.

Now they will see this instead:-

You can even whitelist IP addresses so that certain users can still use the .azurewebsites.net address as well as the Kudu interface.
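The same access restriction as Bicep rather than portal clicks, added here as an example (not the post’s own code). It allows the main site only from the AzureFrontDoor.Backend service tag AND only when the request carries your own Front Door profile ID in the X-Azure-FDID header; the service tag on its own would let traffic from anyone else’s Front Door profile reach your .azurewebsites.net backend. The Kudu (SCM) site gets a separate rule for one whitelisted IP. webAppName, serverFarmId, frontDoorId and officeIp are assumed parameters.

```bicep
// Added example, not from the original post. Parameter values are assumptions.
param webAppName string
param location string = resourceGroup().location
param serverFarmId string

@description('Front Door profile ID, shown on the Front Door overview blade (assumed)')
param frontDoorId string

@description('One public IP allowed to reach the Kudu / SCM site directly (constructed sample)')
param officeIp string = '203.0.113.10/32'

resource site 'Microsoft.Web/sites@2022-09-01' = {
  name: webAppName
  location: location
  properties: {
    serverFarmId: serverFarmId
    httpsOnly: true
    siteConfig: {
      // Main site: Front Door backend service tag AND our profile's ID in X-Azure-FDID.
      // Without the header filter, any Front Door profile could still reach this backend.
      ipSecurityRestrictions: [
        {
          name: 'Allow-our-Front-Door-only'
          action: 'Allow'
          priority: 100
          tag: 'ServiceTag'
          ipAddress: 'AzureFrontDoor.Backend'
          headers: {
            'x-azure-fdid': [
              frontDoorId
            ]
          }
        }
      ]
      // Everything not matched above is denied (this is the page shown to direct visitors)
      ipSecurityRestrictionsDefaultAction: 'Deny'

      // Kudu / SCM site: do not inherit the main rules, only the whitelisted office IP
      scmIpSecurityRestrictionsUseMain: false
      scmIpSecurityRestrictions: [
        {
          name: 'Allow-office-to-Kudu'
          action: 'Allow'
          priority: 100
          ipAddress: officeIp
        }
      ]
      scmIpSecurityRestrictionsDefaultAction: 'Deny'
    }
  }
}
```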

Don’t forget to subscribe to my YouTube channel and my newsletter.



Ignite 2023 In-Person Review

This blog post covers my recent trip to Seattle for the Microsoft Ignite conference last week. I always give my honest opinion and have no filter: last year’s Ignite wasn’t great, this year’s was very much improved, and here is why.

This year’s Ignite was in a new venue, right next door to last year’s, but now it’s in the newer Seattle Convention Center, and the venue itself works great: not huge amounts of walking, and the layout just works. The weather was good, the atmosphere was good all week, there was swag, and even the Ignite bag option made a welcome return. Satya was there in person for the keynote, which was awesome to attend.

I enjoyed this year’s Ignite for several reasons. I thought the sessions were of a good standard; some people are still saying there is not enough deep-dive content, but all said and done I thought it hit the mark.

I felt like I was witnessing the dawn of a new era. It really did feel like this is the age of AI. Now I know we’re all sick of hearing about copilots and AI etc. etc., but this is the start of a huge change in the industry; our way of working is already changing and we are just starting out on the journey. I can’t wait to see where we are this time next year: as these language models and the tooling around them get better, we can invent new ways of working faster and smarter – bring it on.

If you or your company aren’t seriously looking into AI and what it offers, I think you’ll be missing out for sure.

So Ignite was better because of the following reasons:-

  • Speakers hung around after sessions to talk
  • The Ask the Experts area was super popular
  • The venue made it easy to find rooms and move around
  • The community lounge had some heavy hitters stop by and hang out, chat, and let people network with them
  • The keynotes were in a cool venue with a nice atmosphere
  • The content was all about the era of AI, but it’s exciting times and a lot of the sessions demoed what’s new and what’s coming next
  • We had some new MVP networking meetups with the Azure Cosmos DB team on campus and the Azure MVP Leads
  • Networking with old and new friends and just enjoying learning about new technologies and generally having fun. A big thing for me is meeting the people I connect with online, so it’s so much fun to meet them in person and say hi.
  • The after parties were pretty good, I really enjoyed the silent disco, not gonna lie

Highlights included meeting Brendan Burns, Mark Russinovich, Erin Chapple, some guys called Patch and Switch (dunno who they are really), and going to watch the Seattle Kraken, which was awesome!

See you in Vegas next year!



OpenSource walkthrough step by step LIVE!

Last night I interviewed a chap on my stream called John Aziz. John is 22 years of age and is a Gold Microsoft Student Ambassador. His name popped up when I saw this tweet from Savannah Ostrowski, who is the Product Lead for the Azure Developer CLI.

I love open source and I hear good things about Hacktoberfest, which is a month-long celebration of open-source projects, their maintainers, and the entire community of contributors.

I wanted to know more about John and his open source contributions, especially as they relate to the Azure Developer CLI, which I think anyone into Azure at all (not just devs) should check out ASAP.

John came onto my stream last night and introduced himself, introduced Hacktoberfest, and talked people through how they can get started in open source and in Hacktoberfest itself.

John then picks an issue that needs resolving and starts to work on it LIVE – ok, now this is seriously impressive. I honestly haven’t seen anyone do this yet; I’m sure people do this on streams, but I had never spoken to John before, he’s 22, and he doesn’t even know the Go programming language.

I was thoroughly impressed; if you’re interested in watching, the link is below.

John is going to be working at Microsoft some day, and probably not long from now; I have no doubts about that. I hope you enjoy the video and learning about open source and how to get started.



3 New Azure Bicep Features

Recently I invited Freek Berson onto my Azure livestream to discuss Bicep and for Freek to demo 3 of his favourite new features.

Freek and I chatted about

  • What is Bicep?
  • How is Bicep being adopted?
  • Why is IaC important?
  • Demo: Bicep Parameter Files
  • Demo: Opinionated Formatting
  • Demo: Deployment Stacks
  • What you need to use these features
  • Call to Action

You can catch the livestream below

Please subscribe and leave comments 🙂





Dapr 101: with Azure Greg and Marc Duiker

This past week I was joined by Marc Duiker on my Azure stream. Marc came on to give an intro to Dapr and show a few examples of why Dapr is such an interesting project if you are doing a Cloud Native project, especially if you are interested in learning more about microservices and are looking for a way to make the complex areas of microservices far less complex.

“Dapr (Distributed Application Runtime) is a free and open source runtime system designed to support cloud native and serverless computing. Its initial release supported SDKs and APIs for Java, .NET, Python, and Go, and targeted the Kubernetes cloud deployment system.”

In our livestream Marc introduces Dapr and runs through just a couple of slides before we dive into Visual Studio Code, crack open the code, and he starts showing me some demonstrations using the Dapr CLI, covering the following:-

  • Dapr 101: start building distributed applications with ease
  • Dapr building block API’s
  • When is it really useful to use Dapr?
  • Demo: State management using Dapr
  • Demo: Resiliency built into Dapr
  • Demo: Workflows using Dapr
  • Demo: Chaining Workflows using Dapr
  • Demo: Observability using Dapr

If you would like to watch the video and learn more then you can watch the video from here:

Please subscribe and leave comments 🙂





Outstanding Contribution to Microsoft Community – Global Winner

Proud of this one and decided to blog about it so I have it on my blog.

4 years ago I had no Azure experience; hard work pays off. Time to plan what’s next…



Azure VM Extensions: Part 3 Refactoring our code

In this last part about Azure VM Extensions I will make a couple of changes to refactor and make things better. Once you have more time, go back and refactor your code; it’s a good feeling to go back and improve upon the code.

So in this case I wanted to use Managed Identities for the CustomScriptExtension, and I couldn’t get it working at first, so due to time pressures I resorted to using SAS tokens. The thing I soon realised was that this is not the best way to go, and I really wanted to revisit the codebase and get Managed Identities working.

I see a lot of people create System Assigned Managed Identities, and I try my best not to use these as they are tied to a resource; I always create a Managed Identity from the Azure Portal or Bicep first and then use that.

So I refactored my Bicep code for the CustomScriptExtension to use the Managed Identity I’ve created, and now the code no longer needs to generate a new SAS token each time it runs and pass that in; it’s more secure to use a User Assigned Managed Identity.

@description('Deploy required userManagedIdentity')
module userManagedIdentity './modules/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep' =  {
  scope: resourceGroup(multiTenantResourceGroupName)
  name: userManagedIdentityName
  params: {
    name: userManagedIdentityName
    location: location
    tags: tags
  }
  dependsOn: resourceGroups
}

The above Bicep code creates our User Assigned Managed Identity and then we can make use of this within our CustomScriptExtension like so.

module virtualMachineName_ZabixxInstaller './modules/Microsoft.Compute/virtualMachines/extensions/deploy.bicep' = {
  scope: resourceGroup(multiTenantResourceGroupName)
  name: 'ZabixxInstaller'
  params: {
    enableAutomaticUpgrade: false
    name: 'ZabixxInstaller'
    publisher: 'Microsoft.Compute'
    type: 'CustomScriptExtension'
    typeHandlerVersion: '1.10'
    virtualMachineName: virtualMachineNameBackend
    location: location
    autoUpgradeMinorVersion: true
    settings: {
      // No SAS token on the URIs any more; the extension downloads the blobs using the identity below
      fileUris: [
        'https://${storageAccountName}.blob.core.windows.net/${containername}/InstallZabbixAgent.ps1'
        'https://${storageAccountName}.blob.core.windows.net/${containername}/zabbix.zip'
      ]
    }
    protectedSettings: {
      commandToExecute: 'powershell.exe -ExecutionPolicy Unrestricted -File InstallZabbixAgent.ps1'
      // The User Assigned Managed Identity created above, referenced by its object (principal) ID
      managedIdentity: {
        objectId: userManagedIdentity.outputs.principalId
      }
    }
  }
  dependsOn: [
    resourceGroups
    virtualMachineBackend
  ]
}
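Two things the extension config above depends on but does not show: the identity has to be attached to the VM, and it needs read access to the blobs in the scripts container. As an added example (not the post’s own code), the Bicep below creates the identity and grants it the built-in Storage Blob Data Reader role on just that container rather than the whole storage account. The identity, storage account and container names are assumed.

```bicep
// Added example, not from the original post. Names and parameters are assumptions.
param location string = resourceGroup().location
param identityName string = 'id-vm-scripts'
param storageAccountName string
param containerName string = 'scripts'

// User Assigned identity, created as its own resource (same idea as the userManagedIdentity module)
resource scriptsIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// Existing storage account / container that holds InstallZabbixAgent.ps1 and zabbix.zip
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' existing = {
  parent: storageAccount
  name: 'default'
}

resource scriptsContainer 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' existing = {
  parent: blobService
  name: containerName
}

// Built-in role "Storage Blob Data Reader": read-only, so the VM can fetch the script but
// never write to the account. Unlike a SAS there is nothing to rotate, expire or leak in settings.
var storageBlobDataReaderRoleId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
)

// Scoped to the container only (least privilege), not the storage account or resource group
resource readScripts 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(scriptsContainer.id, scriptsIdentity.id, storageBlobDataReaderRoleId)
  scope: scriptsContainer
  properties: {
    roleDefinitionId: storageBlobDataReaderRoleId
    principalId: scriptsIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

// The identity must also be attached to the VM resource itself (not shown here), i.e. on the VM:
//   identity: {
//     type: 'UserAssigned'
//     userAssignedIdentities: { '${scriptsIdentity.id}': {} }
//   }
// Then the extension's managedIdentity block can reference this identity's principal ID.
output scriptsIdentityPrincipalId string = scriptsIdentity.properties.principalId
```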

Summary

In summary we went from generating a SAS token off of the Azure Storage account to changing this to use a User Assigned Managed Identity which is more secure.






Azure VM Extensions: Part 2 CustomScriptExtension

This blog post covers some of the battles I have had trying to install some software onto a VM within Azure. There are many ways to go about this and at the end of the day, yeah you live to fight another day.

High level requirements:

1 – Install the Zabbix Agent (which is a Windows service) onto the same VM and ensure the service starts correctly.

Like most things in life there is more than one way to do something: I could have used Run Commands, or I could have added this step onto the DSC from Part 1, etc. etc.

I went with using an Azure CustomScriptExtension, maybe not the best option, who knows, but here is how to get this working.

module virtualMachineName_ZabixxInstaller './modules/Microsoft.Compute/virtualMachines/extensions/deploy.bicep' = {
  scope: resourceGroup(multiTenantResourceGroupName)
  name: 'ZabixxInstaller'
  params: {
    enableAutomaticUpgrade: false
    name: 'ZabixxInstaller'
    publisher: 'Microsoft.Compute'
    type: 'CustomScriptExtension'
    typeHandlerVersion: '1.10'
    virtualMachineName: virtualMachineNameBackend
    location: location
    autoUpgradeMinorVersion: true
    settings: {
      // Each URI carries the SAS token (DSCSAS) generated at deployment time
      fileUris: [
        'https://${storageAccountName}.blob.core.windows.net/${containername}/InstallZabbixAgentGS.ps1?${DSCSAS}'
        'https://${storageAccountName}.blob.core.windows.net/${containername}/zabbix.zip?${DSCSAS}'
      ]
    }
    protectedSettings: {
      commandToExecute: 'powershell.exe -ExecutionPolicy Unrestricted -File InstallZabbixAgentGS.ps1'
      managedIdentity: {}
    }
  }
  dependsOn: [
    resourceGroups
    virtualMachineBackend
  ]
}

So let’s break this code down. Firstly, I make use of the already written Azure Bicep Resource Modules, which you can grab here :- https://github.com/Azure/ResourceModules/

I’m also using version 1.10 of this extension so make sure to watch out for that.

The fileUris point to a storage account that has public access DISABLED (enabling public access is not what you want); notice the part at the end of each URI, which is a SAS token. I tried to get this working using a Managed Identity and gave up as I was running out of time. The docs say you can use a Managed Identity, and maybe I will go back and try this now that I have more time, then update this blog post.

“If I generate a new SAS each time you deploy based on deployment time, it will re-run the Script extensions every time, since that SAS value changes. If you move to Managed Identity, the script extension does not have to process when you redeploy, it will be skipped, since the configuration/settings didn’t change. If you want it to redeploy, with no changes, then you can change the value of the forceUpdateTag value.”

Huge shout out to https://github.com/brwilkinson, he was helping me with this a LOT and was super helpful. I owe it to him for helping me get this working, and I owe it to him to go back and test it using Managed Identity.

Summary

So in summary, I am generating a SAS token from the existing storage account, like I do in Part 1, and then I pass that into fileUris so that I don’t run into permission issues.

