Tuesday, May 24, 2016

Azure Resource Lock: Safeguard Your Critical Resources

Prevention is better than cure. There have been quite a few instances when I thought I should have applied this logic. It matters even more when you are working in the public cloud, and more so when you are dealing with mission-critical resources there. There must have been numerous occasions when you needed to protect your resources from unwarranted human actions; to put it bluntly, we are seeking a solution that prevents other users in the organization from accidentally deleting or modifying critical resources.

Azure gives us a couple of ways to apply that level of control. The first is role-based access control (RBAC): with the Reader and the various Contributor roles, RBAC is a great way to help protect resources in Azure, because you can effectively limit the actions that a user can take against a resource. However, even with one of the Contributor roles it is still possible to delete specific resources, which makes it very easy to accidentally delete an item.


Azure Resource Lock gives you the options with which you can effectively control any such adventure. Unlike RBAC, management locks apply a restriction across all users and roles. To learn about setting permissions for users and roles, see Azure Role-based Access Control. Using a resource lock you can lock a particular subscription, a particular resource group, or even a specific resource. With a lock in place, authorized users can still read or modify the resources, but they CAN NOT breach that lock and delete them.


To make this happen you apply a resource lock level to one of the aforementioned scopes. You can set the lock level to CanNotDelete or ReadOnly (as of now these two are the only options supported). CanNotDelete means authorized users can still read and modify a resource, but they can't delete it. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it.

When you apply a lock at a parent scope, all child resources inherit the same lock.

One point worth mentioning here is that you will also need to be in either the Owner or the User Access Administrator role for the desired scope, because working with resource locks requires access to the Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions (only these two roles carry the appropriate permissions).

Create Resource Lock Using ARM Template


With an Azure Resource Manager template we can lock resources at the time of their creation. An ARM template is a JSON-formatted file that provides a declarative way to define the deployment of Azure resources.

Here is an example of how to create a lock on a particular storage account:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "lockedResource": {
      "type": "string"
    }
  },
  "resources": [
    {
      "name": "[concat(parameters('lockedResource'), '/Microsoft.Authorization/utLock')]",
      "type": "Microsoft.Storage/storageAccounts/providers/locks",
      "apiVersion": "2015-01-01",
      "properties": {
        "level": "CannotDelete"
      }
    }
  ]
}

If you look at the example closely, the name of the storage account comes in via the parameter, and the most important section to notice is how the lock (utLock) is created by concatenating the resource name with /Microsoft.Authorization/ and the name of the lock.

Create Resource Lock using PowerShell

Placing a resource lock on an entire resource group can be helpful in situations where you want to ensure that no resources in that group are deleted. In the example below I have tried to create a resource lock on a particular resource group, "UT-RG":

New-AzureResourceLock -LockLevel CanNotDelete `
 -LockNotes 'No deleting!' `
 -LockName 'utLock' `
 -ResourceGroup 'UT-RG' -Verbose

To remove the resource lock, use the Remove-AzureResourceLock cmdlet and make sure you provide the proper ResourceId:

# Remove the lock (here the storage-account lock 'utLock' created above)
Remove-AzureResourceLock -ResourceId '/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/UT-RG/providers/Microsoft.Storage/storageAccounts/utsrt/providers/Microsoft.Authorization/locks/utLock'
# Deleting the resource group (only succeeds once no lock applies to it)
Remove-AzureResourceGroup -Name 'UT-RG' -Force -Verbose

Of late Azure has brought this support to the ARM portal as well. To achieve the same thing via the portal, click the Settings blade for the resource, resource group, or subscription that you wish to lock and select Locks. When prompted, give the lock a name and a lock level, and you are immune to the unwanted situations discussed above. It also gives you the option to lock an entire subscription to ReadOnly if malicious activity is detected.
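The PowerShell snippets above create and remove a lock as one-off commands. The script below is an added example, not code from the original post, that turns the same idea into an idempotent guard you can run from a deployment pipeline: it checks whether a named lock already exists on a resource group, creates it if it is missing, and warns when the existing lock is weaker than the level you asked for. It assumes the same AzureResourceManager-mode cmdlets used above (New-AzureResourceLock, Remove-AzureResourceLock) plus Get-AzureResourceLock with matching -LockName and -ResourceGroup parameters; the property path $lock.Properties.level is assumed from the lock resource's JSON shape shown in the ARM template, so confirm both against Get-Help in your module version.

```powershell
# Added example (not from the original post).
# Assumptions: Get-AzureResourceLock exists with -LockName/-ResourceGroup parameters
# like New-AzureResourceLock, and a lock object exposes its level at .Properties.level.

function Ensure-ResourceGroupLock {
    param(
        [Parameter(Mandatory = $true)] [string] $ResourceGroup,
        [ValidateSet('CanNotDelete', 'ReadOnly')] [string] $LockLevel = 'CanNotDelete',
        [string] $LockName  = 'utLock',
        [string] $LockNotes = 'Managed lock - remove only through change control'
    )

    # Look for an existing lock with this name at resource-group scope.
    $existing = Get-AzureResourceLock -LockName $LockName -ResourceGroup $ResourceGroup `
                                      -ErrorAction SilentlyContinue

    if (-not $existing) {
        Write-Verbose "No lock '$LockName' on '$ResourceGroup'; creating a $LockLevel lock."
        return New-AzureResourceLock -LockLevel $LockLevel `
                                     -LockNotes $LockNotes `
                                     -LockName  $LockName `
                                     -ResourceGroup $ResourceGroup
    }

    # A lock already exists. ReadOnly is stricter than CanNotDelete, so report a lock
    # that is weaker than the requested level rather than silently accepting it.
    $current = $existing.Properties.level   # assumed property path (see lead-in)
    if ($LockLevel -eq 'ReadOnly' -and $current -eq 'CanNotDelete') {
        Write-Warning "Lock '$LockName' on '$ResourceGroup' is $current; expected $LockLevel. Recreate it to tighten."
    }
    else {
        Write-Verbose "Lock '$LockName' on '$ResourceGroup' already present at level $current."
    }
    return $existing
}

# Usage: enforce a CanNotDelete lock on the post's resource group, then list every
# lock in that group so the result can be reviewed (child resources inherit it).
Ensure-ResourceGroupLock -ResourceGroup 'UT-RG' -Verbose
Get-AzureResourceLock -ResourceGroup 'UT-RG' |
    Select-Object Name,
                  @{ n = 'Level'; e = { $_.Properties.level } },
                  @{ n = 'Notes'; e = { $_.Properties.notes } }
```

Because the function never removes or downgrades a lock, it is safe to run on every deployment; tightening or removing a lock stays a deliberate, separately audited step, which is the whole point of a lock that sits above RBAC.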

Wednesday, May 11, 2016

Solutions in Azure : Azure CDN for Maximum Bandwidth & Reduced Latency - Part II

From the first part of the article we can conclude that the CDN's job is to enhance your regular hosting by reducing bandwidth consumption, minimizing latency and providing the scalability needed to handle abnormal traffic loads. It cuts down round-trip time (RTT), effectively giving end users a similar response irrespective of their geographical location.

MicroMarketMonitor's recent report clearly states that the North American content delivery network market alone is expected to grow from $1.95 billion in 2013 to $7.83 billion in 2019. One significant factor driving this growth is end-user interaction with online content. So, going forward, it is going to be a major factor when architecting any online application.

Azure CDN Highlights


1. Improve rendering speed & Handle high traffic loads
Azure CDN serves content from its large network of POPs (points of presence). This dramatically increases speed and availability, resulting in significant user-experience improvements.
2. Designed for today’s web
Azure CDN is specifically designed for the dynamic, media-centric web of today, and caters to users who expect everything to be fast, high quality, and always on.
3. Streaming Aware Era
Azure CDN can help with all three ways of serving video over HTTP: progressive download and play, HTTP pseudo-streaming, and live streaming.
4. Dynamic Content Acceleration
Looking at the nitty-gritty of Azure CDN, it also uses a series of techniques to serve uncacheable content faster. For example, it can route all communication from a client in India to a server in the US through an edge in India and an edge in the US. It then maintains a persistent connection between those two edges and applies WAN optimization techniques to accelerate it.
5. Block spammers, scrapers and other bad bots
Azure Content Delivery Network is built on a highly scalable, reverse-proxy architecture with sophisticated DDoS identification and mitigation technologies to protect your website from DDoS attacks. 
6. When the expectations are at peak, Azure CDN delivers
Thanks to its distributed global scale, Azure Content Delivery Network handles sudden traffic spikes and heavy loads, like the start of a major product launch or global sporting event.

Working With Azure Storage


Once the CDN is enabled on an Azure storage account, any blobs that are in public containers and are available for anonymous access will be cached via the CDN. Only blobs that are publicly available can be cached with the Azure CDN. To make a blob publicly available for anonymous access, you must denote its container as public. Once you do so, all blobs within that container will be available for anonymous read access. You have the option of making container data public as well, or restricting access only to the blobs within it.

For best performance, use CDN edge caching for delivering blobs less than 10 GB in size.
When you enable CDN access for a storage account, the Management Portal provides you with a CDN domain name in the following format: http://.vo.msecnd.net/. This domain name can be used to access blobs in a public container. For example, given a public container named music in a storage account named myaccount, users can access the blobs in that container using either of the following two URLs:
  • Azure Blob service URL: http://myAccount.blob.core.windows.net/music/
  • Azure CDN URL: http://.vo.msecnd.net/music/
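Since enabling the CDN on a storage account caches every blob in every public container, the first thing to review is which containers are actually public. The script below is an added example, not code from the original post, that reports each container's public-access setting and the two URL forms described above. It uses the Azure.Storage cmdlets New-AzureStorageContext and Get-AzureStorageContainer; the PublicAccess property on each container object (Off, Blob or Container) is assumed from that module's container object, and the CDN endpoint name is a placeholder you replace with the one the portal assigned.

```powershell
# Added example (not from the original post).
# Assumptions: Get-AzureStorageContainer output exposes .PublicAccess with the values
# Off / Blob / Container; <cdn-endpoint-name> is the endpoint the portal assigned.

function Get-PublicContainerReport {
    param(
        [Parameter(Mandatory = $true)] [string] $StorageAccountName,
        [Parameter(Mandatory = $true)] [string] $StorageAccountKey,
        [string] $CdnEndpointName = '<cdn-endpoint-name>'   # placeholder, not a real endpoint
    )

    $ctx = New-AzureStorageContext -StorageAccountName $StorageAccountName `
                                   -StorageAccountKey  $StorageAccountKey

    Get-AzureStorageContainer -Context $ctx | ForEach-Object {
        # Off  : private, never cached by the CDN
        # Blob : blobs are readable anonymously, container listing is not
        # Container : blobs readable and the container can be enumerated
        $isPublic = ($_.PublicAccess -ne 'Off')

        [pscustomobject]@{
            Container    = $_.Name
            PublicAccess = $_.PublicAccess
            CdnCacheable = $isPublic
            Listable     = ($_.PublicAccess -eq 'Container')
            BlobUrl      = "http://$StorageAccountName.blob.core.windows.net/$($_.Name)/"
            CdnUrl       = if ($isPublic) { "http://$CdnEndpointName.vo.msecnd.net/$($_.Name)/" } else { $null }
        }
    }
}

# Usage: review what the CDN would expose before (or after) enabling it on the account.
# Containers flagged Listable expose their full blob inventory, not just individual blobs.
Get-PublicContainerReport -StorageAccountName 'myaccount' -StorageAccountKey '<storage-account-key>' |
    Format-Table -AutoSize
```

Run it before turning the CDN on and again after any container ACL change: a container that was flipped to public for a one-off download will otherwise be served worldwide from every POP until the cached copies expire.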

Working With Azure Websites


You can enable CDN from your websites to cache your web contents, such as images, scripts, and stylesheets. See Integrate an Azure Website with Azure CDN.
When you enable CDN access for a website, the Management Portal provides you with a CDN domain name in the following format: http://.vo.msecnd.net/. This domain name can be used to retrieve objects from a website. For example, given a public container named cdn and an image file called music.png, users can access the object using either of the following two URLs:

  • Azure Website URL: http://mySiteName.azurewebsites.net/cdn/music.png
  • Azure CDN URL: http://.vo.msecnd.net/cdn/music.png

Working With Azure Cloud Services


You can cache objects to the CDN that are provided by an Azure cloud service. Caching for cloud services has the following constraints:
  • The CDN should be used to cache static content only.
  • Your cloud service must be in a production deployment.
  • Your cloud service must provide the object on port 80 using HTTP.
  • The cloud service must place the content to be cached in, or delivered from, the /cdn folder on the cloud service.
When you enable CDN access for a cloud service, the Management Portal provides you with a CDN domain name in the following format: http://.vo.msecnd.net/. This domain name can be used to retrieve objects from a cloud service. For example, given a cloud service named myHostedService and an ASP.NET web page called music.aspx that delivers content, users can access the object using either of the following two URLs:
  • Azure cloud service URL: http://myHostedService.cloudapp.net/cdn/music.aspx
  • Azure CDN URL: http://.vo.msecnd.net/music.aspx

Accessing Cached Content over HTTPS

Azure allows you to retrieve content from the CDN using HTTPS calls. This allows you to incorporate content cached in the CDN into secure web pages without receiving warnings about mixed security content types.

To serve your CDN assets over HTTPS there are a couple of constraints worth mentioning:

  • You must use the certificate provided by the CDN. Third party certificates are not supported.
  • You must use the CDN domain to access content. HTTPS support is not available for custom domain names (CNAMEs) since the CDN does not support custom certificates at this time.

Even when HTTPS is enabled, content from the CDN can be retrieved using both HTTP and HTTPS.

Note: If you've created a CDN for an Azure Cloud Service (e.g. http://[XYZ].cloudapp.net/cdn/), it's important that you create a self-signed certificate for your Azure domain ([XYZ].cloudapp.net). If you're using Azure Virtual Machines, this can be done through IIS.

Custom Domain to Content Delivery Network (CDN) endpoint

If you want to access the cached content through a custom domain, Azure lets you map your domain to a particular CDN endpoint. With that in place you can use your own domain name in URLs to retrieve the cached content.

For detailed information on implementation, please check Map CDN to Custom Domain.

CDNs are an essential part of the current generation's Internet, and they're only going to become more important as time goes on. Even now, companies are hard at work figuring out ways to move more functionality to edge servers (POP locations) in order to give users the fastest possible experience. Azure CDN plays a vital role here, as it satisfies current-generation CDN requirements. When implementing Azure CDN (or any CDN, for that matter), the important thing is to formulate a strategy for the maximum lifespan of an object beforehand.

P.S.: As of now you can't use your own custom domain or SSL certificate with Azure CDN, but that support will eventually be coming.

Related Articles: Solutions In Azure: Azure CDN