Terraform and Azure

Notes

  • Azure will let you create your own custom Dashboards
  • ARM templates (aka Azure Resource Management) – predefined infrastructure using JSON
  • E.g. using Azure Cloud Shell (which includes terraform, git, etc): git clone https://github.com/scarolan/azure-terraform-beginners
  • Edit terraform.tfvars
    • resource_group
    • hostname (dashes OK, probably not underscores)
    • location: get a list using az account list-locations --output table
    • az vm list-skus -l westindia --output table | grep Standard_A0
  • terraform init: gets workspace ready, pulls in plugins and modules
  • terraform plan
  • terraform apply
  • See it being built in real-time in resource groups

Notes on the code: https://github.com/scarolan/azure-terraform-beginners

  • main.tf:
    • azurerm_resource_group: Azure must have a resource group
    • azurerm_virtual_network
    • azurerm_subnet
    • azurerm_network_security_group
    • azurerm_network_interface
    • provisioner “remote-exec” – simple remote exec. Could use Ansible, Chef
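As an added example (not the contents of the repo's main.tf), here is a minimal main.tf that declares the resources listed above, with the network security group allowing SSH only from an administrative range instead of from anywhere; the names, the admin CIDR (a TEST-NET-3 range) and the subnet-level NSG association are assumptions, and the NIC, VM and remote-exec provisioner are left out.

```hcl
provider "azurerm" {
  features {}
}
# Values the tutorial reads from terraform.tfvars (assumed placeholders).
variable "resource_group" { default = "tf-demo-rg" }
variable "hostname"       { default = "tf-demo-vm" }
variable "location"       { default = "eastus" }
variable "admin_cidr"     { default = "203.0.113.0/24" } # assumed admin range (TEST-NET-3)

resource "azurerm_resource_group" "rg" {
  name     = var.resource_group
  location = var.location
}

resource "azurerm_virtual_network" "vnet" {
  name                = "${var.hostname}-vnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}
resource "azurerm_subnet" "subnet" {
  name                 = "${var.hostname}-subnet"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.1.0/24"]
}

# One explicit inbound rule; Azure's default rules deny other inbound internet traffic.
resource "azurerm_network_security_group" "nsg" {
  name                = "${var.hostname}-nsg"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  security_rule {
    name                       = "ssh-from-admin-cidr"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = var.admin_cidr # not "*"
    destination_address_prefix = "*"
  }
}

# Attach the NSG to the subnet so every NIC placed in it inherits the rule.
resource "azurerm_subnet_network_security_group_association" "subnet_nsg" {
  subnet_id                 = azurerm_subnet.subnet.id
  network_security_group_id = azurerm_network_security_group.nsg.id
}
```

Run terraform init, plan and apply as in the steps above; the plan output lists the security_rule before anything is created, so a source_address_prefix of "*" or 0.0.0.0/0 is visible before apply.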


Azure Active Directory

Azure Active Directory now allows synchronisation between Azure AD and on-prem Directory Services.

Azure AD B2C

  • allows users to use 3rd party identities such as Facebook, Google or Microsoft ID (similar to AWS Federated Identity)

Azure AD Premium: supports password writeback.


Azure: Infrastructure and Networking

Azure Datacentres Architecture

Azure Datacentres

Terms

AWS              -> Azure
Placement Groups -> Affinity Groups


Fabric Controller

Some racks have a fabric controller which:

  • provisions VMs
  • heals failed VMs
  • rehydrates VMs
  • manages health and lifecycle of VMs

Azure Stamp / Cluster

  • shipping container
  • 20 rack group
  • all hardware in stamp uses same processor generation
  • 800 to 1000 individual servers very close together

Regional Availability and High Availability

Each rack functions as a fault domain.

Availability sets keep VMs available during downtime, both unscheduled (e.g. equipment failures) and scheduled maintenance.

You need to have VMs in an availability set to qualify for the Azure 99.95% SLA.

Availability set: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets#availability-set-overview

The closest I can find in AWS is this: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-increase-availability.html


Initial impressions of Microsoft Azure (with terminology in AWS-speak)

Initial impressions with Azure (having been in AWS)

Weird how, when you’re trying to log in via the command line, you have to open a browser window to complete the login.

And when you attempt to do az login -u <username> -p <password> as mentioned here:

https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest

it says

Logging in through command line is not supported. For cross-check, try 'az login' to authenticate through browser.

Azure concepts

See also https://dzone.com/articles/azure-for-the-aws-user-identity

Tenant => a user (or, in Microsoft-speak, a representative of an organisation)

https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant

Service Principal: a credential for your application (https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-create-service-principals).

You then assign permissions to the Service Principal via roles.

There is no Azure equivalent of an AWS IAM Role. Instead Azure has applications, service principals and RBAC.

E.g.

  • Applications: your apps OR 3rd party (e.g. Salesforce, Office 365)
  • Service Principals: identity assigned to these applications
  • RBAC – role based access control – assigned to users, groups or service principals
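An added example (not from the Microsoft docs linked above) of the three pieces in Terraform: an application, the service principal that is its identity, and a role assignment scoped to one resource group rather than the whole subscription. The resource group name, the application name and the provider versions are assumptions.

```hcl
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread", version = "~> 2.0" }
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
  }
}

provider "azurerm" {
  features {}
}

# The one resource group the automation is allowed to manage (assumed name).
data "azurerm_resource_group" "app" {
  name = "myResourceGroup"
}

# Application: what the automation is registered as in the tenant.
resource "azuread_application" "app" {
  display_name = "deploy-bot" # assumed name
}

# Service principal: the identity of that application in this tenant.
resource "azuread_service_principal" "sp" {
  application_id = azuread_application.app.application_id
}

# Credential the automation presents; Terraform state holds it, so keep state encrypted.
resource "azuread_service_principal_password" "sp_pw" {
  service_principal_id = azuread_service_principal.sp.object_id
}

# RBAC: a built-in role scoped to the resource group, not the subscription.
resource "azurerm_role_assignment" "sp_vm_contrib" {
  scope                = data.azurerm_resource_group.app.id
  role_definition_name = "Virtual Machine Contributor"
  principal_id         = azuread_service_principal.sp.object_id
}

output "client_id" {
  value = azuread_application.app.application_id
}

output "client_secret" {
  value     = azuread_service_principal_password.sp_pw.value
  sensitive = true
}
```

With these outputs, automation can log in without a browser using az login --service-principal -u <client_id> -p <client_secret> --tenant <tenant_id>, and anything it does outside myResourceGroup is refused by RBAC. The secret is only shown by terraform output client_secret and belongs in a secret store, not in tfvars.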

Resource Group: each resource must belong to a Resource Group.

A resource group is simply a logical construct that groups multiple resources together so they can be managed as a single entity. For example, resources that share a similar lifecycle, such as the resources for an n-tier application may be created or deleted as a group.

https://docs.microsoft.com/en-us/azure/architecture/cloud-adoption-guide/adoption-intro/azure-resource-access#what-is-an-azure-resource-group

Subscription:

a logical construct that groups together resource groups and their resources. However, an Azure subscription is also associated with the controls used by Azure resource manager.

https://docs.microsoft.com/en-us/azure/architecture/cloud-adoption-guide/adoption-intro/azure-resource-access#what-is-an-azure-resource-group

Storage

Note also Azure uses Storage Accounts which have blob containers and file shares rather than S3.


Install

homebrew install is good.

As I use zsh, it was odd to see a .bash_completion file being installed. Turns out the CLI has full tab completion for commands under the bash shell.

Login sucks

$ az login

Note, we have launched a browser for you to login. For old experience with device code, use "az login --use-device-code"

You have logged in. Now let us find all the subscriptions to which you have access…

No subscriptions were found for 'None'. If this is expected, use '--allow-no-subscriptions' to have tenant level accesses

$ az group create --name TutorialResources --location eastus

Please run 'az login' to setup account.

$ az login -u <username> -p <password>

Logging in through command line is not supported. For cross-check, try 'az login' to authenticate through browser.

Why do you have to login via a browser?!!

No subscriptions were found for 'None'

No subscriptions were found for 'None'. If this is expected, use '--allow-no-subscriptions' to have tenant level accesses

It’s easy to get bogged down in technical terms and, after a while you switch off. So, this one fooled me. I was thinking it was some technical jargon. No, it means you haven’t entered your credit card.

Even after you’ve entered your credit card I still got:

You have not created any subscriptions yet. (at https://portal.azure.com/#blade/Microsoft_Azure_Billing/MySubscriptionsBlade)

and the Add button was greyed out.

Good old Microsoft. The entire process looks and feels clunky even though it’s a brand new service (newer than AWS). Shades of IBM.

It turned out that, even though I had the Free plan, I was still getting the None error. After upgrading to Pay-As-You-Go I was able to do an az login. Still find the browser login bizarre though.

Spin up a VM

1. create a Resource Group

Note: a Resource Group is a logical construct that groups multiple resources together so they can be managed as a single entity (https://docs.microsoft.com/en-us/azure/architecture/cloud-adoption-guide/adoption-intro/azure-resource-access#what-is-an-azure-resource-group), e.g. an n-tier application.

az group create --name myResourceGroup --location eastus

I really don’t understand why Microsoft have to create a different naming convention to AWS for Regions. (i.e. eastus as opposed to us-east).

2. spin up your VM

And it sucks that Azure has a URL that’s ridiculously long. E.g. the URL for AWS you can almost type by hand:

https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#Instances:sort=instanceId

whereas for Azure it’s:

https://portal.azure.com/#blade/HubsExtension/DeploymentDetailsBlade/overview/id/%2Fsubscriptions%2F38ca8927-35a3-4f4b-bf11-0faf7dfe83e3%2FresourceGroups%2FmyResourceGroup%2Fproviders%2FMicrosoft.Resources%2Fdeployments%2Fvm_deploy_Fq3o8mNnoqLg0wiG97oEWNEDyFX5J2Xt

3. open ports

az vm open-port --port 80 --resource-group myResourceGroup --name myVM


Note the default for Azure is to spit out vast amounts of output after each command (whereas AWS is silent) – e.g. that last command had 221 lines of output afterwards.

4. connect to VM

ssh azureuser@publicIpAddress

(this took a loooong time to connect)

5. install web server

sudo apt-get -y update

sudo apt-get -y install nginx

Refreshingly, the demo uses ssh and nginx rather than some Microsoft’y version.

6. test

Locally:

curl localhost

which defaults to port 80.

Then open up publicIpAddress in a browser.

7. cleaning up

az group delete --name myResourceGroup

Note: you need to enter y, not yes, at the command line to confirm. Out of habit, I entered yes a few times and wondered why it wasn’t accepting it. My bad, it does actually prompt you for y.

See also https://docs.microsoft.com/en-us/azure/virtual-machines/linux/quick-create-cli

And other guides:

https://docs.microsoft.com/en-us/azure/virtual-machines/linux/