There’s a vast amount of available resources that give advice on Azure best practices. Based on recent recommendations given by experts in the field, we’ve put together this list of 10 of the best practices for 2020 to help you fully utilize and optimize your Azure environment.
1. Ensure Your Azure VMs are the Correct Size
- “There are default VM sizes depending on the image that you choose and the affected Region so be careful and check if the proposed one is really what you need. The majority of the times you can reduce the size to something that fits you better and at a lower cost.”
2. If you use the Azure Cost Management Tool, Know the Limitations
- Azure Cost Management can be a useful tool in your arsenal: “Listed as “cost management + billing” in the Azure portal, the Azure Cost Management service’s cost analysis feature offers comprehensive insights into the costs incurred by your Azure resources—starting from the subscription level. This can then be drilled down to specific resource groups and/or resources. The service also provides an overview of current costs as well as a monthly forecast based on the current consumption rate.”
- However, know that visibility and action are not equivalent: “Even though [cloud efficiency] is a core tenant of Microsoft Azure Cost Management, optimization is one of the weakest features of the product. The essence of the documentation around this is that you should manually eliminate waste, without going into much detail about what is being wasted or how to eliminate it. Plus, this expects manual intervention and review of each resource without giving direct actions to eliminate the waste.”
3. Approach Role-Based Access Control (RBAC) Systematically
- “Using Azure RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, you can allow only certain actions at a particular scope.”
- “Even with these specific pre-defined roles, the principle of least privilege shows that you’re almost always giving more access than is truly needed. For even more granular permissions, you can create Azure custom roles and list specific commands that can be run.”
4. Ensure you aren’t paying for orphaned disks
- “When you delete a virtual machine in Azure, by default, in order to protect against data loss, any disks that are attached to the VM aren’t deleted. One thing to remember is that after a VM is deleted, you will continue to pay for these “orphaned” unattached disks. In order to minimise storage costs, make sure that you identify and remove any orphaned disk resource.”
5. Tag Everything
- “Centralize tagging across your Azure environments. This enables you to discover, group and consistently tag cloud resources across your cloud providers – manually or through automated tag rules. Maintaining a consistent tagging structure allows you to see resource information from all cloud providers for enhanced governance, cost analytics and chargeback.”
6. Decipher how and when to utilize the Azure logging services
- “Logs are a major factor when it comes to successful cloud management. Azure users can access a variety of native logging services to maintain reliable and secure operations. These logging options can be broken down into three overarching types, as well as eight log categories. The granular data collected by Azure logs enables enterprises to monitor resources and helps identify potential system breaches.”
7. Know Your Serverless Options
- “Serverless computing provides a layer of abstraction that offloads maintenance of the underlying infrastructure to the cloud provider. That’s a form of workload automation in and of itself, but IT teams can take it a step further with the right tools.
- Developers and admins can use a range of serverless offerings in Azure, but they need to understand how they want their workflow to operate in order to select the right services. To start, determine whether your application has its own logic to direct events and triggers, or whether that orchestration is defined by something else.”
8. API Authentication
- “APIs handle an immense amount of data, which is why it’s imperative to invest in API security. Think of authentication as an identification card that proves you are who you say you are. Although Azure Database provides a range of security features, end users are required to practice additional security measures. For example, you must manage strong credentials yourself. Active Directory is the authentication solution of choice for enterprises around the world, and the Azure-hosted version only adds to the attraction as companies continue migrating to the cloud.”
9. Ensure the VM you need is available in your location
- “Have the following 3 things in mind when choosing the location for your virtual machine:
- Place your VMs in a region close as possible to your users to improve performance and to meet any legal, compliance, or tax requirements.
- Each region has different hardware available and some configurations are not available in all regions, so this can limit your available options.
- There are price differences between locations, but if you choose to place your VM in a cheaper region it may impact negatively the performance if the region is far from your users (see point 1).”
10. Multi-Factor Authentication for all standard users
- “Businesses that don’t add extra layers of access protection – such as two-step authentication – are more susceptible to credential theft. Credential thefts are usually achieved by phishing or by planting key-logging malware on a user’s device; and it only takes one compromised credential for a cybercriminal to potentially gain access to the whole network.
- Enforcing multi-factor authentication for all users is one of the easiest – yet most effective – of the seven Azure security best practices, as it can be done via Azure Active Directory within a few minutes.”
You can use these best practices as a reference to help you ensure you are fully optimizing all available features in your Azure environment. Have any Azure best practices you’ve learned recently? Let us know in the comments below!
Google Cloud Best Practices: 2020 Roundup
15 AWS Best Practices for 2019
16 Tips to Manage Cloud Costs
The Three Core Components of Microsoft Azure Cost Management
Microsoft Azure growth has long held the silver medal in public cloud. As of Q1 2020, Azure held 17% of the public cloud market, behind AWS’s 32%. But much of the adaptation to COVID-19 has happened after the Q1 period, which means they’re missing some dramatic activity: the drop in usage for businesses with lower demand, the massive increase in usage for those with high demand, and the infrastructure changes to support the at-home workforce.
Azure Growth Trends
Market reporting comparing Azure to its competitors in the IaaS market has shown steady growth and gain in market share. Microsoft reported that Azure grew 59% year-over-year last quarter, and has been growing at similar rates for the past year.
While these Azure growth rates are reported, the actual revenue numbers are reported as part of the “Intelligent Cloud” business, which includes Azure, other private and hybrid server products, GitHub, and enterprise services.
Something to keep in mind is that it’s easy to equate growth with net new customers Azure has gained – however, much of the growth comes from the increase in resources and usage within each customer. As just one example, among ParkMyCloud users, the average number of resources per Azure account increased 30-fold over a six-month period ending in February this year.
COVID-19 and Azure Usage
Back in March, Microsoft shared that, given any capacity constraints within a region, it would be giving resource priority to certain types of customers: first responders, health and emergency management services, critical government infrastructure, and Microsoft Teams to enable remote work. Even as they shared that, some customers were already running up against capacity constraints in certain regions and unable to create or restart VMs.
Whether customers experienced these shortages themselves or not, we’ve heard anecdotally that the possibility of capacity constraints has instilled enough fear in some that they’ve chosen to leave resources running when not being used as an (expensive) guarantee of availability for the next time they’re needed.
Microsoft Teams and Windows Virtual Desktops (VDI) are also seeing rapid adoption. As of last month, Teams daily active users were up to 75 million, up from 32 million in early March. Teams is part of the Productivity and Business Processes segment and does not impact the Intelligent Cloud revenue. However, it is integrated with Office 365 products, making it the platform of choice for many new users right now almost by default, similarly to the many enterprise users that adopt Azure as part of larger Microsoft agreements.
So – is Azure experiencing growth? Certainly, yes. But is it growing faster than competitors? Right now, there’s no evidence that it is.
New to Azure?
Are you among the newest batch of Azure users? There’s a lot to learn. Here are a few resources other new users have found helpful.
- Make sure you take advantage of free training resources.
- See if you’re eligible for Azure credits.
- Ensure your IAM roles are in order before adding users or granting third-party access.
- Know the difference between “deallocating” a VM and “stopping” a VM.
- …which matters because one costs money, even when you’re not using it. Next up, get wasted spend from always-running and oversized resources under control.
And use this checklist to find other ways you might be wasting money.
Microsoft Azure IAM, also known as Access Control (IAM), is the product provided in Azure for RBAC and governance of users and roles. Identity management is a crucial part of cloud operations due to security risks that can come from misapplied permissions. Whenever you have a new identity (a user, group, or service principal) or a new resource (such as a virtual machine, database, or storage blob), you should provide proper access with as limited of a scope as possible. Here are some of the questions you should ask yourself to maintain maximum security:
1. Who needs access?
Granting access to an identity includes both human users and programmatic access from applications and scripts. If you are utilizing Azure Active Directory, then you likely want to use those managed identities for role assignments. Consider using an existing group of users or making a new group to apply similar permissions across a set of users, as you can then remove a user from that group in the future to revoke those permissions.
Programmatic access is typically granted through Azure service principals. Since it’s not a user logging in, the application or script will use the App Registration credentials to connect and run any commands. As an example, ParkMyCloud uses a service principal to get a list of managed resources, start them, stop them, and resize them.
2. What role do they need?
Azure IAM uses roles to give specific permissions to identities. Azure has a number of built-in roles based on a few common functions:
- Owner – Full management access, including granting access to others
- Contributor – Management access to perform all actions except granting access to others
- User Access Administrator – Specific access to grant access to others
- Reader – View-only access
These built-in roles can be more specific, such as “Virtual Machine Contributor” or “Log Analytics Reader”. However, even with these specific pre-defined roles, the principle of least privilege shows that you’re almost always giving more access than is truly needed.
For even more granular permissions, you can create Azure custom roles and list specific commands that can be run. As an example, ParkMyCloud recommends creating a custom role to list the specific commands that are available as features. This ensures that you start with too few permissions, and slowly build up based on the needs of the user or service account. Not only can this prevent data leaks or data theft, but it can also protect against attacks like malware, former employee revenge, and rogue bitcoin mining.
3. Where do they need access?
The final piece of an Azure IAM permission set is deciding the specific resource that the identity should be able to access. This should be at the most granular level possible to maintain maximum security. For example, a Cloud Operations Manager may need access at the management group or subscription level, while a SQL Server utility may just need access to specific database resources. When creating or assigning the role, this is typically referred to as the “scope” in Azure.
Our suggestion for the scope of a role is to always think twice before using the subscription or management group as a scope. The scale of your subscription is going to come into consideration, as organizations with many smaller subscriptions that have very focused purposes may be able to use the subscription-level scope more frequently. On the flip side, some companies have broader subscriptions, then use resource groups or tags to limit access, which means the scope is often smaller than a whole subscription.
More Secure, Less Worry
By revisiting these questions for each new resource or new identity that is created, you can quickly develop habits to maintain a high level of security using Azure IAM. For a real-world look at how we suggest setting up a service principal with a custom role to manage the power scheduling and rightsizing of your VMs, scale sets, and AKS clusters, check out the documentation for ParkMyCloud Azure access, and sign up for a free trial today to get it connected securely to your environment.
When you create a virtual machine in Microsoft Azure, you are required to assign it to an Azure Resource Group. This grouping structure may seem like just another bit of administrivia, but savvy users will utilize this structure for better governance and cost management for their infrastructure.
What are Azure Resources Groups?
Azure Resources Groups are logical collections of virtual machines, storage accounts, virtual networks, web apps, databases, and/or database servers. Typically, users will group related resources for an application, divided into groups for production and non-production — but you can subdivide further as needed.
They are part of the Azure resource group management model, which provides four levels, or “scopes” of management to help you organize your resources.
- Management groups: These groups are containers that help you manage access, policy, and compliance for multiple subscriptions. All subscriptions in a management group automatically inherit the conditions applied to the management group.
- Subscriptions: A subscription associates user accounts and the resources that were created by those user accounts. Each subscription has limits or quotas on the amount of resources you can create and use. Organizations can use subscriptions to manage costs and the resources that are created by users, teams, or projects.
- Resource groups: A resource group is a logical container into which Azure resources like web apps, databases, and storage accounts are deployed and managed.
- Resources: Resources are instances of services that you create, like virtual machines, storage, or SQL databases.
One important factor to keep in mind when managing these scopes is that there is a difference between azure subscription vs management group. A management group cannot include an Azure Resource. It can only include other management groups or subscriptions. Azure Management Groups provide a level of organization above Azure Subscriptions.
You will manage resource groups through the “Azure Resource Manager”. Benefits of the Azure Resource Manager include the ability to manage your infrastructure in a visual UI rather than through scripts; tagging management; deployment templates; and simplified role-based access control.
You can organize your resource groups for securing, managing, and tracking the costs related to your workflows.
Group structures like Azure’s exist at the other big public clouds — AWS, for example, offers optional Resource Groups, and Google Cloud “projects” define a level of grouping that falls someplace between Azure subscriptions and Azure Resource Groups.
Tips for Using Resource Groups
When organizing your resource groups, it is essential to understand that all the resources in a group should have the same life-cycle when including them. For instance, if an application requires different resources that need to be updated together, such as having a SQL database, a web app or a mobile app, then it makes sense to group these resources in the same resource group. However, for dev/test, staging, or production, it is important to use different resource groups as the resources in these groups have different lifecycles.
Other things to consider when building your Azure list of resource groups:
- Resources can be added to or deleted from an Azure Resource Group. However, each of your resources should belong to an Azure Resource Group, so if you remove the resources from one Resource Group, you should add it to another one.
- Keep in mind, not all resources can be moved to different resource groups.
- Azure resource group regions: the resources you include in a resource group can be located in different Azure regions.
- Grant access with resource groups: you should use resource groups to control access to your resources – more on this below.
How to Use Azure Resource Groups Effectively for Governance
Azure resource groups are a handy tool for role-based access control (RBAC). Typically, you will want to grant user access at the resource group level – groups make this simpler to manage and provide greater visibility.
Azure resource group permissions help you follow the principle of least privilege. Users, processes, applications, and devices can be provided with the minimum permissions needed at the resource group level, rather than at the management group or subscription levels. For example, a policy relating to encryption key management can be applied at the management group level, while a start/stop scheduling policy might be applied at the resource group level.
Effective use of tagging allows you to identify resources for technical, automation, billing, and security purposes. Tags can extend beyond resource groups, which allows you to use tags to associate groups and resources that belong to the same project, application, or service. Be sure to apply tagging best practices, such as requiring a standard set of tags to be applied before a resource is deployed, to ensure you’re optimizing your resources.
Azure Resources Groups Simplify Cost Management
Azure Resource Groups also provide a ready-made structure for cost allocation — resource groups make it simpler to identify costs at a project level than just relying on Azure subscriptions. Additionally, you can use groups to manage resource scheduling and, when they’re no longer needed, termination.
You can do this manually, or through your cost optimization platform such as ParkMyCloud. Continuous cost control comes from actual action – which is what ParkMyCloud provides you through a simple UI (with full RBAC), smart recommendations with one-click remediation, and an automatic policy engine that can schedule your resources by default based on your tagging or naming conventions. For almost all Azure users, this means automatic assignment to teams, so you can provide governed user access to ParkMyCloud. It also means you can set on/off schedules at the group level, to turn your non-production groups off when they’re not needed to help you reduce cloud waste and maximize the value of your cloud. Start a trial today to see the automation in action.
Do you know the difference between Azure “deallocate VM” and “stop VM” states? They are similar enough that in conversation, I’ve noticed some confusion around this distinction.
If your VM is not running, it will have one of two states – Stopped, or Stopped (deallocated). Essentially, if something is “allocated” – you’re still paying for it. So while deallocating a virtual machine sounds like a harsh action that may be permanently deleting data, it’s the way you can save money on your infrastructure costs and eliminate wasted Azure spend with no data loss.
Azure’s Stopped State
When you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server. This will kick you out of the OS and stop all processes, but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you’ll see the state listed as “Stopped”. The biggest thing you need to know about this state is that you are still being charged by the hour for this instance.
Azure’s Deallocated State
The other way to stop your virtual machine is through Azure itself, whether that’s through the console, Powershell, or the Azure CLI. When you stop a VM through Azure, rather than through the OS, it goes into a “Stopped (deallocated)” state. This means that any non-static public IPs will be released, but you’ll also stop paying for the VM’s compute costs. This is a great way to save money on your Azure costs when you don’t need those VMs running, and is the state that ParkMyCloud puts your VMs in when they are parked.
Which State to Choose?
The only scenario in which you should ever choose the stopped state instead of the deallocated state for a VM in Azure is if you are only briefly stopping the server and would like to keep the dynamic IP address for your testing. If that doesn’t perfectly describe your use case, or you don’t have an opinion one way or the other, then you’ll want to deallocate instead so you aren’t being charged for the VM.
If you’re looking to automate scheduling when you deallocate VMs in Azure, ParkMyCloud can help with that. ParkMyCloud makes it easy to identify idle resources using Azure Metrics and to automatically schedule your non-production servers to turn off when they are idle, such as overnight or on weekends. Try it for free today to save money on your Azure bill!
Azure credits are a perk offered by Microsoft that help you save money on your cloud bill. Like a gift card for a retail store, credits are applied to your account to help cover costs until they are exhausted or expire. In a sense, these credits act as a spending limit because any usage of resources or products that are not free will be deducted from the credit amount. We found 7 different ways that you can earn credits and start saving on your Azure bill.
1. Visual Studio Subscription
If you’re a Visual Studio subscriber, you get monthly Azure credits that can be used to explore and test out different Azure services. The amount of Azure credits that you receive will depend on the type of Visual Studio subscription that you have.
With a Visual Studio Enterprise subscription, you get a standard of $150 in monthly credits. For subscriptions through MSDN Platforms you get $100 a month. For Visual Studio Professional and Visual Studio Test Professional, you get $50 a month.
2. Azure for Students
Full-time students at an accredited, two or four-year educational institution in a STEM-related field are eligible for these credits.
When a student signs up with their school email address, Microsoft gives them $100 in credit in order to help them further their career and build their skills in Azure thanks to the free access to learning paths, labs, and professional developer tools.
3. Azure Free Account
With a free account, you get access to a number of popular Azure services for no cost. In addition to access to free services, you’ll also get a $200 credit. It’s important to note that while the free account lasts for 12 months, your credits must be spent in the first 30 days.
Whether you’re just getting started in Azure or are looking to further your knowledge, a free account is always a great way to test the waters without having to make a long term commitment.
4. Microsoft Partner Network
In the Partner Network, those that are members of Microsoft’s Action Pack program receive $100 of Azure credits every month. Based on your computing needs, you can use these credits for any Azure service; some examples include, Virtual Machines, Web Sites, Cloud Services, Mobile Services, Storage, SQL Database, Content Delivery Network, HDInsight, Media Services, and more.
The great part about this is that there are a handful of usage scenarios that won’t consume all of the $100 credit – you can use this pricing calculator to estimate how much you could use with a $100 credit.
Any of the unused monthly credits can’t be carried over to succeeding months or transferred to other Azure subscriptions, so make sure to use it while you can!
5. Microsoft for Startups
This global program is designed to help startups as they build and scale their organizations. Part of the technical enablement features that are always free and available to all startups is $200 of Azure credits that can be used towards any service for 30 days. This is a great option for startups because it’s free and gives you the ability to explore all the different offerings without having to spend any money.
6. Azure for Education
With Azure for Education, users are given access to the learning resources and developer tools that educators and students need in order to build cloud-based skills. This program is available to students, educators and institutions – once signed up, educators get $200 of Azure credits.
Whether you’re teaching advanced workloads, interested in building cloud-based skills, or just getting started in your Azure learning journey, this program provides guidance and resources for individuals looking to further their knowledge in Azure.
7. Microsoft for Nonprofits
In an effort to make their technology more affordable and accessible for nonprofit and nongovernmental organizations, Microsoft offers donated and discounted products. Each year, approved organizations receive $3,500 in Azure credits which can be used to purchase all Azure workloads created by Microsoft (excluding Azure Active Directory, which is licensed under EM+S).
No matter the industry you’re in or learning level you’re at, there are a wide variety of credits and resources offered that can help make Azure an affordable option for you.
Top 3 Ways to Save Money on Azure
How to Save Money with Microsoft Azure Enterprise Agreements
9 Ways to Get AWS Credits
4 Ways to Get Google Cloud Credits