Azure Fundamentals Part 6 Summary

This is a summary of Azure Fundamentals part 6: Describe Azure cost management and service level agreements, both for my own exam revision and to help others get a more concise digest of the otherwise long-winded material.

Plan and Manage Costs

This part is a summary of the Plan and manage your Azure costs module.

Total Cost of Ownership

Total Cost of Ownership (TCO) refers to the total cost of running a data centre, which may include hidden costs such as software licences, electricity, network maintenance, salaries, etc.

There’s a TCO Calculator where you can compare running workloads on-premises vs on Azure (estimated). Here you:

  1. Define your workloads, i.e. select servers, databases, storage and networking.
  2. Adjust assumptions: here you can reuse existing licences via Software Assurance, decide whether you want to replicate storage across regions, and adjust other costs such as electricity, salaries and network maintenance.
  3. View report. Here you can adjust the timeframe between 1-5 years, and see a breakdown per category (e.g. compute or storage).

Azure Subscriptions

The different types of subscriptions are:

  • Free trial: 12 months of popular free services, credit against any service for 30 days, and more than 25 services always free. Services are disabled when the trial ends or the credit expires.
  • Pay as you go: pay for what you use. You can apply for volume discounts and prepaid invoicing.
  • Member offers: other subscriptions (e.g. Visual Studio) can provide discounts against Azure usage.

Purchasing Azure Services

You can purchase Azure services via:

  • Enterprise Agreement: commit to spending a certain amount over 3 years to get custom pricing.
  • Web Direct: use the Azure Portal directly; billed monthly.
  • Cloud Solution Provider: via a reseller (Microsoft partner).

Factors Affecting Cost

  • Resource type: different resources have different billing criteria
  • Usage meters: resources have billable units (e.g. VMs have CPU time and other units)
  • Resource usage: you can deallocate a VM to stop incurring charges, but you could still be charged for the disk if you leave it around
  • Subscription types (e.g. free trial)
  • Azure Marketplace: billing structures set by third party
  • Location: different regions have different prices
  • Bandwidth: network traffic in/out of Azure data centres is billed according to which geographical zone they’re in

Use the Azure Pricing calculator to estimate the cost of running a number of Azure services.

Manage and Minimise Costs

  • Understand estimated costs: use the TCO and Pricing calculators, and consult the docs about usage and billing for the relevant services
  • Monitor usage with Azure Advisor, which provides suggestions (e.g. unused resources)
  • Use spending limits to restrict spending and avoid accidental overrun (there are also subscription limits and quotas from Azure)
  • Azure Reservations: prepay and get up to 72% discount over Pay as you go prices
  • Choose low-cost regions and locations (but keep in mind that you pay for network traffic between regions)
  • Research available cost-saving offers
  • Use Azure Cost Management + Billing to control spending (breakdown of costs)
  • Apply tags to identify cost owners (i.e. organise billing data, e.g. by department)
  • Resize underutilised VMs (need to turn them off, so consider downtime)
  • Deallocate VMs during off hours (e.g. dev/test running only during business hours) – can be scheduled
  • Delete unused resources
  • Migrate from IaaS to PaaS services
  • Save on licensing costs
    • Choose cost-effective OS (i.e. Linux)
    • Use Azure Hybrid Benefit to repurpose Windows Server or SQL Server software licences on Azure via Software Assurance

Service Lifecycle and Availability

This part is a summary of the Choose the right Azure services by examining SLAs and service lifecycle module.

Service Level Agreements

Service Level Agreements (SLA) define guarantees about the service provided by Azure, usually around availability/uptime.

  • Access SLAs from the Service Level Agreements portal.
  • Uptime/downtime is measured as a percentage, e.g. 99.9% (or three 9’s) means the service can be down 0.1% of the time, which on a weekly basis works out to 10.1 minutes per week.
  • Downtime measurements are cumulative.
  • If the SLA is breached, you can claim a service credit which is a percentage of the fees you paid (defined in the SLA).
  • There’s generally no SLA for free services.
  • Azure status tells you when there’s an outage. From there you can also reach Azure Service Health, a personalised status view within the Azure Portal.
  • You get a composite SLA by multiplying the SLA for each service.
  • SLA is affected by customisations on resources (e.g. tier, or disk type) as well as redundancy (e.g. VMs behind a load balancer).

Azure Service Lifecycle

New services go through the following stages:

  1. Development
  2. Public preview
  3. General availability

Things in preview include:

  • Preview (new) services
  • Preview features for existing services
  • Preview features for Azure Portal

Use the Azure updates page to keep track of the lifecycle status of features/services.

Sirius Planner 0.2 Released

Today I have released the second closed alpha demo of Sirius Planner. This version builds on and consolidates the features released in the first alpha demo three weeks earlier.

This video gives a quick overview of Sirius Planner 0.2, with a recap for new users and highlighting some of the new features.

This release brings:

  • Complete tag management (CRUD) including listing and prioritising tasks within a tag
  • Rich text descriptions
  • Coloured tags even while editing in task detail view
  • Several usability enhancements
  • Several bugfixes, many of which were reported by people using version 0.1

If you’d like to try Sirius Planner, please fill in the signup form and I’ll send you some credentials.

Sirius Planner 0.1 Released

I’m happy to announce Sirius Planner, a task planner app that I’ve been working on in recent weeks. I’ve just released an alpha demo to a small number of people. Check out the features in the video below:

Video tutorial showing features and limitations of Sirius Planner 0.1.

Sirius Planner is a calendar-based task planner that lets you:

  • Create and manage tasks
  • Prioritise tasks on a particular day via drag & drop
  • Move tasks to different days via drag & drop
  • Focus on tasks in a day, week, or 5-week period
  • Tag tasks

This project is still in its early stages, but already has most of the core features in place. If this is something you think could be useful to you, please get in touch.

Securing PowerShellGet on a Windows EC2 Instance

I’ve been doing some work with security on AWS recently, and part of that involved running security assessments using Amazon Inspector to identify vulnerabilities at network and host level.

If I launch a fresh EC2 instance right now using the Microsoft Windows Server 2019 Base AMI and run a host-level assessment, the report lists a vulnerability related to the PowerShellGet module:

Microsoft Security Response Center’s entry about this vulnerability explains a little more about it:

“A security feature bypass vulnerability exists in the PowerShellGet V2 module. An attacker who successfully exploited this vulnerability could bypass WDAC (Windows Defender Application Control) policy and execute arbitrary code on a policy locked-down machine.

“An attacker must have administrator privileges to create a configuration that includes installing PowerShellGet V2 module onto a machine from the PowerShell Gallery. The WDAC policy must be configured to allow the module to run. After this is done, PowerShell script can be injected and run fully trusted, allowing the attacker arbitrary code execution on the machine.”

— CVE-2020-16886 at MSRC

The same page says that this vulnerability was fixed in PowerShellGet v. 2.2.5. So why do we have this problem? Here’s why:

PS C:\Users\Administrator> Get-Module PowerShellGet -ListAvailable


    Directory: C:\Program Files\WindowsPowerShell\Modules


ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     1.0.0.1    PowerShellGet                       {Install-Module, Find-Module, Save-Module, Upda...


PS C:\Users\Administrator>

That AMI came with PowerShellGet 1.0.0.1, but we need version 2.2.5. We can install it by opening a PowerShell session in Administrator mode, running the following commands (from the Installing PowerShellGet documentation) and agreeing to install the NuGet provider:

Install-Module -Name PowerShellGet -Force
Update-Module -Name PowerShellGet

This results in the new 2.2.5 version being installed alongside the older 1.0.0.1 one:

A PowerShell session showing how we started with PowerShellGet 1.0.0.1, installed a more recent version, and now have the new 2.2.5 version alongside the old one.

I don’t know enough to be able to say whether having that version 1.0.0.1 around still poses any kind of risk, but it seems to be enough for Amazon Inspector which no longer reports any vulnerability after installing version 2.2.5:

If you’re really paranoid, check out this Stack Overflow question for ways to get rid of the old version manually. I haven’t actually tried this, so be careful.
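
To check a host for the side-by-side state described above, the following is an added example (not part of the original post) that lists every installed PowerShellGet copy and marks which ones are below 2.2.5, the fixed version cited on the MSRC page. The function name, property names and sample paths are assumptions made for this illustration.

```powershell
# Added example, not from the original post. Function and property names
# are hypothetical; 2.2.5 is the fixed version cited on the page.
function Test-PowerShellGetVersion {
    [CmdletBinding()]
    param(
        [version]$FixedVersion = '2.2.5',
        # Defaults to the copies installed on this host. Any objects with
        # Version and ModuleBase properties work, which allows sample data.
        [object[]]$Module = (Get-Module -Name PowerShellGet -ListAvailable)
    )

    $rows = foreach ($m in $Module) {
        [pscustomobject]@{
            Version    = [version]$m.Version
            ModuleBase = $m.ModuleBase
            Fixed      = ([version]$m.Version -ge $FixedVersion)
        }
    }
    $rows = @($rows | Sort-Object -Property Version -Descending)

    [pscustomobject]@{
        Installed      = $rows
        HighestVersion = if ($rows.Count -gt 0) { $rows[0].Version } else { $null }
        FixedPresent   = [bool]($rows | Where-Object { $_.Fixed })
        OlderCopies    = @($rows | Where-Object { -not $_.Fixed })
    }
}

# Constructed sample mirroring the state described above: the AMI's original
# copy plus the newly installed one (paths are illustrative).
$sample = @(
    [pscustomobject]@{ Version = '1.0.0.1'; ModuleBase = 'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1' }
    [pscustomobject]@{ Version = '2.2.5';   ModuleBase = 'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\2.2.5' }
)

$result = Test-PowerShellGetVersion -Module $sample
$result.Installed | Format-Table -AutoSize
"Fixed version present: $($result.FixedPresent)"
"Copies below 2.2.5 still on disk: $($result.OlderCopies.Count)"

# On a real host, audit what is actually installed:
# Test-PowerShellGetVersion | Select-Object -ExpandProperty Installed
```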

The Sixth Anniversary

It’s been six years since Gigi Labs was launched. That’s a long time for any blog, and a third of my overall 18-year presence on the web.

In terms of content, Gigi Labs has slowed down but gone in some interesting directions. That’s mainly because of the way things generally turned out over the past year, including:

  • I spoke at a couple of conferences
  • I earned a couple of certifications
  • I gave up on Windows and have completely switched to using Linux at home
  • I’ve been doing more management and architecture than actual development
  • COVID19 means I have more time but less motivation to do development-related stuff in my spare time
  • I have continued writing long blog articles professionally in my free time
  • Getting really tired of WordPress as a blogging platform
  • Picking up a little gaming once again

My RedisGraph talk at RedisConf 2020

Here is a summary of some of the more interesting things I wrote over the past year:

Over the coming year, I’m not expecting to focus very much on writing new articles at Gigi Labs, for a number of reasons:

  • In most cases, anything I can write about software development, architecture or management is already covered somewhere on the web. I don’t want to contribute to information overload on the internet.
  • I don’t really want to write about management. There are far too many people blogging about management who think their particular experiences are universal wisdom that needs to be shared with the world.
  • Writing high-quality technical articles is very time-consuming and provides little reward.

I’ve always enjoyed sharing knowledge on the web – for free – and that’s not quite going to change. But just to make the best use of my own time, I’ll write some new content only when I feel it’s worth my time, i.e. when it’s something unique, fun, or even something existing that I can tell in a more concise and accessible manner (e.g. the C# Asynchronous Programming series). My old blog, Programmer’s Ranch, as well as Tania Rascia’s blog are good examples of the direction in which I’d like to take Gigi Labs.

Another thing that I think will change is Gigi Labs’ role as both my blog and my personal portfolio. I’m currently developing a new website which will keep track of my projects, websites, talks and other contributions, while Gigi Labs will go back to being just my creative outlet.

"You don't learn to walk by following rules. You learn by doing, and by falling over." — Richard Branson