I want to learn how to hook Microsoft’s ADFS up to AWS as a third party identity provider so naturally I saw this as an opportunity to use those $200 in free Azure credits we all get to try things out.
For me, it’s just time to pick up these skills. Just knowing AWS isn’t enough these days. Knowing the big three is helpful in getting hired, so I will probably be poking around in Google Compute Engine, too. Let’s jump into some initial impressions from my few days’ work with Azure:
- Sorry to be a Debbie Downer right off the bat, but Azure is slow. The machines run fine, but resource creation and deletion is S-l-o-w with a capital S. It doesn’t matter how you interface with Azure, either. Whether using the CLI or the portal, be prepared to wait a long time for things to happen. Azure’s slowness is my biggest complaint about the service so far; it’s maddening enough that I don’t want to use Azure.
- Want to use a service? You have to subscribe to it, first. With Amazon, if you want to use a service for the first time, just use it.
- You can only have four cores running at once with your demo account? I ran into unexplainable errors creating a VM and was redirected to http://aka.ms/corequotaincrease when I finally figured out how to run the ‘az” command with the “ — debug” flag.
- I really like the idea of resource groups. You can delete the resource group and — so far — everything within the resource group gets deleted, unlike AWS Cloudformation where sometimes things get orphaned. This idea sort of terrifies me, as well. It’s too easy to wipe out an entire infrastructure if it’s all in one resource group.
- The concept of VM extensions (https://docs.microsoft.com/en-us/azure/virtual-machines/windows/extensions-features) is cool as hell. Think of VM extensions as pre-blessed user-data for AWS EC2 instances. Granted, some of the extensions are questionable — who needs to back up a supposedly immutable instance? — but one must remember that a large share of Azure customers lift and shift their crusty legacy crap into the cloud and completely miss out on DevOps. Examples of VM extensions include configuration management agents like Chef, Puppet (eww), and Powershell DSC, Datadog (!), and anti-malware agents.
- There seems to be a dearth of VM types available in different data centers. For example, I was entirely unable to spin up a Windows VM in the Central US region last evening. Sometimes, just playing around in the console, there will be three different sizes of VMs to spin up, while other times there will be only one.
- Availability zones are a public beta feature, in 2018. From what I’ve done with Azure so far, it seems like the Microsoft team has different ideas about high availability than Amazon’s approach. For instance, there are availability sets, which span fault domains and update domains. A fault domain is all of the VMs that are connected to the same power source and/or physical network switch. An update domain is a collection of VMs that are affected by (lower-level?) system restarts.
- Networking is…weird. See availability zones, above. You can take advantage of AZs for some services, but virtual networks isn’t one of them. I have no idea how subnets align with availability zones within a region. I tried to create multiple VMs in different availability zones, in the same subnet, thinking that maybe AZs spanned one big Layer 2 domain, but that’s not the case. The VMs just wouldn’t spin up.
- Some of the examples I’ve been following actually encourage the use of static IPs, which boggles my mind. With AWS, it would make sense to create an elastic network interface to bind to Active Directory Domain Controllers, and then change the DHCP option set for a VPC to point to these “static” IPs, so there’s definitely a use case for static IP, but applying static IPs to load balancers is bizarre.
- There’s no need for NAT gateways. Microsoft has three distinct means of providing outbound Internet access to VMs in a virtual network: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections.
- I haven’t played with DNS yet, or I have only played with it a little bit, but there appear to be bugs in the Azure CLI? I can create an Azure DNS zone in the portal, but I can’t create one using the ‘az’ command.
- Microsoft is currently ahead on the storage pricing war. $0.06 per month for SMB file shares is nice. Amazon should consider competing here (source: https://azure.microsoft.com/en-us/pricing/details/storage/).
- For some odd reason, message queues services are lumped in with storage?
- Managed disks and unmanaged disks are quite a difficult concept to grasp and some Microsoft docs (https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-azure-adfs) lead new users towards creating unmanaged disks, in distinct storage accounts. Don’t do that. For details on managed disks vs unmanaged disks, see https://buildwindows.wordpress.com/2017/05/31/azure-managed-vs-unmanaged-disks-the-choice/.
- There isn’t an equivalent service to Amazon’s ACM, that I’m aware of. Nor do you store your SSL certificates in their IAM equivalent. Free SSL certificates are kind of a big deal.
Watch for a continuation of this post once I start merging traditional AD DS and AD FS services into Azure AD. Meanwhile, there’s a crude bash script I’ve cobbled together to assemble an AD server footprint I have so far here. I expect change.