May | 2018 | siliconvalve

May 30 2018

Are Free Tier Cloud Services Worth The Cost?

Over the years that I’ve been talking with public groups on cloud services, and Azure in particular, I will typically have at least one person in every group make a statement like this:

“Azure’s good, but the free tier isn’t as good as AWS.”

I’ve discussed this statement with groups enough times that I thought it would be good to capture my perspective on where Azure stands, provide some useful resources, and pose a question to those whose starting point is free services.

You want The Free? You can’t handle The Free!

You want the free?!

When people talk about how a free tier isn’t that useful, typically what they are saying translates into is one of two scenarios:

The timeframe the free tier is offered for is not long enough for the person to achieve an acceptable learning outcome based on their time investment;
More commonly, the service limits are too low meaning the person cannot achieve an acceptable learning outcome before their credit runs outs (regardless of time).

The reality is, beyond basic scenarios (run a Virtual Machine, create a database), and where someone doesn’t have sufficient continuous time to allocate to their cloud environment, the more likely it is they will receive minimal value from free tier services.

Effective use of free tiers

So how to minimise these outcomes?

Be clear about what you want to achieve before you start a free tier subscription. If you don’t know *what* you want to do in advance you are likely to fritter away that free credit before you get to your eventual end goal. Additionally, if you know what you want to achieve then review the required cloud services you will use and determine if a free tier is going to provide you with sufficient resources to reach your goal.
Start with pre-built environments or quickstarts – find labs or similar that give you access to existing environments. Attend events that include credits as part of attendance and use those to achieve a goal. Look at tutorials and samples to find automation scripts / templates that can get you up and running quickly (but remember the previous tip – if you try to provision a ten node Kubernetes cluster will that actually succeed in a free tier? Would a one node cluster suffice to allow you to learn?)

All the cloud platforms will provide you with time-limited free tiers, with some services being offered as “always free” at certain low usage levels.

Azure has had free services trials or tiers in one way or another for some time. Traditionally, however it hasn’t offered a 12 month period, though fairly recently that’s changed and there is now an extended 12 month Free tier offering for Azure.

One Azure cloud… many ways to get ongoing credits

Where Azure does differ substantially from AWS in particular is in the number of offerings Azure has that get you access to Azure credits on ongoing basis, lifting you out of having to use just free tier services:

Microsoft Developer Network (MSDN) Azure Benefits – available as an add-on to existing MSDN subscribers (note: your organisation might not have access to this benefit depending on your licensing). This is an ongoing benefit while you pay for an MSDN subscription.
Azure Starter for Students (formerly Dreamspark). This is an ongoing benefit while a student.
BizSpark Benefits – available to those who are leveraging the BizSpark programme for their business. Ongoing benefit while you are in the BizSpark program.
Azure for non-profits – go through the process to prove your status and gain access to Azure Credits.
Microsoft Azure Passes – typically when Microsoft runs training courses for Azure attendees will typically be provided with Azure credits in the form of an Azure Pass. We gave these away at the Global Azure Bootcamp this year. Time-limited offers (one to three months).

Investing in yourself or your idea

The reality of free tier services is they will only get you so far, whether the use you make of the cloud is to learn new concepts or to try an idea you have.

My take is this: if you aren’t prepared to invest your own money (i.e. I just want more free stuff) then you don’t put much value on your own education or idea.

If we had the cloud computing services we have now when the dotcom boom was happening we may well have seen a massively different outcome.

Startups wouldn’t have spent massive amounts of their funding on infrastructure and wasted months waiting for services to be provisioned before they even got to serving the first request.

Imagine if you had on-demand services when you were at school (maybe you still are) – the quality of your education would be improved by access to these sorts of services.

We are at a pivotal moment where we now have access to on-demand resources that a generation ago would have been unimaginable. If you are serious about an idea or personal development put your money where your brain is.

But I’m not an accountant!

Congratulations. Now you are! Didn’t hurt a bit either, did it?

It’s unavoidable for many of us that at some point it will come down to cost. I know there will be more than a few of you sitting there having previously paid a larger than expected cloud hosting bill. I bet you now manage those resources like a hawk. While this is a painful way to learn, you will have identified a key factor in how you design and run cloud native services.

Also, welcome to how businesses work – specifically how to control costs so they can remain viable. This is why your last request to the ops team for 10 servers was rejected, or why you had to finesse your design to fit into existing infrastructure constraints. 🙂

So, where to next?

I highly recommend spending time familiarising yourself with services in the cloud too – avoid anti-patterns that will likely be where you will unexpectedly spend more money than you thought.

You can find good examples of ways to configure services from the likes of Scott Hanselman and content like his “Penny Pinching in the Cloud” posts, or Troy Hunt’s posts on how “Have I been pwned” performs on Azure (pricing at the bottom of the post).

So, did I solve your problem? Make more of the Free? Unlikely I suspect.

Ultimately you need to consider that free tiers and services are designed as a taster, to get you thinking about how your could use those services for other things. While there are “always free” services, the reality is you will be unlikely to build the next Atlassian with it, but I’m pretty sure you can use them to pass exams or to get educated on cloud technology.

Happy Days 😎

Tagged education, Free, Ideas, Show Me the Money, Tier

May 08 2018

Developer toolkit for working with Azure AD B2C JWT-protected APIs

I’ve blogged in the past about Azure Active Directory B2C and how you can use it as a secure turnkey consumer identity platform for your business.

In this post I’m going to walk through how you can debug JWT-protected APIs where those JWTs are being issued by AAD B2C. Note that a lot of what I write here will probably be applicable in any scenario where you are working with JWTs as AAD B2C is standards compliant so any advice here can be applied elsewhere.

We aren’t going to get into the Identity Experience Framework (IEF) here because he’s a whole universe of detail beyond the basic policy engine we’ll cover here 🙂

Your toolikit

Here’s the tools to get started with debugging.

Required tools:

A test AAD B2C tenant – a very strong recommendation *not* to use your production one!
An API testing tool like Postman. The B2C team has published how you can use Postman to test protected APIs.
Your API source code in a debug environment. Must be configured in the test AAD B2C tenant you are using!
A test client application – I’ve been using a customised version of the WPF sample client app from the B2C team.

Optional, but recommended:

jwt.ms (there is also jwt.io if you prefer)
Mailinator or any number of alternatives.
Create a B2C Profile Edit Policy even if you never roll it out to customers. This policy can be invoked via the Azure Portal to allow you to initialise new profile attributes.

Use standard OAuth libraries in your clients

Microsoft has great first-party support for B2C with the Microsoft Authentication Library (MSAL) across multiple platforms, but as B2C is designed to be an OAuth2 compliant service so any library that supports the specification should work with B2C. Microsoft provides samples that show how libraries like AppAuth can be used.

Rolling out custom attributes

There is currently a limitation with B2C around rolling out new custom attributes. Until an attribute is referenced in at least once policy in your tenant the attribute isn’t available to applications that utilise Graph API. This is why I always create a profile edit policy even that I can add new custom attributes to and then invoke the policy via the Azure Portal to initialise the attribute.

Testing APIs

Create test users

This is where a service like Mailinator comes in handy – you can create multiple test users and easily access the email notifications sent by B2C to perform actions like initial account validation or password reset.

Note: free services like Mailinator may be good for simple testing, but you may have security or compliance requirements that mean it can’t be used. In that case consider moving to a paid tier or other services that provide secured mailboxes (a service like outlook.com).

Request Tokens – Test Client Application

Once you have one or more test users you can then use one of the following approaches to obtain test tokens to use when calling APIs.

If you aren’t using Postman to retrieve tokens to supply in API calls then you can use the test client application above (assuming you are developing on Windows – or at some future point when we get WPF ported to .Net Core :)) to request tokens for users in your test tenant.

B2C Test Tool

Once you have the tokens you can copy them out and use them in Postman to make requests against your API by setting Authorization in Postman to use Bearer Tokens and then copying the value from the test tool into the ‘Token’ field.

Postman using a Token

If you’ve having issues with tokens being accepted by your API then you can leverage jwt.ms to review the contents of the token and see why it might be being rejected. A sample is shown below.

jwt.ms sample

If you have access to the target API source code make sure to debug that at the same time to see if you can identify why the token is being rejected.

As a guide the common failure reasons will include: token expired (or not yet valid); scopes are incorrect (if used); incorrect issuer (misconfiguration of client or API where they are not from the same B2C tenant); invalid client or audience ID.

So there we are! I hope you found this post useful in debugging B2C APIs – I certainly wish that I’d had something to reference when I started developing with B2C! Now I do! 😉

Tagged Azure Active Directory B2C, Consumer Identity, Debugging, Identity

May 03 2018

3 Comments

ALM, Azure, Function Apps, Release Management, Visual Studio Team Services

Multi-environment deployments for Compiled C# Azure Functions with VSTS Release Management

This post covers an approach you can use to deploy compiled C# Functions using the tooling available in Visual Studio 2017 and various Build and Release Management Tasks contained in Visual Studio Team Services (VSTS).

Note that this post discusses deploying to the v1 Functions runtime platform.

I was lucky enough to speak with Damian Brady on the DevOps Labs show on Channel 9 and cover the first part of this blog. If you’ve watched that, or you’ve come here via the Github repository for the solution we used, then we’ll go down to the next level and really look at how you can recreate this setup in your environment.

1. Pre-requisites

There are a few moving pieces we need to get into place first in order to complete the configuration. Let’s take a look at those.

a. Connecting environments

Note that in order to complete these steps you may require elevated privileges in one or more of the mentioned services. If you do not have access to an admin-level account in any of the services you will likely need to ask someone to configure these for you.

> Github to VSTS

In our demonstration we’re using a Github repository as our source repository and allowing VSTS’ Build capability to perform Continuous Integration Builds when a commit occurs on the master branch. Microsoft has documented how to configure Github to connect with VSTS already, so go and take a read and head back here when you’re done setting up the integration.

> VSTS to Azure

We use the Azure Resource Manager Service Endpoint option in VSTS to configure our connection into Azure from VSTS. There is documentation from Microsoft around how you setup the connection, including steps to create a custom Service Principal (or use a pre-existing one your Azure admin has created for you). Once again, go have a read and once you have a working Service Endpoint in VSTS head back over here.

b. Configure SendGrid

If you’d like to run the Functions once deployed you will need to configure SendGrid so you can use the binding in the Functions being deployed. You can follow the official Azure documentation on setting up a (free) SendGrid account and then make sure to set the API key value for the AzureWebJobsSendGridApiKey App Setting for your deployed Functions.

c. Create target Azure Resources

Go ahead and also create a Function App in the Subscription you want to deploy to (ensure that the Service Principal you setup previously has Contributor-level access to, at minimum, the Resource Group that will contain the Function).

You can use the process we document here to deploy to either a Service Plan or Consumption Plan, though there is a minor difference we will see later in the post.

The Azure resources to deploy should include:

Application Insights
Cosmos DB Account – Add Database “quotedemo” with Collections “quotes” and “leases”
Function App (can be Consumption or Service Plan)
Storage Account (can be created at same time as Function App)

Before we move on, make sure to capture the following:

Application Insights Telemetry Key (shown on the ‘Essentials’ part of the Application Insights instance)
Cosmos DB Account URL and Access Key
Function App:
- AzureWebJobsStorage (Service Plan);
- WEBSITE_CONTENTAZUREFILECONNECTIONSTRING (Consumption Plan);
- WEBSITE_CONTENTSHARE (Consumption Plan);
- FUNCTIONS_EXTENSION_VERSION (most likely set to “~1”).

d. Configure Application Insights for Release Annotations

In this scenario we will need to enable the Application Insights API or order to support Release Annotations which make it possible to see new release markers on timelines.

Once again, Microsoft has this well documented, including the Task you need to add in VSTS to allow you to create Annotations.

OK! Now we are ready to configure the Build and Release Management steps in VSTS.

2. Configure the Build

In a Team Project in VSTS you wish to use host the Build and Release Management Definitions go ahead and create a new Build.

Remember to select Github as your source repository.

Setup Github as source

When you are prompted for a template, select the ASP.Net Core (.Net Framework) build.

Select Build Template

If you want a Continuous Integration (CI) build then ensure you set the Trigger as required.

CI trigger

At this point we have a build that produces a packaged web application that can be pushed to the Azure App Service hosting the Function App. We could add more Tasks to the Build to do this, but we want to support multiple environments so this is where Release Management comes into play.

I recommend you run the Build to ensure it’s functional and to produce an artefact we can use in our next step.

3. Configure Release Management

Now we have a build that produces a build artefact we can now use VSTS Release Management (RM) to deploy and configure this artefact to any environment we can reach.

Let’s go ahead and choose to create a new Release Management Definition. When you have the option, select the “Azure App Service Deployment” template.

Release Management Template

The resulting Definition will be very vanilla and contain a single Task. We need to make some changes to deploy our service exactly as we’d like.

a. Add the Build Artefact

First we need to tell Release Management what we want to deploy, so let’s go ahead and add our existing Build by clicking on the Artefacts box and selecting our Build as shown below.

Add Artefact

If you wish to enable Continuous Deployment (CD) into Environments you can click on the lightning bolt on the Artefact and enable the CD trigger. Note that you can still stop automated deployments by putting in approvals or making deployments manual – by creating a Release you always have a build artefact to deploy.

CD Trigger

b. Configure RM Tasks

This is where your previously completed configuration with the Azure Service Endpoint and in setting up the resources in Azure will come into play.

Click on the Tasks tab and the RM Definition will open.

Clicking Task

Once open click on the Environment at the top of the Task list. As we are going to deploy all assets into a single Subscription we can set up a few items that will apply to all Tasks in the RM Definition.

The first thing we will do is to select the Service Endpoint we previously setup (below it is named “Service Principal for Demo”, but you can name it anything meaningful).

Setup Environment

Once you select the method of connection to the Azure Subscription change the “App type” field to be “Function App” and then from the final picker, select the Function App instance you setup earlier. If you don’t see it, it could be that you placed it another subscription or that the Service Endpoint does not have sufficient rights to list the Function Apps in the Subscription.

Your setting should look something like the below.

Environment Configuration

We could deploy the sample code now, but it would fail to run because it is missing configuration.

c. Deploying configuration

You will notice that up until now we’ve not dealt with any of the runtime configuration settings for the Function. When you develop locally the Functions Tools in VSTS will generate a “local.settings.json” file, but it will be blocked from commit via the gitignore included in the project type. It’s recommended you don’t change this, and even if you it won’t help you on deployment anyway (so… y’know, why bother to change the ignore file?)

For this Task we are going to need to pull in a free Marketplace Task – the Azure WebApp Configuration from Pascal Naber (Xpirit). This Task is a wrapper around some Azure Cmdlets, but it does a great job of removing your overhead in managing that 🙂

You will need to be a VSTS admin in order to install Marketplace Tasks (if you aren’t you can still request an admin to install them).

Once installed you can now add the Task to your Release Management Definition after the App Service Deployment (as shown below).

Release Tasks

The Task expects any App Settings you need to deploy to be added as Variables to the Definition. So, for example, if we want to control the value we set for the ‘APPINSIGHTS_INSTRUMENTATIONKEY’ App Setting in our target Function we would create a Variable in our Release called ‘appsetting.APPINSIGHTS_INSTRUMENTATIONKEY’ and set the value to be the Telemetry Key we captured earlier in the post.

The beauty of this approach is that you can one-way save secrets and they won’t show up (or be recoverable) via the Variables tab again. There is also an option to write them to Azure Key Vault if you want.

Below is a sample of the Variables once setup.

RM Variables

The eagle-eyed amongst you might spot that I am also setting default Function values (FUNCTIONS_EXTENSION_VERSION, AzureWebJobsStorage, AzureWebJobsDashboard for a Service Plan).

This is because I force the Application Settings Task to overwrite all existing values in the App Service. This is on purpose – it ensures no manual fixes are ever safe in Azure and our Release Management Definition is the source of truth for both the Artefact and the Configuration.

Note: For Consumption Plans make sure you set WEBSITE_CONTENTAZUREFILECONNECTIONSTRING, WEBSITE_CONTENTSHARE in addition to the above values. If you don’t your deployment will fail after the first deployment (this is the source of the error in the video).

The full set of Variables for our sample is listed below.

Common Variables

AppInsightsApiKey – API key you configured earlier for Application Insights (*not* Telemetry Key).
AppInsightsApp – Application ID configured earlier for Application Insights (also not Telemetry Key).
appsetting.APPINSIGHTS_INSTRUMENTATIONKEY – use telemetry key from Application Insights.
appsetting.AzureWebJobsDashboard – use exiting value from Function (before first deployment).
appsetting.AzureWebJobsSendGridApiKey – use SendGrid API key you setup earlier (should start ‘SG.’).
appsetting.AzureWebJobsStorage – use exiting value from Function (before first deployment).
appsetting.CosmosConnection – use Connection String from Cosmos Account you setup earlier.
appsetting.FUNCTIONS_EXTENSION_VERSION – use exiting value from Function (before first deployment).
appsetting.NotificationsSender – use an email address you control (to be used as From: in emails).

Service Plan deployment

None: above list is all you need

Consumption Plan deployment

appsetting.WEBSITE_CONTENTAZUREFILECONNECTIONSTRING – use exiting value from Function (before first deployment).
appsetting.WEBSITE_CONTENTSHARE – use exiting value from Function (before first deployment).

Once you’ve configured the Variables you should now be able to save the Release Management definition and create a Release to test out your deployment.

I’ve recorded a quick video (see below) that shows this end-to-end and also has an additional bonus step of hitting an HTTP Triggered endpoint on the Function as a post-deployment confirmation step (you will need to copy a Host key from the Function App and save it as ‘VersionApiKey’ in the Variable to use to call the API, then add the Smoke Web Test Task from the Marketplace).

So what should the demo Function do? It should trigger an email to a recipient when a record is added to Cosmos DB. The recipient is listed in the record that is inserted, samples of which are included in the Github project. If you can’t get it running make sure to leave a comment and I’ll help you out!

Tagged Continuous Deployment

siliconvalve

adventures in the new and the old

Monthly Archives: May 2018