This week we released a major set of updates to Microsoft Azure. This week’s updates include:
- SQL Databases: General Availability of Azure SQL Database Service Tiers
- API Management: General Availability of our API Management Service
- Media Services: Live Streaming, Content Protection, Faster and Cost Effective Encoding, and Media Indexer
- Web Sites: Virtual Network integration, new scalable CMS with WordPress and updates to Web Site Backup in the Preview Portal
- Role-based Access Control: Preview release of role-based access control for Azure Management operations
- Alerting: General Availability of Azure Alerting and new alerts on events
All of these improvements are now available to use immediately (note that some features are still in preview). Below are more details about them:
SQL Databases: General Availability of Azure SQL Database Service Tiers
I’m happy to announce the General Availability of our new Azure SQL Database service tiers - Basic, Standard, and Premium. The SQL Database service within Azure provides a compelling database-as-a-service offering that enables you to quickly innovate & stand up and run SQL databases without having to manage or operate VMs or infrastructure.
Today’s SQL Database Service Tiers all come with a 99.99% SLA, and databases can now grow up to 500GB in size.
Each SQL Database tier now guarantees a consistent performance level that you can depend on within your applications – avoiding the need to worry about “noisy neighbors” who might impact your performance from time to time.
Built-in point-in-time restore support now provides you with the ability to automatically re-create databases at a certain point of time (giving you much more backup flexibility and allowing you to restore to exactly the point before you accidentally did something bad to your data).
Built-in auditing support enables you to gain insight into events and changes that occur with the databases you host.
Built-in active geo-replication support, available with the premium tier, enables you to create up to 4 readable, secondary, databases in any Azure region. When active geo-replication is enabled, we will ensure that all transactions committed to the database in your primary region are continuously replicated to the databases in the other regions as well:
One of the primary benefits of active geo-replication is that it provides application control over disaster recovery at a database level. Having cross-region redundancy enables your applications to recover in the event of a disaster (e.g. a natural disaster, etc). The new active geo-replication support enables you to initiate/control any failovers – allowing you to shift the primary database to any of your secondary regions:
This provides a robust business continuity offering, and enables you to run mission critical solutions in the cloud with confidence.
More Flexible Pricing
SQL Databases are now billed on a per-hour basis – allowing you to quickly create and tear down databases, and dynamically scale up or down databases even more cost effectively.
Basic Tier databases support databases up to 2GB in size and cost $4.99 for a full month of use. Standard Tier databases support 250GB databases and now start at $15/month (there are also higher performance standard tiers at $30/month and $75/month). Premium Tier databases support 500GB databases as well as the active geo-replication feature and now start at $465/month.
The below table provides a quick look at the different tiers and functionality:
This page provides more details on how to think about DTU performance with each of the above tiers, and provides benchmark details on the number of transactions supported by each of the above service tiers and performance levels.
During the preview, we’ve heard from some ISVs, which have a large number of databases with variable performance demands, that they need the flexibility to share DTU performance resources across multiple databases as opposed to managing tiers for databases individually. For example, some SaaS ISVs may have a separate SQL database for each customer and as the activity of each database varies, they want to manage a pool of resources with a defined budget across these customer databases. We are working to enable this scenario within the new service tiers in a future service update. If you are an ISV with a similar scenario, please click here to sign up to learn more.
Learn more about SQL Databases on Azure here.
API Management Service: General Availability Release
I’m excited to announce the General Availability of the Azure API Management Service.
In my last post I discussed how API Management enables customers to securely publish APIs to developers and accelerate partner adoption. These APIs can be used from mobile and client applications (on any device) as well as other cloud and service based applications.
The API management service supports the ability to take any APIs you already have (either in the cloud or on-premises) and publish them for others to use. The API Management service enables you to:
- Throttle, rate limit and quota your APIs
- Gain analytic insights on how your APIs are being used and by whom
- Secure your APIs using OAuth or key-based access
- Track the health of your APIs and quickly identify errors
- Easily expose a developer portal for your APIs that provides documentation and test experiences to developers who want to use your APIs
Today’s General Availability provides a formal SLA for Standard tier services. We also have a developer tier of the service that you can use, starting at just $49 per month.
OAuth support in the Developer Portal
The API Management service provides a developer console that enables a great on-boarding and interactive learning experience for developers who want to use your APIs. The developer console enables you to easily expose documentation as well enable developers to try/test your APIs.
With this week’s GA release we are also adding support that enables API publishers to register their OAuth Authorization Servers for use in the console, which in turn allows developers to sign in with their own login credentials when interacting with your API - a critical feature for any API that supports OAuth. All normative authorization grant types are supported plus scopes and default scopes.
For more details on how to enable OAuth 2 support with API Management and integration in the new developer portal, check out this tutorial.
Click here to learn more about the API Management service and try it out for free.
Media Services: Live Streaming, DRM, Faster Cost Effective Encoding, and Media Indexer
This week we are excited to announce the public preview of Live Streaming and Content Protection support with Azure Media Services.
The same Internet scale streaming solution that leading international broadcasters used to live stream the 2014 Winter Olympic Games and 2014 FIFA World Cup to tens of millions of customers globally is now available in public preview to all Azure customers. This means you can now stream live events of any size with the same level of scalability, uptime, and reliability that was available to the Olympics and World Cup.
DRM Content Protection
This week Azure Media Services is also introducing a new Content Protection offering which features both static and dynamic encryption with first party PlayReady license delivery and an AES 128-bit key delivery service. This makes it easy to DRM protect both your live and pre-recorded video assets – and have them be available for users to easily watch them on any device or platform (Windows, Mac, iOS, Android and more).
Faster and More Cost Effective Media Encoding
This week, we are also introducing faster media encoding speeds and more cost-effective billing. Our enhanced Azure Media Encoder is designed for premium media encoding and is billed based on output GBs. Our previous encoder was billed on both input + output GBs, so the shift to output only billing will result in a substantial price reduction for all of our customers.
To help you further optimize your encoding workflows, we’re introducing Basic, Standard, and Premium Encoding Reserved units, which give you more flexibility and allow you to tailor the encoding capability you pay for to the needs of your specific workflows.
Additionally, I’m happy to announce the General Availability of Azure Media Indexer, a powerful, market differentiated content extraction service which can be used to enhance the searchability of audio and video files. With Media Indexer you can automatically analyze your media files and index the audio and video content in them. You can learn more about it here.
More Media Partners
I’m also pleased to announce the addition this week of several media workflow partners and client players to our existing large set of media partners:
- Azure Media Services and Telestream’s Wirecast are now fully integrated, including a built-in destination that makes its quick and easy to send content from Wirecast’s live streaming production software to Azure.
- Similarly, Newtek’s Tricaster has also been integrated into the Azure platform, enabling customers to combine the high production value of Tricaster with the scalability and reliability of Azure Media Services.
- Cires21 and Azure Media have paired up to help make monitoring the health of your live channels simple and easy, and the widely-used JW player is now fully integrated with Azure to enable you to quickly build video playback experiences across virtually all platforms.
Visit the Azure Media Services site for more information and to get started for free.
Websites: Virtual Network Integration, new Scalable CMS with WordPress
This week we’ve also released a number of great updates to our Azure Websites service.
Virtual Network Integration
Starting this week you can now integrate your Azure Websites with Azure Virtual Networks. This support enables your Websites to access resources attached to your virtual networks. For example: this means you can now have a Website directly connect to a database hosted in a non-public VM on a virtual network. If your Virtual Network is connected to your on-premises network (using a Site-to-Site software VPN or ExpressRoute dedicated fiber VPN) you can also now have your Website connect to resources in your on-premises network as well.
The new Virtual Network support enables both TCP and UDP protocols and will work with your VNET DNS. Hybrid Connections and Virtual Network are compatible such that you can also mix both in the same Website. The new virtual network support for Web Sites is being released this week in preview. Standard web hosting plans can have up to 5 virtual networks enabled. A website can only be connected to one virtual network at a time but there is no restriction on the number of websites that can be connected to a virtual network.
You can configure a Website to use a Virtual Network using the new Preview Azure Portal (http://portal.azure.com). Click the “Virtual Network” tile in your web-site to bring up a virtual network blade that you can use to either create a new virtual network or attach to an existing one you already have:
Note that an Azure Website requires that your Virtual Network has a configured gateway and Point-to-Site enabled. It will remained grayed out in the UI above until you have enabled this.
Scalable CMS with WordPress
This week we also released support for a Scalable CMS solution with WordPress running on Azure Websites. Scalable CMS with WordPress provides the fastest way to build an optimized and hassle free WordPress Website. It is architected so that your WordPress site loads fast and can support millions of page views a month, and you can easily scale up or scale out as your traffic increases.
It is pre-configured to use Azure Storage, which can be used to store your site’s media library content, and can be easily configured to use the Azure CDN. Every Scalable CMS site comes with auto-scale, staged publishing, SSL, custom domains, Webjobs, and backup and restore features of Azure Websites enabled. Scalable WordPress also allows you to use Jetpack to supercharge your WordPress site with powerful features available to WordPress.com users.
You can now easily deploy Scalable CMS with WordPress solutions on Azure via the Azure Gallery integrated within the new Azure Preview Portal (http://portal.azure.com). When you select it within the portal it will walk you through automatically setting up and deploying a complete solution on Azure:
Scalable WordPress is ideal for Web developers, creative agencies, businesses and enterprises wanting a turn-key solution that maximizes performance of running WordPress on Azure Websites. It’s fast, simple and secure WordPress hosting on Azure Websites.
Updates to Website Backup
This week we also updated our built-in Backup feature within Azure Websites with a number of nice enhancements. Starting today, you can now:
- Choose the exact destination of your backups, including the specific Storage account and blob container you wish to store your backups within.
- Choose to backup SQL databases or MySQL databases that are declared in the connection strings of the website.
- On the restore side, you can now restore to both a new site, and to a deployment slot on a site. This makes it possible to verify your backup before you make it live.
These new capabilities make it easier than ever to have a full history of your website and its associated data.
Security: Role Based Access Control for Management of Azure
As organizations move more and more of their workloads to Azure, one of the most requested features has been the ability to control which cloud resources different employees can access and what actions they can perform on those resources.
Today, I’m excited to announce the preview release of Role Based Access Control (RBAC) support in the Azure platform. RBAC is now available in the Azure preview portal and can be used to control access in the portal or access to the Azure Resource Manager APIs. You can use this support to limit the access of users and groups by assigning them roles on Azure resources. Highlights include:
- A subscription is no longer the access management boundary in Azure. In April, we introduced Resource Groups, a container to group resources that share lifecycle. Now, you can grant users access on a resource group as well as on individual resources like specific Websites or VMs.
- You can now grant access to both users groups. RBAC is based on Azure Active Directory, so if your organization already uses groups in Azure Active Directory or Windows Server Active Directory for access management, you will be able to manage access to Azure the same way.
Below are some more details on how this works and can be enabled.
Azure Active Directory
Azure Active Directory is our directory service in the cloud. You can create organizational tenants within Azure Active Directory and define users and groups within it – without having to have any existing Active Directory setup on-premises.
Alternatively, you can also sync (or federate) users and groups from your existing on-premises Active Directory to Azure Active Directory, and have your existing users and groups automatically be available for use in the cloud with Azure, Office 365, as well as over 2000 other SaaS based applications:
All users that access your Azure subscriptions, are now present in the Azure Active Directory, to which the subscription is associated. This enables you to manage what they can do as well as revoke their access to all Azure subscriptions by disabling their account in the directory.
In this first preview we are pre-defining three built-in Azure roles that give you a choice of granting restricted access:
- A Owner can perform all management operations for a resource and its child resources including access management.
- A Contributor can perform all management operations for a resource including create and delete resources. A contributor cannot grant access to others.
- A Reader has read-only access to a resource and its child resources. A Reader cannot read secrets.
In the RBAC model, users who have been configured to be the service administrator and co-administrators of an Azure subscription are mapped as belonging to the Owners role of the subscription. Their access to both the current and preview management portals remains unchanged.
Additional users and groups that you then assign to the new RBAC roles will only have those permissions, and also will only be able to manage Azure resources using the new Azure preview portal and Azure Resource Manager APIs. RBAC is not supported in the current Azure management portal or via older management APIs (since neither of these were built with the concept of role based security built-in).
Restricting Access based on Role Based Permissions
Let’s assume that your team is using Azure for development, as well as to host the production instance of your application. When doing this you might want to separate the resources employed in development and testing from the production resources using Resource Groups.
You might want to allow everyone in your team to have a read-only view of all resources in your Azure subscription – including the ability to read and review production analytics data. You might then want to only allow certain users to have write/contributor access to the production resources. Let’s look at how to set this up:
Step 1: Setting up Roles at the Subscription Level
We’ll begin by mapping some users to roles at the subscription level. These will then by default be inherited by all resources and resource groups within our Azure subscription.
To set this up, open the Billing blade within the Preview Azure Portal (http://portal.azure.com), and within the Billing blade select the Azure subscription that you wish to setup roles for:
Then scroll down within the blade of subscription you opened, and locate the Roles tile within it:
Clicking the Roles title will bring up a blade that lists the pre-defined roles we provide by default (Owner, Contributor, Reader). You can click any of the roles to bring up a list of the users assigned to the role. Clicking the Add button will then allow you to search your Azure Active Directory and add either a user or group to that role.
Below I’ve opened up the default Reader role and added David and Fred to it:
Once we do this, David and Fred will be able to log into the Preview Azure Portal and will have read-only access to the resources contained within our subscription. They will not be able to edit any changes, though, nor be able to see secrets (passwords, etc).
Note that in addition to adding users and groups from within your directory, you can also use the Invite button above to invite users who are not currently part of your directory, but who have a Microsoft Account (e.g. email@example.com), to also be mapped into a role.
Step 2: Setting up Roles at the Resource Level
Once you’ve defined the default role mappings at the subscription level, they will by default apply to all resources and resource groups contained within it.
If you wish to scope permissions even further at just an individual resource (e.g. a VM or Website or Database) or at a resource group level (e.g. an entire application and all resources within it), you can also open up the individual resource/resource-group blade and use the Roles tile within it to further specify permissions.
For example, earlier we granted David reader role access to all resources within our Azure subscription. Let’s now grant him contributor role access to just an individual VM within the subscription. Once we do this he’ll be able to stop/start the VM as well as make changes to it.
To enable this, I’ve opened up the blade for the VM below. I’ve then scrolled down the blade and found the Roles tile within the VM. Clicking the contributor role within the Roles tile will then bring up a blade that allows me to configure which users will be contributors (meaning have read and modify permissions) for this particular VM. Notice below how I’ve added David to this:
Using this resource/resource-group level approach enables you to have really fine-grained access control permissions on your resources.
Command Line and API Access for Azure Role Based Access Control
The enforcement of the access policies that you configure using RBAC is done by the Azure Resource Manager APIs. Both the Azure preview portal as well as the command line tools we ship use the Resource Manager APIs to execute management operations. This ensures that access is consistently enforced regardless of what tools are used to manage Azure resources.
With this week’s release we’ve included a number of new Powershell APIs that enable you to automate setting up as well as controlling role based access.
Learn More about Role Based Access
Today’s Role Based Access Control Preview provides a lot more flexibility in how you manage the security of your Azure resources. It is easy to setup and configure. And because it integrates with Azure Active Directory, you can easily sync/federate it to also integrate with the existing Active Directory configuration you might already have in your on-premises environment.
Getting started with the new Azure Role Based Access Control support is as simple as assigning the appropriate users and groups to roles on your Azure subscription or individual resources. You can read more detailed information on the concepts and capabilities of RBAC here. Your feedback on the preview features is critical for all improvements and new capabilities coming in this space, so please try out the new features and provide us your feedback.
Alerts: General Availability of Azure Alerting and new Alerts on Events support
I’m excited to announce the release of Azure Alerting to General Availability. Azure alerts supports the ability to create alert thresholds on metrics that you are interested in, and then have Azure automatically send an email notification when that threshold is crossed. As part of the general availability release, we are removing the 10 alert rule cap per subscription.
Alerts are available in the full azure portal by clicking Management Services in the left navigation bar:
Also, alerting is available on most of the resources in the Azure preview portal:
You can create alerts on metrics from 8 different services today (and we are adding more all the time):
- Cloud Services
- Virtual Machines
- Web hosting plans
- Storage accounts
- SQL databases
- Redis Cache
- DocumentDB accounts
In addition to general availability for alerts on metrics, we are also previewing the ability to create alerts on operational events. This means you can get an email if someone stops your website, if your virtual machines are deleted, or if your Azure Resource Manager template deployment failed. Like alerts on metrics, you can route these alerts to the service and co-administrators, or, to a custom email address you provide. You can configure these events on a resource in the Azure Preview Portal. We have enabled this within the Portal for Websites – we’ll be extending it to all resources in the future.
Today’s Microsoft Azure release enables a ton of great new scenarios, and makes building applications hosted in the cloud even easier.
If you don’t already have a Azure account, you can sign-up for a free trial and start using all of the above features today. Then visit the Microsoft Azure Developer Center to learn more about how to build apps with it.
Hope this helps,
P.S. In addition to blogging, I am also now using Twitter for quick updates and to share links. Follow me at: twitter.com/scottgu