I recently joined Chris Presley for Episode 5 of his podcast, Cloudscape, to talk about what’s happening in the world of cloud-related matters. My focus was to share the most recent events surrounding Microsoft Azure.
Topics of discussion included:
- Always secure – Azure DDoS protection
- Always secure – confidential compute
- Azure Standard Load Balancer
- Azure Event Hubs Kafka
- Azure Functions improvements
- Azure Blockchain Workbench
Always secure – Azure DDoS protection
Microsoft has a new initiative which puts security front and center. This is especially timely now with GDPR: beyond the risks from direct attacks, social engineering and everything else, there are also some really complicated compliance environments to satisfy. This is the Always Secure initiative.
One of the first components coming from this initiative is a distributed denial of service (DDoS) protection service for Azure. We know this is a very common attack on the internet, and companies like Cloudflare provide exactly this kind of DDoS protection service. Microsoft has now decided to make it part of its own platform, which makes a lot of sense. If you sign up for it, they will provide DDoS protection for your public-facing endpoints.
This is Microsoft’s way of demonstrating that Azure is secure by default and that they have invested as much as they can in R&D for Azure’s security.
It’s really cool that they are bringing this on board instead of relying on third-party providers. They had a lot of good security-related announcements like this at Microsoft Build 2018.
Always secure – confidential compute
The other announcement from Microsoft is the confidential compute platform. This is really interesting because it’s built on the latest improvements from Intel: new extensions in the chips, called SGX, which support secure enclave computation. Basically, the data is decrypted and processed inside an isolated, hardware-protected region of the CPU rather than in ordinary memory that the operating system can read.
Usually, if you have a lot of encrypted data you want to work on, you decrypt it in RAM so you don’t pay a big performance penalty. The other common situation is data that’s encrypted end to end but, once it reaches the last leg of its journey, is decrypted so it can be computed on.
With this new extension from Intel, the computer running the computation is not even aware of the contents of the data. For example, SQL Server has a capability called Always Encrypted, and its whole goal is that SQL Server should never know the contents of the encrypted data. Today, it is usually implemented with the client holding the decryption keys. The problem is that if you want to do really heavy computing on data that is Always Encrypted in SQL Server, the data has to move to the client and the client has to decrypt it. That is an issue because most clients are not as beefy as the database servers themselves.
But now, using the secure enclaves inside the chip, there is a way to send the decryption key to the SQL Server machine while the SQL Server process itself never learns the actual key. It doesn’t need to know it, because the enclave on the Intel chip is what receives the key, performs the computation and sends the results back to the clients.
What they are doing with these new Intel extensions is very interesting because it will allow large, scalable queries over data that remains encrypted at all points outside the enclave.
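As an added illustration of the flow described above (not code from the podcast or the post), this is what enclave-enabled Always Encrypted looks like in SQL Server’s T-SQL: a column master key marked for enclave computations, a randomized-encrypted column, and a range query that can only be evaluated server-side because the enclave holds the key. The key names, the table, the certificate path, the signature, the wrapped key bytes and the attestation URL are constructed placeholders, and the attestation connection-string keywords are assumed from the Microsoft SqlClient driver.

```sql
-- Added example, not from the post. Placeholders (<...> and 0x00) stand in for
-- values produced by the client-side key provisioning tooling.

-- The column master key is marked as allowed for enclave computations. SIGNATURE
-- is the master key's own signature over this metadata, so a database admin who
-- can edit catalog metadata cannot silently enable enclave use for a key.
CREATE COLUMN MASTER KEY CMK_Payroll
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/<certificate-thumbprint-placeholder>',
    ENCLAVE_COMPUTATIONS (SIGNATURE = 0x00)    -- placeholder for the real signature
);

-- The column encryption key is stored only wrapped by the master key; the
-- database engine outside the enclave never holds it in plaintext.
CREATE COLUMN ENCRYPTION KEY CEK_Payroll
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Payroll,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00                     -- placeholder for the wrapped key bytes
);

-- Randomized encryption reveals nothing about equality or order, so without an
-- enclave a range predicate on Salary could only be evaluated on the client.
CREATE TABLE dbo.Employees (
    EmployeeId INT PRIMARY KEY,
    Salary DECIMAL(12, 2)
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Payroll,
            ENCRYPTION_TYPE = RANDOMIZED,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
        ) NOT NULL
);

-- Issued by a client whose connection string carries (assumed driver keywords):
--   Column Encryption Setting=Enabled;
--   Attestation Protocol=AAS;
--   Enclave Attestation Url=<attestation-service-url-placeholder>
-- The driver first verifies the enclave's attestation, then releases CEK_Payroll
-- to the enclave over a secure channel. The comparison runs inside the enclave:
-- the ciphertext rows never leave the server decrypted, and the SQL Server
-- process outside the enclave never sees the key or the plaintext salaries.
DECLARE @MinSalary DECIMAL(12, 2) = 150000.00;
SELECT EmployeeId
FROM dbo.Employees
WHERE Salary > @MinSalary;
```

If the attestation step fails (for example, the enclave's measurement does not match the policy the attestation service enforces), the driver refuses to send the key and the query fails rather than falling back to an unprotected path.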
Azure Standard Load Balancer
Azure Standard Load Balancer has a new feature: you can now run one with no public endpoint at all, entirely inside a virtual network. There is a pattern here. Many diverse types of Azure resources were architected years ago to all have public endpoints, but in the security environment that has evolved over the last few years, that is a showstopper for many people. In response, there is a general movement away from public endpoints and toward endpoints protected inside a Virtual Network.
There is also an improvement in scale for the Load Balancer. For example, you can now put up to a thousand VMs behind one of the higher-end load balancers available in Azure.
Azure Event Hubs Kafka
Another big announcement that I thought was smart is that Azure has developed a Kafka endpoint for its own message processing system, Event Hubs. You can take a Kafka application or tool and connect it to an Azure endpoint that, under the covers, is the Event Hubs service speaking a Kafka-compatible protocol. The Kafka application would not know that it is not actually talking to a Kafka cluster.
This mirrors the strategy they are using to migrate people from MongoDB and Cassandra to Cosmos DB. Instead of saying, “Oh, here’s a migration tool to move from MongoDB or Cassandra or Kafka to an Azure service,” they are developing compatibility endpoints under the covers. The applications think they are talking to their native platform, be it MongoDB, Cassandra or Kafka.
Azure Functions improvements
Microsoft is also working hard to make its serverless story stronger. They have improved monitoring, they’re improving diagnostics, and they are improving what you can do with Azure Functions in terms of stateful or long-running operations. They are trying to make more use cases fit the Azure Functions serverless platform.
We will probably see a lot more work trying to make serverless computing more attractive inside Azure, as well.
Azure Blockchain Workbench
Azure Blockchain Workbench is Microsoft’s first step into providing the blockchain-as-a-service offering to the rest of the developer community.
Right now what we have are templates. Amazon Web Services also released a “blockchain-as-a-service” offering, but in the end those are just templates too. So no cloud provider has yet delivered a true blockchain-as-a-service offering, but Microsoft is quickly getting there.
With the Workbench, you get not only the templates but also other components built around the blockchain that make development much easier. For example, the bundle includes not only the blockchain component but also an API layered on top of it.
There is also a SQL database on top of it, so you can do quicker reporting and querying off the blockchain. Blockchains don’t lend themselves to fast querying and index seeks, so what usually happens is that you take the data from the blockchain and put it in a query-friendly structure like a SQL database.
Microsoft is trying to make it very easy to develop blockchain solutions without knowing much about the blockchain infrastructure. You just have to know that there is an Ethereum blockchain under the covers. You won’t have to learn how to run an Ethereum node or how to configure the consensus algorithm in the Ethereum config files; the service takes care of that for you. You would only need to interface with the API exposed by the service, and you could potentially even swap out different blockchains on the backend.
If you build a solution and then go to a client that doesn’t want to run Ethereum but something else, such as Hyperledger, then because you only work against the front-facing API of the service, you should be able to swap out the blockchain on the backend and your application should continue to work.
So these are just the very first steps toward a real, generally available blockchain-as-a-service offering. But we know it’s coming now. They’ve made it a public preview, and I always say that once these things reach public preview, they’re like public promises to see them through to the end.
This was a summary of some of the Microsoft Azure topics we discussed during the podcast. Chris also welcomed Greg Baker (Amazon Web Services) and Kartick Sekar (Google Cloud Platform) who discussed topics related to their expertise.
Click here to hear the full conversation and be sure to subscribe to the podcast to be notified when a new episode has been released.