
Accelerate: Azure Fast Start for Mobile Application Development
Conditions and Terms of Use
Microsoft Confidential

This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided to you under
a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is strictly
prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied,
including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond to changing
market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any
information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people,
places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Copyright and Trademarks
© 2015 Microsoft Corporation. All rights reserved.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as
expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

For more information, see Use of Microsoft Copyrighted Content at http://www.microsoft.com/en-us/legal/intellectualproperty/Permissions/default.aspx
Azure, Internet Explorer, Microsoft, Microsoft Corporate Logo, Windows PowerShell, SQL Server, Visual Basic, Visual C++, Visual C#, Visual Studio, Windows,
Windows Phone and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other
Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All
other trademarks are property of their respective owners.
The Missing Link

Use Case
• I want to access my data securely from anywhere
• Outsource static content
• Sync / Orchestrate processes in the cloud

How can Microsoft Azure help?
• Highly available infrastructure
• Representational State Transfer (REST) enabled, with Software Development Kits (SDKs) for multiple languages and platforms
• Time-limited, secured access
• Messaging

Microsoft Partner Ready 4


Context…



[Diagram: Azure Storage sits between the Corporate Network and the Mobile Application, holding content such as PDF, DOCX, JPG, VIDEO and DB files]



Module 3: Microsoft Azure Storage

Module Overview
Agenda
• Section 1: Storage Features

• Section 2: Storage Security

• Section 3: Blob Storage

• Section 4: Table Storage

• Section 5: Queue Storage

• Section 6: Azure Files

• Section 7: Premium Storage

• Section 8: Content Delivery Network



Module 3: Microsoft Azure Storage

Section 1: Storage Features


Understanding Storage
• Storage in the cloud
o Scalable, durable, and available

o Anywhere, anytime access

o Only pay for what the service uses

• Exposed via RESTful Web services:
o Use from Azure compute
o Use from anywhere on the internet



Azure Standard Storage Account
• Can CDN-enable an account
o Blobs delivered via 24 global Content Delivery Network (CDN) nodes

• Can co-locate a storage account with a compute account
o Explicitly or using affinity groups

• Accounts have two independent 512-bit shared secret keys

• 500 TB per account

• 10 storage accounts per subscription (default)



Storage Features
• Locally redundant storage (LRS)
• Zone Redundant – block blobs only, no metrics
• Geo-replication (Geo Redundant storage)
• “Read access - Geo Redundant Storage” (RA - GRS)
• Storage analytics
o Logs: Provide trace of executed requests for your storage accounts
o Metrics: Provide summary of key capacity and request statistics for Blobs, Tables, and Queues



Storage in the Compute Emulator
• Provides a local mock storage
• Emulates storage in the cloud
• Allows offline development
• Requires SQL Server 2008 Express / SQL Server 2005 Express or later
• There are some differences between Azure Storage and the Storage Emulator
o Refer to http://msdn.microsoft.com/en-us/gg433135
• A good approach for developers:
1. To test pre-deployment, push storage to the cloud first
2. Use Dev Fabric for compute, connected to cloud-hosted storage
3. Finally, move compute to the cloud



Storage Libraries in Many Languages
• C# / .NET
• Android 0.4.1
• Python 0.9.0
• C++ 1.0
• Ruby 0.6.2
• Perl
• JavaScript (Node)
• Java SDK 2.0
• PHP 0.4.0
• Erlang
• Common LISP
• Objective-C
• C#/Visual Basic on Windows Phone 7
• Node.js 0.4.2



Module 3: Microsoft Azure Storage

Section 2: Storage Security


Storage Security
• Azure Storage provides simple security for calls to the storage service
o HTTPS endpoint
o Digitally sign requests for privileged operations
• Two 512-bit symmetric keys per storage account
o Can be regenerated independently
• More granular security via Shared Access Signatures (SAS)



Shared Access Signatures
• Fine-grained access rights to blobs and containers
• Sign URL with storage key—permit elevated rights
• Revocation:
o Use short time periods and re-issue
o Use container-level policy that can be deleted
• Two broad approaches:
o Ad hoc
o Policy-based



Ad Hoc Signatures
• Create short-dated SAS
o Signedresource: blob or container
o AccessPolicy: Start, Expiry, and Permissions
o Signature: HMAC-SHA256 of the above fields
• Use case
o Single-use URLs
o For example, provide URL to Silverlight client for upload to container
http://...blob.../pics/image.jpg?sr=c&st=2009-02-09T08:20Z&se=2009-02-10T08:30Z&sp=w&sig=dD80ihBh5jfNpymO5Hg1IdiJIEvHcJpCMiCMnN%2fRnbI%3d



Policy-Based Signatures
• Create container-level policy
o Specify StartTime, ExpiryTime, and Permissions
• Create SAS URL
o Signedresource: blob or container
o Signedidentifier: optional pointer to container policy
o Signature: HMAC-SHA256 of the above fields
http://...blob.../pics/image.jpg?sr=c&si=MyUploadPolicyForUserID12345&sig=dD80ihBh5jfNpymO5Hg1IdiJIEvHcJpCMiCMnN%2fRnbI%3d
• Use case
o Providing revocable permissions to certain users/groups
o To revoke: delete or update the container policy
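
As an added example (not code from the deck or from the Azure SDK), the signing and service-side checking that the Storage Security, Shared Access Signatures, Ad Hoc and Policy-Based slides describe, in Go: an HMAC-SHA256 over the signed fields, an ad hoc token carrying its own window, and a policy-based token whose window comes from a stored policy that is revoked by deleting it. The account key, resource path and the exact string-to-sign layout are constructed or assumed; the layout is modelled on the service's scheme, not copied from a specific API version.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// Constructed demo key (Azure keys are base64 strings); not a real account key.
var demoKey = base64.StdEncoding.EncodeToString([]byte("constructed demo key - not a real one"))

// SAS holds the signed query fields sr, st, se, sp, si. Ad hoc tokens carry Start/Expiry/
// Permissions themselves; policy-based tokens carry only Identifier and inherit the rest.
type SAS struct{ Resource, Start, Expiry, Permissions, Identifier string }

// Policies stands in for a container's stored access policies: deleting or updating an entry revokes every SAS that names it.
type Policies map[string]SAS

// stringToSign fixes the order of the signed fields. ASSUMPTION: this mirrors the shape of
// the service's scheme (fields plus canonical resource) but is not byte-exact for any API version.
func stringToSign(s SAS, resource string) string {
	return strings.Join([]string{s.Permissions, s.Start, s.Expiry, resource, s.Identifier}, "\n")
}

// Sign returns base64(HMAC-SHA256(accountKey, stringToSign)), the sig= value in the URL.
func Sign(accountKeyB64 string, s SAS, resource string) (string, error) {
	key, err := base64.StdEncoding.DecodeString(accountKeyB64)
	if err != nil { return "", err }
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(stringToSign(s, resource)))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil)), nil
}

// Verify is the service-side check: recompute the HMAC and compare in constant time, resolve the
// stored policy if one is named (a missing policy means revoked), then enforce the window and permission.
func Verify(accountKeyB64 string, s SAS, sig, resource string, pol Policies, now time.Time, want string) bool {
	expected, err := Sign(accountKeyB64, s, resource)
	if err != nil || !hmac.Equal([]byte(expected), []byte(sig)) {
		return false // forged, or a signed field (resource, window, identifier) was altered
	}
	eff := s
	if s.Identifier != "" {
		p, ok := pol[s.Identifier]
		if !ok { return false } // policy deleted: every token pointing at it is dead
		eff.Start, eff.Expiry, eff.Permissions = p.Start, p.Expiry, p.Permissions
	}
	const layout = "2006-01-02T15:04Z" // timestamp format used on the slides
	st, err1 := time.Parse(layout, eff.Start)
	se, err2 := time.Parse(layout, eff.Expiry)
	return err1 == nil && err2 == nil && !now.Before(st) && now.Before(se) && strings.Contains(eff.Permissions, want)
}

func main() {
	pol := Policies{"MyUploadPolicyForUserID12345": {Start: "2009-02-09T08:20Z", Expiry: "2009-02-10T08:30Z", Permissions: "w"}}
	tok, now := SAS{Resource: "c", Identifier: "MyUploadPolicyForUserID12345"}, time.Date(2009, 2, 9, 12, 0, 0, 0, time.UTC)
	sig, _ := Sign(demoKey, tok, "/contoso/pics")
	fmt.Printf("sr=%s&si=%s&sig=%s\n%v\n", tok.Resource, tok.Identifier, sig, Verify(demoKey, tok, sig, "/contoso/pics", pol, now, "w")) // true
	delete(pol, "MyUploadPolicyForUserID12345") // revoke by deleting the container policy
	fmt.Println(Verify(demoKey, tok, sig, "/contoso/pics", pol, now, "w")) // false
}
```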



Client Side Encryption
• Encryption via the ‘envelope’ technique using Cipher Block Chaining (CBC) mode with Advanced Encryption Standard (AES)
• Blobs
o Supports encryption of whole blobs only
o Must use the UploadFrom* methods or the OpenWrite method
o The wrapped content encryption key (CEK) and some additional encryption metadata are then stored as blob metadata along with the encrypted blob on the service
o Downloading an encrypted blob involves retrieving the content of the entire blob using the DownloadTo*/BlobReadStream methods
o All blob types supported
• Queues
o Since queue messages can be of any format, the client library defines a custom format that includes the Initialization Vector (IV) and the encrypted content encryption key (CEK) in the message text



Client Side Encryption (continued)
• Tables
o Supports encryption of entity properties for insert and replace operations
o Because of the additional reserved properties required for encryption, users may now have only 250 custom properties instead of 252. The total size of the entity must be less than 1 MB
o Only string properties can be encrypted



Blob Encryption Service: Sample Code
// Client-side blob encryption with the .NET storage client library.
// Assumed context: blob is a CloudBlockBlob reference, and stream/size are the content to upload.
using System.IO;
using Microsoft.Azure.KeyVault;
using Microsoft.WindowsAzure.Storage.Blob;

// Create the IKey used for encryption (the key-encryption key that wraps the per-blob CEK).
RsaKey key = new RsaKey("private:key1" /* key identifier */);

// Create the encryption policy to be used for upload and download.
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(key, null);

// Set the encryption policy on the request options.
BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy };

// Upload the encrypted contents to the blob.
blob.UploadFromStream(stream, size, null, options, null);

// Download and decrypt the encrypted contents from the blob.
MemoryStream outputStream = new MemoryStream();
blob.DownloadToStream(outputStream, null, options, null);
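
An added example, not code from the deck or from the storage client library, showing what the two Client Side Encryption slides and the sample above describe: the envelope technique in Go, with a fresh AES-256-CBC content encryption key per blob, wrapped with an RSA key that stands in for RsaKey, and the wrapped CEK and IV carried as metadata. The Envelope field names and the sample content are this example's own constructions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// Envelope is what the service would keep as blob metadata beside the ciphertext
// (field names are this example's own, not the client library's metadata keys).
type Envelope struct{ KeyID, WrappedCEK, IV string } // key identifier, base64 wrapped CEK, base64 IV

// NewKEK generates the RSA key-encryption key that plays the role of RsaKey("private:key1").
func NewKEK() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Encrypt is the upload path: fresh 256-bit CEK and IV per blob, AES-CBC over the whole
// content, CEK wrapped with RSA-OAEP so only the private-key holder can unwrap it.
// CBC gives confidentiality only; nothing here authenticates the ciphertext.
func Encrypt(pub *rsa.PublicKey, keyID string, plaintext []byte) ([]byte, Envelope, error) {
	cek, iv := make([]byte, 32), make([]byte, aes.BlockSize)
	if _, err := rand.Read(cek); err != nil { return nil, Envelope{}, err }
	if _, err := rand.Read(iv); err != nil { return nil, Envelope{}, err }
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7: always 1..16 pad bytes
	ct := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	block, _ := aes.NewCipher(cek) // a 32-byte key cannot fail
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil { return nil, Envelope{}, err }
	b64 := base64.StdEncoding.EncodeToString
	return ct, Envelope{keyID, b64(wrapped), b64(iv)}, nil
}

// Decrypt is the download path: unwrap the CEK from the metadata with the private key,
// then decrypt the entire blob (as the slide says, whole-blob download is required).
func Decrypt(priv *rsa.PrivateKey, keyID string, ct []byte, env Envelope) ([]byte, error) {
	if env.KeyID != keyID { return nil, errors.New("metadata names a different key") }
	wrapped, err1 := base64.StdEncoding.DecodeString(env.WrappedCEK)
	iv, err2 := base64.StdEncoding.DecodeString(env.IV)
	if err1 != nil || err2 != nil || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("malformed metadata or ciphertext")
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil { return nil, err } // wrong private key: the CEK stays sealed
	block, err := aes.NewCipher(cek)
	if err != nil { return nil, err }
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1]) // strip and validate the PKCS#7 padding
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}

func main() {
	kek, _ := NewKEK()
	ct, env, _ := Encrypt(&kek.PublicKey, "key1", []byte("constructed sample blob content"))
	pt, err := Decrypt(kek, "key1", ct, env)
	println(len(ct), "ciphertext bytes; metadata key", env.KeyID, "; recovered:", string(pt), err == nil)
}
```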



Azure Storage Abstractions
• Blob: simple named files along with metadata for the file
• Queues: reliable storage and delivery of messages for an application
• Tables: structured storage. A table is a set of entities; an entity is a set of properties
• Azure Files: Server Message Block (SMB) storage with drive mapping capability. Based on blob storage (includes tech support)


Module 3: Microsoft Azure Storage

Section 3: Blob Storage


Blob Storage Concepts
http://<account>.blob.core.windows.net/<container>/<blobname>
[Diagram: naming hierarchy Account > Container > Blob > Pages/Blocks, for example account contoso with containers images (blobs PIC01.JPG and PIC02.JPG, each block or page based) and videos (blob VID1.AVI)]


Blob Details
• Main Web service operations
o PutBlob
o GetBlob
o DeleteBlob
o CopyBlob
o SnapshotBlob
o LeaseBlob

• Associate metadata with blob
o Standard HTTP metadata/headers (Cache-Control, Content-Encoding, Content-Type, etc.)
o Metadata is <name, value> pairs, up to 8 KB per blob
o Either as a part of PutBlob or independently
• Blob always accessed by name
o Can include ‘/’ or other delimiter in name, for example /<container>/myblobs/blob.jpg



Blob Containers
• Multiple containers per account
o Special $root container

• Blob container
o A container holds a set of blobs
o Set access policies at the container level
o Associate metadata with container
o List the blobs in a container
o Including blob metadata and MD5 digest
o No search/query, that is to say, no WHERE MetadataValue = ?
• Blob throughput
o Each blob is effectively its own partition (one partition key)
o Target of 60 MB/s per blob



Two Types of Blobs Under the Hood
• Block blob
o Targeted at streaming workloads or individual file uploads
o Each blob consists of a sequence of blocks
o Each block is identified by a Block ID
o Size limit of 200 GB per blob
o Optimistic concurrency via Entity Tags (ETags)

• Page blob
o Targeted at random read/write workloads
o Each blob consists of an array of pages
▪ Each page is identified by its offset from the start of the blob
o Size limit of 1 TB per blob
o Optimistic or pessimistic (locking) concurrency via leases
• Append blob
o All writes to an append blob are added sequentially to the end of the blob
o Ideal for logging scenarios
o Size limit of 200 GB per blob



Module 3: Microsoft Azure Storage

Section 4: Table Storage


Table Details
• Not a Relational Database Management System (RDBMS)
• Table: Create, Query, Delete; tables can have metadata
• Entities: Insert, Update (Merge – partial update; Replace – update entire entity), Upsert, Delete, Query
• Entity Group Transactions: multiple CUD operations in a single atomic transaction


Table Storage Concepts
[Diagram: hierarchy Account > Table > Entity, for example account contoso with table customers (entities with Name and Email properties) and table photos (entities with Photo ID and Date properties)]


Entity Properties
• Entity can have up to 255 properties
o Up to 1 MB per entity

• Mandatory properties for every entity
o PartitionKey and RowKey (the only indexed properties)
▪ Uniquely identify an entity
▪ Define the sort order
o Timestamp
▪ Optimistic concurrency
▪ Exposed as an HTTP ETag
• No fixed schema for other properties
o Each property is stored as a <name, typed value> pair
o No schema stored for a table
o Properties can be the standard .NET types
▪ String, binary, bool, DateTime, GUID, int, int64, and double



No Fixed Schema

FIRST     LAST      BIRTHDATE      FAV SPORT
Wade      Wegner    2/2/1981
Nathan    Totten    3/15/1965      Canoeing
Nick      Harris    May 1, 1976



Querying

?$filter=Last eq 'Wegner'

FIRST     LAST      BIRTHDATE
Wade      Wegner    2/2/1981       (matching row)
Nathan    Totten    3/15/1965
Nick      Harris    May 1, 1976



Purpose of the Partition Key
• Entity locality
o Entities in the same partition will be stored together
▪ Efficient querying and cache locality
▪ Endeavour to include the partition key in all queries
• Entity Group Transactions
o Atomic multiple Insert/Update/Delete in the same partition in a single transaction
• Table scalability
o Target throughput—500 tps/partition, several thousand tps/account
o Azure monitors the usage patterns of partitions
o Automatically load balances partitions
▪ Each partition can be served by a different storage node
▪ Scale to meet the traffic needs of your table



Partitions and Partition Ranges
[Diagram: the Products table (PartitionKey = Category, RowKey = Title, Timestamp, ModelYear) with rows in the Bikes, Canoes, Rafts, Skis, Tents and Trackers partitions; the partition range [MinKey - Canoes) is served by Server A and [Canoes - MaxKey) by Server B]


Module 3: Microsoft Azure Storage

Section 5: Queue Storage


Queue Storage
[Diagram: hierarchy Account > Queue > Message, for example account adventureworks with queue "order processing", whose messages each carry a customer ID, an order ID and an http://… link]


Queue Storage (continued)
• Simple asynch ronous dispatch queue
o No limit to queue length (subject to storage limit)
o 64 KB per message
o List queues—list queues in account
• SAS security
• HTTP/REST queue operations
o CreateQueue
o DeleteQueue
o Get/Set Metadata
o Clear Messages
• HTTP/REST message operations
o PutMessage—adds a message to the queue
o GetMessages—reads one or more messages and hides them
o PeekMessages—reads one or more messages without hiding them
o DeleteMessage—permanently deletes a message from the queue



Queue Storage Reliability
• Guaranteed delivery/processing of messages (two-step consumption)
o Worker de-queues a message, and it is marked as invisible for a specified invisibility time
o Worker deletes the message when finished processing
o If the worker role crashes, the message becomes visible for another worker to process
o Remember to handle poison messages: remove a message if its de-queue count is above the threshold

[Diagram: producers P1 and P2 put messages on queue Q; consumers C1 and C2 take them]
1. GetMessage(Q, 30 s) → msg 1
2. GetMessage(Q, 30 s) → msg 2
3. C2 consumed msg 2
4. DeleteMessage(Q, msg 2)
5. C1 crashed
6. msg 1 visible 30 s after dequeue
7. GetMessage(Q, 30 s) → msg 1


Demo: Azure Storage
Module 3: Microsoft Azure Storage

Section 6: Azure Files


Azure Files
• Files – a PaaS solution for a network share in the cloud
o SMB 2.1 and SMB 3.0 support on shares
o Enables “lift and shift” of applications
▪ Applications use native operating system APIs to access files
o Enables on-premises applications to use a file share in Azure with encryption—must open port 445 (outbound)
o REST interface to access files from anywhere



Azure Files Concepts
• A share can have multiple directories
• All directories and files must be created in a parent share
• An account can contain an unlimited number of shares, and a share can store an unlimited
number of files, up to the capacity limits of the storage account



Azure Files - Scenarios
• Share data across virtual machines and applications
o Multiple writers, multiple readers using standard file system semantics
• Share settings throughout services
o Virtual machines can read settings and files from a common, shared location. These virtual machines can be updated externally via REST.
• Dev/Test/Debug
o Very useful to have a shared location for installing applications, setting up virtual machines, running tools, and keeping notes while developing, testing, and debugging cloud services.



Website Served From Azure File Share
[Diagram: a load balancer in front of two Azure virtual machines, both attached over SMB 3.0 to the same Azure File Share]


Azure Files - SMB 2.1 and SMB 3.0 Protocol
• Enables moving on-premises applications that rely on shared file storage to Azure
o Azure virtual machines can “net use” to a share
• Natively supported by operating system APIs, libraries, and tools
o Windows (CreateFile, ReadFile, WriteFile, …)
o CRTs (fopen, fread, fwrite, …)
o .NET (FileStream.Read, FileStream.Write, …) and many more
• Supports standard file system semantics
o Move and rename files and directories
o Read-only, write through, overlapped
o Change notifications



Recently Added Features
• Copy File – server-side copy of a blob or file to a destination file within the storage account or across different storage accounts
• Abort Copy File – abort a pending copy file operation
• File share size quota – limit the size of file shares
• Get File Properties – returns all user-defined metadata, standard HTTP properties, and system properties for the file. It does not return the content of the file
• Set File Properties – set system properties on the file
• CORS Support – allow browser access using Set File Properties, Get File Properties, and Preflight File Request
• Get Share Stats – get usage data for a file share
• Shared Access Signatures – provide SAS-based access to file shares and files with REST APIs
• Get Share ACL and Set Share ACL – get and set shared access policies on a share for use with REST APIs



Azure Files – Linux Client Operating System Support
• Linux SMB client does not support encryption
• Mounting from Linux still requires the client to be in the same Azure region as the file share.



Azure Files: Getting Started
• Request a token
o Users are usually auto-approved
• Redeem token
o Create new storage account in the approved subscription
o Create share (using PowerShell)
o Put files into share (AzCopy)
o Connect to share from virtual machine



Demo: Azure Files
Module 3: Microsoft Azure Storage

Section 7: Premium Storage


Azure Premium Storage
• Premium storage accounts can be created via the Azure Preview Portal, Azure PowerShell or the Service Management REST API
• Supports only Azure Page Blobs, which are used to hold persistent disks
• Available in the following regions: West US, East US 2, West Europe, East China, Southeast Asia and West Japan
• Supports only Locally Redundant Storage (LRS)
• Must use DS-Series or GS-Series virtual machines for the disks
• Cannot be mapped to a custom domain
• Storage analytics not currently supported
• No support for Block blobs, Azure Files, Azure Tables or Azure Queues



Azure Premium Storage Scalability
• Three types of Premium Storage disks

• Scalability Targets



Premium Storage – Disk Traffic (only)



Creating a Premium Storage account



Module 3: Microsoft Azure Storage

Section 8: Content Delivery Network
Content Delivery Network (CDN)
• High-bandwidth global blob content delivery
o 31 locations globally (US, Europe, Asia, Australia and South America), and growing
o Same experience for users—irrespective of how far they are from the geo-location where the storage account is hosted
• Blob service URL vs. CDN URL:
o Azure Blob URL: http://<StorageAccount>.blob.core.windows.net/
o CDN URL: http://<id>.vo.msecnd.net/
o Custom Domain Name for CDN: http://cdn.contoso.com/



CDN (continued)
[Diagram: a client GETs http://guid01.vo.msecnd.net/images/pic1.jpg from a CDN edge location; on a cache miss (404 at the edge) the Content Delivery Network fetches http://sally.blob.core.windows.net/images/pic1.jpg from the Azure Blob Service and caches pic1.jpg for the TTL; the CDN URL http://guid01.vo.msecnd.net/ maps to the storage account http://sally.blob.core.windows.net/]
To enable CDN:
1. Register for CDN via Dev Portal
2. Set container images to public