CHAPTER 2


Overview of Microsoft Azure Services

Microsoft Azure Services

As you saw in Chapter 1, Microsoft Azure represents computing capabilities. What does that mean? It means that Azure strives to be the foundation of modern computing and continues to evolve. The services presented are a snapshot in time, and you should expect new services to be introduced at an accelerated pace.

This evolution is currently manifested by monthly releases of new capabilities. As of this writing, Azure addresses 25 categories of services.

This chapter goes through all these services at an introductory level. Furthermore, by working your way through this chapter, you will become more familiar with the Azure Portal. The chapter should be used as a quick reference guide to the different Azure services, their intended audience, and the benefits of each.

The Azure Portal

Azure services are managed and accessed primarily via PowerShell or the Azure Portal. This chapter focuses on using the Azure Portal to introduce the different Azure services.

At the time of this writing, the Azure Portal is in transition. Figure 2-1 shows the current Azure Portal interface, and Figure 2-2 shows the new interface that was introduced in the spring of 2015. The current portal is accessible via https://manage.windowsazure.com; the new Preview Portal is accessible at https://portal.azure.com. In both cases, an existing Azure subscription is required to log into the Portal.


Figure 2-1. The current Azure Portal interface


Figure 2-2. The new Azure Portal interface

The original Azure Portal interface is sometimes known as the Full Azure Portal. If you are at the Full Azure Portal and would like to switch to the new Portal, simply click the user icon at upper left and select Switch to New Portal from the drop-down menu, as shown in Figure 2-3. You can switch back to the Full Azure Portal from the new Portal interface in the same way.


Figure 2-3. Switching to the new Portal from the original Portal

Because the new Portal is imminent, the remainder of this chapter and the book, where applicable, focus on the new Portal interface.

Note  At the time of this writing, the new Azure Portal interface is in preview. The final release of the new Portal may be slightly different from the preview version. Furthermore, not all Azure services are shown in the preview version of the new Portal—for example, Visual Studio Online, HDInsight, and so forth. If you do not see a service in the new Portal, you may have to switch to the Full Azure Portal. There may also be new Azure services that appear in the new Portal but not in the existing Full Azure Portal. Because of this transition period, which may stretch through calendar year 2015 and part of 2016, you need to be familiar with both Portals.

In order to view the different Azure services from the new Portal, click Browse in the left margin and select Everything, as shown in Figure 2-4.


Figure 2-4. Browsing Azure services from the new Portal

Because most Azure services are currently accessible via the Full Azure Portal, this chapter uses it to describe these services (refer again to Figure 2-3). The first service on that list is Websites, followed by Virtual Machines, Mobile Services, and so on. Let’s go down the list and explore each of these services; each description defines the service, indicates the most relevant audience to whom the service is applicable, and highlights the service’s benefits and capabilities.

Websites

Azure Websites is an Azure service that provides the platform for building and hosting your website.

What Is It?

Azure Websites is classified under the platform as a service (PaaS) category. It is essentially a fully managed platform that enables you to build and deploy websites and web-based applications in seconds.

Audience

The target audience for Azure Websites is application developers and hosting providers.

Benefits and Capabilities

From an operational point of view, there are no web servers to maintain or patch. Websites and apps deployed on Azure Websites also benefit from the scalability of the service, including the ability to auto-scale. This lets organizations focus solely on the site’s look and feel and the application code. Azure is fully responsible for the infrastructure, the operating system (OS), and the web server publishing platform.

Note  Relying on Azure Websites to manage the infrastructure does not mean giving up total control. Azure Websites provides real-time monitoring, alerts, and analytics so that you and your team are informed of any issues.

Azure websites and data can be automatically backed up so that your sites’ code and data have disaster recovery built in as part of the deployment. Rapid deployment of websites and web-based applications is achieved by providing fully managed Microsoft and non-Microsoft platforms. For example, popular publishing platforms such as WordPress, Joomla, and Drupal are available for content management.

In the likely event that you need to access data sources, Azure Websites can access Azure-based databases as well as databases running in your on-premises datacenters. Developers can use Visual Studio, which has built-in integration with Azure services and allows for a full application development lifecycle that includes the continuous publishing of web applications as well as multiple testing and staging environments that can be isolated from each other.

The anticipated end result is a quicker and more efficient way to publish and update websites. Because the infrastructure is handled by Azure, IT no longer needs to provision hardware or patch software, and published websites and applications have improved uptime and better security.

References

Azure Websites is explored in detail in Chapter 5. You can also find more information at http://azure.microsoft.com/en-us/services/websites/.

Virtual Machines

Azure Virtual Machines is probably the most recognized Azure service. It falls under the infrastructure as a service (IaaS) category.

What Is It?

As an IaaS, Azure Virtual Machines provides customers with a quick and easy way to deploy and manage virtual machines (VMs).

With Azure VMs, customers are responsible for managing the guest OS and the software installed on the VMs, including patching and securing the VMs. Azure is responsible for the underlying hardware, the hypervisor, and the datacenter environment, such as power, cooling, physical access security, redundancy, and disaster recovery.

Audience

The target audience for Azure Virtual Machines includes datacenter operations and infrastructure providers, such as central IT for organizations, as well as customers looking to get out of the datacenter operations business but who still require enterprise class servers and databases to host their applications and other software assets.

Benefits and Capabilities

Managing datacenters is essentially a high-cost and complex facilities-management project. Datacenters house the IT backbone of many organizations, and the disruption of such services usually means significant loss of revenue. In some cases, it is a matter of life and death. Thus it is not an overstatement to say that the datacenter is a mission-critical component of any industry.

Local and Geo-Redundancy with Service Level Agreements (SLAs)

There are essentially three types of datacenter infrastructure:

  • Legacy and/or out-of-capacity, single-location datacenter
  • Modern single-location datacenter with spare capacity
  • Modern geo-redundant datacenter

Azure datacenters fall into the third category, with each location having excess capacity and the ability to scale up and out quickly. In terms of geo-redundancy, Azure datacenters can be hundreds of miles apart. By default, in a datacenter, VMs are provisioned on three physically separate infrastructures that are located in different parts of the facility. This is known as local redundancy. As an Azure customer, you have control over whether the VMs are replicated to geographically separate datacenter facilities located a distance apart from one another. Geo-redundancy occurs in addition to local redundancy—it is not a substitute. Therefore, for many organizations, the greatest benefit of hosting VMs in Azure is its built-in local and geo-redundancy capabilities. This is even more important if an organization’s datacenter infrastructure falls into the first legacy category: an out-of-capacity type of facility. Local and geo-redundancy help organizations meet their disaster recovery (DR) and high availability (HA) requirements.

Azure VMs that have two or more instances deployed in the same availability set come with a financially backed 99.95% service-level agreement (SLA). Availability sets are covered in more detail in Chapter 11.

Open Architecture

Azure VM infrastructure is built to support Microsoft and non-Microsoft technologies. An organization can choose to use certified images from the Azure VM gallery or upload its own images. Figure 2-5 and Figure 2-6 show the VM image gallery in the Full Azure Portal and the new Azure Portal, respectively. Note that the VM image gallery contains Microsoft and non-Microsoft technologies that are certified on Azure.


Figure 2-5. Azure VM image gallery in the Full Azure Portal


Figure 2-6. Azure VM image gallery as seen in the new Azure Portal

Modern and Always Up-to-Date Hardware

Azure VM customers no longer need to replace and update hardware. They no longer experience racking of servers and waiting for hardware orders to be processed. Azure VM customers have access to the latest hardware, and they only need to know the number of processor cores, the amount of memory, and the type of storage.

There are many options for VMs: A-series with high performance, enterprise drives, and D-series with solid state drives (SSDs). In January 2015, Microsoft announced a new class of VMs touted as the “largest VM in the cloud,” known as the G-series. The G-series VMs provide the most memory, the highest processing power, and the largest local SSD storage of any VM currently available. The G-series VMs are based on the latest Intel Xeon processor E5 v3 family.

Note  For information about the different VM sizes, see the Virtual Machine and Cloud Service Sizes for Azure at https://msdn.microsoft.com/en-us/library/azure/dn197896.aspx. If you are interested in comparing the different VMs, visit this blog: http://blogs.msdn.com/b/igorpag/archive/2014/11/11/azure-a_2d00_series-and-d_2d00_series-consistent-performances-and-size-change-considerations.aspx.

Flexibility

Requirements change, and, as such, the infrastructure on which an application depends tends to grow or shrink. With earlier virtualization technology, applications were based on physical infrastructure and remained locked in. Therefore, it was difficult to scale up or down in response to a business’s needs. The ability to change the VM type for applications provides the flexibility to supply the best architecture at the time and to maximize IT operational budgets. The ability to schedule shutdowns for VMs manually or automatically further maximizes operations budgets, because it allows IT departments to pay only for what they use and when they need the VMs.

You have seen that VMs are charged based on utilization. As long as the VM is running, it is incurring charges. This model can also extend to licensing. The guest OS in a VM is included as part of the VM runtime charges. In some cases, certain software in the VM is covered under the same licensing model. For example, the SQL and Oracle VMs provide licenses that are part of their respective VM runtime charges. Alternatively, customers that own licenses can still use their own licenses and install them on the VM. Bringing an existing license reduces the VM runtime charges accordingly. Therefore, the flexibility extends from the hardware to the licensing of software.

References

Azure VMs are explored in greater detail in Chapter 6. For more information about Azure VMs, visit http://azure.microsoft.com/en-us/services/virtual-machines/.

Mobile Services

Azure Mobile Services falls under the PaaS category. It is a platform designed to build and publish mobile apps.

What Is It?

Azure Mobile Services provides a platform to rapidly build and deploy apps for iOS, Android, Windows, and Macs. Specifically, it provides the following key capabilities that are associated with mobile apps:

  • Authentication
  • Push notifications
  • App data stored in the cloud or on premises

Audience

The target audience for Azure Mobile Services includes application developers and organizations that need to provide native mobile apps that are responsive and scalable.

Scalability and Performance

Just as with Azure Websites, customers can focus solely on designing and developing mobile apps and let Azure manage the delivery mechanism. Like all the other Azure services, mobile apps deployed on Azure enjoy good performance, high availability, scalability, and the ability to support natively all the popular mobile platforms, not just Microsoft’s. The ability to store data on premises or in the cloud, and to be able to cache data, lets developers balance security and performance requirements.

Real-Time Analytics

Azure Mobile Services provides app owners with real-time analytics to help determine customer behavior through app interaction. This gives organizations the ability to fine-tune or even segment user experiences. In-app push-notification capabilities further provide a rich experience that allows organizations to interact with users.

Social

Mobile apps deployed on Azure can be connected to social websites such as Facebook, Google+, Microsoft, and Twitter. Identity information can be connected to these social platforms to provide a single sign-on solution for more seamless integration between the app and the social websites preferred by the user.

References

For more information on Mobile Services, visit http://azure.microsoft.com/en-us/services/mobile-services/.

SQL Databases

As the name implies, Azure SQL Databases handles the provisioning of databases in the cloud. However, SQL databases are available as PaaS and IaaS offerings.

What Is It?

Azure SQL Databases provides Microsoft SQL Server technologies in the cloud. SQL databases fall into the PaaS and IaaS categories because they can be provisioned either way.

As an IaaS, Microsoft SQL Server is installed on a VM. In this model, organizations are responsible for maintaining and patching the guest OS and the SQL database engine and other roles.

As a PaaS, Azure SQL Databases lets you simply provision a fully managed relational database service that includes built-in high availability. With this model, organizations are not responsible for any hardware or software infrastructure—just the contents and the size of the databases.

Figure 2-7 shows the difference between provisioning Azure SQL Server (IaaS) versus a SQL database (PaaS).


Figure 2-7. SQL Server (IaaS) vs. SQL database (PaaS), as shown in the new Azure Portal

Audience

The target audience for Azure SQL Databases includes application developers who need to use databases as a storage medium and non-developers who want to consume database services.

Benefits and Capabilities

Databases are mission-critical components on which applications rely. Over the years, Microsoft SQL Server technology has made big strides in terms of performance, scalability, and high availability (HA). SQL Server Availability Groups is a recent technology that has taken HA to a new level. Still, many of these technologies are most effective when they are built on a geo-redundant infrastructure. Azure SQL Databases is designed to allow for technologies such as AlwaysOn to provide databases with HA capabilities.

References

For more information on Azure SQL Databases, visit http://azure.microsoft.com/en-us/services/sql-database/.

Azure Storage and StorSimple

There are several types of storage options in Azure. Azure SQL Databases is one of four major types, as shown in Figure 2-8.


Figure 2-8. The four major storage options in Azure

What Is It?

Azure Storage is essentially hosted hard drive space in the cloud. You may be familiar with consumer versions of these storage options such as OneDrive, Dropbox, ShareFile, Google Drive, and iCloud. Azure Storage is the commercial and enterprise equivalent of such storage solutions, and it includes capabilities that are not available in consumer cloud storage, such as DR, HA, and audit capabilities. Azure Storage solutions are also designed to work seamlessly with enterprise workloads, including servers and applications. This section introduces the three additional storage options shown in Figure 2-8: Azure Block BLOB Storage, Azure Page BLOB and Disk Storage, and StorSimple managed storage.

Audience

The target audience for Azure Storage and StorSimple is IT operations personnel who manage storage options and organizations that are looking at replacing or expanding storage capacity. Recent events have also resulted in new business initiatives that may lead to a significant spike in storage needs. For example, law enforcement videos from body cameras (bodycams) and the expanded use of rich media for training and communications may accelerate the need for additional storage availability.

Benefits and Capabilities

Azure Storage provides many options for storing and managing your data in Azure. StorSimple provides an integrated solution for managing storage tasks between your on-premises devices and Azure cloud storage.

Agility and Price

The biggest benefit of Azure Storage is the ability to scale up or down in seconds and only pay for what is being used. Because Azure has the benefit of economies of scale when purchasing hard drives, the savings are passed along to customers.

Note  You may hear the terms thin provisioning and thick provisioning when configuring Azure Storage. Thin provisioning refers to the allocation of space dynamically as needed, whereas thick provisioning means allocating a certain amount of predefined space, like a fixed volume, regardless of current demand. Thick provisioning immediately allocates space, and it is thus considered consumed and incurs storage charges immediately on provisioning.

High Availability and Redundancy

Like all Azure services, storage in Azure has built-in HA and DR. At a minimum, storage is allocated as locally redundant storage (LRS), where it is replicated across three different infrastructures in the same datacenter. Customers have the option to provision geographically redundant storage (GRS), which expands an LRS instance to a second geographically separated Azure datacenter, hundreds of miles away. Figure 2-9 illustrates selecting the storage redundancy level as seen in the new Azure Portal when provisioning storage.


Figure 2-9. The various redundancy levels as seen in the new Azure Portal when provisioning storage

There are also options to take snapshots of Azure storage so that customers have timely copies of files in case there is a need to revert to a previous state. Traditional strategies that reduce storage downtime, such as striping, RAID, mirroring, and replication can be designed based on Azure Storage.

Innovative Approach to Storage

Azure introduced new and innovative ways to provision and manage storage. Solution providers, such as SoftNAS, can provide software-based NAS that uses Azure Storage.

Azure StorSimple is based on a 2U physical rack-mountable device that is installed on premises. A StorSimple device provides the ability to overflow into the cloud through content aging, compression, and deduplication. Instead of a disk-to-disk-to-tape concept, a StorSimple device provides a disk-to-disk-to-cloud approach. Each StorSimple device has SSDs for low-latency tier one data, traditional spinning drives for tier two data, and connectivity to Azure for tier three data. StorSimple is a good example of a hybrid cloud model as it pertains to storage. Chapter 7 covers it in detail.

References

Azure Storage and StorSimple are discussed in detail in Chapter 7. For more information about Azure Storage, visit http://azure.microsoft.com/en-us/services/storage/. For more information about StorSimple, visit http://azure.microsoft.com/en-us/services/storsimple/.

HDInsight

HDInsight is a Hadoop distribution powered by Azure.

What Is It?

Hadoop is a Java-based programming framework designed to process large data sets by using a distributed computing infrastructure (nodes). Azure meets the classic distributed cloud computing model, and, as such, it is a great candidate to be a Hadoop platform. HDInsight is a version of Hadoop provided in Azure. It can process large amounts of data, scaling from terabytes to petabytes, and it has the ability to spin up as many nodes as necessary to process the data.

Audience

The target audience for HDInsight includes data warehouse developers, data scientists, and analysts who need to process large amounts of data. HDInsight is also applicable to organizations that have business intelligence or advanced analytics initiatives.

Benefits and Capabilities

The flexibility and scalability of Azure make it easy to spin up as many nodes as necessary to process data efficiently. When processing data, exponentially more space is normally necessary than would be required by the raw data itself, because of the need to replicate data and store information that will be required for analysis. Therefore, Azure’s access to petabytes of storage is an important requirement in order for Hadoop in HDInsight to work. HDInsight also allows developers to use their preferred language, including C#, Java, .NET, and more. In addition, HDInsight supports hybrid configurations, so it can be connected to other Hadoop clusters that may be located on premises or in other clouds.

References

HDInsight is covered in detail in Chapter 15. For more information, visit http://azure.microsoft.com/en-us/services/hdinsight/.

Azure Media Services and Content Delivery Network (CDN)

Azure Media Services is a set of capabilities designed to handle rich content, specifically audio and video. The Content Delivery Network (CDN) is a distributed computing model designed to stream content efficiently worldwide, thus offloading organizations’ network and bandwidth load.

What Is It?

Audio and video files have special handling requirements, such as storage, encoding and decoding (CODEC), conversion, editing, meta-tagging, and playback. Azure Media Services is designed to provide all of these capabilities so that audio and video content can easily be consumed in different form factors and on different devices. In certain scenarios, there may be the need to create metatags for rich content automatically in order to facilitate indexing and searching.

Azure Media Services works closely with Azure CDN in that the latter is the delivery mechanism for vast numbers of viewers located across the globe. Streaming bandwidth-intensive videos from a single source is less efficient than a global delivery network, which provides a better experience for end users and relieves the need for organizations to install expensive high-bandwidth, low-latency networks specifically designed for streaming.

Benefits and Capabilities

Audio and video content can take up a lot of storage space. Therefore, all the benefits of Azure Storage are applicable when dealing with rich media content. Azure Media Services can process rich content and make it easy to consume. Furthermore, Azure Media Services and Azure Storage provide the ability to integrate with third-party video management system (VMS) providers as well as third-party video capture device manufacturers. Figure 2-10 shows the Azure Media Services technology stack.


Figure 2-10. Azure Media Services technology stack and integration with partner solutions

Note  At the time of this writing, the ability to detect motion in a video and the ability to auto-detect content patterns are still in development. However, they are part of the roadmap of capabilities that Microsoft is seeking to deploy. Justice, law enforcement, surveillance, and public safety customers are most interested in this set of capabilities.

The ability to transcribe audio and video content in order to create a transcript enhances the ability to index and search content. It also provides the ability to meet Americans with Disabilities Act (ADA) requirements. Azure Media Services Transcription Service processes videos by playing them in their entirety in order to create the transcript. This is done in the background and does not require anyone to sit through the entire playback. Furthermore, organizations can choose to process only those videos that require transcription, which saves time and cost.

Another goal of Azure Media Services is to accept and recognize a wide array of video types, such as MP2, MP3, MOV, AVI, and many more. It will then be able to repackage them into the common H.264 format for easier consumption across the broadest array of devices. Azure Media Services also boasts adaptive streaming, which means in the event that an end user’s network degrades, the quality of the video resolution may change in order to preserve smooth streaming.

Note  Recently Microsoft Office 365 introduced Office 365 Videos, which is based on SharePoint Online. The architecture behind Office 365 Videos is Azure Media Services. SharePoint Online is configured to use a specially built connector to access Azure Media Services. This is all preconfigured and done transparently, and it is an example of how other solutions can be built to use Azure Media Services.

References

For more information on Azure Media Services, visit http://azure.microsoft.com/en-us/services/media-services/. For more information on Azure CDN, visit http://azure.microsoft.com/en-us/services/cdn/.

Service Bus

Azure Service Bus is a queue-based messaging system for connecting applications and services.

What Is It?

One of the key requirements for applications is the ability to interact with other applications or services. The most common way for applications to communicate with other applications is via a message queue. Fundamentally, Azure Service Bus is that message queue.

Audience

The target audience for Azure Service Bus includes application developers who need to incorporate a robust and highly available inter-application messaging system, regardless of whether the application resides on premises or in the cloud.

Benefits and Capabilities

Azure Service Bus provides one-directional or bidirectional communications channels between applications. It can also act as a relay for messages or as a message broker with subscription and filtering capabilities. Often, when an application queue is not available, there are delays in data processing or notifications. Azure Service Bus provides a highly available system. Furthermore, Azure Service Bus enables on-premises applications to communicate with services and other applications in Azure and vice versa. This allows organizations to adopt a modern hybrid datacenter approach.

References

For more information on Azure Service Bus, visit http://azure.microsoft.com/en-us/services/service-bus/.

Visual Studio Online

Visual Studio Online provides developers with tools to manage development projects and to store code in Azure.

What Is It?

Visual Studio Online combines capabilities from Visual Studio, Team Foundation Server (TFS), and cloud services to make it easier for developers to manage development projects. With Visual Studio Online, development teams should no longer need to deploy servers dedicated to software project management, testing, or storing code.

Audience

The target audience for Visual Studio Online includes application developers and development teams.

Benefits and Capabilities

Instead of deploying and maintaining servers dedicated to source control, organizations can use Visual Studio Online as a code repository. The redundancy provided by Azure significantly reduces the risk of losing valuable code-based intellectual property (IP). Furthermore, Azure’s HA capabilities ensure that there is minimal impact to development timelines as a result of the downtime associated with outages or the unavailability of traditional code repositories.

Visual Studio Online also supplies robust control that securely supports the development efforts of a range of developers—from just a few to thousands—through capabilities such as advanced branching, merging, and visualization. To promote communication, Visual Studio Online provides the ability to comment and reply to code edits and changes between team members.

References

Developer tools such as Visual Studio Online are beyond the scope of this book and are better served by reference material dedicated to this topic. For more information about Visual Studio Online, visit http://azure.microsoft.com/en-us/services/visual-studio-online/.

BizTalk Services

BizTalk is Microsoft’s business-to-business (B2B) tool for enterprise application integration.

What Is It?

BizTalk Server has been around as a standalone technology for quite some time, with the primary role of providing enterprise application integration. Azure BizTalk Services is the hosted version of BizTalk.

Audience

The target audience for Azure BizTalk Services includes developers and system integrators (SIs) who need to integrate enterprise applications and line-of-business (LOB) applications that are based on disparate technologies.

Benefits and Capabilities

Azure BizTalk Services provide all the benefits of BizTalk Server without the need to deploy and maintain any infrastructure. Key capabilities of Azure BizTalk Services include out-of-the-box connectors to integrate SAP, Oracle EBS, SQL Server, and PeopleSoft. Azure BizTalk Services also provides the ability to integrate applications founded on standards-based communication such as HTTP, FTP, and SFTP. In addition, Azure BizTalk Services supports B2B integration between applications that are housed on premises and those hosted in the cloud, thus supporting the modern hybrid datacenter initiative.

References

For more information about Azure BizTalk Services, visit http://azure.microsoft.com/en-us/services/biztalk-services/.

Recovery Services

Disaster recovery in Azure is provided through Azure Recovery Services for protection of corporate data and to provide availability for application workloads.

What Is It?

Azure Recovery Services consists of two distinct services:

  • Azure Backup
  • Azure Site Recovery Services

A key component of the service is its vaults, which are used to store and protect data based on the services that are most needed by a particular business. Vaults store backups of applications and configuration settings for VMs. They provide options to fail over from site to site or from site to Azure, and to replicate from on premises to other locations.

Audience

The target audience for Azure Recovery Services includes IT administrators and server-management personnel. It also includes Chief Information Security Officers (CISOs) who are responsible for DR and business continuity.

Benefits and Capabilities

The term natural disaster is often used to prepare for personal and business disaster-recovery efforts. Disasters may include hurricanes, tornadoes, earthquakes, and so forth. They can cause billions of dollars in damage and untold hardship for individuals and families. On the financial side, a business that took a lifetime to build or generations to grow can be destroyed in hours or even minutes.

AZURE BACKUP

Azure Backup lets you back up Windows servers easily. The simplicity of this service gives small and large businesses peace of mind. Only a few steps are required to start and complete a backup plan:

  1. Create a backup vault from the Full Azure Portal. In the Azure Recovery Services view, select the Create a New Vault option, and click the arrow to start the wizard. For this example, choose Backup Vault, provide a unique business name and the Azure region in which to create the storage vault, and click the checkmark at bottom right in the window, as shown in Figure 2-11.

    Figure 2-11. Use the Full Azure Portal to create a backup vault or site recovery vault, and locate the storage vault in an Azure region

  2. Once the vault is created in your Azure subscription, the simplicity of this backup process is evident. Select the name of the backup (in this case, ContosoBackup), and download the vault credentials (at right) needed to register your server with your Azure backup vault (just created).
  3. Download and install the backup agent. Once the agent is installed, use the management interface to create a backup policy. (Ingress data, or data moving into the vault, incurs a cost.)

    Note: Azure supports Windows Server 2012 and System Center 2012 SP1 Data Protection Manager, or Windows Server 2012 Essentials. The management interface to enable backup from that server is different: Server 2012 Management Console, Data Protection Manager Console, or Windows Server Essentials Dashboard.

    The vault credentials that are created include the vault name and current date, and you can download them using the Save As option in the Portal. These vault credentials cannot be edited. This example uses the vault credentials, which can be downloaded from the right side of the console (see Figure 2-12). An alternate server-authentication method is to manage certificates, as shown in the center at the bottom of the Portal. Once the backups are started, you can return to this screen and select Protected Items to view the recovery points and backup details.

    Figure 2-12. Azure Backup details designed to support disaster recovery by backing up servers from on premises to Azure

Azure Site Recovery

This is the recovery model built by Azure customers who requested specific recovery scenarios. This support model is the broadest set of features to support most medium and large business needs. The specific scenarios include the following:

  • On-premises to Azure (Virtual Machine Manager (VMM) + Hyper-V)
  • On-premises to on-premises (VMM + Hyper-V to VMM + Hyper-V)
  • On-premises to on-premises (SAN replication + VMM)
  • On-premises VMware to on-premises VMware using InMage

Note: InMage is a Microsoft acquisition that enables real-time replication between VMware sites. The requirements have changed based on customer feedback, but currently InMage is available as a separate product via a subscription to Azure Site Recovery services.

The first Azure Site Recovery scenario is to back up on-premises servers into your Azure subscription using System Center VMM and Microsoft Hyper-V (virtualization hypervisor). The steps to complete this start when you create an Azure vault (as in the previous exercise), install the provider on the VMM server, add the Azure storage account, and install agents that allow applications to use System Center VMM to store in your Azure vault. Additional steps include using the VMM console to enable protection in the Azure cloud, mapping networks from VMs to Azure networks, and testing the deployment.

References

For more information about Site Recovery Services, visit http://azure.microsoft.com/en-us/services/site-recovery/. For more information about Azure Backup, visit http://azure.microsoft.com/en-us/services/backup/ and http://azure.microsoft.com/en-us/documentation/services/site-recovery/.

Automation

This Azure service for automation provides reputable and reliable processes to do work automatically for almost any Azure or third-party cloud service.

What Is It?

Automation in Azure uses Microsoft’s PowerShell workflows, called runbooks, to communicate through an exposed API for cloud management to create, deploy, monitor, and maintain your Azure properties.

Audience

The target audience for Automation includes Azure administrators, IT administrators, developers, and SIs who need to automate repetitive processes for VMs, web services, Azure Storage, SQL Server, enterprise applications, and LOB applications.

Benefits and Capabilities

Over the years, the Microsoft PowerShell interactive scripting language has continued to add new commands to support administration and management. However, the strength of PowerShell lies not in the individual cmdlets but in what they can do when they are combined into a business process flow in runbook workflows.

AZURE AUTOMATION

Azure Automation runbooks can be created and customized based on the system tasks needed to provide useful work. Automation runbooks take input parameters, provide output, and can even call child runbooks. Azure work, in the form of runbooks, can be created or chosen from the preconfigured runbooks in the gallery. Follow these steps:

  1. In the Full Azure Portal, select the Automation view, and click Create an Automation Account. Provide a unique name, and select the Azure region with which the account should be associated. Click the checkmark in the lower-right corner to finish this step (see Figure 2-13).

    Figure 2-13. The Full Azure Portal requires an automation account before any runbooks can be imported and modified

    Note: There are two subscription-pricing models for automation accounts. The Free model supports a total job run time of up to 500 minutes, and the Basic model supports job run times at $0.002 cents per minute.

  2. Once the account is created, you need to create a runbook or select a preconfigured runbook to use for automation requirements. For this example, select a runbook from the Runbook Gallery by going back to the Automation view, selecting the account created (ContosoAutomation), and clicking runbooks.

    The runbooks are created by the community, by individual contributors (like Charles Joy MSFT) or, in this example, the System Center Automation Product Team. Each runbook from the gallery provides a description so you can better understand the automation task.

  3. The gallery enables different views based on the runbook. Once you have selected a runbook, click the arrow at bottom right to move through the wizard (see Figure 2-14).

    Figure 2-14. Preconfigured runbooks from the current gallery. Views help separate automation features based on work topics

  4. When the wizard screens’ options are completed, go back to the Automation account that you created and edit the runbook to provide the automation task specific to your business needs. In this example (invoke-pscommandsample), select the option to enable editing in this runbook, as shown in Figure 2-15. Notice the options to test this runbook after automation and then to publish it into production.

    Figure 2-15. Editing the runbook PowerShell script after the runbook has been imported into the Automation services

References

For more information on Azure Automation, visit http://azure.microsoft.com/en-us/services/automation/ and http://azure.microsoft.com/blog/2014/08/12/azure-automation-runbook-input-output-and-nested-runbooks/.

Scheduler

Azure Scheduler is designed to run jobs in the cloud once or on a recurring basis to take action using HTTP or HTTPS endpoints. For example, a recurring action to gather website data and put it in a spreadsheet can be scheduled to run daily.

What Is It?

Azure Scheduler is a process or framework that uses the Scheduler API to schedule jobs programmatically. This feature is used to invoke work on a recurrent or calendar basis using the REST API to manage communication to HTTP, HTTPS, or a storage queue.

Audience

The target audience for Scheduler includes developers of Azure Mobile Services, to enable them to create scheduling scripts, Azure websites, and WebJobs for production; test/dev; and many others that need scheduling services.

Benefits and Capabilities

Developers of company resources use this feature with HTTP commands such as GET, PUT, POST, DELETE, and others. Creating jobs both inside and outside of Azure properties is a key benefit. One example would be to pull down a Twitter feed and gather data that could be used in a company’s social marketing efforts.

AZURE SCHEDULER

  1. From the Full Azure Portal, select the Scheduler view, and click Create a New Job (in this example, ContosoJob). Name the job, select the action type and method from the drop-down lists, input a URI (contoso.com), and click the arrow to move to the next page. Choose to configure the job as a one-time job or a recurring job. If the job is a recurring job, set the schedule for how often the job should run, including a start and end date/time. Click the checkmark in the lower-right corner to complete the wizard.
  2. Once the job is completed, select it to review the details and examine statistics, such as the number of jobs enabled, errors, and other details, as shown in Figure 2-16.

    Figure 2-16. Azure Scheduler job dashboard, which you can use to review the details of jobs, including job errors

References

For more information on Scheduler, visit http://azure.microsoft.com/en-us/services/scheduler/.

API Management

This Azure feature provides a framework to manage custom, public, or proprietary application program interfaces (APIs) for development. It provides a secure service so that other companies or communities can build applications using APIs that you make available.

What Is It?

One way to accelerate the adoption of a developer platform is by enabling an API management process, which is integrated into Azure. This service more easily streamlines the process for developers to share, manage, and secure their API intellectual property.

Audience

The target audience for API Management includes developers who are building applications that can use this Azure cloud service to better their customer support or to attract new customers and other developers to their platform.

Benefits and Capabilities

Azure API Management allows businesses to grow by enabling other businesses, customers, partners, and private developers to use your APIs. Selling digital assets enables businesses to become more agile by securely publishing an API set to the developer community. This service helps to streamline production platforms and create new content channels for products and services.

From the Azure Portal, you can configure any of your current APIs on the Portal back end. These may be public, private, or partner APIs. You enable features in your public Azure Portal, such as caching, security, and others needed to enable consumption of the API set. Developers then subscribe and register at your Portal, which is automatically created by Azure API Management, and then start using your exposed API to build tools and services.

API Management provides the framework for development of your APIs by supplying configurable proxy features, forms, and protocols to expose only the property that you select by enabling quotas, rate limits, and valuation.

References

For more information on API Management, visit http://azure.microsoft.com/en-us/services/api-management/.

Machine Learning

Azure Machine Learning (ML) cloud services allow companies to create advanced analytic solutions using the nearly unlimited Azure resources. ML is a powerful cloud-based predictive analytics service that can use any data including unstructured HDInsight data.

What Is It?

Azure Machine Learning allows a user with a web browser to use drag-and-drop gestures and data-flow graphs to build and connect any data, anywhere, in order to share complex analytics in minutes. No coding is required, but it is optional to use current resources.

Audience

The target audience for Azure Machine Learning includes businesses that want to know more about their customers’ habits, requirements, and purchasing preferences with the goal of operationalizing this data. Analytics are used to target e-mail and/or direct mail campaigns more precisely based on large amounts of data. Your company may also choose to sell the analytic insight created with Azure Machine Learning by publishing its analytic web services through the Azure Marketplace.

Benefits and Capabilities

Companies and businesses can make better decisions and function more efficiently based on the diagnosis and understanding of the analytics provided by Azure Machine Learning. You need two parts to take full advantage of it:

  • Azure Machine Learning (introduced earlier)
  • Azure Machine Learning Studio

AZURE MACHINE LEARNING STUDIO

The Azure Machine Learning Studio provides an interactive workspace in which you can develop and drag and drop data from sources and enable statistical functions, as shown in Figure 2-17. This studio provides a sandbox for testing your predictive analysis model. No programming is required. Follow these steps:

  1. Create a Machine Learning workspace in your Azure subscription, and select the option at far right to sign in to Azure Machine Learning Studio, which is automatically associated with your Azure subscription.
  2. The first time you are in the studio, select the Experiment Tutorial to become more familiar with the drag-and-drop features.
  3. Rename and save your work so you can come back later to improve or create new analytic models.

    Figure 2-17. The Machine Learning Studio view of the default tutorial, which is designed to teach drag-and-drop features for analytics

    Note: When you are ready to publish models that you create, they become visible to the public and are not limited to the view from within your Azure subscription.

References

Azure Machine Learning Studio is further explored in Chapter 14. To see more information, visit http://azure.microsoft.com/en-us/services/machine-learning/.

Networks

As the name implies, Networks handles the provisioning and management of virtual networks in Azure.

What Is It?

Like all things that connect to the Internet, Azure VM cloud services need IP addresses. These IP addresses and IP classes are based on virtual network segments in Azure. Virtual networks allow IT administrators to group VMs in order to control accessibility and security, just like on-premises networks and VLANs.

Azure Networks also lets organizations define networks that are on premises in order to establish connectivity between virtual networks in Azure and these on-premises networks via a secure gateway.

Audience

The target audience for Azure Networks includes IT administrators who want to enable IaaS and business owners who want to enable disaster recovery in Azure or for a datacenter managed through Azure. In addition, the audience includes network team members who need to extend their TCP/IP network into Azure virtual networks for production applications and on-premises DNS lookup.

Benefits and Capabilities

Azure Networks provides the ability to connect on-premises infrastructure to Azure datacenters in order to extend and create true hybrid datacenter architectures. This allows administrators to manage Azure-based VMs as they would on-premises VMs. The three network-connection methods (point-to-site virtual private network (VPN), site-to-site VPN, and ExpressRoute) are explained next. These connections are then made to Azure gateways that are created, managed, and monitored by the customer organization’s IT or network staff, the same way they would manage any network device.

The networking options to connect Azure are scalable, persistent, and secure so that the Azure network is seamlessly integrated with your on-premises datacenter. Azure Networks forms the foundation on which many Azure services can easily be made available. Figure 2-18 illustrates a site-to-site VPN tunnel connecting an on-premises datacenter network to an Azure virtual network via an Azure gateway. The on-premises networking equipment is configured to communicate and establish a secure VPN with the Azure gateway’s IP address, which is provided when the gateway is created.

Figure 2-18. Connection of an on-premises datacenter to an Azure network via the gateway and VPN tunnel

Point-to-Site VPN

A point-to-site VPN lets you set up a VPN from an individual machine to Azure virtual networks. Point-to-site VPNs are generally used in a development environment where individual machines need to connect to VMs that are hosted on an Azure network. The more common scenario is a site-to-site VPN.

Site-to-Site VPN

A site-to-site VPN provides the connection between on-premises network segments and Azure virtual network segments. This allows traffic to be fully routable between both network segments via the Border Gateway Protocol (BGP). This is the typical architecture for extending an organization’s network into Azure. On-premises VMs can then communicate with VMs in the Azure virtual network segment. This communication uses the Internet to connect to the Azure gateway, and it is secured via a persistent VPN tunnel.

ExpressRoute

A more traditional, albeit more expensive, method of connecting two remote datacenters is via a dedicated network circuit. ExpressRoute enables the provisioning of a Multiprotocol Label Switching (MPLS) circuit to connect an on-premises network with Azure’s network. An ExpressRoute circuit is provisioned via worldwide partner ISPs and telecom providers that support Azure, such as AT&T, Level-3, BT, Tata, SingTel, Equinix, and many more.

References

Azure Networks is discussed in detail in Chapter 8. For more information about Azure Networks, visit http://azure.microsoft.com/en-us/services/virtual-network/. For more information about ExpressRoute, visit http://azure.microsoft.com/en-us/services/expressroute/.

Traffic Manager

This service is used to distribute user traffic to Azure services in one or more datacenters.

What Is It?

Traffic Manager controls IP and web traffic by load-balancing with DNS name resolution across different methods to different endpoints (for example, cloud services and websites) in Azure datacenters.

Audience

The target audience for Traffic Manager often includes the typical team that uses load balancing in a collaboration between the website team and the network team. With the help of Traffic Manager, when creating profiles in the Azure Portal, the website team and business owners can easily distribute the load from inside Azure.

Benefits and Capabilities

Traffic Manager is currently available only in the Full Azure Portal for configuration. It does appear as an option in the Preview Portal, but profiles cannot yet be created. Traffic Manager supports load balancing without the added cost of expensive routers or the expense of employing networking engineers.

With traditional hardware load balancing, there are rules that need to be configured using network commands. Azure Traffic Manager handles the configuration rules by using an intelligent policy engine and applying it to the Domain Name System (DNS).

A key component to understand about Traffic Manager, and what sets it apart from traditional load-balancing hardware, is that no end-point traffic is moved or routed through it. The (software) profile that is created uses a DNS query to route traffic to the appropriate end point.

After you create and deploy the Azure services (that is, Azure Cloud Services and Azure Websites), those are the end points. Then you can create a profile by selecting Create a Traffic Manager Profile in the Traffic Manager view, as shown in Figure 2-19. This enables the New Network Services option, with Traffic Manager and Quick Create preselected. Be sure to enter a unique name for the DNS prefix.

Figure 2-19. Create a new Traffic Manager profile by selecting Create a Traffic Manager Profile in the Traffic Manager view

The DNS name in this example could be ContosoMainWebsite.trafficmanager.net. Notice that only the first part of the DNS name can be edited. Technically, this process creates a lookup for the resource record (CNAME) in the DNS services. The next option is to select the end points for this profile at the top of the Traffic Manager Profile view, as shown in Figure 2-20.

Figure 2-20. Select the specific end points to add to this profile for querying DNS. Click the check mark at lower right to configure the profile

You can configure additional options for each profile to support the end points, such as the DNS time to live for each query (how long the answer to the query remains valid). Additional settings include the type of load balancing: performance (default), round robin, or failover. These are all major load-balancing features in high-end and high-cost hardware.
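The following added example (not from the book, and not Azure's implementation) models the behavior described above: the profile only answers DNS queries, a client-side resolver caches each answer for the TTL, and the TTL therefore bounds how quickly a client moves to a healthy end point. The end point host names, latency figures, and timings are constructed for illustration, and the single latency figure per end point is a simplification of the performance method.

```python
# Added example: a simplified model of DNS-based routing, not Azure's implementation.
from dataclasses import dataclass
from itertools import count

METHODS = ("performance", "round_robin", "failover")


@dataclass
class Endpoint:
    name: str             # host name handed back to the client (constructed)
    latency_ms: int       # constructed figure standing in for measured latency
    healthy: bool = True  # outcome of the most recent health probe


class Profile:
    """Answers DNS queries only; no client traffic ever passes through it."""

    def __init__(self, dns_name, method, ttl_seconds, endpoints):
        if method not in METHODS:
            raise ValueError(f"unknown load-balancing method: {method}")
        self.dns_name = dns_name
        self.method = method
        self.ttl_seconds = ttl_seconds
        self.endpoints = list(endpoints)  # list order is the failover priority
        self._turn = count()

    def resolve(self):
        """Handle one DNS query: return (end point name, TTL in seconds)."""
        live = [e for e in self.endpoints if e.healthy]
        if not live:
            raise LookupError(f"{self.dns_name}: no healthy end point")
        if self.method == "failover":
            chosen = live[0]
        elif self.method == "round_robin":
            chosen = live[next(self._turn) % len(live)]
        else:  # performance
            chosen = min(live, key=lambda e: e.latency_ms)
        return chosen.name, self.ttl_seconds


class CachingResolver:
    """Client-side resolver that reuses an answer until its TTL expires."""

    def __init__(self, profile):
        self.profile = profile
        self.queries = 0      # DNS queries that actually reached the profile
        self._answer = None
        self._expires = 0

    def lookup(self, now):
        if self._answer is None or now >= self._expires:
            self._answer, ttl = self.profile.resolve()
            self._expires = now + ttl
            self.queries += 1
        return self._answer


def failover_run(ttl_seconds, outage_at, step=10, until=120):
    """Simulate a client connecting every `step` seconds across an outage.

    Returns (time the client first reaches the secondary, DNS queries made).
    """
    primary = Endpoint("contoso-east.example", 20)
    secondary = Endpoint("contoso-west.example", 80)
    profile = Profile("ContosoMainWebsite.trafficmanager.net", "failover",
                      ttl_seconds, [primary, secondary])
    client = CachingResolver(profile)
    switched_at = None
    for now in range(0, until + 1, step):
        if now >= outage_at:
            primary.healthy = False  # health probe marks the primary down
        target = client.lookup(now)
        if switched_at is None and target == secondary.name:
            switched_at = now
    return switched_at, client.queries


if __name__ == "__main__":
    for ttl in (10, 60):
        print(ttl, failover_run(ttl_seconds=ttl, outage_at=30))
```

With a 60-second TTL the client keeps connecting to the failed primary until its cached answer expires, while the profile sees only a handful of DNS queries for all of the client's connections.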

References

For additional information about Traffic Manager, visit http://aka.ms/matm.

RemoteApp

The RemoteApp service provides your company’s core applications hosted on Windows servers in Azure, and it allows access by users with tablets like Microsoft Surface, iPad, and various Android devices.

What Is It?

Using the RemoteApp service, IT can enable a massively scalable Remote Desktop Service for Windows with applications running on Azure cloud services in about an hour. This service scales dynamically, enables global access from almost any device, and is configured from the Full Azure Portal.

Audience

If your CEO has visions of a successful deployment of virtual desktop infrastructure (VDI), Azure RemoteApp enables global deployment of servers hosting Windows applications. The target audience for the RemoteApp service also includes IT organizations that struggle with agility, resources, or the ability to scale up and down based on user demand. IaaS teams can take advantage of the pre-built application collections in Azure, or they can integrate existing on-premises services using the Microsoft Remote Desktop Session Host.

Benefits and Capabilities

Microsoft Windows has provided Remote Desktop Services (RDS) as part of the OS for many years. Customers are challenged by the cost and location of IT server hardware that allows scaling to support virtual hosted applications. Azure RemoteApp is ready to use instantly with tens of thousands of preconfigured servers, which removes the complexity of on-premises configuration.

Use of Azure RemoteApp is provided in two easily consumable models: cloud collection and hybrid collection. A cloud collection is ready to go with minimal configuration from the Azure Portal. This includes all the applications and data stored in Azure cloud services. Companies that have enabled synchronization between on-premises Active Directory and Azure Active Directory can sign in using their corporate credentials.

Azure RemoteApp hybrid collection includes all the applications running in the Azure cloud; it also stores data in Azure. However, this model further allows users to access information and resources on the company’s local network. Corporate accounts are used to log in to access these Azure applications if federated services between on-premises and Azure are enabled.

Azure administrators and business owners with privileges in Azure subscriptions can start a RemoteApp trial by selecting one of the Microsoft Office applications that are preinstalled and ready to share with all end users in your organization.

AZURE REMOTEAPP SERVICE

To use the Azure RemoteApp service, follow these steps:

  1. From the Full Azure Portal, select the RemoteApp property, and click the Create a RemoteApp Collection arrow in the center of the screen to start the wizard. Some of the required decisions include the unique name of the collection, what Azure region to use, Basic or Standard plan, and what preconfigured Office application to use during the trial.
  2. Click the Create RemoteApp Collection check mark in the lower-right corner, as shown in Figure 2-21.

    Figure 2-21. RemoteApp trial enabled using the Full Azure Portal. This allows the quick-create wizard to use preconfigured Microsoft Office applications

    There are two plan choices, and the cost of each plan is about the same for traditional types of users, task workers, and information workers. The Basic plan includes using lightweight remote applications for 0.18 cents per hour, and the Standard plan includes using productivity applications for 0.20 cents per hour.

Note: Pricing is not the only reason to choose a cloud solution. It is important, however, because we’ve seen over time that changes in Azure actually help control, if not reduce, customer costs.

The hybrid collection for Azure RemoteApp requires the on-premises IT team to complete connections supporting IaaS network connections, so a few more technical steps are required to enable other applications. The major steps include creating a custom template image for the RemoteApp service, creating the RemoteApp collection (described earlier), enabling the on-premises network with Azure virtual networks, and publishing your company’s RemoteApp applications to Azure.

References

For more information and step-by-step details required to create either of the two Azure RemoteApp services, visit http://azure.microsoft.com/en-us/documentation/articles/remoteapp-whatis/.

Management Services

Azure Management Services supports alerts and notification components for any of the services used in the Full Azure Portal.

What Is It?

In the simplest form, Azure Management Services issues alerts based on overages or an anomaly in components configured in your subscription. This feature specifically supports the creation of active rules based on Azure metrics to send out notifications about any threshold violations.

Audience

The target audience for Azure Management Services includes Azure administrators, technical team members, application owners, and business solution owners. Preemptive alerts are sent by e-mail and report any degradation in performance that may impact availability. Alerts are created using a two-step wizard to support these types of notifications.

Benefits and Capabilities

Azure Management Services provides e-mail notifications in real time when issues are uncovered and performance breaches thresholds established using the built-in Azure metrics. Specific metrics vary based on the Azure workloads and are exposed through the Full Azure Portal.

AZURE MANAGEMENT SERVICES

One example of such a notification uses the wizard to configure an alert for an Ubuntu server:

  1. Click the Management Services property, and click Add Rule at bottom center in the Portal to start the wizard, as shown in Figure 2-22.

    Figure 2-22. Create a new alert by clicking Add Rule at bottom center in the Management Services view

  2. Add a name and description, and use the drop-down arrow to select the service type. In this example, Cloud Service is selected for the Ubuntu Linux server. Other service types include Mobile Services, SQL Databases, Storage, Virtual Machines, and Websites. The service type selected may prepopulate data in the wizard, as is the case in this example. The Cloud Service Deployment data and Cloud Service Role are created automatically.
  3. Click the arrow at bottom right to move to the second page of the wizard, shown in Figure 2-23. The default Metric is CPU Percentage, so you need to add a Threshold Value and check two options: “Send an e-mail to the service administrator and co-administrators” (default Azure admins) and “Specify the email address for another administrator.” Enable Rule is checked by default. If you click the down arrow to the right of the CPU Percentage metric, you can select other metrics. These include Disk Read Bytes / Second, Disk Write Bytes / Second, and Network In and Network Out.

    Figure 2-23. Complete the creation of a new alert by adding a threshold value, enabling e-mail actions, and validating Enable Rule, which is checked

    The second Action, “Specify the email address for another administrator”, enables the Address text box; enter [email protected]. This address can be a distribution list so that more than one e-mail recipient can be alerted at the same time. You can easily enable automation by using System Center Orchestrator to monitor the e-mail account [email protected], pull the exact user e-mail that is on call from a SQL database or Excel worksheet (for example, [email protected]), and automatically e-mail that individual and not the entire team.

  4. Click the check mark at bottom right to complete this alert. It appears on the main screen in the Management Services view in the Portal.

    Let’s look at one more example to help you understand the power of these services and how better to take advantage of the alerting feature. In this case, you want to set an alert for one of your websites:

  5. Click Add Rule at the bottom of the Management Services view. Just as before, provide a Name and Description, but this time select one of your websites as the Service Type.
  6. Click the arrow at the bottom of the page to move to the second page, shown in Figure 2-24.

    Figure 2-24. Second page of the wizard after selecting Website. The default Metric is AverageMemoryWorkingSet. Click the drop-down arrow to explore additional metrics

In this example, Service Type (from the first page of the wizard, as you saw in Figure 2-22) was changed to Website and the Contoso Company Website was selected. Now you can customize alerts based on HTTP error codes. When web administrators make changes to the website, links to pages may be missed or misconfigured; by enabling multiple alert notifications, you can more easily identify corrections.

One final thought regarding the types of alerts possible with this example: you could create an alert based on AverageResponseTime in the Metric drop-down list. If you select this metric, the response time threshold is measured in milliseconds. This alert could be set for 3,000 milliseconds, or 3 seconds (1 second = 1,000 milliseconds), which is an eternity for some websites to render the main page of your company portal.
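The alert rules built in the wizard can be pictured with the following added example, which is not from the book and is not how Azure evaluates rules internally. It assumes a rule fires when the average of the last few samples rises above the threshold and notifies only on a change of state; the field names, the sample values, and the e-mail addresses are all constructed.

```python
# Added example: a model of a metric alert rule; all data below is constructed.
from dataclasses import dataclass
from statistics import mean


@dataclass
class AlertRule:
    name: str
    metric: str               # e.g. "AverageResponseTime" or "CPU Percentage"
    threshold: float          # same unit as the metric (milliseconds here)
    window: int               # how many recent samples are averaged (assumption)
    notify_admins: bool = True
    extra_address: str = ""   # the "another administrator" text box
    enabled: bool = True      # the Enable Rule check box


def recipients(rule, admins):
    """Addresses that receive mail for this rule, without duplicates."""
    out = list(admins) if rule.notify_admins else []
    if rule.extra_address and rule.extra_address not in out:
        out.append(rule.extra_address)
    return out


def evaluate(rule, samples, admins):
    """Walk (timestamp, metric, value) samples and return the mails sent.

    A mail is produced only when the rule changes state, so a long breach
    yields one "activated" and one "resolved" mail, not one per sample.
    """
    if not rule.enabled:
        return []
    recent, active, sent = [], False, []
    for ts, metric, value in samples:
        if metric != rule.metric:
            continue                      # other metrics do not affect this rule
        recent = (recent + [value])[-rule.window:]
        if len(recent) < rule.window:
            continue                      # not enough data yet to judge
        avg = mean(recent)
        breached = avg > rule.threshold
        if breached != active:
            active = breached
            state = "activated" if breached else "resolved"
            sent.append((ts, state, round(avg), tuple(recipients(rule, admins))))
    return sent


# Constructed inputs: one sample per minute, response times in milliseconds.
ADMINS = ["admin@contoso.example", "coadmin@contoso.example"]
SAMPLES = [
    (0, "AverageResponseTime", 800), (0, "CPU Percentage", 35),
    (1, "AverageResponseTime", 1200),
    (2, "AverageResponseTime", 900),
    (3, "AverageResponseTime", 4000), (3, "CPU Percentage", 92),
    (4, "AverageResponseTime", 5200),
    (5, "AverageResponseTime", 4800),
    (6, "AverageResponseTime", 2500),
    (7, "AverageResponseTime", 900),
    (8, "AverageResponseTime", 700),
]

if __name__ == "__main__":
    rule = AlertRule("Slow portal", "AverageResponseTime", 3000, 3,
                     extra_address="oncall@contoso.example")
    for mail in evaluate(rule, SAMPLES, ADMINS):
        print(mail)
```

Averaging over a window keeps a single slow request from paging the team, at the cost of a short delay before a sustained slowdown is reported.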

References

Alerting in Management Services is easy, and it can be customized based on resources including all the different services. For more information about alerting and monitoring using Azure Management Services, visit https://msdn.microsoft.com/en-us/library/azure/dn306639.aspx.

Azure Active Directory (AAD)

Azure Active Directory (AAD) is identity management (IDM) in the cloud.

What Is It?

AAD is Active Directory in the cloud. It is intended to extend on-premises Active Directory (AD) and provide modern IDM capabilities, such as claims-based authentication and out-of-the-box federation with popular third-party software-as-a-service (SaaS) apps like Salesforce, Dropbox, and ServiceNow. AAD strives to be a feature-rich advanced directory-as-a-service (DaaS) offering in Azure, and it is currently one of the most rapidly adopted Azure services.

Audience

The target audience for AAD includes application developers who need authentication services for apps, IT administrators managing AD or other IDM solutions, SIs who need to provide single sign-on (SSO) capabilities to disparate third-party SaaS, and CISOs who are interested in providing advanced IDM features such as multifactor authentication (MFA) and Rights Management Services (RMS).

Benefits and Capabilities

AAD is already the IDM for Office 365 customers. Through AAD, Office 365 services can provision mailboxes and grant access to SharePoint Online sites because user accounts that are locked in AD are not synchronized to AAD. A good resource on Microsoft Office 365 administration is Microsoft Office 365 Administration Inside Out by Anthony Puca, Julian Soh, and Marshall Copeland (Microsoft Press, 2013). This book addresses how and why AD is synchronized to AAD.

AAD is now unlocked for non-Office 365 uses as well. Azure sells the expanded capability of AAD via a SKU known as Azure Active Directory Premium, which is also part of a suite known as the Enterprise Mobility Suite (EMS).

For Office 365 customers, the benefit of expanding the use of AAD includes the ability to take advantage of all the integration work that has been done for Office 365, such as Directory Synchronization (DirSync) and Active Directory Federation Services (AD FS) for SSO.

For non–Office 365 customers who use on-premises AD, extending into Azure with AAD delivers the capability to use all the security profiles that have been implemented in AD for claims-based applications, provide SSO, and implement advanced authentication services such as MFA and RMS.

Figure 2-25 shows the application gallery in AAD. At the time of this writing, AAD provides SSO for more than 2,400 out-of-the-box pre-federated apps.


Figure 2-25. Adding a pre-federated third-party SaaS from the application gallery in AAD to provide SSO

References

AAD is covered in detail in Chapter 9. For more information, visit http://azure.microsoft.com/en-us/services/active-directory/.

Summary

This chapter was designed to increase your familiarity with all the different Azure Services available today. You should expect the number of services to increase over time. As you can see, Azure is a collection of many services for different business requirements, and it covers all aspects of IT operations—from networks to IDM and access control to application development. From here, you can choose to go directly to the chapter that dives deeper into the configuration and use of each specific Azure service.

In the next chapter, you gain the deep insight necessary for planning Azure services. Planning provides guidance to ensure that services are created effectively based on business requirements. Read the planning section to understand how specific configurations may be used and how potentially unwanted configurations may be avoided.
