Posts

As I was getting ready for Velocity conference (https://conferences.oreilly.com/velocity/vl-eu) and the Kubernetes training by Sebastien Goasguen, I happened to be captured by a spiral of testing. First, I needed to have a K8s cluster running for said training. Sebastien suggested Minikube, which is a nifty way of having a local K8s cluster on your workstation and play with it. As it was too easy, I went through my K8s the hard way (http://cloudinthealps.mandin.net/2017/09/14/kubernetes-the-hard-way-revival/) on Azure again to be able to work on the real stuff, and use kubectl from my Linux env (embedded in windows 10). And I realized that I might have internet issues during the conference and would be happy to have Minikube running. So back to square one and to setting up minikube and kubectl properly on Windows. I tried the easy way, which was to download Minikube for Windows and run it. It obviously failed, and I could not find out why. After some try and fails, I just updated Virtualbox, which I was already using for personnal stuff. I just had then to rest the minkube setup that I had, with “minikube delete” and then start fresh : “minikube start” and voilà, I had a brand new Minikube+kubectl setup fully on Windows 10 (and a backup on Linux and Azure). But as I was working on that, I stumbled on a news there about Azure Stack (https://social.msdn.microsoft.com/Forums/azure/en-US/131985bd-bc56-4c35-bde8-640ac7a44299/microsoft-azurestack-development-kit-201709283-now-available-released-10102017?forum=AzureStack) and specifically the AS SDK, which allows for a one node setup of Azure Stack. This tickled my curiosity gene. A quick Google to find if there was any tutorials or advice on running nested Azure Stack on Azure, and here am I, setting up just that. Keep in mind that the required VM (E16s-V3) is just above 1€/hour, which means 800€ monthly, so do not forget the auto-shutdown if you need to control your costs :) The guide I followed is there : https://azurestack.blog/2017/07/deploy-azure-stack-development-kit-on-an-azure-vm/ I did almost everything using the Azure portal, maybe it might be useful to build a script to do that more quickly. Note that the email with the download link takes some time to be sent, so you might start with that. Or you can use the direct link : https://aka.ms/azurestackdevkitdownloader And this first test did not work out the way I expected. There were many differences between the article, the official doc, and what I encountered while deploying. Back again to first step, I redeployed the VM, redownloaded the SDK, and started from scratch, following the official doc (https://docs.microsoft.com/en-us/azure/azure-stack/azure-stackdeploy), I just added the tweak to skip the Physical host check, in order for the installation to continue even though it was running on a VM. After a few hours, Voilà I had a fully running Azure Stack, within an Azure VM! Now I just have to read the manual and play with it. This’ll be the subject of a future post, keep checking!

Obviously you have heard a lot of talk around security, recently and less recently. I have been in the tech/IT trade for about 15 years, and every time I have met with a new vendor/startup, they would start by saying that we did security wrong and they could help us built Next Gen security. I am here to help you move to the Next Gen :) All right, I am not. I wanted to share a short synthesis of what I have seen and heard over the past months around security in general, and in the public cloud in particular. There are few statements I did find interesting : • Perimetric lockdown, AKA perimeter firewalls, is over. • No more need for IDS/IPS, in public cloud, you just need clean code (and maybe a Web Application Firewall) • Public cloud PaaS services are moving to an hybrid mode delivery Of course, these sentences are not very clear, so let me dig into those. First, perimeter security. The “old” security model was built lake a medieval castle, with a strong outer wall, and some heavily defended entry points (Firewalls) There were some secret passages (VPNs), and some corrupted guards (Open ACLs :) ). https://commons.wikimedia.org/wiki/File:Herstmonceux_Castle_with_moat.jpg This design has lived and is not relevant any more. It is way too difficult to manage and maintain thousands of access lists, VPNs, exceptions and parallel Internet accesses, not mentioning the hundreds of connected devices that we have floating around. A more modern design, for enterprise networking, often relies on device security and identity management. You will still need some firewalling around your network, just to make sure that some dumb threat cannot go in by accident. But the core of your protection, networking-wise, will be based on a very stringent device policy that will allow only safe devices to connect to your resources. This solution will also require that you have a good identity management, ideally with some advanced threat detection in place. Something that can tell you when some accounts should be deactivated/expired, or when you have abnormal behavior : for example, two connections attempts for the same account, from places thousands of kilometers apart. For those who have already setup 802.1X authentication and Network Access Control on the physical network for workstations know that it requires good discipline and organization to work properly and not hamper actual work. To complete the setup, you will need to secure your data itself, ideally using a solution that manages the various levels of confidentiality, and can also track the usage and distribution of the documents. As I said No more need for IPS/IDS. Actually, I think that I have never seen a real implementation that was used in production. Rather there was almost always an IPS/IDS somewhere on the network, to comply with the CSO’s office requirement, but nothing was done with it, mostly because of all the generated noise. Do not misunderstand me, there are surely many true deployments in use that are perfectly valid! But for a cloud application, it is strange to want to get down to that level where your cloud provider is in charge of the lower infrastructure levels. The “official” approach is to write clean code, to make sure that your data entry points are protected and then to trust the defenses in place from your provider. However, as many of us do not feel comfortable enough to skip the WAF (Web Application Firewall) step, at least Microsoft has heard the clamor and will add the possibility to connect a WAF in front of your App Service shortly. Note here : it is already possible to insert a firewall in front of an Azure App Service, but this requires a Premium service plan, which will come at a ahem premium price. And that was my third point : PaaS services coming to a hybrid delivery mode. Usually when you look at PaaS services in the public cloud, they tend to have public endpoints. You may secure these endpoints with ACLs (or NSG for Azure), but this might not be very easy to do, for example if you do not have a precise IP range for your consumers. This point had been discussed and worked on for a while, at least at Microsoft, and we are now seeing the first announcements for PaaS services that are usable through a Vnet, and thus private IP. This leads to a new model, where you may use these services, Azure SQL for example, for your internal applications, through a Site-To-Site VPN.

I have been pushing my team to get certified on Azure technologies for the past 24 months, with various degrees of success. I am quite lucky to have a team who does not discuss the value of the certification, however much they discuss the relevance of the questions. But, as I am now going over almost 15 years of certifications in IT, I feel quite entitled to share my views and opinion. Keep in mind that I work in infrastructure/Operations, and in France, which will probably give some bias to my analysis :) I will start with some general comments on the value of certifications, from a career perspective, and dive into some specifics for each vendor I have certified with over the years. Some of my exams are a bit dated, so please be nice. I will conclude with my general tips to preparing for an exam. As I said, it’s been almost 15 years since my first cert, and I started that one before even being employed, that gives me some insight about the relevance of such investment in my career. I took my first dip into the certification world during a recruitment process with a consulting company. We were two candidates, I was the young guy and the other one was already holding his Microsoft MCP. I felt, at that time, that I could benefit from one myself, and compensate some of my lack of experience with it. As I registered for my first MCP exam, for Windows 2000 (!), I was contacted to get into a kickstart program to get my certification level up to Microsoft MCSE, everything started from there. After a few months, I passed the final MCSE exam (out of 7 at that time) and was recruited, to work on Cisco networking, which had nothing to do with my skills, by the very same company that had interviewed me when I discovered the MCP. I still think that the fact that I went through the certification path did a lot to convince my boss to be of my motivation and ability to work hard. Over the years I refreshed my MCSE with each version of Windows (from 2000 to 2016) and added a few new ones, depending on what I worked on at my positions : Cisco, RedHat, Vmware and Prince2. Even though it was not obvious in my first job, the following ones were pretty clear cases where my certifications held some value to my employer. We discussed the fact during some of the interviews rather openly. And I was in a recruiter’s shoes myself a few times, and here is why I feel is useful regarding the certifications. First it show that you can focus on sometimes gruesome work, for a while. Passing these kind of exams almost always forces you to learn tons of new information, on software or devices that you maybe never handle. Then it show dedication to maintain them over time, when they have at least some value to your current position. And, let’s be candid, it show you can take one for the team, because almost every vendor partnership requires some level of certification. And, as I said, I know for a fact that I had been recruited, at least partly, twice thanks to my certs. On the salary part, I am not definite on the impact of certifications. I do not feel that the cert plays a part there, but I cannot prove or disprove it. That being said, when you take one of these exams, you will experience very different things depending on the vendor, and sometimes on the level of certification. Let’s take a closer look. We’ll start with my longest running candidate : Microsoft. Apart from one beta test ten years ago, I always had some kind of MCQ with them. You may have some variation around that : drag and drop, point and click etc. But, by and large nothing close to a simulator or designer. This had led to a bad reputation a while ago, when you may have had an MCSE (which was like the Holy Grail of Microsoft certification) while having absolutely no hands-on experience with Windows. They have kept the same format for Azure exams, and are taking some heat also, because the exams are deprecated almost as they go out. I am wondering whether they are working on some other way to certify. Cisco had a router/switch simulator for a long time, which had brought some rather interesting exams, for the lowest levels. I only took the CCNA 15 years ago, so I do not know how it goes for higher levels. The only caveat, from my perspective, was that the simulator did not allow for inline help and auto-completion, which you still have in real life. RedHat, for the RHCE exams, had the most interesting experience in my view. The exam was completely in a lab, split in two sections. First you had to repair a broken RHEL server, three times. Then you were given a list of objectives that you had to meet with a RHEL server. You could choose whichever configuration you would prefer, as long as the requirements were met (with SELinux enforced, obviously :) ). You had a fully functional RHEL, with the man pages and documentation, but without an internet access. I still feel to that day that this way let you prove that you really were knowledgeable and had the necessary skills to design and implement a Linux infrastructure. And the trainers were always fun and very skilled. I also certified on Vmware Vsphere for a while and that brought me to a whole new level of pain. The basic VCP level is fine, just along the same lines as an MCP. But when I started to study for the next level, VCAP-DCD (which stands for Vmware Certified Advanced Professionnal-DataCenter Design), I had to find some new ways of preparing and learning. You see, where a usual exam requires you to learn some basic stuff by heart (like the default OSPF timers, or the minimum Windows 2000 workstation hardware requirements) it was still a limited scope. For this exam, you had to be able to completely design a Vsphere infrastructure, along the official Vmware guidelines, form all of the perspective ...

It has been a long two-days event for Microsoft France. I wanted to summarize this event and what happened during those two days. I will not be extensive about all the announcements and sessions that were offered. This will just be my experience (pun intended) of the event. This year I did not present a session, mainly because the process to submit one was very unclear, and I did not want to fight against smoke. And last precision, it was only my second Experiences, and I never attended its predecessor, Techdays. As I said, it is a two-days event, split between a business day and a technical day. I attended both, as my role is also split between the two aspects. I found that the distinction was very visible regarding the content of the various sessions, apart from the keynotes (and Partner Back to School session). Overall the technical level is rather low, but most of MS staff is onsite and you can have very interesting discussions with them, as well with the other attendees. A word on the attendees : there are very different groups in there. I have met with numerous Psellers and MVPs, as well as Microsoftees. Obviously, there are many customers and partners around, some of them just for show, some with a very specific project/problem in mind. And there are people that I am not accustomed to see in business events, but who bring a refreshing variety to the general attendee population. These are both students from multiple schools (engineering, but not only), and employees who managed to get their managers to approve because the event is free. I am not sure whether it is the case in other countries, but in France we usually have difficulties getting approval to travel abroad and pay for a conference. It is not always true with every company, but it has been widespread enough that some European-wide events are replicated to a smaller scale in France to allow French techies to get the content as well. Back to the event itself, the rhythm was rather intense this year and I missed many sessions, to be able to meet and discuss with everyone I wanted to. As it is with all event, the quality of a session is very dependent on the quality of the speaker. The ones I attended were very good and made a lot of effort to stay focused on their topic and keep everyone on board. About the keynotes, well they were of the expected quality, on par with Inspire, with several videos, demos, interviews etc. As was the case with Ignite, some talks were highly specific (to AI or Quantum computing) and made me believe that Satya Nadella is taking some moves from Elon Musk. It was very different from the Tech’Ed days were we were shown the new interface for System Center, or a new tablet. The buzzword this year at Experiences was AI (it was Blockchain last year). I have to admit that the AI Hackademy included some very interesting ideas and startups. I did not manage to visit them all but I was pretty impressed to see so many startups working on the subject, and bringing fresh ideas and concepts to our world. All right, everything was very positive, I am convinced. I will share one mildly negative thought though : AI was sometimes thinly stretched over a piece of software or idea. I’ve seen some interesting uses of statistics, or even good programming and algorithms, but to say these were truly AI was going a bit far. At least that’s my opinion, but we may not all have the same definition… as for what is a cloud :)

This week, I had my first troubles with GitHub while trying to push all the updates I did to “Kubernetes, the hard way” to use Azure. Long story short, I did have to ditch everything I did write for the new guide, and start over, as there were too many new commits from Kelsey’s guide. This misadventure pushed me to do several things : Create and maintain my own fork of Kelsey’s guide : https://github.com/frederimandin/kubernetes-the-hard-way Rewrite this guide, and make it work on Azure Use Visual Studio Code, with the GitHub and Markdown plugins. As it was also a first… some pain was involved. Go several steps beyond, in order to play a bit more with K8S The first two steps are done and commited, as you may see on GitHub. It did take a smaller amount of work than expected, as most of the commands I wrote for the previous guide were still usable. I did have to redeploy the test K8S cluster to confirm that everything was fine. Please, if you have some spare time, do not hesitate to use this guide, and give me some feedback! Then I tried several test, in addition to the ones included in the guide. First I deployed a container from the Docker public Registry : https://hub.docker.com/r/apurvajo/mariohtml5/ This went quite well, and I had the infinite mario running for several hours, and accessible from the outside world on its own port. At that point I got lost… I started to update this blog, and realized that the website was not using HTTPS. I figured now would be good time to do it, and I thought about using Let’s Encrypt (https://letsencrypt.org). As it was my first time, it took me a while to find out what to do exactly. Actually, the easiest way was to just activate the extension for the web app on Azure, and follow the guide. We are now securely discussing on https://cloudinthealps.mandin.net :) That was fun, but I still have not started to play with Helm (https://www.helm.sh), which was the original idea. Ill have to postpone that activity and blog about it later!

Following my recent ventures in the Kubernetes world (http://cloudinthealps.mandin.net/2017/08/23/kubernetes-thehard-way-azcli-style/), I now had a functional Kubernetes cluster, on Azure, built with my own sweat and brain. But that was not the original goal. The original goal was to try and play with Azure Container Instances, and its Kubernetes connector https://azure.microsoft.com/fr-fr/resources/videos/using-kubernetes-with-azure-containerinstances/ Following the guide on GitHub was relatively straightforward and painless (https://github.com/Azure/aci-connectork8s), but I encountered two small issues. One was that I am not completely comfortable yet with all things K8s, and I had to read a bit about taints, to understand why the current ACI connector is not used by the K8s scheduler by default. Not a big deal, and a good way to get to know more about K8s. The second one was maybe due to the fact that I had never used ACI before, maybe not. I logged it into the GitHub project as an issue (https://github.com/Azure/aci-connector-k8s/issues/33) to make sure that it is taken into consideration. Short story was that I was missing a registered Provider in my subscription. However the error message did not pop up in kubectl output, but only on the Activity log in Azure portal. Another good occasion to learn an dig into some tools.

Finally a tech post! I have been busy this week, on command lines and Kubernetes. The starting point was the recent announce for Azure Container Instances and the related Kubernetes conenctor : https://github.com/azure/aci-connector-k8s I admit I did try what Corey Sanders showed in his show : https://channel9.msdn.com/Shows/Tuesdays-WithCorey/Tuesdays-with-Corey-Azure-Container-Instances-with-WINDOWS-containers. However what I found interesting and wanted to try was the ACI connecter to Kubernetes, and how we would work with that. Of course we have a test Kubernetes cluster here, that someone from our tema built, but it felt too easy just to add the connector. Also I am not comfortable yet with Kubernetes and I wanted to get my hands dirty and know more about the inner workings of a k8s cluster. I remembered a quote from the Geek Whisperers’ show featuring Kelsey Hightower. He said that he wrote a guide to build a K8s cluster from the ground up, without any shortcuts. The guide is found there : https://github.com/kelseyhightower/kubernetes-the-hard-way The downside is that the guide is aimed at Google Cloud Platform, and I am an Azure guy. And there was my pet project for this week : adapt the guide for Azure, using only Azure CLI commands! There was one final trick for me to learn : store and share all that on GitHub. As I never had to work with Git by myself, it was also a good way to learn the moves. So, lots of new stuff learnt : • Create a K8s cluster from scratch • GitHub, and Git • Making progress on Azure CLI • A good refresh and Azure infrastructure The project is hosted there : https://github.com/frederimandin/Kubernetes-the-azcli-way There are many following steps to work on : • Integrating properly with Kelsey’s guide • Testing my own guide again • Adding ACI connector to my cluster and play with it (and write about it of course!) I’ll keep you posted, of course!

We are almost halfway of the first quarter for Microsoft Financial year, a month after the partner convention, which has been rebranded “Inspire”. Now that I am not a newbie any more, I can step back a bit and see past the awe of the first event. The setting this year was in Washington DC, which is great place for these kind of events. There are many hotels nearby, the city center is small enough to walk around, and there are many chic places for the evenings. This is not a travel blog, so I will not go further into the tourism information. This year we had decided, with our PSE, to have a lighter Microsoft agenda, and to be able to attend more sessions and impromptu meetings. I have to say that it was a wise choice. It allowed us to make new connections, to network quietly and to enjoy the Expo and the other partners. Note that I found it way easier to network this time, as our company was better known in the ecosystem, and we also had a better knowledge of the various people, names and acronyms used throughout Microsoft. This year I was able to attend several sessions, with different format : roundtables, breakout, demo theater, workshop and of course keynotes. The content was really good, though it is definitely not a technical event. The best way to have a technical discussion is to go to the Microsoft pods with a specific subject in mind and ask for an expert on that matter. Also these pods provide good help and advice on how to build or develop your business along the current track or toward a brand new scope (yes GDPR was a recurrent topic, I’ll write separately about that later on). I have met many amazing partners and vendors, through the social events, or on their booths and we have started to build new relationships that will hopefully help develop all our business and knowledge. Once again, it is an event where you have to be prepared, and be prepared to change your plans. First you need to have an idea of your goal beforehand. Do you want to find new partners within the ecosystem? Would you rather gian some traction or visibility in that ecosystem, both from Microsoft and from the other partners? Are you open to new business opportunities? Are you here to listen to the keynote and get a feeling of what is coming for the near future? Then, you need to build your agenda around that goal : sessions, meetings, events etc. But do remember to leave some room to be able to continue a discussion with an unexpected partner, or be ready to not attend a session live and see the recording, because something else popped up. And mostly, have fun :)

I know, there are tons of materials and training that will explain you how to select between SaaS and custom software. I’ll summarize their usual points, but I wanted to add some details on how you might have to look at the full scope of cloud services : from Iaas, through PaaS, to Saas, and a detour through containers. First the usual discussion, that have seen unfurl dozens of times : why choose SaaS over a custom/on-premises solution? You know the drill, right? On one side, you have full control and can customize the solution. This means the software will be tailored to your exact needs, and you will control exactly what is done with it, how is updated, where data is stored, accessed, replicated, backed-up etc. You will know the exact setup of the deployment, which layer is connected to which other layer, how, where traffic goes, how each layer is protected, and replicated. You will handle failover, high-availability etc. In a few words : you will be the master in your own kingdom. Problem with that path : you are, mostly, on your own. All of these domains I just listed are your responsibility, and you have to have knowledge and skills to handle those. You might need to expand those skills to cover 24*7. You’ll need a strong IT team, in addition to a trained software team. On the other side, you have SaaS : bright new, quick and easy. You set that up in a flash, connect the solution to your other enterprise software, create user accounts and voilà! No administrative overhead, the only skill you have to master is the configuration of the solution. You’ve seen the downside coming : you have absolutely no control over the software, its release cycle, the mechanisms in place to provide high-availability. Sometimes you have some control over your data, but it’s not obvious. In the end it’s your call to choose the balance you need. The cloud has integrated the same choices and solutions. You will have to decide whether you want to use IaaS, PaaS or SaaS. The basic triggers are the same, you choose the right balance between control, freedom and responsibility. Read here a good explanation : https://docs.microsoft.com/fr-fr/azure/app-service-web/choose-web-site-cloud-servicevm I would like to add something to that horizon, something spicier, which could probably give you the best of each solution, provided you are ready to learn some new skills. We had the same discussion several times with our customers, revolving around the limitations of Azure App Service for some Java applications, its lack of control, and how moving from that to a full-blown IaaS virtual machines felt like dropping out of the cloud. Here what we built with some of those customers. We wanted to provide them with the flexibility and ease of use of Azure App Service, tailored to their needs, without adding much IT admin overhead. We had already been running a Kubernetes cluster for our own internal needs for a while, and it was an easy leap to suggest that solution. Kubernetes is becoming the leader in container orchestration, but you could choose any other solution (DCOS, Swarm etc.) Here is a short list of the benefits the customer gained in that solution : • Flexibility of the deployment and settings of the application, down to every Java VM option • Scalability of an enterprise-ready container orchestration, based on a cloud platform that is reliable • Ease of deployment : these are containers after all! The only thing you have to keep in mind here is that someone has to learn and master containers and the orchestration layer for those. Kubernetes might not be the most accessible solution here, but it is, in my mind, the most mature and powerful. One last word, for you sceptics who still believe that Microsoft and Open-source are still far from each other : try to make a new build of your software for containers using Visual Studio : https://blogs.msdn.microsoft.com/jcorioland/2016/08/19/build-push-and-run-docker-images-with-visual-studio-teamservices/

I may have skimmed that subject a few times before, but as I get to the end of the (Microsoft) year, and begin a new one, it feels right to reflect for a while on what got me where I am now. The short version is : I got enough of cabling, servers, storage and operating systems, and wanted to move to something else, however related. Okay, that is VERY short. Allow me to develop that further. I started working in IT about 15 years ago. I did my duties in user support, moved to network engineering and implementation. At the same time, I discovered the wonderful world of Microsoft training and certification, and got my first cert around 2003, quickly followed by an MCSE (yes, on Windows 2000!). I switched back and forth between networking and systems engineering for several customers. I collected some knowledge along the way, mainly about hardware installation, cabling, storage and servers, but also about virtualization, networking, SAN. I continued my cert trip in parallel, maintaining my MCSE up to Windows 2016 and Azure. I also collected a few other certs : ITIL, Redhat RHCE (6 & 7), Vmware VCP & VCAP-DCD, Prince2 etc. I will say more about certification in a later article, keep in touch! To complete the brush-up, I tried my hand at project management, as well as people management. Let’s get to the point where it gets interesting. First time I heard about public cloud was at Tech-Ed Europe, probably in 2010. It was mostly limited to SQL server databases with many limitations. It was not really a hit for me. The subject kept reappearing : public cloud, private cloud, elastic computing, you’ve heard the talk. There were actually two triggers to my “Frederi, meet Cloud” moment. The first one was rather a long term evolution of my area of interest. After years spent working with the same company, and on the same software, I got to the point where I could understand the business side of my actions and responsibilities for our customers. It was a slow shift to a more end-user/application centric approach. This is where I try to push today : the major focus and metric is the end-user. If this user is not happy about his experience, then we (the whole team behind the software, from IT infrastructure to developers and designers) have failed. This is why I tend to ask the question early in the discussions : how is the application used? By who? The second trigger was more of a “a-ha” moment, specifically about public cloud. In a previous job, I was in an outsourcing team, focused on infrastructure. We had a whole Services department, whose job was to design build and deliver custom software. We almost never had a project in common. Until once we had a developer on the phone, and we had the most common conversation between dev and ops : Dev : “we have built a php application for that customer, and he wants to know if we can host and operate it, and what the cost would be” Ops (me) : “OK, tell me your exact need : OS, VM size, which web server, which version, how much disk space, a public IP etc?” Dev : “I do not know that” Ops : “in that case, I cannot give you an estimate. We can operate, but we need to know what” Follow a few days of emails trying to get those details ironed out and try to write a proposal. Two weeks later, we had the same dev on the phone : “Drop it, the customer has already deployed in Azure by himself”. That is when I realized that we, ops and infra, could not stay on the defense line and ask for what we knew best. We had to ask about the application itself, and we had to get into that “Azure” stuff. And that’s how I ended up in Azure, and mostly PaaS oriented ;)