Until now in Azure, when we talked about how to save costs on compute services, we had two alternatives (leaving software discounts aside):
Azure Reservations: they help us save money by booking a particular VM size for 1 or 3 years. The savings can be up to 72% compared to Azure PAYG prices (the vendor's official figure; in my experience it has not gone past 40%). Making a reservation does not affect the state of our resources: the reservation is made against a specific size, and the discount is applied automatically when it matches our resources.
Spot Virtual Machines: this type allows us to have compute at a lower cost than normal, but with one condition: there is no SLA. When Azure needs compute capacity, the first thing to be evicted are the Spot machines, which leaves us without compute for those sizes.
But during Ignite ’22 a third option for compute was announced: Azure Savings Plans
And what does it provide me?
It allows us to save compute costs based on a fixed hourly spend. A Savings Plan can save up to 65% compared to the Azure PAYG price (vendor figure; in my experience it has not exceeded 30%), always depending on the term we choose (1 or 3 years).
And what is the main difference?
Basically, in how the resource is committed: with an instance reservation we reserve, for example, a D4v4 size in West Europe for one year; with an Azure Savings Plan we set a fixed hourly spend for a certain term (1 or 3 years, with no possibility of cancellation), so that any compute resource within the scope we chose can use that commitment, which saves us compute money on those resources.
How does it work?
Basically, we have to specify the fixed amount of money we want to spend per hour of compute, and automatically, all the resources contained within the scope chosen at creation
Therefore, it is extremely important to keep in mind that this type of solution does not fit everyone, since not all of us have a large amount of compute resources that represent a fixed cost for our organization.
Likewise, we must specify how long we want to keep this commitment (1 or 3 years) and the form of payment (monthly or annual)
When creating an ASP, the portal offers different alternatives to configure it depending on our compute consumption, from the most conservative to the most aggressive strategy (we can also manually configure how much we are willing to pay per hour)
Once we have created the ASP, the party begins: How do I know that I am applying the ASP to my resources? The answer is simple, you must trust 😛
The following image shows a sample of how it works:
If you look, the green line represents the amount of money I pay as a fixed charge every hour (remember this is 24×7, so if we set €5/h it ends up being approximately €3600 per month), whether or not I use compute resources.
That last sentence is very important: whether or not you use resources. What does this mean? If I use 100% of my compute resources and the hourly price is below those €5, I pay €5/h no matter what. On the other hand, if my hourly compute consumption is greater than those €5, I pay the €5 as a fixed charge (which already includes a certain discount), and the remaining €1 at PAYG price (which depends on the contract I have).
So here we enter different price scales:
Scenario 1: in a certain time slot, I go below my set price → I pay my price per hour
Scenario 2: in a certain time slot, my compute consumption equals what I set in the ASP → I pay my price per hour
Scenario 3: in a certain time slot, my compute consumption is greater than the ASP → I pay my price per hour + the PAYG price for what the ASP does not cover
This is important to understand, because savings are automatically applied every hour, regardless of region, instance series, or OS.
What resources are contained in this type of solution?
As I write this article, the following Azure resources are covered:
Azure VMs (excluding A, G and GS series)
Azure Functions with Premium plan
Azure App Service with Premium v3 or Isolated v2 plan
Azure Dedicated Hosts
This does not rule out other resources being included in the future, but I have no further information.
And can I combine it with instance reservations?
Yes, without problem; in fact it is the most suitable formula to save costs. In this case the instance reservations always apply first, and everything the instance reservation does not cover is eligible to be covered by an ASP:
As we can see, everything not covered by an instance reservation or an ASP is paid at the normal compute price we have established in Azure (here it depends on the type of contract we have with Microsoft: EA / CSP / PAYG)
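The three pricing scenarios above and the reservation-first waterfall just described, as an added example (my own illustration, not from the original post): every VM rate, the fleet and the 50% plan discount are constructed values, the €5/h commitment and the 24×7 monthly figure follow the post, and the reservation's own charge is deliberately left out of the hourly total.

```python
from dataclasses import dataclass


@dataclass
class VmHour:
    """One hour of one VM: its size and its PAYG rate in EUR/h (constructed values)."""
    size: str
    payg_rate: float


@dataclass
class Reservation:
    """A reserved-instance commitment: how many instances of a given size it covers."""
    size: str
    quantity: int


def monthly_commitment(eur_per_hour: float, days: int = 30) -> float:
    """The fixed charge runs 24x7: EUR 5/h is about EUR 3600 for a 30-day month."""
    return eur_per_hour * 24 * days


def hourly_cost(vms, reservations, commitment, plan_discount):
    """Return (reserved_vms, plan_covered_eur, payg_eur, total_eur) for one hour.

    Assumed waterfall, following the post:
      1. reserved instances are matched by size first and are not billed here
         (the reservation itself is a separate charge);
      2. the rest is priced at the plan rate, PAYG * (1 - plan_discount), and
         consumes the hourly commitment, which is paid in full even when usage
         is below it (scenarios 1 and 2);
      3. usage the commitment does not cover is billed at full PAYG (scenario 3).
    """
    left = {r.size: r.quantity for r in reservations}
    reserved, uncovered = 0, []
    for vm in vms:
        if left.get(vm.size, 0) > 0:
            left[vm.size] -= 1
            reserved += 1
        else:
            uncovered.append(vm)
    payg_usage = sum(vm.payg_rate for vm in uncovered)
    plan_usage = payg_usage * (1 - plan_discount)
    if plan_usage <= commitment:
        plan_covered, payg = plan_usage, 0.0
    else:
        plan_covered = commitment
        # the part of the hour the commitment does not cover goes back to PAYG pricing
        payg = payg_usage - commitment / (1 - plan_discount)
    total = commitment + payg
    return reserved, round(plan_covered, 2), round(payg, 2), round(total, 2)


# Constructed fleet: two D4v4 covered by a reservation, fifteen D8v5 on PAYG rates.
FLEET = [VmHour("D4v4", 0.40), VmHour("D4v4", 0.40)] + [VmHour("D8v5", 0.80) for _ in range(15)]
RESERVATIONS = [Reservation("D4v4", 2)]

if __name__ == "__main__":
    # EUR 5/h commitment with a constructed 50% plan discount -> scenario 3
    print(hourly_cost(FLEET, RESERVATIONS, commitment=5.0, plan_discount=0.5))
```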
And this ASP thing appears in Azure Advisor?
Yes, it should already appear in Advisor as a savings measure for the compute services in Azure, alongside instance reservations
We should also notice that this option already appears in the Azure pricing calculator:
Once I have made a commitment with ASP, do I have the possibility to cancel and/or change it?
No, it is not possible to cancel an ASP commitment or change it for another one; we will have to endure what we configured for 1-3 years, and if we fall short we will have to configure a new ASP to cover the new demand (with the additional term that this new ASP implies)
My personal recommendation is to always go for a more conservative configuration, mainly because of the impossibility of cancelling this type of commitment; this gives us the opportunity to “play” with other configurations.
Reservations only apply to the compute resources that have been identified, and to a specific region
Azure Savings Plans apply to all compute resources contained within the chosen scope, so they give us greater flexibility and automatic optimization compared to reservations.
When to choose one or the other?
For compute resources with dynamic loads: Azure Saving Plans
For resources that are stable over time and run continuously, or that you don’t plan to resize: Azure Reservations
There is no one-size-fits-all formula, but the FinOps perspective is like this 😊.
There is no one-size-fits-all when it comes to Azure and cost optimization, but the focus of this session is to explain some tips & tricks from my daily life as a Cloud Solutions Architect
Some general tasks can be done monthly/quarterly to be sure that your Azure environment is up to date, taking into consideration that optimization and keeping your business running are the most important things here
Be advised that not all the things that can be done in Azure are covered in this post, probably because at the time of writing I didn’t need to
Why this post?
Every design in Azure has cost implications. Before architecting something, we must consider the budget we will need for the project itself, taking into consideration things like:
Identify the different boundaries for scaling up
BCP, taking into consideration the cost of the solution
Design and set up scalable architectures, focusing on metrics & performance
Start small and scale out as soon as the required performance needs it (I really love that one)
Choose PaaS and SaaS over IaaS: pay only for what you use, as a consumer
Always monitor, audit & optimize the related cost
Ok I get it, but what are we going to cover?
For the next minutes I will explain some guidelines about cost optimization, in particular for the following topics:
Use of ARI
Use of Dev subscriptions
Optimal use of Azure App Services
Optimal use of Auto-Scale in App Services
Azure Data Factory Failed Pipelines
PaaS SQL Optimization
VM Right Sizing
Azure Hybrid Benefit
Blob Storage Lifecycle
Clean Orphan Resources
Use of Log Analytics
Use of Azure Advisor
Cost Management Preview (ACO Insights)
Azure Governance Dashboard
Before starting this post, I would recommend to create an Azure Inventory from your environment, with this tool, it is pretty simple: https://github.com/microsoft/ARI
And as you can observe, it gives you a great overview of what type of resources you have, their use, locations, etc… Also, some of the sheets can be used to optimize your Azure cost environment
Using the top-to-bottom approach, the first thing to pay attention to is Azure Dev/Test subscriptions, which are applicable to both enterprise and pay-as-you-go offers. By placing your dev resources in those subscriptions, you get lower prices for the most common Azure services, at the cost of excluding them from the regular vendor SLA commitments.
Optimal use of Azure App Services
First, check that Standard and Premium plans have an associated application
I have seen a lot of empty App Service Plans, which leads to unnecessary cost for the customer; remember that having the right governance in your subscriptions is also a cost measure.
Another thing I tend to do is to check the metrics for the plan, and check whether it is being used properly (scale down if needed, but remember the features needed in each case)
Focus on those DBs at 40%-80% of DTU capacity, those are the most important ones to scale up
Check if you really need geo-replication; you probably don’t need to replicate your DB across regions (important point!!!). Remember the first bullets of this post: we need to start small and then plan big. If we start to enable geo-replication on DBs that are not being used, or on test DBs, you’re wasting your money
With the help of metrics, review the use for the correct size & throughput
Consider autoscaling for those type of resources (it avoids consuming unnecessary resources)
And your VMs will automatically shut down and start on the configured schedule, which for those test and PRE environments where Azure Reservations don’t fit is simply great; you will save a bunch of compute hours with this simple script
One thing I do for all of my clients in order to optimize cost is to check which VM size version they are running; this can be extracted from the ARI (remember the first tool):
Why? Because, as you probably know, Microsoft is always optimizing the hardware in the datacenter, so they keep releasing new versions of the VM sizes. So what’s the point? The older the VM size, the higher the VM cost, so check whether there is a newer VM size and you will be able to save some money on each VM.
Imagine you have 100 VMs running on a v2 series, and moving from v2 to v5 represents a cost change of 20€/VM/month; in total the saving is 2000€/month just by changing the VMs to a newer version, not bad, huh?
Azure Hybrid benefit
The first question is: do you have Software Assurance with Microsoft? If the answer is yes, don’t waste more time and money, and apply it to your Azure resources; it will help to save up to 40% in cost (for VMs and SQL)
Transition data to a cooler storage tier, to optimize performance and cost
Delete information at the end of the lifecycle
With this procedure I was able to save a lot of money in a recent IoT project: all the information was stored in blobs, but once a certain period of time had passed, we moved it from one tier to another in order to cut storage costs
Check out the costs related to networking, it may scare you
You will need to identify which applications are using most of the egress bandwidth and review & redesign your infrastructure accordingly
Check which gateways are not being used, probably those with a throughput lower than 900MB/day
Check your Azure ExpressRoute circuits; probably the first provisioning of the circuit was larger than needed
Use Azure Monitor Agent and Data Collection rules over Log Analytics agent
Set retention per table and leave the workspace retention to its default
Set archival tier per table – To meet certain compliance rules, you may need some of the data available for a longer period of time
Configure diagnostic settings with only the logs that are needed and used
Use of Azure Advisor
I must admit that I’m a fan of Azure Advisor; for any project I have, I always tend to review Advisor in order to cut Azure costs
It helps to detect whether a Virtual Machine runs on a VM size GREATER than what it needs (based on CPU utilization under 5% in the last 14 days). If Azure Advisor reports an overprovisioned machine, you need to investigate its use and resize it to a more suitable size.
Security essentials in Microsoft 365 are a must. Probably most of these recommendations are already being followed by most of us, but just in case, and as a reminder:
Are users configured with multi-factor authentication? Multi-factor authentication is a necessary control that protects users from password attacks such as password guessing and credential theft. If a Microsoft 365 user account is compromised, an attacker may gain access to the user’s emails, files, chat history and other sensitive data. So imagine if this happens to an admin… probably: GAME OVER
If the organization’s on-prem Active Directory is synchronized with Azure Active Directory, are only the necessary objects synchronized? Organizations commonly synchronize their on-prem AD with Azure AD. However, it is a security best practice to only sync those AD objects that need to be used within Azure AD
Is the number of users configured as administrators in Microsoft 365 appropriate for the size of the organization? Having more than one administrator in Microsoft 365 ensures that if one administrator is unavailable, another user can make changes to the tenant. As always, my recommendation (and Microsoft’s) is that there should be no more than five Global Admins (remember to have an emergency access account as well)
Are dedicated administrative accounts used? Separate administrative accounts from personal accounts, and, importantly, administrative personnel should use their privileged accounts only when required.
Are tenant Global Administrators configured with working email addresses? Microsoft 365 Global Admins receive a variety of important email notifications, including service status, security events and other information. So it is important that organizations ensure that Global Admins use an email address that is configured as a working address.
Are Azure AD user settings changed from their defaults? By default, non-administrative users may access the Azure AD administrative portal and perform several different actions, including:
• Register custom-developed applications for use within Azure AD
• Access the Azure AD administrative portal
• Allow user to connect their Azure AD accounts with their
• Invite external guest users
• Invited guest users can invite additional guest users
Each of these settings may have a security impact, depending on the organization. If your organization has not changed any of these default settings to be more restrictive, you’ll need to do it; there are a lot of configurations to be done
Are users restricted from creating auto-forwarding rules within Outlook? When a user creates an auto-forwarding rule, emails sent to the account are automatically forwarded, without any notification, to a mailbox that the organization does not control. This may expose the organization to the risk of loss of sensitive data.
As always, there are a lot of best practices to follow; the previous recommendations are only a few of them, but it’s up to you to apply them or stay on the risky path. Stay safe!
I want to drop some lines about my experience deploying several Azure Conditional Access projects
Always exclude your emergency accounts from the Conditional Access policies (remember: if you don’t have an emergency account, you’re late). This is something I always tell my customers, and I will never give up on it
Don’t enable new policies without communicating properly to the organization, and also foresee the impact on the users (you will save a lot of tickets for the service desk)
Don’t enable policies that require compliant or hybrid Azure AD joined devices without verifying the state of the devices in the Azure Portal (same as before: you will save tickets and interruptions for the end users)
Be careful with including the application “All apps” in the policies; you can get a nasty surprise (in my case it happened to me in Azure: I put some exclusions in place, but it seems that sometimes the portal randomly calls other APIs that cannot be controlled (and do not exist in AAD), so the user was blocked in the portal even though the policy made sense to you)
If you go ahead with “All Cloud Apps” for device-based policies, be sure to exclude the app “Intune Enrollment” in the policy, or you won’t be able to enrol new devices in the portal
It is very easy to include multiple cases in one policy, but if you want to troubleshoot what is happening, it is easier to segment it into multiple policies. Eat the elephant bite by bite: we have to weigh having and managing several policies against being able to troubleshoot correctly.
It is recommended to include a naming convention in your policies; at a glance, you will be able to know the use of each policy (user, device, administrator, guest)
So, this is all. Probably you’re following most of these recommendations, but if not, don’t be a fool 😉
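The Conditional Access rules listed above (emergency-account exclusion, Intune Enrollment exclusion on "All apps" device policies, report-only before enforcing, a naming convention), turned into a small lint over policies in the Microsoft Graph conditionalAccessPolicy shape. This is an added example of mine, not from the original post; the emergency-account and Intune Enrollment ids are placeholders to be looked up in your own tenant, and the CA-<persona>-<nnn>-<purpose> naming pattern is a constructed convention.

```python
import copy
import re

# Placeholders: replace with the object ids from your own tenant.
EMERGENCY_ACCOUNT_IDS = {"<emergency-access-account-object-id>"}
INTUNE_ENROLLMENT_APP_ID = "<intune-enrollment-application-id>"
# Built-in grant controls that depend on device state (compliant / hybrid joined).
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}
# Constructed naming convention: CA-<persona>-<nnn>-<purpose>
NAME_RE = re.compile(r"^CA-(User|Device|Admin|Guest)-\d{3}-\S+")


def lint_policy(policy: dict) -> list[str]:
    """Return the rules from the post that this conditionalAccessPolicy breaks."""
    findings = []
    name = policy.get("displayName", "")
    cond = policy.get("conditions", {})
    if not NAME_RE.match(name):
        findings.append("naming: displayName does not follow CA-<persona>-<nnn>-<purpose>")
    excluded_users = set(cond.get("users", {}).get("excludeUsers", []))
    if not EMERGENCY_ACCOUNT_IDS <= excluded_users:
        findings.append("emergency: emergency access account is not excluded")
    apps = cond.get("applications", {})
    controls = set(policy.get("grantControls", {}).get("builtInControls", []))
    if ("All" in apps.get("includeApplications", []) and controls & DEVICE_CONTROLS
            and INTUNE_ENROLLMENT_APP_ID not in apps.get("excludeApplications", [])):
        findings.append("intune: All apps with a device control but Intune Enrollment not excluded")
    return findings


def as_report_only(policy: dict) -> dict:
    """Copy of the policy in report-only state, to measure impact before enforcing it."""
    p = copy.deepcopy(policy)
    p["state"] = "enabledForReportingButNotEnforced"
    return p


# Constructed policy that breaks all three rules.
BAD_POLICY = {
    "displayName": "Require compliant device",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"], "excludeApplications": []},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
}


def fixed_policy() -> dict:
    """BAD_POLICY with the post's recommendations applied."""
    p = as_report_only(BAD_POLICY)
    p["displayName"] = "CA-Device-001-RequireCompliantOrHybridJoined"
    p["conditions"]["users"]["excludeUsers"] = sorted(EMERGENCY_ACCOUNT_IDS)
    p["conditions"]["applications"]["excludeApplications"] = [INTUNE_ENROLLMENT_APP_ID]
    return p


if __name__ == "__main__":
    for finding in lint_policy(BAD_POLICY):
        print(finding)
    print("fixed:", lint_policy(fixed_policy()))
```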
As you have probably been reading in my previous posts, I’ve been talking about FIDO2 keys and how they can be used as a secondary authentication factor when signing in to Azure AD.
Today I want to talk about OATH hardware tokens, also known as Time-based One-Time Password tokens.
As you are aware, some authentication methods can be used as the primary factor when you sign in to an application or device, such as using a FIDO2 security key or a password. Other authentication methods are only available as a secondary factor when you use Azure AD Multi-Factor Authentication or SSPR.
The following table outlines when an authentication method can be used during a sign-in event:
OATH TOTP is an open standard that specifies how one-time password (OTP) codes are generated. OATH TOTP can be implemented using either software or hardware to generate the codes. OATH TOTP hardware tokens typically come with a secret key, or seed, pre-programmed in the token.
In this post I will show you how the OTP C200 token from Feitian can be configured in Azure AD and how it works.
First of all, you have to register the token in Azure AD. To do this you will need the serial number of the token and the secret key provided by the manufacturer, and then you need to create a CSV file with all the information:
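How the seed turns into the code the token displays (RFC 4226 HOTP under RFC 6238 TOTP, which is what OATH TOTP specifies), plus a row for the token upload CSV, as an added example of mine, not from the post, from Feitian or from Microsoft. The seed is the RFC 6238 test seed, not a real token secret; the UPN and serial number are constructed; the CSV column order follows the hardware-token upload format documented for Azure AD.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step); token and Azure AD derive the same value."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, step=30, digits=6, window=1):
    """Accept the current step and +/- `window` steps to tolerate token clock drift."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + i, digits), code)
               for i in range(-window, window + 1))


CSV_HEADER = "upn,serial number,secret key,time interval,manufacturer,model"


def token_csv_row(upn, serial, secret_b32, interval=30, manufacturer="Feitian", model="c200"):
    """One row of the token upload CSV: the seed must be base32 and the interval 30 or 60 seconds."""
    base64.b32decode(secret_b32, casefold=True)  # raises binascii.Error if not valid base32
    if interval not in (30, 60):
        raise ValueError("time interval must be 30 or 60 seconds")
    return f"{upn},{serial},{secret_b32},{interval},{manufacturer},{model}"


# RFC 6238 test seed (not a real token secret); the base32 form is what goes into the CSV.
RFC_SEED = b"12345678901234567890"
RFC_SEED_B32 = base64.b32encode(RFC_SEED).decode()

if __name__ == "__main__":
    print(CSV_HEADER)
    print(token_csv_row("user@contoso.example", "SN-CONSTRUCTED-0001", RFC_SEED_B32))
    print(totp(RFC_SEED, 59, digits=8))  # RFC 6238 vector: 94287082
```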
So, once the token has been configured for the user, what is the flow to access the account?
I have compared the authentication flow with the FIDO2 key flow; the difference you can appreciate is that with FIDO2 keys it is not necessary to enter my password
Finally, check out the following table from Microsoft, where you can see different persona cases and which passwordless technology can be used for each of them
IMHO, FIDO keys are great, but thinking as an end user they have a problem: the initial setup. We must rely on the end user to configure the key and associate it with Azure AD (remember the previous table). FIDO keys have the advantage of being usable to sign in to the computer instead of a password.
On the other hand, OATH tokens are great because you, as an administrator, can configure the tokens in the AAD portal and, once they have been activated, hand them to end users without any further action from the end user’s side; and the most important part: they are very easy to use
Thanks to Feitian for providing such amazing tokens
Hi folks, summer is here and my holidays are very near, so I’m wrapping everything up to close my laptop and relax for a few weeks.
But before my well-deserved rest, I need to give you a FinOps tip:
If you’re like me and often build demo setups in your Azure subscription that involve resources like Azure Firewall and Application Gateways, you have probably realized that there is no easy way to gracefully shut down all those “hungry” resources to save some money.
To stop VMs we can simply use the Azure Portal start/stop buttons, automation accounts or whatever, but the Azure Portal doesn’t allow you to stop an Application Gateway or an Azure Firewall. In such cases, Azure PowerShell helps:
# Requires the Az.Network module and an authenticated session (Connect-AzAccount)
# Get the Azure Application Gateway (replace the placeholders with your own names)
$appgw = Get-AzApplicationGateway -Name "appgw_name" -ResourceGroupName "rg_name"
# Stop the Azure Application Gateway so it stops accruing compute charges while the demo is idle
Stop-AzApplicationGateway -ApplicationGateway $appgw
# Start the Azure Application Gateway again when the demo resumes
Start-AzApplicationGateway -ApplicationGateway $appgw
After executing the stop, we will be able to see that the Operational State change after 1 minute or so: