Best Practices about how to cut costs in Azure

Introduction

There is no one-size-fits-all when it comes to Azure and cost optimization, but the focus of this post is to explain some tips and tricks from my daily life as a Cloud Solutions Architect.

Some general tasks can be done monthly or quarterly to make sure your Azure environment is up to date, keeping in mind that optimization and keeping your business running are the most important things here.

Be advised that not all the things that can be done in Azure are covered in this post, mostly because at the time of writing I have not needed them.

Why this post?

Every design in Azure has cost implications. Before architecting something, we must consider the budget that the project will need, taking into account things like:

  • Identify the different boundaries for scaling up
  • Redundancy
  • BCP (business continuity planning), taking into consideration the cost of the solution
  • Design and set up scalable architectures, focusing on metrics and performance
  • Start small and scale out as soon as the required performance needs it (I really love that one)
  • Choose PaaS and SaaS over IaaS: pay only for what you use, as a consumer
  • Always monitor, audit and optimize the related cost

Ok I get it, but what are we going to cover?

Over the next minutes I will explain some guidelines about cost optimization, in particular for the following topics:

  • Use of ARI
  • Use of Dev subscriptions
  • Optimal use of Azure App Services​
  • Optimal use of Auto-Scale in App Services​
  • Azure Data Factory Failed Pipelines
  • PaaS SQL Optimization
  • Cosmos DB
  • VM Right Sizing
  • Azure Hybrid Benefit​
  • Blob Storage Lifecycle​
  • Networking
  • Clean Orphan Resources​
  • RIs​
  • Use of Log Analytics
  • Use of Azure Advisor
  • Cost Management Preview (ACO Insights)
  • Azure Governance Dashboard
  • Closing

Before starting…

Before starting this post, I would recommend creating an inventory of your Azure environment; with this tool (Azure Resource Inventory, a PowerShell script that exports everything it finds to an Excel workbook) it is pretty simple: https://github.com/microsoft/ARI

As you can observe, it gives you a great overview of what types of resources you have, how they are used, their locations, etc. Some of the sheets can also be used to optimize your Azure costs.

Another tip: you can start your journey to cost optimization with a self-assessment; it will give you some guidelines about where you stand: https://docs.microsoft.com/en-us/assessments/

Use of Dev Subscriptions

Using a top-to-bottom approach, the first thing to pay attention to is Azure Dev/Test subscriptions, which are available for both Enterprise Agreement and pay-as-you-go offers. By placing your dev resources in those subscriptions you get lower prices for the most common Azure services, at the cost of those resources being excluded from the regular SLA commitments. The offer is meant only for development and testing by active Visual Studio subscribers, so never move production workloads there.

Optimal use of Azure App Services
First, check that every Standard and Premium plan has at least one application associated with it.

I have seen a lot of empty App Service plans, which lead to unnecessary cost for the customer. Remember that having proper governance in your subscriptions is also a cost measure.

Another thing I tend to do is check the metrics for the plan and verify that it is being used properly (scale down when needed, but remember the features each tier provides before changing it).
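The two checks above as an added PowerShell example (this is not code from the original post). It lists App Service plans that host no app at all and, for the non-empty Standard/Premium plans, the average CPU over the last 14 days. It assumes the Az.Websites and Az.Monitor modules and an existing Connect-AzAccount session scoped to the subscription you want to review; the 10% threshold is my own assumption for "under-used".

```powershell
# Added example (not code from the original post). Finds App Service plans that
# host no app at all and, for the non-empty Standard/Premium plans, reports the
# average CPU over the last 14 days so under-used plans stand out.
# Assumes the Az.Websites and Az.Monitor modules and an existing Connect-AzAccount
# session scoped to the subscription you want to review.
$since     = (Get-Date).AddDays(-14)
$paidTiers = 'Standard', 'Premium', 'PremiumV2', 'PremiumV3', 'Isolated', 'IsolatedV2'

foreach ($plan in Get-AzAppServicePlan) {
    if ($plan.NumberOfSites -eq 0) {
        # A plan is billed whether or not something is deployed on it
        [pscustomobject]@{
            Plan = $plan.Name; ResourceGroup = $plan.ResourceGroup
            Tier = $plan.Sku.Tier; Size = $plan.Sku.Size; Instances = $plan.Sku.Capacity
            Sites = 0; AvgCpuPct = $null
            Finding = 'EMPTY - delete it, or move apps into it and delete another plan'
        }
        continue
    }
    if ($plan.Sku.Tier -notin $paidTiers) { continue }

    # CpuPercentage is a platform metric of Microsoft.Web/serverfarms
    $metric = Get-AzMetric -ResourceId $plan.Id -MetricName 'CpuPercentage' `
        -StartTime $since -EndTime (Get-Date) -TimeGrain ([TimeSpan]::FromHours(1)) `
        -AggregationType Average -WarningAction SilentlyContinue
    $values = @($metric.Data | Where-Object { $null -ne $_.Average } | ForEach-Object Average)
    $avg = if ($values.Count) { [math]::Round(($values | Measure-Object -Average).Average, 1) } else { $null }

    $finding = if ($null -eq $avg) { 'no metric data' }
               elseif ($avg -lt 10) { 'UNDERUSED - fewer instances, smaller SKU, or consolidate' }  # 10% is an assumed threshold
               else { 'ok' }
    [pscustomobject]@{
        Plan = $plan.Name; ResourceGroup = $plan.ResourceGroup
        Tier = $plan.Sku.Tier; Size = $plan.Sku.Size; Instances = $plan.Sku.Capacity
        Sites = $plan.NumberOfSites; AvgCpuPct = $avg; Finding = $finding
    }
}
```

Scaling a plan down is then one call, for example `Set-AzAppServicePlan -ResourceGroupName <rg> -Name <plan> -Tier Standard -WorkerSize Small -NumberofWorkers 1`, but check first that the apps on it do not depend on a feature of the higher tier (deployment slots count, VNet integration, instance limits).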

Optimal use of Auto-Scale in App Services​

In many cases you will be able to scale down your resources, but first check the features between Standard and Premium plans (or even within the Standard or Premium tiers!). You can also scale out and back in on a schedule with autoscale rules; for the newer App Service automatic scaling feature, see https://techcommunity.microsoft.com/t5/apps-on-azure-blog/azure-app-service-automatic-scaling/ba-p/2983300

This is very useful for those workloads that we know are only needed during certain periods of time.

Azure Data Factory​

Review the failing pipelines. A pipeline that constantly fails still bills the activity runs and the integration runtime time it consumed before failing, so it impacts the cost of your resource; take action.

Again, I have reviewed a lot of Data Factory pipelines which are continuously failing... take care of that as well.
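An added example (not code from the original post) that finds those repeatedly failing pipelines: it lists every pipeline with failed runs in the last 7 days, the failure rate, the minutes the failed runs consumed and the last error. It assumes the Az.DataFactory module; the resource group and factory names are placeholders.

```powershell
# Added example (not code from the original post). Lists pipelines with failed
# runs in the last 7 days, how often they fail and the last error, so repeatedly
# failing (and still billed) pipelines can be fixed or their triggers stopped.
# Assumes the Az.DataFactory module; $rg and $factory are placeholder values.
$rg      = 'rg-data'     # placeholder
$factory = 'adf-sample'  # placeholder
$now     = Get-Date

$runs = Get-AzDataFactoryV2PipelineRun -ResourceGroupName $rg -DataFactoryName $factory `
            -LastUpdatedAfter $now.AddDays(-7) -LastUpdatedBefore $now

$runs | Group-Object PipelineName | ForEach-Object {
    $failed = @($_.Group | Where-Object Status -eq 'Failed')
    $last   = $failed | Sort-Object RunEnd -Descending | Select-Object -First 1
    [pscustomobject]@{
        Pipeline      = $_.Name
        Runs          = $_.Count
        Failed        = $failed.Count
        FailurePct    = [math]::Round(100 * $failed.Count / $_.Count, 1)
        # Time the failed runs burned before giving up (integration runtime hours are billed)
        FailedMinutes = [math]::Round((($failed | Measure-Object DurationInMs -Sum).Sum) / 60000, 1)
        LastError     = if ($last) { $last.Message } else { '' }
    }
} | Where-Object Failed -gt 0 | Sort-Object Failed -Descending | Format-Table -AutoSize -Wrap

# A pipeline that fails on every scheduled run can be paused while it is fixed:
# Stop-AzDataFactoryV2Trigger -ResourceGroupName $rg -DataFactoryName $factory -Name '<trigger-name>'
```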

Paas SQL Optimization​

With Azure Monitor, check whether the database really needs all the DTUs provisioned. One thing I love to do is play with the different service tiers available for SQL: if you're running a tier with a lot of DTUs, implement a runbook to reduce the tier when you don't need it. For example, you can use GitHub – francesco-sodano/azure-sql-db-autoscaling: this ARM template deploys an Azure SQL Database on a DTU-based tier (with a new Azure SQL Server) including all the resources required to perform auto scaling (scale up and scale down) based on metric alerts using a function app. Again, very useful for those workloads that we know are only needed during certain periods of time.

Focus first on those DBs running at 40%-80% of their DTU capacity: those are the ones whose tier deserves the closest review (below 40% is an obvious scale-down candidate).

Check if you really need geo-replication; probably you don't need to replicate your DB across regions (important point!!!). Remember the first bullets of this post: we need to start small and then plan big. If we enable geo-replication for DBs that are not being used, or for those in test, we are wasting money.
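The DTU and geo-replication review above as an added PowerShell example (not code from the original post). For every Azure SQL database in the current subscription it reports the tier, the average and the highest hourly average of DTU consumption over 14 days (CPU percent for vCore tiers) and how many geo-replication links exist. It assumes the Az.Sql, Az.Monitor and Az.Accounts modules; the 40%/80% bands are the post's own.

```powershell
# Added example (not code from the original post). For every Azure SQL database
# in the current subscription: tier, average and peak hourly DTU (or CPU for
# vCore) consumption over 14 days, and how many geo-replication links it has.
# Assumes the Az.Sql, Az.Monitor and Az.Accounts modules.
$start = (Get-Date).AddDays(-14); $end = Get-Date
$hour  = [TimeSpan]::FromHours(1)

foreach ($server in Get-AzSqlServer) {
    $dbs = Get-AzSqlDatabase -ResourceGroupName $server.ResourceGroupName -ServerName $server.ServerName |
           Where-Object DatabaseName -ne 'master'
    foreach ($db in $dbs) {
        # DTU tiers expose dtu_consumption_percent; vCore tiers expose cpu_percent
        $metricName = if ($db.Edition -in 'Basic', 'Standard', 'Premium') { 'dtu_consumption_percent' } else { 'cpu_percent' }
        $m = Get-AzMetric -ResourceId $db.ResourceId -MetricName $metricName -StartTime $start -EndTime $end `
                -TimeGrain $hour -AggregationType Average -WarningAction SilentlyContinue
        $vals = @($m.Data | Where-Object { $null -ne $_.Average } | ForEach-Object Average)
        $avg  = if ($vals.Count) { [math]::Round(($vals | Measure-Object -Average).Average, 1) } else { $null }
        $peak = if ($vals.Count) { [math]::Round(($vals | Measure-Object -Maximum).Maximum, 1) } else { $null }

        # Geo-replication links via the ARM REST API (finds partners in any resource group)
        $resp  = Invoke-AzRestMethod -Method GET -Path "$($db.ResourceId)/replicationLinks?api-version=2021-11-01"
        $links = @(($resp.Content | ConvertFrom-Json).value)

        $finding = if ($null -eq $avg) { 'no data' }
                   elseif ($avg -lt 40) { 'scale-down candidate' }
                   elseif ($avg -le 80) { 'review tier' }
                   else { 'near capacity' }
        [pscustomobject]@{
            Server = $server.ServerName; Database = $db.DatabaseName
            Tier = "$($db.Edition)/$($db.CurrentServiceObjectiveName)"
            AvgPct = $avg; PeakHourlyPct = $peak; GeoReplicas = $links.Count; Finding = $finding
        }
    }
}
```

Changing the tier afterwards is `Set-AzSqlDatabase -ResourceGroupName <rg> -ServerName <server> -DatabaseName <db> -RequestedServiceObjectiveName S1` (the database stays online, with a brief reconnect at the end), and an unneeded secondary is dropped with `Remove-AzSqlDatabaseSecondary`. Hourly averages hide short spikes, so look at the raw metric chart before shrinking a database that serves interactive users.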

Cosmos DB

With the help of metrics, review the usage to pick the correct size and throughput.

Consider autoscale throughput for this type of resource (it avoids paying for provisioned RU/s that you do not consume).

Consider the serverless option for dev and test environments, or for those environments with intermittent traffic: Consumption-based serverless offer in Azure Cosmos DB | Microsoft Learn

VM Right Sizing​
One thing I love to do is shut down VMs based on a schedule.

The schedule is set with a tag on the resource, and the operation is performed by an Automation account (it could be a Logic App as well). For example, I love to use the following script:

Scheduled Virtual Machine Shutdown/Startup – Microsoft Azure | Automys

You set a tag like the following on the VMs:

And your VMs will automatically shut down and start on the configured schedule. For those test and pre-production environments where Azure Reservations do not fit, this is simply great: you will save a bunch of compute hours with this simple script. Keep in mind that a VM only stops being billed for compute when it is deallocated, not when it is merely stopped from inside the OS.
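To show what such a tag-driven runbook does under the hood, here is an added minimal version (this is my own example, not the Automys script the post links). It assumes a tag named AutoShutdownSchedule (an assumed name; pick whatever your tagging standard uses) whose value is a comma-separated list of entries, each either a day name ("Saturday") or a time range ("19:00->07:00", which may cross midnight); the VM must be deallocated whenever the current time matches any entry and running otherwise. It assumes the Az.Compute module and an authenticated session.

```powershell
# Added example (not the Automys script from the post): a minimal tag-driven
# start/stop runbook. Assumes each managed VM carries a tag named
# AutoShutdownSchedule (assumed name) whose value is a comma-separated list of
# entries, each a day name ("Saturday") or a time range ("19:00->07:00", which
# may cross midnight). The VM must be deallocated whenever the current time
# matches any entry and running otherwise.
param(
    [string]$TagName = 'AutoShutdownSchedule',   # assumed tag name
    [switch]$ReportOnly                          # print decisions without acting
)
# In an Automation runbook authenticate first, e.g. with the account's managed
# identity: Connect-AzAccount -Identity

function Test-InShutdownWindow {
    param([string]$Schedule, [datetime]$At)
    foreach ($raw in ($Schedule -split ',')) {
        $entry = $raw.Trim()
        if (-not $entry) { continue }
        if ($entry -match '^(\d{1,2}:\d{2})\s*->\s*(\d{1,2}:\d{2})$') {
            $from = [TimeSpan]::Parse($Matches[1]); $to = [TimeSpan]::Parse($Matches[2]); $t = $At.TimeOfDay
            $inside = if ($from -le $to) { $t -ge $from -and $t -lt $to }   # same-day window
                      else               { $t -ge $from -or  $t -lt $to }   # window crossing midnight
            if ($inside) { return $true }
        }
        elseif ($At.DayOfWeek.ToString() -eq $entry) { return $true }       # whole day, e.g. "Sunday"
        else { Write-Warning "Ignoring unrecognised schedule entry '$entry'" }
    }
    return $false
}

# Automation sandboxes run in UTC: convert if your schedules are written in local time
$now = Get-Date
foreach ($vm in (Get-AzVM -Status | Where-Object { $_.Tags -and $_.Tags.ContainsKey($TagName) })) {
    $shouldBeOff = Test-InShutdownWindow -Schedule $vm.Tags[$TagName] -At $now
    # "VM stopped" is still billed for compute; only "VM deallocated" is not
    $billed = $vm.PowerState -in 'VM running', 'VM stopped'
    if ($shouldBeOff -and $billed) {
        Write-Output "Deallocate $($vm.Name) ($($vm.PowerState))"
        if (-not $ReportOnly) { Stop-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -Force -NoWait | Out-Null }
    }
    elseif (-not $shouldBeOff -and $vm.PowerState -eq 'VM deallocated') {
        Write-Output "Start $($vm.Name)"
        if (-not $ReportOnly) { Start-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -NoWait | Out-Null }
    }
}
```

Run it with -ReportOnly first to see which VMs it would touch; schedule it every 15 to 30 minutes in the Automation account. The identity that runs it only needs the Virtual Machine Contributor role on the resource groups concerned, not Contributor on the subscription.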

To cut costs further, we can use Spot VMs for non-priority tasks (they are much cheaper than regular VMs of the same size, in exchange for Azure being able to evict them when it needs the capacity back, so only use them for workloads that tolerate interruption). You can get more info at: Use Azure Spot Virtual Machines – Azure Virtual Machines | Microsoft Learn

Get rid of those old VM sizes

One thing I do for all of my clients in order to optimize cost is check which size version the VMs are running; this can be extracted from the ARI (remember the first tool):

Why? Because, as you probably know, Microsoft is always optimizing the hardware in its datacenters, so it keeps releasing new versions of the VM sizes. What's the point? The older the VM size, the more you tend to pay for the same or less performance, so check whether there is a newer version of each VM size and you will be able to save some money on each VM. A resize needs a restart (and sometimes a deallocation), so plan it in a maintenance window and verify that the new size supports the VM's disk type and image generation.

Imagine that you have 100 VMs running on a v2 series and changing from v2 to v5 represents a difference of 20€/VM/month: in total the saving is 2000€/month just by moving the VMs to a newer version. Not bad, huh?
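An added PowerShell example (not code from the original post) that does this version check without the spreadsheet: for each VM it splits the size name into family and version (Standard_D2s_v3 becomes Standard_D2s, version 3) and looks for the same family with a higher version among the sizes Get-AzVMSize returns for the VM's region, so it only suggests what your subscription can actually deploy there. It assumes the Az.Compute module.

```powershell
# Added example (not code from the original post). For each VM, parses the size
# name into family and version (Standard_D2s_v3 -> Standard_D2s, version 3) and
# checks whether the same family exists with a higher version in the VM's region.
# Assumes the Az.Compute module; candidate sizes come from Get-AzVMSize.
$sizesByLocation = @{}

foreach ($vm in Get-AzVM) {
    $loc = $vm.Location
    if (-not $sizesByLocation.ContainsKey($loc)) {
        $sizesByLocation[$loc] = @((Get-AzVMSize -Location $loc).Name)
    }
    $size = $vm.HardwareProfile.VmSize
    $null = $size -match '^(?<base>.+?)(?:_v(?<ver>\d+))?$'   # always matches; fills $Matches
    $base = $Matches['base']
    $ver  = if ($Matches['ver']) { [int]$Matches['ver'] } else { 1 }   # no suffix = first generation

    $newer = foreach ($candidate in $sizesByLocation[$loc]) {
        if ($candidate -match "^$([regex]::Escape($base))_v(\d+)$" -and [int]$Matches[1] -gt $ver) { $candidate }
    }
    if ($newer) {
        [pscustomobject]@{
            VM = $vm.Name; ResourceGroup = $vm.ResourceGroupName; Location = $loc
            CurrentSize = $size; NewerSizes = ($newer | Sort-Object) -join ', '
        }
    }
}
```

Treat the result as a first pass: Microsoft changed the naming scheme between some generations (for example DS2_v2 became D2s_v3), which this simple match does not follow. The resize itself is `$v = Get-AzVM -ResourceGroupName <rg> -Name <vm>; $v.HardwareProfile.VmSize = 'Standard_D2_v5'; Update-AzVM -ResourceGroupName <rg> -VM $v`, after checking quota for the new family in that region.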

Azure Hybrid benefit

First question: do you have Software Assurance with Microsoft? If the answer is yes, don't waste more time and money and apply it to your Azure resources; it will help you save up to 40% in cost (for Windows VMs and SQL). Remember that Azure only applies the discount: you remain responsible for actually holding enough licenses with Software Assurance to cover the resources you enable it on.

If you want to know how much you can save with this, you can use the Azure Calculator for this purpose: https://azure.microsoft.com/en-us/pricing/hybrid-benefit/#calculator
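An added example (not code from the original post) to find the Windows VMs that still pay the full price and, when you pass -Apply, switch them to Azure Hybrid Benefit. It assumes the Az.Compute module and that you hold enough licenses for the VMs you switch; nothing in Azure checks that for you.

```powershell
# Added example (not code from the original post). Lists Windows VMs that do not
# use Azure Hybrid Benefit and, when -Apply is given, enables it. Assumes the
# Az.Compute module, and that you hold enough Windows Server licenses with
# Software Assurance to cover the VMs you switch; the setting does not check that.
param([switch]$Apply)

$candidates = Get-AzVM | Where-Object {
    $_.StorageProfile.OsDisk.OsType -eq 'Windows' -and $_.LicenseType -ne 'Windows_Server'
}
$candidates | Select-Object Name, ResourceGroupName, LicenseType,
    @{ n = 'Size'; e = { $_.HardwareProfile.VmSize } } | Format-Table -AutoSize

if ($Apply) {
    foreach ($c in $candidates) {
        # Re-read the full VM object, set the license type and push the change; no reboot is needed
        $vm = Get-AzVM -ResourceGroupName $c.ResourceGroupName -Name $c.Name
        $vm.LicenseType = 'Windows_Server'
        Update-AzVM -ResourceGroupName $vm.ResourceGroupName -VM $vm | Out-Null
        Write-Output "Hybrid Benefit enabled on $($vm.Name)"
    }
}
```

SQL is a separate switch: for SQL Server on a VM it is the SQL virtual machine resource (`Update-AzSqlVM -LicenseType AHUB`), and for Azure SQL Database or Managed Instance on vCore tiers it is `-LicenseType BasePrice`.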

Storage Lifecycle

With this procedure I was able to save a lot of money in a recent IoT project. All the information was stored in blobs, and once a certain period of time had passed we moved the data from one access tier to a cheaper one (hot to cool to archive) in order to cut storage costs, using a lifecycle management policy that runs the transitions automatically.
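An added example of such a policy (not the configuration from the project in the post): block blobs under an assumed container/prefix of telemetry/ go to Cool after 30 days, to Archive after 90 and are deleted after 365 days since last modification. It assumes the Az.Storage module; the resource group, account name and the day counts are placeholders to adapt.

```powershell
# Added example (not the post's own configuration): a lifecycle management rule
# that moves block blobs under the assumed prefix "telemetry/" (container name
# first, then any blob prefix) to Cool after 30 days, to Archive after 90 days
# and deletes them after 365 days. Assumes Az.Storage; names are placeholders.
$rg      = 'rg-iot'          # placeholder
$account = 'stiotrawdata'    # placeholder

$action = Add-AzStorageAccountManagementPolicyAction -BaseBlobAction TierToCool    -DaysAfterModificationGreaterThan 30
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action -BaseBlobAction TierToArchive -DaysAfterModificationGreaterThan 90
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action -BaseBlobAction Delete        -DaysAfterModificationGreaterThan 365

$filter = New-AzStorageAccountManagementPolicyFilter -PrefixMatch 'telemetry/' -BlobType blockBlob
$rule   = New-AzStorageAccountManagementPolicyRule -Name 'tier-iot-telemetry' -Action $action -Filter $filter

# Set-AzStorageAccountManagementPolicy replaces the whole policy, so pass every rule you want to keep
Set-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $account -Rule $rule | Out-Null

# Verify what was stored
(Get-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $account).Rules |
    ForEach-Object { "$($_.Name): " + ($_.Definition.Actions.BaseBlob | ConvertTo-Json -Compress) }
```

Two caveats before copying the numbers: blobs moved to Cool or Archive incur an early-deletion charge if removed or re-tiered before 30 and 180 days respectively, and reading an archived blob requires a rehydration that takes hours and costs money, so only archive data you genuinely expect not to read.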

Networking

Check the costs related to networking; they may scare you.

You will need to identify which applications are using most of the egress bandwidth, and review and redesign your infrastructure accordingly.

Check which gateways are not being used, probably those with a throughput lower than 900 MB/day.

Check your Azure ExpressRoute circuits; probably the first provisioning of the circuit had more bandwidth than needed.

So, check Azure Monitor: Monitor – Microsoft Azure

Clean Orphan Resources

Are you sure that everything you have in your subscription is being used? Use this workbook and take action in your subscription: Azure Orphan Resources (microsoft.com)

Save Azure costs by deleting those unused disks, public IPs and other leftovers which keep consuming storage and account cost (remember that Azure Advisor gives these recommendations as well):

I'm sure that you will save a bunch of €€€ with this procedure.
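If you prefer a script to the workbook, here is an added PowerShell sweep (not the workbook from the post) for the most common orphaned, still-billed resources in the current subscription: unattached managed disks, unassociated public IPs, NICs without a VM and NSGs that protect nothing. It assumes the Az.Compute and Az.Network modules and deletes nothing; an unattached disk may be a deliberate backup, so check tags and owners first.

```powershell
# Added example (not the workbook from the post): a quick sweep for the most
# common orphaned, still-billed resources in the current subscription. Assumes the
# Az.Compute and Az.Network modules. Nothing is deleted: review the list and check
# tags and owners first (an unattached disk may be a deliberate backup).
$report = @()

# Managed disks not attached to any VM (billed by size and SKU)
$report += Get-AzDisk | Where-Object DiskState -eq 'Unattached' | ForEach-Object {
    [pscustomobject]@{ Type = 'Disk'; Name = $_.Name; ResourceGroup = $_.ResourceGroupName
                       Detail = "$($_.DiskSizeGB) GB $($_.Sku.Name), created $($_.TimeCreated)" }
}
# Public IPs not associated with a NIC, load balancer, gateway or NAT gateway
$report += Get-AzPublicIpAddress | Where-Object { -not $_.IpConfiguration -and -not $_.NatGateway } | ForEach-Object {
    [pscustomobject]@{ Type = 'PublicIP'; Name = $_.Name; ResourceGroup = $_.ResourceGroupName
                       Detail = "$($_.Sku.Name) $($_.PublicIpAllocationMethod) $($_.IpAddress)" }
}
# NICs not attached to a VM (and not backing a private endpoint)
$report += Get-AzNetworkInterface | Where-Object { -not $_.VirtualMachine -and -not $_.PrivateEndpoint } | ForEach-Object {
    [pscustomobject]@{ Type = 'NIC'; Name = $_.Name; ResourceGroup = $_.ResourceGroupName; Detail = $_.Location }
}
# NSGs applied to nothing (free, but they hide which rules are really in force)
$report += Get-AzNetworkSecurityGroup | Where-Object { -not $_.NetworkInterfaces -and -not $_.Subnets } | ForEach-Object {
    [pscustomobject]@{ Type = 'NSG'; Name = $_.Name; ResourceGroup = $_.ResourceGroupName
                       Detail = "$($_.SecurityRules.Count) custom rules" }
}

$report | Sort-Object Type, ResourceGroup, Name | Format-Table -AutoSize

# Only after review, for example:
# $report | Where-Object Type -eq 'Disk' |
#     ForEach-Object { Remove-AzDisk -ResourceGroupName $_.ResourceGroup -DiskName $_.Name -Force }
```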

Use of Log Analytics

If you're using Log Analytics to monitor your Azure resources, you should add a daily cap to your Log Analytics workspace: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/daily-cap#view-the-effect-of-the-daily-cap Be aware that once the cap is reached, ingestion stops for the rest of the day, so data you rely on for alerting (security logs included) can be lost; size the cap with headroom and set an alert on it being hit.

Also a few tips:

  • Use Azure Monitor Agent and data collection rules instead of the legacy Log Analytics agent
  • Set retention per table and leave the workspace retention at its default
  • Set the archive tier per table: to meet certain compliance rules, you may need some of the data available for a longer period of time
  • Configure diagnostic settings with only the logs that are needed and used
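The cap and the per-table retention as an added PowerShell example (not code from the original post). It first queries the workspace's own Usage table to see which tables drive billable ingestion, then sets a daily cap and gives one table a short interactive retention with a long total (archive) retention while leaving the workspace default untouched. It assumes the Az.OperationalInsights module (3.x or later for Update-AzOperationalInsightsTable); workspace names, the 5 GB cap and the retention figures are placeholders.

```powershell
# Added example (not code from the original post): see which tables drive
# ingestion, set a daily cap and per-table retention. Assumes Az.OperationalInsights
# 3.x or later (for Update-AzOperationalInsightsTable). Names and numbers are placeholders.
$rg = 'rg-monitoring'; $wsName = 'law-sample'   # placeholders
$ws = Get-OperationalInsightsWorkspaceSafe = $null
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName

# 1. Top billable tables over the last 30 days (KQL against the Usage table; Quantity is MB)
$kql = @'
Usage
| where TimeGenerated > ago(30d) and IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType
| top 10 by IngestedGB desc
'@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql).Results | Format-Table -AutoSize

# 2. Daily cap: ingestion stops for the rest of the day once it is hit, so size it
#    from the numbers above with headroom, and alert on the cap being reached.
Set-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName -DailyQuotaGb 5 | Out-Null

# 3. Per-table retention: 30 days interactive, 2 years total (the rest in archive)
#    for SecurityEvent; the workspace-level default is left alone.
Update-AzOperationalInsightsTable -ResourceGroupName $rg -WorkspaceName $wsName -TableName 'SecurityEvent' `
    -RetentionInDays 30 -TotalRetentionInDays 730 | Out-Null

# Check the result
Get-AzOperationalInsightsTable -ResourceGroupName $rg -WorkspaceName $wsName -TableName 'SecurityEvent' |
    Select-Object Name, RetentionInDays, TotalRetentionInDays
```

The line `$ws = Get-OperationalInsightsWorkspaceSafe = $null` above is a typo of mine and should not be there; the script works with the single Get-AzOperationalInsightsWorkspace call that follows it. Archived data is cheap to keep but must be restored or queried with a search job before you can use it in an alert, which is why the interactive window should cover the period your detections actually look back over.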

Use of Azure Advisor
I must admit that I'm a fan of Azure Advisor; for any project I have, I always tend to review Advisor in order to cut Azure costs.

It helps to detect whether a virtual machine runs on a VM size GREATER than what it needs (based on very low CPU utilization, around 5% or less, over the last couple of weeks; check the current thresholds in the Advisor documentation). If Azure Advisor reports an overprovisioned machine, you need to investigate its use and resize it to a more suitable size.

For this VM rightsizing purpose I also use a script from Jos Lieben, which helps to put your underused VMs in the right size in terms of load: Automatic modular rightsizing of Azure VM's with special focus on Azure Virtual Desktop | Liebensraum

Reserved Instances

Reserved instances allow us to reduce cost by committing to one or three years of usage; there are a lot of resources that can be reserved, so take them into account when you're designing your infrastructure. Reserve only the steady baseline you are sure you will keep running, since an unused reservation is money spent anyway.

As you can see, there are a lot of Azure resources available to be reserved, make use of them 🙂

Azure Advisor always recommends reserving instances of our resources, don't forget it.
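Both the Advisor rightsizing findings and its reservation suggestions can be pulled into one table from PowerShell. The following is an added example (not code from the original post) using the Az.Advisor module; property names differ between Az.Advisor versions, which the two small helpers absorb, and the annualSavingsAmount and savingsCurrency keys are the ones Advisor commonly returns in a recommendation's extended properties (an assumption: not every recommendation type carries them).

```powershell
# Added example (not code from the original post). Pulls Advisor's cost
# recommendations (VM rightsizing, idle resources, reservation purchases) into one
# table with the estimated yearly saving. Assumes the Az.Advisor module. The
# annualSavingsAmount / savingsCurrency keys are an assumption about what Advisor
# returns; recommendations without them show 'n/a'.
function Get-FirstProperty($obj, [string[]]$names) {
    foreach ($n in $names) { if ($obj.PSObject.Properties[$n]) { return $obj.$n } }
}
function Get-ExtValue($ext, [string]$key) {
    if ($null -eq $ext) { return $null }
    if ($ext -is [System.Collections.IDictionary]) { return $ext[$key] }
    return $ext.$key
}

$recs  = Get-AzAdvisorRecommendation -Category Cost
$table = foreach ($r in $recs) {
    $problem = Get-FirstProperty $r 'ShortDescriptionProblem'            # Az.Advisor 2.x flattens the name
    if (-not $problem -and $r.ShortDescription) { $problem = $r.ShortDescription.Problem }   # Az.Advisor 1.x
    $ext    = Get-FirstProperty $r 'ExtendedProperty', 'ExtendedProperties'
    $amount = Get-ExtValue $ext 'annualSavingsAmount'
    [pscustomobject]@{
        Impact        = $r.Impact
        Kind          = if ($problem -match 'reserv') { 'Reservation' } else { 'Rightsize/Idle' }
        Resource      = $r.ImpactedValue
        Problem       = $problem
        YearlySavings = if ($amount) { "$amount $(Get-ExtValue $ext 'savingsCurrency')" } else { 'n/a' }
    }
}
$table | Sort-Object Kind, Impact | Format-Table -AutoSize -Wrap

# Just the reservation (RI) suggestions:
$table | Where-Object Kind -eq 'Reservation'
```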

Azure Budgets

Send a notification when a certain amount of money is spent. Budgets can be set at resource group or subscription level and, for example, email the application or subscription owner when 80% or 100% of the budget is consumed. Note that a budget only notifies; it does not stop or limit resources by itself.

Azure Cost Management

Remember to keep a close eye on the latest updates from Cost Management: https://azure.microsoft.com/en-us/blog/microsoft-cost-management-updates-november-2022/ I'm sure you'll profit from those new features 😉

Insights, the new feature of Azure Cost Management, allows us to get insights into our daily spending on Azure resources: we can detect what is a trend and what is a cost anomaly in our subscriptions.

Azure Governance Dashboard

If you want to deploy a high-level visualization of your Azure resources in Power BI, you can implement the CCO (Continuous Cloud Optimization) Dashboard from GitHub: https://github.com/Azure/ccodashboard

I know that this is more related to governance, but it helps to have a bird's-eye view of the different resources and Azure subscriptions.

PRO TIP

If you really like those cost recommendations, there is a tool on GitHub: https://github.com/helderpinto/AzureOptimizationEngine which enhances the Azure Advisor recommendations and helps you optimize your environment.

Closing

That's all. Probably some of the recommendations are already being followed by you, but I hope this post was interesting to you 😊

Till next time, merry Christmas and happy holidays!

Seven Essential Security Configurations for Microsoft 365

Security essentials in Microsoft 365 are a must. Probably most of these recommendations are already being followed by most of us, but just in case, and as a reminder:

 

Are users configured with multi-factor authentication? Multi-factor authentication is a necessary control that protects users from password attacks such as password guessing and credential theft. If a Microsoft 365 user account is compromised, an attacker may gain access to the user's emails, files, chat history and other sensitive data. So imagine if this happens to an admin... probably: GAME OVER.

If the organization's on-prem Active Directory is synchronized with Azure Active Directory, are only the necessary objects synchronized? Organizations commonly synchronize their on-prem AD with Azure AD. However, it is a security best practice to sync only those AD objects that need to be used within Azure AD (use the sync tool's OU and attribute filtering for that).

 

Is the number of users configured as administrators in Microsoft 365 appropriate for the size of the organization? Having more than one administrator in Microsoft 365 ensures that if one administrator is unavailable, another user can make changes to the tenant. As always, my recommendation, and Microsoft's, is that there should be no more than five Global Admins (and remember to have emergency access accounts as well).

 

Are dedicated administrative accounts used? Separate administrative accounts from personal (daily-use) accounts and, importantly, administrative personnel should use their privileged accounts only when it is required.

 

Are tenant Global Administrators configured with working email addresses? Microsoft 365 Global Admins receive a variety of important email notifications that include service status, security events and other information. So it is important that organizations ensure that Global Admins use an email address that is configured to a working, monitored mailbox.

 

Are the Azure AD user settings changed from their defaults? By default, non-administrative users may access the Azure AD administrative portal and perform several different actions, including:

• Register custom-developed applications for use within Azure AD

• Access the Azure AD administrative portal

• Connect their Azure AD accounts with their LinkedIn account

• Invite external guest users

• Invited guest users can invite additional guest users

Each of these settings may have a security impact, depending on how the organization works. If your organization has not changed any of these default settings to be more restrictive, you'll need to do it; there are a lot of configurations to be done.

 

Are users restricted from creating auto-forwarding rules within Outlook? When a user creates an auto-forwarding rule, emails sent to the account are automatically forwarded without user notification to an email box that the organization does not control. This may expose the organization to risk of loss of sensitive data.
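Two of the checks above (the default user settings and the auto-forwarding rules) can be fixed and verified from PowerShell. The following is an added example (not code from the original post) that assumes the Microsoft.Graph and ExchangeOnlineManagement modules and an account with rights to change the authorization policy and the Exchange Online organization settings. It stops ordinary users from registering applications, limits guest invitations to admins and the Guest Inviter role (which also stops guests inviting guests), blocks auto-forwarding at the tenant level and then lists the forwarding that users have already configured. The portal-access and LinkedIn switches are not exposed this way and stay a task for the Azure AD user settings page; MFA is enforced through Conditional Access or security defaults, not shown here.

```powershell
# Added example (not code from the original post): harden the tenant defaults the
# checklist mentions and block mailbox auto-forwarding. Assumes the Microsoft.Graph
# and ExchangeOnlineManagement modules and an account allowed to change both.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'

# Default user permissions: no app registration by ordinary users; only admins and
# the Guest Inviter role may invite guests (so guests cannot invite guests).
Update-MgPolicyAuthorizationPolicy `
    -DefaultUserRolePermissions @{ allowedToCreateApps = $false; allowedToCreateSecurityGroups = $false } `
    -AllowInvitesFrom 'adminsAndGuestInviters'

# Verify what is now in force
$policy = Get-MgPolicyAuthorizationPolicy
$policy.DefaultUserRolePermissions | Format-List AllowedToCreateApps, AllowedToCreateSecurityGroups
"Guest invites allowed from: $($policy.AllowInvitesFrom)"

# Mail: block auto-forwarding in the outbound spam policy and at the default remote
# domain, then report the forwarding that already exists.
Connect-ExchangeOnline
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Inbox rules that forward or redirect mail
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
# Mailbox-level forwarding (set by the user or an admin, independent of rules)
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
```

Blocking auto-forwarding at the policy level quietly drops the forwarded copies rather than deleting the rules, so the two reports at the end are what tell you which users (or which compromised accounts) had set forwarding up in the first place.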

 

As always, there are a lot of best practices to follow; the previous recommendations are only a few of them, but it's up to you to apply them or stay on the risky path. Stay safe!

 

Log Analytics Best Practices

Hi! You probably know that I am a fan of Log Analytics, so with this post I want to share with you what are my thoughts about best practices while designing and setup of Log Analytics in several deployments, let’s roll!

  • Use as few workspaces as possible: at the beginning I was using several workspaces (one per subscription), but in practice it is more useful to only have one. (The only reasons to have separate workspaces would be cost and retention.) And if you want to control cost, use the table-level retention feature!
  • For long-term retention, move data to a Storage Account 🙂
  • Use one workspace per region: depending on where you are working and the applicable laws, it would be advisable to have different workspaces across regions (EMEA, APAC, US...)
  • Use Azure Policy to install the monitoring agents 🙂 it is very useful
  • Define proper RBAC: depending on which information you are ingesting into Log Analytics, it will be important that only certain people have access to certain data.
  • Set up alerting for events: yes, you are collecting a huge amount of data, but... are you creating alerts and monitoring rules for those important services?
  • Control the cost: it is easy to set up Log Analytics, but it is also easy to send verbose data for all those services, so your main goal should be to tweak the data sources and the amount of information that you're ingesting into Log Analytics.

And finally, the last piece of information... keep an eye on the Log Analytics roadmap; staying up to date is my daily nightmare, so... be patient with this.

till next time!

Best Practices for Configuring the Global Admin Account in Office 365

Use the following best practices to secure your Global Admin account in Microsoft Office 365.

  1. For maximum security, use long passwords for your Global Admin accounts (the old 16-character limit in Office 365 no longer applies; Azure AD accepts up to 256 characters) and always enforce MFA on them.
  2. Always create at least one additional Global Admin account as a backup (an emergency access account). This account doesn't need an Office 365 license.
  3. Instead of using an AdminName@YourDomain.com account for the Global Admin account, use an AdminName@YourDomain.onmicrosoft.com account and DO NOT assign any licenses, so it has no mailbox exposed to phishing and keeps working even if federation or the custom domain breaks.
  4. Always register a phone number and an alternative email address for your Global Admin account, so they can be used for verification by Microsoft if there's a need.
  5. Limit the number of Global Admins in your organization to as few as possible. Two Global Admins are ideal for most small to medium-sized organizations. The rest of the administrators should be assigned a more limited administrator role, such as Billing administrator, Dynamics 365 service administrator, Exchange administrator, Password administrator, Skype for Business administrator, Power BI service administrator, Reports reader, Service administrator, SharePoint administrator or User management administrator. Keep in mind you can assign multiple roles to an individual.
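An added audit script (not code from the original post) that checks the Global Admin accounts against the list above: how many there are, whether each is cloud-only, uses the onmicrosoft.com domain, carries licenses and has an alternative email and phone registered. It assumes the Microsoft.Graph modules and uses the well-known role template ID of Global Administrator (62e90394-69f5-4237-9190-012177145e10). It only sees active assignments; PIM-eligible ones need Get-MgRoleManagementDirectoryRoleEligibilitySchedule in addition.

```powershell
# Added example (not code from the original post): audit Global Administrator
# accounts against the checklist. Assumes the Microsoft.Graph modules; only active
# (not PIM-eligible) assignments are counted.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'

$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # well-known Global Administrator role template
$role    = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$report = foreach ($m in $members) {
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }   # skip groups / service principals
    $u = Get-MgUser -UserId $m.Id -Property UserPrincipalName, AccountEnabled, AssignedLicenses, OtherMails, MobilePhone, OnPremisesSyncEnabled
    [pscustomobject]@{
        UPN         = $u.UserPrincipalName
        Enabled     = $u.AccountEnabled
        CloudOnly   = -not $u.OnPremisesSyncEnabled       # a synced admin inherits on-prem AD compromise
        OnMicrosoft = $u.UserPrincipalName -like '*.onmicrosoft.com'
        Licensed    = $u.AssignedLicenses.Count -gt 0     # break-glass accounts should be unlicensed
        HasAltEmail = [bool]$u.OtherMails
        HasPhone    = [bool]$u.MobilePhone
    }
}
$report | Format-Table -AutoSize

$count = @($report).Count
if ($count -gt 5) { Write-Warning "$count Global Admins: more than the five Microsoft recommends" }
if ($count -lt 2) { Write-Warning 'Only one Global Admin: add a break-glass account' }
```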

Recommendations using Skype For Business meetings

Currently, I am using more and more S4B to Schedule Skype meetings to communicate with other people that are not located in my office or even in my region.

By default, everyone invited to a Skype meeting is considered a "presenter" and has full control over the meeting, but sometimes this configuration is not appropriate for large meetings. You probably want more control over the audio, video or the content presented in the meeting, so the intention of this post is to give some recommendations about using S4B in these situations.

To do this, the first thing to take into account is that all these configurations are controlled from the Outlook client, so you need to create a new Skype meeting and then select Meeting Options in the Outlook ribbon:


You will have a series of possible configurations:

Where do you want to meet online?

  • Select “a new meeting space”. This setting is required if you wish to change any of the default meeting settings.

These people do not have to wait in the lobby:

  • You will want to change this setting unless you want to manually let each person in and have an announcement as each person enters and exits.
  • Suggested options are to allow “People I invite from my company” and “Callers get in directly”.

Who’s a presenter?

  • By default, everyone from our organization is a “presenter”, which means they can control audio, video and screen sharing options.
  • Change this setting to “Only me, the meeting organizer”. This ensures that only the meeting organizer is a presenter. You can choose additional presenters as required.  For example, the person that schedules the meeting is automatically a presenter.  You can also “promote” the individual presiding at the meeting to a presenter to give them full capabilities.

Do you want to limit participation?

  • Presenters always have the ability to chat and share audio and video as well as presentations.
  • In a large meeting, it might be beneficial to mute participants audio and block video in order to provide better control over the environment and ensure a better experience for participants.
  • As a presenter you can un-mute participant’s audio on a case-by-case basis as needed.
  • Participants can also be elevated to presenters at any time to provide full access.

Once you are done making the changes you require, select OK, or use the option to remember these settings so they apply to your future meetings.

That’s all!

Best practices when updating Lync Server

Cumulative Updates (CU) are a kind of service pack that comes out roughly quarterly for Lync Server and the clients. They include fixes and sometimes new functionality.

For Lync Server 2010 the updates can be downloaded from: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=11551

For Lync Server 2013: http://www.microsoft.com/en-us/download/details.aspx?id=36820

As you can see there are a lot of files to download; you can download and update specific components, or you can download the LyncServerUpdateInstaller.exe package that includes all the latest updates. So go ahead, download it and copy the file to your Lync Servers.

To start the update process, log in to your server and start the Lync Server Management Shell.

1. First, check that no users are on the phone or in a meeting before you start the update. You can do this by running Get-CsWindowsService and looking at the activity level reported for each service.

2. Next, prevent new sessions for a while and drain the active connections by running Stop-CsWindowsService -Graceful. Once it returns, the services are stopped.

3. Stop the World Wide Web service by typing: net stop w3svc

4. Close all Lync Server Management Shell windows (the installer cannot replace files that an open shell has loaded).

5. Install the cumulative update by running LyncServerUpdateInstaller.exe

This starts the update tool, which shows which updates are needed and which version is already installed (when the latest package is already installed, every line shows a green checkmark; components that could not be updated show a red stop mark instead).

6. Restart the computer if you are prompted to do so.

The next step is something that is almost always forgotten: updating the Lync Server databases. (This step is not done for you if you used Windows Update to update your Lync Server, so it must be done manually after Windows Update has updated the server.)

7. Start the Lync Server Management Shell (click Start, click All Programs, click Microsoft Lync Server 2010, and then click Lync Server Management Shell).

8. To apply the changes made by LyncServerUpdateInstaller.exe to the SQL Server databases: on Standard Edition servers and Enterprise Edition Front End servers, once the update for the core components is installed, the updated SQL files are dropped on the server. Then run the following cmdlet to apply the changes, replacing <SqlServerFqdn> with the FQDN of the Back End SQL Server (for Standard Edition, the Front End server itself):

Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFqdn <SqlServerFqdn> -UseDefaultSqlPaths

If the RTCDyn databases are removed after you run the cmdlet without the UseDefaultSqlPaths parameter, run the following cmdlet to restore the RTCDyn databases, passing the original database and log file paths:

Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFqdn <SqlServerFqdn> -DatabasePaths <DatabasePaths>

9. Now that the databases are also up to date, it is time to start the IIS and Lync Server services. At the command line, type:
net start w3svc
Start-CsWindowsService
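The same procedure as an added two-phase PowerShell script (not code from the original post). It is split in two because the installer must run with every Lync Server Management Shell closed: run phase Pre, close the shells, run LyncServerUpdateInstaller.exe and reboot if asked, then run phase Post from a fresh Management Shell. It assumes the Lync module that the Management Shell loads, and -SqlServerFqdn is the FQDN of your Back End (or the Standard Edition Front End itself).

```powershell
# Added example (not code from the original post): the update procedure above as a
# two-phase script. Phase Pre drains and stops the services; then close ALL
# Management Shell windows, run LyncServerUpdateInstaller.exe and reboot if
# prompted; phase Post updates the databases and restarts everything.
# Assumes it runs in an elevated Lync Server Management Shell.
param(
    [Parameter(Mandatory)] [ValidateSet('Pre', 'Post')] [string]$Phase,
    [string]$SqlServerFqdn                                   # required for Post, e.g. the Back End FQDN
)

if ($Phase -eq 'Pre') {
    # 1. Show what is still in use so you can decide whether to wait
    Get-CsWindowsService | Select-Object Name, Status, ActivityLevel | Format-Table -AutoSize -Wrap
    # 2. Stop accepting new sessions and wait for the existing ones to drain
    Stop-CsWindowsService -Graceful
    # 3. Stop IIS so the web components can be replaced
    Stop-Service -Name W3SVC -Force
    Write-Output 'Now close ALL Management Shell windows, run LyncServerUpdateInstaller.exe and reboot if prompted.'
}
else {
    if (-not $SqlServerFqdn) { throw 'Phase Post needs -SqlServerFqdn' }
    # 5. Apply the updated SQL scripts to the back-end databases (the step people forget)
    Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFqdn $SqlServerFqdn -UseDefaultSqlPaths
    # 6. Bring IIS and the Lync services back, then verify that nothing stayed down
    Start-Service -Name W3SVC
    Start-CsWindowsService
    $notRunning = Get-CsWindowsService | Where-Object { $_.Status -ne 'Running' }
    if ($notRunning) {
        $notRunning | Format-Table Name, Status
        Write-Warning 'Some Lync services did not start'
    }
    else { Write-Output 'All Lync services are running' }
}
```

In an Enterprise Edition pool, run phase Pre and the installer on one Front End at a time so the pool keeps serving users, and run phase Post only once, after the last Front End has been updated.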

And that’s all!