SECOND EDITION

E-Book series

The Developer's
Guide to Azure
New content on:
Cloud-native apps, dev tools,
DevOps, data & AI, and security
 The Developer’s Guide to Azure 2

The Developer's Guide to Azure

We're here to help
What can Azure do for you?

01 / 04 / 07 /
Getting started with the Azure Connecting your application Deploying your services and
application platform with data optimizing costs
Where to host your application Azure has your data needs covered How can Azure help you deploy your
Azure services and products for Azure SQL Database services and optimize costs?
app development Azure Database for MySQL, Infrastructure as code
Azure Communication Services PostgreSQL, and MariaDB Azure Blueprints
Making your application more Azure Arc‑enabled data services Tracking your Azure usage
performant Azure Cosmos DB Creating a billing alert
Azure Storage How to use Azure Billing APIs
Azure data analytics solutions

02 / Azure Purview
Azure IoT Solutions
08 /
Developer tools and
Microsoft Azure in action
developer cloud
The most comprehensive developer
05 / Navigating the Azure portal
tools and cloud Develop your first web app and
Adding intelligence to
Visual Studio and Visual Studio Code extend it with Logic Apps and
your application Cognitive Services
Build, release, and deploy with GitHub
+ Azure DevOps The role of AI in modern Ready for production
CI/CD application development
Security features Why choose Azure AI?
Better together: Visual Studio +
GitHub + Azure
Azure Applied AI Services
Azure Cognitive Services
09 /
Use your preferred programming Azure Machine Learning
Summary and resources
language Developer tooling for AI
Mixed reality Keep learning with Azure
Free resources extravaganza

03 / About the authors

06 /
Cloud-native applications
Securing your application
What do we mean by cloud native?
Cloud-native components How can Azure help to secure
Kubernetes on Azure your application?
Serverless on Azure Identity
Cloud native and open source Application security
How to build cloud-native applications Posture management
on Azure App access and connectivity
Logging and monitoring
Encryption
 The Developer’s Guide to Azure 3

The
The Developer's Guide to Azure is designed for
developers and architects who are embarking on their
journey into Microsoft Azure. In this guide, you will
learn how to get started and choose services that are

Developer's
appropriate for your scenarios.

From creating websites, databases, and desktop

and mobile applications, to integrating the latest

Guide to
technologies into your application, Azure does the
heavy lifting for you. Azure services are designed to
work together so you can build complete solutions that
last for the lifetime of your application.

Azure Whether you are just starting out, writing code for fun,
or a professional developer, developing with Azure puts
the latest cloud technology and best-in-class developer
tools at your fingertips. You can easily build for the
cloud in your favorite language.

Azure provides a broad range of services that enable

you to build rich applications and solutions so you can
focus on apps, not infrastructure.
 The Developer’s Guide to Azure 4

We're here @Azure on Twitter is the account to follow for news

and updates from the Azure team and community.

to help @AzureSupport on Twitter is operated by skilled Azure

engineers who respond quickly to issues that you tweet
to them.
As you begin your cloud journey, you might run into
some roadblocks. Fortunately, finding help is easy Azure Community Support provides a place for
due to the popularity of Azure. We have compiled the discussions with the Azure community and contains
following comprehensive list of helpful resources: answers to community questions.

With the Azure support plans, you will get access to Azure Advisor automatically makes personalized
Azure technical support teams, guidance for cloud recommendations for your Azure resources, including
design, and assistance with migration planning. You can what you need to do to be more secure, have higher
even acquire a support plan that guarantees a response availability, increase performance, and reduce costs.
from the technical support teams within 15 minutes.
Azure Service Health gives you a personalized view of
The official Azure documentation and guides give you the health of your Azure services.
an overview of everything in Azure and provide deep
insights through the documentation of each feature. Stack Overflow provides answers to Azure questions
and includes many active posts by members of the
Service Level Agreements (SLAs) inform you about Azure engineering teams.
the uptime guarantees and downtime credit policies
for Azure. Stay up to date with the latest releases and product
announcements on Azure at Azure updates.
 The Developer’s Guide to Azure 5

What can Azure By the time you finish reading this guide, you will be
able to:

do for you? • Automate your development process and be

more productive.
• Spend less time doing repetitive tasks and more
time creating reliable and secure app experiences
With Azure, you can get your work done faster, take
your users will love, using best‑in‑class
your skills to the next level, and imagine and build
development tools and integrated DevOps,
tomorrow's applications today.
including Visual Studio, Visual Studio Code,
GitHub, and Azure DevOps.
Azure provides a broad range of services that enable
• Grow your expertise and skills using the
you to build rich applications and solutions for the
resources that are presented in this guide.
cloud in your preferred language. Across our services
we have 1000+ new capabilities, from AI to Kubernetes, • Build on the code, languages, tools, platforms,

to containers, databases, and more, to ensure we’re and frameworks you already know and use.

keeping you ahead of the curve. Azure provides • Add new skills at your own pace and connect
end-to-end developer experience that helps you with a global community of your developer peers
create reliable, global, and secure applications faster. to advance your knowledge and career.
You can build your applications using your favorite • Use different hosting services that Azure offers:
programming languages, open-source frameworks, Azure Virtual Machines, Azure App Service, and
and tools, and host them on Azure. There is a vast containers and featured services.
collection of sample applications available to help • Build modern applications with a cloud-native
you get started and to inspire you with ideas for architecture.
your projects.
• Connect your application to data and include
AI capabilities.
The Developer's Guide to Azure will give you guidance
• Turn your ideas into reality!
and explain the benefits of hosting your application
on Azure.
Let's begin our journey by learning how to get started
with the Azure application platform.
 The Developer’s Guide to Azure 6

01 /
Getting
You have made the decision to build applications
on the cloud, and now you can't wait to begin!

Getting started on Azure is incredibly easy. All you

started
need to do is to sign up for an Azure free account.

With your Azure free account, you'll receive the

following, and you won't be billed unless you

with the
choose to upgrade:

• 12 months of popular free services

• USD 200 credit to explore any Azure service

Azure
for 30 days
• 25+ services, always free

Simply choose which programming languages,

application
tools, platforms, and frameworks you want to use,
and then start running your applications on Azure.
In this section, we will cover the following topics:

platform
• Where to host your application
• What to use, and when
• How to make your application more
performant

Let's start by talking about where you can host

your application on Azure.
 The Developer’s Guide to Azure 7

Where to host such as Internet Information Services (IIS) or Tomcat,

that is used to host HTTP-driven applications. Web

your application Apps can host applications written in .NET, Node.js,

Python, Java, or Go, and you can use the available
extensions to run even more languages.

Azure offers services designed to provide what you If you have an existing application that you wish to
need to deliver and scale every application. When you migrate to Azure, there is a vast number of tooling
use Azure services to run your application, you get options you can use, including Azure Migrate, Azure
scalability, high availability, a fully managed platform, App Service migration assistant, PowerShell scripts
and database services. Azure also offers the following for assessing and migrating .NET sites, and ASP.NET
options for running your application. app containerization and migration to Azure App
Service.

PaaS LEARN
MORE

Platform as a service (PaaS) is a complete development Official Azure developer

documentation
and deployment environment in the cloud, with
resources that enable you to deliver everything
QUICK
from simple cloud-based apps to sophisticated,
START
cloud‑enabled enterprise applications. Create an ASP.NET Core web app
in Azure
Azure App Service
Azure App Service allows you to host your applications
in a fully managed application platform loved by all
developers. Azure App Service provides you with Azure Spring Cloud
a collection of hosting and orchestrating services Azure Spring Cloud makes it easy to deploy Spring
that share features and capabilities. For example, all Boot microservice applications to Azure without
services in App Service have the capability to secure an any code changes. It is a fully managed service that
application using Azure Active Directory and can use lets you focus on building and running applications
custom domains. without the need to manage infrastructure. You can
deploy your JARs or code, and Azure Spring Cloud will
As one of the most widely used Azure services, Web automatically wire your apps with the Spring service
Apps can host your web applications or APIs. A web runtime. Azure Spring Cloud is jointly built, operated,
application is basically an abstraction of a web server, and supported by Microsoft and VMware while still
plugging into platform services to allow observability
during operation.
 The Developer’s Guide to Azure 8

You can develop and deliver Java apps using fully Containers
managed Spring Cloud components, including service
discovery, configuration management, and distributed While much more lightweight, containers are similar
tracing. Azure Monitor provides deep insights into to virtual machines (VMs), and you can start and
application dependencies and operational telemetry, stop them in a few seconds. Containers also offer
providing aggregate metrics for a holistic view of how tremendous portability, which makes them ideal for
different services interact. Powerful visualization tools developing an application locally on your machine
built into the Azure portal enable you to monitor and then hosting it in the cloud, in test, and later
average performance and error rates, along with rich in production.
detail into platform events that may be relevant to
performance decreases or errors. This allows you to You can even run containers on-premises or in other
detect issues before they impact users and continuously clouds—the environment that you use on your
improve your application performance. development machine travels with your container, so
your application always runs in the same ecosystem.
A large portfolio of Spring starters provides
native integration with Azure services such as Scale and orchestrate containers with Azure
Azure Cosmos DB, Azure Active Directory, and Azure Kubernetes Service
Key Vault. With Spring starters, you can make your Azure Kubernetes Service (AKS) makes it simple to
application more secure and connect it to various data create, configure, and manage a cluster of VMs that are
sources, all out of the box. preconfigured to run containers, with support for both
Linux and Windows containers.
Azure Spring Boot is a fully managed service with
scalable global infrastructure. This allows you to focus This means that you can use your existing skills to
on code with no need to manage infrastructure, and manage and deploy applications that run in containers
reduce downtime and deployment risk with turnkey on Azure.
support for blue-green deployments.
AKS reduces the complexity and operational overhead
QUICK of managing a Kubernetes cluster by offloading much
START of that responsibility to Azure. As a hosted Kubernetes
Deploy your first Azure Spring service, Azure handles critical tasks such as health
Cloud application
monitoring and maintenance.

Deploy Spring microservices to

Azure
 The Developer’s Guide to Azure 9

In addition, you pay only for the agent nodes within With Web App for Containers, your applications are
your clusters, not for the masters. As a managed hosted using a predefined application stack based
Kubernetes service, AKS provides automated on a Docker container. The Docker containers, both
Kubernetes version upgrades and patching, easy cluster Windows and Linux, can be deployed from any Docker
scaling, a self-healing hosted control plane (masters), registry, such as Docker Hub, Azure Container Registry,
and cost savings, since you only pay for running agent and GitHub.
pool nodes.
Azure Container Registry
With Azure handling the management of the nodes in Once you have created a container image to run
your AKS cluster, there are many tasks that you don't your application in, you can store that container in
have to perform manually, such as cluster upgrades. Azure Container Registry, which is a highly available
Because Azure handles these critical maintenance tasks and secure storage service, specifically built to store
for you, AKS does not provide direct access (such as container images.
with SSH) to the cluster.
Azure Container Registry is great for storing your
QUICK private Docker images.
START
Get started with Azure You can also use Container Registry for your existing
Kubernetes Service
container development and deployment pipelines.
Use the acr build command to build container images
in Azure. You can either build on demand or fully
Host containers in Azure App Service Web automate builds with source code commit and base
App for Containers image update build triggers.
Web App for Containers helps you to easily deploy and
run containerized web applications at scale.
Virtual machines
Just pull container images from Docker Hub or a private
Azure Container Registry, and Web App for Containers Hosting your application in a VM in Azure Virtual
will deploy the containerized application with your Machines provides you with a lot of control over how
preferred dependencies to production in seconds. you host your application. However, you're responsible
The platform automatically takes care of operating for maintaining the environment, including patching
system (OS) patching, capacity provisioning, and load the OS and keeping antivirus programs up to date.
balancing. You can run Docker containers on Linux and
Windows using Web App for Containers. You can use a VM to test the latest preview version
of Visual Studio without getting your development
machine "dirty."
 The Developer’s Guide to Azure 10

Azure DevTest Labs and Azure Lab Services provide Batch is well suited to running parallel workloads at
the ability to set up lab environments in Azure. These scale, such as financial risk models, media transcoding,
services enable developer teams to more easily manage VFX, 3D image rendering, engineering simulations, and
developer VM resources and costs in the cloud. many other compute-intensive applications. Use Batch
to scale out an application or script that you already run
Azure DevTest Labs allows you to set up an on workstations or an on-premises cluster, or develop
environment for your team. Users connect to VMs in software as a service (SaaS) solutions that use Batch as a
the lab and use them for their day-to-day work and compute platform.
short-term projects. This enables the lab admin to
analyze costs and usage, as well as setting policies to QUICK
optimize the team's costs. START
Get started on Azure Batch with
these step-by-step tutorials
Azure Lab Services lets you create managed lab types.
The service handles all the infrastructure management
for the lab, from spinning up VMs to handling errors
and scaling the infrastructure.
Azure Arc: Hybrid and
Azure Batch multi‑cloud environments
If you need to run large-scale batch or high-
performance computing (HPC) applications on VMs, Azure offers world-class tools and cloud services that
you can use Azure Batch. empower developers to build the applications of
the future. However, your company probably has a
Batch creates and manages a collection of thousands hybrid environment and wants the same best‑in‑class
of VMs, installs the applications you want to run, and development and management experiences for
schedules jobs on the VMs. You don't need to deploy your applications in Azure and in your on-premises
and manage individual VMs or server clusters; Batch environments, edge locations, and even on
schedules, manages, and autoscales your jobs so you other clouds.
only use the VMs you need.
Azure Arc offers simplified management, faster app
Batch is a free service, so you only pay for the development, and consistent Azure services anywhere.
underlying resources consumed, such as VMs, storage, As a developer, you can architect, design, and deploy
and networking. applications anywhere without sacrificing central
visibility, security, and control. You can get Azure
innovation and cloud benefits by deploying consistent
Azure data, application, and machine learning services
on any infrastructure.
 The Developer’s Guide to Azure 11

Some of the key features of Azure Arc include:

• Work faster with Azure turnkey applications
services such as App Service, Web Apps, Logic
Apps, API Management, and Event Grid across
clouds, datacenters, and at the edge.
• For your databases, deploy Azure Arc-enabled
Azure SQL and PostgreSQL Hyperscale on any
Kubernetes distribution and on any cloud.
• Use your favorite tools and existing DevOps
practices anywhere and build iteratively.
• Reduce errors with consistent policy-driven
application deployment and cluster operations at
scale from source control and templates.
• Take advantage of elastic scale, consistent
management, and cloud-style billing
models anywhere.

QUICK
START

Azure Arc Jumpstart

 The Developer’s Guide to Azure 12

Azure services
and products for
app development
As shown in Table 1.1, Azure services and products for
app development are designed to work together and
are highly optimized for developer productivity:

Table 1.1: Azure application services along with features

Let's dive further into Azure App Service features in

the next section.
 The Developer’s Guide to Azure 13

Azure App Service features For example, if you move 10 percent of your users to the
new version of your application in the deployment slot,
Azure App Service is one of the key services in Azure you can see whether the new features are functioning
that you can use to host your applications created with as expected and whether users are using them.
popular frameworks (.NET, .NET Core, Node.js, Java,
PHP, Ruby, or Python) in containers, or running on any When you are satisfied with how the new version of
OS. Azure App Service also adds the power of Azure to your application is performing in the deployment
your applications, including security, load balancing, slot, you can carry out a "swap," which exchanges
autoscaling, and automated management. the application in the deployment slot with that in
your production slot. You can also swap from the
Each of these services brings unique capabilities to the development slot to a staging slot, and then to the
table, but they all share some common features. production slot. Before doing this, the swap operation
verifies that the new version of your website is warmed
Scaling up and ready to go. When this has been confirmed,
Azure App Service runs on App Service plans, which the swap operation switches the slots, and your users
are abstractions from VMs. One or more VMs run now see the new version of the application—with
your Azure App Service, but since Azure takes care of no downtime. You can also swap back and revert the
them, it is not necessary for you to know which ones. deployment of the new version.
You can, however, scale the resources that run your
Azure App Service. You use deployment slots within environments such
as development, test, or production. You don't use
You can either choose a higher pricing tier (ranging deployment slots as environments because they all
from free to premium) or increase the number of reside in the same App Service plan.
application instances that are running. It's even possible
to have Azure App Service automatically scale the Those deployment slots should be separated for
number of instances for you, based on a schedule or security, scaling, billing, and performance. You can
metric, such as CPU, memory, or HTTP queue length. swap deployment slots manually through the Azure CLI
and Azure API Management. This allows DevOps tools
Deployment slots to perform swap operations during a release.
After deploying a new version of your application to
a deployment slot, you can test whether it works as Continuous deployment
expected and then move it into your production slot. To publish your application to App Service, you can use
services such as Jenkins and Octopus Deploy. You can
By setting up staging environments in Azure App also use the continuous deployment (CD) feature in
Service, you can route a percentage of traffic from your App Service.
production application to a deployment slot.
 The Developer’s Guide to Azure 14

The process does the following: TUTORIAL

1. Retrieves the latest source code from the
Map an existing custom DNS name
repository that you indicate to Azure App Service

2. Builds the code according to a template that you

pick (ASP.NET, Node.js, Java, and so on)
Additionally, you can ensure that your application is
3. Deploys the application in a staging environment served over HTTPS by using an SSL/TLS certificate. Just
and load-tests it bring your own certificate, buy one directly from the
4. Deploys the application to production after Azure portal, or create a free App Service managed
approval (you can indicate whether you want to certificate. When you buy an SSL certificate from the
use a deployment slot) Azure portal, you will receive an App Service certificate.
You can configure this to be used by your custom
This makes it possible for you to create a build-test- domain bindings.
release pipeline in App Service.
App Service managed certificates are free, are issued
Connect to on-premises resources by DigiCert, and offer the option to secure your web
You can connect external resources such as data stores applications hosted using a custom subdomain. They
to your app services. Depending on your requirements, are also managed by App Service and are renewed
you can connect to services on-premises through many automatically.
mechanisms, such as:
QUICK
• Azure Hybrid Connections START
• Azure Virtual Networks Purchase and configure an SSL
certificate in this walk-through
• Azure ExpressRoute

These resources do not need to be located in Azure—

they can be anywhere, such as on-premises or in your App Service Environment
own datacenter. In a multi-tier web application, you often have a
database or services used by your application in Web
Custom domains and App Service certificates Apps. Ideally, you want these services to be exposed
When you spin up an application in App Service, it only to the application and not to the internet. Given
exposes a URL—for example, https: //<your_custom_ that it provides the entry point for your users, however,
name>.azurewebsites. net. Most likely, you will want the application itself is often internet-facing.
to use your own custom domain, which you can do by
mapping that domain name to App Service.
 The Developer’s Guide to Azure 15

To isolate these support services from the internet, you Automatic OS and .NET Framework patching
can use Azure Virtual Network. This service wraps your Because you are using a fully managed platform, you
support services and connects them to your application don't manage your own infrastructure at all, but you do
in Web Apps so that the support services are exposed benefit from automatic OS and framework patching.
only to the application, and not to the internet. This
documentation describes the Azure App Service VNet
integration feature and how to set it up with apps in Azure Functions
App Service.
With Azure Functions, you can write the code you need
Sometimes, you want even more control. Maybe for a solution without worrying about building a full
you want your application to be wrapped in a virtual application or the infrastructure to run it. A function is
network in order to control access to it. Perhaps you a unit of code logic that's triggered by an HTTP request
want it to be called by another application in Web or an event in another Azure service, or is based on
Apps and be part of your back end. For this scenario, a schedule.
you can use an Azure App Service Environment. This
affords you a very high scale and gives you control over Some of the key features of Azure Functions include:
isolation and network access.

Snapshot Debugger for .NET

Debugging applications can be difficult, especially
if the application is running in production. With the
Application Insights Snapshot Debugger feature
of Azure Monitor, you can take a snapshot of your
in-production applications when code that you are
interested in executes.

The Snapshot Debugger lets you see exactly what went

wrong without impacting the traffic of your production
application. The Snapshot Debugger can help you to
dramatically reduce the time it takes to resolve issues
that occur in production environments. Additionally,
you can use Visual Studio to set snap points to debug
step by step. You can view the results in the Azure
portal or within Visual Studio.

Table 1.2: Capabilities of Azure Functions

 The Developer’s Guide to Azure 16

Input and output bindings connect your function Cold start/warm start
code to other services, including Azure Storage, Azure Cold start is a term used to describe the behavior of
Cosmos DB, Azure Service Bus, and even third-party an application and its tendency to take longer to start
services such as Twilio and SendGrid. Using Azure up after it has been inactive for a period of time. For
Functions, you can build small pieces of functionality functions running in Consumption and App Service
quickly and host them in an elastic environment that plan pricing models, when a function app has been
automatically manages scaling. inactive for a period of time, it will automatically scale
to zero instances. When new events come in, a new
With Azure Functions, it is possible to pay only instance needs to be specialized with your application
for functions that run, rather than having to keep running on it. Specializing a new instance may take
compute instances running all month. This is also called some time (latency) before the first event can be
serverless because it only requires you to create your handled.
application—you don't have to deal with any servers
or even the scaling of servers. You can write Azure To eliminate cold start latency, you can use the
Functions in .NET, JavaScript, Java, and a growing list Azure Functions Premium plan and configure the
of languages. number of pre-warmed instances. The Azure Functions
application will maintain the specified number of
An application that uses Azure Functions activates a pre‑warmed instances to more readily scale up to
function every time a new image file is uploaded to handle new events.
Azure Blob storage. The function then resizes the image
and writes it to another Blob storage account. Data
from the blob that triggered the function is passed into Azure Logic Apps
the function as the myBlob parameter, which includes
the blob URL. Use the outputBlob output binding You can orchestrate business logic with Logic Apps
parameter to specify which blob to write the result to. by automating a business process or integrating with
There's no need to write the plumbing for connecting SaaS applications.
to Blob storage—you just configure it.
Just like in Azure Functions, Logic Apps can be activated
QUICK by an outside source, for instance, a new message.
START Weaving together API calls to connectors, you can
Create your first Azure function create a (possibly complex) workflow that can involve
using the Azure portal
resources both in the cloud and on-premises.

Logic Apps has many connectors to APIs that can

connect to Azure SQL Database, Salesforce, SAP, and
so on.
 The Developer’s Guide to Azure 17

You can also expose your own APIs or functions as Power Apps
connectors to use in a logic app, making it possible for
you to easily perform actions against external systems Power Apps is a suite of apps, services, and connectors,
in your workflow or have your logic app activated by as well as a data platform, that provides a rapid
one of them. development environment to build custom apps
for your business needs. Using Power Apps, you can
The following is an example of a workflow in quickly build custom business apps that connect
Logic Apps: to your data stored either in the underlying data
1. The logic app is activated when an email platform (Microsoft Dataverse) or in various online
containing a shipping order arrives in and on‑premises data sources (such as SharePoint,
Microsoft 365. Microsoft 365, Dynamics 365, and SQL Server).

2. Using the data in the email, the logic app

Apps built using Power Apps provide rich business logic
checks on the availability of the ordered item
and workflow capabilities to transform your manual
in SQL Server.
business operations into digital, automated processes.
3. Using Twilio, the logic app sends a text message Furthermore, apps built using Power Apps have a
to the customer's phone indicating that the order responsive design and can run seamlessly in a browser
was received and that the item has been shipped. and on mobile devices (phone or tablet).

Power Apps makes the business app-building

QUICK
START experience accessible to everyone by empowering
Get started with Azure Logic users to create feature-rich, custom business apps
Apps without writing code. For professional developers,
Power Apps also provides an extensible platform that
allows developers to programmatically interact with
Just like Azure Functions, Logic Apps is serverless and data and metadata, apply business logic, create custom
scaled automatically, and you pay for it only when it connectors, and integrate with external data.
is running.
QUICK
START

Official Power Apps documentation

 The Developer’s Guide to Azure 18

Power Automate

Microsoft Power Automate is a SaaS offering for

automating workflows across the growing number
of applications and SaaS services that business users
rely on. While Logic Apps is aimed more toward a
developer audience, Microsoft Power Automate is
targeted toward business users, administrators, and
office workers.

Microsoft Power Automate offers an easier path toward

simple integration workflows. Logic Apps offers the
ability to extend Power Automate with more advanced
workflow capabilities. An example of additional
capabilities that Logic Apps offers is the ability to run
inline code within the workflow.

QUICK
START

Learn more about Power Automate

 The Developer’s Guide to Azure 19

Logic Apps versus Power Automate

Both Microsoft Power Automate and Logic Apps offer Both services can integrate with various SaaS and
designer-first integration services that can create workflows. enterprise applications; however, they are each targeted
at different users.
Here's a side-by-side comparison to help determine when
to use Power Automate or Logic Apps for a particular
integration scenario:

Figure 1.1: How to choose between Power Automate and Logic Apps
 The Developer’s Guide to Azure 20

API Management FURTHER

LEARNING

API Management allows you to create API gateways for Azure APIs + Microservices Guide
existing back-end services in a consistent manner.

With API Management, you can publish APIs to Azure API Design E-Book
external, partner, and internal developers to unlock the
potential of their data and services. Essentially, you can
use Azure API Management to take any back end and API Management in a Hybrid and
launch a full-fledged API program based on it. Multi-Cloud World

Some of the common uses of API Management include:

• Securing mobile infrastructure with API access
keys, preventing DOS attacks by using throttling,
or using advanced security policies like JWT
token validation.
• Enabling ISV partner ecosystems by offering
fast partner onboarding through the developer
portal and building an API facade to decouple
from internal implementations that are not ripe
for partner consumption.
• Running an internal API program by offering
a centralized location for the organization
to communicate about the availability and
latest changes to APIs, gating access based on
organizational accounts—all based on a secured
channel between the API gateway and the
back end.
 The Developer’s Guide to Azure 21

What to use, and when

Some of the services that run your application in Azure

can work together in a solution, while others are more
suited to different purposes.

While this can make it difficult to pick the right services,

Figure 1.2 will help you to identify which services in
Azure are right for your situation:

* Services with an asterisk have a free tier that you can use to get started at no cost.

● For lifting and shifting existing applications to Azure.

Figure 1.2: A quick summary on choosing an Azure service in various scenarios

 The Developer’s Guide to Azure 22

Using events and messages in By decoupling the systems, the web application

your application can work at a different speed from the web

service, and both can be scaled individually to the
Modern, globally distributed applications often have to application's needs.
deal with large amounts of messages coming in, so they
need to be designed with decoupling and scaling in
DOC
mind. Azure provides several services to help with event
ingestion and analysis as well as messaging patterns. Get started with Service Bus
queues
These services are also vital for creating intelligent
applications that make use of AI.

Service Bus Service Bus topics

The core of messaging in Azure is Service Bus. Service Just like Service Bus queues, Service Bus topics are a
Bus encompasses a collection of services that you use form of application decoupling.
for messaging patterns. The most important services
are Azure Service Bus queues and topics. Here are the differences between them:
• With a queue, multiple applications write
Service Bus queues messages to the queue, but only one application
Service Bus queues decouple systems from one at a time can process a message.
another. For example, a web application receives orders
• With a topic, multiple applications write
from customers and needs to invoke a web service to
messages to the topic, and multiple applications
process the orders. The web service will take too long to
can process a message at the same time.
process the orders, perhaps up to five minutes.
Applications can create a subscription on the topic that
One way to solve this problem is to use a queue to indicates what type of messages they're interested
decouple the web application from the web service. in. Just like queues, topics have features, including
The web application receives the order and writes it duplicate detection and a dead letter subqueue,
in a message on a Service Bus queue. Then, the web to which messages are moved when they fail to be
application informs the user that the order is being processed correctly.
processed. The web service takes messages from
the queue, one by one, and processes them. When
DOC
the web service has processed an order, it sends an
email notification to the customer that the item has Get started with Service Bus
topics
been ordered.
 The Developer’s Guide to Azure 23

Event Hubs Event Grid

Event Hubs can help enterprises capture massive Event Grid offers a different type of messaging—a fully
amounts of data to analyze or transform and move for managed publish and subscribe service that hooks into
later use. almost every service in Azure as well as into custom
publishers and subscribers.
Event Hubs is designed for massive data ingestion.
It effortlessly handles millions of messages per second. This is different from working with Service Bus queues
It retains messages for up to 7 days or indefinitely by and topics, for which you'd need to poll the queue
writing messages to a data store using the Event Hubs or topic for new messages. Event Grid automatically
Capture feature. pushes messages to subscribers, making it a real-time,
reactive event service.
You can use Event Hubs to filter data with queries as
it comes in and output it to a data store such as Azure Services inside and outside of Azure publish events
Cosmos DB. You can even replay messages. when a new blob is added, for example, or when a
new user is added to an Azure subscription. Event Grid
QUICK detects these events and makes them available to event
START handlers and services that subscribe to the events, as
Send events to and receive shown in Figure 1.3:
events from Azure Event Hubs

Figure 1.3: Flow of events from event publishers to event handlers

 The Developer’s Guide to Azure 24

Event handlers could be Functions or Logic Apps, which Azure SignalR Service
can then act on the data in the event. You can use Azure SignalR Service to simplify the
process of adding real-time web functionality to
Another important aspect of Event Grid is that it applications over HTTP that enables services to push
is serverless. This means that, like Logic Apps and content updates to connected clients. The service is
Functions, Event Grid scales automatically and does based on ASP.NET Core SignalR and is offered as a
not need an instance of it to be deployed. You just standalone, fully managed service in Azure.
configure and use it, and pay only when it's used.
SignalR can update connected applications in real
You can use Event Grid if you want an email notification time over HTTP without the need for the applications
every time someone is added to, or removed from, your to poll for updates or submit new HTTP requests. This
mailing list in Mailchimp. Event Grid is used to activate enables you to create seamless web experiences that
an application in Logic Apps and configured to listen to update information on the fly. For example, an auction
changes to the Mailchimp mailing list. Event Grid then application might use SignalR to refresh the latest bid as
signals to Logic Apps to send an email containing the soon as it happens, without completely refreshing the
name of the person who has been added or deleted page or constantly polling for information.
and the action that was performed.
Hosting a SignalR server yourself is not a simple task,
and it can be difficult to scale and secure properly.
TUTORIAL
When you use the fully managed Azure SignalR Service,
Monitor virtual machine changes setup is easy, and security, availability, performance,
with Event Grid and Logic Apps
and scalability are all managed for you.

QUICK
START

Create a chat room with SignalR

 The Developer’s Guide to Azure 25

Azure messaging services

Azure provides a myriad of options to perform
messaging and to decouple applications. Which one
should you use, and when? Figure 1.4 summarizes the
differences to help you choose.

Use for Max

Event Device Multiple Multiple Use for publish/ message
ingestion management Messaging consumers senders decoupling subscribe size

Service Bus
1 MB
queues*

Service Bus
1 MB
topics*

Event Hubs* 256 KB

Event Grid* 64 KB

SignalR
64 KB
Service*

* Services with an asterisk have a free tier that you can use to get
started at no cost.

Figure 1.4: A summary of Azure services for events and messages:

what to use and when
 The Developer’s Guide to Azure 26

Azure Some of the features of Azure Communication

Services include:

Communication • Deliver video, voice, chat, SMS, and telephony

experiences anywhere your customers are

Services (across your applications, websites, and

mobile platforms).
• Use a reliable global platform trusted by millions
of people daily.
Azure Communication Services is a platform with rich
• Reach more customers without compromising
communication APIs for deploying voice, video, chat,
security using a secure and compliant cloud.
or SMS capabilities within your applications across
any device, on any platform, using the same reliable • Connect people across web and mobile apps.

and secure infrastructure that powers Microsoft Add communication workflows to apps with

Teams. You can add communication features to your flexible SDKs and APIs for common platforms

applications without being an expert in communication and programming languages, including iOS,

technologies such as media encoding and real-time Android, Web, .NET, and JavaScript.

networking. Azure Communication Services supports

various communication formats:
QUICK
• Voice and video calling START

• Rich text chat Add chat to your app

• SMS

Add 1:1 video calling to your

app

Send an SMS message

 The Developer’s Guide to Azure 27

Making your Including Traffic Manager in your architecture is a great

way to improve the performance of your application.

application more
Azure Front Door
performant
Your users may be spread across the globe and, at
times, they may be traveling. This can make it difficult
After your application is up and running in Azure, you to ensure that they have a performant experience and
want it to be as performant as possible. Azure provides that your application is available and secure, regardless
a range of services that can help you with that. of location.

Azure Front Door can help.

Azure Traffic Manager
This service can route traffic from users to the most
Many modern applications have users all over the performant application endpoint for them to improve
world. Providing a performant experience for everyone performance. Front Door can route to available
is challenging, to say the least. The most obvious endpoints, while avoiding endpoints that are down.
problem you need to deal with is latency, the time it
takes for a signal or a request to travel to a user. The Traffic Manager does this as well, but in a different
farther away users are from your application, the more manner to Front Door. Front Door works at OSI layer 7
latency they experience. or the HTTP/HTTPS layer, while Traffic Manager works
with DNS. In other words, Front Door works on the
Azure Traffic Manager scales across regions, helping application level, and Traffic Manager works on the
to reduce latency and provide users with a performant network level. This is a fundamental difference that
experience, regardless of where they are. determines the capabilities of the services.

Traffic Manager is an intelligent routing mechanism Because of this difference, Front Door does a lot more
that you put in front of your Web Apps applications. than route users to available and performant endpoints.
Web Apps acts as an endpoint, which Traffic Manager
monitors for health and performance. Front Door allows you to author custom web
application firewall (WAF) rules for access control to
When users access your application, Traffic Manager protect your HTTP/HTTPS workload from exploitation
routes them to the Web Apps application in their based on client IP addresses, country codes, and
proximity that is most performant. HTTP parameters.
 The Developer’s Guide to Azure 28

If you need help choosing between Front Door and

Traffic Manager, consider the following guidance:

Figure 1.5: Choosing between Front Door and Traffic Manager

Other capabilities of Front Door include: • SSL termination

With this, you can secure your traffic from end to
• URL-based routing
end, from the browser to the application in the
This allows you to route requests for different
back-end pool.
URLs to different back-end pools (applications
that receive traffic, such as Web Apps). For • Session affinity
instance, http:// w ww.contoso. com/users/*
When you want users to be sent to the same
goes to one pool, and http:// ww w.contoso. com/
endpoint every time, session affinity is useful.
products/* goes to another.
This is important in cases where the session state
is saved locally on the back end for a user session.
• URL rewrite
This enables you to customize the URL that you
pass on to the back-end pool. Additionally, Front Door enables you to create rate-
limiting rules to battle malicious bot traffic. These are
just some of the unique capabilities of Front Door.
 The Developer’s Guide to Azure 29

Azure Content Delivery Network You can benefit from Content Delivery Network in
web applications as well as in mobile and desktop
One of the Azure services that can help you to applications. One way to use Content Delivery Network
make your application faster is Azure Content is to serve videos for a mobile application. Since
Delivery Network. videos can be large, you don't want to store them on
the mobile device—and neither do your users. Using
You upload your static files—videos, images, JavaScript, Content Delivery Network, the videos are served
CSS, and even static HTML files—to a data store, such as from the PoP. Since it is close to the user, this also
Azure Blob storage, and then couple Content Delivery improves performance.
Network to that.
QUICK
Content Delivery Network will then take those static START

files and replicate them to hundreds of points of Get started with Azure Content
Delivery Network
presence (PoP) all over the world. All you need to do in
your application is change the reference to the static
files to a different URL.
In the next chapter, you will look at the Microsoft
For example, the previous reference might have developer ecosystem, including the Visual Studio family
been ~/images/image.png, and it would now be of IDEs, GitHub, and Azure DevOps.
https: //example. azureedge.com/image.png.

Not only is this easy to do, but it also improves the

performance of your application in the following ways:
• It offloads serving content from your application.
Since it is now served by Content Delivery
Network, it frees up processing cycles for your
application.
• It brings static content physically closer to your
users by distributing it to PoPs all over the world.
 The Developer’s Guide to Azure 30

02 /
Developer
tools and
developer
cloud
 The Developer’s Guide to Azure 31

The most
comprehensive
developer tools
and cloud
The Microsoft developer ecosystem, including the Let's take a look at the key tooling and platforms that
Visual Studio family of IDEs, coupled with the power comprise Microsoft's developer ecosystem:
of DevOps platforms—GitHub, Azure DevOps, and • Visual Studio and Visual Studio Code:
cloud services in Microsoft Azure—provides the most World‑class IDEs built for everyone and
comprehensive end-to-end developer experience. runnable anywhere.
• GitHub and Azure DevOps: Community‑based,
"Microsoft has the world's most beloved developer tools
open-source, and enterprise-grade work item
with Visual Studio, and with GitHub hosts the developer
tracking, CI/CD pipelines, artifact storage,
community where the world comes together to build
and more.
software. Developers can use their favorite languages,
• Microsoft Azure: Azure is an excellent cloud
open-source frameworks, and tools to code and deploy
provider, offering the ability to host .NET, Java,
code to the cloud from anywhere, collaborating in
JavaScript/Node.js, Python, and more.
a secure way, and integrating different components in
no time." Now it's time to explore the Visual Studio family

– Scott Guthrie of tools, GitHub and Azure DevOps, and platform

integration services in more detail.
 The Developer’s Guide to Azure 32

Visual Studio inside the IDE. Visual Studio Live Share lets developers
collaborate in their IDE in real time by setting up a

and Visual Studio shared network session, allowing participants to edit

and work together as if they were sitting side by side.

Code Whether developers want to deploy their app locally, to

their own servers, or to Azure, Visual Studio makes the
process consistent and easy to set up. Deployment to
With Visual Studio and Visual Studio Code, you can Azure can be configured from within the IDE, regardless
develop your application wherever and however you of whether it's published directly, via FTP, through a
like. From game development to web applications CI/CD pipeline, to Azure PaaS services, or through a
and even Linux apps written in C++ or .NET, Visual Docker/Kubernetes container configuration.
Studio continues to be the IDE of choice for developers
working on Windows. Visual Studio Code is one of
the most popular editors for developers working on Visual Studio for Mac
any operating system and building apps with any
programming language or framework. Visual Studio for Mac is a full-featured IDE for
developers on macOS who build applications, games,
and services for iOS, Android, macOS, the cloud, and
Visual Studio the web. Modern technologies and frameworks like
.NET, Unity, C#, and F# enable you to rapidly innovate
Visual Studio is an integrated, full-featured with a world-class IDE. Visual Studio for Mac is designed
development environment providing teams natively for the Mac, while being powered by the same
and individuals with the end-to-end toolset for code editor, compiler, IntelliSense code completion, and
development, testing, debugging, and deployment. refactoring experience that you know and love from
Visual Studio offers a set of innovative and intelligent Visual Studio on Windows.
features that allows individual developers and entire
teams alike to be more productive. IntelliSense and
IntelliCode bring smarter code completion into the Visual Studio 2022
IDE and simplify repetitive tasks like refactoring.
Diagnostics and debugging features, such as Snapshot Visual Studio's upcoming release, Visual Studio 2022
Debugging and live integration with Azure Application coming in late 2021, will be full of performance
Insights, offer full visibility into your app's execution enhancements and a wide range of features to boost
history and debug state wherever it runs. Built- personal and team productivity. With 64-bit Visual
in Git and GitHub integration allows for seamless Studio 2022, developers can scale to large and complex
collaboration: developers can create and clone repos, solutions without running out of memory. Innovative
manage branches, and resolve merge conflicts right features such as Hot Reload for .NET and C++ apps, Live
 The Developer’s Guide to Azure 33

Preview for XAML apps, Web Live Preview for ASP.NET Visual Studio Code
apps, and IntelliCode whole-line completion will enable
developers to be productive in their app development Visual Studio Code is a cross-platform code editor
lifecycle. Improved Git and GitHub tooling and Live with binaries for Windows, macOS, and Linux. Many of
Share with integrated chat will enable developers to the features that make Visual Studio great can also be
collaborate seamlessly. found in Visual Studio Code, from classic IntelliSense to
newer features like IntelliCode and Live Share.
Visual Studio 2022 will also come with the latest
innovative tools for modern app development. Visual Leveraging an ecosystem of 30,000 (and growing) first-
Studio 2022 will have full support for .NET 6 and its party and third-party extensions and themes, Visual
unified framework for web, client, and mobile apps for Studio Code can be customized to the needs of each
both Windows and Mac developers. This includes the developer and supports working with virtually every
.NET Multi-platform App UI (.NET MAUI) for cross- programming language and framework, and tools like
platform client apps on Windows, Android, macOS, and package managers. Extensions for Azure allow building,
iOS. Developers will be able to use ASP.NET Blazor web deploying, and managing applications using a variety
technologies to write desktop apps via .NET MAUI. For of Azure services with a few clicks, while collaboration
C++ developers, Visual Studio 2022 will include robust is made simpler with extensions for GitHub pull
support for C++ workloads with new productivity requests and issues. You can even develop your own
features, C++20 tooling, and IntelliSense. We're also custom extensions that satisfy any unique needs you
integrating support for CMake, Linux, and Windows or your team may have. Visual Studio Code also allows
Subsystem for Linux (WSL) to make it easier for you to developers to work with remote hosts and machines,
create, edit, build, and debug cross-platform apps. via extensions like Remote-SSH and Remote-Containers
(for Docker containers), as well as GitHub Codespaces.

DOCS
Visual Studio Code is completely free to use on any
Visual Studio platform and is based on an open-source codebase.

GETTING
STARTED
Visual Studio 2022 Roadmap
Visual Studio Code

Visual Studio 2019 for Mac

Download Visual Studio Code
 The Developer’s Guide to Azure 34

Build, release, Planning and tracking

and deploy with Both GitHub and Azure offer management of the
product roadmap and backlogs as a part of agile

GitHub + Azure methodologies.   

DevOps
GitHub offers issues to track ideas, enhancements,
tasks, or bugs. GitHub also offers project management
with tagging, milestones, and Kanban boards to drive a
project forward.   
The Azure DevOps product management and
engineering teams at Microsoft joined GitHub under If a more structured process is desired, Azure Boards
a single leadership team to deliver on coordinated can be integrated into GitHub or used with other
roadmaps. This renewed focus on both offerings Azure DevOps services. Azure Boards supports agile
ensures that GitHub will continue to rise as the platform methodologies, including Agile, Scrum, and Kanban.
of choice for code management and CI/CD mechanics, Azure Boards enables you to track work with Kanban
while ensuring Azure DevOps continues to deliver the boards, backlogs, team dashboards, and custom
mature software development lifecycle features to reporting. For roadmap planning, Delivery Plans can
its users. be added to Azure DevOps from the Visual Studio
Marketplace, providing everything a team needs to
The GitHub and Azure DevOps team recognizes track a feature from ideation to production.  
that one solution doesn't always fit all, which is why
Microsoft allows customers to adopt hybrid GitHub and GitHub Boards
Azure DevOps environments. Two of the most well- Project boards on GitHub can help you organize and
known hybrid solutions are: prioritize your work using a Kanban approach to work
• Azure Boards-GitHub integration management. These boards are flexible and can be
used to track specific feature work, software roadmaps,
• Azure Pipelines-GitHub integration
and even release checklists.

The primary components of project boards include

DOCS
issues, pull requests, and notes. These components
Azure DevOps Public Roadmap are all visualized on the board as cards within one or
more columns. Cards can contain relevant metadata for
issues and pull requests, such as status, assignees, and

GitHub Public Roadmap who opened them. Notes can be used to create task
reminders, reference specific issues or pull requests,
or any other information that may be relevant to
the board.
 The Developer’s Guide to Azure 35

Project boards come in three different configurations: Repository and dev workflows
• User-owned project boards, related to
GitHub enables developers to share code and packages
personal repos
through its core repository capabilities, GitHub
• Organization-wide project boards, which can Packages, and npm. Azure Repos provides both Git
contain issues and pull requests on up to 25 and Team Foundation Version Control (centralized)
repositories within an organization repositories and Azure Artifacts for packages. Both
• Repository project boards, which are scoped to GitHub and Azure DevOps integrate with Azure
issues and pull requests within a single repository Container Registry, which provides a fully managed and
optionally geo-replicated instance for Docker images
Project boards can also be automated, allowing for and Helm Charts.
cards to move from one status to another. Trigger-
based workflows enable cards to assume specific GitHub Repos
statuses such as To do, In progress, or Done. Typically Repos are the heart of GitHub. Using standard Git
the triggers consist of simple events, such as issues format, you can manage your project's files, as well
being created, new pull requests being opened, issues as discussing and managing your project's work. You
being closed, or pull requests being merged. can restrict who is allowed to view or contribute to a
repository by changing its visibility level. You may select
Azure Boards public (default) or private, which keeps access restricted
Planning your work and tracking your progress are to users you wish to have access.
important tasks—and Azure Boards can help you
complete them. If you are using the free version of GitHub, you are
able to use unlimited public repositories with access
In Azure Boards, you can create a complete backlog to a full feature set, or unlimited private repositories
of work items (such as user stories) and plan them with a limited feature set. The limitations are in the
in sprints so your team can work iteratively to finish form of scoped access to GitHub Community support,
the tasks. Dependabot® alerts, storage limits, and other
constraints. Premium tiers offer the ability to increase
The whole planning system is optimized for working minutes/month on GitHub Actions and storage on
in an agile way. It even includes Kanban boards for GitHub Packages storage along with advanced features
managing your work. around pull request management, protected branches,
and repository insight graphs. Please see GitHub's
Everything can be customized to work in the best products listing for more information.
possible way for your teams, whether using Scrum,
another agile method, or the Capability Maturity
Model Integration (CMMI) process. You can create
and manage tasks, features, user stories, bugs,
requirements, issues, change requests, and more.
 The Developer’s Guide to Azure 36

Azure Repos Packages supports many commonly used package

Azure Repos uses standard Git. This means that you can managers, such as npm, RubyGems, Apache Maven,
use it with any Git tool and IDE, including Visual Studio Gradle, Docker, and NuGet. In addition, GitHub offers
and Visual Studio Code, as well as Git for Windows, container registry support for hosting Docker or OCI
macOS, Linux, Eclipse, and IntelliJ. When you follow images. Access tokens are required to publish, install, or
the Git workflow, you usually begin by creating your delete packages, keeping the lifecycle management of
own branch of the code to, for instance, add a feature. your packages secure.
Once you finish this, you commit your code to create a
pull request for that branch and submit it to the server. GitHub Packages also offers automation support. You
Users can see, review, test, and discuss this pull request. can integrate Packages with GitHub Actions, GitHub
Once it's good enough to be pulled into the main APIs, and webhooks to create DevOps workflows
branch, the request is accepted, and your development including your code, continuous integration (CI), and
branch can be deleted. deployment all in one interface.

With Azure Repos, you have a rich toolset to support Azure Artifacts
the Git workflow. You can link work items, such as user You can host all sorts of packages on Azure Artifacts,
stories or bugs, to pull requests so you know what including NuGet, npm, Maven, Python, and universal
each change is about. You can have discussions about packages. You can even use the Azure Artifacts feed
committed code and even comment on changes within to store packages from public sources, such as nuget.
code. Azure Repos also enables voting on changes in org and npmjs.com. When you store packages from
code, so a change only gets accepted once everyone on public sources on your feed, you'll be able to keep using
the team agrees to it. them even if they're no longer available on the public
feed. You'll also be able to leverage Azure Artifacts
Azure Repos offers unlimited private Git repositories. to review and validate each package for security
purposes within your feed. This is especially useful for
GitHub Packages mission‑critical packages.
GitHub Packages is a software package hosting service
that allows you to host your own packages privately Follow these simple steps to use Azure Artifacts:
or publicly. These packages can then be used in your 1. Create an Azure Artifacts feed.
projects or made available to other users.
2. Publish your package to the feed.

3. Consume the feed in your favorite IDE, such as

Visual Studio.
 The Developer’s Guide to Azure 37

CI/CD Actions uses YAML syntax to define workflows, events,

jobs, and steps within those jobs. Any workflow created
for your project will be stored in the repository under a
specific workflows folder (.github/workflows). Creating
Both GitHub Actions and Azure Pipelines provide a workflow is as simple as opening a new file and filling
fully automated CI and continuous deployment (CD) in some basic information, such as the workflow name,
capabilities. Users can define multiple environments, the event(s) that trigger(s) the workflow, and one or
each with their own approval rules, secrets, and more jobs. An example of a basic workflow can be
security permissions. For more complex scenarios, or seen below:
for developers using repositories outside of GitHub,
Azure Pipelines provides access to code from outside name: sample-github-actions
of GitHub along with centralized management of on: [push]
workflow templates and other features focused on jobs:
check-bats-version:
enabling secure deployments at scale.
runs-on: ubuntu-latest
steps:
GitHub Actions and Azure Pipelines can be used - uses: actions/checkout@v2
individually or together. Many companies will choose - uses: actions/setup-node@v2
- run: npm install -g bats
to automate builds using pipelines, and use GitHub
- run: bats -v
Actions to automate non-build workflows. You can also
store and serve internal packages and containers with
the GitHub Package Registry while keeping compiled This will, on pushing new code to the repository, check
binaries and other artifacts in Azure Artifacts. Both out the code, set up Node.js, install the bats package in
products offer deep integration with Azure through the global npm registry, and validate the installation by
an extensive library of tasks and actions in their requesting the version of the package.
respective marketplaces.
GitHub Actions has a wide variety of built-in actions for
your use, along with many more being contributed by
GitHub Actions the community daily. Over 9,000 actions can be found
by visiting the GitHub Marketplace and searching
GitHub Actions helps you automate tasks within your for Actions.
project that relate to the overall software development
lifecycle of your code. These actions are event-driven,
which allows you to configure one or more commands
to run after a specific event has occurred. Each event
triggers a workflow, which comprises one or more jobs.
Each job can have one or multiple actions, allowing for
highly configurable workflows to be constructed.
 The Developer’s Guide to Azure 38

Azure Pipelines

Azure Pipelines provides a lot of value in a small

amount of time. It enables CI for compiling and
testing code when changes come in, as well as CD for
deploying applications after changes are compiled and
tested successfully. We encourage every organization
to explore CI and CD, as these processes improve code
quality and reduce deployment efforts.

Azure Pipelines can help with CI and CD by offering

build and deployment pipelines. Each contains steps
to compile and test your code and deploy it to one or
more environments. The beauty of Azure Pipelines is
that it works with any type of code, no matter where
you store it—from C# on Azure Repos to Java on
Bitbucket, to Node.js on GitHub, or any other language,
Git, or SVN repository.

Azure Pipelines works very well with Azure services

to deploy your application in an Azure web app, for
instance. It also works with any service that runs in any
other environment, such as Google Cloud Platform,
AWS, or even on-premises in your own datacenter.
If you're already using CI tools such as Jenkins or
Spinnaker, you can easily bring your existing builds
and pipelines to Azure and take advantage of dynamic
agent plug-ins to reduce infrastructure requirements
and costs.

Make your pipelines as simple or as complex as you

want. Ideally, you want to automate as much as you can,
from the creation and destruction of your infrastructure
to the deployment and testing of your application.
Pipeline tasks are available for almost everything,
and you can access more tasks as extensions to Azure
DevOps in the Visual Studio Marketplace.
 The Developer’s Guide to Azure 39

Security features Between GitHub and Azure, we have a suite of tools and
services to help. Azure and GitHub provide the building
blocks to develop and scale DevSecOps practices:
• Shift security left with GitHub Advanced Security,
When developing an application, security needs to allowing issues to be detected as soon as they
be integrated into your DevOps process as much as are introduced into the codebase.
CI, testing, and work item tracking. In many CI/CD
• Understand the runtime behavior of your apps
platforms, proactive security scanning can be enabled
and infrastructure with Azure Monitor.
through the use of custom scripts or plug-ins to the
• Leverage secret scanning with GitHub.
platform itself. With GitHub, security is always at the
top of your mind. From helping to integrate security • Create policy as code with Azure Policy.

into your workflows to proactively scanning your • Secure your application using secret
repositories for potential vulnerabilities in your code or management with Azure Key Vault.
libraries, GitHub's powerful platform tools help take the • Uncover vulnerabilities and dependencies with
guesswork out of writing and maintaining secure code. GitHub code scanning and Dependabot.
• Integrate production instances with Azure
Security Center, your home for security
DevSecOps information and status.

DevOps best practices of CI and CD rely on heightened With GitHub and Azure, it's never been easier to
collaboration between software engineers and kickstart and scale your own DevSecOps practices
operations teams to accelerate software development. with our unified solution. This complete toolset offers
While DevOps delivers on the promise of faster ways for you to remove bottlenecks clogging your
software development, digital leaders face issues with delivery pipeline and provide the necessary controls for
the security and compliance of their code, workflows, compliance and security. By uncovering vulnerabilities
and infrastructure. Azure and GitHub provide the tools earlier, your teams save time remediating issues and
for any organization to implement DevSecOps, the achieving compliance, while also minimizing any
evolution of DevOps, where developer, security, and associated costs. So, they can focus on their main
operations teams foster a culture of collaboration to goals: propelling innovation with efficient and secure
achieve continuous security. software delivery.
 The Developer’s Guide to Azure 40

GitHub Advanced Security GitHub Dependabot

GitHub Advanced Security is a suite of advanced GitHub Dependabot creates automated pull requests
application security capabilities that helps developers to help keep your dependencies secure and up to date.
find and fix issues within their workflow. GitHub Dependabot monitors security advisories for Ruby,
Advanced Security consists of code scanning and secret Python, JavaScript, Java, .NET, PHP, Elixir, and Rust.
scanning capabilities along with Security Overview. Pull requests are created immediately in response to
new advisories. When there's remediation for a new
Code scanning provides an automated security review security threat or an updated version of referenced
with every Git push. It provides accurate, actionable components, Dependabot creates pull requests
security reviews within the developer workflow and that include release notes, changelogs, commit
offers an opportunity to fix issues before merging code. links, and vulnerability details. These pull requests
Code scanning is powered by GitHub's CodeQL engine are then reviewed and committed by developers or
and integrates with any static application security maintainers—keeping dependencies secure and up
testing (SAST) engine while providing the same user to date.
experience that developers love.
If you want to improve the quality of your software and
Secret scanning watches your repositories for known learn more about automating your build and release
secret formats and notifies you as soon as secrets are processes, download and read these free resources:
found. Secret scanning supports 45+ commonly used
secret patterns (including Azure, AWS, Google Cloud,
DOCS
npm, Stripe, and Twilio) and custom secret patterns.
Effective DevSecOps
Security Overview provides a high-level view of
the application security risks to which a GitHub
organization is exposed. This view includes code
GitHub Advanced Security
scanning, secret scanning, and Dependabot results,
along with associated risks.

GitHub Dependabot
 The Developer’s Guide to Azure 41

Better together:
• Collaboration platforms provide developers
with access to communicate and coordinate

Visual Studio +
with team members and leverage the collective
knowledge of the open-source community.

GitHub + Azure
• Advanced cloud services give developers more
tools to innovate and experiment with building
apps for a variety of platforms.

Visual Studio, GitHub, and Azure provide developer

DOCS
teams with the tools, platform, and service to support
modern app development. By combining the advanced Visual Studio documentation
development, testing, and debugging features of
Visual Studio with the open-source knowledge base
and automation power of GitHub, Microsoft gives
Visual Studio + GitHub
development teams all the tools they need to work
efficiently and collaboratively. GitHub Enterprise and
Azure DevOps make it easier to manage progress,
measure team metrics, and optimize processes.
Visual Studio and GitHub work seamlessly with Azure, GitHub Codespaces
providing developers with the most advanced toolset
for code-to-cloud workflows. Codespaces provides fully configurable cloud
development environments, available in your browser,
With the combined power of Visual Studio, Azure, through Visual Studio Code, or any other suitable
and GitHub in Visual Studio subscriptions, you are editors like Emacs or Vim.
able to bundle key tools and services to empower
your developers to quickly and efficiently deliver Codespaces includes everything developers need to
modern apps: work with a specific repository, including an editor, a
• Tools like CI and CD built into GitHub and Azure terminal, support for common languages, frameworks,
DevOps allow automating workflows such as and databases. It is completely configurable, allowing
running automated tests and deploying to you to create a customized development environment
test environments, increasing the agility and for your project, and allowing developers to personalize
productivity of development teams. their experience with extensions and dotfile settings.
 The Developer’s Guide to Azure 42

• Fast and personal onboarding: Once you have

Codespaces offers many benefits to teams, including:
your environment configured, new developers
• A standardized environment: You can can use the Code drop-down button on any
create one Codespaces configuration that will GitHub repository within an organization
allow anyone using your repository to have a and select ‘Open with Codespaces’ to trigger
consistent experience when working with your a new dev container's creation. While initial
code. This experience is consistent for users startup times vary by repository architecture,
accessing Codespaces via both Visual Studio background processes ensure the new codespace
Code and the browser-based experience, as seen will be created with all the appropriate
in Figure 2.1: dependencies and configured.
• A secure environment: Developing in the
cloud allows you to keep one source of truth
for your repository. If all of your developers are
using Codespaces, this eliminates the need to
clone the repository locally or having to install
dependencies locally as root. There is also an
option to configure GPG signing of Git commits
from within Codespaces as an additional layer of
proof, citing which developer authored a change.

DOCS

GitHub Codespaces

Dev Containers in Codespaces

Using GitHub Codespaces in

Visual Studio Code

Figure 2.1: Browser experience for Codespaces

 The Developer’s Guide to Azure 43

Use your extensions for any Azure services you may be using.
Leveraging your .NET skills and Azure, you can begin

preferred writing code that will host your application on Azure,

consume other cloud services from your application,

programming and even take advantage of modern serverless

architectures to increase the resiliency and scalability

language
of your application.

DOCS

Developers have their tools, languages, and frameworks Key Azure Services for .NET
developers
of choice, and Azure supports a wide array of developer
options. From .NET to Java, JavaScript, Python, and
more: you have the ability to develop in your stack of Configure Visual Studio for Azure
choice and the flexibility to use different languages development with .NET
and frameworks. Azure supports running applications
written in these languages seamlessly.
Configure Visual Studio Code for
Azure development with .NET

.NET and Azure

.NET development on Azure
configuration checklist
If your preferred development stack is .NET, then
the Visual Studio family of IDEs and GitHub have you
covered. Using anything from .NET Core to legacy
.NET Framework versions (4.x), to newer revisions like
.NET 5 and 6, all editors offer first-class support for JavaScript, Python, and Java on
various installations of SDKs. IntelliSense, package
Azure
management, and integrations with local and cloud-
based services all work right out of the box. JavaScript and Node.js, Python, and Java developers
are also set up for success in Azure. Visual Studio
For Azure support, the Visual Studio family offers a and GitHub offer extensive support for developing,
best-in-class experience when developing for targets building, and deploying applications written in these
such as Azure App Service, Cognitive Services, Blob languages and frameworks. Simply install the runtime
Storage, Event Hubs and Event Grid, Cosmos DB, of your choice and any corresponding extensions and
and others. This experience is also available within you're immediately able to start coding.
GitHub Codespaces by installing the required
 The Developer’s Guide to Azure 44

From Java runtimes to different versions of Node.js or Azure services that is compatible with Windows,
Python, you can rest assured that your development macOS, and Linux. Likewise, Azure PowerShell is a set
experience will be consistent using Visual Studio, of cmdlets that allows you to manage Azure resources
GitHub, and Azure. Azure App Service (web and from the PowerShell command line.
function apps) offers support for applications written
in any programming language, including Docker Regardless of the development platform or deployment
containers. target, Microsoft has a rich offering of development
tools and cloud services to meet your needs. From
For Java developers, Azure App Service offers Java 11 Visual Studio 2022 to Visual Studio Code to GitHub
on both Linux and Windows, allowing developers to Codespaces, there is an IDE that will rise to the
run JAR files or even WAR files through Apache Tomcat challenge and enable your productivity.
v8.5 and v9.0 hosted in App Service. Linux services
also support the two latest LTS versions of Java, while The software development lifecycle is also completely
Windows services support the three latest LTS versions. covered with platform offerings from GitHub as
well as Azure DevOps. Tracking your work, building
Python support is available for 2.7, 3.6, and 3.7 on App and deploying your code, testing, and managing
Service, giving developers the flexibility to deploy their artifacts are easily handled. With GitHub, integrated
apps using a targeted runtime. There is also support for DevSecOps features such as Dependabot and GitHub
running apps using Gunicorn as well as hosting apps Advanced Security allow you to rest easy knowing that
written in WSGI frameworks such as Django and Flask. vulnerabilities are always being scanned for.

With Microsoft Azure, you have a world of cloud

DOCS
services at your fingertips. Runtime support for
Azure App Service: Node.js, languages such as Java, Python, and Node.js in addition
Python, and Java support
to .NET expands the possibilities of what you can
build in Azure, as well as where your code is deployed.
Whether from the IDE or the command line, interacting
SDKs and command-line tools with Azure as a part of the development cycle is
Azure includes a collection of SDKs for .NET, Node.js, facilitated for everyone.
Python, Java, and more. These are built on a common
core for easy use of Azure services, with a focus on In Chapter 3, Cloud-native applications, we will be
consistency, familiarity, and language idiomaticity. taking a look at cloud-native application development,
which further expands on the core architectural
Command-line tools are also available for managing patterns, components, and methodologies for creating
Azure services and applications using scripts. The Azure applications that leverage the full potential of the cloud.
CLI is a set of commands used to create and manage
 The Developer’s Guide to Azure 45

03 /
Cloud-native
applications
 The Developer’s Guide to Azure 46

What do we mean faster, smarter, and more adaptable. Developers want

to go from ideation to code running in the cloud

by cloud native? seamlessly. Microsoft combines development tools

with Azure to create a highly efficient inner loop for
cloud‑native development. This combination provides
everything you need as a developer, from source code
Almost any application can run in the cloud one way management, editors and IDEs, and infrastructure as
or another. Even for legacy applications, you can use code to container registries and continuous integration/
virtual machines and have them running in the cloud. continuous deployment (CI/CD) toolchains, all designed
But to take full advantage of what the cloud offers, you to work together. Whether you want to quickly deploy
will need applications to be cloud-native. Designing code from Visual Studio or Visual Studio Code or use
applications for the cloud allows you to use the best a CI/CD pipeline from GitHub or Azure DevOps, the
of what the cloud can offer and benefit from the latest process is fast and simple. You can quickly deploy
innovations in the public cloud. your code and test new functionality and features in
Microsoft Azure.
When transitioning to the cloud, there are many
options. Whether the choice is to replatform, refactor,
NOTE
rearchitect, or even rewrite the application to fully
Shift to the left is a practice
leverage the scalability and elasticity of cloud services, in software development in
Azure can help you. For cloud-native applications to be which teams focus on increasing
quality by testing earlier and
intelligent, AI can be used to provide advanced insights.
deploying more frequently.
Being cloud native also means embracing a potential
global footprint and tuning individual microservices or
cloud services for optimal performance under load. Speed of development is not the only challenge; you
also want your applications to be resilient and scalable.
The software development lifecycle is consistently High availability and uptime are very important in
shifting to the left, moving feedback loops closer the digital-first era. If an application is not available,
to developers and validating functionality very customers will quickly lose interest and go to a
quickly. As this trend continues, you need to be competitor whose application is more reliable.
 The Developer’s Guide to Azure 47

Over the past several years, you must have seen story
after story about data breaches and compromised
applications that expose sensitive information. As
more businesses embrace digital transformation, the
resiliency and security of application infrastructure
and data are of the utmost importance. Microsoft
Azure offers built-in tools that can help you create
highly available geo-distributed applications, along
with intelligent threat protection in real time. With
scalable services, you can create applications that can
withstand high demand and achieve cost savings at the
same time.

Using cloud-native design patterns you can achieve the

agility, reliability, scalability, and security demanded
by the next generation of applications. Developing
with managed services in mind takes the guesswork
out of the infrastructure layer and allows developers to
focus on what matters—solving business problems by
producing world-class applications.

QUICK
START
Build cloud-native applications
in Azure
 The Developer’s Guide to Azure 48

Cloud-native If you do not have such constraints, you can optimize

for developer productivity architecture. Then you

components can build microservices using event-driven functions

without having to worry about servers, allowing you to
focus on code, rather than infrastructure.

By having a cloud-native approach, app developers can When applications are built as microservices, the
overcome the challenges they face every day around release velocity can increase because changes to any
agility, reliability, and security. Not all applications are component are easier to make. Microservices make
the same, and in some cases, it is important to prioritize applications easier to scale and faster to develop,
certain characteristics over others. Regardless of the enabling innovation and accelerating the time to
need, however, there are several basic building blocks market. These microservices can be delivered as
for cloud-native applications, which include: containers, which package application code and
dependencies together to increase portability, or as
• Microservices
functions, which offer an event-driven compute-on-
• Containers demand experience that extends with capabilities to
• Functions implement code triggered by events. Often, these
• APIs microservices are surfaced as lightweight APIs and are
• DevOps shipped using DevOps processes and tools to automate
build, test, and delivery (see Chapter 1, Getting started
When it comes to a cloud-native architecture, with Azure Application Platform, and Chapter 2,
it can be implemented in two different ways— Developer tools and developer cloud).
optimizing for infrastructure control or optimizing
for developer productivity. QUICK
START

Infrastructure control provides control on what you are Azure Architecture Center –
Cloud Design Patterns
running, where you are running it, and how it performs.
When you have requirements such as the need to use
a legacy code base or custom libraries that require
runtime access, you want to optimize for infrastructure
control and use containers with Kubernetes to
orchestrate them.
 The Developer’s Guide to Azure 49

Kubernetes on Azure Kubernetes Service

Azure As a central pillar of cloud-native practices, AKS

is an enterprise-grade, managed Kubernetes
service. Because it is a fully managed system, Azure
handles critical tasks such as health monitoring and
A common pattern of modern applications is to maintenance, while developers can focus on code.
run microservices hosted in containers. Containers
are lightweight, standalone, executable packages AKS has built-in best practices like Azure Advisor
of software that include everything needed to run notifications to help optimize your Kubernetes
an application: code, runtime, system tools, system deployments with real-time personalized
libraries, and settings. recommendations. It features multi-layer security
across operating systems, compute resources, data,
Microsoft Azure offers many choices on how to run networking with consistent configuration, identity,
containers. One of them is Kubernetes, also known as secret integration with Azure Key Vault, and policy
K8s, an open-source orchestrator that allows you to management. Also, AKS increases operational efficiency
automate the deployment, scaling, and management of with support for automatic cluster upgrades and the
containerized applications. ability to schedule service maintenance operations to
off-peak hours.
When running Kubernetes on Azure, there are several
options to choose from, including: AKS makes it simple to deploy a managed Kubernetes
cluster in Azure as it reduces the complexity and
• Azure Kubernetes Service (AKS)
operational overhead of managing Kubernetes by
• Azure Red Hat OpenShift offloading much of that responsibility to Azure. When
• Arc-enabled Kubernetes deploying an AKS cluster, the Kubernetes management
• Application services on top of Kubernetes plane, control plane nodes, and worker nodes are
deployed and configured for you.
Let's look at each of these options and see its benefits.
QUICK
START
Deploy an AKS cluster using the
Azure CLI

Kubernetes on Azure
 The Developer’s Guide to Azure 50

Azure Red Hat OpenShift Azure Red Hat OpenShift provides built-in CI/CD. You
can create automated builds, tests, and deployments
Red Hat OpenShift is an enterprise Kubernetes of applications using OpenShift Pipelines, a serverless
container platform created by Red Hat. OpenShift is all CI/CD system designed to create and scale a pipeline
about choosing a platform to power your applications using GitHub Actions, or using existing pipelines.
today by automating processes and reducing
complexity, allowing you to rapidly deliver without QUICK
roadblocks. When running Kubernetes in production, START

you often need to add additional services to get basic Azure Red Hat OpenShift
functionality such as authentication, logging, and
CI/CD. Those are separate components that you must
integrate, manage, and keep up to date on your own.
Furthermore, when using new features to build modern
applications such as Serverless and Service Mesh, this Arc-enabled Kubernetes
means even more integration and testing.
With Azure Arc-enabled Kubernetes, you can attach
Azure Red Hat OpenShift allows developers to focus on and configure Kubernetes clusters located either inside
what matters. You can take advantage of the enhanced or outside Azure and bring cloud operations anywhere.
user interface for application topology and builds in the
web console. It allows you to build, deploy, configure, Azure Arc can manage applications running on
and visualize containerized applications and cluster Kubernetes at scale through advanced DevOps
resources more easily. techniques like GitOps. It provides a single pane of
glass with central visibility through the Azure portal and
You can bring code from your Git repository or governance and compliance of your applications and
an existing container image and build it using Kubernetes clusters through Azure Policy.
source‑to‑image (S2I) builds or deploy solutions from
the developer catalog, such as OpenShift Service
NOTE
Mesh, OpenShift Serverless, or Knative.
GitOps is a way to operate
infrastructure in continuous
delivery by using tools
TUTORIAL developers are already familiar
with, like Git and CI/CD tools.
Create an Azure Red Hat
OpenShift 4 cluster

QUICK
Deploy an application from START
source to Azure Red Hat
Azure Arc-enabled Kubernetes
OpenShift
 The Developer’s Guide to Azure 51

Application services on top of If the project requires you to have more control over

Kubernetes the infrastructure (like running on-premises, on the

Edge, or in a different cloud), this can be accomplished
Developers have been taking advantage of the Azure with Azure Arc. Any Kubernetes cluster connected
application platform services for the last few years to through Azure Arc is a supported Azure App Service
develop modern apps. These purpose-built services target. Thanks to Azure Arc and portable app services,
enable developers and operations teams to focus on we can run the same code anywhere and create hybrid
the business requirements and not have to spend and multi-cloud applications.
additional resources managing the infrastructure
behind these services. To enable developers of You can develop and innovate faster with Azure's suite
on-premises applications to experience that same of application services as it comes with features and
productivity gain, Microsoft has enabled Kubernetes options that are optimized for developer productivity.
as a target for running many Azure platform services, Capabilities such as deployment slots, blue-green
managed through Azure Arc. The platform services deployments, web consoles, App Service Editor, and
supported are: extensive logs, among others, can make your life a
• App Service little easier.

• Functions
QUICK
• Logic Apps START
Set up an Azure Arc-enabled
• Event Grid
Kubernetes cluster to run
• API Management App Service, Functions, and
Logic Apps
 The Developer’s Guide to Azure 52

Serverless on By doing so, Azure functions provide increased agility,

improved resilience, and scalability.

Azure It comes with support for multiple languages and

integration with other services like Azure Key Vault and
Azure DevOps and provides flexible hosting options
Serverless is a way of hosting your applications in the to support critical enterprise workloads. All of this is
cloud while completely abstracting the underlying integrated with development tooling: Visual Studio
infrastructure. It is about increasing productivity by Code, Visual Studio, and other editors such as IntelliJ
focusing on the code that powers your application or Eclipse.
without taking care of infrastructure. Publish the code
to Azure, and Azure will take care of scaling, operating,
DOC
and securing the underlying application code.
Getting started with Azure
Functions
Microsoft Azure offers several serverless services,
including:
• Azure Functions Serverless on Azure
• Azure Logic Apps
• Azure Static Web Apps
• Azure Event Grid

Let's look at these options more closely and see what Azure Logic Apps
they bring to the table.
Azure Logic Apps is a cloud-based platform for creating
and running automated workflows for integrated apps,
Azure Functions data, services, and back-end systems with a library of
more than 450 connectors.
Azure Functions is a serverless solution in Azure that
allows you to focus on the code that matters most to You can quickly develop highly scalable integration
you, while Azure Functions handles the rest. solutions, allowing you to easily connect to any system
or data source.
Azure Functions makes event-driven programming
easier with state-of-the-art autoscaling, and triggers QUICK
and bindings to integrate with other Azure services. START
Create integration workflows with
You can run a piece of code in response to an event and Azure Logic Apps in the Azure
scale without having to worry about infrastructure. portal
 The Developer’s Guide to Azure 53

Azure Static Web Apps Azure Event Grid

With Azure Static Web Apps, you have the flexibility Azure Event Grid simplifies event-based applications
to deploy static HTML, JavaScript, and CSS files from a with a single service for managing the routing of events
GitHub repository or another source into a managed, from any source to any destination.
Azure-hosted website. A free tier exists for hobby or
non-commercial needs, and a standard tier allows for You can easily build applications using an event-based
more production-appropriate needs. SSL certificates architecture by subscribing to a source and defining
are included, as are at least two custom domains and at event handlers or Webhook endpoints to which you can
least three staging environments. send domain events. Event Grid has built-in support for
events coming from Azure services, but also supports
QUICK your own events through custom topics.
START
Building your first static site
QUICK
with Azure Static Web Apps
START
Install Event Grid extension
on Azure Arc-enabled
Kubernetes cluster
 The Developer’s Guide to Azure 54

Cloud native and DOCS

open source
Check out featured open source
projects and products

Blazor | Build client web apps

with C# | .NET
It can be said that cloud native and open source have
a symbiotic relationship. Cloud-native apps are built
on open-source technologies when possible, focusing
Open Service Mesh
on architectural modularity and enabling them to
be platform-independent. "Cloud native" means
flexibility of deployment targets. Microsoft invests in
open‑source software in several ways in order to help ANNOUNCEMENT

Azure users build the best possible solutions. There are Gain flexibility to run
open‑source applications your
several areas of investment:
way with Microsoft Azure
• Ensuring open-source technologies perform well
on Azure
• Open-source communities (Apache, Linux, the Overview of open source
.NET Foundation)
on Azure
• Tools and integrations to help with Azure
deployments Open source has fundamentally changed software
• DAPR – Distributed Application Runtime, a development. With the increase in open-source
lightweight framework for building modern adoption, it must run smoothly on Azure.
distributed applications
More than half of all the cores on Azure are running
With added commitments to supporting open-source Linux, and Microsoft has heavily invested in
functionality in Azure as well as the advent of more enhancing its performance, reliability, security, and
modern runtimes for service-based applications such resiliency. Azure provides you with enterprise‑grade,
as DAPR, open-source technologies are an essential managed open-source software databases like
building block for individuals and organizations looking MySQL and MariaDB, Linux operating systems,
to build solutions that run on Azure. analytics, and machine learning services to bring AI to
your application.
 The Developer’s Guide to Azure 55

• The .NET Framework: It is a cross-platform and

Microsoft's contributions span several areas: Linux,
open-source development platform. You can
the Kubernetes ecosystem with projects like DAPR or
develop many types of applications with .NET,
Open Service Mesh, programming languages, web
across all operating systems and any device. You
frameworks, and technologies such as .NET, Node.js,
can also choose from object-oriented languages
Python, PHP, and many more.
such as Visual Basic and C# or include functional
programming with F#. There is also managed
DOC support for C++. With .NET, you can build
once and run anywhere. The .NET open-source
Open source on Azure
ecosystem is directly supported by the .NET
Foundation, a non-profit organization dedicated
to cultivating an innovative and commercially
friendly community around .NET.

Open-source cloud projects

QUICK
Three cloud-oriented, open-source projects that START

Microsoft participates in are as follows: What is Kubernetes?

• Kubernetes: Microsoft works closely with
the Kubernetes project, sharing knowledge,
contributing, and shaping its future. Microsoft Microsoft Build of OpenJDK™
is now the third-leading corporate contributor
and works to make Kubernetes more
enterprise‑friendly and accessible.
.NET Framework
• Java: Microsoft participates in and contributes
back to the Java community. Microsoft's Build
of OpenJDK is a long-term support (LTS)
.NET Foundation
distribution of OpenJDK that is open-source and
free for anyone to deploy anywhere. This allows
you to focus on developing Java applications and
delivering value without being concerned with
licensing requirements or costs.
 The Developer’s Guide to Azure 56

Flexibility of choices for tools, Distributed Application Runtime:

languages, and integrations DAPR
Azure lets you build and run your apps on your terms, Stateless microservices are a common pattern for
in any environment, with integrated support for architecting modern cloud-native applications, and
open‑source tools, languages, and frameworks. You can DAPR can help you accelerate development.
develop your apps using your favorite tools, languages,
and third-party integration. Also, you can deploy DAPR is an open-source project whose goal is to
Docker-based containers running any app to Azure simplify writing microservices by providing building
App Services, PowerShell scripts to Azure Functions, blocks that abstract away common challenges of
static websites, and many more. distributed applications such as service-to-service
invocation, HTTP and gRPC requests, secret and
With AKS, you can run virtually any code by installing state management, and input and output bindings. It
any library or runtime. Even more managed services like provides support for multiple programming languages,
Azure Functions provide support for a wide range of such as .NET, Java, Python, or Go. DAPR applications
programming languages. can be run on-premises, in any cloud, or on an edge
device without having to change a line of code from
There are also integrations within Visual Studio and one to another.
Visual Studio Code that allow you to deploy, test, and
run applications in the cloud. DAPR simplifies distributed applications and
acts as a glue that binds the application to the
infrastructure capabilities.

QUICK
START

Get started with Dapr

 The Developer’s Guide to Azure 57

How to build Business-critical applications

cloud-native There are several things you need to consider

when it comes to building modern business-critical

applications on applications:
• Scaling in order to handle increased traffic

Azure
and bursts
• Low latency so users have the same experience
anywhere in the world
• High availability to achieve maximum uptime
Depending on the requirements of the software you are
building, you may have to take different architectural A design example for modern business-critical
approaches to comply with business needs. Microsoft applications is shown in Figure 3.1:
Azure offers tools and services that can accommodate
any scenario.

Some examples of possible scenarios are:

• Business-critical applications
• API-first applications
• Real-time data processing
• Geo-distributed applications

Let's take a closer look at each scenario and see what

Figure 3.1: Business-critical application design in Azure
it requires.

You can have instant, elastic scaling that handles traffic

and sales bursts without managing infrastructures using
a number of services—for example, you can use AKS.
Low-latency data access from anywhere in the world
for fast, robust user experiences can be achieved with
Azure Cosmos DB. Finally, for high availability, you can
place services across multiple datacenters and ensure
that an application has absolutely no downtime.
 The Developer’s Guide to Azure 58

API-first applications Real-time data processing

With an API-first approach, the biggest challenge Real-time data processing can be a challenge when
is how to secure, govern, and catalog the APIs. You multiple data sources are in play. Azure offers tools that
can create an API gateway and developer portal in a can help with real-time data ingestion and processing
matter of minutes and publish APIs easily for internal or pipelines, capable of detection and notification
external use. within seconds.

Figure 3.2: API-first design in Azure Figure 3.3: Real-time data processing design in Azure

This approach allows you to easily handle any data This way, any data change can be processed just a
schema change and adapt quickly to rapid changes. moment after the change occurred. With a secure API
You can connect to back-end services running gateway, you can connect to back-end services running
anywhere and manage, secure, and optimize all APIs in anywhere. Elastic provisioning of compute capacity,
one place no matter where they run. without the need to manage the infrastructure, allows
you to focus on data and provide cost savings in
the process.
 The Developer’s Guide to Azure 59

Geo-distributed applications The Microsoft Azure infrastructure is composed of

more than 160 datacenters in more than 60 different
The geo-distributed approach has two main goals: regions. With services such as Azure Front Door or
• Provide a seamless experience to its users Traffic Manager, you can create globally distributed
anywhere in the world. applications. This way, you can ensure that applications
are up and running even with issues in one of the
• Provide high availability and maximum uptime.
datacenters. As the application is hosted in multiple
In Figure 3.4, you can see a possible architecture for a locations, users are routed to the closest instance,
geo-distributed application. AKS is placed in several providing minimum latency and delay.
different regions and network traffic is controlled
with Traffic Manager to direct the user to the closest Building cloud-native applications is all about
available AKS instance to complete the request. leveraging purpose-built cloud services that allow you
to develop faster, deploy more frequently, innovate,
and be scalable. Microsoft Azure offers dozens of
services to choose from when designing and building
cloud-native applications. These services come
with support for many programming languages,
frameworks, and runtimes, and offer excellent
integration capabilities. They also come with robust
built-in features that can help you monitor, secure, and
improve your applications.

Whether in the cloud or on-premises, the management

of infrastructure such as AKS is easier than ever using
Azure Arc. And with Azure Arc-enabled services like
App Services, you can safely deploy applications to
local clusters for testing, knowing they will operate the

Figure 3.4: Geo-distributed application design in Azure

same way in the cloud.

With investments in key areas in the open-source

community, Microsoft continues to build on the
strength of using open-source solutions, especially with
cloud-native applications. From language support for
many major programming languages to contributions
to the community, like DAPR, the opportunity to
embrace open-source offerings in your own application
is more prevalent than ever.
 The Developer’s Guide to Azure 60

Armed with a library of design patterns, business

cases, and means to implement them, your journey
to design and develop a cloud-native application
is greatly improved when using Azure. With design
frameworks such as the Cloud Adoption Framework
and the Well-Architected Framework, you have solid
field-tested guidance on how to efficiently adopt cloud
technologies and develop applications with a focus on
cloud-native traits.

There are several things that all applications have

in common, with the goal of microservices and
cloud-native to abstract away the complexities of
many of them, such as where and what is running
the application. Components such as CPU, memory,
and networking are a few examples, with much of
this chapter focused on those. However, there is one
additional component that has not been addressed.
Where will your application store its data?

In the next chapter, we will dive deeper into the various

designs and architectures that can be used for data
storage and how that plays into the business's data
estate. Once application data is stored, it's then the
job of data scientists and engineers to utilize machine
learning and artificial intelligence to discover and
transform the data into meaningful conclusions and
decision points. But storing data comes with many
caveats, such as compliance, security, and balancing
costs. We’ll explore all these topics next.
 The Developer’s Guide to Azure 61

04 /
Connecting
your
application
with data
 The Developer’s Guide to Azure 62

Azure has your Azure makes it simple to mix and match data solutions
of varying volumes, varieties, and velocities while

data needs providing out-of-the-box world-class performance,

security, and governance. By abstracting data estate

covered complexities, developers can focus on solving business

problems and delivering value.

As a developer or architect, at some point in the What can Azure do for your data?
application design and creation process, a decision
must be made as to what type of data should be By choosing Azure data solutions to store or process
collected, along with its format and where it will be corporate data, businesses gain access to fully managed
stored. Additionally, an important key parameters like Platform as a Service (PaaS) services that free up
costs, performance, growth, security, compliance, and valuable time and resources, time and resources that
the data lifecycle need to be considered in determining can be focused on new ways to delight business users
the perfect data solution for the system. When and unlock data insights and business opportunities.
progressing through all the options, realize it is highly By removing the hardware and software management
likely that no single data solution will be able to meet components, architects and developers can focus on
the final needs of the users of the system. designing impressive, data-focused business solutions.

Data is valuable and a strategic asset. Taking a big- Developers can take advantage of industry-leading
picture approach and being open to new ideas around innovations, such as built-in security with automatic
data storage and data processing can lead to incredible monitoring and threat detection, automatic tuning
opportunities for taking applications to new heights for improved performance, and turnkey global
and ensuring a stable and organized data estate. distribution and replication. Moreover, any cloud
investments are protected by financially backed
Whether the solution is a traditional relational service-level agreements (SLAs).
database-based application; a stream-based analytics
solution; a data mart or data warehouse; or a storage Whatever the business needs dictate, Azure data
facility for structured and unstructured data, slow- or solutions will help get applications to production
fast-flowing data, or small data or big data via Lambda faster, scale them widely, and manage them easily, all
or Kappa architectures, Azure has an answer! while maintaining security and compliance with laws
and regulations. Not only that, but Azure's services,
such as machine learning and artificial intelligence, are
designed to be integrated together easily with a few
clicks of the mouse.
 The Developer’s Guide to Azure 63

Additionally, Azure data solutions can help solve some Finally, Microsoft has been continually recognized as a
of these important questions: leader by Gartner for the past 7 years in a row.
• What data do you have?
• Is it trustworthy?
Where to store your data?
• Can people access the data needed to make the
right decisions?
Today's data storage options are numerous. Picking
• How can you enable faster business insights? the right one for the target application can be a
• What's the compliance exposure? daunting task even for developers and architects who
have been around since the creation of traditional
relational database management systems (RDBMSes).
Why trust Azure with your data?
Today's business problems typically require much more
No matter what role you may play in the lifecycle of than what RDBMS can provide. Navigating the potential
the data estate, it is everyone's responsibility to be solutions for a new or potential modernization of an
cognizant of its security and integrity. When it comes to application is a vital skill for developers and architects.
data in Azure, Microsoft's trusted data principles put
the control in your hands: Azure provides many types of data stores with the
• You control your data. flexibility to support any data storage and processing
scenario where it is on-premises, hybrid, in the
• You choose your data location.
cloud, or on the Edge. For quick prototyping and
• Microsoft secures your data.
proof‑of‑concept tasks, many of these services have a
• Microsoft defends your data. free tier or 30-day trial period.

For example, Azure allows the data location to be As we progress through the various solutions, we will
chosen from several best-of-class datacenters around make frequent reference to the Azure Architecture
the world to meet any compliance or regulatory Center, which will provide you a helpful reference
requirements that businesses may be required to architectures to help visualize potential data solutions.
adhere to.

NOTE
In terms of security, many Azure services support Almost all storage options
a Bring Your Own Key (BYOK) feature that allows mentioned in this section can be
for the encrypting of data using privately owned used as activators and bindings
for Azure Functions.
keys. Additionally, Microsoft defends the data
stored in Azure from known bad actors using
Indicators of Compromise (IoCs) that are compiled Let's now take a closer look at each storage option.
from a vast set of inputs from the Microsoft Graph
Security API.
 The Developer’s Guide to Azure 64

Azure SQL Some other advanced features include:

• Geo-replication, based on Always On Availability

Database Group (AOAG) technology, which replicates data

to other geographical regions in real time.
• Dynamic data masking, which masks sensitive
data for certain users at runtime.
If the requirement is to utilize traditional relational
• Auditing, which provides a complete audit trail
databases with tables, columns, and rows to store data,
of all the actions that are performed on the data.
Azure SQL Database is a great choice. However, there
are many other open-source options you will explore • Automatic database tuning, which monitors

later in this chapter. the performance of the database and tunes it

automatically.

Azure SQL Database is a relational database system like • Transparent Data Encryption (TDE), which
on-premises Microsoft SQL Server. Azure SQL Database adds a security layer to protect data at rest from
runs in the cloud, so it's fully managed, performant, unauthorized or offline access.
scalable, automatically backed up, and includes many • Always Encrypted, which allows developers
other advanced features, such as flexible and responsive to store and query encrypted data within
serverless compute as well as Hyperscale. the database, and protects sensitive data by
encrypting it on the client side, never allowing
Databases in Azure SQL Database are extremely reliable the data or the cryptographic keys to appear in
and robust and offer an SLA that guarantees 99.99 plaintext inside the database engine.
percent uptime. From a cost standpoint, consider
the fact that running SQL PaaS and IaaS workloads
on Azure can be up to 86% less costly than other Get more compatibility with
cloud platforms, which makes yet another compelling
Azure SQL Managed Instance
argument for using Azure.
When migrating databases from a source such as an
Because Azure SQL Database communicates on-premises hardware-based instance or a virtualized
over the same protocol as SQL Server, the same instance of SQL Server, the application may be using
familiar tools developers used previously, such as features of SQL Server that may not be available in
SQL Server Management Studio (SSMS), Azure Data Azure SQL Database. In these cases, it may be possible
Studio, and Visual Studio Code, will continue to to migrate to Azure SQL Managed Instance. Because of
work seamlessly. its design, Azure SQL Managed Instance provides many
more features that provide parity with SQL Server and
yet provides the benefits of a fully managed service. For
example, features such as Linked Server and SQL Agent
are supported by Azure SQL Managed Instances, but
not by Azure SQL Database.
 The Developer’s Guide to Azure 65

Azure Database Azure Database for MySQL

for MySQL, Azure Database for MySQL is a relational database

service powered by the MySQL Community Edition

PostgreSQL, and database engine. It is a fully managed database-as-

a-service offering that can handle mission-critical

MariaDB
workloads with predictable performance and
dynamic scalability.

See Intelligent apps using Azure Database for MySQL

In addition to Azure SQL Database, Azure provides for a reference architecture using Azure Database
managed data solutions for MySQL, PostgreSQL, and for MySQL.
MariaDB. As with all Azure PaaS services, simply create
a new instance and focus on building applications, not
the underlying infrastructure. Additionally, many of the Azure Database for PostgreSQL
same cloud-based platform features, such as scalability
and security in Azure SQL Database, are also available Azure Database for PostgreSQL is a fully managed
in these open-source alternatives. database instance based on the community version
of the open-source PostgreSQL database engine.
Microsoft is committed to making Azure the best cloud Azure Database for PostgreSQL supports several of the
for OSS by bringing together community and Azure latest major PostgreSQL versions and includes many
innovations. This commitment is most visible with popular PostgreSQL extensions. As a managed service,
PostgreSQL, where the Azure engineering team has enjoy AI-powered performance optimization and
made multiple contributions to the global PostgreSQL enterprise-grade security and compliance, including
open-source project. enhanced security capabilities with Azure Defender. As
with other open-source offerings, it is scalable and
All three of these offerings provide the following offers flexibility and high availability with up to
features: 99.99% SLA.
• Built-in high availability with no additional cost
Build apps at any scale with high-performance,
• Predictable performance
horizontal scaling with Azure Database for
• Scaling as needed within seconds
PostgreSQL Hyperscale (Citus). Hyperscale supports
• Secured protection of sensitive data at rest and databases with sizes of up to 100 TB with fast backup
in motion and restores and rapid scale up and out capabilities.
• Automatic backups and point-in-time restore for Use Azure Arc-enabled PostgreSQL Hyperscale to
up to 35 days run on the infrastructure of choice, including hybrid
• Enterprise-grade security and compliance and multi-cloud options, while benefiting from Azure
• Support for Python, PHP, Node.js, Java, Ruby, cloud features.
.NET, and more
 The Developer’s Guide to Azure 66

See Intelligent apps using Azure Database for The Azure Database for PostgreSQL Flexible
PostgreSQL for a reference architecture using Azure Server deployment option provides maximum
Database for PostgreSQL. flexibility and control with a choice of a single zone
or zone-redundant high availability, with up to 99.99
SLA and the ability to leverage custom maintenance
Flexible Server windows for planned database maintenance. Enjoy
a simplified end-to-end deployment experience with a
Azure Databases for MySQL and PostgreSQL support low cost of ownership. Reduce the time to market with
a new deployment model—Azure Database for tight integration with Azure Kubernetes Service, Azure
MySQL Flexible Server and Azure Database for App Service, and more.
PostgreSQL Flexible Server. Flexible Server provides
more options when it comes to configuration and
customization, for example, more support for platform Azure Database for MariaDB
features and additional configuration parameters for
fine-grained tuning. Compared to the single-server Azure Database for MariaDB is a relational database
deployment option, Flexible Server provides better cost service based on the open-source MariaDB Server
optimization with start-stop capabilities and burstable engine. It is a fully managed database-as-a-service
instances. Burstable instances are great for scenarios offering that can handle mission-critical workloads with
where you don't have steady workloads and/or need predictable performance and dynamic scalability.
more compute power only at peak times.
 The Developer’s Guide to Azure 67

Azure Azure Arc organizes, governs, and secures Windows,

Linux, SQL Server, and Kubernetes clusters

Arc‑enabled data across datacenters, the edge, and multi‑cloud

environments right from Azure, by surfacing

services them in the Azure portal for single pane of glass

management via many of the features afforded by
the Azure Resource Manager (ARM).

Supporting applications with data solutions that reside Azure Arc-enabled data services enable cloud
on-premises or in other cloud providers without advantages (such as scalability and self-service
continuous or direct Azure connectivity doesn't have provisioning, and unified management) in on-premises
to be difficult. Begin the journey to Azure by exploring environments. It also enables them to be always current
Azure Arc-enabled services. by receiving frequent updates.

Companies have significant, existing investment Database services currently enabled by Azure Arc
on‑premises, and are looking for a consistent include Azure SQL (Azure SQL Managed Instance) and
experience as they expand to the cloud and the edge. Azure Database for PostgreSQL Hyperscale.
Many organizations are taking a hybrid approach when
it comes to the cloud. See Azure Arc hybrid management and deployment
for Kubernetes clusters and Manage configurations
Microsoft is committed to providing a true hybrid for Azure Arc-enabled servers for reference
experience that's seamless and enables access to architectures using Azure Arc.
the latest innovations, regardless of where the
data lives. Azure has been built to enable seamless
hybrid capabilities when it comes to development,
deployment, and management across on-premises
servers, public clouds, and edge devices. Azure Arc
now enables Azure data services to run anywhere,
on any infrastructure across on-premises, Edge, and
third‑party clouds.
 The Developer’s Guide to Azure 68

Azure Cosmos DB In addition to all these features, Azure Cosmos DB

offers five data consistency levels that allow the
fine‑tuning of the distributed data system. Choose from
models ranging from strong to eventual consistency.
Azure Cosmos DB is a fast and flexible NoSQL database
built for cloud-native applications of any scale. Its key With speed and flexibility, applications of any size or
features include: scale will benefit from superior performance, elasticity,
• Guaranteed availability and speed at any scale, and reliability.
with SLAs for 99.999 percent availability and less
than 10ms latency on reads and writes. See Gaming using Cosmos DB and Globally
distributed applications using Cosmos DB for
• Open APIs for MongoDB, Cassandra, and Graph
reference architectures using Cosmos DB.
data; and a Core (SQL) API with SDKs for .NET,
Java, Node.js, and Python.
QUICK
• Serverless and autoscale options automatically START
match resources to demand without having to
Get started with Azure Cosmos DB
plan or manage capacity.
• The free tier enables the development and
testing of applications with free database
operations and storage for the lifetime of
the account.
• Geo-replication, which distributes data to any
Azure region globally in real time for higher
availability and low latency.
• Automatic indexing of data and flexible schema,
which simplifies data ingestion and distribution.
• Out-of-the-box no-ETL analytics with Azure
Synapse Link, enabling advanced analytics
over real-time operational data stored in Azure
Cosmos DB, with no performance impact or
data movement.
 The Developer’s Guide to Azure 69

Azure Storage Blob Storage

Azure Blob Storage stores large, unstructured data—

literally, blobs of data. This data can be video, image,
Azure Storage is one of the most reliable and audio, text, or even virtual hard drive (VHD) files
performant services in Azure. Azure Storage offers for VMs.
five types of storage that all benefit from the following
shared features: There are three types of blobs, page, block, and
• Geo-redundancy, which replicates data to append blobs:
different datacenters, allowing for recovery if a • Page blobs are optimized for random read
disaster causes an individual datacenter to fail and write operations and are perfect for storing
• Encryption of data at runtime a VHD.

• Custom domains • Block blobs are optimized for the efficient

uploading of large amounts of data. These are
perfect for storing large video files that don’t
The five Azure Storage types are Blob, Table, Queue,
change frequently.
Files, and Disk Storage (as shown in Figure 4.1):
• Append blobs are optimized for append
operations, such as for storing operation logs
Let's take a closer look at each storage type and what
that can’t be updated or deleted.
it offers.

Figure 4.1: Data storage types

 The Developer’s Guide to Azure 70

QUICK
TUTORIAL
START
Get started with Azure Blob Get started with Azure
Storage Queue Storage

Table Storage Files

Azure Table Storage is an inexpensive, extremely You can use Azure Files as a drive from which to share
fast NoSQL key-value store. Key-value stores are files. It uses the Server Message Block (SMB) protocol,
very flexible. For example, one key can contain data meaning it can be used with Windows and Linux and
describing an order and another key could describe accessed from either the cloud or on-premises systems
customer information. Table Storage does not have when a direct path to Azure is available. By design,
defined data schemas, making it very flexible. Azure Files SMB shares are blocked from the internet.
Like the other services in Azure Storage, Azure Files is
scalable and inexpensive.
DOC

Get started with Azure Table

Storage DOC

Get started with Azure Files

Queue Storage

Azure Queue Storage is an unusual type of storage. Disk Storage

While it's used to store small messages of data, its
main purpose is to serve as a queue. Queues are used Azure Disk Storage is like File Storage but specifically
by putting messages in them and allowing other meant for high I/O performance. It is perfect for use as
processes to pick them up. A Queue-Based Load a drive in a VM that requires high performance to run
Leveling pattern decouples the message sender from SQL Server, for instance. Disk Storage is available only in
the message processor, resulting in performance and the premium pricing tier of Azure Storage.
reliability benefits. Queue Storage is found in previous
versions of Windows such as MSMQ.
 The Developer’s Guide to Azure 71

Azure Data Lake Storage See Modern data warehouse for small and medium
business for a reference architecture with Azure Data
The previous data stores were intended for regular Lake Storage.
application use or for use with VMs. Azure Data Lake
Storage, on the other hand, is storage for big data QUICK
applications. It provides massively scalable, secure data START

lake functionality built on Azure Blob Storage. Use it Get started with Azure Data Lake
Storage using the Azure portal
to store large amounts of data in its native format—
structured, unstructured, or anything in between. The
point of Data Lake Storage is to hold your raw data so
that it can be analyzed, transformed, and moved when
needed. Host static websites on Azure
Storage
The following are the main characteristics of Azure Data
Lake Storage: Another exciting feature of Azure Storage is static
• Unlimited storage capacity. A single file can be website hosting. This static website feature only uses
larger than one petabyte in size—200 times Blob Storage as its data store and can be used to host a
larger than what other cloud providers offer. static website on Azure Storage. Simply upload the files
of the static website to Blob Storage and indicate which
• Scalable performance to accommodate
file is the default document (such as index.html) and
massively parallel analytics.
which one is the error document (such as 404. html).
• Data can be stored in any format, without
The website will run quickly for very little cost—in fact,
a schema.
only pay for the storage used, since the static website
feature doesn't cost anything extra. Additionally, when
This is a very different approach from the using geo-redundancy (which is enabled by default),
traditional data warehouse, where data schemas are the website will be up and running even if the primary
defined upfront. datacenter fails.

It is also possible to store the massive amounts of

data generated from Internet of Things (IoT) devices
(collecting temperature data, for example) in Data Lake
Storage. By using Azure Data Lake Storage, it is possible
to filter the data and create a view of it with multiple
time granularities. Storing the data in Data Lake Storage
is inexpensive and allows data to be stored for many
years at a very low cost.
 The Developer’s Guide to Azure 72

Azure data
analytics solutions
Just as important as where and how an application No matter how large, small, or complex the data
stores data is how that data is analyzed to get business might be, Azure has a solution that can meet any data
insights. Azure provides cloud-scale analytics solutions analytics requirement.
that cover all major data analytics scenarios and,
in most cases, are faster and less costly than other As shown in Figure 4.2, Azure provides solutions for
cloud providers. ingestion, storage, operations, preparation, serving,
and visualization. Each of these will be covered in
Whether the solution requires simple data movement more detail from a developer's perspective in the
and transformations, real-time analytics, or big data following sections.
analysis driven by AI and machine learning models
that requires days, weeks, or months of processing, For more architecture diagrams for data solutions,
Azure data analytics solutions enable businesses to reference the Azure Architecture repo.
get valuable and actionable insights from data to drive
business outcomes.

Figure 4.2: Azure Data Analytics solutions diagram

 The Developer’s Guide to Azure 73

• Bring together both relational and non-relational

Azure Synapse Analytics data, such as Cosmos DB and Azure Data
Lake Storage.
Azure Synapse Analytics (formerly Azure SQL Data
• Perform interactive, batch, streaming, and
Warehouse) brings together limitless enterprise data
predictive analytics with a rich T-SQL experience.
warehousing and big data analytics, providing the
freedom to query data based on business needs, using • Perform advanced analyses with Apache Spark
either serverless or dedicated resources—at scale. using Python, Scala, R, and .NET.
Azure Synapse Analytics brings these worlds together • Apply an Apache Spark pool and Synapse
with a unified experience to ingest, explore, prepare, pipelines in Azure Synapse Analytics to access
manage, and serve data for immediate business and move data at scale.
intelligence and machine learning needs • Deep integration of Azure Machine Learning,
Azure Cognitive Services, and Power BI.
Data engineers can use a unified, code-free visual
• Link Power BI workspaces to Azure Synapse
environment for managing data pipelines, and business
Analytics workspaces to enable the ability
analysts can securely access datasets and use Power BI
to query and report on data via Power BI
to build dashboards in minutes.
integration.

With Azure Synapse Analytics, enabling BI and machine

learning is a breeze. It is deeply integrated with See Real-Time Analytics on Big Data Architecture for a
Power BI and Azure Machine Learning to expand the sample architecture using Azure Synapse Analytics.
discovery of insights from data and apply machine
learning models.
TUTORIAL

Azure Synapse Analytics offers a range of benefits. Creating a Synapse workspace

Some of these are:
• The flexibility of choosing to use serverless or
dedicated resources. QUICK
START
• Using linked services and the 95+ native
Create an Azure Synapse
connectors, ingest data from data sources no Analytics SQL pool
matter where data resides—in Azure, in other
clouds, or on-premises.
• Using pipelines, you can handle data
transformations, data flows, define schedules,
and so on.
 The Developer’s Guide to Azure 74

Azure Data Factory Azure Synapse Link

With Azure Data Factory, you can create a Azure Synapse Link is Microsoft's preferred solution for
comprehensive pipeline that performs a complete analytics on top of Cosmos DB data.
extraction, transformation, and loading (ETL) process.
Azure Synapse Link for Azure Cosmos DB is a
Data Factory can help you move data from on-premises cloud‑native hybrid transactional and analytical
to the cloud, within the cloud, or to on-premises—it processing (HTAP) capability that enables the running
doesn't matter where your data resides. Data Factory of near real-time analytics over operational data in
also provides a variety of built-in connectors that Azure Cosmos DB. Azure Synapse Link creates a tight
you can use to easily connect to various data sources, seamless integration between Azure Cosmos DB and
including SQL Server, Azure Cosmos DB, Oracle, and Azure Synapse Analytics.
many more.

While moving data, you can also filter it, clean it up, or Azure Analysis Services
transform it with an activity in the pipeline, such as the
Apache Spark activity. In addition, Data Factory allows Azure Analysis Services is used to create a semantic
the scheduling and monitoring of pipelines, as well as a model of data, so users can access it directly with
path to lift and shift SQL Server Integration Services visualization tools such as Power BI. This is a managed
(SSIS) packages to the cloud. cloud service—it is scalable, data is stored redundantly,
and when not using it, you can pause the service to
See Hybrid ETL with Azure Data Factory for a minimize costs.
reference architecture using Azure Data Factory.
With Azure Analysis Services, you can provide modeled
QUICK data directly to users in a very performant way. Users
START can query millions of records in seconds because the
Create a data factory using the model lives completely in-memory and is periodically
Azure Data Factory UI
refreshed. You can get data into the semantic model
from anywhere; data sources can be in any cloud or
on-premises.

See Enterprise business intelligence for a reference

architecture using Azure Analysis Services.

QUICK
START
Create an Azure Analysis
Services server using the
Azure portal
 The Developer’s Guide to Azure 75

Azure Data Lake Analytics SQL-like language or custom code. After querying
and filtering the stream of data, Stream Analytics can
Another Azure service for performing data analytics natively output the result to many Azure services,
tasks is Azure Data Lake Analytics. With this service, including Azure SQL Database, Azure Storage, and
you can analyze, process, and transform potentially Azure Event Hubs.
massive amounts of data from Azure Storage and Azure
Data Lake Storage. See Stream processing with Azure Stream Analytics
for a reference architecture using Azure Stream
Azure Data Lake Analytics allows you to create and Analytics.
submit jobs that query data, analyze it, or transform
it. You can write these jobs in U-SQL, which is an QUICK
SQL‑like language, and extend U-SQL with Microsoft R START

and Python. Create a Stream Analytics job

using the Azure portal

Only pay for the jobs that are submitted and run, and
the service scales automatically depending on the
power the jobs need. Azure Data Lake Analytics is
typically used for long-running analytics jobs against Azure Time Series Insights
massive amounts of data.
You can use Azure Time Series Insights to get quick
See Scalable Data Science with Azure Data Lake: An insights on large amounts of typically IoT-type data.
end-to-end Walkthrough for a sample of using Azure This service gets data from Azure Event Hubs, IoT Hub,
Data Lake Analytics. and custom reference inputs, and it retains that data for
a specified amount of time.

TUTORIAL
With Azure Time Series Insights, users can query and
Create your first U-SQL script analyze data through a visualization tool as soon as it
through the Azure portal
comes in. Time Series Insights not only analyzes data
but also ingests and holds it for a while. Time Series
Insights is optimized for IoT and time-based data, and
contains its own data visualization tool.
Azure Stream Analytics
Check out the Azure IoT reference architecture which
The Azure Stream Analytics service is used to analyze, includes Azure Time Series Insights.
query, and filter real-time streaming data. Stream
Analytics can get its data from many services, including
DEMO
Azure Blob Storage, Azure Event Hubs, and Azure
Explore a Time Series Insights
IoT Hub. You can analyze the data by using a simple demo environment from your
browser
 The Developer’s Guide to Azure 76

Azure Databricks HDInsight

Azure Databricks provides a unified analytics platform HDInsight allows you to run specialized clusters of
with a host of tools and capabilities. Within Databricks, open‑source data analytics tools. The advantage
you can run optimized versions of Apache Spark to do of running these tools in HDInsight is that they're
advanced data analytics. managed, which means you don't have to maintain
VMs or patch operating systems. Plus, these tools can
In addition to Spark-based analytics, Databricks scale and easily connect to one another, other Azure
provides interactive notebooks and integrated services, and on-premises data sources and services.
workflows and workspaces that you can use to
collaborate with the entire data team, including data You can run potentially massive, specialized clusters
scientists, data engineers, and business analysts, all of of different types, such as an Apache Hadoop cluster.
whom have access to specialized tools for their specific It enables you to process and analyze data with
requirements. Hadoop tools such as Hive, Pig, and Oozie. You can
spin up an Apache HBase cluster, which provides a very
Databricks is fully integrated with Azure Active fast NoSQL database, or you can create an Apache
Directory, which gives you the ability to implement Storm cluster, which is geared toward analyzing data
granular security. With Databricks, you can perform streams, and provides a framework for processing
Spark-based data analytics on data that comes from a and analyzing massive amounts of data. HDInsight
variety of places. Additionally, you can plug Databricks can also run a cluster for Microsoft Machine Learning
into Power BI to create and show powerful dashboards. Server (previously Microsoft R Server). Finally, you
can create a cluster that runs Apache Kafka, which is
See Ingestion, ETL, and stream processing pipelines a publish‑subscribe messaging system used to build
with Azure Databricks for a sample reference applications with queueing mechanisms.
architecture.
See Interactive querying with HDInsight for a sample
reference architecture using HDInsight.
EXERCISE
Run a Spark job on Azure
Databricks using the Azure
TUTORIAL
portal
Extract, transform, and load
data using Apache Hive on
HDInsight
 The Developer’s Guide to Azure 77

Azure Data Explorer Power BI

Use Azure Data Explorer for a fast, fully managed, Power BI is a suite of business analytics tools that
and highly scalable data analytics service for real- deliver insights throughout an organization. Connect to
time analysis of large volumes of data streaming from hundreds of data sources, simplify data prep, and drive
applications, websites, IoT devices, and more. unplanned analysis. Produce beautiful reports, and
then publish them for the organization to consume on
Azure Data Explorer allows you to natively export Kusto the web and across mobile devices.
queries that were explored in the web UI to optimized
dashboards. With Azure services and Power BI, your application
can turn data processing efforts into analytics and
See Azure Data Explorer interactive analytics and reports that provide real-time insights. Whether
Streaming using HDInsight for reference architectures. data processing is cloud-based or on-premises,
straightforward, or complex, single-sourced, or
massively scaled, warehoused, or real-time, Azure and
Azure Data Studio Power BI have the built-in connectivity and integration
to bring business intelligence efforts to life.
Azure Data Studio is a cross-platform database tool for
data professionals using on-premises and cloud data Power BI has a multitude of Azure connections
platforms on Windows, macOS, and Linux. available, and the business intelligence solutions allow
for the creation of data insights unique to the business.
Azure Data Studio offers a modern editor experience Use Power BI to connect as few as one Azure data
with IntelliSense, code snippets, source control source, or many, and then shape and refine the data to
integration, and an integrated terminal. It's engineered build customized reports.
with the data platform user in mind, with the built-
in charting of query result sets and customizable See Enterprise business intelligence for a reference
dashboards. architecture using Power BI.

The source code for Azure Data Studio and its data
providers is available on GitHub under a source code Common Data Model
EULA that provides rights to modify and use the
software, but not to redistribute it or host it in a cloud The Common Data Model simplifies bringing together
service. data from multiple systems and creating a shared data
language for business and analytical applications to
use. The Common Data Model metadata system makes
it possible for data and its meaning to be shared across
applications and business processes such as Microsoft
PowerApps, Power BI, Dynamics 365, and Azure.
 The Developer’s Guide to Azure 78

Table 4.1 shows a comparison of the various capabilities

offered by the Azure suite of data analytics services:

* Services with an asterisk have a free tier to get started with at no cost.

Table 4.1: Data Analytics in Azure

 The Developer’s Guide to Azure 79

Azure Purview Chief data officers and compliance teams can gain a
bird's-eye view of their data, especially sensitive data,
with Purview Data Insights, to assess data usage across
the organization.
The growing amount of data you have today makes
it very difficult to discover and catalog. With Azure Additionally, Azure Purview enables the following:
Purview, you can have a central location for your data • Improved data tracking and understanding
catalog where you can register data sources across through metadata. Data remains at its source
the enterprise. This enables better data understanding location, but a copy of the metadata is added to
and a central location that provides a seamless data Azure Purview with reference to the data source
consumption process. location. As metadata is indexed, a data source
search is easy and understandable to users.
As data becomes fundamental for maximizing
• Eliminates operational silos by enabling business
business value, managing and governing that data
and technical data analysts, data scientists, and
across growing on-premises, multi-cloud, and SaaS
data engineers to find trustworthy, valuable data.
environments is essential.
• Tracks data through lineage, thereby allowing a
view into data moves from one source to another
Azure Purview sets the foundation for effective data
through ETL processes and pipelines.
governance by helping with automated metadata
discovery, AI-powered classifiers, and end-to-end • Provides a better understanding of data changes

lineage. With the help of built-in connectors and and how data is affected by different processes

Apache Atlas APIs, unify data across on-premises, and applications.

across clouds, or in external SaaS apps such as Dropbox • Using classification and sensitivity label
and Slack. insights, the business can better track sensitive
information.
At the heart of Azure Purview is the data map, which
provides automated scanning and classification of See Data governance with Profisee and Azure
metadata at cloud scale. Purview for a reference architecture using Azure
Purview.
Data consumers across the business interact with the
data discovered in the Data Map using the Purview
Data Catalog. The Data Catalog enables effortless
discovery for data consumers by offering capabilities
such as semantic browse and search, business
glossaries, and visual data lineage.
 The Developer’s Guide to Azure 80

Azure IoT Azure IoT Hub

Solutions At the core of Azure IoT is Azure IoT Hub, a flexible

cloud Platform as a Service (PaaS) that connects,
monitors, and manages IoT devices in a secure and
scalable manner.
The recent explosion of IoT devices, such as sensors,
drones, and cameras, is driving significant growth in You can use IoT Hub to ingest massive amounts of
data at the edge. And the promise of 5G means even messages that typically come from IoT devices, such
more data, from more endpoints, in more places, as messages that contain data from temperature
providing even more of a need for intelligence and sensors. What's more, IoT Hub establishes two-way
analytics to be processed as close to the source as communication with devices and allows for the
possible. execution of code on devices.

These applications and features of these IoT devices When devices send messages to Azure IoT Hub, it can
are virtually unlimited, but they all tend to have one either store them or route them to another service, such
thing in common: they generate a lot of data. In many as Azure Event Grid, for analysis or action.
cases, it is not practical to forward that data to Azure
for processing, and it makes more sense to do the You can also create bidirectional communication
processing on the device, or even more likely, a specific tunnels using device streams. Azure IoT Hub device
edge device. streams facilitate the creation of secure bidirectional
TCP tunnels for a variety of cloud-to-device
Azure provides a robust and scalable platform for communication scenarios.
managing these devices and then getting valuable
insights from them.
Azure IoT Hub Device
Refer to the Azure IoT reference architecture to see
Provisioning Service
how all the following solutions work together.
The Azure IoT Hub Device Provisioning Service (DPS)
provides Azure IoT Hub with zero-touch, just-in-time
provisioning of devices to the appropriate IoT hub
without intervention, allowing for the provisioning of
devices in a secure and scalable manner.
 The Developer’s Guide to Azure 81

Azure IoT Central It's possible to run many Azure services at the edge to
help with certain scenarios—and the list of available
Azure IoT Central is a Software as a Service (SaaS) services keeps growing. For example, using Azure
offering that enables IoT developers to create rich IoT IoT Edge, it is possible to push the Azure SQL Edge
applications just by navigating through wizards. modules to devices and gain the power to stream,
collect, and process that data right on the edge device
There's no need to perform any coding or in-depth itself, whether it is in a connected, semi-connected, or a
configuration—IoT Central does it all by provisioning disconnected environment. Table 4.2 lists just some of
and configuring everything needed. these:

Azure IoT Central provides a jump-start in creating Use this on

Service goal
and running new IoT solutions via several industry- Azure IoT Edge

specific app templates for retail, energy, healthcare, Build and deploy AI models Machine Learning
and government. Alternatively, it is also possible to
start with a blank, custom app template to build a Customize computer vision Custom Vision
models for use cases Service
fully customized solution with Azure IoT Central.
Process real-time
Through app templates, it is possible to get up and Stream Analytics
streaming data
running very quickly, without the need for years of
Process events using
programming experience. However, if further control Azure Functions
serverless code
and customization are needed, it is possible to tweak
the solution according to solution requirements. SQL Edge Azure SQL Edge

Comply with Industry 4.0

Azure Industrial IoT
interoperability standards
Azure IoT Edge Build custom logic Custom module

In modern IoT applications, data processing can

occur in the cloud or on the device side. Device-side Table 4.2: Services available on Azure IoT Edge
processing is referred to as "edge computing”. Edge
computing is very useful for circumstances where it is
not possible to rely on a connection to the cloud. Using Azure IoT Edge, it is possible to run machine
learning algorithms locally and provide instant
Azure IoT Edge is managed from IoT Hub, enabling feedback on their findings to local applications.
the seamless transition of workloads to the edge. This
reduces the time spent by devices sending messages to See IoT Edge data storage and processing for a
the cloud and allows offline scenarios as well as faster reference architecture using IoT Edge.
reactions to status changes.
 The Developer’s Guide to Azure 82

Azure SQL Edge Azure Digital Twins

Microsoft has extended the most secure Microsoft SQL The world of IoT tends to lend itself to many IoT
engine and machine learning to the edge with Azure devices and sensors that function in connection
SQL Edge. By using Azure SQL Edge, devices gain the with environments and business systems. In many
ability to: cases, extra context must be added when attempting
• Stream, store, and analyze time series data using to understand the data IoT devices capture. This
time-windowing, aggregation, and filtering can include the environment in which the various
capabilities, and achieve deeper insights by devices operate.
combining data types such as time series
and graphs. For instance, for a temperature sensor, temperature
data by itself doesn't disclose much information
• Enjoy consistent app development and
without some extra context. When basic temperature
management, from the cloud to datacenters to
data is supplemented with external data, such as which
the edge—develop once and deploy anywhere.
room the sensor is in, what data other devices in the
• Conduct real-time scoring, detect anomalies,
room provide, how many people are in the room, or
and apply business logic at the edge using the
how people are moving in the room, a much better
built‑in machine learning (ML) capabilities.
picture of what the temperature data means is created.
• Process data at the edge before forwarding it By utilizing Azure Digital Twins, it is possible to more
to the datacenter and cloud storage to optimize effectively model the physical environment in which the
network bandwidth and cost. IoT devices reside.
• Deploy and update from Azure or the
enterprise portal for consistent security and Leveraging their domain expertise on top of Azure
turnkey management. With SQL Edge, gain Digital Twins' flexible modeling, enterprises can build
high availability and disaster recovery, as contextually aware solutions. With Azure Digital Twins'
well as industry-leading data protection and next-generation IoT solutions, customers can track the
security tools. past, control the present, and predict the future.
• Expand device architecture coverage to include
ARM-based devices on top of x64-based
architecture, choose Windows or Linux as
the operating system, and run SQL Edge in a
connected or disconnected environment.
 The Developer’s Guide to Azure 83

There are many scenarios where Azure Digital Twins can Windows for IoT
be helpful:
• Predicting maintenance needs for a factory Windows 10 IoT is a member of the Windows 10
family that brings enterprise-class power, security, and
• Analyzing real-time energy requirements for an
manageability to IoT. It leverages Windows' embedded
electrical grid
experience, ecosystem, and cloud connectivity, allowing
• Optimizing the use of available space for
organizations to create their IoT with secure devices
an office
that can be quickly provisioned, easily managed, and
• Tracking daily temperatures across several states seamlessly connected to an overall cloud strategy.
• Monitoring busy drone paths
• Identifying autonomous vehicles Windows 10 IoT comes in two editions:
• Analyzing occupancy levels for a building • Windows 10 IoT Core is the smallest member
• Finding the busiest cash register in a store of the Windows 10 family. While only running
a single app, it still has the manageability and
security expected from Windows 10.
Azure Digital Twins allows for the management of
• Windows 10 IoT Enterprise is a full version of
permissions to data and devices in the context of the
Windows 10 with specialized features to create
physical world. By leveraging Azure Active Directory
dedicated devices locked down to a specific set
(Azure AD), it is possible to specify that only certain
of applications and peripherals.
users can access data from a certain physical location.

QUICK Before attempting to manufacture a device, it's best to

START first prototype the device with Windows 10 IoT Core to
Get started by finding available gain an understanding of what features will be needed
rooms using Azure Digital Twins
and what configurations are required when it's time to
manufacture.

Azure Security Center for IoT Windows Server IoT 2019

Azure Security Center for IoT provides threat Windows Server IoT 2019 is a full version of Windows
prevention and analysis for every device, for both Server 2019 that comes with enterprise manageability
IoT Edge and IoT Hub, across the entire IoT solution. and security for your IoT solutions. Windows Server IoT
It provides unified visibility and control, along with 2019 comes with all benefits of Windows ecosystems,
adaptive threat prevention with built-in intelligent offering a seamless experience with familiar tools for
threat detection and response for your workloads both development and management.
wherever they reside—the edge, on-premises, in Azure,
or in other clouds.
 The Developer’s Guide to Azure 84

Acquire further knowledge on using Azure IoT solutions Learn more about data and data analytics in Azure by
in the following free learning path: downloading and reading the following free e-books:

RESOURCE RESOURCE
HUB HUB
Securely connect IoT devices to
Proof of concept playbook
the cloud

Azure Synapse Analytics Toolkit

Whatever your requirements for handling data are,
Azure has multiple options to choose from. For storing
data, you can choose different data storage options. For
transactions, you can choose between services that can
handle structured or unstructured data, or both. When
it comes to data analytics, you can choose between
different services that offer a premium data science
experience. In IoT, you can again choose between
different services that can accommodate any scenario.
The best part is that all these services come with built-
in integration with other Azure services and offer a
seamless developer experience. Azure data services
enable you to enrich your application, focus on what
matters, and develop faster and with higher quality.
 The Developer’s Guide to Azure 85

05 /
Adding
intelligence
to your
application
 The Developer’s Guide to Azure 86

The role of
AI in modern
application
development
Artificial intelligence (AI) brings human-like capabilities
into software. The ability to use AI and use it well can
distinguish a software product from its competitors,
streamline business processes, and reduce manual
labor costs.

AI capabilities can be categorized into four pillars: visual

perception, natural language processing, speech, and
decision-making.

Visual perception

Visual perception allows the application to see. AI can

interpret and process images and video streams
using Azure services such as Custom Vision, Face,
and Computer Vision that can automate image and
video analysis for many purposes, including security
and regulatory compliance. For example, AI can
identify people to ensure that they are in approved
work areas, identify whether they are wearing a
hard hat in designated areas, and use spatial analysis
to ensure a safe distance between a worker and
dangerous machinery.
 The Developer’s Guide to Azure 87

Natural language processing Decision-making

Natural language processing (NLP) allows an Decision-making AI can use data from past experiences
application to understand written and spoken to apply correlations to current situations and take
language. One of the most common application of appropriate actions. Use Azure Machine Learning
NLP is in digital assistant software. In addition, NLP is to develop custom models, or take advantage of
also used in online chatbots, language translation, and the powerful inferencing engine readily available
speech output (synthesis) scenarios. Leveraging Azure in the Anomaly Detector service. For example, the
services such as Text Analytics, Speech, and LUIS can health and efficiency of factory equipment directly
improve overall customer satisfaction. For example, impacts the profitability of a company. Therefore, the
implementing a chatbot on the company website that company can use sensors on the equipment to gather
can detect and converse with a user in their preferred real-time telemetry to obtain identifiable trends that
language. It can also identify the sentiment of an lead to failure. These trends are encapsulated in a
interaction as being positive or negative to recognize trained model and applied to the factory's incoming
potential areas of improvement and automation on telemetry data stream. This practice enables predictive
the website. maintenance, warding off unexpected downtime
and expense.

Speech

Speech AI recognizes speech input and can synthesize

spoken output. When combined with NLP, it enables
a human-computer interaction that is known as
conversational AI. As with the previous example
of a website chatbot that interprets text, the same
technology applies to the spoken word. The Azure
Speech service provides speech-to-text, text-to-
speech, speech translation, voice assistants, and
speaker recognition capabilities.
 The Developer’s Guide to Azure 88

Why choose Mission-critical

Azure AI? Azure AI services enable organizations to deploy

mission-critical AI solutions with confidence as they
are hardened for the most demanding workloads. It
provides features for high-use and in-demand services
Azure AI provides curated services built upon decades at Microsoft, such as Office, Xbox, and Microsoft Teams.
of research and responsible AI practices. Azure AI For example, over the course of a few months, more
provides the tools and technology to responsibly than 1.8 million hours of meetings were transcribed
deliver mission-critical AI solutions on your terms. in real time with Microsoft Teams. Over 1 billion
PowerPoint slides are consumed each day, and over 80
million personalized experiences are delivered daily on
On your terms Xbox. Performing at scale is one of the main focuses of
Azure AI.
Azure AI focuses on empowering developers of all
skill levels and enabling them to use the tools and Mature AI/ML organizations can leverage MLOps
languages of their choice. Azure bridges the gap by (also known as DevOps for machine learning) to
making AI accessible for all skill sets. ensure development, collaboration, model versioning,
validation, deployments, monitoring, and governance
Data scientists can use familiar tools to analyze data through efficient and reproducible pipelines.
and train models using Azure Machine Learning. In
addition, there are free-to-use standard libraries such
as PyTorch, TensorFlow, and scikit-learn as well as Responsible
notebook experiences that use popular languages like
R and Python. Lastly, Azure AI has an uncompromising commitment to
responsible AI. Azure AI is built upon the most trusted
Those entirely new to the AI and machine learning cloud, Azure. As a result, Azure boasts the best privacy
(ML) space can choose from a comprehensive set of controls, responsible AI capabilities, and the most
domain-specific pre-trained models or use AutoML compliance certifications of any cloud in the world.
to determine the best solution for a problem space. In
addition, visual tools are available to ease into AI, such This chapter provides an overview of Azure AI and
as Azure Machine Learning designer, Custom Vision, mixed reality services, including:
and Form Recognizer. • Azure Applied AI Services
• Azure Cognitive Services
In addition to supporting the most popular ML
• Azure Machine Learning
frameworks, Azure AI also provides model portability to
various form factors from devices, phones, databases, • Developer tooling for AI

and cloud services. Furthermore, Azure AI services • Mixed reality

allow exporting of models in the ONNX format, which
is optimal for model distribution.
 The Developer’s Guide to Azure 89

Azure Applied AI tool provides a visual canvas to author bots. Azure

Bot Service also provides integrations across multiple

Services channels/products and device form factors without

affecting the bot code. Using native integration with
Azure Cognitive Services gives the bot the ability to
speak, listen, and understand users.
Azure AI is a set of services built upon the Azure
infrastructure. These services are deeply integrated Digital virtual assistants can be built using Power
within Azure's data, app development, and compute Virtual Agents with little or no code. With Power
services and tools. Azure Applied AI includes services Platform and Azure Bot Service, you can use PaaS
like Azure Bot Service, Azure Form Recognizer, and or SaaS platforms and start developing in a way that
Azure Cognitive Search. The goal of Azure Applied AI makes sense for you. There is also seamless integration
is to provide responsible AI capabilities to modernize between Power Virtual Agents and Azure Bot Service.
existing business processes in an accelerated yet secure This integration enables professionals from multiple
fashion. Additionally, you can visit Azure Resources for disciplines to collaborate on a single solution,
AI developers for self-paced learning resources. democratizing the creation of some parts of the
conversational experience and accelerating innovation.

Azure Bot Service Azure Bot Service makes it easy to create a bot and
provides the following support:
Azure Bot Service provides the tools and frameworks • It provides a way for hosting and managing bots
necessary for building conversational AI solutions, such built using the Microsoft Bot Framework.
as a virtual assistant for a website. The complexity of
• It integrates natively with Cognitive Services.
interpreting the context of an interaction with each user
• It allows you to connect bots to customers'
and providing rich, sensible, human-like responses is
channels (Facebook, Microsoft Teams, Slack,
greatly simplified with AI.
and more).

The Bot Framework SDK is available for C#, Java, • It is a fully managed service in Azure.

JavaScript, and Python. Developing a bot using the Bot

Framework SDK does not require any Azure resources,
EXERCISE
as local development is possible via the SDK and the
Bot Framework Emulator tool. If a more code-free Create a bot with Azure Bot
experience is desired, the Bot Framework Composer Service
 The Developer’s Guide to Azure 90

Azure Form Recognizer a rich search experience over private, heterogenous

content in web, mobile, and enterprise applications.
Azure Form Recognizer is a data extraction service
There are many options available for working with
that applies advanced ML to accurately extract text,
Azure Cognitive Search and great features to make
key-value pairs, tables, and structures from documents.
searching easier for users, including the following:
Custom Azure Form Recognizer models can be trained
by manually labeling a few sample documents and then • Geo-search lets users explore data based on the
implementing them into a production environment, proximity of a search result to a physical location.
either on-premises or in the cloud. Azure Form • Language analyzers from Apache Lucene
Recognizer also provides prebuilt models for many and NLP from Microsoft are available in
popular documents, such as receipts, business cards, 56 languages.
invoices, and identity documents. • Semantic search capabilities, powered by deep
learning models that understand user intent,
Azure Form Recognizer also offers flexible and surface and rank the most relevant search results.
secure deployments to ingest data from documents
• Monitoring and reporting provide details
in the cloud or at the edge. Data extracted can then
surrounding search terms and how performing
be enhanced by applying search indexes, business
the search was.
automation workflows, and more. As with all Azure
• User experience features, such as sorting and
services, Azure Form Recognizer takes advantage of
paging search results, and intelligent filtering.
Azure's built-in enterprise-grade security to protect
data and model assets.
QUICK
START
Azure Cognitive Search Create your first Azure Cognitive
Search index in the portal

Azure Cognitive Search is the only cloud search service

with built-in AI capabilities that can enrich all types
of information, such as vision, language, speech, or
even custom models to identify and explore relevant Azure Metrics Advisor
content at scale. In addition, Azure Cognitive Search
uses decades of experience with the Microsoft natural Azure Metrics Advisor is an AI analytic service that
language stack currently integrated into Bing and proactively monitors metrics and diagnoses issues in
Office products. As a result, developers can spend more time series data. The service automates the process of
time innovating and less time maintaining a complex applying models to your data. It provides a set of APIs
cloud search solution. and web-based workspace for data ingestion, anomaly
detection, granular analysis, and diagnostics without
Azure Cognitive Search provides developers with requiring knowledge of ML concepts.
approachable infrastructure, APIs, and tools to build
 The Developer’s Guide to Azure 91

• Tracking faces and identifying who is in the video

Azure Metrics Advisor enables building AIOps,
and at what timestamp. Azure Video Analyzer
predictive maintenance, and business monitoring
has the same capability for audio, for which it
applications on top of the service. Azure Metrics
recognizes who is speaking and when.
Advisor can:
• The service recognizes visual text in a video,
• Analyze multidimensional data from multiple
such as text on a slide, and makes it part of
data sources
the transcript.
• Identify and correlate anomalies
• Azure Video Analyzer can perform sentiment
• Configure and fine-tune the anomaly detection analysis, identifying when something positive,
model used on your data negative, or neutral is said or displayed.
• Diagnose anomalies and help with root
cause analysis Figure 5.1 shows the results layout in the Azure Video
• Provide real-time notifications through email, Analyzer service:
web, Teams, and Azure DevOps hooks

GET
STARTED

Azure Metrics Advisor

Azure Video Analyzer

Figure 5.1: Demonstrating the results in the Video Analyzer portal
Azure Video Analyzer is built upon Azure Media
Services and Azure Cognitive Services. The Azure
Video Analyzer service can analyze and extract face, Figure 5.1 displays the result of creating a transcript
language, vision, and speech data from audio and of audio and video from a media file. The transcript
video files using a pre-built model. Media files may be is editable and translatable to other languages.
uploaded to the service using the Video Analyzer portal Azure Video Analyzer has also recognized text on
or the API. the slide behind the speakers and marks it as "OCR."
Azure Video Analyzer provides this functionality
In addition to many others, Azure Video Analyzer has
for individual applications by embedding the
the following key capabilities:
Cognitive Insights widget.
• Transcribing of text in a video. The resulting
transcript can be refined manually and used to TRY IT
train Azure Video Analyzer to recognize industry OUT

terms such as "DevOps." Upload your first video to Azure

Video Analyzer
 The Developer’s Guide to Azure 92

Azure Immersive Reader

Azure Immersive Reader is an inclusive tool designed

for implementing proven techniques to improve
reading comprehension for new readers, language
learners, and people with learning differences such
as dyslexia. Azure Immersive Reader also supports
translations to more than 100 languages.

With the Azure Immersive Reader client library, you can

leverage the same technology used in Microsoft Word
and Microsoft OneNote to improve accessibility in
custom applications.

QUICK
START
Make your first Azure Immersive
Reader request

In this section, we looked at Azure Applied AI services

and tools. Learn more at Azure Resources for AI
developers to follow a self-paced learning path. In the
next section, we will look at Azure Cognitive Services.
 The Developer’s Guide to Azure 93

Azure Cognitive Custom services, such as Custom Vision and Language

Understanding, provide pre-configured ML models

Services and a visual interface to train custom models using

domain‑specific data and imagery specific to the
application under development.

Azure Cognitive Services is a set of pre-trained, In addition to these services, Cognitive Research
customizable AI models based on Microsoft AI Technologies contain innovative APIs and SDKs for
research, enabling access to sophisticated language, researchers and developers looking for emerging
vision, decision-making, and speech capabilities cognitive capabilities. One such experimental service
through simple API calls. Azure Cognitive Services does is Project Gesture, which enables the AI model to
not require previous ML experience for integration. recognize gestures such as waving a hand and use them
In addition, many of these existing models are as actionable feedback in application user experiences.
extensible by training with custom data to fit specific
knowledge domains. Let's take a closer look at some Cognitive
Services offerings.
Cognitive Services provides a robust set of APIs to
incorporate ML and AI into applications. RESOURCE
HUB

Table 5.1 shows a series of categories and a list of APIs Hands on with AI
that are currently available. Note that this list keeps
growing, and we will cover a few of these services in the
Access a 4-week learning path
following sections.
to grow your skills and get
certified

Decision Language Speech Vision

Anomaly Language Speech-to- Computer

Detector Understanding Text Vision
Decision
Content QnA Maker Text-to- Custom
Moderator Speech Vision
Text Analytics In this category, we look at Cognitive Services
Personalizer Speech Face API
Translation offerings that help you make decisions based on
Translator
trends in data; we will cover the Anomaly Detector
Speaker
Recognition and Personalizer services.

* All services have a free tier that you can use to get started.

Table 5.1: A quick glance at the Cognitive Services APIs

 The Developer’s Guide to Azure 94

Anomaly Detector A list of examples of what a user may say (utterances)

Anomaly Detector allows embedding of anomaly is provided to the LUIS service to train a model. These
detection capabilities into applications. For example, examples could be "Book a flight to Seattle" or "Cancel
automated alerts, triggering emergency workflows, my flight to Washington D.C." From these utterances,
or providing a visual cue on a monitoring interface the intent of the user must be determined. An intent
for users to watch incoming time series data represents a task or action that the user wants to
for inconsistencies. accomplish. Thus, the intent is the purpose or the goal
of a user's utterance.
Using Anomaly Detector doesn't require any prior
experience in ML. The RESTful API enables developers After the LUIS service creates an ML model based on
to integrate the service into an application and process the examples provided, it can extract information from
it quickly. the natural language that users put in.

Personalizer STEP BY
Personalizer helps applications choose the most STEP

relevant content to show a user based on their user Create a new application in the
LUIS portal
behavior, collective trends, and real-time information
provided by the current context.

Content can be any unit of information, such as text, Translator

images, URLs, or emails. Personalization helps boost Translator is an AI service for real-time and batch
application usability and enhances user satisfaction, text and document translation. This service provides
as the Personalizer service is based on reinforcement translations across 90 languages and dialects, powered
learning capabilities. by the latest innovations in neural machine translation.

Translator supports various use cases, such as

Language translation for call centers, web page localization, and
internal enterprise communications.
Azure Cognitive Services also has services to help you
with language understanding and comprehension. With Translator, you can create customizable
translations by building custom models to handle
Language Understanding (LUIS) service domain-specific terminology. Translator also offers
Use the LUIS service to understand the semantic secure and flexible deployment options, including
meaning of what users are saying on social media, in deployment of Translator as a containerized application.
chatbots, or speech-enabled applications. For example,
let's look at how a user can book a flight using LUIS. QUICK
START

Get started with Translator

 The Developer’s Guide to Azure 95

This section looks at services for transcribing speech With Text-to-Speech, choose from more than 250
to text and converting text to speech to enable voices and 70 languages and variants. Differentiate
conversational experiences. This functionality is made applications using a customized voice and use voices
available in applications via the Speech SDKs available with different speaking styles and emotional tones
in multiple programming languages and via the full to fit specific use cases. The application of Text-to-
REST API. As with many Azure AI services, multiple Speech is common in text readers and customer
model deployment options are available. By deploying support chatbots.
models as a container, data does not need to leave
the cloud to be processed, resulting in a more secure With the level of customization available in
solution as the power of Speech services is brought Text‑to‑Speech, create lifelike voices that are unique
closer to the data. to an organization.

Speech-to-Text QUICK
Speech-to-Text is an AI service that accurately START

transcribes spoken audio to text. It allows quick and Get started with Text-to-Speech
accurate audio transcription in more than 85 languages
and variants.

Speech-to-Text enables the creation of customized

models to enhance accuracy for domain-specific Vision
terminology. It can extract additional value from
spoken audio by enabling search or analytics on In this category of Cognitive Services, we look at APIs
transcribed text or facilitating an action based that help you extract information and create meaning
on sentiment. from images and videos.

QUICK Custom Vision

START The Custom Vision service can train custom models
Get started with Speech-to-Text based on images specific to the application domain.
Creating a Custom Vision model is as simple as
uploading and labeling a few images to provide the
service with training data. While only five images
Text-to-Speech are required to begin the training process, more
Text-to-Speech is an AI service that converts text to images can be uploaded and tagged to create a more
lifelike speech. It enables building apps and services accurate model.
that speak naturally through speech synthesis.
 The Developer’s Guide to Azure 96

You can use custom models by making calls to the

Custom Vision API and providing it new images—the
service will identify objects it has been trained to seek.

The model created with the Custom Vision service

can be deployed to the "intelligent edge," meaning
the model and API can run somewhere other than the
cloud, such as on an on-premises server in a Docker
container or on a separate device, such as a phone.
This flexible deployment option enables disconnected
scenarios as these services run locally and do not
require an internet connection. A local deployment also
has a relatively small footprint—only the model and the
API need to be deployed, not the training data.

In addition to Custom Vision, the Computer Vision

API offers built-in intelligence to process images and
return information based on visual features. In addition,
Computer Vision boasts in-demand AI services such as
optical character recognition (OCR), Image analysis, and
Spatial analysis.

QUICK
START
Create your own Custom Vision
project

In summary, Microsoft Azure offers the most

comprehensive set of Cognitive Services offerings.
These services are pre-trained, customizable AI models
that are all based on Microsoft AI research. These
services do not require prior machine learning or AI
experience and are integrated into applications via
SDKs and REST APIs. Trained models are also portable
and consumable on-premises and in the cloud.
 The Developer’s Guide to Azure 97

Azure Machine
The ML process works as follows:

• Data containing patterns is collected and

Learning •
prepared for the ML algorithm.
The ML algorithm is used to train a model to
identify these patterns.
• The trained model is deployed so that it can be
Azure Machine Learning empowers developers
used to recognize patterns in new datasets.
and data scientists with a wide range of productive
• Applications use services or libraries to use
experiences for building, training, and deploying
the trained model and take actions based on
machine learning models more quickly. It also helps
the results.
accelerate the time to market and foster team
collaboration with industry-leading MLOps (DevOps for
machine learning). The crucial part of this process is that it is iterative.
Thus, the ML model can be improved constantly by
First, let's introduce ML. training it with new data and adjusting the algorithm to
distinguish correct results from wrong ones.

What is machine learning? RESOURCE

HUB

ML is a field of computer science that gives A data scientist's guide to

building on top of Azure AI
computers the ability to learn without being explicitly
programmed. ML is achieved using one or more
algorithm technologies, such as neural networks, deep
learning, and Bayesian networks.
Azure Machine Learning service
What's involved in ML? Figure 5.2 shows the basic
workflow of ML: Azure Machine Learning is applied in various scenarios,
such as predictive analytics, data recommendations,
and data classification. This platform appeals to new
and existing data engineers and data scientists as it
supports many popular languages, such as Python, R,
and the Azure CLI, and open-source technologies such
as TensorFlow, PyTorch, and scikit-learn. In addition,
AutoML and Azure Machine Learning designer provide
a low-code/no-code entry system for those who need
Figure 5.2: Basic workflow of ML
little assistance getting started with ML concepts.
 The Developer’s Guide to Azure 98

Azure Machine Learning is a complete service that Azure Machine Learning designer
offers end-to-end capabilities. Prepare data; train, test,
and deploy models, and track their lifecycle through the Azure Machine Learning designer is the code-
model registry. For example, a data scientist creates a free approach to prep data and train, test, deploy,
notebook to train and register a model. This notebook manage, and track machine learning models. There
can be run within Azure Machine Learning workspace, is no programming required—each step is visually
Synapse Notebooks, or Azure Databricks. The data constructed using drag-and-drop modules.
scientist can then deploy the model on a Kubernetes
container cluster in Azure Kubernetes Service. The Azure Machine Learning designer is a feature of
the Azure Machine Learning workspace resource. This
QUICK workspace acts as a centralized place to work with and
START store all the artifacts related to ML.
Get started with Azure Machine
Learning by using the Azure
portal In the designer, a project begins by creating a pipeline
from scratch or by starting with one of the many
prebuilt samples, including one for predicting
flight delays and another for customer relationship
Azure Machine Learning studio management (CRM) prediction:

Azure Machine Learning studio is the web portal

experience for data scientists and developers.
Azure Machine Learning studio combines no-code
(designer) and code-first (notebook) experiences as an
inclusive data science platform. Users can choose their
experience based on the type of project and the level
of their expertise. Azure Machine Learning studio also
offers an automated ML experience where multiple
ML experiments are run in parallel to identify the ideal
algorithm for a scenario, all via the studio's intuitive
user interface.

Figure 5.3: Using a custom R script for flight delay prediction

 The Developer’s Guide to Azure 99

Figure 5.3 shows a pipeline in Machine Learning

designer that uses a customized R script to predict
whether a scheduled passenger flight will be delayed
by more than 15 minutes. This particular pipeline was
created using the "Sample 6: Use Custom R Script—
Flight Delay Prediction" sample pipeline.

TUTORIAL

Predict automobile prices with

the designer

AutoML

Automated machine learning, also referred to as

AutoML, automates the time-consuming, iterative
tasks of ML model development. Traditional ML model
development is resource-intensive, requiring significant
domain knowledge and time to produce and compare
dozens of models. This process is automated with
AutoML, resulting in obtaining production-ready ML
models quickly and efficiently.

During training, Azure Machine Learning spawns

several pipelines in parallel to analyze various
algorithms and parameters. Each iteration produces
a model with a training score. The higher the score,
the better the model is considered to "fit" your data.
AutoML will stop once it hits the exit criteria defined in
the experiment.

In this section, we looked at the tools and capabilities

that are part of Azure Machine Learning. Azure
Machine Learning can save time, improve model
accuracy, and enable reliable deployments when
building custom models.
 The Developer’s Guide to Azure 100

Developer tooling
for AI
This section looks at two main frameworks that can AI Toolkit for Azure IoT Edge
help developers infuse AI into their applications;
ML.NET and AI Toolkit for Azure IoT Edge. First, let's Using ML models locally on devices (the intelligent
explore these frameworks. edge) delivers a powerful advantage: it enables
disconnected, local processing on a device without
relying on an internet connection or incurring the
ML.NET latency of a web service call to get results.

ML.NET is an open-source and cross-platform ML The AI Toolkit for Azure IoT Edge provides tooling to
framework with support for macOS, Windows, and package machine learning models in Azure IoT Edge-
Linux. ML.NET brings ML to .NET developers, allowing compatible Docker containers and expose those models
them to integrate ML into new or existing web, as REST APIs. The Docker containers are deployed as an
mobile, desktop, gaming, and Internet of Things (IoT) IoT edge module on the device and run by to the local
applications. IoT Edge runtime infrastructure.

ML.NET Model Builder provides an easy-to- The AI Toolkit for Azure IoT Edge contains examples
understand visual interface to build, train, and deploy for getting started, is fully open source, and is
custom ML models. Prior ML expertise is not required. available on GitHub.
Model Builder supports AutoML, which automatically
explores different ML algorithms and settings to help In summary, using these frameworks allows developers
you find the one that best suits your scenario. to reuse all their knowledge and skillsets to start
building intelligent algorithms and experiences without
QUICK having to start from scratch. With ML.NET and Azure
START services such as Azure Machine Learning, developers
Get started developing on can be productive quickly and easily.
Azure AI
 The Developer’s Guide to Azure 101

Mixed reality
Applications are no longer limited to a 2D environment. Azure Spatial Anchors works with applications built
The world is now the canvas for applications. Various on Unity, ARKit, ARCore, and Universal Windows
IoT sensors, mixed reality, and computer vision are Platform (UWP) and are consumed with a HoloLens
combined with spatial intelligence to bring data to life device, iOS‑based devices supporting ARKit, and
in 3D. Android‑based devices supporting ARCore.

As with all Azure services, Azure Spatial Anchors and

Azure Spatial Anchors spatial data can be made accessible to users through
Azure Active Directory.
In the world of mixed reality, integrate digital
information within the context of a physical
TUTORIAL
environment. As an example, render a hologram of a
Get started by sharing spatial
game character on the kitchen counter. With Azure anchors across sessions and
Spatial Anchors, digital content is placed in physical devices
locations and consumed by users using your choice of
devices and platforms.

Here are some example use cases enabled by Remote Rendering

Spatial Anchors:
• Multi-user experiences make it easy for people When using 3D models in scenarios such as design
in the same place to participate in shared mixed- reviews and medical procedure plans, they need to be
reality experiences. as detailed as possible—every detail matters.

• Way-finding is a method of connecting two or

With Remote Rendering, 3D models are rendered in
more spatial anchors and creating a relationship
the cloud and streamed to devices in real time—with
between them. These connected points of
no compromise in visual quality.
interest make an experience where the user must
interact with them to complete a task.
• Persisting virtual content in the real world
can enable a user to place an object (such as a
calendar) on a room wall that people can see
using a phone application or a HoloLens device.
 The Developer’s Guide to Azure 102

Azure Kinect DK

Azure Kinect DK is a developer kit with advanced AI

sensors that provides sophisticated computer vision
and speech models. Kinect contains depth sensors, a
spatial microphone array with a video camera, and an
orientation sensor as an all-in-one small device with
multiple modes, options, and SDKs.

The Azure Kinect DK development environment

consists of multiple SDKs:
• A Sensor SDK for low-level sensor and
device access
• A Body Tracking SDK for tracking bodies in 3D
• A Speech Cognitive Services SDK for enabling
microphone access and Azure cloud-based
speech services

This chapter covered the many Azure services and tools

that can help build intelligent apps and services. The
choice to consume a prebuilt model or to develop a
new custom model is available to all skill levels. Azure
AI services allow you to build on your own terms and
deploy mission-critical workloads with enterprise-grade
security and scalability.
 The Developer’s Guide to Azure 103

06 /
Securing
your
application
 The Developer’s Guide to Azure 104

How can Azure

help to secure
your application?
Have you ever had a security incident with one of
your applications? You might have had one without
even knowing it. With Azure, you can protect data,
applications, and infrastructure with built-in security
services that include security intelligence to help you
rapidly identify evolving threats, enabling you to
respond promptly.

Azure can also help you implement a layered, in-depth

defense strategy across identity, data, hosts, and
networks. With services like Azure Security Center, you
can get an overview of your security posture, protect
against threats, and view recommendations for how to
improve security.

Most importantly, you'll be notified as soon as there

might be a security incident—so you'll always know
whether there is a threat. This way, you can take
immediate steps to secure your assets.

In this chapter, we will cover the following topics to

help you understand how Azure can help you to secure
your application:
• Identity
• Application security
• Posture management
• App access and connectivity
• Logging and monitoring
• Encryption
 The Developer’s Guide to Azure 105

Identity The Azure AD enterprise identity service provides

single sign-on (SSO) and multi-factor authentication
to help protect your users from 99.9 percent of
cybersecurity attacks.
An important part of your application's security is
authenticating users before they can use it—but
authentication is not an easy thing to implement. Azure AD Application Proxy
You need to store user identities and credentials
somewhere, implement credentials management, Azure AD Application Proxy provides SSO and
create a secure authentication handshake, and so on. secure remote access for web applications hosted
In this section, we will look at some of the services on‑premises. Applications that you would likely want to
and tools that Azure offers to make it easy for you to publish include SharePoint sites, Outlook Web Access,
authenticate your users and secure your applications. or other line-of-business (LOB) web applications. These
on-premises web applications integrate with Azure AD,
the same identity and control platform used by
Microsoft identity platform Microsoft 365. End users can access your on-premises
applications the same way they access Microsoft 365
Microsoft identity platform (Azure Active Directory) and other SaaS applications integrated with Azure AD.
provides all of the things previously listed, and more,
out of the box. You store your user identities in Azure
AD and have users authenticate against it, redirect Azure AD Identity Protection
them to your application only after they have been
authenticated. Azure AD takes care of password Azure AD Identity Protection is a cloud-based tool
management, including resolving common scenarios that helps organizations protect user identities, as well
such as forgotten passwords. Azure AD Conditional as detecting and investigating identity-based risks.
Access takes this further to enable organizations to set The tool also enables the export of risk detection data
intelligent policies for granular access control. to your Security Information and Event Management
(SIEM) tool.
Since Azure AD is used by millions of applications every
day—including the Azure portal, Outlook.com, and Azure AD Identity Protection is powered by intelligent
Microsoft 365—it's able to more readily detect and algorithms that analyze 6.5 trillion daily signals from
act on malicious behaviors using Azure AD Identity Azure AD, Microsoft accounts, and Xbox accounts. This
Protection. For instance, if a user were to sign in to analysis enables you to take advantage of Azure AD
an application from a location in Europe and then, Identity Protection to identify many risk types, such
one minute later, sign in from Australia, Azure AD as leaked credentials, unfamiliar sign-in properties,
would flag this as malicious behavior and ask the malware-linked IP addresses, atypical travel, and
user for additional credentials through multi-factor many more.
authentication.
 The Developer’s Guide to Azure 106

DOCS Managed identities for Azure

Learn more about Azure AD resources
Identity Protection
How do you keep credentials out of your code
completely? You can start by using Key Vault, but where
do you store the credentials to connect to Key Vault?
The managed identities for Azure resources feature
Key Vault provides a solution. You can use managed identities for
a lot of services in Azure, including Azure App Service.
As part of your security architecture, you need a You simply fire up a managed identity with a button to
secure place to store and manage certificates, keys, enable your application to acquire Azure AD tokens at
and other secrets. Key Vault provides this capability. runtime and then use those credentials to access other
With Key Vault, you can store the secrets that your services, including Key Vault, Azure SQL Database, and
applications use in a single secured, central location Azure Storage. Credentials are managed completely
that leverages the FIPS 140-2 Level 2 validated by the infrastructure. Your application can simply
Hardware Security Module (HSM). authenticate with other services without you having to
worry about protecting or rotating credentials.

DOCS
LEARN
What is Key Vault? MORE
How to use managed identities
for Azure resources in App
Service and Azure Functions

One example of using Key Vault with a web application

is to use it to securely store a connection string. Your
application would get the connection string from Key
Vault instead of the configuration system. This way,
administrators can control the secrets, and developers
never need to worry about them. Key Vault also stores
SSL and other certificates used to secure the traffic to
and from your applications over HTTPS.
 The Developer’s Guide to Azure 107

Application Application Gateway

security Application Gateway is a dedicated virtual appliance

that provides an application delivery controller (ADC)
as a service. It offers various layer 7 load balancing
capabilities for your application and allows customers
Application security is about securing your applications, to optimize web farm productivity by offloading
their data, and the interactions between the different CPU-intensive SSL termination to Application Gateway.
components of your apps. In the previous section, we Application Gateway also provides other layer 7 routing
looked at authenticating your users. In this section, we capabilities, including the round-robin distribution of
cover the different Azure services that enable you to incoming traffic, cookie-based session affinity, URL
secure your applications. path-based routing, and the ability to host multiple
websites behind a single application gateway.

Azure Front Door

Azure Web Application Firewall
Azure Front Door is a global, scalable entry point
that uses the Microsoft global edge network to create Azure Web Application Firewall (WAF) is a managed,
fast, secure, and highly scalable web applications. cloud-native service that provides powerful protection
With Azure Front Door, you can transform your global for your web applications. Azure WAF helps protect
consumer and enterprise applications into robust, your web applications from malicious attacks and
high‑performing personalized modern applications common web vulnerabilities, such as SQL injection and
with content that reaches a global audience cross-site scripting.
through Azure.
Azure WAF detects malicious attacks, as defined in the
Azure Front Door provides enterprise-grade global OWASP Core Rule Set, and blocks those attacks from
load balancing to boost your applications' reliability, reaching your application. It also reports on attempted
performance, and security. With Azure Front Door, or ongoing attacks so that you can see active threats
you can always keep traffic on the best path to your to your application, thereby providing an extra layer
application, improve your service scale, reduce of security.
latency, and increase throughput for your global
users with edge load balancing, SSL offload, and LEARN
application acceleration. MORE
Read about Azure Web Application
Firewall
Azure Front Door also offers a modern content delivery
network (CDN) with built-in security. It protects you
against network- and application-layer attacks at the
edge with Web Application Firewall, Bot Protection, and
DDoS Protection.
 The Developer’s Guide to Azure 108

Azure WAF can also be seen as an overlay service on

top of Application Gateway and Azure Front Door. To
help you decide which service to use for your scenario,
Figure 6.1 shows a simple flow chart:

Figure 6.1: Decision tree for choosing the right Azure service based on your requirements
 The Developer’s Guide to Azure 109

Azure Firewall Azure DDoS Protection

Azure Firewall is a managed, cloud-native network You've heard about it on the news, and you certainly
security service that protects your Azure Virtual don't want it to happen to your enterprise: applications
Network resources. It's a fully stateful firewall as a are targeted by distributed denial of service (DDoS)
service with built-in high availability and unrestricted attacks all the time. These types of attacks are
cloud scalability. becoming more common and can overwhelm your
application to the point that no one can use it anymore.
Azure Firewall enables you to have centralized network- DDoS Protection offers protection from DDoS attacks
and application-level connectivity policy controls as through a free tier (Basic) and a paid tier (Standard).
well as intelligence-based traffic filtering. Azure Firewall
has built-in TLS inspection for your selected encrypted You don't have to do anything to enable the Basic
applications and offers the ability to detect and block tier—it's automatically enabled for every customer as
malicious traffic through an advanced IDPS engine. part of the Azure platform. This service protects your
applications against the most common DDoS attacks
You can use Azure Firewall to secure your Azure virtual by performing real-time monitoring and mitigation,
networks in hybrid connectivity scenarios through and it provides the same defenses as those used by
deployments behind VPN and ExpressRoute gateways. Microsoft Online Services (MOS).

LEARN The Standard tier provides additional mitigation

MORE capabilities that are tuned specifically to Azure Virtual
Read about Azure Firewall Network resources. It's simple to enable, and you
don't have to change your applications—everything
is done at the network level. Plus, with the Standard
tier, you can customize the Basic tier protection with
your own policies that focus on your specific use cases
and applications.

DOCS

Azure DDoS Protection

 The Developer’s Guide to Azure 110

Posture Continuous assessment helps you discover potential

security issues, such as systems with missing security

management updates or exposed network ports. A list of prioritized

findings and recommendations can trigger alerts or
other guided remediation.

Securing your application is a dynamic challenge

DOCS
that requires you to have the right tools to monitor
and investigate threats quickly and efficiently. This Azure Security Center
is where you will need tools such as Azure Security
Center and Azure Defender to have a centralized
view for monitoring and policy controls. Depending
on your needs and the security requirements of your
organization, you might be able to address all your Azure Defender
requirements with Azure Security Center, or you might
need to look into Azure Defender. Azure Defender is a cloud-native tool that provides
threat protection for workloads running in Azure,
on‑premises, and in other clouds. It's natively
Azure Security Center integrated with Azure Security Center and can integrate
with your existing security workflows, such as SIEM
Azure Security Center provides unified security solutions and vast Microsoft threat intelligence, to
management and advanced threat protection across streamline threat mitigation.
hybrid cloud workloads. It offers centralized policy
controls to limit exposure to threats and rapidly find Azure Defender protects your hybrid cloud workloads
and fix vulnerabilities. against threats. Azure Defender enables extended
detection and response (XDR) capabilities to protect
In addition, Security Center supports integration with your workloads against threats such as remote desktop
third-party solutions and can be customized with protocol (RDP) brute-force attacks and SQL injections.
automation and programming capabilities.

You can use Security Center to analyze the security

state of your compute resources, virtual networks,
storage and data services, and applications.
 The Developer’s Guide to Azure 111

You can use Azure Defender to ensure the security of

your Azure resources. It protects your data in Azure
VMs, on-premises, and in other clouds, and it detects
unusual attempts to access storage accounts and
malware uploads to Azure Storage. Azure Defender can
also scan container images in Azure Container Registry
for vulnerabilities and protect Azure Kubernetes
Service instances.

DOCS

Azure Defender

Protect your web apps and APIs

with Azure Defender

BLOG

Azure Defender in the

deployment process
 The Developer’s Guide to Azure 112

App access and API Management

connectivity APIs should be secure. This is true for APIs you create
yourself as well as those from third-party vendors.
To assist in making your APIs secure, you can use
API Management. This is basically a proxy you put
In this section, we will look at the Azure services and in front of APIs that adds features such as caching,
tools that can enable you to secure the connectivity throttling, and authentication or authorization.
of, and access to, your application. We will review tools
and services to help you secure your APIs and connect With API Management, you secure an API by
securely to your virtual machines (VMs), and we'll requiring users to create a subscription to it. This way,
see how you can securely connect your on-premises applications need to authenticate before they can use
network to Azure. your API. You can use various authentication methods,
including access tokens, basic authentication, and
certificates. Additionally, you can track who's calling
Azure Bastion your API and block unwanted callers.

Azure Bastion is a fully managed PaaS offering that API Management supports multiple pricing tiers up to
provides secure and seamless RDP and SSH access to 99.95% SLA guarantee. The Consumption pricing tier
your VMs directly through the Azure portal. Azure offers the ability to have the API Management service
Bastion is provisioned directly in your virtual network automatically scale to handle the load.
and supports all the VMs in your virtual network using
SSL (Secure Socket Layer) without any exposure through While security is critical, API Management offers
public IP addresses. other capabilities that can help streamline your
development and testing workflow, such as test
With Azure Bastion, you can limit the public exposure data response mocking, publishing multiple API
of your VMs' IP addresses. Exposing the Bastion host versions, introducing non-breaking changes safely
as the primary exposed public access point helps to with revisions, and giving developers access to your
reduce public internet exposure and limit threats such API's autogenerated documentation, catalog, and
as port scanning and other types of malware targeting code samples.
your VMs.

TUTORIAL
LEARN
MORE Get started with API Management
Read about Azure Bastion
 The Developer’s Guide to Azure 113

Azure VPN Gateway private zones removes the need to introduce custom
DNS solutions that could increase the overall attack
One of the many options for connecting Azure to surface with independent updating and management
your on-premises network is VPN Gateway. This requirements.
lets you set up an encrypted site-to-site (S2S) VPN
connection between an Azure virtual network and your
DOCS
on‑premises network.
Read more about DNS private
zones
Because the traffic is encrypted, it's secure—even when
it travels over the public internet. VPN Gateway can
send encrypted traffic between Azure virtual networks
over the Microsoft network.
Cross-premises VPNs
You can also create encrypted point-to-site (P2S)
connections from your computer to Azure. This way, Azure supports two types of cross-premises VPN
you have your own private, secure connection to Azure connections: P2S VPN and S2S VPN. A P2S VPN
even when you're on the road. connection lets you create a secure connection to your
virtual network from an individual client computer.
TRY IT This type of connection is established from the client
OUT computer, which is useful for telecommuters who want
Get started by creating an Azure to connect to Azure virtual networks from a remote
VPN gateway with PowerShell
location. A P2S VPN is also useful when you have
only a few clients who need to connect to a virtual
network. In contrast, an S2S VPN connection is used
to connect your on-premises network to an Azure
Azure DNS private zones virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN
tunnel. This type of connection requires a VPN device
The DNS is responsible for translating (or resolving) located on‑premises that has an externally facing public
a service name to its IP address. Azure DNS is a IP address.
hosting service for DNS domains, providing name
resolution using the Azure infrastructure. In addition to
DOCS
internet‑facing DNS domains, Azure DNS now supports
private DNS domains as a preview feature with Azure Read more about P2S VPNs
DNS private zones. Security benefits arising from
private DNS zones include the ability to create a split
DNS infrastructure. This enables you to create private
Read more about S2S VPNs
and public DNS zones with the same names without
exposing internal names. In addition, the use of DNS
 The Developer’s Guide to Azure 114

Azure ExpressRoute

Azure ExpressRoute lets you extend your on‑premises

networks into the Microsoft cloud over a secure
private connection facilitated by a connectivity
provider without traversing the public internet. With
ExpressRoute, you can establish a private connection to
Microsoft cloud services, such as Azure, Microsoft 365,
and Dynamics 365.

Azure Load Balancer

You can use load balancers to increase the availability

of applications. Azure supports both external and
internal load balancers, which can be used in a public
or internal configuration.

In addition, you can configure load balancers to

support high-availability (HA) ports, where an HA ports
rule is a variant of a load balancing rule configured on
the internal standard load balancer. You can provide
a single rule to load balance all TCP and UDP flows
arriving on all ports of an internal load balancer.

LEARN
MORE
Read about load balancer and
HA ports rules
 The Developer’s Guide to Azure 115

Logging and Azure Sentinel's built-in workflow orchestration and

task automation.

monitoring QUICK
START

Get started with Azure Sentinel

Being able to record and explore logging and
monitoring data is a critical part of any security
strategy. You need tools and services that enable you to
monitor and investigate threats, issues, and risks as they
arise. In the following sections, we will review the Azure Azure Monitor
tools and services that can help you collect and analyze
logging and monitoring data. Azure Monitor enables basic monitoring for Azure
services by collecting metrics, activity logs, and
diagnostic logs. The metrics collected provide
Azure Sentinel performance statistics for different resources, including
the operating system associated with a VM.
To get a good overview of the security status of your
organization and all of its users, applications, services, The activity log will show you when new resources
and data, you can use a security information and event are created or modified. You can view this data with
manager (SIEM) and security orchestration automated one of the explorers in the Azure portal and send it to
response (SOAR) platform. Azure now offers an Log Analytics for trends and detailed analysis, or you
AI‑powered SIEM and SOAR solution in the form of can create alert rules that will proactively notify you of
Azure Sentinel. critical issues.

Use Azure Sentinel to collect data from your

organization, including data about users, applications, Azure Monitor Logs
servers, and infrastructure assets such as firewalls and
devices running in the cloud and on-premises. It's easy Azure Monitor Logs contains different kinds of data
to collect data from your organization with the built-in organized into records with different sets of properties
connectors. As data is being collected, Azure Sentinel for each type. Azure Monitor Logs is especially useful
detects security threats and minimizes false positives for performing complex analysis across data from a
with its smart machine learning algorithms. variety of sources.

When there is a threat, you'll be alerted and can Log Analytics within Azure Monitor allows you to write,
investigate it with AI, utilizing decades of cybersecurity execute, and manage Azure Monitor log queries in the
work at Microsoft. You can respond to incidents with Azure portal.
 The Developer’s Guide to Azure 116

Azure NSG flow logs Azure Security and Compliance

Blueprint
A feature of Network Watcher, Azure NSG flow logs
allow you to view information about ingress and egress Azure Security and Compliance Blueprint for HIPAA/
IP traffic through a network security group (NSG). Flow HITRUST – Health Data & AI provides tools and
logs can be analyzed to gain information and insights guidance to help deploy a platform as a service (PaaS)
into network traffic and security, as well as performance environment for compliance with the Health Insurance
issues related to traffic. Portability and Accountability Act (HIPAA) and the
Health Information Trust Alliance (HITRUST).
While flow logs target NSGs, they are not displayed in
the same way as other logs and are stored only within a This PaaS offering supports ingesting, storing,
storage account. analyzing, and interacting with personal and
non-personal medical records in a secure, multi-
tier cloud environment deployed as an end-to-end
Application Insights solution. The blueprint showcases a common reference
architecture that could be applied to use cases beyond
Application Insights is an extensible application healthcare and is designed to simplify the adoption
performance management (APM) service for web of Azure.
developers on multiple platforms. It includes powerful
analytics tools to help you diagnose issues and
DOCS
understand what users do with your application. It
works for applications on a variety of platforms hosted Read more about the Azure
Security & Compliance Blueprint
on-premises or in the cloud, including .NET, Node.js,
and J2EE.

Application Insights integrates with your DevOps

process and has connection points to a variety of
development tools. It can monitor and analyze
telemetry from mobile applications by integrating with
Visual Studio App Center.
 The Developer’s Guide to Azure 117

Azure security technical and

architectural documentation
Azure maintains a large library of security technical
documentation that supplements security information
with individual services. White papers, best practices
documents, and checklists are included on the Azure
security information page.

Also covered are core public cloud security topics

in diverse areas, including network security, storage
security, compute security, identity and access
management, logging and auditing, cloud workload
protection, PaaS security, and more.

Learn more about Azure security by using the following

free resources:

RESOURCE
HUB

Read more about Azure security

DOCS

Secure your cloud applications

in Azure

Azure security baseline for

App Service
 The Developer’s Guide to Azure 118

Encryption
• Always Encrypted encrypts data within client
applications prior to storing it in Azure SQL
Database. It allows the delegation of on-premises
database administration to third parties and
maintains separation between those who own
By default, your data is encrypted in Azure when it's
and can view the data and those who manage it
stored in Azure SQL Database, Azure Synapse Analytics
but should not access it.
(formerly Azure SQL Data Warehouse), Azure Database
• Azure Cosmos DB requires no action from
for MySQL, Azure Database for PostgreSQL, Azure
you—user data stored in Azure Cosmos DB
Storage, Azure Cosmos DB, or Azure Data Lake Storage.
in non‑volatile storage (solid-state drives) is
All this encryption works automatically, and you don't
encrypted by default, and there are no controls
need to configure anything when you use it.
to turn it on or off.

To help meet your security and compliance

requirements, you can use the following features to You can use the following features to encrypt data
encrypt data at rest: in transit:
• Azure Disk Encryption encrypts Windows • VPN Gateway can be used to encrypt traffic
and Linux infrastructure as a service between your virtual network and your
(IaaS) VM boot and data volumes using on‑premises location across a public connection,
customer‑managed keys. or between Azure virtual networks.
• Azure Storage encryption automatically • TLS/SSL encryption protects data when it's
encrypts data prior to persisting in Azure traveling between cloud services and customers.
Storage, and then automatically decrypts the TLS (Transport Layer Security) provides strong
data when you retrieve it. authentication, message privacy, and integrity.
• Azure client-side encryption supports • SMB 3.0 encryption in VMs running Windows
encrypting data within client applications before Server 2012 or later can be used to make
uploading it to Azure Storage or other endpoints transfers secure by encrypting data in transit over
and then decrypting data when downloading it Azure virtual networks.
to the client.
• Transparent Data Encryption (TDE) encrypts Over the last few pages, we looked at the different
SQL Server, Azure SQL Database, and Azure services and tools that Azure offers to help you secure
Synapse Analytics data files. Data and log your application. As we have seen, securing your
files are encrypted using industry-standard application in Azure is a shared responsibility between
encryption algorithms. Pages in a database are you and Azure. Azure provides lots of good tools to
encrypted before they're written to disk and are secure your application and data by default, such as
decrypted when they're read. out-of-the-box encryption and SSL certificates for your
apps. Now, it's your turn to use the services and tools
we reviewed in this chapter to secure your application
in Azure.
 The Developer’s Guide to Azure 119

07 /
Deploying your
services and
optimizing costs
 The Developer’s Guide to Azure 120

How can Azure

help you deploy
your services and
optimize costs?
Azure has cloud services for every type of organization, It's also possible to develop applications in containers
including those that need Azure for their datacenters. and deploy them in containers, on-premises, or in the
You can deploy your applications either on the public Azure cloud. Additionally, you can script your complete
Azure cloud, on-premises, or even on other cloud infrastructure by means of infrastructure as code
platforms. You can also manage your on-premises (IaC) using tools such as Azure Resource Manager
applications hosted on virtual machines (VMs) or in templates, Bicep, and Terraform.
Kubernetes seamlessly from the Azure portal through
the use of Azure Arc. You get to choose how portable Let's explore these options in more detail.
your applications should be.

With Azure Arc-enabled app services, you can host

Azure app services within a Kubernetes cluster that has
been onboarded with Arc. Currently in public preview,
this allows you to deploy to targets such as web apps,
logic apps, and functions within a cluster and manage
them like any app service from the Azure portal. This
means you can utilize Kubernetes for your application
needs and use the Azure portal for a single-pane-of-
glass management experience. It also enables you to
deploy and run Azure services in Kubernetes clusters
that are on-premises or even on different clouds,
expanding your ability to deploy and centralizing
management in a convenient one-stop shop.
 The Developer’s Guide to Azure 121

Infrastructure Azure Resource Manager

templates
as code All Azure services introduced in this guide are based
on Azure Resource Manager, which you can use to
document your environment using IaC thanks to Azure
IaC captures environment definitions as declarative Resource Manager templates. These templates are
code, such as JSON documents, for automated JSON files that describe what you want to deploy and
provisioning and configuration. This enables you to what the parameters are.
use the same version control used for source code with
infrastructure deployment templates. It's easy to create Azure Resource Manager templates
in Visual Studio and Visual Studio Code using Azure
There are many benefits of using IaC:
resource group project templates. You can also
• It lowers the potential for human error while generate Azure Resource Manager templates from the
deploying and managing infrastructure. Azure portal by clicking the Automation Script button,
• It deploys the same template multiple times which is available on the menu bar of every resource
to create identical dev, test, and production in the Azure portal. This creates the Azure Resource
environments. Manager template for the given resource and even
generates code for building the resource using the
• It means the cost of development and test
Azure CLI, PowerShell, .NET, and others.
environments can be reduced by creating them
on demand.
After you have an Azure Resource Manager template,
The more you automate and catalog with version you can deploy it to Azure by using PowerShell,
control, the higher confidence levels in the reliability the Azure CLI, Visual Studio, and the Azure portal.
and quality of your IaC definitions will rise. When Alternatively, you can automate its deployment in a
consistency is reached, the risk threshold is lowered, continuous deployment pipeline using Azure DevOps
allowing more frequent deployments. This paves the or GitHub Actions.
way for acceleration in other areas, such as canary
testing, A/B or blue/green deployments, and more. A great example of deploying resources to the cloud
using Azure Resource Manager is the Deploy to Azure
Choosing an IaC provider is a decision that should button found in many GitHub repositories.
not be made lightly. While providers have similarities
between them, each may have nuances that could
help (or hurt) your overall automation strategy. Your Introducing Bicep
particular use cases for IaC will ultimately guide you to
the appropriate choice for your application. Bicep is a new flavor of IaC, developed and published by
Microsoft. It uses the same underlying Azure Resource
Manager model to create infrastructure, but uses a
YAML-based syntax to provide greater readability.
 The Developer’s Guide to Azure 122

The domain-specific language behind Bicep Terraform with Azure

declaratively defines resources and allows you to have
a first-class authoring experience in Visual Studio and Hashicorp's Terraform is an open-source tool for
Visual Studio Code. provisioning and managing cloud infrastructure.
Terraform's template-based configuration files enable
Some benefits of using Bicep over other IaC you to define, provision, and configure Azure resources
methods include: in a repeatable and predictable manner.
• Support for all Azure resource types, even those
in preview Terraform is great for deploying infrastructure
across multiple cloud providers and on-premises.
• A simple syntax that makes Bicep files easier to
This enables consistent tooling for managing each
read and manage in comparison to JSON
infrastructure definition within Azure and across other
• A first-class authoring experience, including rich
cloud providers.
type-safety and IntelliSense
• A flexible model that allows you to break code Terraform's template-based configuration files enable
up into reusable modules, allowing for sets of you to define, provision, and configure Azure resources
resources to be deployed in one module in a repeatable and predictable manner.
• Integration with other Azure services, such as
Policy, template specs, and Blueprints Terraform shares a lot of capabilities with Azure
• A stateless run model, where no infrastructure Resource Manager templates. However, it also includes
state (or state files) are required the ability to create reusable modules for deploying
• Open-source and free to use and configuring infrastructure. These modules can
be shared across multiple Terraform projects or even
While still in its early stages, Bicep holds promise in used multiple times within the same project. This
terms of readability and composition, especially if can be leveraged to save a lot of time automating
you are already used to YAML formatting with other infrastructure deployments.
deployment types such as Kubernetes. The stateless
nature of Bicep may also be appealing to those who
may not like managing state files, especially if there is a Additional IaC tools
need for remote state storage.
There are additional IaC tools that can be used. You
can bring your existing skills and tools, including
DOCS
Ansible and Chef, to provision and manage Azure
Set up Bicep development and infrastructure directly.
deployment

Compare Bicep and JSON side by

side using Bicep Playground
 The Developer’s Guide to Azure 123

Azure Blueprints
It's easy to use Azure Resource Manager templates,
resource groups, user identities, and access rights and
policies to design and create a complete infrastructure.
But how do you keep all of these things together? And
how do you keep track of which environments each
piece of infrastructure has been deployed to and which
version of the artifact is deployed now?

Organize all your infrastructure artifacts with Azure

Blueprints. Azure Blueprints provides a mechanism
that allows you to create and update artifacts, assign
them to environments, and define versions. You can
store and manage these artifacts as well as manage
their versions and relate them to environments.

This will help you to organize your infrastructure

and create a context for Azure Resource Manager
templates, user identities, resource groups, and policies.

Azure Blueprints enables you to simplify large-scale

Azure deployments by packaging key environment
artifacts into a single blueprint definition. Then, you
can easily apply the blueprint to new subscriptions
and environments, including fine-tune control and
management through versioning.

QUICK
START
Get started by defining and
assigning an Azure blueprint in
the Azure portal
 The Developer’s Guide to Azure 124

Tracking your You can use the Azure portal or various APIs for export
automation to integrate cost data with external systems

Azure usage and processes. Automated billing data export and

scheduled reports are also available.

TUTORIAL
With Azure products and services, you only pay for
what you create and the Azure resources you use. It's Optimize costs from
recommendations
important to keep track of what you are using and the
costs involved.

Azure Cost Management Azure Advisor

and Billing
Azure Cost Management also works with Azure Advisor
Using Azure Cost Management and Billing, you can to provide cost optimization recommendations. Azure
monitor and control Azure spending and optimize Advisor helps you optimize and improve efficiency by
your Azure resource usage. Azure Cost Management identifying idle and underutilized resources.
gives you the tools to plan, analyze, and reduce your
spending to maximize your cloud investment. Azure Advisor, for example, monitors your VM usage
for seven days and then identifies underutilized VMs.
Reports in Azure Cost Management show the usage- VMs whose CPU utilization is five percent or less, and
based costs of Azure services and third-party Azure whose network usage is seven MB or less for four or
Marketplace offerings. Costs are based on negotiated more days, are considered low-utilization VMs.
prices and factor in reservations and Azure Hybrid
Benefit discounts. Collectively, the reports show
your internal and external costs for usage and Azure
Marketplace charges.
 The Developer’s Guide to Azure 125

Creating a
billing alert
Azure Cost Management alerts can be used to Cost alerts can easily be viewed within the Azure portal.
monitor your Azure usage and spending. Cost alerts All alerts will show the alert type. A budget alert shows
are automatically generated based on when Azure the reason why it was generated and the name of the
resources are consumed. Alerts show all active cost budget it applies to. Each alert shows the date it was
management and billing alerts together in one place. generated, its status, and the scope (subscription or
management group) that the alert applies to.
When your consumption reaches a given threshold,
alerts are generated by Azure Cost Management. The possible statuses for alerts include "active" and
There are three types of cost alerts: "dismissed." An active status indicates that the alert is
• Budget alerts notify you when spending, still relevant. A dismissed status indicates that someone
based on usage or cost, reaches or exceeds the has marked the alert to set it as no longer relevant.
amount defined in the alert condition of the
budget. Azure Cost Management budgets are Select an alert from the list to view its details. Alert
created using the Azure portal or the Azure details show more information about the alert. If a
Consumption API. recommendation is available for a budget alert, then a
link to the recommendation is also shown. You can also
• Credit alerts notify you when your Azure
navigate to Cost analysis, where you can explore costs
credit monetary commitments are consumed.
relating to the alert's scope.
Monetary commitments are for organizations
with enterprise agreements. Credit alerts are
generated automatically at 90% and 100% of
your Azure credit balance. Whenever an alert is
generated, it's reflected in cost alerts and in the
email sent to the account owners.
• Department spending quota alerts notify
you when department spending reaches a fixed
threshold of the quota. Spending quotas are
configured in the EA portal.
 The Developer’s Guide to Azure 126

How to use Azure

Billing APIs
Azure Billing APIs can be used to pull usage and
resource data into your preferred data analysis tools.
These APIs are implemented as a resource provider
and are part of the family of APIs exposed by Azure
Resource Manager.

There are three Azure Billing APIs available:

• Usage API: Used to get consumption data for an
Azure subscription
• RateCard API: Used to get meter (AKA resource)
metadata information along with prices
• Invoice API: Used to download invoices

Azure Billing APIs are exposed as REST APIs that can be

integrated into custom application scenarios. They can
be used to get better insights into your cloud spend
during the month, your estimated consumption, and
a few other things. They can be queried and stored in
a database for later use, or they can be integrated into
reporting solutions such as Power BI to give greater
flexibility when accessing and displaying billing data.

As we've seen throughout this chapter, there are many

options available for not just cloud services, but also for
codifying configurations using IaC via several different
providers. Using platform-native tools such as Azure
Cost Management and Azure Advisor, you can get
a clear picture of your spending as well as areas for
right-sizing. Alerts can be created to monitor specific
spending trends, and reporting is easy using the built-in
Azure Billing APIs.
 The Developer’s Guide to Azure 127

08 /
Microsoft
Azure in
action
 The Developer’s Guide to Azure 128

Navigating the This opens the search box for Azure Marketplace, where
you will find everything from web applications to Linux

Azure portal servers, as shown in Figure 8.1:

In this section, you will learn how to develop your first

web application and database in Azure. For those who
are new to Azure, we have provided you with a quick
tour of Azure, starting with the Azure portal.

The Azure portal is a web-based, unified console that

provides an alternative to command-line tools. You can
manage your Azure subscription with the Azure portal
and build, manage, and monitor everything from simple
web apps to complex cloud deployments. It allows you
to create custom dashboards for an organized view of
resources and configure accessibility options for the
best experience.

Dashboards provide a focused view of the resources

in your subscription that matter to you the most. The
default dashboard is provided to get you started. You
can customize this dashboard to bring the resources
you use frequently into a single view.

Any changes you make to the default view, only affect

your experience. However, you can create additional
dashboards for your own use or publish customized
dashboards and share them with other users in
your organization.
Figure 8.1: Azure Marketplace pane

Finding and adding services in the Azure portal can

be done in several ways. To create new services, select
+ Create a resource on the Azure home screen, or do
the same within the left-hand navigation menu, which
can be expanded by selecting the hamburger icon in
the upper-left corner of the Azure portal.
 The Developer’s Guide to Azure 129

The Azure Marketplace pane is pre-populated with

popular services grouped into categories. If this list
does not include what you are looking for, then you
can use the Search services and marketplace box to
type in a search keyword. When you find the service
you want from the search results, you need to select
it and a wizard will take you through its configuration
and deployment.

To learn more about how to navigate the Azure portal,

use Azure Quickstart Center, a guided experience
in the Azure portal available to anyone who wants to
improve their knowledge of Azure. For organizations
new to Azure, it is the fastest way to onboard and set up
your cloud environment.

Check out this quickstart tutorial and other

additional resources.

TUTORIAL

Create a Linux VM in the

Azure portal

Get started with Azure

Weekly webinar: Azure demo and

live Q&A

Now, let’s use the Azure portal to create a new VM.

 The Developer’s Guide to Azure 130

Develop your For example, if a user creates a to-do item with the text
"family dinner next Friday at 7:00 PM," the application

first web app and will create a calendar item for that specific Friday at 7:00
PM with the subject "family dinner."

extend it with This can be set up using the Logic Apps feature

Logic Apps and

of Microsoft Azure App Service and Language
Understanding (LUIS), as follows:

Cognitive Services
• The .NET Core application writes the to-do item
in the SQL database.
• The logic application is triggered by every new
row created in the database.
• The logic application takes the to-do item text
We will use this tutorial to develop and deploy a sample
and passes it to LUIS.
to-do list application to Azure. You will learn how to
create a .NET Core app and a SQL database in Azure, • LUIS analyzes the text and creates a calendar

connect the app with the database, and deploy it to item in your Microsoft 365 calendar if the text

Azure App Service. You will also learn how to update the contains a date and time.

data model and redeploy the app, stream diagnostic logs

from Azure, and manage the app in the Azure portal. You don't have to change your application to add this
functionality. Logic Apps and Cognitive Services are
To prepare for this tutorial, you will need additional services that simply analyze the data that's
Git v2 or higher, .NET Core, and Visual Studio Code already there.
installed on your device.

Creating LUIS
Extending applications with Logic
Apps and Cognitive Services First, you'll create LUIS so that you can use it later in
your logic application.
Once you have your app and the database deployed
in Azure, you can start adding additional features. You can use the LUIS portal to build a language model.
A powerful feature of your application could be the First, you need to add some entities, which are items
ability to analyze the content of to-do items and then in the text the service will recognize. Then, you enter
automatically create calendar appointments for tasks utterances, which are sample texts that represent the
that include a specific date. intent you want to detect.
 The Developer’s Guide to Azure 131

Here is an example of an utterance:

"family dinner next Friday at 7 PM"

QUICK
START

How to create LUIS

Creating the logic application

Next, to integrate LUIS into the application, create

an Azure logic app. Within the logic app, the LUIS
connector can be used to add actions to integrate LUIS
with your applications.

When using LUIS actions, you enter the API key for
your LUIS service, so the logic app can connect to
and integrate with your Language Understanding
service. Then, you configure the logic app to pass
the particular utterance text to LUIS and use it for
recognizing utterances.

For example, a "LUIS—Get prediction" action could

be added to a logic application that connects to a SQL
database that's triggered when a new row is created.
The logic app could pass in text retrieved from the
database row to LUIS so that it can perform utterance
recognition. Then, the logic app could save the result
back to the database, or use it to execute additional
actions to perform tasks based on those results.
 The Developer’s Guide to Azure 132

Ready for There are deployment slots for staging, load

testing, and production, which is always the original

production app service—in our example, the .NET Core web

application. In fact, you can have as many deployment
slots as you wish without incurring additional costs.

So far, we've been pushing code from our local Git All the deployment slots run in the same App Service
repository to Azure. This is fine if you work alone, but if plan, which is what you pay for. Having additional
you work in a team, you'll need another type of source deployment slots in an App Service plan will
control, such as Azure Repos, one of the services in consume resources such as CPU and memory, so you
Azure DevOps, or GitHub. need to be mindful of how additional slots might
impact production.

Setting up continuous delivery You can create new deployment slots from the

with GitHub Deployment Slots menu item in the web app. You need
to run the web application in the Standard or Premium
With your application running in Azure, you could use a pricing tier because the free plan doesn't come with
GitHub repository to push your code and then link that additional deployment slots.
to your web application so that changes are deployed
automatically in a continuous delivery pipeline. In each deployment slot you create, you can configure
the deployment options as we did earlier to deploy
Continuous delivery can be configured using the code automatically. You can even work on different
Deployment Center feature of Web Apps through the source code branches for different environments and
Azure portal. This feature enables you to choose the automatically deploy specific branches to specific
location of your code as well as options for building and deployment slots.
deploying it to the cloud.
Additionally, you can test your final version in
a deployment slot and then swap it with the version
Setting up staging environments in the production slot. This warms up the application
before it swaps, resulting in a deployment with
Using web apps from the Azure App Service, you no downtime.
can set up a staging slot to test new versions of your
application through deployment slots. Deployment
slots are application services with which you can test
your code before you promote it to the next slot.
 The Developer’s Guide to Azure 133

Scaling the web app Setting up monitoring and alerts

When your web app is inundated with lots of traffic Azure Monitor Application Insights provides another
and user activities, you can scale up your web app to powerful way to track applications. This monitoring
accommodate the increased traffic. Conversely, when tool provides information about your application, such
your web app is idling, you can scale it back to reduce as how many visitors used it, how many exceptions
costs. Thanks to the automatic scaling feature of occurred, and where they occurred in the code.
Azure App Service, you can achieve this with ease. The Unlike diagnostic logs, Application Insights requires a
best part of this feature is that it only takes a matter nominal fee.
of seconds to adjust the scale settings and you do
not even need to make any changes to your code or
redeploy your application. Adding Secure Sockets Layer

To use this feature, you need to run the web apps in the When an application is ready for production, you need
Standard or Premium pricing tier. Alternatively, you can to confirm that it's secure. Besides authentication and
use the Free tier to run a single instance of a web app. authorization, serving the web application over HTTPS
is one of the most important security measures you
You can learn more about how to scale your application can take. This is because, without HTTPS, intruders
in Azure App Service here. could see the traffic among your resources and use this
information for malicious purposes, like signing in to
your application. Additionally, HTTPS is a requirement
Using diagnostic logs for leading-edge features such as service workers.

An efficient way to monitor an application is by using Serving traffic to your web application over Secure
diagnostic logs to see live diagnostic logging from the Sockets Layer (SSL) is possible by importing an SSL
web app. You can even pipe the logs into the console certificate into Web Apps and binding it to one of
window. To do this, run the following command in your custom domain names. You can either import
Cloud Shell: your own SSL certificate or purchase one through
Azure App Service Certificates. This service makes it
az webapp log tail --name <app_name> easy to buy and validate certificates. After importing
--resourcegroup <myResourceGroup>
the certificate, couple it to one of the domain name
bindings of your web app. You can do all this from the
You'll be able to see diagnostic logs when you use the TLS/SSL settings in the web app.
web application to generate some traffic.
 The Developer’s Guide to Azure 134

Notifying users about new

versions
Your business will benefit from making users aware of
new production releases. By extending the continuous
integration/continuous delivery (CI/CD) process in
Azure builds, you can use a Logic Apps workflow to
manage social media communication, such as sending
out tweets or publishing posts with release notes.

An Azure pipeline could be instrumented to trigger the

logic app to execute after a release pipeline has finished
publishing new application changes. Alternatively, the
Events feature of the App Service web application could
be configured to trigger a logic app based on events
emitted from Azure App Service, such as when the
deployment slots are swapped.

Learn more about architecting Azure solutions in these

free resources:

RESOURCE
HUB

Azure for Architects

Architect great solutions

in Azure learning path on
Microsoft Learn
 The Developer’s Guide to Azure 135

09 /
Summary
In this guide, we introduced the power that Azure
can bring to your applications. Using Azure, you
can do incredible things with your applications,
including hosting and scaling your web applications,

and
taking advantage of containers, and using AI in your
applications, while only paying for what you use.

You've learned that Azure has services for almost

resources
every scenario, so it can help you no matter which
programming language you use or which platform
you write applications for. Before we wrap up, we will
provide you with some valuable resources to help you
embark on your Azure journey.
 The Developer’s Guide to Azure 136

Keep learning Azure Certifications

Earn certifications that show you are keeping pace with

with Azure today's technical roles and requirements.

Azure communities and meetups

Join our community-led meetups, where you'll learn
With your Azure free account, you get all of this—and from your peers about solutions to common problems,
you won't be charged until you choose to upgrade: fun projects, and what's new in Microsoft Azure.
• 12 months of popular free services
• USD 200 credit to explore any Azure service for
Microsoft Learn
Learn new skills and discover the power of Microsoft
30 days
Azure products with step-by-step guidance.
• 25+ services, always free

Learn TV
Azure tips and tricks Start your journey today by exploring our Azure
Browse a collection of useful ideas to help you become learning paths and modules, including Learn TV, which
more productive with Azure. features the latest digital content so you can always
keep updated on the latest announcements, features,
Azure Friday and products.
Take a look at Azure services and features with the
Microsoft engineering team.

Microsoft.Source
Receive a regular digest of relevant technical content,
events, and training. Learn about new technologies and
find opportunities to connect with other developers
online and locally.
 The Developer’s Guide to Azure 137

Free resources
• Get up and running with Kubernetes: With
the Kubernetes collection, you'll get multiple

extravaganza
resources that will help you gain the knowledge
and hands-on experience necessary to get
started with Kubernetes—all in one place.
• Cloud Analytics with Microsoft Azure: Maximize
your BI impact by bringing data together from all
In addition to this guide, there are many other free
your sources with Azure Synapse Analytics.
resources related to Azure, including the following:
• Introducing Microsoft SQL Server 2019: Find
• Azure for Developers: A list of developer
out what's new in Microsoft SQL Server 2019,
resources for app development.
a platform for secure and compliant modern
• Azure for Architects: A comprehensive guide for
data management.
Azure architects.
• Azure Networking Cookbook: Configure,
• Azure Strategy and Implementation Guide: Get
manage, monitor, and troubleshoot networks
a step-by-step introduction to using Azure for
more effectively with networking solutions
your cloud infrastructure and learn how to create
from Azure.
a successful cloud adoption strategy with new
• Building Intelligent Cloud Applications: Build
innovations, capabilities, and security features
and deploy scalable deep learning and machine
from Microsoft Azure.
learning models using serverless architectures
• Learn Azure in a Month of Lunches: A practical
with Azure.
way to learn Azure from scratch over a month
of lunches. Thanks to the wealth of prebuilt solutions in Azure, the
• Azure Proof of Concept Guide for Developers: days of having to write complicated plumbing are over.
Prove whether a concept works or not before your Free yourself up to work on the things that matter to
organization makes a significant investment. Learn you by taking advantage of all that Azure offers. We
how to create and execute a proof of concept for hope you continue to consult this guide to become
developing applications in Azure, from a well- better acquainted with the vast range of Azure services
designed plan to measurable test results. and determine which ones best fit your needs.
• Azure Serverless Computing Cookbook:
Find use cases, hands-on recipes, and
tutorials for quickly configuring your own
serverless environment.
 The Developer’s Guide to Azure 138

About the authors published by Packt Publishing. He has been recognized

as a Microsoft MVP for his contributions to the tech
community. You can follow Jack on Twitter at
@jlee_consulting.
Has Altaiar
Has is a passionate and award-winning technologist Josh Garverick
with over 15 years of professional experience in large Josh Garverick is a Microsoft MVP in Azure and
corporate, government, and digital agencies. In his application lifecycle management who has over
work, Has focuses on Data, IoT, AI, and DevOps. He 15 years of experience in software development.
has successfully delivered many secure, scalable, He has experience using DevOps best practices
and award-winning projects for a variety of fields as well as with architecting and modernizing
including medical, financial, and utilities. Has is also applications to enable the adoption of Azure. He is the
a Microsoft MVP (Most Valuable Professional) and a author of the book Migrating to Azure: Transforming
regular organizer and speaker at local and international Legacy Applications into Scalable Cloud-First
conferences. You can follow him on LinkedIn @altaiar Solutions, published by Apress. You can follow Josh
or on Twitter @hasaltaiar. on Twitter at @jgarverick or on LinkedIn at https://
linkedin.com/in/josh-garverick.
Ingrid Babel
Ingrid Babel is a senior technical product manager at Mustafa Toroman
Microsoft Azure. Her goal is to help developers use the Mustafa Toroman is a solution architect focused on
full potential of the cloud by creating content that's cloud-native applications and migrating existing
accessible to anyone and at any level. You can follow systems to the cloud. He is very interested in
her on LinkedIn at https://www.linkedin.com/in/ DevOps processes and cybersecurity, and is also an
ingridbabel/. Infrastructure-as-Code enthusiast and DevOps Institute
Ambassador. Mustafa often speaks at international
Jack Lee conferences about cloud technologies. He has been an
Jack Lee is a senior Azure certified consultant and MVP for Microsoft Azure since 2016 and a C# Corner
an Azure practice lead with a passion for software MVP since 2020. Mustafa has also authored several
development, cloud, and DevOps innovations. He books about Microsoft Azure and cloud computing.
is an active Microsoft tech community contributor
and has presented at various user groups and Vahe Minasyan
conferences, including the Global Azure Bootcamp Vahe Minasyan is a technical project manager on
at Microsoft Canada. Jack is an experienced mentor the Microsoft Azure product marketing team. His
and judge at hackathons and is also the president passion is to help developers use the power of Azure
of a user group that focuses on Azure, DevOps, and for their software development needs. You can reach
software development. He is the co-author of Azure Vahe on LinkedIn at https://www.linkedin.com/in/
for Architects, Azure Strategy and Implementation vaheminasyan2/ and you can also find him on GitHub.
Guide, and Cloud Analytics with Microsoft Azure,
 The Developer’s Guide to Azure 139

Authors from previous editions

Michael Crump Barry Luijbregts

Michael Crump works at Microsoft on the Azure Barry Luijbregts is an independent software architect
platform and is a coder, blogger, and international and developer with a passion for the cloud and authors
speaker on various cloud development topics. He's courses for Pluralsight.
passionate about helping developers understand the
benefits of the cloud in a no-nonsense way. You can reach Barry on Twitter, @AzureBarry, and
through his website at https://www.azurebarry.com/.
You can reach Michael on Twitter, @mbcrump,
and follow his live coding stream at
https://www.twitch.tv/mbcrump.

Chris Pietschmann
Chris Pietschmann is a principal cloud and DevOps
solution architect with Solliance, and a Microsoft MVP
with Azure and IoT. He's passionate about helping
individuals and teams be more productive in the cloud.

Follow his blog at https://build5nines.com.

PUBLISHED BY Microsoft Press, A division of Microsoft Corporation

One Microsoft Way, Redmond, Washington 98052-6399

Copyright © 2022 by Microsoft Corporation. All rights reserved. No part of
the contents of this book may be or transmitted in any form or by any means
without the written permission of the publisher.
This book is provided "as-is" and expresses the author's views and opinions. The views,
opinions and information expressed in this book, including URL and other Internet
website references, may change without notice. Some examples depicted herein are
provided for illustration only and are fictitious. No real association or connection is
intended or should be inferred.
Microsoft and the trademarks listed at www.microsoft.com on the "Trademarks"
webpage are trademarks of the Microsoft group of companies. All other marks are
property of their respective owners.
The Developer’s Guide to Azure 140