The slides I used for my "Securing an Azure Functions REST API with Azure Active Directory" session (SAFwAD for short) at Intelligent Cloud Conference in Copenhagen.
5. “Azure Active Directory (Azure AD) is
Microsoft’s cloud-based
identity and access management service.
Azure AD helps your employees
sign in and access resources”
Azure Active Directory
6. • Seamless, highly secure access
• Comprehensive identity protection
• Efficient management and compliance at scale
• Customer and partner identities
• Identity platform for developers
• Identity for IaaS (infrastructure as a service)
Azure Active Directory
9. Free FREE!
Basic € 0,844 kr 6,294 user / month *
Premium P1 € 5,06 kr 37,761 user / month *
Premium P2 € 7,59 kr 56,641 user / month *
“Pay as you go” feature license.
* Annual commitment
Pricing tiers
10. “Azure Active Directory (Azure AD) B2C is
an identity management service
that enables you to customize and control
how customers sign up, sign in, and manage their profiles
when using your applications.
This includes applications developed for
iOS, Android, and .NET, among others.”
Azure AD B2C
13. “Accelerate your development with an
event-driven, serverless compute experience.
Scale on demand and pay only for the resources you consume.”
Azure Functions
14. • Take advantage of serverless compute with Functions
• Manage your apps instead of infrastructure
• Optimize for business logic
• Develop your way
Azure Functions
15. Web application backends
Mobile application backends
Real-time file processing
Real-time stream processing
Automation of scheduled tasks
Extending SaaS applications
What you can do with Functions
16. Two major versions: 1.x and 2.x
Current version: 2.x
Both supported for production
Runtimes
17. Supported languages
Language 1.x 2.x
C# GA (.NET Framework 4.7) GA (.NET Core 2)
JavaScript GA (Node 6) GA (Node 8 & 10)
F# GA (.NET Framework 4.7) GA (.NET Core 2)
Java N/A Preview (Java 8)
Python Experimental Preview (Python 3.6)
TypeScript Experimental GA (Supported through transpiling to JavaScript)
PHP Experimental N/A
Batch (.cmd, .bat) Experimental N/A
Bash Experimental N/A
PowerShell Experimental N/A
18. App Service Plan
Run your functions just like your web, mobile, and API apps. When you are already using
App Service for your other applications, you can run your functions on the same plan at no
additional cost.
Consumption plan
When your function runs, Azure provides all of the necessary computational resources.
You don't have to worry about resource management, and you only pay for the time that
your code runs.
Running Azure Functions
20. Scaling can vary on a number of factors
Might scale differently based on the trigger and language selected
• A single function app only scales up to a maximum of 200 instances.
• A single instance may process more than one message or request at a time.
• HttpTriggered only be allocated at most once every 1 second.
• New instances will only be allocated at most once every 30 seconds.
Scaling behavior
21. Long running
• Keep the runtime short (default < 5m; max. 10m)
Stateless
• Don’t use state in the host
• Idempotent
Cold start
• Fast start up times
• Keep them small
Control
• ‘They’ control scaling
• ‘They’ control when your host is alive
• You control the code!
Best practices
23. • Billed based on per-second resource consumption and executions
• Execution Time: € 0.000014/GB-s
kr 0.000101/GB-s
• Total executions: € 0.169 per million executions
kr 1.259 per million executions
• Monthly free grant: 1 million executions
400.000 GB-s
Calculation resource consumption: avg. mem. Size in GB x execution time in ms.
Mem rounded to nearest 128 MB, max 1.536 MB.
Execution time rounded up to nearest 1 ms.
Minimum: 100 ms & 128 mb
Pricing – Consumption plan
24. Functions REST API
Table Storage
One weekend, 7 stages
Approximately 80.000 API requests
98.6% had a response time of < 250 ms
96% had a response time of < 30 ms
Total costs: € 3,14
Reference case - Cultural festival
25. Consumption plan++
• Enhanced performance
• VNET Access
Billed per second, based on vCPU-s and GB-s
Premium plan (preview)
27. Available on General-Purpose V2
Special container: web$
Files in this container are:
• served through anonymous access requests
• only available through object read operations
• case-sensitive
Provided at no additional cost
Static website hosting
29. Enables application developers to authenticate users to
- Cloud Active Directory
- On-premises Active Directory
• Configurable token cache that stores access tokens and refresh tokens
• Automatic token refresh when an access token expires and a refresh token is available
• Support for asynchronous method calls
Active Directory Authentication Library (ADAL)
30. Enables Single Page Applications to authenticate users with
- Microsoft Azure Active Directory accounts
- Microsoft accounts
- Accounts in social identity providers like Facebook, Google, LinkedIn etc.
Interacts with
- Microsoft Azure Active Directory
- Microsoft Azure AD B2C
- Microsoft accounts
Microsoft Authentication Library (MSAL)
Preview for JS
33. Angular 4/5/6/7 ADAL Wrapper
Can be used to authenticate Angular applications against Azure Active Directory v1
endpoint.
Adal-angular4
34. Wrapper of the core MSAL.js library
Suitable for use in a production environment
The same production level support as current libraries
Changes may impact your application
When GA: update within six months
@azure/msal-angular
38. Serverless abstracts away the compute
Triggers & Bindings abstract away the services you interact with
Dual abstraction
39. Example: Blob Trigger on a consumption plan
Up to 10-minute delay processing new blobs
Solution:
Switch to App Service plan with Always On enabled.
Use Event Grid trigger with your Blob storage account.
Triggers
40. public static async Task Run(
[BlobTrigger("upload/{name}", Connection = "scs")]Stream addedBlob,
string name, ILogger log)
{
// Setting up my BlobStorageRepository (it's a wrapper)
var connectionString = Environment.GetEnvironmentVariable("scs",
EnvironmentVariableTarget.Process);
var blobStorageRepository = new BlobStorageRepository(connectionString);
await blobStorageRepository.AddFileAsync("copied", name, addedBlob);
}
Bindings 1/3
As an IT admin, you can use Azure AD to control access to your apps and your app resources, based on your business requirements.
As an app developer, Azure AD gives you a standards-based approach for adding single sign-on (SSO) to your app, allowing it to work with a user's pre-existing credentials.
As a subscriber, you're already using Azure AD.
Image 1: Mobile application backends
Image 2: Automation of scheduled tasks
V2 The current version where new feature work and improvements are being made
monitors the rate of events and determines whether to scale out or scale in
Heuristics for each trigger type
For example, when you're using an Azure Queue storage trigger, it scales based on the queue length and the age of the oldest queue message.
Second bullet: there isn't a set limit on number of concurrent executions.
The minimum execution time and memory for a single function execution is 100 ms and 128 mb respectively.