Azure Resource Tagging for Charge-Back

Resource tagging in Microsoft Azure is a feature introduced with Azure Resource Manager (ARM).  Resource tagging enables you to attach multiple key/value pairs to resources for categorization and management.

In Microsoft Azure you can place tags on individual ARM based resources or you can place tags on the resource group level.   You cannot place tags on resources created under the Azure Service Manager (ASM / classic) model. 

Tags are commonly used for charge-back purposes in large organizations.   In these cases, resources are tagged with a cost center or some other identifier that would relate the resource back to the entity which should be charged for the usage of the resource.    These tags will then show up in the enterprise Azure usage report as demonstrated in the image below.

[Image: tags in billing]

Although there is a resource group field in the usage report, not all of the resource types return the resource group name to the Azure usage reporting system.   This means that you cannot rely on the resource group name field in the usage report as a way to monitor usage for all resources in that group.  

When working with tagging it is important to remember:

  • You can only tag resources created through the Azure Resource Manager (ARM).  Classic resources created through Azure Service Manager (ASM) cannot be tagged.
  • If you place tags at the resource group level, those tags will not be automatically placed on the resources within that group.  There is no tag inheritance; however, you can use a scheduled PowerShell task to copy tags from the resource group to all ARM-based resources in that group.
  • The Azure usage report does have a field for Resource Group Name.  It may be tempting to use a resource group name as a way to identify resources for charge-back.   This will not work because not all resources output their resource group to the Azure usage report.
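
A sketch of the scheduled tag-copy task mentioned in the list above. This is an added example, not code from the original post. It assumes an AzureRM module version in which the Tags property is a dictionary of name/value pairs and a session that is already signed in; the function names and the -ReportOnly switch are hypothetical.

```powershell
# Added example: copy resource group tags down to each resource in the group.
# Assumes a signed-in session, e.g. Login-AzureRmAccount -EnvironmentName AzureUSGovernment

function Merge-ChargeBackTags {
    # Hypothetical helper: returns the resource's tags plus any group tags it lacks.
    # Tags already set on the resource win, so a per-resource cost center is kept.
    param(
        [System.Collections.IDictionary]$GroupTags,
        [System.Collections.IDictionary]$ResourceTags
    )
    $merged = @{}
    if ($ResourceTags) { foreach ($k in $ResourceTags.Keys) { $merged[$k] = $ResourceTags[$k] } }
    if ($GroupTags) {
        foreach ($k in $GroupTags.Keys) {
            if (-not $merged.ContainsKey($k)) { $merged[$k] = $GroupTags[$k] }
        }
    }
    return $merged
}

function Copy-GroupTagsToResources {
    param([switch]$ReportOnly)   # list what would change without writing any tags

    foreach ($group in Get-AzureRmResourceGroup) {
        if (-not $group.Tags -or $group.Tags.Count -eq 0) { continue }

        foreach ($res in Get-AzureRmResource -ResourceGroupName $group.ResourceGroupName) {
            $current = $res.Tags
            $merged  = Merge-ChargeBackTags -GroupTags $group.Tags -ResourceTags $current
            $before  = if ($current) { $current.Count } else { 0 }
            if ($merged.Count -eq $before) { continue }   # no group tag is missing

            if ($ReportOnly) {
                "{0}: would add {1} tag(s)" -f $res.ResourceId, ($merged.Count - $before)
            } else {
                Set-AzureRmResource -ResourceId $res.ResourceId -Tag $merged -Force | Out-Null
            }
        }
    }
}

# Run once with -ReportOnly to review the changes, then schedule without it.
# Copy-GroupTagsToResources -ReportOnly
```

Because existing resource tags are preserved, a resource that carries its own cost center keeps it even when the group is tagged differently.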

Below are a few additional resources which I find valuable when working with resource tagging:

Azure Resource Tagging Best Practices
Using tags to organize your Azure resources – Tags and billing
Using Resource Groups and Tagging in Azure Government

Azure Marketplace with ISV Solutions in Azure US Government

Microsoft has just announced the general availability of the Azure Marketplace for Microsoft Azure US Government regions.

Microsoft has partnered with some of the top ISVs to provide Azure  US Government customers with more options for finding the right solutions and quickly spinning up applications that suit their needs. Azure Marketplace is your online store for Virtual Machine images, VM extensions, and more that enable ISVs to offer pre-configured, Azure certified software to customers on the Azure US Government cloud.

To find out how to provision an image, check out the Azure Marketplace for Government technical documentation, here. We are constantly adding new images and services, so check back often if you don’t see the solution you’re looking for! You can see the full list of images available in Azure Government here.

Over the past week the following solutions have been made available in the Azure Marketplace for US Government regions:

If you are an ISV or software partner that would like to publish your images, check out this blog post on the Azure Government blog.

Cisco CSR1000V in Azure US Government Regions

Microsoft recently announced that the Cisco CSR1000V is now available in the Azure US Government regions.

Cisco CSR1000v provides best in class routing capabilities that support full path encryption with the strongest cipher suites available in the market, L4-L7 firewall capabilities and L7 visibility and control. Using Cisco CSR1000v in concert with the Azure Government Cloud delivers on the value proposition of ensuring Government data receives the protection of Cisco’s security capabilities in the Azure cloud environment they trust.

Because Cisco CSR1000V runs full featured Cisco IOS-XE, management of CSR1000V simply becomes another location inside an already deployed Cisco based network and plugs in easily to existing management tools and operations.

How to Deploy Cisco CSR in Azure Government
Go to the solution templates for 2-NIC and 4-NIC Cisco CSR1000v in the Azure QuickStart repo on GitHub, found at the links below. They can be found by searching for Cisco CSR1000v, or clicking below. For step-by-step deployment instructions for solution templates from GitHub into Azure Government Cloud, see our technical documentation.

How Does Licensing the CSR 1000V Work on Azure Government Cloud?
If you want to connect your enterprise network to Azure the CSR 1000V supports Bring Your Own License (BYOL).  This means you buy a license from Cisco or a partner and install that license to the CSR 1000V running on Azure Government Cloud.

Read more on the Azure Government Blog

More goodness in Azure US Government

More great announcements have come out in the past couple days regarding Azure US Government.  Below are the highlights.

G-Series VMs
The G-Series provides more memory and more local solid state drive (SSD) storage than other Azure virtual machine sizes.  G-Series VMs provide up to 32 cores and 448GB of RAM!  In addition to massive memory and local SSD storage, the G-Series provides unparalleled computational performance by using the latest Intel Xeon processor E5 v3 family, ideal for your most demanding applications.  Find out more about G-Series VMs here.

F5 BIG-IP virtual appliance
F5 is pleased to announce the general availability of its BIG-IP Virtual Edition (VE) application delivery controller (ADC) solutions in the Microsoft Azure US Government Cloud. Customers who want to deploy mission-critical government applications in Microsoft-managed and physically-isolated datacenters within the continental United States can now take advantage of F5’s market-leading application services to make their applications faster, more available, and more secure.  Read more about this announcement here.

Red Hat VM Images in a Pay-as-you-go Model for Azure Government.
We are happy to announce that government customers can now deploy Red Hat Enterprise Linux 6.8 and 7.2 VM images in a Pay-As-You-Go model directly from the Azure Government Marketplace with per-minute billing.  This is following our partnership announcement with Red Hat in Azure Government on July 27th, 2016.  As more and more government customers move to the cloud, we realized that there was demand for a fully supported version of Linux with the agility that Azure Government. We’ve added this capability to meet this demand.   Read more about this announcement here.

Two new Azure US Government Regions Announced

Today Microsoft announced their intent to open new Azure US Government regions in Arizona and Texas.  Slated to be generally available in 2017, the new regions will add to their existing regions in Virginia and Iowa and are new additions beyond the Department of Defense regions recently announced. Now, Azure has a total of six dedicated regions for government customers – more than any other cloud provider.

You can learn more about this announcement from a recent blog post by Tom Keane, General Manager for Microsoft Azure.

More new features in Azure Government

Today the Microsoft Azure engineering team has released several new features into the Azure US Government regions:

Azure Batch
Azure Batch is our job scheduling and compute pool management service that helps developers easily scale their compute-intensive workloads to tens, hundreds, or thousands of virtual machines without having to manage the infrastructure. As a managed service, Azure Batch handles the heavy lifting of provisioning, monitoring and scaling virtual machines.  Additional information on Azure Batch can be found here.

Redis Cache
Azure Redis Cache is a distributed, in-memory, managed cache that helps you build highly scalable and responsive applications, by providing you with fast access to your data. It’s based on the popular open-source Redis Cache, and it gives you access to a secured, dedicated Redis cache that’s managed by Microsoft.   Additional information on Redis Cache can be found here.

Service Fabric
Service Fabric is a mature, feature-rich microservices application platform with built-in support for lifecycle management, stateless and stateful services, performance at scale, 24×7 availability, and cost efficiency.  Service Fabric integrates with Azure features and services, making operations and management simpler, and leveraging the power of Azure cloud.  Service Fabric is available at no additional cost in Azure – you only pay for the underlying compute, network and storage used by your Service Fabric Cluster and microservices. Additional information on Service Fabric can be found here.

Virtual Machine Scale Sets (VMSS)
VM Scale Sets are a way to manage Azure VMs as a group, providing easy deployment and management options, and simple ways to integrate with Azure autoscale and load balancing. If your machines can all be configured the same, you can reduce the overhead of managing them individually, and elastically scale your VMs to match the workload. VM Scale Sets are available at no additional cost over the compute resources being used, and are available in all regions that support Azure Resource Manager.  Additional information on VMSS can be found here.

VM-series Expansion
The following VM series sizes are now available for Microsoft Azure US Government customers:

  • A1-A7 VM series for ARM
  • D/DS VM series for ARM
  • Dv2 VM series for ARM and Classic
  • F VM series for ARM

To keep up on the latest information on Microsoft Azure US Government, visit the official blog at: https://blogs.msdn.microsoft.com/azuregov/

New features in Microsoft Azure Government

Over the past several days, Microsoft has released multiple new features into the Microsoft Azure US Government regions.  Below are the highlights.

New Portal – General Availability
The new portal which enables access to Azure Resource Manager (ARM)  features such as role based access control, tagging, resource groups and new IaaS resources is now generally available.  You can access the new portal at http://portal.azure.us

Azure App Services – General Availability
Azure App Services provides developers a platform to build, deploy and run powerful web and mobile applications.  Included in this release are Web Apps, API Apps, and Mobile Apps.   Additional details can be found on the Azure Government blog.

Log Analytics and Microsoft Operations Management Suite Portal – Generally Available
Log Analytics is a service in Operations Management Suite (OMS) that helps you collect and analyze data generated by resources in your cloud and on-premises environments. It gives you real-time insights using integrated search and custom dashboards to readily analyze millions of records across all your workloads and servers regardless of their physical location.  You can read more about OMS on the Azure Government blog.

Azure SQL Data Warehouse – Generally Available
Azure SQL Data Warehouse is a cloud-based, fully managed database capable of processing massive amounts of data, both relational and non-relational. Built on our massively parallel processing (MPP) architecture, SQL Data Warehouse allows you to manage your data quickly and flexibly.  Additional details on the Azure SQL Data Warehouse can be found here.

SQL Server Stretch Database – Generally Available
SQL Server Stretch Database is a part of SQL Server 2016 that allows you to selectively, securely and transparently migrate your on-premises cold or historical data to Azure, allowing you to free up disk space and reduce your enterprise storage costs without impacting your existing business operations and applications. It allows you to take on that journey to the cloud, on your terms.  Additional details on SQL Server Stretch Database can be found here.

Azure Blueprint Program
Azure Government Engineering is pleased to announce the initial release of the Azure Blueprint program! The program is designed to facilitate the secure and compliant use of Azure for government agencies and third-party providers building on behalf of government.  Details of this new program can be found here.

Storage Service Encryption in Azure US Government

Azure Storage Service Encryption (SSE) for Data at Rest is now available as part of the deployment of the ARM storage resource provider in Azure US Government regions.

The official documentation for SSE states:

Azure Storage Service Encryption (SSE) for Data at Rest helps you protect and safeguard your data to meet your organizational security and compliance commitments. With this feature, Azure Storage automatically encrypts your data prior to persisting to storage and decrypts prior to retrieval. The encryption, decryption, and key management are totally transparent to users.

Once a storage account is enabled for SSE all new blob data written to the storage account will be encrypted with 256-bit AES encryption managed by Microsoft.  Any existing blob data in the storage account will not be encrypted until some change occurs to the data which causes it to be written back to storage.

To get started with SSE in Azure US Government you first need to create an ARM storage account and place it in a new or existing resource group.  This can be accomplished with the New-AzureRMStorageAccount PowerShell command.

Enabling SSE on an ARM storage account is done with the Set-AzureRMStorageAccount PowerShell command, passing in Blob as an option for the EnableEncryptionService parameter.  For example, if you have a storage account named myencryptstorage in a resource group named storagerg you would run the following PowerShell command to enable SSE:

Set-AzureRMStorageAccount -Name myencryptstorage -ResourceGroupName storagerg -EnableEncryptionService Blob

To verify that SSE is enabled on the storage account shown above you can run the command shown below.  A return of True indicates that encryption is enabled on the storage account.

(Get-AzureRmStorageAccount -ResourceGroupName storagerg -Name myencryptstorage).Encryption.Services.Blob.Enabled
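
The same check extended to every ARM storage account in the subscription, with optional remediation. This is an added example, not code from the original post; it uses only the cmdlets and the Encryption.Services.Blob.Enabled property shown above, and the function names and the -ReportOnly switch are hypothetical.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Assumes a signed-in AzureRM session for the target subscription.

function Get-BlobSseStatus {
    # One object per ARM storage account in the current subscription.
    Get-AzureRmStorageAccount | ForEach-Object {
        # The Encryption property can be empty on accounts where SSE was never
        # configured, so walk the chain and treat anything missing as "not enabled".
        $enabled = $false
        if ($_.Encryption -and $_.Encryption.Services -and $_.Encryption.Services.Blob) {
            $enabled = [bool]$_.Encryption.Services.Blob.Enabled
        }
        [pscustomobject]@{
            ResourceGroupName  = $_.ResourceGroupName
            StorageAccountName = $_.StorageAccountName
            BlobSseEnabled     = $enabled
        }
    }
}

function Enable-MissingBlobSse {
    param([switch]$ReportOnly)   # list non-compliant accounts without changing them

    $missing = @(Get-BlobSseStatus | Where-Object { -not $_.BlobSseEnabled })
    foreach ($acct in $missing) {
        if ($ReportOnly) {
            "{0}/{1}: blob SSE not enabled" -f $acct.ResourceGroupName, $acct.StorageAccountName
            continue
        }
        Set-AzureRmStorageAccount -ResourceGroupName $acct.ResourceGroupName `
            -Name $acct.StorageAccountName -EnableEncryptionService Blob | Out-Null

        # Re-read the account and confirm with the same check the post uses.
        $check = (Get-AzureRmStorageAccount -ResourceGroupName $acct.ResourceGroupName `
            -Name $acct.StorageAccountName).Encryption.Services.Blob.Enabled
        "{0}/{1}: blob SSE enabled = {2}" -f $acct.ResourceGroupName, $acct.StorageAccountName, $check
    }
}

# Enable-MissingBlobSse -ReportOnly
```

Enabling SSE only covers data written afterwards, so an account remediated this way still holds unencrypted blobs until they are rewritten.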

For a complete description of SSE and answers to frequently asked questions, please review the official Azure documentation.

ARM In Azure US Government

Yesterday afternoon Microsoft deployed providers for several Azure Resource Manager (ARM) services into all Azure US Government regions.  These new providers enable users to create and manage ARM storage, networking, compute  and data resources through Azure PowerShell.  Support for these new resource providers will be enabled in the Azure preview portal at a future date.

With this latest update the following ARM features have been enabled:

Compute (PowerShell)

  • Virtual Machines
  • Service Fabric

Networking (PowerShell)

  • Application Gateway
  • ExpressRoute
  • Load Balancer
  • Virtual Networks
  • VPN Gateway
  • Network Security Group

Data & Storage

These providers work hand in hand with the previously deployed ARM infrastructure which enables resource groups, tagging, templates and role-based access control.

It is expected that additional resource providers will be deployed over the coming months which will enable even more capabilities in Microsoft Azure US Government regions.  To view the resource providers currently available in Azure US Government you can run the following PowerShell command: 
Get-AzureRmResourceProvider -ListAvailable

Azure SQL DB v12 Now in Azure US Gov

Today Microsoft has announced the general availability of the latest service version of Azure SQL Database (v12) in Microsoft Azure US Government.

Benefits of using Azure SQL v12

  • Compatible: Near-complete SQL Server 2016 engine compatibility.
  • Performant: Increased Premium performance levels at no additional cost and support for larger database sizes.
  • Secure: Intelligent security and protection including Azure Active Directory authentication support. 
  • Reliable: Improved backup, recovery, and replication times.  

More details can be found soon on the Azure Government Blog.
