Episode 175 – File Shares for Clients in the Cloud with Azure Files

In Episode 175, Ben and Scott talk about using Azure Files as a remote file share in the cloud for client devices and the things you’ll want to think about to get everything up and running.

- Welcome to Episode 175 of the Microsoft Cloud IT Pro Podcast recorded live on April 24, 2020. This is a show about Microsoft 365 and Azure from the perspective of IT pros and end users, where we discuss the topic or recent news and how it relates to you. In this episode, Ben and Scott discuss Azure file shares for client devices, domain controllers, Azure AD networking and other cloud services and how they all fit together.

- The thunder is never done, all the tornadoes rolling through. It was nasty last night.

- You know what? I did not hear a thing. I may or may not have been up until like, 2:30 the night before working on stuff and then I crawled in bed at like 12:30 last night. I was so tired, I passed out and I woke up when one of my kids came in our bedroom at some time, 4:00 a.m. and my wife was like, "Did the thunder wake them up?" I was like, "Was it thundering?" I never heard a thing.

- Man, corona times have not been kind to my sleep schedule. It's turned into like, aah, let's watch a movie and then the movie's over and it's aah, maybe I would like just one TV show or let me read this book for a little while or whatever it happens to be. So I think last night, I was up until... Last night, I was late, it was 3:00 a.m., hence, my coffee brewing slowly this morning. So I heard that whole storm all through and the whole thing. I was sitting in my kitchen, it was awesome coming through, it was a good one. I like a good storm.

- So I woke up and I was actually bummed it didn't wake me up 'cause I'm the same way, I love a good thunderstorm, especially at night. For whatever reason, those night thunderstorms and the lightning lights up the whole house and the thunder just rolls. I don't know, it's cathartic for some strange reason, as long as there's not a tornado blowing my house down.

- Yeah, well, there's that whole thing, but it was definitely a good thunder and lightning storm and it was tornadoes and stuff farther to the north, but not so much for us. So, it was just a good rain event.

- Yes, I will say not growing up in Jacksonville, I have been impressed with the geographic surrounding of Jacksonville and how it seems to deter most storms from hitting us. Like we never really seem to get tornadoes or really bad storms from the west because of the river and because we're sitting just down low enough. I think the Gulf of Mexico messes up a lot of them and then the way Jacksonville's kind of set in on the coast if you're going up the Florida coast and up in the Georgia and South Carolina, it seems to deter any hurricanes from really having a direct hit on Jacksonville.

- Yes, it is the farthest point west on the East Coast. Like when you think about that dip in, so it's not just Florida to Georgia and all that, like pull out a map and look all the way up, it is the farthest point west, from Maine all the way down to us.

- What about the Keys? Don't the Keys loop back into the west?

- They do, but they're sitting actually like--

- They're just sitting in the middle of the ocean.

- They are, right? But they're all the way down at that eastern tip of Florida is, think about like going down to Miami and you're pretty much a straight line down to the Keys from there. So they are still farther east than we are, but as a chain of islands, they stretch pretty far over, but at that point, they're underwater anyway.

- Got it.

- So as a landmass with two big bodies of water like you talked about, between the ocean and the river, being a pretty substantial river, but at least nice and wide, it's good enough to pick up a lot of the weather that comes through here.

- I remember that growing up in Michigan too. I mean, like Michigan is significantly bigger than the river but Michigan was spared at least a lot of the bad thunderstorms and tornadoes and all of that because of like Michigan. They would hit Wisconsin, the lake would break it all up before it hit Michigan. I went and spent a week in Wisconsin. It was like tornadoes every day. Don't go to Wisconsin.

- Don't go to--

- Sorry to anybody that's from Wisconsin that's listening. I much prefer Michigan to Wisconsin.

- You're gonna start a fight or something.

- Probably. I have some good stories about Wisconsin and Michigan, but we don't need to talk about those today.

- As IT professionals in the cloud era, sometimes it feels like we don't speak the same language as the rest of the organization. So when stakeholders from finance or other departments start asking about a specific project or team's Azure costs, they don't always realize how much work is involved in obtaining that information, sifting through cluttered CSVs and a complex mess of metadata in order to manually create custom views and reports. It's a real headache. On top of helping you understand and reduce your organization's overall Azure spend, ShareGate Overcast lets you group resources into meaningful cost tabs and map them to real world business scenarios. This way you can track costs in the way that makes most sense with your corporate structure, whether it's by product, business unit, team or otherwise. It's a flexible, intuitive and business friendly way of tracking Azure infrastructure costs and it's only available in ShareGate's Overcast. Find out more on sharegate.com/itpro.

- Should we talk about what I was staying up late playing with today?

- Yeah, it sounds like you were staying up late doing things that I was not. While I was watching, crappy movies and contributing to Netflix viewing hours, you were doing real work, supposedly.

- Well, so supposedly 'cause it all started with a client question which led to me playing with this, with my own domain and Azure tenants 'cause I don't wanna break anything. So, to set this up, Azure Files with... So Azure Files has been able to do SMB for a while. You can use the like storage account name and the private key to actually map a network drive to Azure Files, all of this. They have recently and I think it's still certain aspects of this are still in preview.

- Yes, they are.

- They rolled out the ability to do Azure Files over SMB, leveraging either Active Directory or Active Directory Domain Services to authenticate users to the file shares, rather than using a storage name and a key so that all of those NTFS type permissions can be used or supported through a mapped Azure file share. But there are a ton of restrictions and requirements and prerequisites around doing that, which could lead to the question that we were actually debating before we started recording of should you actually do this and if you do this, what all do you need to think about? Because this has led me down a massive rabbit hole of VNets and DNS and AD and AD DS and all of that.

- Yes and you're leveraging preview services, which is even, well preview functionality I guess, which makes it even more interesting. So, when you initially came and you had asked me the question of, okay, I'm trying to stand up a file share and I'm doing the domain authentication thing and it's really a pain and in the back of my head, I'm thinking isn't that relatively new and probably in preview and my first question back would be, well, why do the preview functionality, right? Especially, if it's for a customer. Like typically, we don't wanna take customers into preview stuff, even if it's public preview, because if we just consider Azure life cycle, there's no guarantee that a preview service ever actually goes GA'd. So obviously, Azure Files is GA'd and all that kind of stuff and it's sitting there ready to go, but Microsoft could look at this feature where they're doing SMB file shares with AD, with Azure AD rather, and with on-prem AD and they can say like, "Yeah, I don't wanna do on-prem AD anymore, "I'm only gonna do AD "because that's an easier scenario to support."

- Well, but it's not just AAD, it's AAD DS. It doesn't support AAD.

- Yeah.

- Remember? We gotta clarify these two.

- I get my storage confused because there actually are parts of storage, like blobs and containers which do support Azure Active Directory for role based access controls and things. So you can totally do AAD authentication there. Anybody who thinks Azure Storage isn't a confusing service being that it's a storage account, but it's not just a storage, it's blobs, it's files, it's tables, it's queues, it's disks, it's--

- Right, it's got sub services.

- It's static websites, it's like 10 other different things, it's amazing.

- Azure Files are gonna be like the Teams of Office 365 or everything's just gonna get sucked into the storage vortex.

- Well, if you think about it, storage is kind of important, right? In the grand scheme of things and the overall fabric because what is Azure? It's a bunch of hosts who are running hypervisors and it's a bunch of file servers that are pulling configuration off of storage controllers and things like that, right? So, at the end of the day, storage is what makes--

- Storage is important.

- It makes the world go round.

- Which is digressing. So, this whole storage authentication thing, I'm not gonna say it's just Azure AD DS. Should I go through the prerequisites and what I found and then we can keep talking through this scenario?

- Sure, just to lay out the scenario, what you're trying to do is you're trying to stand up a file share in Azure that is available to clients, not to other servers that exist out there.

- Yeah, so you're not going to a server.

- But to individual clients and you require per user authentication from each of those clients to the file share, right? Okay.

- Right. So, scenario being client does not want to use SharePoint or OneDrive because they don't want to deal with the whole sync thing and files and demand thing and having to access the browser and maybe not being able to sync all their files based on hard drive sizes and all that. They like traditional file shares on-premises, but they want to be in the cloud, they wanna be able to work from anywhere. So, said client wants to be able to go to Starbucks or go home or be in the office and be able to map to their network drive the same way they would if they're on-premises and they're not a huge client, so they actually don't have a current VPN to get to their on-premises server from off premises. They can't VPN into their office. Internet connection is okay, but it's not like a large enterprise network that has Cisco, has VPN, has all of that stood up. So they were like, well, what if we just move everything to the cloud and we can map this network drive from anywhere using our traditional AD usernames for securing all of this across all of our users?

- I always love when customers come up with their technical solution, right? Like they have a business problem they're trying to solve. The technology that solves that problem really shouldn't matter as long as it aligns to the business outcome. So, what is the process, the workflow or the outcome that we're trying to solve and then you can backfill technology around that. They're going backwards. They're coming to you with the technology and saying, "Hey, make this work." And then--

- Yes, because I had spent some time with them. We looked at SharePoint for maybe six or seven months and ultimately the decision was, we don't wanna use SharePoint. We want to use Azure Files. So, I was tasked with figuring out can this be possible, does this work, especially given some of these new features combined with preview? So for this all to work, you do still require Azure AD, but it also requires either an on-premises AD server or Azure Active Directory DS or Domain Services. So you have to have one of those two synced with your Azure AD and have your users synced in both places and then you can go configure this file share for either Active Directory authentication or Azure Active Directory DS authentication, but it's still also using Azure AD in the background.

- Correct.

- And the problem we started running into, well, the first problem we ran into is SMB 3.0, which Azure File uses, goes over port 445.

- It does.

- Almost every ISP blocks port 445.

- They do, true story.

- So, first problem was okay, we need VPN for it, which we can talk about that more later and then we got VPN set up, we started testing this and there's a bunch of prerequisites. Your machines either have to be Hybrid Azure AD joined or they have to be AD joined, but once you get all this set up and configured, when you go to authenticate to map your network drive, your computer, even though it's using Azure AD synced with AD Domain Services or AD, it like, reaches out, but then it's like, oh, I also still have to use Domain Services or Azure AD. So it requires access to both Azure AD using new UPN and Azure AD, but then it like takes a side route and goes and has to ping to your domain server or your Azure Active Directory Domain Services server to actually do the verification for your mapped network drive, which means that if you're at home or if you're somewhere not in your local network or anywhere for that matter, you have to be able to properly authenticate against either a domain controller or Azure AD Domain Services wherever you are, which means that it has to either go over that same VPN that you can use to bypass the port 445 rule or it just has to be a publicly available domain controller, which we all know is a bad idea.

- Yeah, almost kind of like gives you the sense of that as you talk through it and the requirements, that while it works with clients like Mac and Windows, like it works with Windows 10 and generic SMB mounts and totally doable with a Mac and things like that. It's almost like they're not meant to be used that way.

- Yeah, yeah.

- Back to that shoehorning functionality.

- Yes, exactly. But, what fun would life be if I didn't try to shoehorn in some functionality that wasn't meant to be using preview features?

- Oh boy.

- I like to live life on the edge.

- Yes, it's a fun world you live in. So you have a number of problems or technical blockers that you need to solve along the way there. You need to configure identity in the cloud. So, some type of probably replication and resiliency on the domain side of things.

- Because the first question there is, do you do a server, running Active Directory in the cloud and replicate or do you use Azure AD DS? You need something in the cloud.

- Yes, so there's that piece and that's certainly its own can of worms and decision matrix right there. And then, you also need a VPN, as you said. So, where does that VPN endpoint leave and how are your clients going to connect to that VPN? I'd imagine maybe one of the first inclinations is, you might think in the back of your head, well, I have clients, let me connect the clients through Point-to-Site VPNs and just hook them straight up to the gateway. There's some limitations to Point-to-Site VPNs depending on the size of your customer. There are limits to the number of connections that you can have going in at any given time, which could be a limiting factor for you there. And then once you're into the VPN, there's all the routing and network security and other things that need to come into play for that client to not only talk to the DC itself, but to be able to get back to Azure Files and do all that fun stuff.

- Yes. I think you covered the biggest ones that I've encountered so far.

- Yeah, those would be most of them. So let's break some of down 'cause I think it's an interesting conversation just based on some of the paths you went down and some of the things potentially broke and we can probably talk through why they broke or why they work that way and maybe we'll leave like the whole decision about should you attach clients to Azure Files up in the air.

- So, first problem was domain controller, do I go the Azure AD DS route or do I put another server up in Azure that's just a server 2016, I think server 2019 is out there, stand it up as another domain controller and do domain replication from on-premises to the cloud.

- Yep, well, I might ask myself another question first. So, is your customer going to have more than 128 connections at any given time, like, are there more than 128 clients that need to connect to this file share?

- And that would be a no. This is like 10 or 12 users connecting occasionally because most of the time they're in the office, which also brought up that Azure File Sync, could come into this at some point in time. They want to be able to connect to the cloud as their backup option.

- Got you.

- If they're not in the office. Something like when this whole last month happened and all of a sudden, nobody can get to their file shares unless they're in the office because they have no VPN.

- Gotcha, gotcha. All right, so that makes more sense. That's all good. Once we get through this whole thing, I might spin it on you and ask you why you didn't go another way with it 'cause I'm coming up with some other ideas as we talk through it.

- We'll see, that's good 'cause I could use... I always like more ideas. All right, so connections, we aren't a problem.

- So we need a VPN and we know we're going to be under the limits for Point-to-Site VPNs and standing all that. So we're good there, so we know we're gonna need a VNet and we're at least gonna need a VPN to connect to. And now, like you said, we need to figure out what domain or directory service are we going to leverage. Are we gonna leverage Azure Active Directory Domain Services, which is AD DS, but it's a projection of your Azure AD into a pair of managed domain controllers. So DCs that you don't RDP into, but you do have access to hook up with things like, a doc and all your tooling that you use today to manage Active Directory. So that's one path you can go down. So don't pay for servers, but pay for the service and the projection and the resiliency and SLA and everything comes with that or stand up your own and manage your own.

- Yep, which standing up and managing your own is definitely cheaper. I looked at Azure AD DS and I think it starts around $140 a month. It's a set fixed price 'cause obviously, this isn't a service that you can spin up and spin down, it's just always running. So it starts at 140 and goes up from there based on... I can't even remember, I think it was based on number of users and there's some functionality that's included in different levels, but it's not cheap considering you can stand up a whole server for like 50 or 60 bucks and AD is not a process intensive service on a Windows Server, but you are left with managing a Windows Server and you don't necessarily have HA.

- Well, you do have HA, so they are redundant pairs.

- Well, not in the DS, not if you spin up your own server, unless you spin up two servers.

- Not if you spin up your own. All right, yeah, so if you do AD DS, it is a redundant pair, but if you do your own server, then it's on you to figure all that out and then come up with your resiliency model, are you going to use single instance VMs with premium disk to get some type of SLA at least at the VM level? Are you gonna do availability sets? Are you gonna do zones? What does that look like and how many do you actually need?

- Yep, exactly. And then you're doing all your own patching and server management and if that server crashes and all that.

- Yeah, you're living in IaaS land for sure.

- Yep, so I asked about... And then I was talking to you a little bit the other day and I said okay, so what does that migration path look like? Let's say I have AD on-prem, I want to go all cloud only. So I'm doing AD on-prem Hybrid with Azure AD to sync all my users up, but now I'm getting rid of all my on-prem servers. So maybe I just wanna go Azure AD DS and deprovision my on-prem AD. Is that a migration path or what does that look like to go cloud only with Azure AD and Azure AD DS and then deprovision that Hybrid Azure AD Connect service and my on-prem AD server?

- Yes, it doesn't eliminate the VPN problem and having to connect to the DCs 'cause you still have that client authentication issue to get over.

- Right, and you still need your VPN for your port 445 going into another topic. So, there's no way to get around this VPN issue.

- You do, so all that stuff stays. Really what you've done is you shifted your... At that point, you've shifted your DCs from on-prem to Azure just inside of IaaS. But you've still got the hookups and the connectivity and all the other things that come in. So I'd be worried about a couple things in there in general, by saying my DCs are only gonna live on the cloud. Since you said your users are theoretically in normal times in the office, the majority of the time, I would want them talking to the most network close authentication service that they could. And then maybe if they were going into something like Windows Virtual Desktop or something like that up in Azure, then okay, there's your kind of file share, and you're all set and ready to go and you've got your DCs up in Azure. But if you really wanted to get rid of them, you would do AD Connect. So you would do your hybrid identity, and do all your projections from on-prem to AD. And you could configure AD DS at any point in here, 'cause that's just a projection from your Azure AD. And then once all your identities are there, and all the things that you need to do, 'cause all AD Connect is gonna do is synchronize users, groups, and kind of some limited in the grand scheme of things metadata up, it's not synchronizing your computers that are joined to the domain. So that's a whole nother issue that you'd have to solve. But you could take AD Connect, and then once everything's up there, users and groups, just rip AD Connect down, get everything, all the synchronization going into the new domain, rejoin all the computers to the new domain that lives up in Azure, 'cause they've got to get back in there, right? You're probably still gonna wanna manage them with GPOs and things like that. So all that gets in place and then stand down the on-prem DCs. Now I think one of the issues there is AD DS was not a real replica of your on-prem domain. So it's not all the same FSMO roles and everything else. If you don't catch everything, there's potential that you leave something behind, you'd almost want, like if this is really for backup, maybe a redundant pair of read only DCs or something like that up in Azure, that are ready to go that somebody could hook up to through that VPN on a Point-to-Site perspective. And they'd authenticate to the most network close DC. Or if they were on-prem, they'd still be able to authenticate to the one that's there. Best of both worlds maybe.

- Yeah, so it's not really a migration from AD to AD DS. It's more of a let's go have all three of them running. And then let's just remove one and make sure that you manually copied, rebuilt, did everything in Azure AD DS that you had in your on-prem DS.

- Yep, you've just got to be very cognizant of the limitations of AD DS as a projection from Azure AD, it's not the same exact type of thing. So yes, it lets you join computers and servers to domain. Yes, it has GPOs. But it doesn't have all the functionality that you're gonna get in your on-prem AD. And especially when I think about client management, you're probably doing GPOs that rely on things like ADMX templates. Maybe you're managing Office client installs, or I'm sorry, Microsoft 365 Apps for enterprise 'cause you haven't moved--

- I just wanted to say, I was trying to figure out how to get you to say that this episode.

- I had to say it twice this week in a presentation and it feels really dirty, like what, just Office Pro Plus people.

- That's a mouthful.

- It is. But you still have management that you need to do there. So then do you look downstream of saying, well do I move over to cloud policy or some other type of service, which, arguably--

- Like what it's been up into, right?

- Right, there's all these options out there. But all you wanted was a file share. And now all of a sudden, you have this technical implementation and the spread of things that operationally is turning into a little bit of a nightmare, who's gonna maintain all this stuff and keep it patched and up to date and ready to go and write all the guides for what do we do when the VPN is down and everything else that comes along the way. So that's kind of AD DS, I think when you weigh the two out in a lot of scenarios, AD DS has a place. It's quite often the path of least resistance when I think about like friction and time to implementation to just stand up new DCs, as you said, they're often cheaper to run, they can run on lower cost hardware and lower cost VM sizes, you might wanna upsize them while you're kind of configuring everything the first time and then scale them down a little bit later once everything's up and running. But it tends to be a known path, where AD DS can still have some pain points, especially if you haven't worked with it before. And you haven't really taken the time to dig through all the documentation and the FAQs and things like that.

- Yeah, I feel like going through all of this as I was digging around with it and playing with it. AD DS serves a purpose a lot more when you're gonna keep all your existing on-prem domain controllers. And Azure AD DS is simply a way to extend your Active Directory to the cloud in order to do just LDAP authentication against a cloud service without standing up another VM in the cloud.

- Yep, that seems to be what I'm seeing. I've actually used it. I've seen it used in some creative ways. And I had a customer that we ended up going down the AD DS path for, just based on how they were set up. So they were a customer who had a number of disconnected domains on-prem, that didn't have trusts or anything like that in place. So they couldn't stand up AD Connect once and have everything routed through from all these domains, user at Contoso, user at Fabrikam, all those kinds of things into AD at the same time, but relying on some of that functionality that you have where you can do the disconnected domain sync now. And you can bring all those disparate domains for those M&A scenarios into Azure AD. And what they were able to do was they were able to take six different disparate domains and user namespaces, all those user UPNs, get them all syncing into Azure AD, which was something they didn't have access to, they couldn't put them all in the same resource domain or user domain or things on-prem. And then they were running a lot of their shared services in Azure. So every server that they stood up in Azure was joined to that AD DS instance, it wasn't joined back to company one's AD or company two's AD or company three's. And that way, if I was a user from company one, or company three, or company five, I could log into the servers in Azure to do operations and management, and run my applications. And I was able to authenticate through and do all the things that I needed to do, 'cause servers still need, like this classic auth, Kerberos or NTLM, and all that good stuff. There are use cases for it. I think you just need to understand what your use cases are. If you're just looking at AD DS and saying, all right, this is gonna be a rip and replace, replacement for my existing Domain Services. Quite often, I don't think that's exactly the case today. Give it time and it'll probably get there. It's just not there today.

- And we don't currently know when it'll get there because it has been a slow deployment or rollout.

- It has some quirks to it. I've seen AD DS deployments where you go and you stand it up the first time and you go to do your sync. And it doesn't matter if you have five users in your Azure AD or you have 25,000. You'll just hit the sync button, and you might come back like 48 hours later, and it hasn't started syncing yet. And then you go, oh, what do I do? How do I fix that? The answer is you don't, you call support and hang on the phone.

- And wait a long time. Interesting.

- All right, so you go down that path and I think you weigh the two out, you probably look at DCs.

- Yep, and that's kind of, as I've played with it, and looked at it. And as we talked about it the other day, and even based on what I've seen, you have pretty much convinced me that if we go down this route, that is the way to go in this particular case, which led to question two. But based on time, we should probably do question two next time, or should we keep going and have a really long episode? Let's keep going, it's corona times.

- Okay, yeah, nobody's listening. Nobody's driving anywhere to listen to the podcast, our numbers have actually dropped. It's kind of interesting. And I've seen that side tangent, kind of across the board. I'm in a few different podcast groups and all of that and people are saying, overall podcast numbers seem to have declined because nobody's commuting anymore. And that's when everybody listens to podcasts.

- Yeah, I'm finding as a rabid podcast listener. I mean, I subscribe to a lot of podcasts and listen to a lot of things. I'm just falling behind. It's the drain of the times that catches up with you. So where I might have gone and been done with work and just tried to decompress for 30 minutes. Now it's turned into kids are at home, everybody's at home, things are going on, and all of a sudden there's that other Zoom invite for like a happy hour and you haven't talked to people in weeks 'cause you're quarantined and you like, aah I gotta get like, you're self isolating or whatever it is, you just have all these other competing things going on. And I am falling behind on all sorts of things which I intend to listen to at some point. It's just gonna take me a while to get there.

- Yep.

- Outlook Add-ins are a great way to improve productivity and save time in the workplace and Sperry Software has all the Add-ins you'll ever need. The Save as PDF add-in is a best seller and is great for project backups, legal discovery and more. This Add-in saves the email and attachments as PDF files. It's easy to download, easy to install and Sperry Software's unparalleled customer service is always ready to help. Download a free trial at sperrysoftware.com, sperrysoftware.com and see for yourself how great Save as PDF is. Listeners can get 20% off their order today by entering the code Cloud IT. That's Cloud IT, C-L-O-U-D-I-T all one word at checkout. Sperry Software: work in email, not on email.

- Okay, so after that side topic, after that brief commercial on podcast listenership, tidbit of random information. So let's just say for argument's sake, we've decided we're gonna put our DC in the cloud, Azure, it's a server, we're doing IaaS, we're gonna stand up a brand new domain controller up there. Now I have all my machines that are still on-prem. And I am going to, again, for argument's sake, because we wanna shift to this whole cloud only model, we are going to replicate AD for now, but eventually that on-premises domain controller is gonna get deprecated, removed. So our only domain controller is gonna be in the cloud, but I still want to be able to join machines to it. I still need to authenticate against it for something like, Azure file shares and the scenario we talked about. Now I have a whole other set of problems or challenges, I won't call them problems, challenges or things to think about because I have to be able to connect to it to go into my computer, my settings, join domain, and then actually reach out to that domain controller, especially in the case which my own tenant is in this case where I wanted my domain to sync up to Azure AD properly. So my UPN suffix is intelligent.com, which is also my website, which also has public DNS records. So DNS resolution can be a little challenging because I need intelligent.com to resolve to my internal domain controllers, as well as to my external domain controllers if I wanna hit my website, and all of that, going over this VPN connection to hit my DC.

- Yes.

- Does that make sense?

- It does. Basically, if you wanna be able to authenticate to the DC, you have to be hooked up to the network. And that means you need all the routing and name resolution and other things in place.

- Yes. So I am partway through that. I think I might have it figured out, but we had to record a podcast. So I'll go back to it today. But essentially, same type of thing. I'm using the same VPN gateway because I needed that VPN gateway anyways for my Azure file shares over SMB. And what I was struggling with last night was to get all of my DNS settings set up properly, so I could join a Windows 10 machine that's running as a VM on my laptop, connected over VPN, to this domain controller sitting up in Azure and then leverage the DNS in Azure so that I actually hit that instead of going out and trying to hit my public website when I tried to join the domain. So my DC up there has, oh, and to top this all off, don't ask the story behind this, I have two virtual networks that I have peered in Azure AD. And my domain controller sits in one virtual network and my VPN gateway sits in another virtual network. So I'm connecting to VPN, connecting to the virtual network in Azure, going over the peering connection between one virtual network to the other virtual network in order to hit my domain controller sitting in said network.

- Yep, so you got a hub and spoke.

- Because I like to make things complicated.

- You're trying to make your 12th person entity the largest enterprise in the world.

- Well, this is just my personal, this is a one person entity. This is me right now.

- You and all the voices in your head that told you this would be a good idea to go down this path. Yeah, some interesting things start to happen along the way there I think, as you discovered, particularly with name resolution. When you have a VNet in Azure, there's kinda three DNS models that you can go with. You can do Azure provided DNS, which gives you resolution within the VNet itself. So I stand up VM one and VM two. And I can ping VM one and VM two, and they'll resolve by name, and all those kinds of things, I can do and I slick ups and CM, and I can actually pull their private IPs and I'm all good. Sometimes you don't wanna do that. And you wanna do, bring your own DNS. So you do BYOD DNS, and you take your VNet, and you set your VNet settings to say, no, this is my DNS server. That way, when clients query the VNet for DNS, it's going to point them back to your domain controller, and go like, oh, why are we doing this at the VNet level, because remember that's where all your network configuration is driven from. You really don't make changes to the NICs on VMs in Azure, you make changes to the configuration of the virtual NIC outside and then that's projected down to your virtual machine, or your virtual machine gets its configuration from there. So you've got to have that resolution end-to-end. So peering is kind of interesting, because you've also got peering with a VPN gateway. So now you need to allow gateway transit on one end, but not the other end. And you need to make sure that your potential routing and things are in place, you might need UDR at some point, depending on how else you wanna shift traffic around in there. You get all that up and running, I bet your primary VNet, you were going in and saying like, "Oh, this is great. "I'm gonna set it to my custom DNS." And if you stood up VM one next to DC one, they would totally resolve and they do what they need to do. But you introduced that VNet peer. 
Which then makes resolution a little bit weirder 'cause your client, so you're hooked up on that Point-to-Site VPN or Site-to-Site whatever you're using. So your client now, where is it pulling its DNS from, it's pulling its DNS from the same VNet as the VPN gateway, which most of us I think, would just leave in Azure provided DNS by default. Because it's just a hub, right? It's sitting there doing what it needs to do, let it do it.

- Right, which is what I did.

- Yep, you might see the VM on the other side, but it's gonna resolve as the internal name with the cloudapp.net, and all that, and not as the proper NetBIOS name that you're gonna need to join the network. So probably some more configuration to do where now the peered network, or the hub rather, also needs to have its DNS configuration updated, so that it pulls its DNS from the DC over in the spoke.

- Yeah, and that was the hint that we found for anybody that finds themselves in a wonky scenario such as myself. I was going out and pinging it and I was like, well, when I do an nslookup, and I'm looking for my domain controller, it's coming back with this internal.cloudapp.net, not my domain, and you were like, I bet your DNS was wonky in that VNet that you have your gateway in. And lo and behold, it was.

- Yep, so that's one option is go down that path. The other option is, if you're just doing this for POC, you can't use a hosts file because of the whole SRV record thing, the service records, but you can use an LMHOSTS file to go ahead and point to your DCs. It's a pain in the proverbial rear end to set it up. But you can do it. I think the other thing to think about is identity is really a core service. It's typically, maybe when you just look at kinda your topological design and you're thinking about how to approach that with your customer, your identity, your firewall, your logging and management. Those are all core services, right, or shared services. They're not really application or kind of segment specific. So something like your DC may not actually be living in a spoke in your final configuration, it might be closer in the hub anyway, which will make things a little bit easier.

- Yes, in theory, had I done this properly, and I didn't already have some of these VNets configured and I was paying attention to what I was doing at 2:00 a.m. the other night, I would have just put my gateway in the same VNet with my domain controller instead of in a separate one. And at this point in time now, it's just, can I actually do this? Realistically, I should probably just go delete my gateway and go stand it up in my other VNet and save myself some hours. But again, I get into this and I look at this as learning and figuring this out. And how does this all work together? And can I get it to work? Not necessarily, is this the way I should do it?

- Absolutely, I'm not saying you shouldn't try things out.

- Yes, and I wholeheartedly agree with you.

- I just wanna make sure we have the conversation in case somebody actually does end up listening to this and they go, "Oh, those people are going down some crazy path." Or somebody looks at it and they're like, "Hey, they sound like they know what they're talking about. "Maybe I should go do that." I always like to talk about the other ways you can do it too.

- Yes, don't do it the way I did it unless you have a very specific reason other than it was 2:00 a.m. and I created my gateway in the wrong subnet and I wanted to experiment with it.

- Alright, so DC up, client connects and VPNs there. Theoretically, you can just hook up to files now.

- Theoretically, I think, oh, so Azure Files now gets really weird. Should I talk about Azure Files and the security there?

- Absolutely.

- So as they rolled all this out now, we can connect, we're gonna assume that you can... So first thing you should do with Azure Files is once you get all of this figured out, go connect with the storage account and the key to make sure you can actually connect, that your routing is going properly. Because at this point in time, assuming you're connected to VPN, you have your network set up right. Download the VPN client to, this is another thing. There's a VPN client that is an executable that goes and sets up the whole network and the routing and everything in your Windows 10 machines. Don't touch that until your network is all configured. Because what that executable is doing is downloading a configuration file and making a bunch of changes. If you change your network, your VPN client doesn't get that change. And you actually have to just disconnect, remove that VPN connection, go download it again, go set it up again, and get all those network changes. So we're gonna assume all of that took place. I can connect with a storage account name and key. But now I wanna connect using my username instead of that storage account key so I can leverage all the normal NTFS file permissions and permission folders in this Azure file share differently and all of that stuff. So first, the machine you do all this from has to be domain joined and there's some certain PowerShell scripts you have to go run to actually set up your file share in Azure to be able to authenticate against AD. And those do have to be run from a domain controller, so you go run those scripts. Now your Azure Files are set to authenticate with an AD server. And there are a couple levels of permissions that you need to set and the documentation does walk through all this, but you have to set the RBAC permissions on the file share itself. There are three permissions in RBAC for SMB specifically, an SMB, I think it's an SMB file reader, an SMB file contributor, and an SMB... 
It's like, it's not advanced contributor, it's something else, but it's another level up from contributor. So the first thing you have to do is go in and set these RBAC permissions. This is gonna look against Azure AD for these RBAC permissions, which is why you have to have everything synchronized together. That does not give you access to the file shares, that just gives you that RBAC permission to leverage the Azure service. Now you can go mount it, again with that primary key and your storage account name, and then right click in Windows and go into the properties and security, and then start setting the security on the shares and the folders and the files looking back against your domain controller. So there's both of those permissions that have to be set. And then once all of that is done, assuming whatever client you're connecting to can connect to both Azure AD and to your domain controller, you can go in and do a typical net use, point it to the Azure file share, you can do a slash you and throw in your UPN from Azure AD, or you can just do the net use and it'll prompt you for a username and password. Type all that in and in theory, you have a mapped network drive that's using your typical permissions coming from a domain controller.

- Mm-hmm, in theory.

- In theory, again, taking all those prerequisites and everything we just talked about being configured perfectly for that to even work.

- Yes.

- And there you have it. And there was something else I had to do. I'd have to dig through it. But I did also have to create a private endpoint for my Azure Files. And I can't remember at what point in time they hit that and why I had to do that.

- Why would you want, why?

- 'Cause it's a private endpoint that points to a private IP for my... maybe I didn't need this. This may have been one of my testings. When I was trying to play with everything. I don't think I actually need this.

- So I don't think you would, off the top of my head, you could connect across the public endpoint and do things that way. The private endpoint would arguably be more secure for you, especially 'cause you're VPNing in, that way you're VPNing in. And when they go to connect to the file share, they're actually connecting through the private endpoint. And they're routing straight into the storage service. And even though the public FQDN is still there, nobody can connect to it that way, they can only come through the private endpoint.

- I think this was when all of my testing was going on to try to figure out how all these configurations worked. I think I created this. And yeah, as we're talking about it, looking at it, I don't think I actually need it anymore.

- Hey, look, you simplified things, while making it--

- I simplified things or get rid of a private endpoint connected to a storage account. That yes, that in theory would all work and that would provide you a way to actually be anywhere as long as you connected to the VPN first, you could go mount these file shares as a user instead of using that primary storage key. And then one thing, this client had talked about is, they're like, well, when I'm on-premises, then can I speed up my connection? Because now inevitably, you're going over the internet, you're connecting to a file share. And if you're pulling 100 meg, 200 meg files back and forth over a VPN connection to an Azure file share. It's not gonna be nearly as quick.

- Especially a Point-to-Site connection.

- Yes, especially Point-to-Site connection. It's not gonna be nearly as quick as if you're just pulling it off your local server. So then they were like, "What can we do, like the Azure File Sync?" So you can have a cached copy locally in the office and use this as kind of a backup emergency option if we wanna get to those files from externally. And also if you're doing Azure File Sync, it does give you some of that DR type scenario where our office catches fire, we lose our server. And now we, again, we have this backup option, we have all of our files up in Azure Files where we can get to them, restore them, do all that if the need arises.

- Mm hmm, it would be there. And it would all be very nifty. Lots of moving parts.

- Yes, that is the biggest thing I took away from this is, this is not, I come from the Office 365 side, this is not stand up an Azure or a SharePoint site and do a sync. There's a lot of moving parts, a lot of routing, a lot of networking. There's a lot of stuff to figure out and take into consideration if you wanna go this route. So you said you had one other thing too that you were gonna throw out there as, why didn't you just do this? What are your thoughts on this whole configuration setup, other than SharePoint being a lot easier?

- SharePoint would have been easier, you should have just convinced them to go that way. And if SharePoint wasn't their thing, there's lots of other file storage services out there. Like, I don't know, Box or Dropbox. Pick one of those--

- ShareFile or yes.

- Yeah, if files is your thing, and per user authentication is your thing. And you want it to be resilient and live in the cloud. Here you go. There's the right tool for the right job.

- Right, we had an episode a while back about that. About picking the right tools, specifically when it comes to cloud storage.

- Yeah, so I think one of the other things to maybe think about is, you're doing this as a one off scenario. And you're doing it for the time when those users need to be away from the office and kinda have that remote connectivity through. I think another thing to think about would be, what if you didn't have the VPN, and you didn't have that whole client setup piece, and maybe you didn't do Azure Files. You just went with a traditional set of DCs and a replicated file share that lived in the cloud. So say you did like DFSR or something like that over a Site-to-Site VPN connection from the office, you have your clients, rather than coming across a VPN and dealing with that headache, maybe just stand up like Windows Virtual Desktop or RDS services, and something like that, and have them connect to that service when they need to. So okay, you need to go to the cloud, you're remote, here's your desktop in the cloud, it can talk to all the things you need to talk to, without all those routing issues and everything else that you've kind of run into along the way with ports and protocols. 'Cause then it's just a 443 connection. And anybody can do that. And you'd have more control over sizing, latency, performance, I think you'd have some better client controls there 'cause you'd already have the DCs in Azure, you'd still have AD, but it might let you even move away from Azure Files, which you might not need in this scenario and just have, like you said, like a regular file share running up there, and maybe make it a little bit better like that customer unset file share on their DC, say, "Hey, we're going to Azure, we can make it better." But you really don't need a PaaS service, like we can live IaaS and it's a known quantity.

- What if you just did Windows Virtual Desktop, so same thing you're talking about Windows Virtual Desktop, DC sitting in Azure, again, now, you're not dealing with VPN, you're not dealing with network 'cause you're all sitting on the internal Azure network. And you just did Azure file shares with Windows Virtual Desktop and a DC and Azure, because like you said, now you're not dealing with port 445. Everything is in the same VNet, you don't have any routing issues. You can join your Windows Virtual Desktop to your domain, Azure file shares should work, significantly easier. And you could also go that route. You're not gonna have the latency there. Because again, you're going over all that internal networks at this point in time.

- Yeah, I mean, it depends on how you're gonna use it, right? Do you need that per-user authentication is probably the biggest thing in there. And just based on the path you're going down with per-user authentication and the way it is today being a preview, back to that lifecycle thing, it might be easier to go with a known quantity, and say, this is gonna be supported and ready to go. Especially, I'd imagine you're looking at something like this for a customer because of the time that we're in. They're coming up with some specific needs based on what's going on today. And we don't know how long what's going on today is gonna go on. And sometimes that roadmap for Azure Files is a little murky. So you might have some other options in there that potentially simplify things or maybe give you some other cost levers or controls.

- Yep, and we did start going down that path, or at least having some of those initial conversations about maybe you do leverage Windows Virtual Desktop for everything because at that point in time, now every computer in the office is essentially just a thin client. It's a terminal, can even be an iPad. With those nifty new keyboards and mice that are hopefully coming today via UPS. And your office computer could just be pretty much anything at this point in time, because you're just connecting to Windows Virtual Desktop and doing everything in the cloud.

- I think it depends on how you look at it. I was maybe thinking of it more as your file share scenario where it's a backup. So maybe you have a limited size host pool. But because it lives in Azure, it can scale when it needs to. So it's not a problem that it's only, I forgot, maybe one available desktop host sitting there. Because it's gonna be able to scale from one to 12 on demand as users are coming in and out versus having 12 or however many you need running all the time. And then it truly is that backup scenario.

- Yeah, and that's kind of one of those key differentiators is I think this might start as a backup and then turn into maybe this is our everyday functionality, or everyday scenario, we'll just kinda have to see where this goes. But it has been a very interesting exercise on my part to figure all this out.

- Yeah, it's always fun to play with new stuff. Welcome to Azure.

- Yes, thanks. I've actually been doing a little bit more Azure stuff. I have a couple other projects that are tied all into Azure IaaS, it's bringing me back to my roots as a system admin and dealing with servers and racks. Only some of it's a little bit more abstract now.

- It's all just in a JSON file someplace.

- Yes, I did not have like these predefined Azure DNS things before to figure out crazy VPN routes and VNet peerings.

- Yeah, but now you've done it--

- It can't work over a peer.

- You'll never forget.

- That's the theory. That's the hope, the plan. All that. All right, well, thanks for this extended episode.

- Yeah, no, thank you. It's fun.

- It was. And we have lots more stuff that we can talk about. We actually have like three or four topics today. So we've got lots more fun stuff coming in the future. So go enjoy your cloudy day while you sit inside in social isolation. Don't work too hard. Go take a walk on the beach. Have you gotten out there yet? Have you gone out and taken a walk on the beach?

- I have not gone to the beach yet. It's been a week. We're going out on the boat this weekend. So that's the plan.

- Nice. That sounds nice and relaxing.

- Yeah, all right, man. Well, until next week.

- All right, enjoy.

- If you enjoyed the podcast, go leave us a five star rating in iTunes. It helps to get the word out, so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on the show or feedback about the show. Feel free to reach out via our website, Twitter or Facebook. Thanks again for listening and have a great day.

Episode 174 – Azure Web App for Containers

In Episode 174, Ben and Scott dive into Azure App Service for Linux and Azure Web App for Containers as a hosting option for microservices and more.

- [Ben] Welcome to Episode 174 of the Microsoft Cloud IT Pro Podcast recorded live on April 16, 2020. This is the show about Microsoft 365 and Azure from the perspective of IT pros and end users, where we discuss the topic or recent news and how it relates to you. In this episode, we talk about Azure App Service for Linux and Azure Web Apps for containers as a hosting option for microservices.

- [Scott] You've made it to another Friday.

- [Ben] Is that what day it is?

- [Scott] It is, as Rebecca Black, do you remember that song Friday?

- [Ben] Oh no, please, please

- [Scott] Yes, no.

- [Ben] No, no!!!

- [Scott] I asked her, Well hold on. As she taught us, Friday is the day that comes after Thursday, right? Yesterday was Thursday, Thursday, today it is Friday, Friday partying, boom.

- [Ben] But that would assume that I knew that yesterday was Thursday.

- [Scott] Yeah, well, I'm just telling you like, "Hey, Rebecca Black could help you get through COVID-19."

- [Ben] No, it hurts.

- [Scott] Just to throw, Just to throw that out there for you.

- [Ben] Well, we're almost through it, we have our escape plan now right? As of yesterday?

- [Scott] Yeah.

- [Ben] Although there's no timeline on our escape plan, it's just a plan. This is how we're going to escape at some point in time.

- [Scott] Well It's phased and it's gated. It's very devopsy. They got that going for them,

- [Ben] Yes.

- [Scott] But, you know beaches are reopening today. We got that going for us.

- [Ben] They are. But only for a few hours right? Cause I saw they're opening today at five but then it was like five to 8 p.m. And then 8 a.m. to 11 a.m.

- [Scott] Yes, yeah.

- [Ben] Which means--

- [Scott] Six hours a day.

- [Ben] They are essentially trying to avoid people going out and hanging out all day because let's face it in Jacksonville nobody goes to the beach from eight till eleven, unless you're gonna go for a walk or run or something like that. And same thing from five to eight. It's hey, you can go take a walk, you can go take a run, you can go exercise, but you're not gonna go lay out and party at the beach all day.

- [Scott] Yeah, no, it's one of those I go kinda like two ways about it. Cause you know people are gonna abuse it.

- [Ben] Right.

- [Scott] No matter what. There's gonna be lawn chairs and things out there now people have to patrol it and all those kinds of things but I am genuinely looking forward to just going back to the beach and being able to like stick my feet in the ocean again. Like that's one of the advantages of living here.

- [Ben] Right.

- [Scott] And being close to all of that, so... Yeah, I'm sad I can't take a lawn chair with me, but I'm not gonna be one of those people. But I am totally gonna go stick my feet in the ocean.

- [Ben] Oh did they say no lawn chairs too?

- [Scott] Yeah, they don't want you, like you said, congregating or any kind of chance of that going on.

- [Ben] I missed that part. It was interesting though because of the--

- [Scott] It was in like the Sheriff's webcast about it.

- [Ben] Okay.

- [Scott] So it's not in the official thing but they did call it out in the Sheriff's one so I think they're gonna be kinda going by and talking to people.

- [Ben] So did you read the whole article, this made me laugh. Primarily because it's so interesting to me. I have family in other states and everybody has their different definition of essential activities when they put these stay at home orders in place. It's like, hey you can only go on the beach for essential activities. And in Florida, based on governor, the governor's executive order, essential activities include, participating in recreational activities consistent with social distancing guidelines such as walking, biking, hiking, fishing, running, swimming, taking care of pets and surfing.

- [Ben] So if you're in Florida, surfing, swimming, I mean I get some of it's exercise based but then you look at places like Michigan where they're not even allowed to do any residential or commercial construction projects. Those are considered nonessential. In Florida surfing is essential.

- [Scott] As it should be. I have a weather reporting app. So I don't surf but I go out and go paddle boarding, and the weather reporting app follows all the cameras up and down the beaches and the Intracoastal here just so, sometimes it's not even about like wind speed or tide or things like that, it's really just about how calm it is out there cause there's some parts of the Intracoastal and things that are--

- [Ben] Do you ever go paddle boarding in like six foot waves?

- [Scott] You know sometimes I would, but my paddle board's an inflatable, so just so it's a little bit more implorable for me to get around. And it needs to be like really calm and really flat in the ocean, just to kinda keep the stability needed. It's not a paddle board that you wouldn't necessarily surf in on

- [Ben] Got it.

- [Scott] You know if I went out and bought like an eleven foot board that was a hard deck, then I could do some different things, but, yeah. I'm looking forward to having the ability to have just at least one extra option for something to do.

- [Ben] Yeah. No I get it, like, I totally wish we lived closer and who knows. If this goes on much longer we may just drive out there some morning just to let the kids go run around and walk on the beach for a little bit. Because we are starting to get a little stir crazy.

- [Scott] Just bring your bikes, you park at my house, you make the kids ride their bikes to the beach and then make them ride back and they're all good and tired, you know.

- [Ben] Oh, except then they fall asleep in the car on the way home, and then they don't want to take a nap.

- [Scott] Well it just means you get to drive the car around longer. It needs to be run anyway, you know, it's not like you're going out every day anymore.

- [Ben] We were talking the other day, we couldn't even remember the last time we put gas in the car.

- [Scott] It's been a while so I had to run an errand yesterday or at least I thought I had to run an errand, where I was just gonna go pick up my dog's medication, like flea and tick stuff right, we were in and out.

- [Ben] Yep.

- [Scott] And so I was walking out of the house and my wife said, oh don't worry about it. I've got to go out later to pick up groceries so I'll go do it. And I thought to myself, you know, I'm already like halfway out the door. I put my keys in my pocket you know, I got like my wallet in my pocket, this hasn't happened in a long time, this is oh exciting. So I kinda stood there in the garage with the garage door open, looking at my car and I said, all right well I'm just gonna start it up, cause it's gotta be started anyway. And then that turned into, well I should really just drive it around the neighborhood. So one friend I used to like lazy roll, just kinda like basically around the long block which you know takes like 10 minutes to drive around the neighborhood and do all that. And I was like yeah, I got to drive a car today. That was crazy.

- [Ben] Did you put your seat back, roll down your windows and crank up your music too?

- [Scott] No, I really should have though. You know everybody likes to see that Malibu rolling through.

- [Ben] You know you gotta show it off. Oh here is your new quote Scott, this came from Michigan's governor. Speaking of quotes from governors, ''It is better to be six feet apart right now than six feet under.''

- [Scott] Yes. True statement, your outlook on things, yes, that is absolutely true.

- [Ben] All things that make us laugh. Yeah I have all kinds of those. I will say the memes out of all this have been great. So, with all of that, all that said, should we talk about other stuff, like cloudy, cloudy stuff

- [Scott] Yeah.

- [Ben] Since it's, is it cloudy today? It's supposed to be raining this week. That's the only downside of the beaches opening, it's supposed to rain all weekend.

- [Scott] I will make do.

- [Ben] All right, take an umbrella.

- [Ben] Outlook Add-Ins are a great way to improve productivity and save time in the workplace. And Sperry Software has all the Add-Ins you'll ever need. The Save as PDF Add-In is a best seller and is great for project backups, legal discovery and more. This Add-In saves the email and attachments as PDF files. It's easy to download, easy to install and Sperry Software's unparalleled customer service is always ready to help. Download a free trial at sperrysoftware.com, s-p-e-r-r-y-s-o-f-t-w-a-r-e.com and see for yourself how great Save as PDF is. Listeners can get 20% off their order today by entering the code cloudIT. That's cloudit, C-L-O-U-D-I-T, all one word at checkout. Sperry Software: work in email, not on email.

- [Ben] So Azure Web Apps, it's something you said you have been working on recently. And you said we should talk about it.

- [Scott] Yes, that is in fact true. So I have been doing a fun little project at work. It's a little bit of a transformational project of taking an existing series of microservices that are all hosted in Azure Kubernetes Service today. And seeing if we can't break those microservices out, and potentially host them in another hosting container or another provider that's gonna allow us to run those Web Apps. And do it with the same performance characteristics and monitoring, kinda operational insights we need, but at a much cheaper cost. So if you think about something like AKS, you know you stand up a cluster and typically you want some kind of HA because it's a cluster, so you're gonna want multiple things like multiple nodes in a node pool. You've got an AKS, the way it works is you spin up a cluster, you get a cluster master. The cluster master is a VM but Microsoft doesn't charge you for it, it's part of the management plane so the master is, the master is free. But you do pay for the underlying compute. So for every node that you spin up in a node pool, then you're gonna pay for each one of those nodes. So, you know you take two DS2 RD2SV3's you know, that cost whatever they cost, 70, 80 dollars a month US,

- [Scott] And okay, well actually no, those are more, those are like the DS1s.

- [Ben] D2, aren't those like 140?

- [Scott] Yeah, yeah, they're like 140 right.

- [Ben] The v3's are--

- [Scott] So you spin up two of those and that's 280 dollars and those VMs need to be on all the time, right? So the master talks to them and you want that HA and that's kinda like your baseline and where you wanna be at. And that's before you start talking about other services you might consume on the side. So like in the case of microservices, they talk to an Azure SQL Database, so there's consumption there. There's storage consumption for diagnostics, there's all the things that you need to spin up with, you know, Log Analytics and Azure Monitor for containers and all these other things. So there's been some releases over the last year or so in Azure Web Apps that potentially give us a way to host those microservices natively within Azure Web Apps, and gain some efficiencies. Performance characteristics we want to keep the same so, you know, so we should keep doing load testing, and make sure we're baselined for latency and average response time, things like that. But from a cost perspective with Azure Web Apps, your unit of compute is your App Service plan. An App Service plan can host multiple Web Apps inside it. So if I can find a good App Service plan tier to host all these microservices in, and keep the performance baseline the same, it should theoretically be a little bit cheaper, better, faster to operate and stand up along the way. You know there's some things that you are gonna get with Web Apps. Like you're gonna be potentially fixed in storage size. Your App Service plan determines whether you can use custom domains, and SSL and things like that along the way. But you know if you can find a way to land in a like Linux Web App in a standard service tier, the standard service tier starts at about $70 a month and you know, you can scale up to 10 instances within those. And even if you go to like the premium tier, you get into the premium tier, at least here in the US and like East US and East US 2, it's 73 bucks a month to start the premium tier. 
And things like that can scale up to thirty instances, they support auto scale, custom domains, SSL. You can do kinda all the things you need to do within there potentially to stand up those workloads and get them to where they need to be.

- [Ben] Got it.

- [Scott] So in this case, like we looked and we said okay, what's a good like target service plan size, just based on performance characteristics of existing apps, cause we were actually kinda leaving a bunch of compute on the table inside those existing AKS nodes. They were kinda sized up a little bit further than they needed to be. But even if we had downsized them, cost would have been a thing, particularly when factored in storage and everything else. So we just started out kinda simple and said hey, can we run it in a standard plan like, could I run it in an S1, if I severely restricted the RAM, like an S1 app service plan is one core and 1.75 gigs of RAM. But again it's only 70 bucks a month so if I can run it inside of that for the Core Compute, 280 versus 70, all of a sudden I've got a bunch of flexibility and I can do some other things there.

- [Ben] Right, because now your Web Apps are naturally highly available. You're not having to go make sure you have two VMs and configure all that for your high availability. It's all just built right into the app service.

- [Scott] It's supported within the App Service, yeah. So there's this concept of instances that you can run. So effectively kinda how many scale units, or you know, what is your horizontal scale look like within the App Service. So by default you usually run with one instance but you can go in and change that configuration and say, I always wanna run with two instances or three instances. And then maybe have things like auto scale rules based on CPU or some other metric that you're gonna target auto scale. And in the case of these service plans right, being able to scale to 10 instances or you know, 30, 50, you know, depending on your service tier.

- [Ben] How do the resources compare then when you're talking like VMs? Because obviously you can also go out and get a VM that has a gig of RAM and a single core. It is really cheap. But then those resources are also having to go to the underlying OS. When you do this in the Web Apps, are you getting essentially the same amount of resources, figure you're still getting like a core and a gig of RAM, but then it's dedicated 100% to your Web Application and to those microservices. It's now having to share those resources with some underlying OS.

- [Scott] Well I mean there's an underlying OS. So you're picking whether you're on Windows or Linux, you're just saying you don't want to have to worry about patching the underlying VM there. So kinda the way it works in Azure Web Apps, have you ever heard of ACU's?

- [Ben] Ah, yes.

- [Scott] All right so an ACU is an Azure Compute Unit, just for those that aren't familiar with it. And they're meant to be a way to baseline or compare CPU performance across these different sizes and series, right. So when I come out and I say, okay a D2S_v3, and you go what the heck is a D2S_v3 and how do I compare that to DS1_v2,

- [Ben] Yep

- [Scott] Well you would potentially do that through something like ACUs along the way. They start at A0, actually it's a little bit easier to start at like the A1 kinda family. So A1's are one core to one vCPU, so it's a one to one relationship. And the ACU, the Azure Compute Unit is 100. So now you got like a nice solid whole number that you can work off of there. So when you go to pick your App Service Plan and what your unit of compute is, like if I went in and selected an S2, in the standard series. Well an S2, a line core, so it's two cores and it's 3.5 gigs of RAM. Then you go like, what does that really equate to in CPU performance, cause two cores in a D series versus an A series, they're actually gonna have kinda some different metrics to them.

- [Scott] So then I can walk in and I can say, okay, well an S2 is 200 total ACU. It's an A series Compute equivalent, like I know where I have landed in there and I can start to figure out what I'm getting for my money, with the features that are offered to me. Right, if I go into the premium tier where I can do like Isolated Networking and some other things, you know, those are gonna be like DV2 series equivalents and you start to get into, all the way up to like, 8X metrics, like you can do like 840 total CPU. Like 420 gigs of memory and in a P3v2. So it gives you a little bit of a baseline and kind of a way to figure it out. So if you looked at say in this case, the node pool, you knew you were running IIS or Apache or whatever it is on a VM, and you know what kind of VM you're on, now you can play with it a little bit and see like hey, would I actually be able to step down from a D series to an A series? Which potentially has some significant savings for me? You know, am I really CPU bound or am I memory constrained, disk-constrained? What's the constraint for my application as you stand it up?

- [Ben] Got it, okay so, you have all of that. You've figured out how those resources are laid out, how you are going to go from one to the other. But now you actually have to move those microservices, or those containers. What do you have to think about then as you take these microservices that maybe you're running in AKS, and you wanna push them into one of these app service plans, is it just like a lift and shift or is there some reconfiguration that has to go on there? Cause, I honestly completely missed this and I had no idea you could actually run microservices in app service plans now.

- [Scott] So specifically containers, right, we're talking about taking container applications that are already containerized.

- [Scott] And being able to bring them over, so in the case of AKS running the Docker container runtime or kinda move in out ready. You know we should be able to natively come over to a service like Web Apps for containers running on Linux, which already has sudoku for runtime as well, and stand a container up the same way. So you could always do microservice hosting, right, just deploy your Web App as the runtimes or kinda the server side static frameworks, whatever you had going on. In your Azure Web Apps that was fine. But the nice thing here is, we're just lifting a container and getting it to where it needs to be. So there's a couple of things like in this particular case that ended up being kinda interesting. So, if you think about standing up a, something like an AKS cluster, so it's a container orchestrator, so it's bringing things to you like service discovery. There's certainly networking components to it. So if I'm deploying a microservice on a cluster, how does traffic from the outside hit an IP? And how does it know to hit that IP and then be routed all the way to that backend service, specifically to you know, microservice A versus microservice B. So that all happens with other service load balancers you might deploy. And typically you need, you want some kind of ingress controller where maybe you can have more play within the routing of that traffic. You might not always want, like, just a standard kinda load balancer service in there. So for this one, it was an existing implementation of Traefik, so it's just kind of a way for us to stand up websites and do the routing and things like that within that cluster. But that meant that Traefik was going away when we came over to the other side. So in AKS the way everything was set up is there was a root URL. So, you know there was msclouditpropodcast.com and that was kinda the homepage.

- [Scott] And then the APIs were all stored in virtual directories, virtual routes underneath there. So you would have like /api1, /api2, /api3. So everything was in the same canonical and fully qualified domain name. And when we went to Azure Web Apps, well that changed a little bit. Because we can't run multiple containers in, we can't run like a whole container group in Azure Web Apps.

- [Ben] Got it.

- [Scott] Inside the same Web App. So, what was, you know, five or six containers that were all effectively the same website, from a routing perspective, actually became five or six separate websites on the other side. So there was some reconfiguration that needed to be done there, right. Like things like, okay, so you know, a dynamic configuration for which API endpoint we talk to, where there was only one URL, now there needed to be, you know, one distinct like environment variable that we could set for each API so that you could still talk to the right place and grab the right thing. But the really cool thing there is because it's all just containers, right, so we can go change the code, we can spin it up, we can create a container image and we can spin that up very quickly within Azure Web Apps. And it turns out that with Azure Web Apps it's potentially even a little bit easier for us to do the deployment. So something like that dynamic configuration where it was all running inside either a native Kubernetes deployment or in this case, everything was being deployed with Helm and Helm charts and you know, you're setting dynamic values for environment variables and things like that. In Azure Web Apps you've got just native, just app settings, like there's configuration per Web App. And all you have to do is go set those keys within the app service, within the Web App configuration. And they're automatically projected as environment variables within the Web Apps. Within the containers that are running within the Web App and within that runtime. It was super sleek and super kind of turnkey, just to spin up a container and run it was a very quick thing to do. It felt nice and easy and way easier than potentially, you know, depending on your feelings on it, mucking with a bunch of YAML to do like the existing Kubernetes and Helm deployments for going through.

- [Ben] As IT professionals in the Cloud era, sometimes it feels like we don't speak the same language as the rest of the organization. So when stakeholders from finance or other departments start asking about a specific project or team's Azure costs, they don't always realize how much work is involved in obtaining that information. Sifting through cluttered CSVs and a complex mess of metadata in order to manually create custom views and reports. It's a real headache. On top of helping you understand and reduce your organization's overall Azure spend, ShareGate Overcast lets you group resources into meaningful cost hubs and map them to real world business scenarios. This way you can track costs in the way that makes most sense with your corporate structure. Whether it's by product, business unit, team or otherwise. It's a flexible, intuitive and business friendly way of tracking Azure infrastructure costs. And it's only available in ShareGate Overcast. Find out more on sharegate.com/itpro.

- [Ben] Got it, so really from that migration standpoint then, moving from one to the other, there's not a whole lot that has to change in your containers other than kinda how those different APIs talk to each other. How those different containers would talk to each other. Other than that, a lot of it is just, more or less, a lift and shift of containers into the App Service.

- [Scott] Yeah, it's really saying hey, can we validate this, like from just a very much like raw proof of concept side. Like do these things work, yes or no. And then what kinds of efficiencies can we light up along the way? So for something like Web Apps on containers, so in this particular case, if you think about kinda container lifetime, right, you have a, something like a Dockerfile that builds the container. So you build that container and then you wanna push that container image to a registry. And then you wanna be able to pull from that registry based on a container name and a tag and things like that. So we were using Azure Container Registry, or ACR, as our container registry. So it's a Docker compatible container registry, supports like docker push, docker pull, things like that along the way. So it's a nice private registry so you don't have to go to Docker Hub or anything like that. We looked at ACR and kinda the way existing builds were going on today. So existing builds were happening on build agents as part of like a continuous deployment, like a CI and CD pipeline. And to do those builds, you need to have the Docker daemon, not just the Docker client, but you need to have like the full Docker runtime to be able to do a docker build. So that means that you need a Linux server stood up or if you're doing Windows containers, you know you need that compatibility. But you effectively need a unit of compute to do your build for you. So if we looked at, like the CI, CD deployment side, that meant we always had to make sure we were picking the right build agent. Did it have the right version of Docker on it? Was it bootstrapped the right way and doing the right things to be able to execute builds based on our Dockerfiles? And it was just like an extra piece that you needed in there so, being that everything is in ACR, we actually wanted to see if we could light up some new options there. 
So one of the things that happened inside ACR is it has a feature called ACR build tasks. So what you can do is you can send a Dockerfile, basically kinda like, think about like, maybe zip it up in like a tar, or gzip and you can send it up to ACR. And ACR will do your build for you. So the unit of compute is built into ACR itself. I don't need that separate build agent to run docker build and then do a push to the registry for me. So it kinda simplifies things, right. What was potentially two different steps and two different commands and having to worry about logging into a registry and things like that, now in that CI, CD pipeline it's just running an Azure CLI command and making sure that I'm authenticated to the CLI through a service principal or user that has access to that registry. Which is really kinda cool. So why is it good that I can do things, like do this ACR Build Task, or this ACR task directly inside of ACR? Or if you think about one off builds, like one of my struggles with Docker has always been, am I on a computer that has all the tooling installed that I need? Do I already have the Docker client? Do I already have the Docker daemon? Am I in an environment where I can actually do a docker build? And sometimes the answer is no, right. You don't know, you might be at like a customer's environment and on like a laptop that they provided for you and you can't even install Docker on it, right. So not a lot is locked down. Well the cool thing about ACR Build tasks is it's the unit for compute and it's doing the docker build for me just based on my Dockerfiles. That means that I can perform docker builds from places where I don't have access to the Docker daemon. 
So for me, that means that I can go into this environment, if you think about just Azure, I can fire up Cloud Shell now, and all I need to do is have access to that Dockerfile from Cloud Shell, so I can still do something like a git clone, and clone that Dockerfile out of that repository it lives in. And then I can just send that file to ACR build task. There is no way I could build a container natively inside a Cloud Shell, cause Cloud Shell is already running in a container, right. You know, it's like too many levels of virtualization removed.

- [Ben] It's container inception.

- [Scott] Yeah, so all of a sudden you've gained this really cool new ability. And it has simplified that pipeline, potentially, right. What was two distinct actions, a build and a push, now it just becomes a single action, which is a build task for me. And I'm off to the races and ready to go. Which is really, really kinda cool. Like it really simplified overall environment deployment. Cause now from a deployment perspective in the past, you would like to stand up say, like a new Dev environment for a developer, they had to have all that tooling locally. Now that everything's 100% Azure native including the Docker builds, now we were able to go to those developers and we can just give them a Bash script and they can go into Cloud Shell and run a Bash script and come back in 10 minutes and everything is just kinda done for them.

- [Ben] Nifty. So you could do all of this now from a Chromebook?

- [Scott] Yeah, oh yeah. Yeah, no I've been living in like,

- [Ben] An iPad.

- [Scott] Just a web browser and yeah, it's all been going swimmingly. I've been really impressed with it. There's certainly some things that have changed along the way. I think that particularly like operationally. So it wasn't so much can we do, it's yeah, it can be done and certainly there's that cost component to it. But can you continue to run the service and the, in the way that you need to run it. So if you think about kind of AKS PaaS service. But ultimately you get a lot of insight there, right? You can dig pretty deep under those VMs and things like Azure Monitor containers with the dependency agents, like they're giving you some pretty raw numbers that then you can then consume in tooling that maybe you're already familiar with like, Grafana or Prometheus for doing dashboards and kinda optics for operations. By going to kind of 100% Azure native services, some of that changed. So potentially like telemetry that you get out of that Web App for container, well because it's running in Azure Web Apps, if you haven't instrumented the container, so it's talking to something else like App Insights. Which in this case it wasn't instrumented for that. You know rather than saying, okay, let's make another big code change and implement App Insights across the board, let's see what we can get out of native Azure metrics. So metrics through like Azure Monitor are just based on the existing resource providers, so in this case, Microsoft.Web sites. So what are the metrics that I can get out of Microsoft.Web sites? And now that I don't have Grafana or Prometheus for my dashboard, you know, what can we do with maybe building out Azure dashboards or using things like workbooks to get those visualizations back to where they need to be. And so you know the security team and the operations team can understand where things lay out for these applications in their updated architecture. And kind of what that looks like. 
That might change things a little bit, you might be locked in to say, you might be looking at, like CPU time as a metric from a virtual machine. Well in Azure Web Apps you know you can do an aggregation across like average CPU usage. Effectively the same thing. But it might look a little bit different, you might have to figure out just what is that difference and does it fit my need, and is it really there and ready to go for me.

- [Ben] Got it. Very cool. More stuff to play with. I don't have time to play with all this stuff.

- [Scott] Yeah, it was really sleek as just kind of a validation exercise, to say, hey, do these things work? And can we figure out where the pain points are gonna be, or you know, potentially where those rough edges are gonna be with that service, you know, app service on containers are on the way. So we certainly ran into things, like we had a container which was just a .NET Core. But output was one of the microservices, but that was just through like its initial build process it was ready to come up on port 8080 internally. And then you know you're just doing port mapping at the service level in AKS to say like, no it's really 443 mapping to 8080 on this container and blah blah blah. So we had some things to get over like that and there was another .NET Core, another .NET Core API that was misbehaving a little bit in Azure Web App. So it turns out that Azure Web Apps, when it goes to start your container, one of the ways it figures out container health for a website is just by effectively doing pings into it. So by pinging your website just on port 80. So for some of these APIs, just based on routing, cause they were at /API/1, /API/2, things like that. If you just went to /API/1, just like the root homepage or root route of the API, we weren't actually returning any responses so things like Azure Web Apps would die. And it would just fail the container. It would say I can't start it, because the website is not up. It's like hold on, the website's there, you just need to look in this other place. Or we needed to, in some case, like some cases like shut off availability checks just to get the apps up and running. And then over time we can fix those errors and kinda get them to where they need to be. And do that more transformational remediation. So from a lift and shift, or just a straight up like re-host perspective going from AKS to Web Apps for containers, super minimal change. 
Like if I hadn't had to change those environment variables, there wouldn't have been a reason to change anything along the way. Right, it would have been just a straight one to one. And then potentially these other more transformational changes pick up and are like hey, let's make that API run the right way so that we can keep availability checks on, cause that's kind of an important thing.

- [Ben] Right. Very cool.

- [Scott] Yes.

- [Ben] Something of an exercise.

- [Scott] It was definitely different. It was something to do that was potentially a little bit different from virtual machines and tapping into some new stuff. And potentially solve some pain points. Like, honestly, like I walked away, and I was, at the end of it I was like, this ACR build tasks thing, I can use this all the time in my workflow now. Even for demos and webinars and things like that. Where now I don't need to worry about, you know, was my Hyper-V VM for Ubuntu up to date and ready to go. Cause I always had to have a separate VM to do that. You know you can't do it inside of WSL1 today, like you can't do that docker build cause again you don't have the daemon there. So it just simplified like a bunch of things and I just thought that was like one of the coolest features cause it's gonna make my life a lot easier for demonstrations and webinars and everything else, being a little selfish.

- [Ben] Yeah, definitely. Alright, sounds good. Well thanks for that episode.

- [Scott] Yeah, no worries.

- [Ben] Another from Azure one. So go enjoy your weekend now. Go get out to the beach. Get some fresh air.

- [Scott] Yeah, it is one of my goals.

- [Ben] Alright, sounds good. Well, enjoy, good talking to you. And we'll talk to you again next week.

- [Scott] Thanks.

- [Ben] If you enjoyed the podcast, go leave us a five star rating in iTunes. It helps to get the word out so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on this show or feedback about this show, feel free to reach out via our website, Twitter or Facebook. Thanks again for listening and have a great day.


Episode 173 – Zoom, Teams, and Slack, Oh My!

In Episode 173, Ben and Scott talk about their experiences with online meeting platforms such as Zoom, Microsoft Teams, and Slack as all of us continue to cope with remote work.

- Welcome to Episode 173 of the Microsoft Cloud IT Pro podcast recorded live on April 9, 2020. This is a show about Microsoft 365 and Azure from the perspective of IT pros and end users, where we discuss a topic or recent news and how it relates to you. In this episode, with the recent uptake in usage of Microsoft Teams, Zoom and Slack, Ben and Scott compare the tools and discuss why people should stop pitting these tools against each other. This is not our sleepy Scott and Ben. This is our wide awake Scott and Ben. I don't know if that would be better or worse.

- Tell you what, it would be something.

- It would be something.

- Oh, so.

- Here we are, week 534 of staying at home.

- Of isolation.

- I no longer know what day it is. I no longer know what month it is. It's just another day. I was thinking of "Groundhog Day." Remember the movie, "Groundhog Day?"

- Do I remember it? I've been watching it lately. Yes, it's an excellent movie.

- It is. We're reliving "Groundhog Day". We just wake up and it's always today. It's never tomorrow.

- Yeah. If you're looking for another fun Bill Murray movie, in this time of isolation and sitting back and you've never seen it, you should go check out, "What about Bob?"

- What about, I remember "What about Bob?"

- "What about Bob?" is one of those classics that just holds up over time.

- You know what?

- So well. Baby steps.

- I need to go watch it again. It has been a long time. I think I only watched it once.

- It's time to get back in. And have you finished up, "Tiger King" yet?

- I have not started and I refuse to start.

- Oh, c'mon! Don't be that way. We can have a whole discussion about whether Carol actually killed her husband. What did Joe do? Oh man, we gotta get you into it.

- No, I have talked to people and everybody is like, it is absolutely terrible but I guess, then, I watched the whole thing cause I just had to see the train wreck.

- Yeah, you know we tried to stop after episode one but then you know they auto play so quick. I swear the vendor searches starting things quicker now. I've noticed on both Netflix and Prime, you're sitting there, Prime is really fast. Prime Video, it's three seconds and the next thing starts, the next episode, and you're going whoa, hold on! I didn't even have time to grab the remote, so yeah.

- That's funny. Yeah, it's funny that's what I keep hearing from people. They're like, I watched the first episode or I watched first episode and a half and it was so terrible I was gonna turn it off but I couldn't. Isn't that the epitome then, of a great, a great job by the writers or something? To create something that everybody thinks is so terrible they wanna stop watching it but they can't.

- Yeah, I will tell you. It was shot in an excellent way. The team that shot it and made the documentary, they're great at getting the shot. They have some of just shocking conversations with people. You don't even know how they got them on video to the point where you think it's a movie but then, you recognize that these people are just that dumb to say these things on camera. Or maybe they're that cerebral and that smart? I really don't know. Just some of the things, like you watch through the B-roll they have is great through the whole thing and they weave an excellent story. If you're looking to waste 5 hours of your life, it is there.

- There is always that. As IT professionals in the cloud era, sometimes it feels like we don't speak the same language as the rest of the organization. So, when stakeholders from Finance or other departments start asking about a specific project or team's Azure cost, they don't always realize how much work is involved in obtaining that information. Sifting through cluttered CSVs and a complex mess of metadata in order to manually create custom views and reports. It's a real headache. On top of helping you understand and reduce your organization's overall Azure spend, ShareGate Overcast lets you group resources into meaningful cost hubs and map them to real world business scenarios. This way, you track costs in the way that makes most sense with your corporate structure, whether it's by product, business unit, team or otherwise. It's a flexible, intuitive and business friendly way of tracking Azure infrastructure costs. And it's only available in ShareGate Overcast. Find out more on sharegate.com/ITpro. So, with a terrible segue, should we move from talking about video on Netflix and Amazon and all the fun video we've watched to video on meetings. And some of the discussion that's happened in the last couple of weeks around different web conferencing platforms, and I may even pull some other platforms in here because it's been interesting. As everybody has gone and started working from home, to see this whole, really a battle, is what I would call it, between specifically Teams and between Zoom.

- Yeah, let's get in to it. I'm excited.

- And just some of interesting things too, you've noticed. You said you've noticed there's some Teams with edu. But I will say I had an update. So, transparency, I use Zoom every week. We use Zoom for the podcast. We're using it right now. And if anybody wants to join, our meeting code is, no, I'm not gonna do that. But I could.

- C'mon, you could though.

- I could though. Because I've installed a couple Zoom updates. Zoom has been throwing out updates daily, over the last week or so. I don't know when this update happened. Because in all fairness, we last used Zoom when we recorded six days ago. And I haven't started another Zoom meeting since then. But you used to click on our link for our podcast that would let you right in. You could do all of that. Today, you went to join and it said, you have to wait for Ben to start the meeting. And then, I started the meeting and you joined. And then, I got a pop up that you were waiting in the, I don't know, if they call it the lobby or whatever, you were waiting and I had to admit you.

- I did not make, I just thought your Zoom OPSEC was getting that much better and you were trying to annoy me, in all the wrong ways.

- Yes and I didn't. I have not updated. Well, I did update the meeting invite. It may have gone and pulled out some different settings. But I did not update any settings or anything around our meeting. Other than, I did have to reschedule it cause we're recording on Thursday instead of Friday. And all of this stuff just got turned on by default for a pre-existing scheduled meeting. So, I am not doing any better at my Zoom OPSEC. Apparently, Zoom is and, rightly or wrongly, they just went and enabled all of the stuff on my meetings that I already had scheduled. I had no idea. Who knew? So, one piece of advice, if you are using Zoom and you want some of these settings the way they were originally, you may wanna go look at your settings. You may have to make some changes or people might not be able to get into your meeting until you get there.

- I think there's some things like that. Yeah, they have just been pushing out all these updates and it's like every other day, I've seen an update to the Zoom client, locally. But there have been some good blogs out there from folks like Liam Cleary had a really good one: Still using Zoom for meetings; Wanna still keep using Zoom for meetings; here are some things that you might wanna take a look at. Just to make sure that you are maybe positioned the right way and that you have set up some of these settings in a manner that actually puts you in a better place.

- Yeah and they did add a security tab at the bottom now, too. So, I have a separate tab now where I can just click security and I can go do it, go in and do things like enable that waiting room or lock the meeting and choose what I want to allow participants to do. So, there's some really nice updates that have come out of this. I think, getting on my soapbox for a minute, the part that bugged me about all of this, when all of this came out was, I'm not gonna call anybody out by name, there were some people that were non-Microsofties, there were some Microsoft people that I saw saying this is everybody all of a sudden jumped on, Zoom is terrible. Go use Teams because Zoom has horrible security. It was instilling this sense of fear in a bunch of people that used Zoom. Saying that it was terrible--

- Ah yes, the FUD.

- Right. Saying it was this terrible, insecure platform. Stop using it all together. And yes, there were obviously some security things that have come out of this. There's been some security things about the whole end-to-end encryption and where it's sending data. But at the end of the day, even before all of this, I have used Zoom for years. There were certain settings you can enable. You have always been able to password protect meetings. You've always been able to set different 10 digit invitation URLs. They've had those 10 digit URLs forever. There were ways you could protect it. And I genuinely was not worried about using Teams or Zoom when all of this stuff started coming out. My daughter was using Zoom meetings for other stuff. I was like, you know what, I know the people running the meetings. I'm sitting here, I'm seeing the meetings, I'm seeing how they have it set up. You could secure your meetings fairly well if you knew what you were doing, made the right settings, made the right adjustments. I will give them that, yes, it's not as secure as Teams. If you look at the URL to join a Teams meeting, it is significantly longer. There is more security around Teams. But at the end of the day, I felt like Zoom got a little bit of a bad rap from some people in terms of how terrible they were portraying the platform to be.

- Yeah, I think it's certainly a training thing and that tends to be something. Any new tool, any time you install a piece of software, if your first inclination is just to next, next, next your way into it, you're gonna be on the happy path or the easy path. And for stuff like Zoom, that's why Zoom is really popular. Cause it's super easy, the friction's not there.

- Yup.

- I could just give you a URL and you can join my meeting and I can record it on my end. Like, in the case of the podcast here, to get audio out of it. If we have guests on or things like that, it is super simple. Versus stuff like Teams, there's no such thing as just training someone on Teams. I could train you all day on Teams and you probably still won't know how to use it effectively within your organization or for the purpose. Like, you have to go through and do so much more, right? You even go and you look at Microsoft's training material for Teams, it doesn't start with how to use the Teams client, it starts with an entire adoption program.

- Right?

- Right.

- How do we drive organizational change to get everybody to use this tool in a fundamentally different way and change their business? Where Zoom is just, I wanna have a meeting.

- Right.

- Let's meet now.

- Yes.

- And that's where they excel. They do the meet now button better than the meet now button inside of Teams which just confuses everybody when like, oh my god this channel's having a meeting, what's going on?

- Right, exactly and I think you hit on the other thing that bugs me is, you mentioned the purpose of it. And that was the other aspect. Like, the Zoom meetings my daughter has been on, it's a non-profit, small organization, everybody that does it as volunteer, they don't have IT staff. They're not gonna go stand up Teams. Teams is so much more than what you said, a meet now. I wanna do a quick video meeting. I wanna do it once a month. I want all these girls to be able to get on and talk to each other and try to continue their normal face to face meetings, in person or as not in person but as close as they can by doing video. I don't need the collaboration. I don't need the document sharing. I don't need the planner. I don't need all these other, in this case, I don't need all these other baggage that comes with Teams just to do a meeting. I just want to do a video meeting. Zoom is amazing for that. Now, you wanna collaborate. You wanna pull in documents. You want a whole sweep of products where you can work together as an organization, oh and by the way, as a part of all of that functionality, you get to do meetings also, great. Teams is going to blow Zoom away. When it comes to, I need to collaborate with my co-workers and have all of this stuff in one spot. And that's the other part that gets to me is, these two tools, while they get compared a lot, have two very different purposes as their core underlying business vision, as their core underlying, this is what our business is about. Zoom is about meetings. Teams is about collaboration.

- Yeah, very much so. They are different tools for different jobs. And you'll lump them into that same category and it starts to muddy the waters pretty quickly.

- Yeah, so that's some of what's bugged me. It was and some of this came out of, have you seen, part of, started reading, "The Infinite Game" by Simon Sinek?

- I have not. Do I need to go read another and yet another book? Cause I've been reading a lot of books--

- You should.

- in my down--

- So, this was really interesting because in "The Infinite Game", he compared Microsoft and this is kinda taking a little bit of a tangent from this topic. But he talks about all these companies, Amazon, Microsoft, Apple, big companies. But this relates to any company, and how all of these companies are in an infinite game. So, when you think of a game and this is gonna kinda give a little synopsis, a game has a defined starting point. It has rules. It has an ending point. And there is a pre-agreed upon condition for who the winner of the game is, right? You always know who wins the game.

- Unless it's global thermonuclear war and WarGames, but yes, I digress.

- Yes, unless it's that. In business, all of these companies talk about winning. We beat such and such company. Let's just go to the Teams example. Microsoft tries to say, we beat Zoom. We're gonna beat Zoom. Or Teams is saying we're gonna beat Slack. How does a company actually beat somebody? There's no rules for how you play. These companies can do whatever they want to. They tend to follow certain strategies but there's no defined rules of how you play the game of business. There's no defined ending point of when you finish the game of business. It is an infinite game. And as a company, all you're trying to do is to keep playing the game. You're not trying to beat anybody else. Your sole purpose in business is to not, is for your business not to close, to continue to play the game. So, this whole book is about how you shift that mindset from I'm gonna go beat whoever with my company to I just wanna keep playing the game. I wanna stay in business. I just wanna keep going and going and going. My mindset should not be about beating somebody. It should be about continuing to play.

- Gotcha! That all makes sense.

- So, yeah. It's, it was a really interesting book in just how that switch in mindset can affect different companies and how some companies have done it better than others. And he does draw a lot of, I feel like everybody draws parallels, but he draws some things from Apple, from Microsoft and some of his involvement with both of those companies. So, yeah. Outlook add-ins are a great way to improve productivity and save time in the workplace. And Sperry Software has all the add-ins you'll ever need. The Save As PDF Add-In is a best seller and is great for project backups, legal discovery and more. This add-in saves the email and attachments as PDF files. It's easy to download and easy to install. And Sperry Software's unparalleled customer service is always ready to help. Download a free trial at sperrysoftware.com, S-P-E-R-R-Y-S-O-F-T-W-A-R-E .com and see for yourself how great Save As PDF is. Listeners can get 20% off their order today by entering the code, CLOUDIT. That's CLOUDIT, C-L-O-U-D-I-T. All one word at checkout. Sperry Software: work in email, not on email. That was that. And this was my other soapbox item was I pull Slack into this too. Cause you keep hearing, so you keep hearing too that Teams wants to beat Slack, right? They keep, this is the new Slack. This is better than Slack. Our growth rate is better than Slack.

- So, let's throw that out there. And that is 100% pure marketing, right?

- It is.

- That is all that is. So, if you look at Slack from a functionality perspective versus like Teams, it becomes a nice place to put the comparison box up and say, well we do this and they don't do that. But they're fundamentally different things and they're on totally different scales.

- Right.

- You've got four to five times the number of daily active users in Teams. Teams is built on this whole other platform with Azure and SharePoint and Exchange and all this stuff. I hate the Teams versus Slack comparison cause they are, like very much like, Teams and Zoom are not the same. Teams and Slack are not the same. The things that I do in Slack and the Slack communities that I'm part of, we get so much more done in Slack and I fundamentally believe we could not transition some of those conversations and processes and just the way those conversations naturally occur over to something like Teams without it being just like an absolute poop show. Whether that's driven from like the UI. Don't get me started on how, have you ever met a person, let's talk about UI in Teams.

- Yup.

- Have you ever met somebody who's actually figured out the way to do a reply the right way in a thread? I've been using Teams for years and I still need to think about where I'm clicking. But if you're in the mobile client, it's all good and it just works. I can walk in, my wife's a teacher and so she's at home now and as they do remote learning. The school system she works for, they're using Teams for all their remote learning for their kids, right? That's really cool to see all that stuff used. I can go in and like look over her shoulder just as I walk to the kitchen and the threads are horrible, right? I mean, I work with a business of 20 people. It's the core company I work for and I dread going into Teams sometimes. Just cause I cringe every time I see somebody can't reply to something the right way. Right and that's just one thing that Teams does horribly that Slack does perfectly, right? Cause it's just a big stream of chats and everybody can figure it out. I never felt lost in Slack before they added threading.

- Yeah, no, I absolutely agree and I do the same thing. The threads and to be fair I do run across the same problem in Slack, is that sometimes I forget to start a thread and I just keep replying instead of starting threads. But for whatever reason, Teams is significantly harder. I do the same thing, where I go in and I reply and I'm like, oh that should have been a reply under that message, not, reply with a new chat instead of a reply. I don't even know how to describe the difference between the two. But that's been that other comparison is, I keep seeing Teams versus Zoom and Teams versus Slack. And they do, kinda like you said, they fall in the same boat for me. It's not comparing apples and apples when you're comparing either one of those.

- They are 100% different tools for different jobs.

- Yup.

- Right. I could see some organizations out there hopping into like Office 365 or M365 and never having to use Teams for chat. So, throw the security thing out the window and go back to ease of use and getting in there. They might just use Office 365 Groups and Planner. And then, they're all set. They're still chatting over in Slack or whatever they used to use before they came to Teams cause they don't wanna have to drag a user community with them kicking and screaming and bleeding from banging their head against the wall so hard for trying to figure out how we got there. And then, you've got like Slack adding functionality like join a Microsoft Teams call and doing things like that; it's all over the place now.

- Right. And I totally get that. So, because I'm on a Mac, I had to suffer with Skype for Business, whatever their client was. That was still 2011. The whole Skype for Business thing has always been weird on a Mac until Teams came to fruition. So, I would say up until probably six or eight months ago, I was in that boat of, I do Office 365 for everything. Unless I have to have a meeting with you, in which case, we're gonna use Zoom because it works and it's easy and we're not gonna spend the first 15 minutes of our meeting banging our head against the wall trying to figure out why we can't hear each other, trying to figure out how to share screens. It was very much that use case. Because I'm a solo, independent contractor, everybody that was coming to the meeting was external. Nobody was in my Teams client or I was using Skype, which was horrendous on the Mac, and Zoom worked and I needed something for meetings that worked. So, I was in that boat of, you know what, I'm using Office 365 and Skype. I have Teams, they're great, but they don't work. So, I'm gonna use Zoom. And same thing with Slack, I am in Slack and Teams daily. I'm probably a part of 15 different Slack groups. I'm a guest in 10 or 12 different Teams tenants. I use them all and it's based on the client's needs and where they are and based on the type of people that are in the group. And like you said, the interaction. Are we collaborating around projects? And are we using Planner and SharePoint and all of those? And the chat in Teams is kinda that benefit. It's our core driver. Great, we use Teams. It works. There are definitely things that are fundamentally more confusing that are a little bit more of a challenge. But at the end of the day, when you look at all the requirements, Teams fits it best. Other ones, all we really need to do is chat. We don't care so much about files. We're not having regular meetings. It's a big group.
I mean, one of the Slack groups I'm in is, I forgot how many people are in it, 20,000? 20,000 people in a Slack group that we never meet. Everybody just needs a place to chat, share ideas, talk. And for that, Slack is great. I cannot imagine having a Team with 20,000 people all from different organizations.

- I could bring you into some Yammer communities. There's some messy ones--

- Well, but that brings Yammer. So, are we gonna try some Yammer in Teams now too?

- You know the other interesting thing or one of the things that I would say Slack does a lot better even in their free tiers, let's not get into the whole free versus paid and all that but Slack is arguably more stable when it comes to change. So, for example, one of the things I do in Slack, one of the groups I participate in is built around product and product feedback.

- Yup.

- So, simple things like monitoring an RSS feed for a Twitter search or heck, just native Twitter integrations for searching, for monitoring Twitter searches or for watching individual hashtags or even users things like that. That stuff is just rock solid. Those plugins don't really change. They just get better over time, right? All those integrations that you can add in?

- Yup.

- Versus something like Teams, same thing over in Teams, I would like to just monitor @mentions back to my company. That connector has changed two or three times in the last couple years. Every single time, it's gotten worse. And it's been deprecated to the point where they've even just taken it out of Teams and now they want you to use Flow to do everything, or Power Automate with a flow, rather--

- Don't get me started on that one.

- And the functionality is not the same, right? It continues to, the only constant with something like Teams is that it's always changing underneath you, right? So I can look at Zoom, back to how we started this conversation with. Okay, the settings changed for how you join a meeting but the fundamentals of how we perform the meeting did not change, right? Once we were in, it was still easy to get our audio going. We could still do the recording. It was all just right there and it was front and center. Slack does a big redesign but fundamentally the core things that you know about it to be true and that you've learned about it, are still true. Teams comes through and does a change and it's like, who moved my freaking cheese again?

- Yeah.

- It's just gone. And that stuff is like, that's the killer thing. And what drives you to, Teams is, you have to have this whole adoption program. It can't be just training. It needs to be more holistic versus these other tools that just do what they need to do.

- Yup.

- They don't have to be everything to everybody, right? Zoom does not need to be the best chat messaging platform across multiple meetings at the same time. All you have to do is click a link and go join a meeting.

- Right.

- That's pretty easy. Slack, same kinda thing. Like yeah, you could do meetings and all that stuff in there but what do we need to do? We need to be a great organizational cross team chat platform. Can we do that? Yes, done.

- Yup, exactly. And then, going back to Teams, you have, we need enterprise collaboration, we need it to be secure. Cause that's the other thing, one thing Teams does really well is because it's in that whole ecosystem, your data's gonna be secure. You can do DLP on chats. You can do the Microsoft Information Protection to protect sensitive content. Fundamentally, Teams is probably going to be more secure than any of the other platforms because that's Microsoft's target. They're targeting enterprise. They are targeting companies that may care more about security than they do ease of use. And users are maybe not gonna be able to do things quite as easily or again, they just need the integration. They need everything to tie together seamlessly without going in, installing all these integrations and going and buying five different products that you all cobble together to get working, because everything is built right in, so--

- Well, don't get me started. I think Teams feels very cobbled together sometimes when you go to do things.

- So, there are some parts that do feel cobbled together. We're not talking about private channels here, Scott. Speaking of cobbled together...

- In general, it's not clear, right? You have too much. I mean, I sit there and I listen to my wife talking in the kitchen. I will leave the door to the office. Still, three weeks into this, they're still talking about, well, a student clicked on Planner and what does that mean and how do they add a Planner plan into this channel and what's going on? And what's happening, right? The issue I see with my wife's organization from a school perspective, they had to get into these tools so quick that because it's not easy to use, they haven't gone through the adoption thing. They've barely gone through the training thing. Teachers are creating custom training videos for their students for how to do things and they don't know the native features of something. There was one this morning. A teacher wanted to call out, good job to a bunch of students in a particular class who had done their homework the night before. But they just did that in just a single post in a channel. They didn't @mention anybody so the students will never see it because the teacher posted it at 6:00 a.m. By the time those students come in to school at 11:00 a.m. for their first conference, all the other chats are gonna have pushed that way up the screen.

- Right.

- Right.

- So, you get no notification and even if they had @mentioned them, was that enough for the students? Potentially you gotta think about the kids there, right? How is a kid gonna react better? Are they gonna react better to seeing a red exclamation around a number when they login to Teams? Or would they react better if, when they click the exclamation, like oh, what's wrong? Maybe they saw something like a praise post with a nice big banner that says, here you go, you've done something nice. But if I never told you about @mentions and the type ahead stuff, yeah, I know it's there but it's janky and it's been throttled and up, down, left, right as this whole thing kicks off so it barely works now. Not that it ever really worked before. You go ahead and combine something like that and you don't know that, hey praise is there or not even animated GIFs or things like that but being able to do custom memes and all that. That would all be great stuff for kids and they just don't know that it's there. That's like one little feature, right? That could change a kid's day.

- Right, although to be fair, some of that exists in Slack too. Slack is the same thing. If you don't @mention somebody they may never see it. You still need to know about the @mentions and some of the plugins in Slack, some of those, the GIF, they have the button right underneath the message. You click the button to do GIFs. Where in Slack, you actually have to know to get one installed, the GIF integration, and then you have to know about the slash commands to do giphy or gif, whatever it is, there's a few different ones there. So, I think some of it too at the fundamental level, well, some of the things are definitely a lot easier in one platform versus the other. At the end of the day, it still comes down to training. There were a lot of people who got thrown into a lot of stuff without having adequate training on any of it, regardless of the platform and what it is. Slack may be easier to find stuff because it tends to be a little bit, it's not as enterprisey so I think the training tends to be a little bit simpler. It's easier to figure out how to do stuff by just Googling it. Versus Teams you tend to dive into some of that enterprisey training type stuff. And not just the basic how to. I don't know, it's--

- Yeah. We'll see how it goes for some organizations, right? The Department of Ed in New York City just said, you have to stop using Zoom. So, they've been remote learning for a couple of weeks and they're two weeks into it. And then, okay now there's a new edict, you can't use Zoom. So, you've gotta go to either Google or Microsoft provided services. Like things, the district and county and education system are licensed for.

- Yeah.

- That'll all be very interesting.

- It will be.

- But let's come back and see what happened in New York City in three weeks for their schooling.

- Yeah, we can have this conversation all over again. I have started doing some videos though, Scott. I started, you saw some of them, on YouTube. I started doing short little Teams videos on how to do something in two minutes or less like @mentions or group chats or some of that basic stuff cause I have found that people just don't always know how to do that and understand it. So, if you wanna go watch two minute YouTube videos, self promotion, I have two minute YouTube videos that I've been slowly trickling out there on how to do different things.

- Intelligink

- Yes, The Intelligink YouTube channel. We can link it in the show notes because we have the power to affect your show notes.

- Yup, now we just gotta teach you how to create a custom playlist for that. Oh, you do have one.

- I do!

- Teams intro, look at that, I found it all on my own.

- You could know how to use YouTube. Congratulations, Scott! I also have a Teams webinar out there that I did a week or so ago. I threw that out there, with a bunch of Q&A. That one is also more of the basic end user stuff. I need to do an admin one cause people have been asking for one. But so far, I've been doing the end user stuff. So, go check that out. That's all I have. I can get off my soapbox now. But end of the day, I'm just tired of seeing the comparison between some of those products because fundamentally, like we said, they have different purposes, different uses, some things are better at something than other things are. Use what works best for you based on your requirements.

- That's it! Really, that's what it boils down to. And recognize the tools and things like that. So, we already talked about Zoom has security issues and it's not really end-to-end encrypted and all that. Okay so, I'm not a top secret government organization. We're not dealing in rocket science secrets, here.

- Right.

- Like, do I really care?

- All right so my call got routed through China. Okay, what did I give up there?

- Yeah, did China really not know you were doing that already anyways? I mean, really.

- They heard us talk about you know Zoom, Teams and Slack, oh, no!

- Yes.

- So, you have to be cognizant of those kinds of things and yeah, all this stuff's a trade-off, blah blah blah.

- You know what, if they take down their firewall and let people listen to--

- It's okay.

- If they take down their firewall and let people listen to us in China, they'd be able to figure it all out without trying to hack Zoom. I don't think we have any downloads from China. I can't remember. I'll have to go look. I don't know. We can end with that, I got nothing else.

- All righty, well, let's do it then. I need more coffee, anyway.

- Yeah, I do too. I'm almost out. Go enjoy your week. Glad you're feeling better. You sound much better and we will talk to you next week.

- All right, thanks Ben!

- If you enjoyed the podcast, go leave us a five star rating in iTunes. It helps to get the word out so more IT pros can learn about Office 365 and Azure. If you have any questions, you want us to address on this show or feedback about the show, feel free to reach out via our website, Twitter or Facebook. Thanks again for listening and have a great day.
