Azure Spring Cloud – Create an Azure Spring Cloud instance

An Azure Spring Cloud cluster can be created either using the Azure portal or the Azure CLI. In this first module, we will configure the necessary tools, and create our first cluster.

Set up the Azure CLI

If it isn’t already installed on your machine, install the Azure CLI. You can check the version of your current Azure CLI installation by running:

Bash

az --version

Ensure your Azure CLI is logged into your Azure subscription.

Bash

az login # Sign in to an Azure account
az account show # Show the currently signed-in account

Ensure your default subscription is the one you intend to use for this lab, and if not, set the subscription using:

Bash

az account set --subscription <SUBSCRIPTION_ID> # Replace <SUBSCRIPTION_ID> with the ID or name of the subscription you want to use

Install the spring-cloud extension for Azure CLI, by running:

Bash

az extension add -n spring-cloud -y

Congratulations, the Azure CLI is now ready to create your first cluster!


Create an Azure Spring Cloud instance

In this section, we will create our Azure Spring Cloud instance using the Azure CLI. It is possible to do exactly the same configuration using the Azure portal.

First, you will need to come up with a name for your Azure Spring Cloud instance.

  • The name must be unique among all Azure Spring Cloud instances across all of Azure. Consider using your username as part of the name.
  • The name can contain only lowercase letters, numbers and hyphens. The first character must be a letter. The last character must be a letter or number. The value must be between 4 and 32 characters long.

To limit typing, set the variable RESOURCE_GROUP_NAME to the name of the resource group you are about to create, and set the variable SPRING_CLOUD_NAME to the name of the Azure Spring Cloud instance to be created:

Bash

RESOURCE_GROUP_NAME=spring-cloud-workshop
SPRING_CLOUD_NAME=azure-spring-cloud-workshop

With these variables set, you can now create your resource group. In the following script, the resource group is located in the eastus region (using the -l eastus argument), but you can choose a region closer to you for better performance (use az account list-locations to list all available regions):


Bash

az group create \
-g "$RESOURCE_GROUP_NAME" \
-l eastus

And then create the Azure Spring Cloud instance:

Bash

az spring-cloud create \
-g "$RESOURCE_GROUP_NAME" \
-n "$SPRING_CLOUD_NAME"

This command takes some time to complete; you can continue reading while it runs.

For the remainder of this workshop, we will be running Azure CLI commands that reference the same resource group and Azure Spring Cloud instance. So let’s set them as defaults, so we don’t have to specify them again:

Bash

az configure --defaults group=${RESOURCE_GROUP_NAME}
az configure --defaults spring-cloud=${SPRING_CLOUD_NAME}
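The naming rules above are easy to get wrong (a trailing hyphen or a leading digit is rejected only once `az spring-cloud create` runs). The following script is an added example, not part of the workshop or of the Azure CLI: it checks a candidate instance name against the rules listed above and assembles the `az` commands from this section in the order the workshop runs them. The function names, the dry-run behaviour and the use of `subprocess` to invoke `az` are this example's own choices.

```python
# Added example, not part of the workshop: validate an Azure Spring Cloud
# instance name against the naming rules stated above, then assemble the
# az CLI commands from this section in the order the workshop runs them.
import re
import shlex
import shutil
import subprocess


def validate_spring_cloud_name(name: str) -> list[str]:
    """Return the naming rules that `name` breaks; an empty list means it is acceptable."""
    problems = []
    if not 4 <= len(name) <= 32:
        problems.append("must be between 4 and 32 characters long")
    if re.search(r"[^a-z0-9-]", name):
        problems.append("may contain only lowercase letters, numbers and hyphens")
    if not re.match(r"[a-z]", name[:1]):          # name[:1] is "" for an empty name
        problems.append("first character must be a letter")
    if not re.match(r"[a-z0-9]", name[-1:]):
        problems.append("last character must be a letter or number")
    return problems


def az_commands(resource_group: str, spring_cloud_name: str, location: str = "eastus") -> list[str]:
    """Build the az commands used in this section: create the group, create the
    instance, then set both as CLI defaults. Raises ValueError for a bad name."""
    problems = validate_spring_cloud_name(spring_cloud_name)
    if problems:
        raise ValueError(f"invalid instance name {spring_cloud_name!r}: " + "; ".join(problems))
    # shlex.quote keeps the generated lines safe to paste into a shell
    rg, sc, loc = (shlex.quote(v) for v in (resource_group, spring_cloud_name, location))
    return [
        f"az group create -g {rg} -l {loc}",
        f"az spring-cloud create -g {rg} -n {sc}",
        f"az configure --defaults group={rg}",
        f"az configure --defaults spring-cloud={sc}",
    ]


def run_commands(commands: list[str], dry_run: bool = True) -> list[str]:
    """Run the commands with the Azure CLI, or only echo them when dry_run is set
    or az is not installed. Returns the list of commands that were (or would be) run."""
    if dry_run or shutil.which("az") is None:
        for cmd in commands:
            print("[dry-run]", cmd)
        return commands
    for cmd in commands:
        subprocess.run(shlex.split(cmd), check=True)  # stop at the first failing step
    return commands


if __name__ == "__main__":
    # Values from the workshop; pass dry_run=False to actually create the resources.
    cmds = az_commands("spring-cloud-workshop", "azure-spring-cloud-workshop")
    run_commands(cmds, dry_run=True)
```

Run it as-is to see the four commands echoed; only when you are signed in (`az login`) and satisfied with the name should you switch `dry_run` off.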

Public and private IP addressing in Azure

In your manufacturing company, you are moving resources into Azure, starting with a database server. You want to ensure that the database server is accessible for clients in your on-premises network. Public resources like web servers must be accessible from the internet. You want to ensure that you plan IP addresses that support these requirements.

In this unit, you’ll explore the constraints and limitations for public and private IP addresses in Azure. You also will look at the capabilities that are available in Azure to reassign IP addresses in your network.

IP address types

There are two types of IP addresses that you can use in Azure:

  • Public IP addresses
  • Private IP addresses

Both types of IP addresses can be allocated in one of two ways:

  • Dynamic
  • Static

Let’s take a closer look at how the IP address types work together.

Public IP addresses

Use a public IP address for public-facing services. A public address can be either static or dynamic. A public IP address can be assigned to a VM, an internet-facing load balancer, a VPN gateway, or a web application gateway.

Dynamic public IP addresses are assigned addresses that can change over the lifespan of the Azure resource. The dynamic IP address is allocated when you create or start a VM. The IP address is released when you stop or delete the VM. In each Azure region, public IP addresses are assigned from a unique pool of addresses. The default allocation method is dynamic.

Static public IP addresses are assigned addresses that will not change over the lifespan of the Azure resource. To ensure that the IP address for the resource remains the same, you can set the allocation method explicitly to static. In this case, an IP address is assigned immediately. It is released only when you delete the resource or change the IP allocation method to dynamic.

Basic and Standard SKUs

For public IP addresses, there are two types of SKUs to choose from: Basic and Standard. All public IP addresses created before the introduction of SKUs are Basic SKU public IP addresses. With the introduction of SKUs, you have the option to specify which SKU you would like the public IP address to be.

Basic

Basic public IPs can be assigned by using static or dynamic allocation methods. Basic IPs have an adjustable inbound originated flow idle timeout of 4-30 minutes, with a default of 4 minutes, and a fixed outbound originated flow idle timeout of 4 minutes. Basic IPs are open by default: network security groups are optional, but we recommend that you use them to restrict inbound or outbound traffic.

Basic public IPs can be assigned to any Azure resource that can be assigned a public IP address, such as network interfaces, VPN gateways, application gateways, and internet-facing load balancers. They do not support availability zone scenarios. You must use a Standard SKU public IP for an availability zone scenario.

Standard

Standard SKU public IP addresses always use the static allocation method. They have an adjustable inbound originated flow idle timeout of 4-30 minutes, with a default of 4 minutes, and a fixed outbound originated flow idle timeout of 4 minutes.

Standard IPs are secure by default and closed to inbound traffic. You must explicitly allow inbound traffic by using a network security group.

Standard IPs can be assigned to network interfaces, Standard public load balancers, application gateways, or VPN gateways. For more information about Standard load balancers, see Azure Standard Load Balancer overview. Standard IPs are zone-redundant by default and optionally zonal (they can be created zonal and guaranteed in a specific availability zone).

Public IP address prefix

You can’t bring your own public IP addresses from on-premises networks into Azure. Based on the location of the resource, an IP address is assigned from a pool of available addresses. Public IP addresses are allocated from a range that’s unique to each region in each Azure cloud. Public IP addresses can’t be moved between regions; all IP addresses are region-specific. If your business needs to have data centers in different regions, you would have a different public IP address range for each region. You can use technology like Azure Traffic Manager to balance between region-specific instances.

To ensure a static range of public IP addresses, you can create a public IP address prefix. You can’t specify the addresses when you create the prefix, but after the prefix is created, the addresses will be fixed. The IP addresses will be a contiguous range. The advantage of a public IP address prefix is that you can specify firewall rules for these IP addresses with the knowledge that they will not change. You can assign the addresses from a public IP address prefix to any resource in Azure that supports public IP addresses.

Private IP addresses

Private IP addresses are used for communication within a virtual network. They are used within Azure virtual networks and your on-premises networks. They can be set to dynamic (DHCP lease) or static (DHCP reservation).

Dynamic private IP addresses are assigned through a DHCP lease and can change over the lifespan of the Azure resource.

Static private IP addresses are assigned through a DHCP reservation and do not change throughout the lifespan of the Azure resource. Static private IP addresses persist if a resource is stopped or deallocated.

IP addressing for Azure virtual networks

A virtual network is a fundamental component that acts as an organization’s network in Azure. In the virtual network, the administrator has full control over the IP address assignment, security settings, and security rules. When you create a virtual network, you define a scope of IP addresses. Private IP addressing in Azure works the same way as it does in the on-premises network. You choose the private IP addresses that are reserved by the Internet Assigned Numbers Authority (IANA) based on your network requirements:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

A subnet is a range of IP addresses within the virtual network. You can divide the virtual network into multiple subnets. Each subnet must have a unique address range, which is specified in classless inter-domain routing (CIDR) format. CIDR is a way to represent a block of network IP addresses. An IPv4 CIDR, specified as part of the IP address, shows the length of the network prefix.

Consider, for example, the CIDR 192.168.10.0/24. “192.168.10.0” is the network address. The “24” indicates that the first 24 bits are part of the network address, leaving the last 8 bits for specific host addresses. The address range can’t overlap with other subnets in the virtual network or with the on-premises network.

The first three IP addresses are reserved for all subnets by default in Azure. For protocol conformance, the first and last IP addresses of all subnets are also reserved. An internal DHCP service within Azure assigns and maintains the lease of IP addresses. The .1, .2, .3, and last IP addresses are not visible or configurable by the Azure customer. These addresses are reserved and used by internal Azure services.
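To make the CIDR and reservation rules above concrete, here is an added example (not from the original page) that uses Python's standard `ipaddress` module to check an address plan: that each subnet lies in one of the IANA private ranges, that subnets do not overlap each other or the on-premises network, and which addresses Azure keeps for itself (the network address, .1, .2, .3 and the last address). The function names and the sample plan are this example's own choices.

```python
# Added example, not from the original page: subnet planning helpers for an
# Azure virtual network, encoding the rules stated above. Azure holds the
# first four and the last address of every subnet; the rest are assignable.
import ipaddress
from itertools import combinations

PRIVATE_RANGES = [ipaddress.ip_network(r) for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_RESERVED_LOW = 4    # network address plus .1, .2 and .3
AZURE_RESERVED_HIGH = 1   # the last address of the subnet


def is_private(cidr: str) -> bool:
    """True if the whole block lies inside one of the IANA private ranges."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(p) for p in PRIVATE_RANGES)


def azure_reserved(cidr: str) -> list[str]:
    """Addresses in the subnet that Azure keeps for internal services."""
    net = ipaddress.ip_network(cidr, strict=True)
    low = [net.network_address + i for i in range(AZURE_RESERVED_LOW)]
    return [str(a) for a in low + [net.broadcast_address]]


def usable_range(cidr: str) -> tuple[str, str, int]:
    """First and last assignable address, and how many there are, after Azure's reservations."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: "192.168.10.1/24" is rejected
    usable = net.num_addresses - AZURE_RESERVED_LOW - AZURE_RESERVED_HIGH
    if usable < 1:
        raise ValueError(f"{cidr} leaves no assignable addresses once Azure's reservations are taken")
    first = net.network_address + AZURE_RESERVED_LOW
    last = net.broadcast_address - AZURE_RESERVED_HIGH
    return str(first), str(last), usable


def check_plan(subnets: list[str], on_premises=()) -> list[str]:
    """Return human-readable problems with an address plan; an empty list means it is consistent."""
    problems = []
    nets = []
    for s in subnets:
        try:
            nets.append((s, ipaddress.ip_network(s, strict=True)))
        except ValueError:
            problems.append(f"{s} does not start on a network boundary")
            continue
        if not is_private(s):
            problems.append(f"{s} is not in a private (RFC 1918) range")
    for (a, na), (b, nb) in combinations(nets, 2):
        if na.overlaps(nb):
            problems.append(f"subnets {a} and {b} overlap")
    for o in on_premises:
        no = ipaddress.ip_network(o)
        for s, ns in nets:
            if ns.overlaps(no):
                problems.append(f"subnet {s} overlaps on-premises range {o}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan for the scenario above: two Azure subnets and an on-premises range.
    print(usable_range("192.168.10.0/24"))   # ('192.168.10.4', '192.168.10.254', 251)
    print(azure_reserved("192.168.10.0/24"))
    print(check_plan(["10.1.0.0/24", "10.1.1.0/24"], on_premises=["10.1.1.0/25"]))
```

For the /24 used in the text, 256 addresses minus the five Azure reserves leaves 251 assignable addresses from .4 to .254; the overlap check is the one to run before adding a subnet to a network that is also connected to on-premises ranges.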

In Azure virtual networks, IP addresses can be allocated to the following types of resources:

  • Virtual machine network interfaces
  • Load balancers
  • Application gateways

What is Azure Active Directory?

While they share a similar name, Azure AD is not a cloud version of Windows Server Active Directory. It’s also not intended as a complete replacement for an on-premises Active Directory. Instead, if you are already using a Windows AD server, you can connect it to Azure AD to extend your directory into Azure. This approach allows users to use the same credentials to access local and cloud-based resources.

[Image: azure-vs-windows-ad]

Azure AD can also be used independently of Windows AD. Smaller companies can use Azure AD as their only directory service, using it to control access to their applications and SaaS products such as Office 365, Salesforce, and Dropbox.


Directories, subscriptions, and users

Microsoft offers several cloud-based offerings today – all of which can use Azure AD to identify users and control access.

  • Microsoft Azure
  • Microsoft Office 365
  • Microsoft Intune
  • Microsoft Dynamics 365

When a company or organization signs up to use one of these offerings, they are assigned a default directory, which is an instance of Azure AD. This directory holds the users and groups that will have access to each of the services the company has signed up for. This default directory is sometimes referred to as a tenant. A tenant represents the organization and the default directory assigned to it.

Subscriptions in Azure are both a billing entity and a security boundary. Resources such as virtual machines, web sites, and databases are always associated with a single subscription. Each subscription also has a single account owner who is responsible for any charges incurred by resources in that subscription. If your organization wants the subscription to be billed to another account, you can transfer ownership of the subscription. A given subscription is also associated with a single Azure AD directory. Multiple subscriptions can trust the same directory, but a subscription can only trust one directory.

Users and groups can be added to multiple subscriptions – this allows the user to create, control, and access resources in the subscription. When you add a user to a subscription, the user must be known to the associated directory, as shown in the following image.

[Image: users-subs-and-directories]

If you belong to multiple directories, you can switch the current directory you are working in through the Directory + subscription button in the Azure portal header.

[Image: directory-and-subscription]

Here you can also decide how the default directory is selected: last visited, or a specific directory. You can also set the default filter for displayed subscriptions. This is useful if you have access to several subscriptions but typically only work in a few of them.

Creating a new directory

An organization (tenant) always has one default Azure AD directory it’s associated with. However, owners can create additional directories to support development or testing purposes, or because they want separate directories to synchronize with their local Windows Server AD forests.


  1. Sign into the Azure portal.
  2. Select Create a resource from the left sidebar, Identity from the Azure Marketplace, and then Azure Active Directory from the list.
  3. Choose a name for the directory that will help distinguish it from your other directories. If the directory you’re creating is to be used in production, choose a name for the directory that your users will recognize as the name of your organization. You can change the name later if you want.
  4. Enter the domain name associated with it. The domain must not be known to Azure or you will get a validation error. The default domain name will always have the suffix .onmicrosoft.com. While this default domain cannot be changed, later you can add a custom domain owned by your organization so defined users can use a traditional company email such as john@contoso.com.
  5. Select the country the directory should reside in. This will identify the region and data center where the Azure AD instance will live, and it cannot be changed later.
  6. Select Create to create the new directory. This will create a free tier directory where you can add users, create roles, register apps and devices, and control licenses.

Once the directory is created, you can navigate to the dashboard that lets you control all aspects of the directory.

Let’s explore one of the primary elements you’ll work with in Azure AD: users.