I have had the distinct pleasure of being one of the first people to implement a SMB over QUIC POC. It was in a proof of concept I did with Windows Server 2022 Azure Edition in public preview.
That was a fun and educational exercise. As a result, I learned a lot. As a result, I decided to write a lab and test guide, primarily for my own reference. But also, to share my experience with others.
I am convinced it will fill a need for people that require remote access to SMB file shares without a VPN. Next to that, the integration with the KDC proxy service makes it a Kerberos integrated solution. In addition, the KDC Proxy service has the added benefit of allowing for remote password changes.
We recently used a symbolic link to an Azure file share to transparently replace a local folder in which data sets are cached for download. That means that the existing service transparently copies the data sets to an Azure file share without having to change anything in the code to do so. With a small adaptation of the code, we can now provide download links to data in the Azure file share so this process is also transparent for the clients downloading the data sets.
You can already guess the reason for this exercise. We did this to fix a bandwidth issue on-premises by creating an easy workaround with minimal code changes. As more and more clients download more and more data sets, this service consumes too much bandwidth. This means we have to throttle the service and/or implement QoS to it. While this helps the other services using that internet connection, it does nothing to improve download speeds for the clients. This is just an example and is not meant as architectural or design advice. It is an interim fix to an existing problem. This trick is something that is used with AKS as well for example.
How to add a symbolic link to an Azure file share
Create an Azure file share
Create a storage account and create a file share.
Dealing with the credentials needed for this is easy. All we need to do is add the information into the credential manager as a Windows credential. That would be the user, the password, and the file share UNC path. Note that here the password is our storage account key.
Grab the info you need from the “connect” settings for your Azure file share. We will not map the file share to a drive, so there is no need to run this PowerShell script.
So in this example that is:
Internet or network address: \\datasets.file.core.windows.net\fscache
User name: localhost\datasets
Password: real2Nonsense4Showing8AfakeStorage28Accountkey/goobledeGookStuffa/AndSomeMoreNonsentMD==
We will add these credentials to the Credential Manager as Windows Credentials.
That is it, if you entered everything correctly, this will work.
Creating the symbolic link
Once you have added the credentials, creating the symbolic link is very easy.
You do need to take care that you create the symbolic link in the right place in your folder structure. But other than that, that is all you need to do.
The symbolic link is available and can be used transparently by the service/application.
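The credential and symbolic link steps above as one script. This is an added example, not the author's original commands: it reuses the host, share, user and link path from this walkthrough, prompts for the storage account key instead of embedding it, and assumes an elevated PowerShell session running as the account the service uses, because Credential Manager entries are stored per user.

```powershell
# Added example. Values are the ones used in this walkthrough.
$storageHost = 'datasets.file.core.windows.net'
$share       = "\\$storageHost\fscache"
$user        = 'localhost\datasets'
$linkPath    = 'E:\Download\Cache'

# SMB to Azure Files needs outbound TCP 445; fail early if it is blocked.
$probe = Test-NetConnection -ComputerName $storageHost -Port 445
if (-not $probe.TcpTestSucceeded) {
    throw "TCP 445 to $storageHost is not reachable."
}

# Prompt for the key so it is not saved in the script file.
# The storage account key grants full access to the account, so treat it as a secret.
$secure = Read-Host -Prompt 'Storage account key' -AsSecureString
$key    = [System.Net.NetworkCredential]::new('', $secure).Password

# Store a Windows credential for the storage host in the current user's vault.
cmdkey "/add:$storageHost" "/user:$user" "/pass:$key" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'cmdkey could not store the credential.' }
Remove-Variable key, secure

# Refuse to overwrite an existing folder or link at the link path.
if (Test-Path -LiteralPath $linkPath) {
    throw "$linkPath already exists; move or remove it first."
}

# Create the directory symbolic link that points at the file share.
cmd /c mklink /D $linkPath $share
if ($LASTEXITCODE -ne 0) { throw 'mklink failed (is the session elevated?).' }

# Verify: the entry must be a symbolic link and the share must be listable through it.
$link = Get-Item -LiteralPath $linkPath -Force
if ($link.LinkType -ne 'SymbolicLink') { throw "$linkPath is not a symbolic link." }
'{0} -> {1}' -f $link.FullName, ($link.Target -join '')
Get-ChildItem -LiteralPath $linkPath | Select-Object -First 5
```

Run `cmdkey /list` afterwards to confirm the entry for the storage host exists under the service account.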
To test the file share in Azure you can upload or download data via azcopy or Azure Storage Explorer. The download functionality in our case is handled in the code, but here is a quick example of how to download it via azcopy using a shared access key signature.
Pro tip: if you need to remove the symbolic link but keep the data, use rmdir "E:\Download\Cache" and not del "E:\Download\Cache" or you will delete the data. That might not be what you want.
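A guarded version of that removal, as an added example that is not part of the original post. The function name Remove-ShareLink is hypothetical; it refuses to act on anything that is not a symbolic link and then uses the same rmdir command as the tip.

```powershell
# Added example: remove only the link entry, never the data behind it.
function Remove-ShareLink {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -Force
    $isReparse = [bool]($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint)
    if (-not $isReparse -or $item.LinkType -ne 'SymbolicLink') {
        throw "$Path is a real folder, not a symbolic link; refusing to touch it."
    }
    $target = $item.Target -join ''

    # rmdir without /S removes the link itself and leaves the target's files alone.
    cmd /c rmdir "$Path"
    if ($LASTEXITCODE -ne 0) { throw "rmdir failed for $Path." }

    if (Test-Path -LiteralPath $Path) { throw "$Path still exists." }
    if (-not (Test-Path -LiteralPath $target)) {
        Write-Warning "Target $target is not reachable; check the share."
    }
    "Removed link $Path; data remains at $target"
}

Remove-ShareLink -Path 'E:\Download\Cache'
```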
Mind you, this was the easy and quick fix for a problem this service was facing. This is not a design or architecture. We are considering replacing the symbolic link solution with Azure File Sync. With a bandwidth cap and QoS on-premises, we would offer the primary download link to the cloud. There they can get all the bandwidth Azure can offer. Next to that, we would have an alternative link, marked as slow, that still points to the on-prem version of the data. This means the current implementation is still fully functional even when the Azure file share has an issue. Sure, the local copy comes with a significantly reduced performance, but it provides a failsafe.
Well, the future lies in turning this into a solution running 100% in the cloud. Now, due to a large number of dependencies on various on-premises data sources, this is a long-term effort. We decided not to let perfection be the enemy of the good and fixed their biggest pain point today.
For sure, the use of a symbolic link to access an Azure file share is not something that will amaze people that have been working in the cloud for a while. It is however a nice example of how the use of Azure combined with on-premises services can result in a hybrid solution that solves real-world problems.
This particular scenario enables them to distribute their data sets without having to worry about bandwidth limitations on-premises. That means they do not have to invest in a bigger internet pipe and a firewall with more throughput, or port their service and all its dependencies to a full-blown Azure solution.
Sometimes successful and cost-effective solutions come in the form of little tweaks that allow us to fix pain points easily.
I have the distinct pleasure of having been invited to speak at the Extra Evening December MC2MC user group. It is on the 17th of December 2020. This will be my final live and virtual event for the year 2020!
For the occasion I will be giving a talk to introduce you to Azure Virtual WAN and why this is really for everyone. You might not think so yet, but I am sure you will see where the future of Azure networking is heading, and why.
Register, it is free!
So, join us. The event is free, except for your time, and we hope you learn something. You can register on the MC2MC website for this event.
My talk starts at 18:45 and after that session they have some more great sessions by fellow MVPs lined up.
18h30 – 18h45: Welcome
Azure Virtual WAN for everyone
18h45 – 19h30: Azure Virtual WAN for everyone by Didier Van Hoye (Microsoft MVP Cloud and Datacenter Management). We’ll look at what Azure Virtual WAN is, why you would use it, and what its “state of the union” is at the time of speaking. We will look at why small and medium enterprises should also adopt it as Azure Virtual WAN is for everyone, not just the global fortune 500. We’ll touch on how to use Azure Firewall Manager with Azure Virtual WAN HUB and show you the custom route tables along with some examples.
Offensive Azure Security
19h30 – 20h15: Offensive Azure Security by Sergey Chubarov (Microsoft MVP Azure). These days, working with a cloud platform is already commonplace. Companies choose Microsoft Azure for a number of benefits, including security. But there is some responsibility on the customer side and that may become the weakest link in the chain. A demo-based session shows attacks on the weakest link. Penetration testers and red teamers will find steps that can be used in their assessments, defenders will get ideas on what should be protected. The session includes: – Bypassing authentication & MFA – Getting control over Compute – Extracting secrets – Pentesting Azure AD Connect
20h15 – 20h25: Break
I know what you did last project
20h25 – 21h15: I know what you did last project (common mistakes we make in Azure) by Mustafa Toroman (Microsoft MVP Azure). One of the major benefits of Microsoft Azure is the vast number of services we can choose from. But a huge number of services can create problems like what service to choose in specific situations or what to avoid. Do we select IaaS or PaaS? Or maybe go serverless? What type of database do we choose? Azure SQL, Managed Instance, or something else? And when to go with Azure Cosmos DB? Based on years of experience and hundreds of projects, this session shares do’s and don’ts when designing your solutions in Azure. Avoid the usual traps and create rock solid applications in the cloud!
Azure DevOps for Ops without Dev
21h15 – 22h00: Azure DevOps for Ops without Dev by Vukašin Terzić (Microsoft MVP Azure). DevOps philosophy doesn’t really apply to non-developers who are not creating and releasing new versions of applications every week. Or does it? In this session, I will talk about how to leverage Azure DevOps tools to boost your productivity and project management and how to save and execute your scripts and ARM templates.
22h00 – 23h00: Social BYOB (Bring-Your-Own-Beer) teams meeting
I hope to see you there and I wish you all a festive period to end 2020 and start 2021.
GeekSprech(EN) Podcast Episode 50 – Azure Virtual WAN
Yes, 2020 can end well. I was on GeekSprech(EN) Podcast Episode 50 – Azure Virtual WAN! I had the distinct pleasure of being invited to join Eric Berg on the GeekSprech (Geek Speak) Podcast. That invitation came timed perfectly to have me on episode 50, which is kind of cool right?
In GeekSprech(EN) Podcast Episode 50 – Azure Virtual WAN we have an informal chat about, you guessed it, Azure Virtual WAN. While this is a very rich and rewarding subject, that I like very much, I was wondering how this would go. You see, there is just so much to tell, so many links to make, and relations to show between all the moving parts that this subject normally leads to a lot of whiteboarding.
Podcasting and whiteboarding don’t mix, so we just talk, but I must say the time flew by. I had fun and just chatting informally with a fellow geek was just so much fun. For those of you reading this in the future, we are in lockdown 2 of over 8 months of the Corona/Covid-19 global pandemic. So having a talk over a drink at a conference or user group is just not happening right now.
More podcasts on the horizon?
Are there more podcasts in my future? Well yes, probably so. This was my first ever podcast and I hope you like it. We had fun making it. Frankly it does taste like more and next year, if all goes well we’ll be doing some podcasting with a very smart fellow Belgian technologists about. We think that will be both fun and educational. The basis for those podcast plans are chats and discussions we have on technologies amongst ourselves. But for now, you can join in the fun right here. Enjoy!