
Azure is now bigger, faster, more open, and more secure - deegles
http://azure.microsoft.com/blog/2015/01/08/azure-is-now-bigger-faster-more-open-and-more-secure/
======
panarky
Bigger, faster, more open, more secure ... what's missing from this list?

Oh, that's right, how about more uptime?

    
    
      Provider               Outages  Total Downtime
      ---------------------- -------- --------------
      Amazon EC2                  12     2.01 hours
      Google Compute Engine       65     3.27 hours
      Microsoft Azure VMs        102    42.80 hours
    

Source: [https://cloudharmony.com/status-1year-of-compute-group-by-regions-and-provider](https://cloudharmony.com/status-1year-of-compute-group-by-regions-and-provider)

And this doesn't show the other Microsoft cloud services that have even worse
reliability.

At my company we invested a lot of time trying to make Azure Service Bus and
Visual Studio Online work. Both were so dreadfully unreliable as to be
unusable.

~~~
mindstab
Hey, at least it's not Verizon cloud, which just told users to power down
everything today in preparation for a scheduled 48 hour outage.

[http://www.computerworld.com/article/2865802/verizon-warns-enterprise-cloud-users-of-48-hour-shutdown.html](http://www.computerworld.com/article/2865802/verizon-warns-enterprise-cloud-users-of-48-hour-shutdown.html)

~~~
panarky
In CloudHarmony's assessment of 49 cloud compute providers, Microsoft Azure
was literally dead last in total downtime.

Number 49 out of 49 services.

If Verizon is offline for the entire time, maybe they'll be number 50.

------
erazor42
We run 50+ Linux servers on Azure (West Europe) and it's a nightmare: unplanned
VM reboots, VHDs disappearing, timeouts or unreachable blob files on HDInsight
(with Pig)... Slow load balancer, not really configurable. Websites slow++. I
won't recommend it... Very hard for us to keep a professional SLA.

Maybe it's because we run Linux servers?

One good point is cheap blob, slow but cheap.

~~~
clebio
Is it feasible for you to evaluate an AWS deployment? I'd be very interested
in the numbers you mention if we could compare them to something directly.

~~~
erazor42
Nope, we don't want to deploy on AWS for contract reasons. But we are moving to
fully dedicated OVH. I cannot provide numbers for OVH, but for now we are at
100% SLA on those servers.

------
tracker1
I have a handful of issues with this...

* MS is managing said Key Vault, meaning they may well be under pressure from the NSA to provide access, without a warrant, and without a target knowing said access was requested.

* The local SSD storage can really only be used for temporary or cache based workloads... if your image ships to another machine in the case of failover, you'll lose that data. It's not a bad thing, but the High Performance (SSD backed) disk storage is still waiting for general availability, been on the wait list for preview for a while.

* The ready ubuntu+docker VM is cool, but I think it's more cool that CoreOS is generally available in the box now.

~~~
helper
We run all our ec2 instances on ephemeral disk instances. Historically running
on ebs was a great way to ensure application downtime.

Ephemeral drives mean you need to change the design of your application to be
able to withstand full loss of machines. But it's really not that hard. A good
replicated database (riak, cassandra) spanning multiple availability zones
gets you 95% of the way there.

~~~
tracker1
I wouldn't really trust doing so with less than say 40-50 servers, which C*
can do quite well, but this is very much overkill as an expense for most
people.

~~~
helper
I'm not really sure what you mean. The number of nodes you need depends on the
capacity you need and your replication factor.

Most C* deployments are in the 9-15 node range. You could safely deploy with 6
nodes and RF3 if 6 nodes gives you enough capacity in terms of both disk space
and IOPS.

~~~
tracker1
True... but given that you can't control how many nodes come down at once (up
to a third, typically, in Azure's case), or what data is on which node, it's
less predictable. If I have 24 nodes across 2 data centers, with a
replication factor of 10, then I would consider the data relatively safe...
short of that, you have a significant chance of downtime should an outage
occur.

Let alone in the case of a more significant issue, and again, if the server
goes down, that data is effectively lost, since the individual node will no
longer be there. You have to have multiple sites _and_ higher replication
factors _and_ a good backup system.

That said, Azure storage actually works very well, aside from the relatively
recent azure outage.

~~~
helper
> ...with a replication factor of 10

RF 10 is insane overkill. There is probably someone out there doing it, but it
is completely unnecessary for 99.999% of real world deployments.

Getting back to your original comment, Azure persistent storage (or AWS, or
Google) isn't giving you anything near RF10 * 2 DCs.

~~~
tracker1
In Azure storage, each write goes to two local locations and a third (optionally
geo-redundant) one... This is data that will still be there if my VM
reboots... the local/scratch disk is gone if my VM reboots... if a significant
number of those VMs reboot, you will lose data. I do hope that you are at
least backing up those nodes regularly to persistent options.

~~~
helper
I don't know how Azure works but AWS reboots are fine with ephemeral disks.

We backup all sstables to s3. We've never _needed_ to restore a node from an
s3 backup in 5 years of running in production.

------
mark_l_watson
I think Microsoft is doing a good job of reinventing themselves. Azure and
Office 365 really are good products. The Linux support on Azure is great and
Office 365 runs well on my Android and iOS devices, support on OS X is OK, and
the web version of Office 365 is sometimes handy on my Linux laptop.

As far as privacy on their key store goes, I tend to trust Microsoft and
Google more than average corporations.

~~~
freehunter
I'm paying for Microsoft Office for the first time ever (when I've used it in
the past it has been provided by school or work) because I can use Office on
non-Microsoft platforms now. I can start an Excel document on Windows 8, edit
it later on RHEL, and view it on the go on my iPhone. It's the era of the
cloud. That's how things should be. It doesn't matter what system I'm running.

~~~
semi-extrinsic
Unless you're doing something extremely complicated, linking to data outside
the Excel file or abusing Excel for a purpose where some other tool would be
far better, this interoperability has been provided by open/libre-office and
the various mobile office suites (read-only) for many years. Microsoft's
attempts at vendor lock-in notwithstanding. This cloudiness is the wrong
solution, the right one would be for MS to stop actively sabotaging
interoperability.

~~~
freehunter
Sorry, but OpenOffice (and so on) is lacking in enough places to make it not
worth my time. And believe me, I've put a lot of time into trying to make it
work. Saving a document in OpenOffice to Dropbox and editing it on Android
with Documents to Go or QuickOffice (both of which I've paid for at ~$20 each)
and then trying to open it in Office on the school's computers is a recipe for
disaster. What's even worse is if I didn't have the time to open it and save
it in Word before the assignment was due. The teacher opens it in Word and
finds out that OpenOffice saved it with 1.2" margins and Word interprets it as
1.25", or 12pt Arial font that Word thinks is 11pt Helvetica or that picture
isn't lined up properly and now an English professor is giving me a zero on
the paper because he doesn't know or care what free software means. He just
knows I'm the only one in the class that did not follow the instructions he
gave.

Worse still, out in the real world as a client-facing consultant who uses a
RHEL-based laptop for day-to-day work. I keep a VM of Windows 7 running for
when I need to submit a document to a client, because there is no way I am
taking the chance on Word interpreting an OpenOffice document correctly.

Right solution or wrong solution, Microsoft Office is _the_ solution. I have
to wonder where people work (and where they went to college) that affords them
the luxury of taking a stand on what office suite they use. I would also like
to know what open/libre office suite you're using where I can use the same
document with the same file format and the same rendering engine on any
platform including the web (where the web version is also open/libre). Because
honestly I don't think it exists _right now_ , let alone having existed for
many years, which makes your entire point moot.

~~~
fapjacks
You're clearly doing something wrong if you're running a VM of Windows just to
create simple documents. It really sounds like you need to take inventory of
how you're doing things. Since we're talking anecdote, I have _never_ had a
problem editing Dropbox-saved documents in QuickOffice, or having them
magically messed up when I email them. I went to a couple of different schools
that allowed students to submit documents in formats supported by open source
formats. You're right that in the first half of the 2000s using proprietary
pay software formats was a requirement, but in the last ten years schools and
instructors have started accepting others, and the last couple of years I went
to school I didn't submit any document in a proprietary format. The fact is
that Microsoft Office is an _enormous_ cost to consider versus something like
the equally powerful and less obtuse LibreOffice. Also, your "Microsoft Office
is _the_ solution" makes you sound like a shill, seriously.

~~~
spinchange
His example was creating a document in OpenOffice, editing it later in
QuickOffice, and then having the recipient open in it Microsoft Word. He is
absolutely correct that what the recipient opens in Word will have formatting
discrepancies and not look like what he thinks he submitted. It might not even
be the fault of QuickOffice, it's more of an issue that it wasn't created and
edited in the target/destination environment (Word). This isn't even a new or
unforeseen issue for people who work with a lot of office documents.

More broadly, in the business world, Microsoft Office is still very dominant.
If your clients & business partners collaborate with Word documents, or Excel
workbooks, or PowerPoint presentations, or whatever the case... running a VM so
you can run MS Office and collaborate with them isn't "wrong" or something the
parent needs to reevaluate. It's a business requirement and ensures
professionalism! It isn't nearly as uncommon a use case as you think. I
don't think he's shilling, he's being a realist given his needs.

------
sudioStudio64
The truth is that a lot of you refuse to learn how windows works at a deep
level, at least as deep as you know UNIX. Then it doesn't work like UNIX...
and then you're angry.

I have seen similar horror stories from AWS customers. They probably weren't
early adopters like people on HN...who now have the kinks worked out.

MS should stop trying to impress the HN crowd. And unless you own stock in
these companies you need to stop investing so much personal emotion in how
they are doing compared to each other. AWS isn't some scrappy upstart from a
Horatio Alger novel. MS isn't the Empire from Star Wars. And none of them give
a damn about you.

------
davexunit
A good example of openwashing. You can call anything open these days, even
proprietary software!

~~~
Someone1234
The term "open" only appears once in the article on this line (aside from the
title):

> Building on our openness with the availability of the first Docker Image in
> the Microsoft Azure Marketplace

What the hell does "building on our openness" even mean in that context? I've
read it several times and it makes no sense. It is great that they added
Docker images (really) but maybe someone technical at Microsoft should start
to proofread what nonsense that the marketing department spews out.

~~~
higherpurpose
You mean aside from the title that every other news site will reproduce and
which will be everything most people remember?

------
api
... and the Microsoft perestroika continues. :)

~~~
martco
What do you mean? Do you mean this:

perestroika: ORIGIN Russian, literally ‘restructuring.’

~~~
danko
Perestroika is the era in Soviet history when the USSR began to 'thaw' in its
relationship to the West and reform its economic policy to be less
collectivized and more capitalistic.

In this case, Microsoft would be the USSR and its policy of closed-source
Windows/.NET domination would be the old Communist Party hegemonic philosophy.
That would make Satya Nadella Microsoft's Mikhail Gorbachev.

------
steven2012
Does anyone have any opinions on Google Cloud? We are investigating moving to
Google Cloud but I personally am a bit skeptical because they appear to be a
distinct #4 behind AWS, Azure and Rackspace. I'm worried that Google Cloud
will not get the revenues they want and they will close up shop, like they've
done with their other products that were wildly successful. I don't see Google
having the same level of commitment as Bezos, who will believe in something
and then see it through come hell or high water.

Does Google Cloud have the same functionality and flexibility that AWS or
Azure have?

~~~
higherpurpose
I really don't see how Google would exit the cloud service business. It's a
core competence of theirs.

People have been saying "I'd rather stick with Evernote than Keep" as well.
And less than 2 years later, Keep is still there and being updated (with not
that many users I think), while Evernote had just laid off 20 people.

I also think most of Google's "spring cleaning" projects have been small
projects that made _no money_ - as in they didn't even have a business model
(such as Reader). The cloud business seems to be pretty straightforward - we
give you this, you pay us that.

------
Morphling
I actually think Azure is a nice platform, but they've effectively priced me
out.

What I mean is that if I want a basic VPS on Azure it costs ~10€/mo to run the
server for the month, but there are many VPS providers who offer a lot better
hardware for same price.

I guess Azure is meant for bigger needs than mine where you can run
100-200€/mo by default and then scale up when needed, but since my little blog
+ test/dev server won't need to be scaled it just seems too expensive.

~~~
mobiplayer
If you plan on building something, but your needs are not there yet you may
want to apply for a BizSpark account that covers $150/mo if I'm not wrong.
OTOH for a blog you may want to check the PaaS offerings (e.g. Azure
Websites).

------
egsec
Am I comparing the right things for the pricing on AWS Cloud HSM vs Azure Key
Vault?

AWS Cloud HSM - [http://aws.amazon.com/cloudhsm/pricing/](http://aws.amazon.com/cloudhsm/pricing/)

Azure Key Vault - [http://azure.microsoft.com/en-us/pricing/details/key-vault/](http://azure.microsoft.com/en-us/pricing/details/key-vault/)

The metrics they use are not the same, so I am not sure if the AWS option is
something dedicated vs the MSFT one is something you share? Is there something
different from AWS that is more comparable?

~~~
count
I think the AWS Cloud HSM is dedicated, but not sure. They look to be about
the same. If you don't need FIPS, AWS also has the new KMS service which is
way cheaper than Cloud HSM.

~~~
egsec
The pricing model looks much more similar for KMS:
[http://aws.amazon.com/kms/](http://aws.amazon.com/kms/)

------
ktavera
I've been using Azure Websites to host 10 web apps, monitored with NodePing,
and have not had noticeable downtime in 2014. Maybe it's just their IaaS and
not the PaaS.

------
toddkaufmann
Whenever I hear about Microsoft, I just think irrelevant. Am I bad? Sometimes
I think I might have missed out on something, but in 30+ years of programming
I've never done any real development on it (unless you count java), and I
often go months without encountering it (except for remote desktop
occasionally).

I think it was good to have competition Apple/Linux/Google, but it doesn't
seem like they've kept up.

------
vvoyer
I recently had to use the various Azure APIs like ServiceBus.

It's a complete failure once you get lost in bugs, missing or hard-to-find API
documentation, or examples like `var serviceBusService =
azure.createServiceBusService();` WELL Mister API Designer, you failed!

------
mrmondo
It's really unreliable though, it seems they're battling outages every few
days.

------
venaoy
A very important issue with Key Vault is: what to do when the Hardware
Security Module dies? All electronics fail or stop working at some point. How
do you make backups of keys that were on the HSM?

~~~
lstamour
You don't. Keys on an HSM never leave the HSM, is how I think it should work.
But your keys in the HSM can encrypt secrets, separate from the HSM's keys,
but stored with the same service. You could potentially distribute secrets to
multiple HSM-backed services. It's equally possible that the service itself
distributes your secrets amongst multiple HSMs.

YubiHSM back in the day, I recall reading, was designed so that you'd want two
HSMs, one generates random secrets, the other stores the secrets using keys
that never leave the device, if I recall correctly. And the reason it needed
two is that the generator would leak parts of its keys with the random data it
produced, I think, and so to securely store them, you needed a second device
with key generating turned off. I could be out to lunch here, never bought a
YubiHSM nor do I have experience with corporate ones. My point, is that there
are different uses for HSMs, and it's easy enough to have an insecure use of
HSMs, even as simple as generating secrets and storing secrets on the same
device.

As to what to do if the key is lost, I suppose it's time to re-issue. :) The
goal is to not make too many backups: keeping a key secret is more important
than ensuring the key is widely available, right? So it's a balance....

~~~
Spooky23
I don't know about a device operating at the scale that Azure is using, but
the key stores on smaller Thales HSMs can absolutely be backed up to smart
cards.

Security of key material is all about procedures. With a private CA I helped
to setup, we used a quorum based authorization scheme, and the collection of
smart cards was distributed among different reporting lines to make collusion
between employees difficult.
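The quorum-based smart card backup described above is a threshold scheme: the key store backup is split so that any k of n cards can restore it, while fewer than k reveal nothing. As an added illustration that is not code from the thread or from any HSM vendor, here is one standard way to implement such a quorum, a Shamir k-of-n split over a prime field; the 16-byte key and the 3-of-5 parameters are constructed for the demo.

```python
# Added example, not from the thread: a k-of-n threshold split of an HSM backup key
# (Shamir secret sharing over GF(p)), the kind of scheme behind "any 3 of 5 smart
# cards can restore the key store". The key bytes and parameters are constructed.
import secrets

# Field modulus: 2**521 - 1 is a Mersenne prime, larger than any 64-byte key,
# so a raw AES or RSA-wrapping key maps to one field element without loss.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate sum(coeffs[i] * x**i) mod PRIME using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, k, n):
    """Return n shares (x, f(x)) of which any k reconstruct the integer secret."""
    if not 1 <= k <= n < PRIME:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer below PRIME")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    # x = 0 is never issued as a share because f(0) is the secret itself.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate f(0) from k distinct shares; fewer than k give garbage."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse via Fermat: den**(p-2) == den**-1 (mod p) for prime p.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split_key(key, k, n):
    """Share raw key bytes as n shares; the byte length travels with each share."""
    return [(x, y, len(key)) for x, y in split_secret(int.from_bytes(key, "big"), k, n)]


def recover_key(shares):
    """Rebuild the key bytes from any k (x, y, length) shares."""
    length = shares[0][2]
    return recover_secret([(x, y) for x, y, _ in shares]).to_bytes(length, "big")


def demo():
    """3-of-5 split of a constructed 16-byte key; returns (three_ok, two_fail)."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed, not a real key
    cards = split_key(key, k=3, n=5)                        # one share per smart card
    restored = recover_key([cards[0], cards[2], cards[4]])  # any three cards suffice
    # Two cards only fix a line through two points; its f(0) equals the key only by chance.
    partial = recover_secret([(x, y) for x, y, _ in cards[:2]])
    return restored == key, partial != int.from_bytes(key, "big")


if __name__ == "__main__":
    print(demo())
```

Distributing the cards across separate reporting lines, as the comment describes, is what turns the arithmetic threshold into an organisational one: no single team holds k shares.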

~~~
lstamour
Makes sense. At that point it's probably easier to find another part of the
software stack to attack instead of the secrets itself. E.g. instead of
getting the keys to the kingdom, just exploit a weakness in some signing
software. Reminds me of that Microsoft certificate signing service for remote
desktop (or something like that) for the feds (okay, maybe not but still...)
that ended up generating certificates that would pass Windows Update checks
for from-Microsoft validity. Google reminds me it was called "Flame". Ah, here
it is: [http://www.securityweek.com/microsoft-unauthorized-certificate-was-used-sign-flame-malware](http://www.securityweek.com/microsoft-unauthorized-certificate-was-used-sign-flame-malware)
And it was revealed roughly a year before we learned about PRISM and such.

------
Aoyagi
I'm not sure I like what MS is doing. They're innovating (or at least fixing
things) almost exclusively only in cloud/online services/products.

~~~
wmf
Windows Server will let you run your own Azure, but you can't run your own EC2
or GCE.

~~~
_delirium
Amazon themselves don't provide a way to run your own EC2, but Eucalyptus [1]
is an open-source implementation that works for some use-cases. I believe
OpenStack and CloudStack also implement a good portion of the AWS APIs.

[1] [https://www.eucalyptus.com/](https://www.eucalyptus.com/)

~~~
derekdb
Last I checked, Eucalyptus is missing a number of the APIs that customers
really use once they are doing more than just hosting a few VMs. Access
control, security, VPN... The service providers are actually quite different,
and any attempt to standardize is just going to be the least common
denominator, which is going to be missing a great number of useful features.

------
MichaelGG
Azure needs to provide SSD backed options for all blobs. As is, they encourage
you to use local SSD storage, which gets wiped on reboot.

------
higherpurpose
I assume Microsoft itself has access to the keys in the Key Vault?

~~~
lstamour
Sure, you can make that assumption. Even with an HSM protecting things, they
still own and manage the HSM, not you. But then the same can be said for
everything else you run in Microsoft's cloud or any other service provider,
really. Once I read that the NSA would sometimes take computers from transport
and modify them, I realized the NSA is the type of persistent threat you
simply can't avoid. It can't be helped in this day and age.

For more on the HSM service and how it works:
[http://blogs.technet.com/b/kv/](http://blogs.technet.com/b/kv/)

~~~
higherpurpose
Why can't the keys be managed in an end-to-end fashion? Wasn't it Cloudflare
announcing something like that a few months ago, with clients having their own
key-servers that Cloudflare itself can't access?

~~~
lstamour
They can be, but this avoids the round-trip time entirely. Microsoft's not
forcing you to keep your secrets in the cloud if you don't want to, what
they're saying is, "you don't have to run it all yourself if you don't want
to" or for those already in the cloud, "it's more secure (or audit-able, at
least) to store and share secrets using an HSM than to use plain-text on a
hard drive". Of course, nothing's perfect, and even your secrets will
eventually end up in RAM, but that's why they call it "defense-in-depth"
right? Plus, it means if you're encrypting something, you can use the HSM to
do it and know that only the HSM box has the keys to what you're encrypting,
and it's dedicated and designed for that task. I personally like HSMs as a
concept and look forward to lower cost options as we rely more on encryption
in the cloud.

~~~
higherpurpose
I realize the "it's easier" part. That's why most of us use email over
TLS/STARTTLS instead of PGP. However, I don't think Microsoft is going to
address the "trust" issue foreign governments and companies have with American
clouds right now.

Granted, I'm only picking on Microsoft because they are announcing this now,
and I think they could've done better. But I assume Amazon and Google's
encryption also relies on "trusting them" (+ the US gov).

They all need to adopt more end-to-end solutions from end-user services to
enterprise cloud services. Perhaps _especially_ for enterprise cloud services,
since I think they have more to lose by putting their trust in the cloud
providers instead of building their own clouds, and they could be more
reluctant to adopt their services because of that.

Maybe the cloud companies aren't feeling this as much now since there seems to
be "growth" coming in anyway, but when the market stabilizes a bit, they
will probably start feeling it. It's kind of how Blackberry didn't feel that
they were banking on a bad strategy in the post-iPhone years, because they were
still seeing "growth" during that time, mostly from other markets, hiding the
fact they were using a bad strategy, and they were _only_ growing because of
brand inertia from previous years.

------
StudyAnimal
"It IS faster! Over five million..."

------
aarisa
Bigger, faster, more open, more secure. Where does that leave Azure, given where
it started? It means it's still small, slow, closed, and insecure.

------
at-fates-hands
I'm pretty sure they haven't addressed the old issue of keeping your
FTP credentials in plain text. To me, that's not very secure at all.

Source: [http://weblogs.asp.net/bleroy/azure-web-sites-ftp-credentials](http://weblogs.asp.net/bleroy/azure-web-sites-ftp-credentials)

_"Notice how the password looks encrypted. Well, it's not really encrypted
in fact. This is your password in clear text. It's just crypto-random
gibberish, which is the best kind of password."_

What exactly is "crypto-gibberish"?

~~~
biot
> What exactly is "crypto-gibberish"?

You generate a random password from the set of inputs that the system allows,
usually printable ASCII characters. So instead of a non-gibberish password
like "correcthorsebatterystaple" you end up with a gibberish password like
"]'gf2~B;](0EnxW>/n%+b*q4{".

> I'm pretty sure they haven't addressed the old issue of
> keeping your FTP credentials in plain text.

Would you complain if it were an API key that was provided to you in plain
text?

~~~
ghuntley
Yes, because FTP by design is unencrypted and can be easily sniffed.

~~~
biot
You're addressing a different issue; _at-fates-hands_ was addressing the issue
of "keeping your FTP credentials in plain text" whereas you are discussing
that plain FTP is an insecure protocol (a point I fully agree with). The site
does say:

> "The Azure dashboard doesn't seem to give easy access to your FTP
> credentials, and they are not the login and password you use everywhere else."

Likely the difficulty of finding FTP credentials is because FTP isn't the
preferred method of publishing your site.

