- If you haven't looked at
serverless options in a while,
stay tuned as we look at
new enterprise capabilities
that help you to apply
serverless compute securely
and confidently to any workload,
including how you can turn
on managed service identities
and protect secrets with
Key Vault integration,
control virtual network connectivity
for both Functions and Logic Apps.
Build apps that integrate with systems
inside your virtual network
using serverless capabilities
and set cost thresholds to
control how much you wanna scale
with the Azure Functions premium plan.
(upbeat music)
I'm joined by Jeff Hollan
from the engineering team
leading the efforts around
serverless compute at Microsoft.
Welcome back to the show.
- It's great to be back.
- So there's been a lot of
progress in serverless compute
since we last had you on the show
and to recap serverless is
all about letting you build
and run applications that
scale without having to deal
with managing infrastructure.
- Yeah, that's right.
There's been a ton of progress
that Microsoft's been making
in the serverless space
because it's a great tool
to use for automation of resources,
partially because with serverless
compute you're only paying
when your compute resources are being used
which makes it a very
attractive option to many teams.
Now we're seeing serverless
used in all sorts of scenarios,
from web applications to microservices
to real-time data processing
or even IoT devices.
In fact just a few months ago at Ignite,
we showed an end-to-end IoT solution
at Microsoft Mechanics
Live that was powered
entirely by serverless
compute in the Azure Sphere.
- Yeah, we showed how you could
also make the light switch
on a locked-down Azure
Sphere-controlled device
and if you missed that show,
you can check it out at the link shown.
So it's awesome to see the momentum.
I know many people have
been wondering just how much
they can use serverless in
more enterprise type scenarios.
- Yeah, we're now at a stage
where you can use Azure
Serverless to run any workload.
We've really been focused
the last few months
at removing common blockers
for security, access management
and integration across your
internal services and apps.
We also now give you a
way to set thresholds
so that you can scale and
control with predictable pricing.
- Great, can we take a look?
- Yeah, absolutely.
So we have here a payment processing app
and as payment requests come
in to process a payment,
the app's going to need
to securely communicate
with databases and services.
Now given that we're grabbing
customer information,
all of this needs to
happen inside the firewall.
To date we've held off
making the payment
processing logic serverless
because of the security
and compliance requirement.
So we kept this payment
processing system on premises.
- So how can you move
some of this highly secure
and mission-critical business
logic into serverless
without having to compromise on security?
- Yeah, so we're gonna
do a few things here.
The first thing we wanna do is take
that payment processing logic,
move it up to the cloud
as an Azure Function
which is really the core
piece of serverless compute.
So to do that the function
is going to need to manage
identities and leverage
secrets in a secure way
with Azure Key Vault.
We're going to communicate and integrate
with our payment processing
line of business systems
inside our firewall with
Azure VNet and Logic apps.
And of course once the
payment has been processed,
we'll use an Azure function
to trigger the emailing
of a payment confirmation
back out to the customer.
- And these are new capabilities
now integrated with Azure Functions?
- They are, so let me
show you how they work.
So here I am in my Azure
Function and this is the code
that's going to be used
to process the payment.
Now here in my code you'll notice
I'm going to need an account key.
This is the key that I use to authenticate
with my bank account.
Obviously the type of
secret and information
I need to keep secured.
So I'm using Azure Key Vault here
to manage the secret for me.
So I've added the account
key and now Key Vault
is encrypting and securing the secret.
In fact if I come here
to the access policies,
the only piece that has permission
to retrieve and read the secret
is actually my Azure Function application.
Now that's because
Azure Functions now uses
what's called managed
identities for Azure resources
where Azure Active Directory
has given my application
an identity which I
can use to authenticate
with services like Key Vault.
So I've gone ahead in my
application configuration
and I've set to retrieve my account key
from Microsoft Key Vault.
All of this happens securely for me.
There's no usernames and
passwords that I need to manage
so I can be confident in
knowing that this secret,
this account key, could never be linked
to a developer or anyone externally.
- Okay, so Key Vault's now storing
and encrypting the secrets
and with Azure Functions
integrating with managed identities,
it securely retrieves the secrets
for the payment processing code.
- Yeah, that's right and because
we built this integration
right into the service,
you don't have to make
a single line of code
in order to start leveraging Key Vault
to receive any secrets that
your serverless app might need.
- Awesome, so how easy is it to integrate
with systems that are behind the firewall?
I know that's been a big
pain point in the past.
- Yeah, as we showed you
earlier in the illustration,
this payment processor code is
going to need to communicate
with systems that are within a VNet,
some that are in clouds, some
that might be on premises.
Now in the past Azure
Functions hasn't provided a way
to integrate directly with a VNet,
but today you can very
quickly add an Azure Function
to a VNet so it can securely communicate
directly to the resources
within that VNet.
So I'm back here at our
payment processing code
and after we have the account key,
I need to make a call here
to this private IP address.
You see this as a 10.0
address within my VNet.
Now if I tried to call it
right now and run this code,
you'll actually notice
that this run is failing.
I don't have access to the VNet.
I need some way to gain that
access to securely communicate
so I'm gonna come into
my Function app settings
and here in networking
I can just simply choose
to configure a VNet connection.
So I'm gonna come here, add my VNet.
Here it's listing the different VNets
that my application has access to.
I can choose the VNet that I want,
choose the subnet and click okay.
Just like that my Azure
Function is now securely
being connected to my VNet.
So if I come back over to
the application code again
and press run,
now that I've made that change
my application's succeeding.
This call to the internal
system is traveling
through that VNet, never
over the public internet
and my code is now working.
I'm confident in knowing that my traffic
is completely locked down and secure.
- And with most enterprise systems
having very tight network isolation,
integrating with VNets is a huge win.
I know though that one downside
can be the cold start time penalty
for brokering connections to
resources as code's initiated.
How do we solve for that?
- Yeah, we really don't want
people to have to sacrifice
on performance when
they're adding these types
of security features so when you use
this new VNet functionality,
we're actually going to keep your app warm
and connected to the VNet
so you're not gonna hit
any additional latency.
- Alright so we've
covered secrets management
and network security,
but what are we doing to solve
for secure communication between services?
- Yeah, our team's been hard at work
over the last few months
to give you the ability
to even run your Logic apps
in an integration service environment.
Now this means that I can build a workflow
inside of my VNet as well
so as our function is processing code,
it's actually going to kick off an event
that's gonna trigger
this Logic app workflow.
I'm gonna retrieve some
customer information
through my on premises SQL database.
It's gonna call a generator receipt
and then finally, update
some information in CRM
which is also on premises.
Now because this Logic app is built
inside of the integration
service environment,
even these calls to on
premises systems are succeeding
and everything is
working in a secured way.
- Awesome stuff.
It's really powerful to
see that you now integrate
with services behind your firewall,
but what if my operations
sees a spike in demand
that I wanna control how it scales
so that I don't have a huge
bill at the end of the month?
- One of the most difficult conversations
we sometimes have with
these large enterprises
is how much is this
application going to cost me
because if the function only
runs once it might be free,
but if it runs 100 billion times,
it's gonna be a lot more money.
So one of the features that
we now offer to enterprises
is predictable pricing.
You can control the bounds in
which your Function app runs
to keep your bill within a secured range.
For some companies you
might want pay as you grow,
but for others you may want a ring fence,
a set of resources across your apps
and have a fixed,
predictable cost every month.
In fact for some very
high volume workloads,
you can actually save money
by paying by the resource
instead of by the execution and only Azure
gives you this option for both
in its serverless offerings.
So here in the Azure portal,
this is where I can control
the bounds in which my
app is going to scale.
I can choose to have some
instances always warm
so I don't have any
latency and I can choose
the minimum and maximum limit
so that I get flexible options
in deciding just what
resources will be available
and how much I'm going to pay every month.
Now these elements of
security, performance
and predictability enable every company
to take advantage of serverless
for key mission-critical scenarios.
- Awesome, now with all these changes
we're looking forward to seeing the shift
from managing sporadic
workloads with serverless
to running everyday systems.
- Absolutely and we're
seeing a lot of interest
across industries.
For example, in finance
there's a lot of companies
interested in analyzing
and processing transactions and trends.
We've been working with retail companies
who are leveraging
functions within their VNets
to process real-time
data at massive scale.
It's really exciting to see
the power and productivity
serverless can unlock for every scenario.
- What's the best way to get started
with these new capabilities?
- So we just released the preview
of the new Azure Functions premium plan.
You just need to follow a few steps
to get your first premium app running
and connected to a secure environment.
If you wanna use the
integration service environment
for your Logic apps and workflows,
you can sign up for the preview as well.
And don't forget to check out
our Microsoft Learn modules
on serverless where you can
learn about applicable scenarios
and even play around
with some code samples.
- And of course subscribe
and keep watching
Microsoft Mechanics for
our latest tech updates.
Bye for now.
(upbeat music)
