Security in the Cloud starts with Architecture

In today’s connected world the subject of security is perhaps the hot topic – at least when it goes wrong!  Unfortunately, many risk teams argue that security is often thought about too late – i.e., after a security incident has occurred and an application has been compromised.

To innovate we need to be able to build new solutions rapidly – using Agile frameworks there is much emphasis on getting out the MVP (Minimum Viable Product) as fast as possible and then iteratively building upon it every two weeks or so.

From a security perspective this creates big headaches – we need to ensure the MVP is solid, but then with every update we introduce the possibility of creating new vulnerabilities.

For most cloud vendors, defence in depth is the paradigm used to address this: we implement multiple layers of security controls so that if one layer is compromised or misconfigured, others still stand between the attacker and the data.

Some of these controls can be grouped into the following areas.

  • Network Security
  • Encryption
  • Authentication/Authorization
  • Governance and Compliance

Also notice that these are all mainly around infrastructure, and because of this we need to ensure that they are considered right at the very start of a new solution.  Our solutions need to be secure by design, or to put it another way, security has to start with architecture – i.e., when we design solutions, we need to consider security in the first instance, and always have it in mind when addressing functional and non-functional requirements.

A very simple example is an Azure Web App that connects to an Azure SQL Database.  By default, a Web App exposes a public endpoint, and the SQL Database server firewall offers a switch, ‘Allow Azure services and resources to access this server’, which is the quick way to let our Web App reach the database.

This does reduce the network scope to Azure, but it is implemented as a firewall rule for the address 0.0.0.0, which Azure treats as ‘any Azure-hosted source’.  That includes every other customer’s Web Apps and virtual machines, not just your own subscription or tenant.

We of course still need a database login and password (or, better, a Managed Identity or Azure AD authentication), but that is a single layer: anyone running on Azure who obtains the connection string is straight in.  We should be designing our solutions with greater depth.

One way to narrow the network layer is through Service Endpoints.  With a Microsoft.Sql service endpoint on a subnet, and a matching VNet rule on the SQL server, the database accepts connections only from that subnet.  For this to cover the Web App you must enable regional VNET integration on the Web App itself and point it at that subnet, because only then does the app’s outbound traffic originate from inside the VNet.

VNET integration also means Network Security Groups on the integration subnet apply to the Web App’s outbound traffic, so you can control where the app is allowed to connect to, not just who is allowed to connect to it.

Finally, placing an Application Gateway or Azure Front Door in front of the Web App adds a further layer (including a Web Application Firewall), but only if you also restrict inbound access to the Web App to that appliance using App Service access restrictions; otherwise an attacker simply bypasses it and calls the azurewebsites.net hostname directly.  For Front Door this means allowing the AzureFrontDoor.Backend service tag and, because that tag covers every customer’s Front Door, also filtering on the X-Azure-FDID header so that only your own Front Door profile is accepted.

The following diagram shows an example of how this might look.

This is just one example of how good architecture can ensure that your solutions are locked down more tightly, but these options must be chosen deliberately; none of them is enabled or configured this way by default.
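As an added example (not code from the original article), here is an offline check in Python for the layers just described.  It runs over constructed dictionaries that mimic the shape of the Azure CLI output for SQL firewall rules, SQL VNet rules and Web App access restrictions; the subscription path, Front Door ID, rule names and the cut-down JSON shape are assumptions, and nothing here is captured from a real subscription.  It is the kind of check you would later encode as an Azure Policy definition.

```python
"""Added example (not from the original article): audit a Web App + Azure SQL
deployment for the defence-in-depth layers described above.

The dictionaries are constructed to resemble `az sql server firewall-rule list`,
`az sql server vnet-rule list` and `az webapp config access-restriction show`
output, reduced to the fields the check needs. They are sample data only."""

# "Allow Azure services and resources to access this server" is stored as a
# firewall rule whose start and end address are both 0.0.0.0. It admits any
# Azure-hosted source, including other customers' tenants.
ALLOW_ALL_AZURE = ("0.0.0.0", "0.0.0.0")
ALLOW_WORLD = ("0.0.0.0", "255.255.255.255")
FRONT_DOOR_TAG = "AzureFrontDoor.Backend"


def audit_sql(firewall_rules, vnet_rules):
    """Findings for the database layer: public firewall rules and service-endpoint rules."""
    findings = []
    for rule in firewall_rules:
        span = (rule["startIpAddress"], rule["endIpAddress"])
        if span == ALLOW_ALL_AZURE:
            findings.append(f"sql: rule '{rule['name']}' allows every Azure tenant (0.0.0.0)")
        elif span == ALLOW_WORLD:
            findings.append(f"sql: rule '{rule['name']}' allows the whole internet")
    if not vnet_rules:
        findings.append("sql: no VNet rule, so no service-endpoint restriction to the app subnet")
    return findings


def audit_webapp(site):
    """Findings for the app layer: VNet integration and inbound access restrictions."""
    findings = []
    if not site.get("virtualNetworkSubnetId"):
        findings.append("webapp: no VNet integration; service endpoints and NSGs cannot apply")
    allows = [r for r in site.get("ipSecurityRestrictions", []) if r.get("action", "Allow") == "Allow"]
    if not allows or any(r.get("ipAddress") == "Any" for r in allows):
        findings.append("webapp: reachable from any public address; restrict to Front Door / App Gateway")
    for r in allows:
        # The service tag covers every customer's Front Door; only the
        # X-Azure-FDID header filter pins ingress to your own profile.
        if (r.get("tag") == "ServiceTag" and r.get("ipAddress") == FRONT_DOOR_TAG
                and not r.get("headers", {}).get("x-azure-fdid")):
            findings.append("webapp: Front Door tag allowed without an x-azure-fdid filter")
    return findings


def audit(deployment):
    """All findings for one deployment; an empty list means every layer is present."""
    return audit_sql(deployment["sqlFirewallRules"], deployment["sqlVnetRules"]) + audit_webapp(deployment["webApp"])


# Placeholder resource ID (assumption, not a real subscription).
SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
          "/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/snet-app")

# Constructed: the out-of-the-box state, public endpoints plus the "Allow Azure services" switch.
DEFAULT_DEPLOYMENT = {
    "sqlFirewallRules": [{"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"}],
    "sqlVnetRules": [],
    "webApp": {"virtualNetworkSubnetId": None,
               "ipSecurityRestrictions": [{"name": "Allow all", "action": "Allow", "ipAddress": "Any", "priority": 2147483647}]},
}

# Constructed: the layered design, VNet integration + service endpoint + Front Door-only ingress.
HARDENED_DEPLOYMENT = {
    "sqlFirewallRules": [],
    "sqlVnetRules": [{"name": "allow-app-subnet", "virtualNetworkSubnetId": SUBNET}],
    "webApp": {"virtualNetworkSubnetId": SUBNET,
               "ipSecurityRestrictions": [
                   {"name": "front-door-only", "action": "Allow", "priority": 100, "tag": "ServiceTag",
                    "ipAddress": FRONT_DOOR_TAG, "headers": {"x-azure-fdid": ["11111111-2222-3333-4444-555555555555"]}},
                   {"name": "Deny all", "action": "Deny", "ipAddress": "Any", "priority": 2147483647}]},
}

if __name__ == "__main__":
    for label, dep in (("default", DEFAULT_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(label, audit(dep) or "no findings")
```

Run against the default deployment this reports four findings (the 0.0.0.0 firewall rule, no VNet rule, no VNet integration and the ‘Allow all’ access restriction); the layered deployment reports none.  The header check is the one people miss: allowing the Front Door service tag on its own re-opens the app to every Front Door customer.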

Taking it to the next level, you can build Azure Policies that block or report on resources that don’t align with your prescribed patterns, which gives you that control across your whole enterprise.

If you would like to learn more about Azure architecture, and prepare yourself for the AZ-304 Microsoft Azure Architect Design exam, check out my book on Amazon: Exam Ref AZ-304 Microsoft Azure Architect Design Certification and Beyond: Design secure and reliable solutions for the real world in Microsoft Azure

Microsoft AZ 303 versus AZ 304 Exam requirements

It’s been a few months now since Microsoft updated the Azure Architect exams from AZ-300/AZ-301 to AZ-303/AZ-304.

I recently wrote an article for Packt Publishing on the differences between AZ300 and AZ303 here

In this article I wanted to explain the differences between AZ303 and AZ304 – so not the changes between the old and new exam requirements, but the differences for the two Architect Exams that are now live.

There is often some confusion around these two exams, and why and how they are different.  In many ways they are very similar – they are both about Azure (of course!), and they both cover a lot of the same technologies.

First, we can understand some of the differences between the titles – Microsoft Azure Architect Technologies (AZ303) and Microsoft Azure Architect Design – the design bit giving away one of the core differences!

Much can also be gleaned from the wording of the exam requirements documents.  If we look at the skills measured outline for AZ-303 we see:

  • Implement and monitor an Azure infrastructure (50-55%)
  • Implement management and security solutions (25-30%)
  • Implement solutions for apps (10-15%)
  • Implement and manage data platforms (10-15%)

And the AZ-304 outline is:

  • Design monitoring (10-15%)
  • Design identity and security (25-30%)
  • Design data storage (15-20%)
  • Design business continuity (10-15%)
  • Design infrastructure (25-30%)

Again, we see the key difference here – Implement versus Design

I have of course taken (and passed!) both of these exams, and therefore I have first-hand knowledge of the differences, and I can attest to the fact that the AZ-303 is filled with questions around HOW to implement technologies, and what can and can’t be done.

Conversely the AZ304 exam is all about which technology is the best CHOICE for a given scenario.

For example, on the AZ-303 a question around SQL may be along the lines of

Which SQL option supports native VNET integration?

Whereas a similar question on the AZ304 exam would be more requirements based, such as

A customer needs to connect over an ExpressRoute connection from an on-premises server to a SQL PaaS database.  Which option would enable this functionality?

The differences can sometimes be subtle, but the key takeaway is that the AZ-304 exam asks questions based around customer requirements, whereas the AZ-303 is about the technical options and how to implement them.

I have recently written two books – the first, Implementing Microsoft Azure Architect Technologies: AZ-303 Exam Prep and Beyond is available from Amazon here

The second, and newest, is focussed on the AZ304 requirements, Exam Ref AZ-304 Microsoft Azure Architect Design Certification and Beyond – is also now available on Amazon here

So if you’re interested in achieving the Azure Solutions Architect Expert accreditation – I’ve got you covered!

Are you a Coder, a Hacker or a Developer?

Coder, Hacker or Developer – which do you think best sums you up?  I’ll wager that most would consider themselves a ‘Developer’.

But in my many years’ experience – from learning the basics of coding, to my present day role of Architect and teacher/mentor – I’ve come to the conclusion that actually the three titles are all part of the career path in software development.

For me the titles perform a very good job of defining the role, but I feel the perceptions associated with each can be misleading.


Coders code.  To code means to string some computer language together in logical structures to perform some function.  That’s it.  And in today’s modern Agile world this is an extremely important skill.  Agile is to some extent about breaking down the work into manageable tasks or ‘User Stories’: as a User I want to do x.

So a Coder will be assigned a task – write some code that completes a function.

All these functions are eventually strung together to make the whole.  But essentially most tasks come down to coding – hence why it’s the first step for all developers.


To some a hacker is cool.  To Business & Government hackers are evil!

But let’s examine the term.  Hacker.  To ‘hack’ into an existing system and, well, bend it to your will.

Yes, in the wrong hands this skill can cause some real damage – but so can ANY tool in the wrong (or inept) hands.

But to me Hackers represent the next level of coding skills.  Hackers can obviously code, but hackers can also look into the base foundations that all coders use day in day out, and enhance them. Hackers are able to get right there into the code and make it do things you wouldn’t normally be able to do – how?  Because Hackers truly understand the underlying system they are hacking.

This is also an incredibly important skill.  Rarely do business requirements fit any standard mould.  I have heard coders say – ‘it can’t be done, the system just won’t allow that’.  The Hacker will see the challenge.  They’ll learn the underlying mechanism and find a way to make it do what they need it to.

So don’t ever think ‘hacker’ is a detrimental term – for me it’s the next level in becoming a truly great developer.


For all their technical ability, Hackers still lack an important skill – Business Acumen.  Developers (in the varied sense) are often viewed as ‘techies’.  But a true Developer understands the business needs – and can draw upon their Coder and Hacker skills to find the most effective, efficient solution to the Business Problem.

The true Developer is the most misunderstood role.  A Developer not only understands the underlying possibilities, they can decipher the business speak and apply their knowledge to the problem at hand.

In this sense ‘Developer’ is often referred to as Senior Developer – and it’s not about age or years of service (although that often helps!) – it’s about having the full skill set.  The most successful developers, the ones who’ve built billion dollar companies, are the ones who also understand Marketing, Sales, Finance and Leadership – not necessarily in the depth needed to specialise – but certainly enough to carry their own and talk the talk.

Anyone can learn the basic skills to lay some bricks, or plumb some pipes – but a Developer understands how the whole fits together!


To me an Architect is the natural progression of a Developer – They take the business skills to the next level and help drive the full Software Development Life Cycle (SDLC).

The next level is about seeing things beyond the current project, to the multitude of projects that businesses have to take on. It’s about having the knowledge to see where IT can help and drive the solution BEFORE being asked.

It’s about looking for efficiencies of scale – how sharing code or, better still, services between the different projects can reduce overhead and development time while improving quality.


All these ‘levels’ are equally important – but if you want to push your career or technical ability – then you need to understand the different roles available – and focus on what’s needed to take you to the next level.

HTML and CSS For Everyone!

Web Development seems to many non-techies as a black art.

A core skill for any web developer is HTML and CSS – the ‘languages’ used to build websites and an increasing number of mobile apps.

But what if I were to tell you then these two skills – HTML and CSS – are actually becoming key for EVERYONE in business?

The world today is centred around communications – email, social media, blogs and more.  But to be heard above the noise of mass information, yours needs to stand out.

If you regularly send marketing emails, or manage a blog or social media account, then HTML and CSS are must-have skills – only with an understanding of these can you hope to build something appealing and eye catching.

Because HTML and CSS are often considered a ‘programming language’ – many shy away.

Learning the basic core skills to create stunning material using HTML and CSS is actually very easy – if you have learned how to use Word or Excel – then you can learn this!

Just think what you could do if you mastered the basics: create awesome emails to your customers, tweak your company’s or your personal WordPress site, speak on a par with your technical teams, create a stunning personalised resume website!

Business today demands an ever-increasing skill base – and if HTML and CSS aren’t at the top of your list of things to learn in 2016, they should be!

To learn more and get a discount off my own HTML and CSS Online course and book click Web Development Essentials – HTML and CSS

Visual Studio Code – Why?

All Articles in series
Visual Studio Code Why?
Installing Visual Studio Code on OSX – From Scratch

I am a Microsoft developer. I have been for over 10 years, since Visual Basic was first released.

This article is the first in a series introducing the latest developer product from Microsoft (still in beta at the time of writing) – Visual Studio Code.  This wonderful piece of software runs on Windows, Linux and OSX.  As I use an Apple MacBook Pro as my workhorse the potential for this is like suddenly discovering the wheel – it really is going to be a revolution!

But why? And perhaps more importantly WHY do I use a MacBook when I am a professional Microsoft developer!?

Originally I wasn’t a professional developer – it was a hobby – but it was something I always knew in my heart I wanted to be.

Unfortunately when I started working the opportunities weren’t really around – at least not where I lived in the North of England.

And so I did the next best thing – I became an IT consultant – and I focussed on Microsoft products – Windows 3.1 and Windows NT.

The point is, since then I have been Microsoft through and through. So I often ask myself why I own an iPhone, and 4 iPads, and two years ago I bought a MacBook Pro.

All I can say is the hardware is just gorgeous.  The OS to some extent doesn’t really bother me that much – which is odd considering my professional focus!  But then actually, if I think about it, it DOES make sense, as for the past 10 years my development career has been about Web Development – which at the back end IS Microsoft (.NET) but for the end user is actually just HTML – and therefore OS agnostic.

In 2012 I needed a new laptop.  I wanted a nice screen – after all, I spent my days staring at a screen as I wrote code – and the MacBook Pro with Retina display just ticked all the boxes.  I also wanted something thin, light and powerful.  At the time the ONLY thing on the market was the MacBook.  Before then I’d never used a Mac, but now I couldn’t imagine NOT using a Mac.  I wonder if it’s because deep down I’ve always been a bit artistic – and Apple (at least originally) has always attracted the more artistic types because of the aesthetics of its products.

But this left me with a quandary. I was a Microsoft developer! And so for the past few years I’ve used Windows Virtual Machines running on my Mac. I hardly ever touched OSX at all! It was simply the shell for running my VMs.

Actually this worked really well – as being a developer you often have to build and rebuild your OS as you install various tools, then uninstall them or upgrade them. And using VMs makes this process sooo much easier!

And then there is the plain and simple fact that as a developer I need to understand various diverse platforms – Windows, OS X, Android, iOS.  In fact in my current position I am involved with a number of iOS applications that talk to a .NET back end.  This pretty much sealed the deal – by using a MacBook with Windows VMs on top I really could have my cake and eat it!

So then Visual Studio Code comes along.  And now I have a reason to be a Microsoft developer AND an OSX user.  Again the question – WHY?  Well, first of all, with ASP.NET 5 and Mono I can actually build applications using Microsoft .NET but deploy them to Linux/Unix – which tend to be a bit cheaper to host – not to mention the exciting possibilities Docker is giving.

Yes, Docker is now available on Windows, and IIS in the latest version of Windows is so much faster and has a much smaller memory overhead (not to mention how much faster it can spin up) – but there’s something about the flexibility of being able to deploy to either Windows OR Linux that gets me excited – I can’t help but feel that this, combined with Docker, is going to be a game changer in the industry.

And so the potential to build software completely on OSX, Windows or Linux, using the same code base?  Well, now I’m feeling the sort of excitement lottery winners feel when they see their numbers come up!  Sad, I know.

But now here’s a problem.  I’m a Microsoft developer, ex Microsoft OS consultant, and I’ve just been using OSX as a shell for my Windows VMs.  I know practically NOTHING about OSX and, more importantly, the underlying Unix (BSD-derived) OS that OSX is built on.  I’ve spent the past few months playing with VS Code, and I finally think I’m starting to get to grips with it!

So this series of articles is really about my experience installing, setting up, and building full .NET websites using VS Code, ASP.NET 5 and Mono – all on an OS I don’t really know, and using technologies (like Bower, Node.js, npm, Grunt, Gulp) that I’ve never had to worry about before (because Visual Studio just DOES IT for you!).

I hope you enjoy the series, and glean some benefit from it!

The first article in the series – installing VS Code and it’s dependencies can be found here
Installing Visual Studio Code on OSX – From Scratch

Installing Visual Studio Code on OSX – from scratch!

All Articles in series:
Visual Studio Code Why?
Installing Visual Studio Code on OSX – From Scratch

Installing Visual Studio Code

This guide will assume a complete clean install of OSX.  That means that I will cover every single pre-requisite that is required.  I will also assume the reader has not much experience with OSX – if you are coming from a Windows .NET development background, installation of many of the pre-requisites is not as straightforward as you’ll be used to!

Installing Code

First of all – the easy bit. Installation of the main Visual Studio Code program.

Go to the website; it will detect whether you are running OSX, Windows or Linux and present you with the relevant link.  Simply click the link to download the program.

This will download Visual Studio Code.

This is a self-contained program and doesn’t require any installation.  But let’s move it from the default download location, which should be Downloads, to the Applications folder.  Simply drag it from the Downloads folder onto the Applications folder in your Dock (if you’ve created a shortcut for it) or to the Applications folder in Finder.

Now run the program by going into Applications (from finder or the Dock) and clicking it. The first time you run it you’ll be prompted to open the file as it was downloaded from the internet. Just click Open.

If you want it to be always in the Dock, right click the Icon choose options and ‘Keep In Dock’.

Another useful option for launching VS Code is to enable launching from a Terminal window.  On OSX a lot can and will be performed through Terminal, so it’s handy to be able to simply type ‘code .’ and have it launch.

To set this launch Terminal by going to the Applications folder, then the Utilities folder and clicking ‘Terminal’. Again once running it will be handy to create a shortcut to it by right clicking it and choose Options->Keep In Dock.

What we need to do is edit a file called .bash_profile – this is a startup file that you can use to set environment variables and the like.  It is also hidden (the leading dot).  So to edit it, in the Terminal window type nano ~/.bash_profile

You will be presented with a blank screen (unless you’ve installed some software that has already put something in it).

Enter the following

# 'code' with no argument opens VS Code; 'code <path>' opens that path (made absolute first)
code () {
    if [[ $# = 0 ]]; then
        open -a "Visual Studio Code"
    else
        [[ $1 = /* ]] && F="$1" || F="$PWD/${1#./}"
        open -a "Visual Studio Code" --args "$F"
    fi
}

Now press CTRL+O and accept the default filename to save the changes, then press CTRL+X to exit nano.

This file is read by every new login shell, but to load it into the current one type

source ~/.bash_profile

so now if you type (with the period)

code .

VS Code will launch.

Node.js & NPM

Node.js is a JavaScript runtime execution engine. Using it you can create JavaScript applications. It is also used when building applications in VSCode to automate tasks.

Node also includes a utility called NPM – Node Package Manager. NPM is like NuGet – we can use it to install software and update software.

We will be using NPM a lot, so the next thing we need to do is install Node.

In a browser navigate to

On the main page you will be presented with the current release of Node.js for your OS.  Click the link to download the installer, which will be called something like node-v0.12.7.pkg (the actual name will vary depending on what the current version is).  Simply run the installer by double clicking it.

In the dialog that appears click continue, then accept the license agreement, then click the install button.

Once installed you’ll be presented with a box telling you to make sure /usr/local/bin is in your path – this is so it can be executed from anywhere.

On a default OSX installation this is already set. You can confirm this by typing echo $PATH in the terminal window.

To confirm everything is working as we need, now type the following

node

This will launch the Node.js interactive shell and you’ll see a ‘>’ prompt.  Now type

console.log('node is working')

If it’s working ‘node is working’ should be output to the window. You’ll also see ‘undefined’ appear – don’t worry about that.

To quit out of node press CTRL+C twice.


The next piece of software we need is Mono. Mono is an open source implementation of .NET. Basically this means it allows you to run .NET applications on Linux and OSX based systems!

To install Mono in a browser navigate to

Again the front page will have a link to download Mono. Click the link then double click the .pkg file that is downloaded to start the installer.

Click continue, accept the License agreement and click install.

.NET Execution Environment (ASP.NET 5)

Now we have Mono, we can install the ASP.NET 5 runtime itself. This has to be done via a terminal Window and in stages. So launch terminal (if it’s not already running).

First install the .NET Version Manager (dnvm). To do this in terminal type the following

curl -sSL | DNX_BRANCH=dev sh && source ~/.dnx/dnvm/

This will download dnvm and automatically update your .bash_profile with the required environment settings.  Note that this pipes a script straight from the network into sh; if you want to see what is about to run on your machine, download the script first, read it, and then run it.

Now we can use dnvm to install or upgrade the CoreCLR flavour of the .NET Execution Environment (DNX) by typing the following

dnvm upgrade -r coreclr

Finally, we must install DNX for Mono by typing

dnvm upgrade -r mono

The final step is to update our .bash_profile again.  We need to ensure the dnvm and dnu commands are in our path, and also enable a setting to fix an IOException that we get with Mono and .NET.

So again in terminal edit our profile like we did before with

nano ~/.bash_profile

Make sure you have a reference to the – it will either simply have source, or a longer more verbose version.
After that line then add


Save the file by pressing CTRL+O

Then quit out with CTRL+X


The final software we need to install is called Bower. Bower is another package manager – like NuGet – but specifically for Web Projects.

We install Bower using NPM (The Node Package Manager). From a terminal window type the following

The Importance of Flexible Application Design

I don’t normally blow my own trumpet, but this week the team I work with won a prestigious ‘Innovation’ award at Capita Plc for an iPad/ASP.NET/WebAPI solution we have built to address a specific business need.

The application essentially allows building surveyors to record information about properties using an iPad in offline or online mode, sync that data up to a backend SQL database via an ASP.NET WebAPI service, and then expose the data through an ASP.NET web portal.  There are also the usual reports and dashboards that managers and such like generally swoon over.

The product itself is a great time saver: it allows surveys to be taken and reported on in a fraction of the time compared to pen and paper, or even an Excel spreadsheet (by hooking costs onto the items that are picked by the surveyor).

As good as the solution is from a business perspective, what really impressed the judges was how easily it could be adapted to run any kind of survey you want without having to re-code anything.

Let me explain a bit more.

Version 1 of the solution was built for a specific type of survey, and as such the original developer involved built the application with certain settings hard coded.  So for example, in this particular survey they wanted to segregate any one building into Blocks, Levels and Items, therefore to accommodate these business requirements the developer created Block, Level and Item entities.

The backend database used these entities, the front end iPad app used these entities.  And it worked fine.

Specific Entities

But then as these things go other areas of the business saw what had been done and naturally wanted the same thing for them.

Business versus Technical Design

The problem was that each area of the business wanted something slightly different.  Some wanted 4 or 5 levels, some wanted only 1 block, some didn’t really want to record costs but rather just snippets of information such as diary events during the course of a building project.

The original plan was to use the v1 as a core but then re-develop both the backend, and the iPad app for each client.

Now from a technical design point of view this is great.  We get to independently give each client exactly what they want.

However, from a business perspective this really wasn’t very good.  You see, there are 3 major issues with this way forward.

  • Each new client would take 3-4 months to re-develop
  • Multiple codebases – both front and backend for each client
  • no central location for management

Ultimately these 3 issues really come down to one common business problem – cost.

You see, many times the business would want it NOW.  Or at the very least within a couple of weeks, obviously being told 3-4 months PLUS testing is no good.

Secondly, although some commissions were large value, some were only for a few thousand (as it was only a handful of small properties/locations).  Again at 3-4 months the cost just becomes prohibitive.

Third, with multiple code bases and no central management location, looking after all these different implementations would require far more support overhead – and therefore cost.

Start from scratch or accept the negatives?

It is about this time that I got involved with the project.

Immediately I saw the issue but more importantly the solution.

To some this may be obvious, but when you’re a true techie, especially someone who has already invented the wheel once, it’s quite hard to see more flexible alternatives.  After all, what does a techie care about costs?

Now I think I’m quite lazy!  But believe me, this has often been a useful trait.

You see I’m lazy in that I hate boring repetitive tasks,  I also hate having to re-do the same thing again and again.  Once done I want it finished so I can move onto another challenge.

So to me the solution was to have a generic ‘level’ that could recurse itself.  Each level then has a type associated with it, and a parentId.

In this way a ‘level’ can be anything you want – a building, a floor, an area of ground, a room, a swing, whatever – linked into a parent/child hierarchy accordingly.  We then define WHAT it actually is within a template, which is itself stored as a template entity.

The iPad app and the web UI simply interrogate the template to work out what kind of control to use, so as the template changes the UI just flows around it accordingly.

Flexible Entities

So what we can now do is build HOW the app will work within the app itself, without having to rebuild either of the UI’s or the backend.  We also get to keep everything in a central location and report across ALL different survey types.

This is nothing new.  There are LOTS of apps that do this, but its surprising how often this design pattern can be used.
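As an added example, and not the team’s own code (the article shows no schema), here is the generic level-plus-template idea in Python.  The entity and field names (Level, parent_id, Template, FieldDef), the two templates and the survey records are all assumptions constructed for illustration.  The validator is the piece a practitioner wants alongside the pattern: once the hierarchy is data supplied by the device rather than fixed entities, the backend has to check that each synced level’s type is allowed under its parent, that values match the template’s controls, and that the parent chain does not loop, otherwise the recursive UI and the roll-up reports never terminate.

```python
"""Added example, not from the original article: a self-referencing Level whose
meaning comes from a Template, plus the server-side validation it then needs.
Names (Level, parent_id, Template, FieldDef) and all sample data are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class FieldDef:
    name: str
    control: str                   # "text" | "number" | "date" | "choice": tells the UI which control to render
    options: tuple[str, ...] = ()  # permitted values when control == "choice"

@dataclass(frozen=True)
class LevelType:
    name: str
    children: tuple[str, ...]      # level types allowed directly beneath this one
    fields: tuple[FieldDef, ...] = ()

@dataclass(frozen=True)
class Template:
    name: str
    root: str                      # the only type allowed to have no parent
    types: dict[str, LevelType]

@dataclass
class Level:                       # one generic entity replaces Block, Level and Item
    id: int
    type: str
    parent_id: int | None
    values: dict = field(default_factory=dict)

# Constructed template 1: the old hard-coded Block -> Level -> Item survey, now just data.
COST_SURVEY = Template("building-condition", "block", {
    "block": LevelType("block", ("level",), (FieldDef("name", "text"),)),
    "level": LevelType("level", ("item",), (FieldDef("name", "text"),)),
    "item": LevelType("item", (), (FieldDef("description", "text"),
                                   FieldDef("condition", "choice", ("good", "fair", "poor")),
                                   FieldDef("cost", "number"))),
})
# Constructed template 2: a shallower diary with no costs, served by exactly the same code.
DIARY = Template("project-diary", "site", {
    "site": LevelType("site", ("event",), (FieldDef("name", "text"),)),
    "event": LevelType("event", (), (FieldDef("when", "date"), FieldDef("note", "text"))),
})

def _check_value(fd: FieldDef, value) -> str | None:
    if fd.control == "number" and not isinstance(value, (int, float)):
        return f"field '{fd.name}' must be a number"
    if fd.control == "choice" and value not in fd.options:
        return f"field '{fd.name}' must be one of {fd.options}"
    if fd.control in ("text", "date") and not isinstance(value, str):
        return f"field '{fd.name}' must be text"
    return None

def validate(template: Template, levels: list[Level]) -> list[str]:
    """Check a flat list of levels, as synced from a device, against the template."""
    by_id = {lv.id: lv for lv in levels}
    errors: list[str] = []
    for lv in levels:
        ltype = template.types.get(lv.type)
        if ltype is None:
            errors.append(f"level {lv.id}: unknown type '{lv.type}'")
            continue
        if lv.parent_id is None:
            if lv.type != template.root:
                errors.append(f"level {lv.id}: '{lv.type}' cannot be a root")
        elif lv.parent_id not in by_id:
            errors.append(f"level {lv.id}: parent {lv.parent_id} does not exist")
        elif lv.type not in template.types.get(by_id[lv.parent_id].type, LevelType("", ())).children:
            errors.append(f"level {lv.id}: '{lv.type}' is not allowed under '{by_id[lv.parent_id].type}'")
        # Walk up the parent chain: a loop in client-supplied parent_ids would hang every recursive consumer.
        seen, cur = {lv.id}, lv
        while cur.parent_id in by_id:
            if cur.parent_id in seen:
                errors.append(f"level {lv.id}: parent chain is cyclic")
                break
            seen.add(cur.parent_id)
            cur = by_id[cur.parent_id]
        allowed = {fd.name: fd for fd in ltype.fields}
        for name, value in lv.values.items():
            err = _check_value(allowed[name], value) if name in allowed else f"field '{name}' is not defined for '{lv.type}'"
            if err:
                errors.append(f"level {lv.id}: {err}")
    return errors

def to_tree(levels: list[Level]) -> list[dict]:
    """Nest the flat list into parent/child dicts for the UI or a report to walk."""
    nodes = {lv.id: {"id": lv.id, "type": lv.type, "values": lv.values, "children": []} for lv in levels}
    roots: list[dict] = []
    for lv in levels:
        (nodes[lv.parent_id]["children"] if lv.parent_id in nodes else roots).append(nodes[lv.id])
    return roots

def roll_up(node: dict, field_name: str) -> float:
    """Sum a numeric field over a subtree of any depth, e.g. cost per block."""
    own = node["values"].get(field_name, 0)
    return (own if isinstance(own, (int, float)) else 0) + sum(roll_up(c, field_name) for c in node["children"])

SAMPLE_SURVEY = [  # constructed records, in the flat form a device would sync
    Level(1, "block", None, {"name": "Block A"}),
    Level(2, "level", 1, {"name": "Ground floor"}),
    Level(3, "item", 2, {"description": "Fire door", "condition": "poor", "cost": 450}),
    Level(4, "item", 2, {"description": "Window", "condition": "fair", "cost": 120.5}),
]
```

validate(COST_SURVEY, SAMPLE_SURVEY) returns an empty list and roll_up(to_tree(SAMPLE_SURVEY)[0], "cost") gives 570.5; feed the same functions a diary template and diary records and they work unchanged, which is the whole point of the pattern.  The one cost of that flexibility is that validation can no longer be left to the database schema, hence the explicit checks on type, parent and cycle.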

The Business MUST come first

Now, this of course caused quite a heated ‘discussion’ between myself and the original developer.  He (quite rightly) pointed out that such a method would complicate the code more, making reporting a bit more difficult and increase the amount of required processing power.

However, although this is all true, the fact is, as developers we shouldn’t care about such things, it is our job (or at least should be) to bring the best possible value to the business – and if that means we have a harder time of it then so be it.

Now don’t get me wrong – I’m not suggesting we should embrace creating horribly complex code – quite the opposite – if you also apply SOLID patterns to your solutions then you can easily split up this complexity into nice manageable chunks.

And as for the processing power, well not really.  Even our 2nd generation iPads quite happily reconstructed the models according to a template on the fly – and we had some BIG templates with LOTS of data.

Reporting caused a few problems initially, but again Microsoft provide all the tools, in the form of SQL Server Analysis Services tabular models, to help out when things got too hairy.

But let’s get back on track.  Eventually I won the discussion 🙂

The resultant solution now means new clients can be accommodated within DAYS, not months.  This has a huge impact on costs and allows smaller projects to make use of our system.  It also gives the business confidence that it can bid for new work knowing that if they win (and by being able to do the job faster and therefore cheaper, they often win), we can turn around the new system for them within a few days and let them get on with the job as efficiently as possible.

Because lets not forget – software is about adding more value to the business, either with cost savings or a better proposition.