TechEd NA 2014 – Cloud-Based Load Testing

TechEd North America 2014, Houston
Using the Cloud-Based Load Testing Service and Application Insights to Find Scale and Performance Bottlenecks in Your Applications – Vibhor Agarwal

Day 3, 14 May 2014, 10:15AM-11:30AM (DEV-B335)

Disclaimer: This post contains my own thoughts and notes based on attending TechEd North America 2014 presentations. Some content maps directly to what was originally presented. Other content is paraphrased or represents my own thoughts and opinions and should not be construed as reflecting the opinion of either Microsoft, the presenters or the speakers.

Executive Summary—Sean’s takeaways

  • Various testing scenarios, e.g.
    • Load Testing – how will application perform at expected load?
    • Stress Testing – how/when will application “fall down”?
  • Load Test uses one or more web tests to hit web site or service
    • Lots of options for configuring test–# users, timing, etc.
    • Can configure the Load Test to match what you believe to be real-world scenario
  • User response time is a good key indicator
  • Cloud-based load testing allows scaling out in cloud
    • Allows heavier duty tests, e.g. for stress testing
    • Easy to set up and tear down test
  • Visual Studio 2013 Ultimate only
  • Application Insights—dashboard with key metrics about running site

Full video

Vibhor Agarwal – Principal Group Program Manager – Testing Tools, Microsoft


  • Why load testing?
  • Cloud load testing
  • Application insights

Mention of healthcare web site issues—didn’t scale

Why load testing?

  • 1 – Performance testing
    • How fast will the application perform?
    • Typically when you have single user
    • Also—how fast, based on current load? Ok, see below
  • 2 – Load testing
    • How will application behave under expected load?
    • Might work fine for single user, but break under load
  • 3 – Stress testing
    • At what point will application break, i.e. at what load?
    • “Limit testing”, “scale testing”
    • If expected load is X, try out 2x, 3x, etc.
  • 4 – Capacity planning
    • Will application scale up to future capacity
    • How many more servers do we need
    • You can use load testing data to extrapolate

Demo – Performance testing

  • File | New – Web and Load Test Project
  • Create a simple webtest
  • Record some actions on web site, hit a few pages (typical browsing)
  • If there is user input required, the web test will parameterize that stuff
  • Play on local machine—repeats the same actions
  • Records how much time it takes at each steps
  • Look at dependent links that are being followed
  • Also shows # bytes being transferred

Demo – 2nd web test

  • Want to model various typical user scenarios
  • When you enter input, e.g. user input, it doesn’t capture it—so need to do full UI test

Demo – Other stuff available

  • Can data drive web test from CSV, XML or other data source
  • Can generate code based on web test, then modify stuff to customize
  • Parameterize web servers
    • Use same web test, but run on a different web server

Demo – Create Load Test

  • Project | Add | Load Test
  • Wizard
  • Think time profile
    • Use recorded – follow original time profile
    • Normal distribution based on recorded times
  • Typically do use think time, normal distribution
  • Load Pattern
    • Constant load – # users
    • Step load – start at one level, then add users. Good for Stress Testing
  • Test Mix
    • Total # of tests
  • Add web tests to load test, set distribution
  • You could create load test with many parallel scenarios
  • Browser mix
  • Load test duration
    • Set time
    • Typically, you also do warm-up – e.g. once cache is full, response gets better

Demo – Run Load Test

  • Run load test, using local machine
  • Users power of local machine to generate load
    • Works for small load
  • More realistically, you want test rig to do load test with larger # users
  • Creating test rig is sort of a complex process

What is needed to make that work?

  • Network-based load testing is
    • Expensive to set up
    • Complex provisioning
    • Slow to scale
    • Costly to maintain
  • Get PCs, physically set them up, replicate – painful

Demo – Cloud Load Testing

  • Infrastructure uses Azure cloud
  • Test Settings | Run tests using Visual Studio Online
    • That’s all you need to do
  • Test gets queued
  • You do have to connect to Visual Studio Online
  • Load test now in progress in cloud
  • Spits out data while test is running
  • Can open up load load tests that were run

Q: What is application sits behind firewall

  • You need to find hole in firewall to allow the web-based testing
  • VPN tunnel – might be too much for the tunnel, but haven’t done much with this yet

Demo – Review load test results

  • Graph showing user response time, over length of load test
  • View showing entire test, with various key indicators
  • What is most relevant is response time – 95th percentile

Demo – Excel plug-in

  • Can dump out all test data to Excel
  • Trend Analysis or Comparison view
  • Comparison view is the most interesting

Benefits of cloud-based load testing

  • 1 – Don’t have to set up test infrastructure
  • 2 – Get infrastructure in cloud when you need it
  • 3 – Use same load test project that you use on premises
    • Just single settings change
  • 4 – Scale out easily in case of doing stress testing

Cloud load testing today

  • Public preview, Nov-2013
  • General availability, Apr-2014
  • Using it: Xbox, Skype, Visual Studio Online
  • Some customers doing load testing as part of regular process, e.g. weekly
    • Rather than waiting until end of project

Visual Studio Online

  • Application Insights

Application Insights

  • 360 degree view of your application
    • Available – is application available, e.g. from various locations
    • Performing – under load conditions
    • Succeeding – usage dashboards; what are usage metrics, data

Demo – Using Application Insights along with Load Testing

  • Under Load Test | Run Settings, right-click Applications, Get Performance Data
  • Can look at various Performance Counters for your application—right in Visual Studio IDE
  • Can then export to Excel report, correlate
  • In Visual Studio Online, lots of graphs, showing metrics on your application
  • Can use webtest to test availability for long time period
  • Using load testing and Visual Studio Online to get good analytics
  • Can look at top slowest pages
    • Dbl-click into specific events; will jump back to Visual Studio and show you location of problem (in VSO)

Q: Can you manage specific tests up in the cloud? View for Test Management in Visual Studio Online?

  • Not really well represented now, but something that we have planned

Q: Do I need Visual Studio Ultimate?

  • Yes

Q: Is there any way to automatically schedule and then auto compare against various thresholds?

  • Will get to this (future things)

Q: If I run a web test that’s reading/writing to database on-premise, how will that work when running in cloud

  • Cloud test won’t be able to handle this
  • Will have to do SQL Azure storage, rather than on-premise

Upcoming features

  • Customer counters from Application Insights with load test
  • REST APIs to queue Load Tests (automate/schedule)
    • Then have your own logic to compare logic
  • Geo-specific load generation
    • Load service today always come from East U.S.
    • Coming soon—Europe
  • Richer analysis/reporting
    • Excel plug-in, reports

Who can use cloud load testing?

TechEd NA 2014 –Building Real-Time Applications with ASP.NET SignalR

TechEd North America 2014, Houston
Building Real-Time Applications with ASP.NET SignalR – Brady Gaster

Day 3, 14 May 2014, 8:30AM-9:45AM (DEV-B416)

Disclaimer: This post contains my own thoughts and notes based on attending TechEd North America 2014 presentations. Some content maps directly to what was originally presented. Other content is paraphrased or represents my own thoughts and opinions and should not be construed as reflecting the opinion of either Microsoft, the presenters or the speakers.

Executive Summary—Sean’s takeaways

  • SignalR is a mechanism for real-time communication between web server and client(s)
  • You code to abstraction that is unaware of capabilities on either server or clients
  • SignalR automatically uses the most appropriate protocol to accomplish real-time
  • Basic idea
    • Something happens in one browser (or on server) and you can inform all current web clients immediately
  • In action
    • Move rectangle around in one browser and you immediately see it moved in all other browsers
  • New Browser Link feature implemented using SignalR
  • Practical applications
    • Web Chat, Hit Counter
    • Real-Time display of some central data store

Full video

Brady Gaster – Program Manager, Azure SDK & Visual Studio Web Tools Publishing, Microsoft


Main web page for SignalR –

When he first saw SignalR, “everything changed”

  • Always open source


  • What is SignalR
    • After you see it, everything starts looking like a nail
    • For real-time HTTP
    • Might lose 1/100 messages
    • Not for pub-sub with queues—not for durable messaging
    • Don’t replace all your REST APIs with SignalR
    • Browser Link uses SignalR
  • Hub Class & jQuery Plugin
  • SignalR and AngularJS
  • SignalR .NET Client
  • Calling SignalR Hub methods on the server
  • Authorization with SignalR
  • Scaling SignalR in web farms
  • Self-hosting SignalR using OWIN

SignalR is an abstraction that intelligently decides how to enable real-time over HTTP

  • But HTTP is stateless protocol, not really designed for real-time
  • You write to an abstraction

Demo – SignalR in action – SignalR Hub and jQuery plugin

  • New project, ASP.NET Web app
  • HitCounter app
  • Install NuGet pkg – Manage NuGet, “Microsoft ASP.NET SignalR”
    • If you want SignalR in web app
    • .NET Client – for server-side
  • Readme.txt shows up
    • Uses Owin, hosted in Owin, no global.asax stuff
    • “Map your hubs”
  • Add file – “OWIN Startup class”
    • App.MapSignalR(); — how to route request to hub
  • Add | SignalR Hub Class
    • HitCounterHub : Hub
    • HubName “hitCounter”
    • Public method RecordHit
      • Add to hit count
      • this.Clients.All (or Caller, or Others)
      • .onHitRecorded
  • Hub/Spoke mode
  • “Once I learned how to use SignalR, dynamic made a lot more sense”
  • Client-side web page
    • Add in jQuery, jQuery.signalR
  • Javascript, function
    • Create connection with $.hubConnection
    • createHubProxy(‘hitCounter’)
    • hub.on(‘onHitRecorded’) => callback for when hub calls this method
    • Define function that updates counter ** scode 8:49 **
    • Start connection and then invoke method on hub
  • SignalR allows sending message out of the client

Demo – Know when clients disconnect

  • In Hub class, define OnDisconnected
  • Server will know when something disconnected

SignalR on old-school servers & clients

  • Old-school—polling
  • SignalR will actually do polling on older browsers that don’t support newer constructs that allow event handling
  • HTML Client starts up, asks server if it can do real-time, web sockets

SignalR built almost entirely on async, so won’t block threads back to server

  • E.g. stress testing team/tool
  • SignalR, first thing that fell down was the network card

Demo – Move Shape

  • Moving shape in one browser, you see it move in all browsers
  • URL shows “foreverFrame” in URL
  • SignalR figured out best mechanism
  • Then enable web sockets
    • Now no foreverFrame in URL, but using web sockets

Demo – SignalR with Angular

  • jQuery and Angular play well together
  • Trace hub – no code
  • Connect trace hub to listener
  • Create Angular factory, signalRService
  • Client dumps out trace messages as 2nd browser hits pages

Demo – Using SignalR’s Native .NET Client – MoveShape with Kinect

  • Daemon on server, pulls in SignalR.Client
  • JavaScript and .NET clients have parity
  • HubConnection created on server
  • Console app that patches Kinect into SignalR on the server
  • Moves shape with his hand

Demo – Calling a SignalR Hub from the Server

  • Real-time location tracking
  • As people connect, pins show up on the map in real-time
  • As people hit site, it’s calling server to add location info
  • GetHubContext<MappingHub> – gives instance of sub back to client, so that he can call methods on it

Demo – Authorization with SignalR

  • You’ll generally want to authorize clients
  • Server calls client to say “hello”
  • Put Authorize attribute on hub—can’t use hub unless logged in
  • You only want to let people use hub if they are authorized

Hubs are server-bound, so you’ll need to use a backplane if you’re running a web farm

  • E.g. if you’re running multiple instances on Azure

How do Backplanes Work?

  • By default, messages back out to client only go to clients on that server
  • Backplane
    • Redis or SQL
  • Client requests go all the way to backplane, then out to all web servers

Demo – Using a SignalR Backplane – Chat App

  • In Startup, SetupScaleOut
  • DependencyResolver.UseSqlServer
  • Same site hosted on two instances of IIS
  • Enable backplane, hit different servers from different browsers
  • Now messages show up in both browsers

Demo – Self-Hosting SignalR Using OWIN

  • Bring OWIN self-hosting and SignalR self-hosting (NuGet packets)
  • Host in .exe
  • SignalR.SelfHost package
  • app.UseCors (authorization)
    • Prior to MapSignalR

TechEd NA 2014 – Native Mobile Application Development using Xamarin

TechEd North America 2014, Houston
Native Mobile Application Development for iOS, Android, and Windows in C# and Visual Studio Using Xamarin – Anuj Bhatia

Day 2, 13 May 2014, 5:00PM-6:15PM (DEV-B221)

Disclaimer: This post contains my own thoughts and notes based on attending TechEd North America 2014 presentations. Some content maps directly to what was originally presented. Other content is paraphrased or represents my own thoughts and opinions and should not be construed as reflecting the opinion of either Microsoft, the presenters or the speakers.

Executive Summary—Sean’s takeaways

  • The case for native apps built using Xamarin
    • Native UI for rich experience
    • Native performance
    • C# on the client, leverage existing .NET skills
    • Huge % of shared code across platforms
  • Working directly in Visual Studio
  • Universal Apps – single solution, cross platform
  • Sharing code with either Shared Source or Portable Class Libraries
  • Component Store – lots of 3rd party components, easy one-click install/use
  • Xamarin Test Cloud – test simultaneously on hundreds of devices

Full video

Anuj Bhatia – Enterprise Account Manager, Xamarin

Premise of Xamarin story

  • How do we turn you (Microsoft dev) into a mobile developer?

People Expect Great Experiences

  • First experience for people are things like Facebook and Twitter—great experiences
  • Attention to detail

What’s Driving Mobile?

  • Engagement on mobile devices—how are they engaged?
    • 86% apps / 14% browser
    • We’ve come to expect great experiences

Facebook HTML5 app (hybrid)

  • Horrible ratings in app store for HTML version

Facebook then did true native app

  • Clearly a better experience for everybody (judging from the app store ratings)
  • Meeting (or exceeding) people’s expectations

Xamarin growth – 600,000 registered developers

  • Lots of enterprise customers

Xamarin Studio + Visual Studio

  • Build native apps on iOS, Android using C#
  • Reach 2.6 Billion devices
  • Build fully native apps
  • Go mobile overnight—leverage existing skillsets, e.g. .NET, C#
  • Accelerate development—code sharing, component store
  • Component Store—easy to add functionality
  • Securely connect enterprise data—easy to connect to back-end systems

Could do “Write Once, Run Anywhere” approach

  • Lowest common denominator
  • Not good for scaling

How Xamarin Works

  • Native UI
  • Native performance

C#, Native Apps, No Compromises

Demo – Build Native iOS App with C#


  • Running sample app on iOS
  • Some simple animations: slow zoom on image, and Add to Basket animation
  • Mac with Build Host connection to PC
  • F# build scripts
  • Shared source project (i.e. for universal app)
    • Back-end services connecting to Azure
    • Extension methods
    • Models – huge benefit, not having to rewrite code
    • Authentication client
  • Authentication
    • Oauth2Authenticator – from Xamarin?
    • Automatically shows login screen
  • Filling out form, then “Place Order” click


  • Using Azure Mobile Service client service library

Native UI

  • Designer in Visual Studio
  • Add from Toolbox

Sharing Code Across Platforms

Universal Apps

  • Universal Apps
    • Easily share code between platforms
    • VS 2013 in beta
    • Soon – Xamarin Studio on Mac
  • Shared Source

Portable Class Libraries

  • Pure PCL
    • Limits expressiveness, but easy to build
    • Requires interfaces/plugs to work properly
    • Vs. shared source
  • Can pick targets – just platforms that you want
  • Xamarin moving entirely to PCL
    • Profile 78 is favorite
    • System.Drawing, moving to new platforms
    • In progress

Component Store

  • >150 components
  • Click on component, add to App, package managed for you, everything automatic
  • Charting controls, et al

Xamarin Test Cloud

  • Developers end up testing apps for mobile
  • Find bugs before your users do
    • Start immediately
    • Hundreds of devices – target hundreds of real devices (like Azure, for smartphones)
    • Continuous integration – integrate with your ALM (e.g. TFS)
    • Beautiful reports – great visual reporting
    • Test for fragmentation –
    • Object-based UI testing – test entire app, from UI down, using object-level UI testing
      • Don’t hard-code screen coordinates !
      • Too many device geometries

Automatically test device on hundreds of mobile devices

The Ideal Automated UI Testing Solution

  • Maximum market coverage with lowest coverage
  • Tests on real devices – from UI down
  • Resilient to UI changes
  • Continuous integration processes
  • Beautiful dashboards and detailed analytics

Real devices

  • Same as end users—no jail-breaking
  • Test from UI down
    • User interactions
    • Bugs & Crashes
    • Memory & performance

Resilient to UI Changes

  • Object-level user interface testing
  • Tests adapt as user interface changes

Support for continuous integration

  • Run tests directly from TFS, for example

Beautiful Xamarin Test Cloud UI

  • Cloud environment to allow testing on multiple real devices
  • Step through test code

Rdio demo

  • Simultaneously see app running on multiple devices—all on one screen
  • This is amazing

Xamarin University

  • Live delivery

Xamarin Certifications

  • iOS, Android, and Cross

TechEd NA 2014 – What’s New in Mobile Services and Notification Hubs

TechEd North America 2014, Houston
What’s New in Mobile Services and Notification Hubs – Elio Damaggio, Miranda Luna

Day 2, 13 May 2014, 3:15PM-4:30PM (DEV-B330)

Disclaimer: This post contains my own thoughts and notes based on attending TechEd North America 2014 presentations. Some content maps directly to what was originally presented. Other content is paraphrased or represents my own thoughts and opinions and should not be construed as reflecting the opinion of either Microsoft, the presenters or the speakers.

Executive Summary—Sean’s takeaways

  • Mobile Services is turnkey back-end service for mobile apps
    • Adds features that you don’t need to write yourself
    • Microsoft manages/runs/monitors back-end service
  • Lots of new stuff in Mobile Services
    • Offline sync, push with Notification Hubs, etc.
  • Offline sync – for apps that are sometimes connected
    • Easily sync with Push/Pull paradigm
  • Hybrid Connections allow mobile app to connect to on-premise resource that has static IP
  • Push notifications in Mobile Services now use Notification Hubs
    • High volume, low latency
  • Use Push to silently sync app

Full video

Miranda Luna, Product Manager, Azure Mobile Team, Microsoft – @Mlunes90


  • Mobile Services Updates
  • Notification Hubs Updates
  • Questions & Resources

Mobile Services Investment Areas

  • What’s New
    • .NET backend – Web API on server
    • Heterogeneous data
    • Hybrid connections – between on-prem and Azure
    • Offline sync – occasionally-connected scenarios
    • Xamarin
    • AAD Authentication – Azure Active Directory
    • Visual Studio – tighter integration
    • API Management – publishing/managing access to API
    • Notification Hubs – easier now to achieve high volume, low latency
    • Sencha

Azure Active Directory

  • Extend line-of-business to mobile
  • Adds notion of AD user in Mobile Services
  • Enable applications built around organizational structures

Active Directory Authentication Library (ADAL)

  • Enables single sign-on

Basic ADAL + Mobile Services Flow

  • Access Token / Refresh Token

Access resources on behalf of the user

  • Mobile Service passes Access Token to AAD along with requested resource URI

Mobile Services .NET

  • Easy backend
  • Logic via .NET Web API
  • Turn-key Mobile Backend Capabilities
  • Local debugging
  • Flexible data model
  • Client SDKs for major platforms
    • iOS, Android, Windows, WinPhone, Xamarin, PhoneGap, Sencha
  • Integration with on-premise systems
  • We Manage/Run/Monitor your backend for you

Diagram showing data flow for Mobile Services – Value Add

  • Service the runtime without restarting your app
  • Can inject strings into app.config

New data model – Green field

  • DataManager – DTO – Entity for SQL

Existing data model – Brown field

  • DataManager – DTO / AutoMapper / Model
  • Maps to existing database

Offline support

  • Applications that are occasionally connected
  • Conflict resolution – users
  • Explicit Push/Pull to/from Mobile Service
  • TableController – with optimistic concurrency

Offline support

  • Store table operations in local data store
  • SQL-lite out of the box
  • Can use what’s out of the box or roll your own

Offline Methods

  • PushAsync – on entire context
  • PullAsync – pull all or a subset of items from remote
    • Pull triggers a push, for data inconsistency
  • PurgeAsync
    • Clear local cache to update data which app no longer needs
    • Purge triggers a push

Handling Offline Conflicts – code snippet

Hybrid Connections

  • Fastest way to consume on-premises resources in Mobile Services app
  • Connect to any on-premises resource that uses static TCP port
  • BizTalk Services hybrid connections

API Management

  • Mobile Services, Web Sites – Build & Host
  • API Management – Publish & Manage
    • Acquisition – “Epiphany”

API Management diagram

  • Admin portal – where you set policies, etc.
  • Developer portal

API Management Features

  • EXPOSE – discovery
  • PROTECT – authorization, quotas, rate limits
  • UNDERSTAND – usage, health, latency, activity, trends
  • MANAGE – lifecycle, versioning, monitoring

Elio Damaggio, Product Manager, Azure Mobile, Microsoft

Push Notifications

Notification Hubs – Azure hub that deals specifically with Push Notification

What’s New

  • Kindle support
  • Tag expressions
  • Visual Studio integration – send debug notifications
  • Mobile Services integration
  • New push-based pricing – based on # pushes
  • Build registration management APIs
  • Xamarin

Push Notifications

  • Push 101
  • Use Notification Hubs ..

Push 101

Mobile push is everywhere

  • Toasts, etc. in notification center
  • E.g. breaking news, SMS replacement
  • Healthcare LOB, e.g. prescription reminders
  • Travel, etc.

Push notification lifecycle

  • Registration at app launch
    • Retrieve current channel
    • App updates handled in back-end
  • Sending Notification
    • App back-end send notification to PNS (Platform Notification Service)
    • PNS pushes notification to the app on the device
  • Maintenance
    • Delete expired handles when PNS rejects them (tokens expire)

Challenges of push notifications

  • Platform dependency
    • Different communication protocols
    • Different presentation formats and caps
  • Routing
    • PNS provides way to send message to device/channel
    • Notifications targeted at users or interest groups
    • App back-end has to maintain registry associating device handle to interest groups/users
  • Scale
    • App back-end has to store handles for each device – high storage and VM costs
    • Broadcast to millions of devices with low latency requires parallelization

Advantages of using Notification Hubs

  • Cross-platform
    • REST-based
    • Support many client platforms
  • No need to store device information in the app back-end
    • Notification Hub does this
  • Routing and interest groups
    • Target individual users and large interest groups using tags
    • Free form, can use them for user IDs or for interest groups
    • From single user/device to big groups
  • Personalization and localization
    • Keep back-end free of presentation concerns like localization and user prefs using templates
  • Broadcast at scale, multicast, unicast
    • Push notifications to multiple devices with single call
  • Telemetry
    • Through portal or APIs

Using Notification Hubs

  • One-time setup
    • Create Notification Hub
  • Register
    • Client app gets handle from PNS
    • App updates registration

Some snippets

  • Register and Send


  • Tags as interest groups
    • When device registers, it specifies a set of tags
  • You can use tags for
    • Interest groups
    • Tag devices with user id
    • No need to pre-create

Tag expressions

  • E.g. “all my group except me”
  • OR, AND, NOT, etc.
  • Send notifications at specific times, or to time zones
  • Versions and platforms

Case Studies

  • Bing apps
    • All use Notification Hubs to power their notifications
    • 10s of millions of devices
    • 3 million notifications/day
    • <2 minutes to deliver
  • Sochi 2014
    • 100s of interest groups (countries, disciplines, athletes)
    • Localized notifications
    • 3+ million devices
    • 150+ million notifications, over 2 weeks

Notification Hubs & Mobile Services

New push engine for Mobile Services

  • Based on Notification Hubs (powered by)
  • No more Channels table
    • Simple two steps process to push notifications, no data handling
  • 1 Unit of Notification Hubs included for free
  • Node.js and .NET (back-ends)

From Mobile Services

  • Register and Push

Secure tags for push to users

  • Cases when Push used to enhance responsiveness of app

Register from your back-end

  • When tags have to be secured
    • E.g. userId for tag
    • App back-end can authenticate user before registering the device
    • Mobile app can’t connect notification hub directly
  • When back-end has to modify tags
    • Tags might depend not on user prefs, but on other global things
    • Back-end has access to add/remove tags from what device sends

Registering from the back-end

  • Identify your device
    • Keep long-living NH registration ids in device storage
  • Register
    • First time only, on app start – get registration id from hub, store in local storage
    • CreateOrUpdate device registration (every app start)
    • Back-end can verify and/or add tags (e.g. performing authentication)
  • Notes
    • Nothing stored in app back-end, not doing device management
    • Don’t use device SDK – will create multiple things

Back-end driven tag updates

  • Use tag to identify user
    • Back-end refers to users and not devices
    • Register devices with tag like userid
  • Back-end updates tags
    • Retrieve device registration by userid
  • Note
    • No device information in back-end
    • Back-end only refers to users

Very easy with Mobile Services (.NET)

  • Registrations already through through back-end
  • Just login the user in the device
  • Register from device (RegisterNativeAsync)
  • Implement registration callback to inject user tag
    • InotificationHandler.Register
  • Push to user
    • SendAsync to user ID

Secure Push & Rich Push

  • Deliver content directly from back-end
    • Rich media
    • Retrieve content securely from BE
  • Will look the same to user, but data won’t go through cloud service
  • Notes
    • Platform dependent
    • Secure push has to use long-lived auth token on app
    • App pulls data directly from back-end, but not yet showing anything to user

Push to Sync

  • Updates app state
    • Does not show message to the user
  • Example: music app
    • User changes playlist on desktop
    • Back-end send push-to-sync notifications to user’s devices
    • Even w/o opening app
    • User finds the new song already on their phone
  • User this feature with Offline feature of Mobile Services – local store
    • So everything just already right there
  • “This is what people expect from mobile apps” – no waiting
  • Platform-dependent
    • Windows, et al


  • Portal dashboard, programmatic access for all PNS outcomes
  • Security
    • Role-based security available to restrict access to hub for various rights
  • Scale
    • Guidance for high scale depends on specific scenarios
    • <5 million devices and <5 million pushes per day can just use single hub – no problem


  • $20/unit/mo (“unit” is NH)
  • 500,000 pushes per unit per month

Miranda again

Azure Mobile

Microsoft is making a massive investment to provide an end-to-end story for cross-platform mobile app development and management

TechEd NA 2014 – Domain-Driven Design

TechEd North America 2014, Houston
How You Can Architect and Develop Enterprise Mission-Critical Applications with Domain-Driven Design and .NET – Vaughn Vernon

Day 2, 13 May 2014, 1:30PM-2:45PM (DEV-B326)

Disclaimer: This post contains my own thoughts and notes based on attending TechEd North America 2014 presentations. Some content maps directly to what was originally presented. Other content is paraphrased or represents my own thoughts and opinions and should not be construed as reflecting the opinion of either Microsoft, the presenters or the speakers.

Executive Summary—Sean’s takeaways

  • Basic explanation of domain-driven design
    • Breaking model into sub-parts to reduce complexity
    • Each part in a different context, possibly using different language to talk about its elements
  • Presented at a very high subjective level, typical of academic papers about domain modeling
  • Nothing concrete presented
  • Nothing relating to doing data or domain modeling in .NET presented

Full video

Vaughn Vernon


  • Why enterprise apps need DDD
  • Mental Model – Domain experts and ubiquitous language
  • Strategic Design First, Tactical Modeling Second
    • Aggregate

SCRUM-based application management

  • Product, BacklogItem, Release, Sprint
  • BacklogItem has Task, which has EstimationLogEntry
  • Release – ScheduledBacklogItem
  • Sprint – CommittedBacklogItem

Additional items in DDD application lifecycle model

  • Forums, Discussions
  • Calendars
  • Tenants, Users
  • Account info, etc.
  • Team has structure, product owner, members, etc.

What are we really modeling here?

  • Time management, project management?
  • What is core?
  • Story of architects with huge UML diagram
    • Do you really need knowledge of this in order to develop enterprise software?
  • Easier way?
    • Yes, DDD
    • DDD isn’t necessarily easy
    • But DDD gives you tools to help you divide and conquer

Goal – Avoid hugely complex model

This Is DDD

  • Ubiquitous Language – describing elements relationship
  • Bounded Context – sets boundaries for what you model
    • How does it map to what I do every day?
    • Bounded context is just—everything you need for your application
    • Think of Visual Studio solution as the bounded context. (But avoid creating dozens of projects)
    • Think of it as – what doesn’t belong?
  • Insight bounded context, we are modeling single ubiquitous language

Linking contexts

  • Object in Bounded Context might be single rectangle that just references a different bounded context

The gap

  • Between business analyst and developer
  • Analyst has a very different idea of what the application is about

Main goal of DDD

  • Unify mental models
  • We use ubiquitous language to allow business analyst to talk to developer

Business Value

  • Story of customer where key domain expert wouldn’t attend the meeting
  • Asked the guy to just sit there for 30 minutes
  • Guy has “a-ha” moment, realizing need for DDD

Is It a Language?

  • Developers naturally draw boxes and lines and call it a language
  • Volunteer—describe your day only using nouns
    • We could make sense of this
  • But language is far more than that
  • Example sentence for SCRUM, e.g. “Backlog item will be committed to a Spring”
  • But quickly, we think of other constraints—who does something, etc.

Back to original drawing of Model, pick core Domain (subset of entities)

  • Pick subset of domain that makes sense

DDD Rule: Use Bounded Context to separate models by language


  • Fictional company, developing an agile project management product

Tenant and Multi-Tenancy

Early problem – too many connections

  • User and Permission connects to everything
  • Developers would say—move access management outside the bounding context
  • Key—the language doesn’t match
    • E.g. For Forum, talking about Moderators, Authors – not User and Permission

Bounded Contexts

  • Show original schema now broken up into bounding contexts
  • Users/Roles not in core context
  • Can think of having a different Visual Studio solution for each bounded contexts
  • And domain model in each

Brown-field development

  • Legacy system
  • “It’s just a lot of brown” – what a silly thing to say
  • Glimmer of hope, green is growing, next to the brown – ok, that was even sillier

Abstract and Encapsulate

  • Brown is spread between the green rows
  • Brown is in the barn over there, away from the green crops – yikes

Context Mapping

  • How does core context get its notion of entities in other contexts
  • It does “context mapping”
  • Several different context mapping approaches
    • E.g. Anti-corruption layer

Architecture diagram

  • Ports and adapters
  • Domain model at core, Application around it
  • Adapters on the outside
  • Ports are interfaces to outside entities
  • Adapters allow data to be brought in or out

Code snippet showing saveCustomer function and critique

  • This is not object-oriented
  • “This is a huge problem”

Second code snippet, more object-oriented

  • Reorganized code, with separate properties
  • These methods (maybe) better fit the domain logic


  • Aggregate is a special kind of entity

TechEd NA 2014 – Data Privacy and Protection in the Cloud

TechEd North America 2014, Houston
Data Privacy and Protection in the Cloud– A.J. Schwab, Jules Cohen, Sarah Fender

Day 2, 13 May 2014, 10:15AM-11:30AM (OFC-B233)

Disclaimer: This post contains my own thoughts and notes based on attending TechEd North America 2014 presentations. Some content maps directly to what was originally presented. Other content is paraphrased or represents my own thoughts and opinions and should not be construed as reflecting the opinion of either Microsoft, the presenters or the speakers.

Executive Summary—Sean’s takeaways

  • The issue of Trust is important whenever you talk about moving data to cloud
    • Need to convince users that data will be secure, private
  • Data Privacy is key goal for Microsoft
  • Lots of tools for controlling access to data, e.g. identity management
  • Security at many layers, e.g. physical, network, etc.
    • Microsoft pours lots of resources into security for the layers that they control

Full video

Jules Cohen – Trustworthy Computing group, Microsoft

Three major buckets, when thinking about moving data to the cloud

  • Innovation properties – will cloud let me do what I want?
  • Economics – what is TCO?
  • Trust

First two buckets are relatively un-complicated

  • Trust – harder to evaluate, more visceral
  • Privacy and data protection are part of trust


  • Microsoft has made significant investments
  • If you already trust the cloud, we’re going to improve level of trust

Changing Data Protection concerns to opportunities

  • You already trust people within your organization
  • In cloud world, some of these functions move off premises
  • Ref: Barriers to Cloud Adoption study, ComScore, Sept-2013
    • 60% – security is barrier to cloud adoption
    • 45% – concerned about data protection (privacy)


  • Can’t have privacy without security
  • Security is a pre-req
    • Do the right people have access to the data?
  • Once data is in the right hands, we can talk about privacy
    • Do people who have access to data use it for the right things?

Perceptions after migration to cloud

  • 94% – said they experienced security that they didn’t have on-premise
  • 62% – said privacy protection increased after moving to cloud

Microsoft’s approach to data protection

  • 1 – Design for privacy
    • Corporate privacy policies, disclosures
    • Trustworthy Computing formed in 2002, after memo from Bill Gates—privacy, security, reliability
  • 2 – Built-in features
    • Customers can use these features to protect their data
  • 3 – Protect data in operations
    • Operating services – Microsoft committed to data protection in service operations
    • Microsoft complies with various standards, help customers comply with those standards
  • 4 – Provide transparency and choice

Privacy governance – Program

  • Design for Privacy
  • People – Employee several hundred people focused on privacy
  • Process
    • Internal standards
    • Rules maintained by Trustworthy Computing
  • Technology
    • Use tools to support people and processes
    • Look for vulnerabilities

Privacy government – Commitments

  • Microsoft services meet highest standards in EU (Article 29)
  • First (and only) service provider to get this approval

Sarah Fender – Director of Product Marketing, Windows Azure, Microsoft – Built-in Features

Data Protections in Azure

  • Data location – can choose to run in a single region, or multiple regions
  • Redundancy & Backup
    • 3 copies of data, within region
    • Can also do geo-redundant storage, to different region
    • E.g. Create new storage account, pick region
  • Manage identities and access to cloud applications
    • Centrally manage user accounts in cloud
    • Enable single sign-on across Microsoft online service and other cloud applications
    • Extend/synchronize on-premise to cloud – Active Directory synching to Azure
  • Monitor and protect access to enterprise apps
    • Passwords stored in encrypted hashes
    • Security reporting that tracks inconsistent access patterns – e.g. user accessing service from distant geo-locations
    • Step up to Multi-Factor Authentication – e.g. text message or e-mail with secret code

Data encryption

  • VMs – encrypted disk using BitLocker
  • Can encrypt data at rest
  • Applications – RMS SDK
  • Storage – .NET Crypto, BitLocker (import/export), StorSimple w/AES 256

Data protections in Office 365

  • Encrypt data in motion and also at rest

A.J. Schwab – Senior Privacy Architect, Office 365, Microsoft – Protect Data in Operations

Value proposition of running in cloud

  • Less work—patching, reacting to problems

Defense in depth strategy

  • Physical
    • Who comes into facility?
    • What media goes in/out?
    • If bad guy can stand in front of your computer, it’s not your computer anymore
  • Network
    • Looking for anomalous traffic
    • Packet penetration testing
    • Watching logs
  • Identity & Access Management
    • Internal Microsoft authentication policies for internal staff
    • Know who people are and who gets access from within Microsoft
    • Just-in-time access – when someone wants access to customer information, it’s an exception
  • Host Security
    • Patching, managing OS on host
  • Application
    • Make sure that application is running in secure configuration
  • Data
    • “Data is everything” – data is money
    • Big part of the focus, protesting the data
  • 24x7x365 incident response

Cloud security must be equal or better to on-premise

Protect data in operations

  • Data isolation
    • Very important to customers
    • Only privileged user has access to data
  • Limited Access
    • MFA for service access
    • Auditing of operator access/actions
    • Zero standing permissions in the service
    • Automatic Microsoft staff account deletion
      • To make sure that things follow policies, everything is automated
    • Staff background checks, training
      • Can Microsoft trust the people that it hires?

Approach to Compliance

  • Industry standards and regulations
  • Controls Framework & Predictable audit schedule
  • Certification and Attestations

Customer Stories – Kindred Healthcare

  • Background
    • Big healthcare provider
    • Mobile service, ensure data privacy
  • Solution
    • Office 365 Exchange, SharePoint, Lync
    • Met security and privacy needs

Shared Protection Responsibility

  • IaaS – cloud customer has most of the responsibility
  • SaaS – cloud provider assume many of the responsibilities

Provide transparency and choice

  • Trust Center web page – for Office 365, and for Azure
  • Lots of documentation online


  • 1 – Design for privacy
  • 2 – Built-in features
  • 3 – Protect data in operations
  • 4 – Provide transparency and choice

Questions and Answers

Q: Sharepoint, is data encrypted while data is at rest? Is BitLocker available? Or third-party products?

  • Microsoft has committed to goal of having all data in transit and all data at rest is encrypted
  • By the end of 2014, Sharepoint data at rest will be fully encrypted
  • But law enforcement has generally been satisfied with current security and privacy policies

Q: What tools do you have to assist attorneys?

  • See materials in the Trust Center
  • Microsoft constantly talking to lawyers, to stay on top of current regulations
  • So probably collateral materials that are required are there
  • We do have Controls Framework that maps what Microsoft does and maps it to specific regulatory requirements
  • Thinking about how to package this up and present it for customers

Q: How to evaluate tools based on legal requirements?

  • We (Microsoft) can’t give you (customer) legal advice. But we can show you how tools map to particular requirements
  • Can do this in the context of certain verticals, e.g. Banking

If you have questions, stop by the Security & Compliance station in the Azure booth

TechEd NA 2014 – Microsoft Azure Security and Compliance Overview

TechEd North America 2014, Houston
Microsoft Azure Security and Compliance Overview– Lori Woehler

Day 2, 13 May 2014, 8:30AM-9:45AM (DCIM-B221)

Disclaimer: This post contains my own thoughts and notes based on attending TechEd North America 2014 presentations. Some content maps directly to what was originally presented. Other content is paraphrased or represents my own thoughts and opinions and should not be construed as reflecting the opinion of either Microsoft, the presenters or the speakers.

Executive Summary—Sean’s takeaways

  • Microsoft has done a lot of work to support various security standards
    • In some cases, you can use their documents as part of your own demonstration of compliance
  • Data can be more secure in cloud, given the attention payed to security
  • Customer has greater responsibilities for demonstrating compliance when using IaaS (Infrastructure)
    • Fewer responsibilities when using PaaS (Platform)—just application and data
  • Potentially more compliance issues in EU and Asia, or in certain verticals (e.g. Healthcare)
  • Good compliance cheat sheet that lists typical steps to take

Full video

Lori Woehler – Principal Group Program Manager, Microsoft. CISSP, CISA
At Microsoft since 2002
On Azure team for 18 months


  • Understand how Azure security/compliance helps you to meet obligations
  • Define Azure S&C boundaries and responsibilities
  • Info on new resources and approaches

Other sessions

  • B214 Azure Architectural Patterns
  • B387 Data Protection in Microsoft Azure
  • B386 MarkRu on Cloud Computing
  • B306 Public Cloud Security

Track resources

  • Security Best Practices for enveloping Azure Solutions
  • Windows Azure Security Technical Insights
  • Audit Reports, Certifications and Attestations
    • Includes all details related to audits
    • Can just hand off the stack of paper to outside auditors

Other resources

Technology trends: driving cloud adoption

  • 70% of CIOs will embrace cloud-first in 2016
  • Benefits of cloud-first
    • Much faster to deliver solution
    • Scale instantly
    • Cheaper, e.g. $25k in cloud would cost $100k on premises

Cloud innovation

  • Pre-adoption concerns (barriers to adoption)
    • 60% – security is concern
    • 45% – worried about losing control of data
  • Security, Privacy, Compliance

Cloud innovation

  • Benefits realized
    • 94% – new security benefits
    • 62% – privacy protection increased by moving to cloud

Trustworthy foundation timeline

  • 2003 – Trustworthy Computing Initiative
  • Digital Crimes Unit
  • ISO/IEC 27001:2005
  • SOC 1
  • UK G-Cloud Level 2
  • SOC 2
  • CSA Cloud Controls Matrix
  • PCI DSS Level 1

Azure stats

  • 20+ data centers
  • Security Centers of Excellence – combat evolving threats
  • Digital Crimes Unit – legal/technical expertise, disrupt the way cybercriminals operate
    • Info on botnets
    • Bing team publishes blacklist and API to access it
  • Compliance Standards – alphabet soup of standards, audits, certs

Microsoft Azure – Unified platform for modern business

  • Four pillars
    • Compute
    • Data Services
    • App Services
    • Network Services
  • Global Physical Infrastructure

Simplified compliance

  • Information security standards
    • Microsoft interprets, understands
  • Effective controls
    • Map to controls, e.g. SOC 1 type 2, SOC 2 Type 2
    • Evaluate both design and effectiveness of controls
  • Government & industry certifications
    • Ease of audit and oversight

Security compliance strategy

  • Security goals in context of industry requirements
  • Security analytics – detect threats and respond
  • Ensure compliance for high bar of certifications and accreditations
  • Continual monitoring, test, audit

Certifications and Programs

  • Slide shows summary of various certifications
  • ISO/IEC 27001 – broadly accepted outside U.S.
    • Now supporting “Revision 3” under 27001
  • SOC 1, SOC2 – for customers who need financial reporting
    • Five different areas: Security, Privacy, Confidentiality, Integrity, Availability
    • SSAE 16 / ISAE 3402 – accounting standard
  • For IaaS, compliance information is more detailed
  • Increasing focus on government certification and attestation

Contractual commitments

  • EU Data Privacy approval
    • Only Microsoft approved from EU Article 29
  • Broad contractual scope
    • Contractual commitments for HIPAA et al

Shared responsibility

  • Where is customer responsible, vs. Microsoft
  • Customer
    • Manages control of data in PaaS
    • Going with PaaS reduces customer responsibility to just Applications and Data
    • Under PaaS, no customer responsibility for Runtime, Middleware, O/S
  • SaaS – no customer responsibility

PaaS Customers – important things to know

Paas Customer Responsibilities

  • Access Control – define security groups and security set
    • Logs to demonstrate that access is due to customer granted permission
  • Data Protection
    • Geo-location – be careful about setting yourself up for potential non-compliance
      • There are obligations in Europe and Asia
      • You can check for access from outside your geo-location boundaries; then potentially restrict access
    • Data Classification and Handling
      • Deciding what data should go up to the cloud
      • Microsoft has published guides to classifying data (schemas)
      • Cloud Controls Matrix – show where you have programmatic obligation
    • Privacy and Data Regulatory Compliance
  • Logging & Monitoring Access and Data Protection
  • ISMS Programmatic Controls
  • Certifications, Accreditations and Audits
    • Can I just use Microsoft’s audit results are our own? No

IaaS Customer Responsibilities

  • Application Security & SDL (Security Development Lifecycle)
    • Can test outside of protection
    • Role segregation, between operations and development
    • E.g. rely on TFS to show process and evidence
  • Access Control – identity management
    • Start with access control to Azure environment itself
    • Then also access control to guest Oss (or SQL Server)
    • Auditors will focus on timing of provisioning/de-provisioning (e.g. remove user when they leave company)
  • Data Protection
    • Microsoft demonstrates that data in your environment is not exposed to other customers
    • Focuses on HyperV when testing
  • O/S Baselines, Patching, AV, Vulnerability Scanning
    • Standard build image in Azure, patched to most recent security update
    • Customers should adopt standard patching cadence; matching your on-premise infrastructure
    • Configuration and management of SSL settings is responsibility of customer
  • Penetration Testing
  • Logging, Monitoring, Incident Response
    • Microsoft has limited ability to access your logs and VM images
  • ISMS Programmatic Controls
    • Impact of documentation of Standard Operating Procedures—quite cumbersome
    • Can start by taking dependency on Azure, in documents that Microsoft have already generated
    • But this doesn’t go all of the way
  • Certifications, Accreditations & Audits
    • Auditors shouldn’t re-test customers in the areas that Azure already covers
    • Documentation that Azure provides should be enough
    • White papers in trust center describe how to leverage Microsoft stuff

Compliance cheat sheet

  • Identify your obligations/responsibilities
    • E.g. contractual
  • Adopt Standard Control Set
    • List of the rules, ties into policies
  • Establish policies and standards
    • “Your plan is your shield”
    • Criteria against which external auditors will evaluate your environment
    • Don’t try to be too broad, trying to cover every possible audit—auditor will apply their own judgment
    • Set level of detail listing deliverable and schedule for deliverable
    • Then you just demonstrate that you’ve met the policies that you’ve set
  • Document system(s) in scope
    • Challenging, if you haven’t implement an asset inventory mechanism
    • Auditors will want to see all assets—physical and virtual (e.g. user accounts, etc).
    • A significant amount of work
    • Log when systems come online and offline (into or out of production)
  • Develop narratives for each control
    • Written description of how a control executes
    • Ties back to specs for systems
    • Auditors will look at spec and then test plan
  • Test control design & execution
  • Identify exceptions and issues
    • No such thing as perfect
    • Document decisions made
    • “Qualified report” – auditor’s report that says that vendor is only partly compliant
  • Determine risk exposure
    • “Transferring risk” to third party—sometimes reduces your risks, sometimes increases your risks
    • Understand both costs and risks
    • Story of Singapore government, including keystroke loggers and video cameras, plus person observing live data feed (for traders using financial service)
  • Define remediation goals and plans
  • Monitor the system
    • And demonstrate to 3rd party that your controls are behaving as expected
  • Report on compliance status
    • Not just reporting for checklist

More detailed cheat sheet

Most Frequently Asked Questions

  • PCI Compliant? – no
  • Can xyz audit Azure? – no
  • Can we have your pen test reports? –
  • Will you fill out this 500 question survey? –
  • Kicked out of the room at this point