-->
Your Azure Stack Edge Pro device and the service depend on other Microsoft applications such as Azure Service Bus, Azure Active Directory Access Control, storage accounts, and Microsoft Update servers. Your Azure Stack Edge Pro device and the service depend on other Microsoft applications such as Azure Service Bus, Azure Active Directory Access Control, storage accounts, and Microsoft Update servers. Microsoft Windows came to dominate the world's personal computer (PC) market with over 90% market share, overtaking Mac OS, which had been introduced in 1984, while Microsoft has in 2020 lost its dominance of the consumer operating system market, with Windows down to 30%, lower than Apple's 31% mobile-only share (65% for desktop operating.
Important
The reference microservice application eShopOnContainers is currently using features provided by Envoy to implement the API Gateway instead of the earlier referenced Ocelot.We made this design choice because of Envoy's built-in support for the WebSocket protocol, required by the new gRPC inter-service communications implemented in eShopOnContainers.However, we've retained this section in the guide so you can consider Ocelot as a simple, capable, and lightweight API Gateway suitable for production-grade scenarios.Also, latest Ocelot version contains a breaking change on its json schema. Consider using Ocelot < v16.0.0, or use the key Routes instead of ReRoutes.
Architect and design your API Gateways
The following architecture diagram shows how API Gateways were implemented with Ocelot in eShopOnContainers.
Figure 6-28. eShopOnContainers architecture with API Gateways
That diagram shows how the whole application is deployed into a single Docker host or development PC with 'Docker for Windows' or 'Docker for Mac'. However, deploying into any orchestrator would be similar, but any container in the diagram could be scaled out in the orchestrator.
In addition, the infrastructure assets such as databases, cache, and message brokers should be offloaded from the orchestrator and deployed into high available systems for infrastructure, like Azure SQL Database, Azure Cosmos DB, Azure Redis, Azure Service Bus, or any HA clustering solution on-premises.
As you can also notice in the diagram, having several API Gateways allows multiple development teams to be autonomous (in this case Marketing features vs. Shopping features) when developing and deploying their microservices plus their own related API Gateways.
If you had a single monolithic API Gateway that would mean a single point to be updated by several development teams, which could couple all the microservices with a single part of the application.
Going much further in the design, sometimes a fine-grained API Gateway can also be limited to a single business microservice depending on the chosen architecture. Having the API Gateway's boundaries dictated by the business or domain will help you to get a better design.
For instance, fine granularity in the API Gateway tier can be especially useful for more advanced composite UI applications that are based on microservices, because the concept of a fine-grained API Gateway is similar to a UI composition service.
We delve into more details in the previous section Creating composite UI based on microservices.
As a key takeaway, for many medium- and large-size applications, using a custom-built API Gateway product is usually a good approach, but not as a single monolithic aggregator or unique central custom API Gateway unless that API Gateway allows multiple independent configuration areas for the several development teams creating autonomous microservices.
Sample microservices/containers to reroute through the API Gateways
As an example, eShopOnContainers has around six internal microservice-types that have to be published through the API Gateways, as shown in the following image.
Figure 6-29. Microservice folders in eShopOnContainers solution in Visual Studio
About the Identity service, in the design it's left out of the API Gateway routing because it's the only cross-cutting concern in the system, although with Ocelot it's also possible to include it as part of the rerouting lists.
All those services are currently implemented as ASP.NET Core Web API services, as you can tell from the code. Let's focus on one of the microservices like the Catalog microservice code.
Figure 6-30. Sample Web API microservice (Catalog microservice)
You can see that the Catalog microservice is a typical ASP.NET Core Web API project with several controllers and methods like in the following code.
The HTTP request will end up running that kind of C# code accessing the microservice database and any additional required action.
Regarding the microservice URL, when the containers are deployed in your local development PC (local Docker host), each microservice's container always has an internal port (usually port 80) specified in its dockerfile, as in the following dockerfile:
The port 80 shown in the code is internal within the Docker host, so it can't be reached by client apps.
Client apps can access only the external ports (if any) published when deploying with docker-compose.
Those external ports shouldn't be published when deploying to a production environment. For this specific reason, why you want to use the API Gateway, to avoid the direct communication between the client apps and the microservices.
However, when developing, you want to access the microservice/container directly and run it through Swagger. That's why in eShopOnContainers, the external ports are still specified even when they won't be used by the API Gateway or the client apps.
Here's an example of the docker-compose.override.yml file for the Catalog microservice:
You can see how in the docker-compose.override.yml configuration the internal port for the Catalog container is port 80, but the port for external access is 5101. But this port shouldn't be used by the application when using an API Gateway, only to debug, run, and test just the Catalog microservice.
Normally, you won't be deploying with docker-compose into a production environment because the right production deployment environment for microservices is an orchestrator like Kubernetes or Service Fabric. When deploying to those environments you use different configuration files where you won't publish directly any external port for the microservices but, you'll always use the reverse proxy from the API Gateway.
Run the catalog microservice in your local Docker host. Either run the full eShopOnContainers solution from Visual Studio (it runs all the services in the docker-compose files), or start the Catalog microservice with the following docker-compose command in CMD or PowerShell positioned at the folder where the docker-compose.yml and docker-compose.override.yml are placed.
This command only runs the catalog-api service container plus dependencies that are specified in the docker-compose.yml. In this case, the SQL Server container and RabbitMQ container.
Then, you can directly access the Catalog microservice and see its methods through the Swagger UI accessing directly through that 'external' port, in this case http://localhost:5101/swagger:
Figure 6-31. Testing the Catalog microservice with its Swagger UI
At this point, you could set a breakpoint in C# code in Visual Studio, test the microservice with the methods exposed in Swagger UI, and finally clean-up everything with the docker-compose down command.
However, direct-access communication to the microservice, in this case through the external port 5101, is precisely what you want to avoid in your application. And you can avoid that by setting the additional level of indirection of the API Gateway (Ocelot, in this case). That way, the client app won't directly access the microservice.
Implementing your API Gateways with Ocelot
Ocelot is basically a set of middlewares that you can apply in a specific order.
Ocelot is designed to work with ASP.NET Core only. The latest version of the package targets .NETCoreApp 3.1 and hence it is not suitable for .NET Framework applications.
You install Ocelot and its dependencies in your ASP.NET Core project with Ocelot's NuGet package, from Visual Studio.
In eShopOnContainers, its API Gateway implementation is a simple ASP.NET Core WebHost project, and Ocelot’s middleware handles all the API Gateway features, as shown in the following image:
Figure 6-32. The OcelotApiGw base project in eShopOnContainers
This ASP.NET Core WebHost project is built with two simple files: Program.cs and Startup.cs.
The Program.cs just needs to create and configure the typical ASP.NET Core BuildWebHost.
The important point here for Ocelot is the configuration.json file that you must provide to the builder through the AddJsonFile() method. That configuration.json is where you specify all the API Gateway ReRoutes, meaning the external endpoints with specific ports and the correlated internal endpoints, usually using different ports.
There are two sections to the configuration. An array of ReRoutes and a GlobalConfiguration. The ReRoutes are the objects that tell Ocelot how to treat an upstream request. The Global configuration allows overrides of ReRoute specific settings. It's useful if you don't want to manage lots of ReRoute specific settings.
Here's a simplified example of ReRoute configuration file from one of the API Gateways from eShopOnContainers.
The main functionality of an Ocelot API Gateway is to take incoming HTTP requests and forward them on to a downstream service, currently as another HTTP request. Ocelot's describes the routing of one request to another as a ReRoute.
For instance, let's focus on one of the ReRoutes in the configuration.json from above, the configuration for the Basket microservice.
The DownstreamPathTemplate, Scheme, and DownstreamHostAndPorts make the internal microservice URL that this request will be forwarded to.
The port is the internal port used by the service. When using containers, the port specified at its dockerfile.
The Host is a service name that depends on the service name resolution you are using. When using docker-compose, the services names are provided by the Docker Host, which is using the service names provided in the docker-compose files. If using an orchestrator like Kubernetes or Service Fabric, that name should be resolved by the DNS or name resolution provided by each orchestrator.
DownstreamHostAndPorts is an array that contains the host and port of any downstream services that you wish to forward requests to. Usually this configuration will just contain one entry but sometimes you might want to load balance requests to your downstream services and Ocelot lets you add more than one entry and then select a load balancer. But if using Azure and any orchestrator it is probably a better idea to load balance with the cloud and orchestrator infrastructure.
The UpstreamPathTemplate is the URL that Ocelot will use to identify which DownstreamPathTemplate to use for a given request from the client. Finally, the UpstreamHttpMethod is used so Ocelot can distinguish between different requests (GET, POST, PUT) to the same URL.
At this point, you could have a single Ocelot API Gateway (ASP.NET Core WebHost) using one or multiple merged configuration.json files or you can also store the configuration in a Consul KV store.
But as introduced in the architecture and design sections, if you really want to have autonomous microservices, it might be better to split that single monolithic API Gateway into multiple API Gateways and/or BFF (Backend for Frontend). For that purpose, let's see how to implement that approach with Docker containers.
Using a single Docker container image to run multiple different API Gateway / BFF container types
In eShopOnContainers, we're using a single Docker container image with the Ocelot API Gateway but then, at run time, we create different services/containers for each type of API-Gateway/BFF by providing a different configuration.json file, using a docker volume to access a different PC folder for each service.
Figure 6-33. Reusing a single Ocelot Docker image across multiple API Gateway types
In eShopOnContainers, the 'Generic Ocelot API Gateway Docker Image' is created with the project named 'OcelotApiGw' and the image name 'eshop/ocelotapigw' that is specified in the docker-compose.yml file. Then, when deploying to Docker, there will be four API-Gateway containers created from that same Docker image, as shown in the following extract from the docker-compose.yml file.
Additionally, as you can see in the following docker-compose.override.yml file, the only difference between those API Gateway containers is the Ocelot configuration file, which is different for each service container and it's specified at runtime through a Docker volume.
Because of that previous code, and as shown in the Visual Studio Explorer below, the only file needed to define each specific business/BFF API Gateway is just a configuration.json file, because the four API Gateways are based on the same Docker image.
Figure 6-34. The only file needed to define each API Gateway / BFF with Ocelot is a configuration file
By splitting the API Gateway into multiple API Gateways, different development teams focusing on different subsets of microservices can manage their own API Gateways by using independent Ocelot configuration files. Plus, at the same time they can reuse the same Ocelot Docker image.
Now, if you run eShopOnContainers with the API Gateways (included by default in VS when opening eShopOnContainers-ServicesAndWebApps.sln solution or if running 'docker-compose up'), the following sample routes will be performed.
For instance, when visiting the upstream URL http://localhost:5202/api/v1/c/catalog/items/2/ served by the webshoppingapigw API Gateway, you get the same result from the internal Downstream URL http://catalog-api/api/v1/2 within the Docker host, as in the following browser.
Figure 6-35. Accessing a microservice through a URL provided by the API Gateway
Because of testing or debugging reasons, if you wanted to directly access to the Catalog Docker container (only at the development environment) without passing through the API Gateway, since 'catalog-api' is a DNS resolution internal to the Docker host (service discovery handled by docker-compose service names), the only way to directly access the container is through the external port published in the docker-compose.override.yml, which is provided only for development tests, such as http://localhost:5101/api/v1/Catalog/items/1 in the following browser.
Figure 6-36. Direct access to a microservice for testing purposes
But the application is configured so it accesses all the microservices through the API Gateways, not through the direct port 'shortcuts'.
The Gateway aggregation pattern in eShopOnContainers
As introduced previously, a flexible way to implement requests aggregation is with custom services, by code. You could also implement request aggregation with the Request Aggregation feature in Ocelot, but it might not be as flexible as you need. Therefore, the selected way to implement aggregation in eShopOnContainers is with an explicit ASP.NET Core Web API service for each aggregator.
According to that approach, the API Gateway composition diagram is in reality a bit more extended when considering the aggregator services that are not shown in the simplified global architecture diagram shown previously.
In the following diagram, you can also see how the aggregator services work with their related API Gateways.
Figure 6-37. eShopOnContainers architecture with aggregator services
Zooming in further, on the 'Shopping' business area in the following image, you can see that chattiness between the client apps and the microservices is reduced when using the aggregator services in the API Gateways.
Figure 6-38. Zoom in vision of the Aggregator services
You can notice how when the diagram shows the possible requests coming from the API Gateways it can get complex. On the other hand, when you use the aggregator pattern, you can see how the arrows in blue would simplify the communication from a client app perspective. This pattern not only helps to reduce the chattiness and latency in the communication, it also improves the user experience significantly for the remote apps (mobile and SPA apps).
In the case of the 'Marketing' business area and microservices, it is a simple use case so there was no need to use aggregators, but it could also be possible, if needed.
Authentication and authorization in Ocelot API Gateways
In an Ocelot API Gateway you can sit the authentication service, such as an ASP.NET Core Web API service using IdentityServer providing the auth token, either out or inside the API Gateway.
Since eShopOnContainers is using multiple API Gateways with boundaries based on BFF and business areas, the Identity/Auth service is left out of the API Gateways, as highlighted in yellow in the following diagram.
Figure 6-39. Position of the Identity service in eShopOnContainers
However, Ocelot also supports sitting the Identity/Auth microservice within the API Gateway boundary, as in this other diagram.
Figure 6-40. Authentication in Ocelot
As the previous diagram shows, when the Identity microservice is beneath the API gateway (AG): 1) AG requests an auth token from identity microservice, 2) The identity microservice returns token to AG, 3-4) AG requests from microservices using the auth token. Because eShopOnContainers application has split the API Gateway into multiple BFF (Backend for Frontend) and business areas API Gateways, another option would have been to create an additional API Gateway for cross-cutting concerns. That choice would be fair in a more complex microservice based architecture with multiple cross-cutting concerns microservices. Since there's only one cross-cutting concern in eShopOnContainers, it was decided to just handle the security service out of the API Gateway realm, for simplicity's sake.
In any case, if the app is secured at the API Gateway level, the authentication module of the Ocelot API Gateway is visited at first when trying to use any secured microservice. That redirects the HTTP request to visit the Identity or auth microservice to get the access token so you can visit the protected services with the access_token.
The way you secure with authentication any service at the API Gateway level is by setting the AuthenticationProviderKey in its related settings at the configuration.json.
When Ocelot runs, it will look at the ReRoutes AuthenticationOptions.AuthenticationProviderKey and check that there is an Authentication Provider registered with the given key. If there isn't, then Ocelot will not start up. If there is, then the ReRoute will use that provider when it executes.
Because the Ocelot WebHost is configured with the authenticationProviderKey = 'IdentityApiKey', that will require authentication whenever that service has any requests without any auth token.
Then, you also need to set authorization with the [Authorize] attribute on any resource to be accessed like the microservices, such as in the following Basket microservice controller.
The ValidAudiences such as 'basket' are correlated with the audience defined in each microservice with AddJwtBearer() at the ConfigureServices() of the Startup class, such as in the code below.
If you try to access any secured microservice, like the Basket microservice with a ReRoute URL based on the API Gateway like http://localhost:5202/api/v1/b/basket/1, then you'll get a 401 Unauthorized unless you provide a valid token. On the other hand, if a ReRoute URL is authenticated, Ocelot will invoke whatever downstream scheme is associated with it (the internal microservice URL).
Authorization at Ocelot's ReRoutes tier. Ocelot supports claims-based authorization evaluated after the authentication. You set the authorization at a route level by adding the following lines to the ReRoute configuration.
In that example, when the authorization middleware is called, Ocelot will find if the user has the claim type 'UserType' in the token and if the value of that claim is 'employee'. If it isn't, then the user will not be authorized and the response will be 403 forbidden.
Using Kubernetes Ingress plus Ocelot API Gateways
When using Kubernetes (like in an Azure Kubernetes Service cluster), you usually unify all the HTTP requests through the Kubernetes Ingress tier based on Nginx.
In Kubernetes, if you don't use any ingress approach, then your services and pods have IPs only routable by the cluster network.
But if you use an ingress approach, you'll have a middle tier between the Internet and your services (including your API Gateways), acting as a reverse proxy.
As a definition, an Ingress is a collection of rules that allow inbound connections to reach the cluster services. An ingress is configured to provide services externally reachable URLs, load balance traffic, SSL termination and more. Users request ingress by POSTing the Ingress resource to the API server.
In eShopOnContainers, when developing locally and using just your development machine as the Docker host, you are not using any ingress but only the multiple API Gateways.
However, when targeting a 'production' environment based on Kubernetes, eShopOnContainers is using an ingress in front of the API gateways. That way, the clients still call the same base URL but the requests are routed to multiple API Gateways or BFF.
API Gateways are front-ends or façades surfacing only the services but not the web applications that are usually out of their scope. In addition, the API Gateways might hide certain internal microservices.
The ingress, however, is just redirecting HTTP requests but not trying to hide any microservice or web app.
Having an ingress Nginx tier in Kubernetes in front of the web applications plus the several Ocelot API Gateways / BFF is the ideal architecture, as shown in the following diagram.
Figure 6-41. The ingress tier in eShopOnContainers when deployed into Kubernetes
A Kubernetes Ingress acts as a reverse proxy for all traffic to the app, including the web applications, that are out of the Api gateway scope. When you deploy eShopOnContainers into Kubernetes, it exposes just a few services or endpoints via ingress, basically the following list of postfixes on the URLs:
/for the client SPA web application/webmvcfor the client MVC web application/webstatusfor the client web app showing the status/healthchecks/webshoppingapigwfor the web BFF and shopping business processes/webmarketingapigwfor the web BFF and marketing business processes/mobileshoppingapigwfor the mobile BFF and shopping business processes/mobilemarketingapigwfor the mobile BFF and marketing business processes
When deploying to Kubernetes, each Ocelot API Gateway is using a different 'configuration.json' file for each pod running the API Gateways. Those 'configuration.json' files are provided by mounting (originally with the deploy.ps1 script) a volume created based on a Kubernetes config map named ‘ocelot'. Each container mounts its related configuration file in the container's folder named /app/configuration.
In the source code files of eShopOnContainers, the original 'configuration.json' files can be found within the k8s/ocelot/ folder. There's one file for each BFF/APIGateway.
Additional cross-cutting features in an Ocelot API Gateway
There are other important features to research and use, when using an Ocelot API Gateway, described in the following links.
Service discovery in the client side integrating Ocelot with Consul or Eureka
https://ocelot.readthedocs.io/en/latest/features/servicediscovery.htmlCaching at the API Gateway tier
https://ocelot.readthedocs.io/en/latest/features/caching.htmlLogging at the API Gateway tier
https://ocelot.readthedocs.io/en/latest/features/logging.htmlQuality of Service (Retries and Circuit breakers) at the API Gateway tier
https://ocelot.readthedocs.io/en/latest/features/qualityofservice.htmlRate limiting
https://ocelot.readthedocs.io/en/latest/features/ratelimiting.html
This article describes the important system requirements for your Microsoft Azure Stack Edge Pro solution and for the clients connecting to Azure Stack Edge Pro. We recommend that you review the information carefully before you deploy your Azure Stack Edge Pro. You can refer back to this information as necessary during the deployment and subsequent operation.
The system requirements for the Azure Stack Edge Pro include:
- Software requirements for hosts - describes the supported platforms, browsers for the local configuration UI, SMB clients, and any additional requirements for the clients that access the device.
- Networking requirements for the device - provides information about any networking requirements for the operation of the physical device.
Supported OS for clients connected to device
Here is a list of the supported operating systems for clients or hosts connected to your device. These operating system versions were tested in-house.
| Operating system/platform | Versions |
|---|---|
| Windows Server | 2012 R2 2016 2019 |
| Windows | 8, 10 |
| SUSE Linux | Enterprise Server 12 (x86_64) |
| Ubuntu | 16.04.3 LTS |
| CentOS | 7.0 |
| Mac OS | 10.14.1 |
Supported protocols for clients accessing device
Here are the supported protocols for clients accessing your device.
| Protocol | Versions | Notes |
|---|---|---|
| SMB | 2.X, 3.X | SMB 1 isn't supported. |
| NFS (currently in preview) | 3.0, 4.1 | Mac OS is not supported with NFS v4.1. |
Supported storage accounts
Here is a list of the supported storage accounts for your device.
| Storage account | Notes |
|---|---|
| Classic | Standard |
| General Purpose | Standard; both V1 and V2 are supported. Both hot and cool tiers are supported. |
Supported storage types
Here is a list of the supported storage types for the device.
| File format | Notes |
|---|---|
| Azure block blob | |
| Azure page blob | |
| Azure Files |
Supported browsers for local web UI
Here is a list of the browsers supported for the local web UI for the virtual device.
| Browser | Versions | Additional requirements/notes |
|---|---|---|
| Google Chrome | Latest version | |
| Microsoft Edge | Latest version | |
| Internet Explorer | Latest version | If Enhanced Security features are enabled, you may not be able to access local web UI pages. Disable enhanced security, and restart your browser. |
| FireFox | Latest version |
Networking port requirements
Port requirements for Azure Stack Edge Pro
The following table lists the ports that need to be opened in your firewall to allow for SMB, cloud, or management traffic. In this table, in or inbound refers to the direction from which incoming client requests access to your device. Out or outbound refers to the direction in which your Azure Stack Edge Pro device sends data externally, beyond the deployment, for example, outbound to the internet.
| Port no. | In or out | Port scope | Required | Notes |
|---|---|---|---|---|
| TCP 80 (HTTP) | Out | WAN | No | Outbound port is used for internet access to retrieve updates. The outbound web proxy is user configurable. |
| TCP 443 (HTTPS) | Out | WAN | Yes | Outbound port is used for accessing data in the cloud. The outbound web proxy is user configurable. |
| UDP 123 (NTP) | Out | WAN | In some cases See notes | This port is required only if you're using an internet-based NTP server. |
| UDP 53 (DNS) | Out | WAN | In some cases See notes | This port is required only if you're using an internet-based DNS server. We recommend using a local DNS server. |
| TCP 5985 (WinRM) | Out/In | LAN | In some cases See notes | This port is required to connect to the device via remote PowerShell over HTTP. |
| UDP 67 (DHCP) | Out | LAN | In some cases See notes | This port is required only if you're using a local DHCP server. |
| TCP 80 (HTTP) | Out/In | LAN | Yes | This port is the inbound port for local UI on the device for local management. Accessing the local UI over HTTP will automatically redirect to HTTPS. |
| TCP 443 (HTTPS) | Out/In | LAN | Yes | This port is the inbound port for local UI on the device for local management. |
| TCP 445 (SMB) | In | LAN | In some cases See notes | This port is required only if you are connecting via SMB. |
| TCP 2049 (NFS) | In | LAN | In some cases See notes | This port is required only if you are connecting via NFS. |
Port requirements for IoT Edge
Azure IoT Edge allows outbound communication from an on-premises Edge device to Azure cloud using supported IoT Hub protocols. Inbound communication is only required for specific scenarios where Azure IoT Hub needs to push down messages to the Azure IoT Edge device (for example, Cloud To Device messaging).
Use the following table for port configuration for the servers hosting Azure IoT Edge runtime:
| Port no. | In or out | Port scope | Required | Guidance |
|---|---|---|---|---|
| TCP 443 (HTTPS) | Out | WAN | Yes | Outbound open for IoT Edge provisioning. This configuration is required when using manual scripts or Azure IoT Device Provisioning Service (DPS). |
Microsoft Service Bus Explorer For Mac
For complete information, go to Firewall and port configuration rules for IoT Edge deployment.
URL patterns for firewall rules
Network administrators can often configure advanced firewall rules based on the URL patterns to filter the inbound and the outbound traffic. Your Azure Stack Edge Pro device and the service depend on other Microsoft applications such as Azure Service Bus, Azure Active Directory Access Control, storage accounts, and Microsoft Update servers. The URL patterns associated with these applications can be used to configure firewall rules. It is important to understand that the URL patterns associated with these applications can change. These changes require the network administrator to monitor and update firewall rules for your Azure Stack Edge Pro as and when needed.
We recommend that you set your firewall rules for outbound traffic, based on Azure Stack Edge Pro fixed IP addresses, liberally in most cases. However, you can use the information below to set advanced firewall rules that are needed to create secure environments.
Note
- The device (source) IPs should always be set to all the cloud-enabled network interfaces.
- The destination IPs should be set to Azure datacenter IP ranges.
URL patterns for gateway feature
| URL pattern | Component or functionality |
|---|---|
| https://*.databoxedge.azure.com/* https://*.servicebus.windows.net/* https://login.windows.net | Azure Stack Edge / Data Box Gateway service Azure Service Bus Authentication Service |
| http://*.backup.windowsazure.com | Device activation |
| http://crl.microsoft.com/pki/* http://www.microsoft.com/pki/* | Certificate revocation |
| https://*.core.windows.net/* https://*.data.microsoft.com http://*.msftncsi.com | Azure storage accounts and monitoring |
| http://windowsupdate.microsoft.com http://*.windowsupdate.microsoft.com https://*.windowsupdate.microsoft.com http://*.update.microsoft.com https://*.update.microsoft.com http://*.windowsupdate.com http://download.microsoft.com http://*.download.windowsupdate.com http://wustat.windows.com http://ntservicepack.microsoft.com http://go.microsoft.com http://dl.delivery.mp.microsoft.com https://dl.delivery.mp.microsoft.com http://*.ws.microsoft.com https://*.ws.microsoft.com http://*.mp.microsoft.com | Microsoft Update servers |
| http://*.deploy.akamaitechnologies.com | Akamai CDN |
| https://*.partners.extranet.microsoft.com/* | Support package |
| http://*.data.microsoft.com | Telemetry service in Windows, see the update for customer experience and diagnostic telemetry |
URL patterns for compute feature
| URL pattern | Component or functionality |
|---|---|
| https://mcr.microsoft.com https://*.cdn.mscr.io | Microsoft container registry (required) |
| https://*.azurecr.io | Personal and third-party container registries (optional) |
| https://*.azure-devices.net | IoT Hub access (required) |
URL patterns for gateway for Azure Government
| URL pattern | Component or functionality |
|---|---|
| https://*.databoxedge.azure.us/* https://*.servicebus.usgovcloudapi.net/* https://login.microsoftonline.us | Azure Stack Edge / Data Box Gateway service Azure Service Bus Authentication Service |
| http://*.backup.windowsazure.us | Device activation |
| http://crl.microsoft.com/pki/* http://www.microsoft.com/pki/* | Certificate revocation |
| https://*.core.usgovcloudapi.net/* https://*.data.microsoft.com http://*.msftncsi.com | Azure storage accounts and monitoring |
| http://windowsupdate.microsoft.com http://*.windowsupdate.microsoft.com https://*.windowsupdate.microsoft.com http://*.update.microsoft.com https://*.update.microsoft.com http://*.windowsupdate.com http://download.microsoft.com http://*.download.windowsupdate.com http://wustat.windows.com http://ntservicepack.microsoft.com http://*.ws.microsoft.com https://*.ws.microsoft.com http://*.mp.microsoft.com | Microsoft Update servers |
| http://*.deploy.akamaitechnologies.com | Akamai CDN |
| https://*.partners.extranet.microsoft.com/* | Support package |
| http://*.data.microsoft.com | Telemetry service in Windows, see the update for customer experience and diagnostic telemetry |
URL patterns for compute for Azure Government
| URL pattern | Component or functionality |
|---|---|
| https://mcr.microsoft.com https://*.cdn.mscr.com | Microsoft container registry (required) |
| https://*.azure-devices.us | IoT Hub access (required) |
| https://*.azurecr.us | Personal and third-party container registries (optional) |
Internet bandwidth
The devices are designed to continue to operate when your internet connection is slow or gets interrupted. In normal operating conditions, we recommend that you use:
- A minimum of 10-Mbps download bandwidth to ensure the device stays updated.
- A minimum of 20-Mbps dedicated upload and download bandwidth to transfer files.
Compute sizing considerations
Use your experience while developing and testing your solution to ensure there is enough capacity on your Azure Stack Edge Pro device and you get the optimal performance from your device.
Factors you should consider include:
Microsoft Service Bus Explorer For Mac Os
Container specifics - Think about the following.
- How many containers are in your workload? You could have a lot of lightweight containers versus a few resource-intensive ones.
- What are the resources allocated to these containers versus what are the resources they are consuming?
- How many layers do your containers share?
- Are there unused containers? A stopped container still takes up disk space.
- In which language are your containers written?
Size of the data processed - How much data will your containers be processing? Will this data consume disk space or the data will be processed in the memory?
Expected performance - What are the desired performance characteristics of your solution?
To understand and refine the performance of your solution, you could use:
The compute metrics available in the Azure portal. Go to your Azure Stack Edge resource and then go to Monitoring > Metrics. Look at the Edge compute - Memory usage and Edge compute - Percentage CPU to understand the available resources and how are the resources getting consumed.
The monitoring commands available via the PowerShell interface of the device such as:
dkrstats to get a live stream of container(s) resource usage statistics. The command supports CPU, memory usage, memory limit, and network IO metrics.dkr system dfto get information regarding the amount of disk space used.dkr image [prune]to clean up unused images and free up space.dkr ps --sizeto view the approximate size of a running container.
For more information on the available commands, go to Monitor and troubleshoot compute modules.
Finally, make sure that you validate your solution on your dataset and quantify the performance on Azure Stack Edge Pro before deploying in production.