Rules to Better Azure

A lot of these rules have originated from the Azure Superpowers Tour.



  1. Do you know how to be frugal with Azure Storage Transactions?

    Azure transactions are CHEAP. You get tens of thousands for just a few cents. What is dangerous though is that it is very easy to have your application generate hundreds of thousands of transactions a day.

    Every call to Windows Azure Blobs, Tables and Queues counts as 1 transaction. Windows Azure diagnostic logs, performance counters, trace statements and IIS logs are written to Table Storage or Blob Storage.

    If you are unaware of this, it can quickly add up and either burn through your free trial account, or even create a large unexpected bill.

    Note: Azure Storage Transactions do not count calls to SQL Azure.

    Ensure that Diagnostics are Disabled for your web and worker roles

    Having Diagnostics enabled can contribute 25 transactions per minute, which is 36,000 transactions per day.

    Question for Microsoft: Is this per Web Role?

    Figure: Check the properties of your web and worker role configuration files

    Figure: Disable diagnostics

    Disable IntelliTrace and Profiling

    Figure: When publishing, ensure that IntelliTrace and Profiling are both disabled


    Search bots crawling your site to index it will lead to a lot of transactions. Especially for web "applications" that do not need to be searchable, use robots.txt to save transactions.

    Figure: Place robots.txt in the root of your site to control search engine indexing

    Continuous Deployment

    When deploying to Azure, the deployment package is loaded into the Storage Account. This will also contribute to the transaction count.

    If you have enabled continuous deployment to Azure, you will need to monitor your transaction usage carefully.


  2. Do you always rename staging Url on Azure?

    If you use the default Azure staging web site Url, it can be difficult to remember and a waste of time trying to look up the name every time you access it. Follow this rule to increase your productivity and make it easier for everyone to access your staging site.

    Default Azure Url:

    Figure: Bad example - Site using the default Url (hard to remember!!)

    Customized Url:

    Figure: Good example - Staging Url having production Url with "staging." prefix

    How to set up a custom Url

    1. Add a CName pointing to the default Url to your DNS server

    Figure: CName being added to DNS for the default Url

    2. Instruct Azure to accept the custom Url

    Figure: Azure being configured to accept the CName

  3. Do you configure your web applications to use application specific accounts for database access?

    An application's database access profile should be as restricted as possible, so that in the case that it is compromised, the damage will be limited. 

    Application database access should also be restricted to only the application's database, and none of the other databases on the server.


    Bad Example – Contract Manager Web Application using the administrator login in its connection string 




    Good Example – Application specific database user configured in the connection string

    Most web applications need full read and write access to one database.  In the case of EF Code first migrations, they might also need DDL admin rights.  These roles are built in database roles:

     db_ddladmin: Members of the db_ddladmin fixed database role can run any Data Definition Language (DDL) command in a database.
     db_datawriter: Members of the db_datawriter fixed database role can add, delete, or change data in all user tables.
     db_datareader: Members of the db_datareader fixed database role can read all data from all user tables.

    Table: Database roles taken from Database-Level Roles

    If you are running a web application on Azure, you should configure your application to use its own specific account that has some restrictions.  The following script demonstrates setting up an SQL user for myappstaging and another for myappproduction that also use EF code first migrations:

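    -- Server-level login: run this part on a connection to the master database.
    -- (On Azure SQL Database, USE cannot switch databases; open a separate connection per database.)
    USE master;

    CREATE LOGIN myappstaging WITH PASSWORD = '************';

    -- User in master mapped to the login
    CREATE USER myappstaging FROM LOGIN myappstaging;

    -- Application database: the hyphenated name must be bracketed
    USE [myapp-staging-db];

    CREATE USER myappstaging FROM LOGIN myappstaging;

    -- Read, write and (for EF code first migrations) DDL rights in this database only
    EXEC sp_addrolemember 'db_datareader', 'myappstaging';
    EXEC sp_addrolemember 'db_datawriter', 'myappstaging';
    EXEC sp_addrolemember 'db_ddladmin', 'myappstaging';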

    Script: Example script to create a service user for myappstaging

    Note: If you are using stored procedures, you will also need to grant execute permissions to the user.  E.g.:

    GRANT EXECUTE TO myappstaging

    Data,1433; Initial Catalog=myapp-staging-db; User ID=myappstaging@xyzsqlserver; Password='*************' 

    Figure: Example connection string
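
    Added example (not part of the original rule): a T-SQL check to run on a connection to the application database after the script above, listing the direct role memberships and explicit permissions held by myappstaging so that anything beyond db_datareader, db_datawriter and db_ddladmin stands out. The catalog views are standard SQL Server ones; the @app_user variable and the assessment and securable column aliases are names chosen for this example.

    ```sql
    -- Added example: audit what the application user can actually do.
    -- Run while connected to the application database, e.g. [myapp-staging-db].
    DECLARE @app_user sysname = N'myappstaging';  -- user created by the script above

    -- 1. Direct role memberships. Only the three roles granted above are expected;
    --    db_owner or any other role means the account is over-privileged.
    SELECT  m.name AS member_name,
            r.name AS role_name,
            CASE WHEN r.name IN (N'db_datareader', N'db_datawriter', N'db_ddladmin')
                 THEN 'expected'
                 ELSE 'UNEXPECTED - review'
            END AS assessment
    FROM    sys.database_role_members AS drm
    JOIN    sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
    JOIN    sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
    WHERE   m.name = @app_user
    ORDER BY r.name;

    -- 2. Permissions granted or denied directly to the user. CONNECT is created
    --    by CREATE USER; EXECUTE appears if the stored-procedure grant was run.
    SELECT  pr.name AS grantee,
            pe.state_desc,
            pe.permission_name,
            pe.class_desc,
            CASE pe.class
                 WHEN 0 THEN DB_NAME()                       -- database-wide
                 WHEN 1 THEN OBJECT_SCHEMA_NAME(pe.major_id)
                             + N'.' + OBJECT_NAME(pe.major_id) -- object or column
                 WHEN 3 THEN SCHEMA_NAME(pe.major_id)        -- schema
                 ELSE CONVERT(nvarchar(20), pe.major_id)
            END AS securable
    FROM    sys.database_permissions AS pe
    JOIN    sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
    WHERE   pr.name = @app_user
    ORDER BY pe.class_desc, pe.permission_name;
    ```

    Running the same two queries on the other databases on the server should return no rows for this user, which confirms the account is confined to its own database.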

  4. Do you consider AzureSearch for your website?

    AzureSearch is designed to work with Azure based data and runs on ElasticSearch. It is still NEW as of today (27/4/2015) and doesn't expose all the advanced search features. You may be reluctant to choose it as your search engine because of the missing features and what seems to be an expensive monthly fee ($250 as of today). If this is the case, follow this rule:

    Consider AzureSearch if your website:

    1. Uses SQL Azure (or other Azure based data such as DocumentDB), and
    2. Does not require advanced search features.

    Consider ElasticSearch if your website:

    1. Requires advanced search features that aren't supported by AzureSearch

    Keep in mind that 1) hosting of a full-text search service costs you labour to set up and maintain the infrastructure, and 2) a single Azure VM can cost you up to $450. So do not drop the AzureSearch option unless the missing features are absolutely necessary for your site.


    Figure: Good Example - Azure website using AzureSearch for what it can deliver today


    Figure: Bad Example - Azure website using ElasticSearch for a simple search that AzureSearch can do
  5. Do you give users least privileges?

    Like other services, it is important that your company has a structured and secure approach to managing Azure Permissions.

    First a little understanding of how Azure permissions work. For each subscription, there is an Access Control (IAM) section that will allow you to grant overall permissions to this Azure subscription. It is important to remember that any access that is given under Subscriptions | "Subscription Name" | Access Control (IAM), will apply to all Resource Groups within the Subscription.

    Figure: Bad example - too many people have Owner permission on the subscription level
    Figure: Good Example - only Administrators that will be managing overall permissions and content have been given Owner/Co-administrator

    From the above image, only the main Administrators have been given Owner/Co-administrator access; all other users within the SSWDesigners and SSWDevelopers Security Groups have been given Reader access. The SSWSysAdmins Security Group has also been included as an owner, which will assist in case permissions are accidentally stripped from the current Owners.

  6. Do you have an Azure Spend $ master?

    Azure is Microsoft's Cloud service. However, you have to pay for every little bit of service that you use. 

    Before diving in, it is good to have an understanding of the basic built-in user roles:

    Figure: Roles in Azure

    More info:

    It's not a good idea to give everyone 'Contributor' access to Azure resources in your company. The reason is cost: Contributors can add/modify the resources used, and therefore increase the cost of your Azure build at the end of the month. Although a single change might represent 'just a couple of dollars', in the end, everything summed up may increase the bill significantly.

    The best practice is to have an Azure Spend Master. This person will control the level of access granted to users, providing "Reader" access to users who do not need to, or should not, make changes to Azure resources, and "Contributor" access to those users who need to add or modify resources, bearing in mind the cost of every change.

    Also, keep in mind that you should be giving access to security groups and not individual users. It is easier, simpler, and keeps things much better structured.

    Bad Example: Contributor access to the Developers group
    Good Example: Reader access to the Developers group
  7. Do You Know How to Backup Data on SQL Azure?

    Built-in Automatic Backup in Azure SQL Database

    Microsoft Azure SQL Database has built-in backups to support self-service Point in Time Restore and Geo-Restore for Basic, Standard, and Premium service tiers.

    You should use the built-in automatic backup in Azure SQL Database versus using T-SQL.

    T-SQL: CREATE DATABASE destination_database_name AS COPY OF [source_server_name].source_database_name

    Figure: Bad example - Using T-SQL to restore your database
    Figure: Good example - Using the built in SQL Azure Database automatic backup system to restore your database

    Azure SQL Database automatically creates backups of every active database using the following schedule: Full database backup once a week, differential database backups once a day, and transaction log backups every 5 minutes. The full and differential backups are replicated across regions to ensure availability of the backups in the event of a disaster.

    Backup Storage

    Backup storage is the storage associated with your automated database backups that are used for Point in Time Restore and Geo-Restore. Azure SQL Database provides up to 200% of your maximum provisioned database storage of backup storage at no additional cost.

    Service Tier | Geo-Restore | Self-Service Point in Time Restore | Backup Retention Period | Restore a Deleted Database

    Not supported
    Not supported

    Not supported
    Not supported

    7 days

    14 days

    35 days

    Figure: All the modern SQL Azure Service Tiers support backup. Web and Business tiers are being retired and do not support backup. Check Web and Business Edition Sunset FAQ for up to date retention periods.

    Learn more:

    Other ways to back up Azure SQL Database:

  8. Do you know how to find the closest Azure Data Centre for your next project?

    Here's a cool site that tests the latency of Azure Data Centres from your machine. It can be used to work out which Azure Data Centre is best for your project based on the target user audience:

    As well as testing latency it has additional tests that come in handy like:

    • CDN Test
    • Upload Test
    • Large File Upload Test
    • Download Test
    Figure: example
  9. Do you know the 9 important parts of Azure?

    To help you out, here is a list of the top 9 Azure services you should be using:

    1. Computing: App Services
    2. Best practices: DevOps Project
    3. Data management: Azure Cosmos DB (formerly known as Document DB)
    4. Security: Azure AD (Active Directory)
    5. Web: API Management
    6. Automation: Logic Apps
    7. Automation: Cognitive Services
    8. Automation: Bots
    9. Storage: Containers

    Watch the video


  10. Do You Know To Pay for Azure WordPress Databases?

    Setting up a WordPress site hosted on Windows Azure is easy and free, but you only get 20Mb of MySQL data on the free plan.

    Figure: Once you approach your 20Mb limit you will receive a warning that your database may be suspended
    Figure: If you are serious about your blog and including content on it, you should configure a paid Azure Add-on to host your MySQL Database when you set it up
    Figure: If you have already created your blog, navigate to your Web Site within the Azure portal, select Linked Resources, select the line for the MySQL Database and click the Manage link. This will open the ClearDb portal. Go to the Dashboard and click Upgrade
    References: John Papa: Tips for WordPress on Azure
  11. Do you know when to use Geo Redundant Storage?

    Data in Azure Storage accounts is protected by replication. Deciding how far to replicate it is a balance between safety and cost.

    Figure: It is important to balance safety and pricing when choosing the right replication strategy for Azure Storage Accounts

    Locally redundant storage (LRS)

    • Maintains three copies of your data. 
    • Is replicated three times within a single facility in a single region. 
    • Protects your data from normal hardware failures, but not from the failure of a single facility.
    • Less expensive than GRS
    • Use when:
      o Data is of low importance – e.g. for test websites, or testing virtual machines
      o Data can be easily reconstructed
      o Data is non-critical
      o Data governance requirements restrict data to a single region

    Geo-redundant storage (GRS)

    • The default when you create storage accounts.
    • Maintains six copies of your data.
    • Data is replicated three times within the primary region, and is also replicated three times in a secondary region hundreds of miles away from the primary region
    • In the event of a failure at the primary region, Azure Storage will failover to the secondary region.
    • Ensures that your data is durable in two separate regions.
    • Use when:
      o Data cannot be recovered if lost

    Read access geo-redundant storage (RA-GRS)

    • Replicates your data to a secondary geographic location (same as GRS)
    • Provides read access to your data in the secondary location
    • Allows you to access your data from either the primary or the secondary location, in the event that one location becomes unavailable.
    • Use when:
      o Data is critical, and access is required to both the primary and the secondary regions
    More reading
  12. Do you shutdown VM's when you no longer need them?

    Often we use Azure VMs for presentations, training and development. As there is a cost involved to store and use the VM, it is important to ensure that the VM is shut down when it is no longer required.

    Shutting down the VM will prevent compute charges from being incurred. There is still a cost involved for the storage of the VHD files, but these charges are a lot less than the compute charges.

    The following is stated on "Stop your virtual machines and we will stop billing them within a minute. " Please note that is for MSDN Azure subscriptions.

    You can shut down the VM either by making a remote desktop connection to the VM and shutting down the server, or by using the Azure portal to shut down the VM.

    Figure: Azure Portal