Home Microsoft Azure Fundamentals (AZ-900) Notes
Post
Cancel

Microsoft Azure Fundamentals (AZ-900) Notes

Cloud Concepts

Benefits of cloud computing

Scalability: ability to accommodate a larger load by making the hardware stronger(vertical), or by adding nodes (horizontal)

Elasticity: once a system is scalable, elasticity mean that there will be ‘auto scaling’, based on the load, this is cloud friendly : pay per use, match, optimize costs

Agility: (not related to scalability), new IT resources are only a click away, it mean that you reduce the time to make those resources available to your developers from weeks to minutes

Availability: goes in hand with horizontal scaling, mean running your application at least in 2 availability zones, the goal is to survive a data center loss (disaster)

Differences between CapEx and OpEx and Consumption-based model

Capital Expenditure (on-premise): Purchasing some assets upfront (servers) and I need to use for a certain time Operational Expenditure (the cloud): Consumption by the pay for what i use as i am use it, gives flexibility

A consumption-based pricing model is a service provision and payment scheme in which the customer pays according to the resources used. This model is essentially the same as the utility computing payment structure and those of other utilities, such as water and electricity.

Differences between categories of cloud services

Infrastructure as a Service (IaaS)

  • Provide building blocks for cloud IT
  • Provide networking, computers, data storage space
  • Highest level of flexibility
  • Simulate the look from managing physical resources
  • Eg: VMs, Blob Storage, GCP, Digital Ocean, Elastic Load Balancing

Platform as a Service (PaaS)

  • Remove the company to manage underlying infrastructure
  • Focus on deployment and management of applications
  • You will define the behavior and environment for your application (code)
    • Eg: Heroku, EKS, ACI

Software as a Service (SaaS)

  • Completed product that is run and managed by the service provider
  • offer services meant to be accessed by end users
  • Eg: Gmail, Outlook, Recognition for ML, Zoom

Shared Responsibility model:

Differences between types of cloud computing

Cloud computing is the delivery of computing services—including servers, storage, databases, networking, software, analytics, and intelligence—over the Internet (“the cloud”) to offer faster innovation, flexible resources, and economies of scale. You typically pay only for cloud services you use, helping you lower your operating costs, run your infrastructure more efficiently, and scale as your business needs change.

  • Public Cloud: Limitless, many regions, over internet, like Azure, AWS or GCP
  • Hybrid Cloud: We are using both, like provide some services from my servers and in busy days provide from the cloud
  • Private Cloud: Management of servers, more customizable, we can bring azure capabilities on premise with Azure Stack and Azure arc

Azure Core Services

Core Azure Architectural Components

Region

A region is a group of data centers that interact to provide redundancy and availability for the services hosted within that region. For example, West US, Central US and North Central US are three of many regions, each one is paired with another in the same geography to allow replication of resources and reduce data loss. Microsoft establishes and controls the pairing of regions, you cannot choose a region pair, however you choose the region in which deploy a service, which indirectly determines which other region is in the pair.

Availability Zones

They area data centers that are grouped in regions with low latency connection, we can pick up to 3 AZ when deploying a service, there are no correlation between buildings and subscriptions.

Azure availability zones-enabled services are designed to provide the right level of resiliency and flexibility. They can be configured in two ways. They can be either zone redundant, with automatic replication across zones, or zonal, with instances pinned to a specific zone. You can also combine these approaches.

Some organizations require high availability of availability zones and protection from large-scale phenomena and regional disasters. Azure regions are designed to offer protection against localized disasters with availability zones and protection from regional or large geography disasters with disaster recovery, by making use of another region.

Resource Groups

Like a logical container for your resources, you can apply various properties to the resource group and those properties apply to all the resources in that resource group, keep in mind these list when create resource group:

  • Lifecycle: All resources should share the same lifecycle for deployment, updates and deletion
  • Resource Assignment: A resource can exist in only one group, but you can add or remove a resource to or from the group as needed. You can also move resources from one group to another.
  • Resource Interaction: resources from different resource groups can interact each other
  • Deletion: When you delete a resource group, all resources in the group are deleted
  • Creation: You can use Azure portal, PowerShell, Azure CLI or an Azure resource manager template to create a resource group
  • Tags: You can apply tags to a resource group to differentiate areas in your organization, the tag applies only to the resource group and not the resources inside the group, think like is only a label of the resource group, however you can put tags in the resources inside
  • A resource group can contain resources from any region, not just the region in which the resource group is located

Azure Subscription

A resource group serves as a logical container for resources, Azure Subscriptions serves the same but a higher level, like a box that contains all your resource group boxes, also a resource group only exist in one subscription.

Azure Subscriptions can serve as:

  • Administrative boundaries (control security, resources and policies)
  • Payment Agreement, ex: pay-as-you-go offer tied to a credit card billing each month
  • Legal Agreement with specific Azure plan, each with its own rate plan, terms and conditions ex: free trial

Management Groups

  • Useful for managing access, policies and compliance for your subscriptions
  • Level of scope above subscriptions
  • Use case: limit regions available for VMs creations

Hierarchy of management groups and subscriptions

Resource Manager

  • Everything in azure is a resource (vm,db,etc..)
  • Useful for manage resources, serving as a deployment service for azure
  • ARM support use of templates to create, manage resources in JSON format
  • You can automate the deployment of an entire Azure environment by using templates, only need to declare what you want to create and the properties, and the ARM passes that information to Azure providers

Core Azure Services

Virtual Machines (IaaS)

  • Full control over OS
  • Maintain and patch VM image
  • Has scalability, flexibility
  • You can move from host to host due to the metadata that defines the VM

Virtual machine scale sets

  • Simplify the creation and managing a group of load-balanced VMs
  • Scale in or scale out to adjust the demand
  • Enables high availability in themselves (up to 1000 VMs or 600 custom images)
  • Created from the same OS image (same applications and config)
  • You can use AZs to further improve availability by distributing the VMs across multiple data centers

Availability Set

  • Help avoid potential outages caused by hardware issues and update VMs without causing the set to be unavailable
  • Fault Domain: Group of hardware that shares a power source and network switch, similar to a rack
  • Update Domain: Group of hardware thar undergoes maintenance activities or reboot events at the same time
  • Availability sets distributes VMs across multiple fault domains and update domains

Azure App Service

  • PaaS Service that enables quickly develop and deploy web apps
  • Support .net, java, ruby, python, etc.. and Windows or Linux OS and docker containers
  • Offers load balancing, autoscaling, automated management(updates), security features and templates from Marketplace

Azure Container Instances (ACI)

  • Offers the fastest and simples way to run a container in Azure is a PaaS service where you upload your container and runs for you
  • Cost saving because you are only paying for consumption of CPU and memory used by container, rather than paying a VM
  • Serves as a virtual environment that includes the resources necessary for its hosted application to function
  • Designed to be created, scaled out and stopped dynamically

Azure Kubernetes Service (AKS)

  • AKS is a container orchestration service that monitors health
  • Provides scalability and resource sharing among container in a Kubernetes cluster
  • This service is a complete orchestration for containers with distributed architectures and large volume, can use the same image for deploying

Windows Virtual Desktop (WVD)

  • Enables your users to use a cloud-hosted version of Windows from any location
  • Azure Virtual Desktop works across devices like Windows, Mac, iOS, Android, and Linux
  • Good for users working from home, rather than provision a new Windows device
  • Provide best user experience, enhance security, simplified management performance management and multi-session win 10 enterprise deployment

Core Azure Storage

Blob Storage

  • Optimized to store large amount of unstructured data
  • Accessed through HTTP or HTTPS, Azure Storage API, Azure Powershell, Azure CLI or Azure storage client library
  • Similar to S3 from Amazon Web Services
  • Tiers:
    • Hot access: Optimized for storing frequently accessed data
    • Cool access: Optimized for data you access infrequently or for a relatively limited period of time
    • Archive access: Data that you rarely access, ex:long-term storage backups
  • Hot an cool stores data online, but cool means lowe storage cost but higher access cost

Disk Storage

  • Attached to a VM, like a physical disk in a server, 99.999 availability through replicas
  • Offer three main types: data disk, OS disk and temporary disk
  • OS and data disks are persistent, they don’t go when you reboot your VM
  • Support server-side-encryption and disk encryption
  • Server-side-encryption is enabled by default with bitlocker(Windows) and DM-Crypt(Linux), meet compliance and policy requirements
  • Disk encryption enables you to encrypt OS and data disks

File Storage

  • Files that are available from anywhere in the world but not associated with a VM or volume letter
  • Can be accessed by Server Massage Block (SMB) or Network File System (NFS)
  • Used for replacing existing data on premise file servers, moving data from on-premise to Azure and sharing data required by apps

Storage Accounts

  • Before you use storage in Azure you must create an storage account, this account provides an unique name through which you can access these objects via HTTP or HTTPS
  • Types of account:
    • General-purpose v1: Legacy account type intended for blobs, files, queues and tables
    • General-purpose v2: Intended for blobs, files, queues as well as Data lake Gen2
    • BlockBlobStorage: Intended for block blobs and append blocs in high-performance such as high transaction rates and for low latency
    • FileStorage: Intended for files-only storage scenarios where premium performance is required
    • BlobStorage: Legacy blob-only storage account type

Core Data Services

SQL Server on Azure VMs

  • Good for fast migration of SQL server from on-premise to Azure with retention of operating system access
  • Enables lift-and-shift from an on-premise datacenter to Azure with ease, while maintaining compatibility

Azure SQL Database

  • You should use this solution for Cost-effective, serverless database with an intermittent usage pattern and a low compute utilization over time
  • Abstracts all the infrastructure needed to host a SQL database
  • Is a PaaS in which Microsoft manages maintenance like upgrades, patching and monitoring to ensure 99.99 uptime
  • You only focus on creating the SQL database and managing tables, views, etc

Azure SQL Managed Instances

  • Is a PaaS service that provides scalable cloud data service without need to deploy hardware
  • Enables frictionless migration to Azure with minimal application and database changes, at the same time it eliminates overhead for the management of underlying infrastructure
  • Differences with azure SQL
    • SQL MI offers features for auditing, authentication, backups,
    • change data capture (CDC)
    • common languaGe runtime (CLR)
    • linked servers, OPENQUERY…
  • Can integrate with the Azure Data Migration Server, enable easy move from on-premise to Azure managed instance

Cosmos DB

  • Multimodel Database: scale data out to multiple Azure regions in the globe
  • Provides excellent elasticity in both throughput and storage, good for peak hours
  • Supports SQL and NoSQL databases like MongoDB, Cassandra, Gremlin API (massive graphs)

Azure Database for MySQL

  • Serverless service, only focus on your MySQL databases without worrying about the infrastructure
  • If you see the LAMP (Linux, Apache, MySQL, PHP) stack for development in the exam think about MySQL

Azure Database for PostgreSQL

  • PaaS service, support PostgreSQL database engine with scalability, elasticity, high availability and more
  • PostgreSQL is appropriate in situations where you want to deploy and manage PostgreSQL databases without worrying about underlying infrastructure

Azure Database Migration Service

  • Supports variety of database migrating scenarios for offline and online migrations
  • Offline occurs when the resource is not in use
  • In an online migration the data is synchronized from the live source to the target and then the app is cut over the new instance of the database

Core Networking Services

Virtual Networks

  • VNet enables virtual machines and other services to communicate among themselves, with the internet and with your on-premise network
  • VNets adds availability and scalability to your network resources in Azure
  • When you create a VNet you specify the private IP adress space that the VNet will use
  • VNets are scoped to a single region and subscription but span in all AZs in each region
  • You can use virtual network peering to connect VNet across regions with the same latency if they where on the same virtual network

Load Balancers

  • Distribute network traffic across multiple resources to improve responsiveness, reliability and availability
  • Azure offer four load balancing services:
    • Azure Front Door:
      • Designed for global or multiregion routing and site acceleration, uses the Microsoft global edge network to enable fast, secure and scalable web applications
      • Support URL path based like application gateway, but this is globally distributed (caching, high availability, fast failover)
    • Azure Traffic Manager:
      • Is an application layer DNS-based traffic that balances traffic at the domain level across global Azure regions, offers options for routing and detecting point health
      • Appropriate for DNS-based global routing, detecting endpoint health and routes traffic to the data center closest to the users
    • Azure Application Gateway:
      • Provides application delivery controller (ADC) as a service, applicable for HTTPS traffic and can route traffic based on incoming URL, URI path, and host headers
      • Good for HTTP(S) traffic, for example when the URL includes videos in the path and you want to direct traffic to a set of web servers
    • Azure Load Balancer
      • Is a transport layer service designed for high performance and low latency, support zone-redundant and applies for non HTTP(S) traffic
      • Good for balancing traffic among multiple database VMs

Azure VPN Gateway

  • VPN establishes an encrypted tunnel between two private networks across public network
  • For example: you can establish a secure connection between your on-premise network and your resources in azure
  • Supports multiple VPN configurations:
    • Site-to-site: Establishes a VPN between two sites, such as between your on premise data center and azure
    • Multi-site: Establishes VPN tunnels between azure and multiple on-premise sites
    • Point-to-site: Establishes a VPN tunnel from a single device (point) to a site
    • VNet-to-VNet: Establish a VPN between two Azure VNets

ExpressRoute

  • Create private connection between Azure Datacenters and infrastructure on premise (cost saving)
  • Don’t go over the public internet, and offer more reliability, faster speeds, and lower latencies than typical internet connections

Content Delivery Networks (CDN)

  • Places web content across networks to make readily available to users on their location
  • Example: If a user in USA want to see a video that you host in Italy, you could place those files in CDN that has a point of presence in Virginia, when the user access this file, the file come from the cached copies in the CDN, rather than your server in Italy
  • Each file has a time-to-live (TTL) property that determines when the file should be refreshed from the source to the cache

Summary

  • Networking Addressing: Devices on a network are assigned a network address, subnets create virtual networks to segregate devices within an address space, when you create a resource you specify the address segment and the IP (static or dynamic)
  • Routing: Routers move network traffic between network segments, make possible to communicate between public networks and private networks with public ones
  • Domain Name Service (DNS): Provides a hots-to-address resolution, enabling application to determine the IP address associated with a hostname
  • Virtual Private Network: Creates an encrypted tunnel between two private networks across public networks
  • Load Balancer: Distributes traffic to a group of servers or services, enabling the load to be shared among them, and enables fault tolerance
  • Express Route: Establish a secure VPN connection bypassing the internet, connects directly to the Microsoft global network
  • Content Delivery Network (CDN): CDN places content near users and reduce network traffic and latency

Core Solutions and Management Tools

Internet of Things (IoT)

Azure IoT Hub

  • Azure-hosted service that server as message hub between IoT devices and Azure services
  • Requires you to write code to connect IoT devices
  • Supports multiple protocols, SDK, highly scalable which means it can integrate billions of devices
  • Support multiple communication and control functions, including:
    • Device-to-cloud telemetry to collect data
    • Device-to-cloud file upload to collect and transfer data
    • Request/reply methods for controlling devices from the cloud
    • Monitoring
  • IoT hub can route messages received to other Azure services
  • Can not support analyzing of telemetry data

Azure IoT Central

  • SaaS solution to build IoT solutions without development expertise
  • Builds on the functions provides by IoT Hub to provide dashboards for control, management features
  • You can connect new devices, view telemetry, view overall device and create alerts to notify you
  • You can use device templates, which allow you to connect new devices without any coding in IoT central
  • This solution supports device-to-cloud messaging and per-devide identity

Azure Sphere

  • Integrated IoT solution that consist of three key parts:
    • Azure Sphere micro controller unit (MCUs): Hardware component built in the IoT device
    • Management software: Custom linux OS that manages communication with security service
    • Azure Sphere Security Service (AS3): Handles certificate-based device auth to Azure, updates the software to prevent vulnerabilities in the device

Data Analytics

Data Lake Analytics

  • Big Data solutions that allows developers to write code with a mixture of SQL and C# syntax, the language is called U-SQL
  • Allows developers to user their existing skills to process data a large-scale

    Azure Synapse Analytics

  • Good if you are looking for distributed query solution, that works with machine learning
  • Offers serverless and dedicated resource model, requires the use of five different application components which forms an Azure Synapse cluster

HDInsight

  • Managed Apache Hadoop service that lets you run Apache Spark, Hive, Kafka, HBase and more (big data)
  • Makes ease, fast and cost effective to process massive amounts of data in a customizable environment
  • Some of its capabilities are:
    • Cloud Native
    • Low-cost and scalable
    • Secure and Compliant
    • Monitoring
    • Global, productivity

Azure Databricks

  • Is an Apache Spark based analytics platform designed to provide collaborative analytics workflow
  • Data analytics platform optimized for Azure, offers three environments for developing apps:
    • Databricks SQL: easy-to-use platform, run SQL queries on their data lake, build and share dashboards
    • Databricks Data Science & Engineering: enables collaboration, for big data pipelines, can work with apache kafka and IoT hub, Spark
    • Databricks Machine Learning: integrated end-to-end ML environment with managed services for experiment tracking, model training, feature development and model serving

Azure Event Hub

  • PaaS service offering that can ingest and process millions of events per second from websites, mobile apps, and IoT devices
  • It can be part of big data streaming or feed a real time analytics solution

Azure Stream Analytics

  • PaaS solution designed to process high volumes of fast streamed data from sources like sensors, IoT devices and apps
  • Identify patterns and relationships in the streamed data to trigger actions, initiate workflows, feed reporting tools and redirect data to storage solutions

    Artificial Intelligence

    Azure Machine Learning

  • Through testing you determine the model that provide the most accurate predictions
  • Can use Machine Learning Studio (portal web) for create no-code solutions using a selection of tools (drag-and-drop), also manage assets and resources
  • You should use Machine Learning service when you want to create machine learning algorithms by using python, there are thousands of open-source Python packages with machine learning components
  • Machine Learning Studio allows you to use built-in algorithms, not write custom algorithm in python

Azure Cognitive Services

  • Provide ML models designed to interact with humans and execute cognitive function that humans would normally do, the following list summarizes the services:
    • Language: To process natural language to determine, for ex: the user question or sentiment
    • Speech: Convert speech into text or text into speech, can translate one language to another, recognize and verify the speaker
    • Vision: Provides identification for analyzing images, videos and similar visual data
    • Decision: Personalize user experience with recommendations, remove offensive content…

Azure Bot Service

  • Enables you to create virtual agents to interact with users
  • Answer questions, get information and start activities with other azure services
  • Can use all the cognitive services to do activities like understand what user is asking

Azure Marketplace

  • Provides purchase and subscriptions links to certified cloud applications and solutions from Microsoft and its technology partners
  • All solutions offered are certified through the Microsoft Azure Certification Program
  • This ensures compatibility with the Azure public cloud
  • Offerings include:
    • API applications
    • Azure AD applications
    • Data services
    • Developer Services
    • VMs and Web apps

      Serverless Computing

Azure Function

  • If you used AWS, is similar to Lambda function, enables you to host a single method that runs in response to an event
  • You can use different programming languages to code this function
  • Scales automatically, pay only for the time and resources needed while function is running
  • Is stateless, does not store it state from every execution, executes the same every time
  • Excellent solution for building small blocks of code that run for a very short time in response to an event

Azure Logic Apps

  • More complex than a function, like a workflow, create no-code and low-code solutions to automate and orchestrate tasks, business processes and workflows
  • Build the apps using web-based design environment by connecting triggers to actions with various connections, ex: a message arriving a queue is a trigger, this event pass the massage to other service
  • Priced based on the number of executions and the type of connectors that the app uses

Azure Event Grid

  • Provides solution for building event-driven architectures that subscribe to Azure resources and route events for different endpoints
  • Event grid can subscribe to a variety of Azure resources including storage resources, resource groups and IoT Hubs
  • Events can be filtered before being forwarded to appropriate event handlers for processing

DevOps

Azure DevOps Services

  • Is a group of services that enables and support multiple stages in development process, include the following:
    • Azure Artifacts: Repository for storing development artifacts such as compiled source code
    • Azure Boards: Manage individuals items, task, features and bugs
    • Azure Pipelines: Automatically build and test code projects
    • Azure Repos: Source code repository for collaborating on development projects
    • Azure Test Plans: Automated testing tool for code

Github Actions

  • Offers many of the same functions as Azure DevOps
  • Github is the appropriate choice for collaborating on open source projects and DevOps is the appropriate choice for enterprise/internal projects

Azure DevTest Labs

  • Automates deployment, configuration and decommissioning of VMs and Azure resources
  • You can decommission all those services so that you pay only for the resources you need for testing while your are testing them
  • Can use ARM templates to deploy any type of resource, however DevTest Labs does not provide monitoring, alerting or telemetry services to monitor those resources

Azure Management Tools

Azure Portal

  • Web interface that enables you ti view, create and manage Azure resources and services
  • Easy to use because it offers a familiar web-based user experience, also provides a wealth of visualization tools and reports
  • You can encounter dashboards, blade or resource panel
    • A blade is a panel that slides out in a navigation sequence, it represents a single level navigation hierarchy, each blade provides either information or configuration option
    • A dashboard is a collection of customizable tiles that are displayed in the portal, you can add remove and reposition tiles as you wish
    • A resource panel is the left-most panel in the portal, is lists the main resource types that are available

Azure PowerShell

  • Scripting environment to execute commands to perform management tasks in Azure through Azure REST API
  • Those scripts can be simple or complex, potentially deploying hundreds of resources in short period
  • You can access powershell through Azure Cloud shell

Azure CLI

  • If you are experienced with Bash, this is your best option, is a driven scripting environment that also uses REST API
  • You can access via web browser through the Azure Cloud Shell

Azure Cloud Shell

  • Web based interface that enables you to run Azure PowerShell, Bash and Azure CLI commands and scripts
  • A storage account is required to use Azure Cloud Shell

Azure Mobile App

  • Enables you to manage Azure resources from your mobile device
  • Is not great management solution for complex tasks, but you can do basic functions with your apps like reset a web app

Azure Advisor

  • Personalized cloud consultant that helps you follow best practices to optimize your Azure deployments
  • Analyzes your resource configuration and usage telemetry to give the best recommendations
  • Gives you recommendation based on:
    • Operational Excellence
    • Security
    • Reliability
    • Performance efficiency
    • Cost Optimization

Azure Monitor

  • Helps you maximize the availability and performance of your apps and services
  • Collect, analyze and acting on telemetry from your cloud and on-premise environments to understand how your apps are performing and identify issues affecting them and the resources they depend on
  • With Azure Monitor you can:
    • Detect issues across applications and dependencies
    • Drill into your monitoring data for troubleshooting
    • Create visualizations with azure dashboards
    • Create actions that execute automatically in response to alerts

Azure Service Health

  • Keep you informed about the health of your cloud resources
  • Include current and upcoming issues such as service impacting events, planned maintenance, …
  • Combination of three separate smaller services
    • Status page: Provides information on Azure services globally to help you see at a glance what services are affected in what regions
    • Service Health: Gives you information about service issues, planned maintenance, health advisories, and security advisories in a dashboard
    • Resource Health: Tracks the state of the resources you have deployed to Azure to give you visibility to any ongoing or historical issues with those resources

General and Network Security

Azure Security

Azure Security Center

Monitoring service that provides threat protection across both azure and on-premise datacenters

  • Support Windows and Linux OS
  • Integrates natively with Microsoft Defender to provide risk detection and assessment with threat intelligence
  • Provide security recommendations
  • Detect and block malware
  • Analyze and identify potential attacks
  • Just-in-time access control for ports
  • Capabilities:
    • Policy Compliance
    • Continuous assessments
    • Tailored recommendations
    • Threat protection

Azure Sentinel

  • Security information management (SIEM) and security automated response (SOAR) solution that provides security analytics and threat intelligence across an enterprise
  • A playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert
  • A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when alerts are triggered
  • Playbooks can be used to sync you Microsoft Sentinel incidents with other ticketing system
  • Connector and Integrations:
    • Ofiice 365
    • Azure Active Directory
    • Azure Advances Threat Protection

Azure Key Vault

Stores application secrets in a centralized cloud location to securely control access permission and access logging

  • Securely store cryptographic keys and other secrets
  • Secret management
  • Key management
  • Certificate management
  • Storing secrets backed by hardware security modules (HSMs)

Azure Dedicated Host

Provides physical servers that host one or more Azure virtual machines that is dedicated to a single organizations workload

  • Hardware isolation at the server level
  • Control over maintenance event timing
  • Aligned with Azure Hybrid Use Benefits

Network Security

Defense in depth

  • Layered approach to securing computer system
  • Provides multiple levels of protection
  • Attacks against one layer are isolated from subsequent layers
  • Combining network security solutions to maximize the defense

Network Security Groups (NSG)

Filter network traffic to and from Azure resources on Azure Virtual Networks

  • Set inbound and outbound rules to filter by source and destination IP address, port, and protocol
  • Add multiple rules, as needed, within subscription limits
  • Azure applies

Application Security Groups (ASG)

  • Enable you to group servers based on applications running on them and manage security for them as a group
  • Rather than apply rules in the NSG to the VMs where applicaction servers reside, you create a ASG and add VMs to it, and then create the NSG and reference the ASG in it
  • The NSG rules then apply to the VMs in the ASG

    Azure Firewall

    A stateful, managed Firewall as a Service (FaaS) that grants/denies server access based on IP address, in order to protect network resources in the perimeter layer

  • Applies inbound and outbound traffic filtering rules
  • Built-in high availability
  • Unrestricted cloud scalability
  • Uses Azure Monitor logging

Azure Distributed Denial of Service (DDoS) protection

DDoS attacks overwhelm and exhaust network resources, making apps slow or unresponsive

  • Sanitizes unwanted network traffic before it impacts service availability
  • Basic service tier is automatically enabled in azure
  • Standard service tier adds mitigation capabilities that are tuned to protect Azure Virtual Network resources

Identity, Governance, Privacy and Compliance

Azure Identity

Compare Authentication and Authorization

Authentication:

  • Identifies the person or service seeking access to a resource
  • Requests legitimate access credentials
  • Basis for creating secure identity and access control principles
  • Can use certificates to identify a person or service

Authorization:

  • Determine an authenticated person or service level of access
  • Defines which data they can access, and what they can do with it
  • Can not use passwords to identify a person

Azure Multi-Factor Authentication

Provides additional security for your identities by requering two or more elements for full authentication

  • Something you know (password, pin)
  • Something you possess (phone, key)
  • Something you are (biometric control)

Azure Active Directory (AAD)

Is Cloud bases identity and access management service

  • Authentication (employees sign-in to access resources)
  • Single sing-on (SSO)
  • Application management
  • Business to Business (B2B)
  • Business to Customer (B2C) identity services
  • Device managements
  • Plans:
    • Azure AD Free: Provides management of users and groups, synchronization with on-premises AD, basic reporting, SSO, Microsoft 365
    • Azure AD Premium P1: Includes all features in free along with the capability to access on-premise resources, support dynamic groups, self-service group management, Microsoft Identity Manager
    • Azure AD Premium P2: All the P1 features along with Azure AD Identity protection for conditional access to apps and critical data, and Privileged Identity Management for discover, monitor, restrict access to resources
  • Can integrate with RBAC to control who has access to specific Azure Resources, what actions they can take and what areas they can access
  • To use RBAC in azure, you create a role assignment that consists of a security principal, role definition and scope
  • Security Principal=who, Role=what, and Scope=where

    Conditional Access

    Is used by Azure Active Directory to bring signals together, to make decisions and enforce organizational policies

  • User or Group Memberships
  • IP Location
  • Device
  • Application
  • Risk Detection

Azure Governance

Explore Role-based access control (RBAC)

  • Fine-grained access management
  • Segregate duties within the team and grant only the amount of access to users that they need to perform their jobs
  • Enables access to the Azure portal and controlling access to resources

Resource Locks

  • Protect your Azure resources from accidental deletion or modification
  • Locks can not be applied to specific users or roles, it applies to all users and roles
  • Manage locks at subscription, resource group, or individual resource levels within Azure Portal
  • Two Types:
    • CanNotDelete ( You can read, update but not delete)
    • ReadOnly ( You can read, but not update or delete)

Tags

  • Provides metadata for your Azure resources
  • Useful to differentiate areas in your company
  • Up to 50 tag per resource by default

Azure Policy

Helps to enforce organizational standards and to access compliance at-scale. Provides governance and resource consistency with regulatory compliance, security, cost, and management

  • Evaluates and identifies Azure resources that do not comply with your policies
  • Provides built-in policy and initiative definitions, under categories such as Storage, Networking, Compute, Security Center, and Monitoring

Azure Policy Initiative

  • Is a collection of Azure policies definitions, usually grouped with the aim of achieving a single goal
  • Initiatives are used to simplify managing and assigning policies
  • When a initiative assignment is evaluated, all policies in that initiative are evaluated
  • An initiative can only contain policies that area located in the same subscription, however you can assign a single initiative to scopes across multiple subscriptions or management groups
  • Azure Blueprints

    Makes it possible for development teams to rapidly build and stand up new environments. Developments team can quickly build trust through organizational compliance with a set of built-in components (such as networking) in order to speed up development and delivery

  • When a blueprint is updated and the updated version is published, any assignments of the blueprint are not updated automatically
  • When a blueprint is unassigned, all resources assigned by the blueprint remain in place, but blueprint resource locking is removed, this results int the deletion of the blueprint assignment object
  • When you delete a core blueprint, any assigned versions of the blueprint remain in place, a blueprint must be unassigned before it can be deleted
  • Role Assignments
  • Policy Assignments
  • Azure Resource Manager Templates
  • Resource Groups

Cloud Adoption Framework

  • The one Microsoft approach to cloud adoption in Azure
  • Best practices from Microsoft employees, partners and customers
  • Tools, guidance, and narratives for strategies and outcomes
  • Strategy: Define the business justification and the expected outcomes of adoption
  • Plan: Align actionable adoption plans with business outcomes
  • Ready: Prepare the cloud environment for the planned changes
  • Develop new cloud-native or hybrid solutions

Azure Compliance

Security, Privacy and Compliance

  • Security: Secure by design. With built in intelligent security, Microsoft helps to protect against known and unknown cyberthreats, using automation and artificial intelligence
  • Privacy: We are committed to ensuring the privacy of organizations through our contractual agreements, and by providing user control and transparency
  • Compliance: We respect local laws and regulations and provide comprehensive coverage of compliance offerings

Online Service Terms and Data Protection Addendum

  • Online Service Terms: The licensing terms define the terms and conditions for the products and Online Services you purchase through Microsoft Volume Licensing programs
  • Data Protection Addendum: The DPA sets forth the obligations, with respect to the processing and security of Customer Data and Personal Data, in connection with the Online Services

Azure Pricing and SLA

Planning and managing costs

Factors affecting costs

There are six primary factors affecting costs

  • Resource type
  • Services: Azure usage rates and billings can differ between Enterprise, Web Direct, and CSP customers
  • Location
  • Bandwidth: inbound data is free, but outbound is priced based on zones
  • Reserved Instances: reservations reduce your resource costs up to 72% on pay-as-you-go prices
  • Azure Hybrid Use Benefit: For customers with Software Assurance, you can use your licenses on Azure to reduce costs

Pricing Calculator

  • You can estimate the total costs of the services your are willing to use
  • You only need to select the resource and specify the parameters like region, OS, tier, time
  • You can export, save or share the price for the solution

Total Cost Ownership Calculator (TCO)

  • A tool to estimate cost saving you can realize by migrating to Azure
  • A report compares the costs of on-premises infrastructures with the costs of on-premises infrastructures with the costs of using Azure products and services in the cloud

Azure Cost Managements

  • Reporting billing reports
  • Data enrichment
  • Budgets - set spend budget
  • Alerting - when costs exceed limits
  • Recommendation - cost recommendations

Azure SLAs and Service Lifecycle

Service Level Agreements (SLAs) describes Microsoft commitments for uptime and connectivity

  • SLAs are based on individual products and services

SLAs for Azure products and services

  • Performance targets are expressed as uptime and connectivity guarantees
  • Performance-targets range from 99% to 99.999%
  • If a service fails to meet the guarantees, a percentage of the monthly bill can be refounded

Composite SLAs

  • Is the result of combining services with potentially differing SLAs, for example VMs and Azure SQL Database, one with 99.9 percent and the other with 99.99 percent, to determine the composite SLA, you simply multiply the SLA values for each resource

Actions that affect SLAs

Lower you SLA:

  • Adding more services
  • Choosing free or non-SLA services

Raise your SLA:

  • Availability Zones
  • Redundant systems Many factors can raise or lower your SLA, design decisions based on business goals will drive your SLA goals

Service Lifecycles

Determines how a product is released and supported, azure provides two lifecycle phases: preview and general availability

Azure Preview Program

  • Azure features in the preview phase (beta testing)
  • Preview features are not subject to SLAs and the limited warranty outlined in the Online service terms
  • In general public previews are available to everyone, in some cases Microsoft offer private previews to selected organizations by invitation
  • Can be configured at the organization or user level

    General Availability

  • The next step is general availability, these services are subject to the published SLAs and other service terms and warranties defined by the Online Service Terms
  • Moving the GA does not guarantee that a service will always be offered
  • Azure provides for a minimum of 12 months notice before a GA feature is retired
This post is licensed under CC BY 4.0 by the author.

Cross-site scripting (XSS)

Attacking Json Web Tokens