
Azure

NOTE

Content extracted from Microsoft Learning resource.

Physical Infrastructure

Azure Physical Infrastructure
  • Regions

    • A region is a geographical area on the planet that contains at least one, but potentially multiple datacenters that are nearby and networked together with a low-latency network.
  • Availability Zones

    • Physically separated datacenters within an Azure region. Each availability zone is made up of one or more datacenters equipped with independent power, cooling, and networking.
    • Each zone is an isolation boundary, so resources spread across zones gain high availability through redundancy.
    • A minimum of three separate availability zones are present in all availability zone-enabled regions. However, not all Azure Regions currently support availability zones.
    • Azure services that support availability zones fall into three categories:
      • Zonal services: Resource is pinned to a specific zone.
      • Zone-redundant services: The platform replicates automatically across zones (for example, zone-redundant storage, SQL Database).
      • Non-regional services: Services are always available from Azure geographies and are resilient to zone-wide outages as well as region-wide outages.
  • Region pairs

    • Most Azure regions are paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away.
    • Not all Azure services automatically replicate data or automatically fall back from a failed region to cross-replicate to another enabled region. In these scenarios, recovery and replication must be configured by the customer.
  • Sovereign Regions

    • Instances of Azure that are isolated from the main instance of Azure, used for compliance or legal purposes.

Management Infrastructure

A resource is the basic building block of Azure. Anything you create, provision, deploy, etc. is a resource. Virtual Machines (VMs), virtual networks, databases, cognitive services, etc. are all considered resources within Azure.

Resource groups are simply groupings of resources. Note that resource groups can't be nested.

A subscription is a unit of management, billing, and scale. An Azure account requires at least one subscription; where several exist, each can have its own billing model and its own access-management policies.

Additional subscriptions can be used for resource or billing management purposes, such as separating production and test environments, isolating data for compliance, reflecting organizational structure, or splitting billing.

Azure management groups provide a level of scope above subscriptions for organizations with many applications and development teams across multiple geographies. Use cases include:

  • Create a hierarchy that applies a policy.
  • Provide user access to multiple subscriptions with Azure role-based access control.

Important facts about management groups:

  • 10,000 management groups can be supported in a single directory.
  • A management group tree can support up to six levels of depth. This limit doesn't include the root level or the subscription level.
  • Each management group and subscription can support only one parent.

Virtual Machines

Considerations

  • Size (purpose, number of processor cores, and amount of RAM)
  • Storage disks (hard disk drives, solid state drives, etc.)
  • Networking (virtual network, public IP address, and port configuration)

VM Scale Sets

  • Lets you create and manage a group of identical, load-balanced VMs.
  • Automatically deploys a load balancer to make sure that your resources are being used efficiently.
  • Suitable for building large-scale services for areas such as compute, big data, and container workloads

VM Availability Sets

  • Designed to ensure that VMs stagger updates and have varied power and network connectivity, so that a single network or power failure doesn't take down all of your VMs.

  • Groups VMs in two ways:

    • Update domain: Groups VMs that can be rebooted at the same time, so updates can be applied knowing that only one update domain is offline at a time. All of the machines in one update domain update together, and the group is given 30 minutes to recover before maintenance on the next update domain starts.
    • Fault domain: The fault domain groups your VMs by common power source and network switch. By default, an availability set splits your VMs across up to three fault domains. This helps protect against a physical power or networking failure by having VMs in different fault domains (thus being connected to different power and networking resources).

Azure App Service

Azure App Service is another hosting option besides VMs and containers. It is HTTP-based and enables hosting web apps, background jobs, mobile back-ends, and RESTful APIs in the programming language of your choice without managing infrastructure.

App Service handles most of the infrastructure decisions you deal with in hosting web-accessible apps:

  • Deployment and management are integrated into the platform.
  • Endpoints can be secured.
  • Sites can be scaled quickly to handle high traffic loads.
  • The built-in load balancing and traffic manager provide high availability.

All of these app styles are hosted in the same infrastructure and share these benefits.

Azure Virtual Networking

Azure virtual networks provide the following key networking capabilities:

  • Isolation and segmentation: When a virtual network is set up, a private IP address space is defined using either public or private IP address ranges; it exists only within the virtual network and isn't internet routable. The address space can be further broken down into subnets. For name resolution, the built-in name resolution service or a configured DNS server (internal or external) can be used.

  • Internet communications: Incoming connections can be enabled by accessing a public IP address of an Azure resource, or through a public load balancer.

  • Communicate between Azure resources: Two ways are provided for Azure resources to communicate:

    • Virtual networks can connect not only VMs but other Azure resources, such as the App Service Environment for Power Apps, Azure Kubernetes Service, and Azure virtual machine scale sets.
    • Service endpoints can connect to other Azure resource types, such as Azure SQL databases and storage accounts. This approach enables you to link multiple Azure resources to virtual networks to improve security and provide optimal routing between resources.
  • Communicate with on-premises resources: There are three mechanisms to link resources in your on-premises environment with resources in your Azure subscription, spanning a network across the local and cloud environments.

    • Point-to-site virtual private network: A computer outside your organization initiates an encrypted VPN connection back into the corporate network to connect to the Azure virtual network.
    • Site-to-site virtual private networks: Links on-premises VPN device or gateway to the Azure VPN gateway in a virtual network.
    • Azure ExpressRoute: Dedicated private connectivity to Azure that doesn't travel over the internet. ExpressRoute is useful for environments where you need greater bandwidth and even higher levels of security.
  • Route network traffic: Traffic routing is handled by default, but it can be controlled or overridden through two methods:

    • Route tables: Define how packets are forwarded between subnets; custom routes override the default system routes.
    • Border Gateway Protocol (BGP) works with Azure VPN gateways, Azure Route Server, or Azure ExpressRoute to propagate on-premises BGP routes to Azure virtual networks.
  • Filter network traffic

    • Network security groups are Azure resources that can contain multiple inbound and outbound security rules. Rules can be defined to allow or block traffic, based on factors such as source and destination IP address, port, and protocol.
    • Network virtual appliances are specialized VMs that can be compared to a hardened network appliance. A network virtual appliance carries out a particular network function, such as running a firewall or performing wide area network (WAN) optimization.
  • Connect virtual networks: Virtual networks can be linked together by using virtual network peering. Peering allows two virtual networks to connect directly to each other. Network traffic between peered networks is private, and travels on the Microsoft backbone network, never entering the public internet.
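The "Route network traffic" and "Filter network traffic" items above describe two evaluation orders that are easy to get wrong in practice. The following is an added example, not code from the page or from Microsoft: it models how an NSG picks the first matching rule by ascending priority (with Azure's default rules 65000, 65001 and 65500 always present) and how an effective route is chosen by longest prefix, with user-defined routes beating BGP routes, which beat system routes. The service-tag prefixes, rules, routes and addresses are constructed; in particular the tag membership is a stand-in for the lists Microsoft publishes.

```python
"""Ingress and egress decisions for a VM NIC in an Azure virtual network.

Added example, not Azure code. It models two documented behaviours:
NSG rules are evaluated in ascending priority (100-4096 for custom rules),
the first match wins, and the default rules (65000, 65001, 65500) are always
present; for routing, the longest matching prefix wins and, on a tie, a
user-defined route beats a BGP route, which beats a system route.
Service-tag prefixes, rules, routes and addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed service-tag membership; the real tags are published by Microsoft.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp", "Icmp" or "*"
    source: str      # CIDR, service tag or "*"
    dest: str        # CIDR, service tag or "*"
    dest_port: str   # "443", "1000-2000" or "*"


# Default rules present in every NSG; they can only be overridden by a lower number.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def _addr_match(spec, addr):
    if spec == "*":
        return True
    return any(ip_address(addr) in ip_network(p) for p in SERVICE_TAGS.get(spec, [spec]))


def _port_match(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate_nsg(custom_rules, direction, protocol, src, dst, dst_port):
    """Return (access, rule_name) of the first matching rule, lowest priority number first."""
    candidates = [r for r in list(custom_rules) + DEFAULT_RULES if r.direction == direction]
    for rule in sorted(candidates, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol) and _addr_match(rule.source, src)
                and _addr_match(rule.dest, dst) and _port_match(rule.dest_port, dst_port)):
            return rule.access, rule.name
    raise RuntimeError("unreachable: the DenyAll default rule matches everything")


# Route origin rank used to break ties between equal-length prefixes.
ORIGIN_RANK = {"User": 0, "BGP": 1, "System": 2}


def select_route(routes, dst):
    """Pick the effective route for dst: longest prefix, then User > BGP > System."""
    target = ip_address(dst)
    matching = [r for r in routes if target in ip_network(r["prefix"])]
    if not matching:
        return None
    return max(matching, key=lambda r: (ip_network(r["prefix"]).prefixlen, -ORIGIN_RANK[r["origin"]]))


# Constructed sample: one custom rule, plus a forced-tunnelling UDR through an NVA firewall.
CUSTOM_RULES = [Rule("AllowHttpsInbound", 100, "Inbound", "Allow", "Tcp", "*", "*", "443")]
ROUTES = [
    {"prefix": "10.0.0.0/16", "origin": "System", "next_hop": "VirtualNetwork"},
    {"prefix": "0.0.0.0/0", "origin": "System", "next_hop": "Internet"},
    {"prefix": "10.10.0.0/16", "origin": "BGP", "next_hop": "VirtualNetworkGateway"},
    {"prefix": "0.0.0.0/0", "origin": "User", "next_hop": "10.0.2.4"},  # NVA in the hub subnet
]

if __name__ == "__main__":
    vm = "10.0.1.5"
    print(evaluate_nsg(CUSTOM_RULES, "Inbound", "Tcp", "203.0.113.10", vm, 443))  # ('Allow', 'AllowHttpsInbound')
    print(evaluate_nsg(CUSTOM_RULES, "Inbound", "Tcp", "203.0.113.10", vm, 22))   # ('Deny', 'DenyAllInBound')
    print(evaluate_nsg(CUSTOM_RULES, "Inbound", "Tcp", "10.0.3.7", vm, 22))       # ('Allow', 'AllowVnetInBound')
    print(select_route(ROUTES, "8.8.8.8")["next_hop"])    # 10.0.2.4: the UDR beats the system default route
    print(select_route(ROUTES, "10.0.1.9")["next_hop"])   # VirtualNetwork: the longer prefix wins
```

Two points the model makes visible: the third NSG call shows that SSH from another host in the same virtual network is allowed by the 65000 default rule unless you add an explicit lower-numbered deny, so "deny by default" holds only for traffic from outside the VNet; and the 0.0.0.0/0 user-defined route wins over the system default route only because of the origin tie-break, not because of prefix length, so a more specific system route (the VNet's own 10.0.0.0/16) still bypasses the appliance.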

Azure virtual private networks

Azure VPN Gateway instances are deployed in a dedicated subnet of the virtual network and enable the following connectivity:

  • Connect on-premises datacenters to virtual networks through a site-to-site connection.
  • Connect individual devices to virtual networks through a point-to-site connection.
  • Connect virtual networks to other virtual networks through a network-to-network connection.

All data transferred inside the private tunnel is encrypted as it crosses the internet. Each virtual network can have only one VPN gateway; however, one gateway can connect to multiple locations, including other virtual networks or on-premises datacenters.

When setting up a VPN gateway, it must be specified as either policy-based or route-based.

  • Policy-based VPN gateways: Statically specify the IP address prefixes of packets that should be encrypted through each tunnel. This type of device evaluates every data packet against those address sets to choose the tunnel the packet is sent through.
  • Route-based gateways: IPsec tunnels are modeled as a network interface or virtual tunnel interface. IP routing (either static routes or dynamic routing protocols) decides which tunnel interface to use when sending each packet. Route-based VPNs are the preferred connection method for on-premises devices, because they're more resilient to topology changes such as the creation of new subnets.

Use a route-based VPN gateway when you need:

  • Connections between virtual networks
  • Point-to-site connections
  • Multisite connections
  • Coexistence with an Azure ExpressRoute gateway

High-availability

VPN gateways are deployed as two instances in an active/standby configuration, even if you only see one VPN gateway resource in Azure.

With the introduction of support for the BGP routing protocol, you can also deploy VPN gateways in an active/active configuration.

ExpressRoute Failover

Another high-availability option is to configure a VPN gateway as a secure failover path for ExpressRoute connections. ExpressRoute circuits have resiliency built in.

Zone-redundant gateways

In regions that support availability zones, VPN gateways and ExpressRoute gateways can be deployed in a zone-redundant configuration.

Azure ExpressRoute

Azure ExpressRoute extends on-premises networks into the Microsoft cloud over a private connection called an ExpressRoute circuit, with the help of a connectivity provider.

Benefits of using Azure ExpressRoute include:

  • Connectivity to Microsoft cloud services across all regions in the geopolitical region.
  • Global connectivity to Microsoft services across all regions with the ExpressRoute Global Reach.
  • Dynamic routing between your network and Microsoft via Border Gateway Protocol (BGP).
  • Built-in redundancy in every peering location for higher reliability.

With ExpressRoute, data doesn't travel over the public internet, reducing the risks associated with internet communications. ExpressRoute is a private connection from your on-premises infrastructure to your Azure infrastructure. Even if you have an ExpressRoute connection, DNS queries, certificate revocation list checking, and Azure Content Delivery Network requests are still sent over the public internet.

Connectivity Models

ExpressRoute supports four models to connect an on-premises network to the Microsoft cloud:

  • CloudExchange colocation: Colocation refers to your datacenter, office, or other facility being physically colocated at a cloud exchange, such as an ISP. If your facility is colocated at a cloud exchange, you can request a virtual cross-connect to the Microsoft cloud.
  • Point-to-point Ethernet connection
  • Any-to-any connection: Integrate wide area network (WAN) with Azure by providing connections to your offices and datacenters.
  • Directly from ExpressRoute sites: Connect directly into Microsoft's global network at one of the peering locations distributed across the world. ExpressRoute Direct provides dual 100 Gbps or 10 Gbps connectivity, which supports Active/Active connectivity at scale.

Azure DNS

By hosting domains in Azure DNS, you can manage DNS records using the same credentials, APIs, tools, and billing as your other Azure services.

Azure DNS uses the scope and scale of Microsoft Azure to provide numerous benefits, including:

  • Reliability and performance
    • DNS domains in Azure DNS are hosted on Azure's global network of DNS name servers, providing resiliency and high availability.
    • Azure DNS uses anycast networking, so the closest available DNS server answers each DNS query, providing fast performance.
  • Security
    • Azure DNS is based on Azure Resource Manager, which provides features such as Azure role-based access control (Azure RBAC), activity logs, resource locking.
  • Ease of Use: Integrated in the Azure portal and uses the same credentials, support contract, and billing as your other Azure services.
  • Customizable virtual networks: Supports private DNS domains
  • Alias records: Supports alias record sets, which can refer to an Azure resource, such as an Azure public IP address, an Azure Traffic Manager profile, or an Azure Content Delivery Network (CDN) endpoint.

Azure Storage Account

A storage account provides a unique namespace for your storage data, which can be accessed securely from anywhere in the world over HTTP or HTTPS.

Account Types

The account type determines the available storage services and redundancy options, and so affects the use cases.

  • Standard general-purpose v2

    • Supported services: Blob Storage (including Data Lake Storage), Queue Storage, Table Storage, Azure Files
    • Redundancy Options: LRS, GRS, RA-GRS, ZRS, GZRS, RA-GZRS
    • Usage: Standard storage account type for blobs, file shares, queues, and tables. Recommended for most scenarios using Azure Storage. If you want support for network file system (NFS) in Azure Files, use the premium file shares account type.
  • Premium block blobs

    • Supported services: Blob Storage (including Data Lake Storage)
    • Redundancy Options: LRS, ZRS
    • Usage: Premium storage account type for block blobs and append blobs. Recommended for scenarios with high transaction rates or that use smaller objects or require consistently low storage latency.
  • Premium file shares

    • Supported services: Azure Files
    • Redundancy Options: LRS, ZRS
    • Usage: Premium storage account type for file shares only. Recommended for enterprise or high-performance scale applications. Use this account type if you want a storage account that supports both Server Message Block (SMB) and NFS file shares.
  • Premium page blobs

    • Supported services: Page blobs only
    • Redundancy Options: LRS
    • Usage: Premium storage account type for page blobs only.

Users access the storage data through an endpoint name formed from the account name and the Azure Storage service endpoint.

  • Blob Storage: https://<storage-account-name>.blob.core.windows.net
  • Data Lake Storage Gen2: https://<storage-account-name>.dfs.core.windows.net
  • Azure Files: https://<storage-account-name>.file.core.windows.net
  • Queue Storage: https://<storage-account-name>.queue.core.windows.net
  • Table Storage: https://<storage-account-name>.table.core.windows.net

Storage Redundancy

The redundancy option is a tradeoff between cost and availability. Factors to consider include:

  • Replication strategy within the primary region. Azure Storage offers two options for data replication in the primary region:

    • Locally redundant storage (LRS)
      • Replicates data three times within a single datacenter in the primary region.
      • Provides at least 11 nines of durability of objects over a given year.
      • Lowest-cost redundancy option and offers the least durability.
      • Doesn't protect against a datacenter-wide disaster; where that matters, zone-redundant storage (ZRS), geo-redundant storage (GRS), or geo-zone-redundant storage (GZRS) are recommended.
    • Zone-redundant storage (ZRS)
      • Replicates Azure Storage data synchronously across three Azure availability zones in the primary region (where availability zones are available).
      • Provides at least 12 nines of durability over a given year.
      • Suitable for scenarios that require high availability, or to meet data governance requirements by keeping redundant data within a country or region.
  • Replication at a second region

    • Data in the secondary region isn't available for read or write access by default, unless there's a failover to the secondary region.
    • Enable read-access geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS) to read from the secondary region.
    • Azure Storage offers two options for copying your data to a secondary region:
      • Geo-redundant storage (GRS)
        • Similar to running LRS in two regions
        • Copies data synchronously three times within a single physical location in the primary region, then copies it asynchronously to a single physical location in the secondary region
        • Provides at least 16 nines of durability over a given year.
      • Geo-zone-redundant storage (GZRS)
        • Similar to running ZRS in the primary region and LRS in the secondary region.
        • Provides at least 16 nines of durability over a given year.
        • Suitable for maximum consistency, durability, availability, performance, and resilience for disaster recovery
  • Read access to the replicated data in the secondary region if the primary region becomes unavailable.

Recovery Point Objective (RPO)

Data is replicated to the secondary region asynchronously, so writes made to the primary region after the last write replicated to the secondary might be lost if a failure affects the primary region. That interval is the recovery point objective (RPO): it indicates the point in time to which data can be recovered.

Azure Storage typically has an RPO of less than 15 minutes, although there's currently no SLA on how long it takes to replicate data to the secondary region.

Azure Storage Services

Azure Storage services offer the following benefits:

  • Durable and highly available.
  • Secure: All data written to an Azure storage account is encrypted by the service with fine-grained access control.
  • Scalable
  • Managed: Azure handles hardware maintenance, updates, and critical issues
  • Accessible: Data in Azure Storage is accessible from anywhere in the world over HTTP or HTTPS.

The Azure Storage platform includes the following data services:

  • Azure Blobs

    • A massively scalable object store for text and binary data, including support for big data analytics through Data Lake Storage Gen2.

    • Suitable for massive amounts of data in any file format

    • Ideal for distributed access, storing data for backup/restore and disaster recovery, storing data for analysis by an on-premises or Azure-hosted service, etc.

    • Different access tiers are available to store data in the most cost-effective manner. The available access tiers are:

      | Characteristic             | Hot            | Cool              | Cold           | Archive           |
      |----------------------------|----------------|-------------------|----------------|-------------------|
      | Access frequency           | Frequent       | Infrequent        | Infrequent     | Rare              |
      | Minimum storage duration   | None           | 30 days           | 90 days        | 180 days          |
      | Example use case           | Website images | Customer invoices | Older data     | Long-term backups |
      | Available at account level | Yes            | Yes               | Yes            | No                |
      | Available at blob level    | Yes            | Yes               | Yes            | Yes               |
      | Availability               | Highest        | Slightly lower    | Slightly lower | Offline           |
      | Durability                 | High           | High              | High           | High              |
      | Storage costs              | Highest        | Lower             | Lower          | Lowest            |
      | Access/retrieval costs     | Lowest         | Higher            | Higher         | Highest           |
      | Latency                    | Lowest         | Similar to Hot    | Similar to Hot | Hours             |
      | Throughput                 | Highest        | Similar to Hot    | Similar to Hot | Lowest            |
  • Azure Files

    • Managed file shares for cloud or on-premises deployments that are accessible via the industry standard Server Message Block (SMB) or Network File System (NFS) protocols.
      • Azure Files file shares can be mounted concurrently by cloud or on-premises deployments.
      • SMB Azure file shares are accessible from Windows, Linux, and macOS clients.
      • NFS Azure Files shares are accessible from Linux or macOS clients.
      • SMB Azure file shares can be cached on Windows Servers with Azure File Sync for fast access near where the data is being used.
    • Benefits
      • Shared access: Supports industry standard SMB and NFS protocols
      • Fully managed: Azure file shares can be created without the need to manage hardware or an OS.
      • Scripting and tooling: PowerShell cmdlets and Azure CLI can be used to create, mount, and manage Azure file shares as part of the administration of Azure applications.
      • Resiliency: Built to be highly available
      • Familiar programmability: Applications running in Azure can access data in the share via file system I/O APIs.
  • Azure Queues

    • A messaging store for reliable messaging between application components.
    • Messages can be accessed from anywhere in the world via authenticated calls using HTTP or HTTPS.
    • Potentially unlimited messages can be stored (as long as space is available); each individual message can be up to 64 KB in size.
    • Commonly used to create a backlog of work to process asynchronously, for example combined with Azure Functions to trigger an action when a message is received.
  • Azure Disks

    • Block-level storage volumes for Azure VMs.
    • Conceptually the same as a physical disk but virtualized – offering greater resiliency and availability compared to a physical disk.
  • Azure Tables

    • NoSQL table option for structured, non-relational data.

Azure Data Migration Options

Azure supports both real-time migration of infrastructure, applications, and data using Azure Migrate as well as asynchronous migration of data using Azure Data Box.

Azure Migrate

  • A unified service that offers a range of tools to help assess and migrate from an on-premises environment to the cloud.
  • Available tools
    • Azure Migrate: Discovery and assessment: Discover and assess on-premises servers running on VMware, Hyper-V, and physical servers in preparation for migration to Azure.
    • Azure Migrate: Server Migration: Migrate VMware VMs, Hyper-V VMs, physical servers, other virtualized servers, and public cloud VMs to Azure.
    • Data Migration Assistant: A stand-alone tool to assess SQL Servers by helping pinpoint potential problems that might block migration. It identifies unsupported features, new features that can benefit you after migration, and the right path for database migration.
    • Azure Database Migration Service: Migrate on-premises databases to Azure VMs running SQL Server, Azure SQL Database, or SQL Managed Instances.
    • Azure App Service migration assistant: A standalone tool to assess on-premises websites for migration to Azure App Service. Use Migration Assistant to migrate .NET and PHP web apps to Azure.
    • Azure Data Box. Use Azure Data Box products to move large amounts of offline data to Azure.

Azure Data Box

  • A physical migration service that helps transfer large amounts of data.
  • Accelerates data transfer by shipping a proprietary Data Box storage device that has a maximum usable storage capacity of 80 terabytes.
  • Ideally suited to transferring data sizes larger than 40 TB, in scenarios such as migration on or off the cloud, VM farm migration, and disaster recovery.

Azure File Movement Options

While Azure Migrate and Azure Data Box are for large data migrations, moving or interacting with individual files or small groups of files is done with AzCopy, Azure Storage Explorer, and Azure File Sync.

  • AzCopy

    • A command-line utility to copy blobs or files to or from a storage account. It supports uploading files, downloading files, copying files between storage accounts, and synchronizing files. With the right configuration it can also move files between different cloud providers.
    info

    Synchronizing blobs or files with AzCopy is one-direction synchronization. It doesn't synchronize bi-directionally based on timestamps or other metadata.

  • Azure Storage Explorer

    • A standalone app to manage files and blobs in your Azure Storage Account. It uses AzCopy on the backend to perform all of the file and blob management tasks.
  • Azure File Sync

    • A tool that lets you centralize your file shares in Azure Files while keeping the flexibility, performance, and compatibility of a Windows file server. It's almost like turning your Windows file server into a miniature content delivery network. Once installed on the local Windows server, it automatically stays bi-directionally synced with your files in Azure.

    • Supports any protocol that's available on Windows Server to access data locally, including SMB, NFS, and FTPS.

    • Use as many caches as needed across the world.

    • Replace a failed local server by installing Azure File Sync on a new server in the same datacenter.

    • Configure cloud tiering so the most frequently accessed files are replicated locally, while infrequently accessed files are kept in the cloud until requested.

Azure Directory Services

Microsoft Entra ID

Microsoft Entra ID is a cloud-based, globally available identity and access management service that enables users to sign in and access both Microsoft cloud applications and cloud applications that you develop. Microsoft Entra ID can also help you maintain your on-premises Active Directory deployment.

When you secure identities on-premises with Active Directory, Microsoft doesn't monitor sign-in attempts. When you connect Active Directory with Microsoft Entra ID, Microsoft can help protect you by detecting suspicious sign-in attempts at no extra cost. For example, Microsoft Entra ID can detect sign-in attempts from unexpected locations or unknown devices.

Microsoft Entra ID provides functions such as:

  • Authentication
  • Single sign-on
  • Application management
  • Device management

Microsoft Entra ID can be connected to an on-premises AD by using Microsoft Entra Connect. Microsoft Entra Connect synchronizes changes between both identity systems, so you can use features like SSO, multifactor authentication, and self-service password reset under both systems.

Microsoft Entra Domain Service

Microsoft Entra Domain Services is a service that provides managed domain services such as domain join, group policy, Lightweight Directory Access Protocol (LDAP), and Kerberos/NTLM authentication. Users get the benefit of domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.

A Microsoft Entra Domain Services managed domain lets you run legacy applications in the cloud that can't use modern authentication methods, or where you don't want directory lookups to always go back to an on-premises AD DS environment.

Microsoft Entra Domain Services integrates with your existing Microsoft Entra tenant, and allows users to sign in to services and applications connected to the managed domain using their existing credentials.

A unique namespace, aka the domain name, is defined when a Microsoft Entra Domain Services managed domain is created. Two Windows Server domain controllers are then deployed into your selected Azure region. This deployment of DCs is known as a replica set.

You don't need to manage, configure, or update these DCs. The Azure platform handles the DCs as part of the managed domain, including backups and encryption at rest using Azure Disk Encryption.

A managed domain is configured to perform a one-way synchronization from Microsoft Entra ID to Microsoft Entra Domain Services. You can create resources directly in the managed domain, but they aren't synchronized back to Microsoft Entra ID.

Azure Active Directory Sync Topology

Azure Authentication Methods

Azure supports multiple authentication methods, including standard passwords, single sign-on (SSO), multifactor authentication (MFA), and passwordless.

  • SSO
    • Only as secure as the initial authenticator because the subsequent connections are all based on the security of the initial authenticator.
  • Multifactor Authentication
    • Provides additional security by requiring two or more elements to fully authenticate. These elements fall into three categories:
      • Something the user knows
      • Something the user has
      • Something the user is
    • Microsoft Entra multifactor authentication provides multifactor authentication capabilities.
  • Passwordless
    • Convenient and high security
    • Needs to be set up on a device before it can work
    • Three passwordless authentication options are integrated with Microsoft Entra ID:
      • Windows Hello for Business
      • Microsoft Authenticator app
      • FIDO2 security keys
  • Password
    • Convenient and low security
  • Password + 2FA
    • Inconvenient and high security

External Identities

Microsoft Entra External ID refers to all the ways you can securely interact with users outside of your organization. The following capabilities make up External Identities:

  • Business to business (B2B) collaboration: Collaborate with external users by letting them use their preferred identity to sign-in to your Microsoft applications or other enterprise applications (SaaS apps, custom-developed apps, etc.). B2B collaboration users are represented in your directory, typically as guest users.
  • B2B direct connect: Establish a mutual, two-way trust with another Microsoft Entra organization for seamless collaboration. Currently supports Teams shared channels, enabling external users to access your resources from within their home instances of Teams. B2B direct connect users aren't represented in your directory, but they're visible from within the Teams shared channel and can be monitored in Teams admin center reports.
  • Azure Active Directory business to customer (Azure AD B2C): Publish modern SaaS apps or custom-developed apps (excluding Microsoft apps) to consumers and customers, using Azure AD B2C for identity and access management.

Conditional Access

Conditional Access is a tool that Microsoft Entra ID uses to allow (or deny) access to resources based on identity signals. These signals include who the user is, where the user is, and what device the user is requesting access from.

Conditional Access is useful when you need to:

  • Require multifactor authentication (MFA) to access an application depending on the requester’s role, location, or network.
  • Require access to services only through approved client applications.
  • Require users to access your application only from managed devices.

Azure role-based access control

Azure provides built-in roles or custom-defined roles that describe common access rules for cloud resources. Each role has an associated set of access permissions that relate to that role. When you assign individuals or groups to one or more roles, they receive all the associated access permissions.

Azure RBAC is hierarchical, in that when you grant access at a parent scope, those permissions are inherited by all child scopes.

Azure RBAC uses an allow model: a role assignment grants permissions, and a role cannot take an inherited permission away (deny assignments exist, but they are created by Azure itself, for example through Azure Blueprints or managed applications, not by users). It is enforced on any action against an Azure resource that passes through Azure Resource Manager, but not at the application or data level; a role on a storage account, for instance, governs management of the account, while reading its blobs requires separate data-plane authorization. Resource Manager is a management service that provides a way to organize and secure your cloud resources.

Azure Role-Based Access Scope

Resource Manager is mainly accessed from the Azure portal, Azure Cloud Shell, Azure PowerShell, and the Azure CLI.
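The management-group facts listed earlier (one parent per management group or subscription, at most six levels below the root, 10,000 management groups per directory) and the RBAC inheritance described in this section are easiest to reason about as one tree. The following is an added example, not code from the page or from Microsoft: it models that tree, rejects hierarchies that break the stated limits, and computes the effective roles of a principal at any scope by taking the union of assignments from the scope up to the tenant root. Whether the 10,000 cap counts the root group is not stated on the page; the model counts non-root groups, which is an assumption. All tenant, subscription, resource and principal names are constructed.

```python
"""Management-group hierarchy limits and Azure RBAC scope inheritance.

Added example, not Azure's implementation. It models the rules stated in the
notes: management groups and subscriptions have exactly one parent, the
management-group tree may be at most six levels deep below the tenant root,
at most 10,000 management groups exist per directory (counted here excluding
the root group, an assumption), and a role assignment at a scope is inherited
by every child scope under the allow model. All names below are constructed.
"""
from collections import defaultdict

ROOT = "Tenant Root Group"
MAX_MG_DEPTH = 6
MAX_MG_COUNT = 10_000
# What each scope type may directly contain.
ALLOWED_CHILD = {
    "managementGroup": {"managementGroup", "subscription"},
    "subscription": {"resourceGroup"},
    "resourceGroup": {"resource"},
    "resource": set(),
}


class Hierarchy:
    def __init__(self):
        self.parent = {ROOT: None}
        self.kind = {ROOT: "managementGroup"}
        self.assignments = defaultdict(list)   # scope -> [(principal, role)]

    def mg_depth(self, mg):
        """Levels below the tenant root; the root itself is depth 0."""
        depth = 0
        while self.parent[mg] is not None:
            mg = self.parent[mg]
            depth += 1
        return depth

    def add(self, name, parent, kind):
        if name in self.parent:
            raise ValueError(f"{name!r} already exists; a node has exactly one parent")
        if kind not in ALLOWED_CHILD[self.kind[parent]]:
            raise ValueError(f"a {kind} cannot be placed under a {self.kind[parent]}")
        if kind == "managementGroup":
            if self.mg_depth(parent) + 1 > MAX_MG_DEPTH:
                raise ValueError("management-group tree would exceed six levels below the root")
            if sum(k == "managementGroup" for k in self.kind.values()) - 1 >= MAX_MG_COUNT:
                raise ValueError("directory already holds 10,000 management groups")
        self.parent[name] = parent
        self.kind[name] = kind

    def assign(self, scope, principal, role):
        if scope not in self.parent:
            raise KeyError(scope)
        self.assignments[scope].append((principal, role))

    def ancestors(self, scope):
        """The scope itself, then each parent up to the tenant root."""
        while scope is not None:
            yield scope
            scope = self.parent[scope]

    def effective_roles(self, principal, scope):
        """Union of roles granted at this scope or any ancestor; nothing at a
        child scope can remove a role inherited from above (allow model)."""
        roles = set()
        for s in self.ancestors(scope):
            roles.update(role for p, role in self.assignments[s] if p == principal)
        return roles


def build_demo():
    """Constructed tenant: root -> Contoso -> Production -> subscription -> RG -> Key Vault."""
    h = Hierarchy()
    h.add("Contoso", ROOT, "managementGroup")
    h.add("Production", "Contoso", "managementGroup")
    h.add("sub-prod-payments", "Production", "subscription")
    h.add("rg-payments-api", "sub-prod-payments", "resourceGroup")
    h.add("kv-payments", "rg-payments-api", "resource")
    h.assign("Contoso", "secops@contoso.example", "Reader")                   # flows down to every resource
    h.assign("rg-payments-api", "payments-dev@contoso.example", "Contributor")
    return h


if __name__ == "__main__":
    h = build_demo()
    print(h.effective_roles("secops@contoso.example", "kv-payments"))               # {'Reader'}
    print(h.effective_roles("payments-dev@contoso.example", "sub-prod-payments"))   # set(): scope above the assignment
```

The second call in the demo is the practical point: an assignment at a resource group grants nothing at the subscription above it, while the Reader assignment at the top-level management group reaches every Key Vault in every subscription beneath it, which is why a broad role granted high in the tree is hard to scope back down later.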

Defense-In-Depth

A defense-in-depth strategy uses a series of mechanisms to slow the advance of an attack that aims at acquiring unauthorized access to data.

Defense-in-depth can be visualized as a set of layers, with the data to be secured at the center and all the other layers functioning to protect that central data layer. Layers from the outermost to the innermost are:

  • Physical Security: First line of defense to protect computing hardware in the datacenter.
    • Provide physical safeguards against access to assets
  • Identity & Access: Controls access to infrastructure and change control.
    • Ensuring identities are secure (e.g. SSO, MFA), access is granted only to what's needed (e.g. access control), and sign-in events and changes are logged (e.g. audit and change management).
  • Perimeter: Uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
    • Use DDoS protection to filter large-scale attacks before they can affect the availability of a system for users.
    • Use perimeter firewalls to identify and alert on malicious attacks against your network.
  • Network: Limits communication between resources through segmentation and access controls.
    • Limit the network connectivity across resources and allow only what's required
    • Deny by default.
    • Restrict inbound internet access and limit outbound access where appropriate.
    • Implement secure connectivity to on-premises networks.
  • Compute: Secures access to virtual machines.
    • Secure access to virtual machines.
    • Implement endpoint protection on devices and keep systems patched and current.
  • Application: Ensure that applications are secure and free of security vulnerabilities.
    • Ensure that applications are secure and free of vulnerabilities.
    • Store sensitive application secrets in a secure storage medium.
    • Make security a design requirement for all application development.
  • Data: Controls access to business and customer data.
    • Often, regulatory requirements dictate the controls and processes that must be in place to ensure the confidentiality, integrity, and availability of the data.

Microsoft Defender for Cloud

Defender for Cloud is a monitoring tool that offers security posture management and threat protection by monitoring your cloud, on-premises, hybrid, and multicloud environments to provide guidance and notifications.

As Defender for Cloud is an Azure-native service, many Azure services are monitored and protected by default and a Log Analytics agent is automatically deployed; this does not extend to on-premises or other cloud environments.

For hybrid and multicloud environments, Microsoft Defender plans are extended to non-Azure machines with the help of Azure Arc. Cloud security posture management (CSPM) features are extended to multicloud machines without the need for any agents.

Defender for Cloud helps you detect threats across:

  • Azure PaaS services – Detect threats targeting Azure services including Azure App Service, Azure SQL, Azure Storage Account, and more data services. You can also perform anomaly detection on your Azure activity logs using the native integration with Microsoft Defender for Cloud Apps.
  • Azure data services – Automatically classify data in Azure SQL. Assessments for potential vulnerabilities across Azure SQL and Storage services, and recommendations for how to mitigate them are available.
  • Networks – Limits exposure to brute force attacks by reducing access to virtual machine ports and using just-in-time VM access. Access policies can be set on selected ports for authorized users, allowed source IP address ranges or IP addresses, and for a limited amount of time.

To protect resources running on other clouds, multiple options are available:

  • Defender for Cloud's CSPM: Agentless plan for AWS resources that abide by AWS-specific security recommendations.
  • Microsoft Defender for Containers: For EKS Linux clusters
  • Microsoft Defender for Servers: For Windows/Linux EC2 instances

Assess, Secure, and Defend

Defender for Cloud fills three vital needs as you manage the security of your resources and workloads in the cloud and on-premises:

  • Continuously assess – Know your security posture. Identify and track vulnerabilities.
  • Secure – Secure resources and services by adding policies through Azure Policy controls, and get security assessments and fix recommendations with the Azure Security Benchmark.
  • Defend – Detect and resolve threats to resources, workloads, and services.

When Defender for Cloud detects a threat in any area of your environment, it generates a security alert. Security alerts:

  • Describe details of the affected resources
  • Suggest remediation steps
  • Provide, in some cases, an option to trigger a logic app in response

Factors Affecting Cost

OpEx cost can be impacted by many factors.

  • Resource type: Including resource types, resource settings, and resource region.
  • Consumption: Pay-as-you-go is the default cloud payment model, but a reservation model is also available, which comes with a discount.
  • Maintenance: Use resource groups to keep track of resources so that none are left provisioned unintentionally.
  • Geography: Costs differ due to power, labor, and taxes in different geolocations.
  • Network Traffic: Pricing of outbound data transfers (data leaving Azure datacenters) is based on zones.
  • Subscription type
  • Azure Marketplace: Azure Marketplace lets you purchase Azure-based solutions and services from third-party vendors.

To monitor cost and savings, multiple tools are provided:

  • Total Cost of Ownership (TCO): Designed to help compare the costs for running an on-premises infrastructure compared to an Azure Cloud infrastructure.
  • Pricing Calculator: Designed to give you an estimated cost for provisioning resources in Azure.
  • Azure Advisor: Provides advice to optimize resource usage.

Cost Management Tools

Cost Management provides the ability to quickly check Azure resource costs, create alerts based on resource spend, and create budgets that can be used to automate management of resources.

  • Cost analysis: A subset of Cost Management that provides a quick visual for your Azure costs.
  • Cost alerts: Provide a single location to quickly check on all of the different alert types that may show up in the Cost Management service. The three types of alerts that may show up are:
    • Budget alerts: Triggered when spending, based on usage or cost, reaches or exceeds the amount defined in the alert condition of the budget.
    • Credit alerts: Triggered when your Azure credit monetary commitments, for organizations with Enterprise Agreements (EAs), are consumed. Credit alerts are generated automatically at 90% and at 100% of your Azure credit balance.
    • Department spending quota alerts: Triggered when department spending reaches a fixed threshold of the quota.
  • Budgets: A configured spending limit for Azure based on a subscription, resource group, service type, or other criteria.

Purpose of Tags

Resources can be managed through subscriptions, resource groups, and resource tags. Resource tags provide additional metadata that brings benefits such as:

  • Resource management: Group resources that are associated with specific workloads, environments, business units, and owners.
  • Cost management and optimization: Group resources to report on costs, allocate internal cost centers, track budgets, and forecast estimated cost.
  • Operations management: Group resources according to how critical their availability is to your business, which helps in formulating SLAs.
  • Security: Tags enable you to classify data by its security level, such as public or confidential.
  • Governance and regulatory compliance: Identify resources that align with governance or regulatory compliance requirements, such as ISO 27001.
  • Workload optimization and automation: Visualize all of the resources that participate in complex deployments.

Resource tags can be added, modified, or deleted through Windows PowerShell, the Azure CLI, Azure Resource Manager templates, the REST API, or the Azure portal. Azure Policy can be used to enforce tagging rules and conventions.

Resources don't inherit tags from subscriptions and resource groups.

Microsoft Purview

Microsoft Purview is a family of data governance, risk, and compliance solutions that helps you get a single, unified view into your data.

It provides an up-to-date view of your data landscape through automated data discovery, sensitive data classification, and end-to-end data lineage.

Two main solution areas comprise Microsoft Purview:

  • Risk and Compliance Solutions: Microsoft 365 features as a core component.
  • Unified Data Governance: Enables managing data stored in Azure, SQL and Hive databases, on-premises, and even in other clouds like Amazon S3.

Azure Policy

Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. These policies enforce different rules across your resource configurations so that those configurations stay compliant with corporate standards.

Azure Policy enables defining both individual policies and groups of related policies, known as initiatives.

Azure Policy evaluates resources and highlights those that aren't compliant with the policies, as well as preventing noncompliant resources from being created.

Azure Policies can be set at each level (resource, resource group, subscription, etc.) and are inherited.

Azure Policy comes with built-in policy and initiative definitions for Storage, Networking, Compute, Security Center, and Monitoring. In some cases, Azure Policy can automatically remediate noncompliant resources and configurations to ensure the integrity of the state of the resources.

Azure Policy also integrates with Azure DevOps by applying any continuous integration and delivery pipeline policies that pertain to the pre-deployment and post-deployment phases of your applications.

An Azure Policy initiative is a way of grouping related policies together. The initiative definition contains all of the policy definitions to help track your compliance state for a larger goal.
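The following is an added example, not Azure Policy's own code: a small evaluator written in the shape of Azure Policy definitions (an `if` block of conditions over resource fields, a `then` block with an `audit` or `deny` effect, and several policies grouped into an initiative). It shows the two behaviours the notes describe, highlighting noncompliant resources and refusing to create a resource that a deny policy matches, and, since tags are not inherited, the tag policy checks each resource's own tags. The initiative, its policy names and the sample resources are constructed; only the condition keywords (`field`, `equals`, `in`, `notIn`, `exists`, `allOf`, `anyOf`, `not`) follow the real definition language.

```python
# Added example (not Azure Policy's code): a small evaluator in the shape of
# Azure Policy definitions. The initiative, policy names and resources below
# are constructed; only the condition keywords follow the real definition language.
from typing import Any, Dict


def _field(resource: Dict[str, Any], name: str) -> Any:
    """Resolve a field reference such as 'location', 'type' or "tags['env']"."""
    if name.startswith("tags['") and name.endswith("']"):
        return resource.get("tags", {}).get(name[6:-2])
    return resource.get(name)


def condition_matches(cond: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Evaluate an Azure Policy-style condition tree against one resource document."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource)
    value = _field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


# Constructed initiative: one deny policy and one audit policy.
INITIATIVE = {
    "allowed-locations": {
        "if": {"field": "location", "notIn": ["eastus", "westeurope"]},
        "then": {"effect": "deny"},
    },
    "require-env-tag": {
        "if": {"field": "tags['env']", "exists": "false"},
        "then": {"effect": "audit"},
    },
}


def evaluate(resource: Dict[str, Any], initiative=INITIATIVE) -> Dict[str, str]:
    """Return {policy_name: effect} for every policy whose 'if' block matches,
    i.e. every policy the resource is noncompliant with."""
    return {name: p["then"]["effect"] for name, p in initiative.items()
            if condition_matches(p["if"], resource)}


def deploy(resource: Dict[str, Any], initiative=INITIATIVE) -> Dict[str, Any]:
    """Mimic Resource Manager: a matching deny effect blocks creation; audit lets
    the resource through but records the finding for the compliance view."""
    findings = evaluate(resource, initiative)
    return {"created": "deny" not in findings.values(), "findings": findings}


if __name__ == "__main__":
    # Constructed sample resource: wrong region and missing tag.
    print(deploy({"type": "Microsoft.Storage/storageAccounts", "location": "northeurope"}))
```

The difference between the two effects is the important operational point: `audit` surfaces drift without stopping anyone, whereas `deny` turns the policy into a guardrail enforced at deployment time.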

Resource Lock

A resource lock prevents resources from being accidentally deleted or changed.

Resource locks can be applied to individual resources, resource groups, or even an entire subscription and are inherited.

There are two types of resource locks: one prevents users from deleting a resource, and one prevents users from changing or deleting it (equivalent to read-only).

Resource locks apply regardless of RBAC permissions. Even if you're an owner of the resource, you must still remove the lock before you can perform the blocked activity.
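As an added example (not Microsoft's code), the toy model below shows the two lock behaviours described above: locks are inherited down the scope hierarchy, and they are evaluated after RBAC, so an Owner whose role allows the operation is still blocked until the lock is removed. `CanNotDelete` and `ReadOnly` are the real lock level names; the subscription id and resource ids are placeholders.

```python
# Added example (not Microsoft's code): how Azure resource locks are applied.
# CanNotDelete and ReadOnly are the real lock levels; scope ids are constructed.
from typing import List, NamedTuple, Tuple


class Lock(NamedTuple):
    scope: str
    level: str    # "CanNotDelete" or "ReadOnly"


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder subscription
RG = SUB + "/resourceGroups/rg-prod"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"


def effective_locks(locks: List[Lock], resource_id: str) -> List[Lock]:
    """Locks are inherited: a lock on a parent scope applies to every resource beneath it."""
    return [lk for lk in locks
            if resource_id == lk.scope or resource_id.startswith(lk.scope + "/")]


def check_operation(locks: List[Lock], resource_id: str, operation: str,
                    rbac_allowed: bool) -> Tuple[bool, str]:
    """operation is 'read', 'write' or 'delete'.

    RBAC is consulted first; then locks are applied regardless of role, so even an
    Owner (rbac_allowed=True) is blocked until the lock itself is removed.
    """
    if not rbac_allowed:
        return False, "denied by RBAC"
    if operation == "read":
        return True, "reads are not blocked by locks"
    for lock in effective_locks(locks, resource_id):
        if lock.level == "ReadOnly":
            return False, f"blocked by ReadOnly lock at {lock.scope}; remove the lock first"
        if lock.level == "CanNotDelete" and operation == "delete":
            return False, f"blocked by CanNotDelete lock at {lock.scope}; remove the lock first"
    return True, "allowed"


if __name__ == "__main__":
    locks = [Lock(RG, "CanNotDelete")]
    print(check_operation(locks, VM, "delete", rbac_allowed=True))   # blocked despite Owner rights
    print(check_operation(locks, VM, "write", rbac_allowed=True))    # allowed: lock only covers delete
```

Because removing a lock is itself a management operation, the lock does not make the resource undeletable; it inserts a deliberate extra step that turns an accidental deletion into an intentional one.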

Service Trust Portal

The Microsoft Service Trust Portal is a portal that provides access to various content, tools, and other resources about Microsoft security, privacy, and compliance practices.

Tools for interacting with Azure

Azure portal

A web-based, unified console that provides an alternative to command-line tools.

  • Build, manage, and monitor everything from simple web apps to complex cloud deployments
  • Create custom dashboards for an organized view of resources
  • Configure accessibility options for an optimal experience

Azure Cloud Shell

A browser-based shell tool that allows you to create, configure, and manage Azure resources using a shell. Azure Cloud Shell supports both Azure PowerShell and the Azure Command Line Interface (CLI), which is a Bash shell.

  • Azure PowerShell: A shell with which developers, DevOps, and IT professionals can run commands called command-lets (cmdlets), which call the Azure REST API to perform management tasks.

  • Azure CLI: Functionally equivalent to Azure PowerShell, with the primary difference being the syntax of commands. Azure CLI uses Bash commands instead of PowerShell commands.

Azure Arc

In utilizing Azure Resource Manager (ARM), Arc lets you extend your Azure compliance and monitoring to your hybrid and multi-cloud configurations.

Azure Arc provides a centralized, unified way to:

  • Manage your entire environment together by projecting your existing non-Azure resources into ARM.
  • Manage multi-cloud and hybrid virtual machines, Kubernetes clusters, and databases as if they are running in Azure.
  • Use familiar Azure services and management capabilities, regardless of where they live.
  • Continue using traditional ITOps while introducing DevOps practices to support new cloud and native patterns in your environment.
  • Configure custom locations as an abstraction layer on top of Azure Arc-enabled Kubernetes clusters and cluster extensions.

Azure Resource Manager and Azure ARM templates

Azure Resource Manager (ARM) is the deployment and management service for Azure.

ARM receives and authenticates/authorizes all requests sent from any of the Azure tools, APIs, or SDKs. Then, ARM sends the request to the Azure service, which takes the requested action.

Benefits of ARM include:

  • Manage infrastructure through declarative templates (JSON format) rather than scripts.
  • Deploy, manage, and monitor all the resources for your solution as a group, rather than handling these resources individually.
  • Redeploy your solution throughout the development life cycle with confidence that your resources end up in a consistent state.
  • Define the dependencies between resources, so they're deployed in the correct order.
  • Apply access control to all services.
  • Apply tags to resources
  • Clarify your organization's billing

Azure Advisor

Azure Advisor evaluates your Azure resources and makes recommendations to help improve reliability, security, and performance, achieve operational excellence, and reduce costs.

Azure Service Health

Azure Service Health helps you keep track of Azure resources, both your specifically deployed resources and the overall status of Azure. Azure Service Health does this by combining three different Azure services:

  • Azure Status: A broad picture of the status of Azure globally.
  • Service Health: Provides a narrower view of Azure services and regions. This is the best place to look for service impacting communications about outages, planned maintenance activities, and other health advisories because the authenticated Service Health experience knows which services and resources you currently use. Service Health alerts can be set to notify service issues, planned maintenance, or other changes that may affect the Azure services and regions you use.
  • Resource Health: A tailored view of your actual Azure resources.

Azure Monitor, Azure Monitor Alerts, Application Insights

Azure Monitor is a platform for collecting data on your resources, analyzing that data, visualizing the information, and even acting on the results.

Azure Monitor Overview

Azure Monitor Alerts are an automated way to stay informed when Azure Monitor detects a threshold being crossed.

Application Insights, an Azure Monitor feature, is capable of monitoring applications that are running in Azure, on-premises, or in a different cloud environment. There are two ways to configure Application Insights to help monitor your application. You can either install an SDK in your application, or you can use the Application Insights agent.

Application Insights monitors a broad array of information, such as:

  • Request rates, response times, and failure rates
  • Dependency rates, response times, and failure rates, to show whether external services are slowing down performance
  • Page views and load performance reported by users' browsers
  • AJAX calls from web pages, including rates, response times, and failure rates
  • User and session counts
  • Performance counters from Windows or Linux server machines, such as CPU, memory, and network usage

Azure Log Analytics

Azure Log Analytics is the tool in the Azure portal where you’ll write and run log queries on the data gathered by Azure Monitor.

Snippets

# List VMs
az vm list

# List network security group
az network nsg list \
--resource-group "learn-adf2f62f-7c17-458e-a778-5b34ea2ba5e8" \
--query '[].name' \
--output tsv

# List network security group rules
az network nsg rule list \
--resource-group "learn-adf2f62f-7c17-458e-a778-5b34ea2ba5e8" \
--nsg-name my-vmNSG \
--query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
--output table

# Create a network security group rule
# Rules are evaluated in priority order (lower number first) and the first
# matching rule wins, so priority only matters when more than one rule
# matches the same traffic (e.g. overlapping port ranges).
az network nsg rule create \
--resource-group "learn-adf2f62f-7c17-458e-a778-5b34ea2ba5e8" \
--nsg-name my-vmNSG \
--name allow-http \
--protocol tcp \
--priority 100 \
--destination-port-range 80 \
--access Allow
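To see why the priority on the rule created above matters, here is an added example (not Azure's code) that evaluates inbound traffic against NSG rules the way Azure does: rules sorted by priority, first match wins, and the default rules supplying the deny-by-default floor that the Network layer of defense-in-depth calls for. The three default inbound rules and their priorities (65000, 65001, 65500) are Azure's real defaults; the custom rules mirror the `allow-http` rule from the snippet, and source matching is simplified to service tags only (no CIDR matching).

```python
# Added example (not Azure's code): NSG inbound evaluation. Rules are sorted by
# priority (lower number first) and the first match wins; Azure's default rules
# (65000-65500, real values) sit below every custom rule so that anything not
# explicitly allowed falls through to DenyAllInBound. Source matching here is
# limited to service tags ("*", "VirtualNetwork", "AzureLoadBalancer", "Internet").
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    name: str
    priority: int          # custom rules 100-4096; Azure default rules 65000-65500
    protocol: str          # "Tcp", "Udp", "Icmp" or "*"
    dest_port_range: str   # "80", "1000-2000" or "*"
    source: str            # service tag; "*" matches any source
    access: str            # "Allow" or "Deny"


# Azure's default inbound rules; they exist on every NSG and cannot be removed.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "*", "*", "VirtualNetwork", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "*", "*", "AzureLoadBalancer", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

# Mirrors the rule created by `az network nsg rule create` in the snippet above.
ALLOW_HTTP = Rule("allow-http", 100, "Tcp", "80", "*", "Allow")


def port_in_range(port: int, rng: str) -> bool:
    """Match a destination port against "*", a single port, or "lo-hi"."""
    if rng == "*":
        return True
    lo, _, hi = rng.partition("-")
    return int(lo) <= port <= int(hi or lo)


def matches(rule: Rule, protocol: str, port: int, source: str) -> bool:
    return ((rule.protocol == "*" or rule.protocol.lower() == protocol.lower())
            and port_in_range(port, rule.dest_port_range)
            and (rule.source == "*" or rule.source == source))


def evaluate_inbound(custom_rules: List[Rule], protocol: str, port: int,
                     source: str = "Internet") -> Tuple[str, bool]:
    """Return (name of the first matching rule in priority order, whether it allows)."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if matches(rule, protocol, port, source):
            return rule.name, rule.access == "Allow"
    raise AssertionError("unreachable: DenyAllInBound matches all traffic")


if __name__ == "__main__":
    print(evaluate_inbound([ALLOW_HTTP], "tcp", 80))    # ('allow-http', True)
    print(evaluate_inbound([ALLOW_HTTP], "tcp", 443))   # ('DenyAllInBound', False)
```

The useful check when auditing an NSG is the overlap case: a `Deny` rule for port 80 at priority 200 changes nothing while `allow-http` sits at 100, but the same deny at a lower number than the allow wins. Listing rules with the `--query` and `--output table` snippet above in priority order is the quickest way to spot such shadowed rules.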

Resource