Azure has 200+ services
Before cloud technology, when an application reached its peak load the solution used was
PEAK LOAD PROVISIONING: procure (buy) infrastructure for the peak load
Azure is one of the leading cloud service providers
DATA CENTER :
Thousands of servers : a typical enterprise has thousands of servers running different applications
All these servers need to be secured and managed
Data center is a facility used to house an organization's IT operations and equipment
Centralized security measures to protect data and infrastructure
Streamlined management and maintenance of IT resources
Regions and Az(Availability Zone) :
EX : imagine that your application is deployed in a data center in London
challenge 1: slow access for users from other parts of the world (high latency) (ex: Chennai, Mumbai, New York, …)
challenge 2: what if the data center crashes ? your application goes down (low availability)
Solution : add data centers in multiple regions so that both challenges (slow access, low availability) are handled
Regions in Azure :
Azure provides 60+ regions around the world
Region : a specific geographical location where you host your resources
Major advantages of regions : high availability, low latency, global footprint, adherence to government regulations
Availability Zones in Azure :
Azure provides multiple AZs (3) in a region
Each AZ is one or more discrete data centers
Each AZ has independent and redundant power, networking & connectivity
AZs in a region are connected through low-latency links
Increased availability and fault tolerance within the same region : survive the failure of a complete data center
Not all Azure regions have availability zones
VIRTUALIZATION :
Physical server : CPU(s) + Memory + Storage
Early Days : One Application on One Physical server
Underutilized resources : inefficiency and higher costs
Virtualization was introduced to make better use of physical servers
Virtualization : use software(Hypervisor) to run multiple Virtual Machines(VMs) on a single physical server
Improved resource utilization by sharing hardware resources
Easily create , modify , and move VMs to meet changing demands
Virtualization and Cloud Computing : virtualization is the foundation of cloud services like AWS, Azure, Google Cloud
AZURE VIRTUAL MACHINES :
In corporate data centers applications are deployed to physical servers
In the cloud, where are the applications deployed ?
In the cloud, applications are deployed on rented virtual servers
Virtual Machines – virtual servers in Azure
Azure Virtual Machines – provision & manage virtual machines
Features of AZ VM :
Create and manage the lifecycle of VM instances
Load balancing and auto scaling for multiple VM instances
Attach storage to your VM instances
Manage network connectivity and configuration for your VM instances
Our Goal :
Setup VM instances as HTTP(web) server
Distribute load with Load Balancers
Azure VM – Key Concepts
| Feature | Explanation |
|---|---|
| Image | Choose operating system and software |
| VM family | Choose the right family of hardware (General purpose, or Compute/Storage/Memory optimized, or GPU, or HPC) |
| VM Size (B1s, B2s…) | Choose the right quantity of hardware (ex: 2 vCPUs, 4GB of memory) |
| Disks | Attach virtual disks to the VM (block storage) |
USEFUL COMMANDS :
sudo su – execute commands as the root user
apt-get -y update – update the package index – pull the latest changes from the repositories
apt-get -y install nginx – install and start the nginx web server
echo "Hello World" > /var/www/html/index.html – write to index.html
$(hostname) – get the host name
$(hostname -I) – get the host's internal IP address
AVAILABILITY :
99.99% availability is also called four 9's availability
INCREASING AVAILABILITY FOR AZURE VMs :
Single Instance VM :
Premium SSD or Ultra Disk : 99.9%
Standard SSD Managed Disks : 99.5%
Standard HDD Managed Disks : 95%
Two or more instances in the same Availability Set : 99.95%
Availability set is a logical grouping of VMs
Fault domains : group of VMs sharing a common power source and network switch
Update domains : group of VMs that are rebooted (updated) at the same time
Two or more instances in two or more AZs in the same Azure region : 99.99%
Summary : create multiple instances in multiple AZs if you want high availability
VM Scale Sets :
To simplify the creation and management of multiple VMs, use VM scale sets
Allow you to create and manage a group of Azure VMs
Provide high availability to your application
(Optional) add a load balancer
(Optional) distribute VM instances across multiple AZs (where available)
Supports manual scaling and auto scaling
Supports up to 1,000 VM instances
Azure VM Features :
| Feature | Explanation |
|---|---|
| Static IP address | Assign a fixed IP address to your VM; public IP addresses are charged per IP per hour |
| Azure Monitoring | Monitoring for your Azure VMs |
| Dedicated Hosts | Physical servers dedicated to one customer |
| Azure spot instances | Create cheaper, temporary instances for non-critical workloads |
| Reserved VM instances (1 or 3 years) | Reserve compute instances ahead of time |
Designing Good Solutions With VMs :
Availability – are the applications available when your users need them ? – Availability sets and Scale sets
Scalability – can we handle growth in users, traffic or data size without any drop in performance ? – VM size, scale sets and load balancers
Resilience – ability of a system to provide acceptable behavior even when one or more parts of the system fail – scale sets and load balancers
Geo-distribution – distribute applications across regions and zones – scale sets and load balancers
Disaster recovery – how to keep your system running in face of disasters? – site recovery
Managing Costs – you want to keep cost low – auto scaling(elasticity),reservations, spot instances
Security – secure your VMs – dedicated Hosts,(More to come…)
There are two types of Scalability
Vertical Scaling :
Deploying application/database to a bigger instance :
A larger hard drive
A faster CPU
More RAM , CPU , I/O , or networking capabilities
In Azure : we can increase VM size
There are limits to vertical scaling; that is why we go for horizontal scaling, the other type of scaling
Horizontal Scaling :
Deploying multiple instances of application/database
Typically, but not always, horizontal scaling is preferred to vertical scaling
Vertical scaling has limits
Vertical scaling can be expensive
Horizontal scaling increases availability
But horizontal scaling needs additional infrastructure
Scale sets, load balancers etc..
Azure VM – Scenarios :
| Scenario | Solution |
|---|---|
| How can you automatically scale up and scale down VMs? | VM Scale Sets |
| How can you protect VMs from datacenter failures? | Deploy them to multiple AZs (scale sets) |
| How much availability do you get by deploying two or more VM instances in two or more AZs in the same region? | 99.99% |
| How can you perform disaster recovery for your VMs? | Site Recovery |
| How can you reduce costs for your VMs? | Auto scaling (elasticity), reserved & spot instances, right region – cost varies from region to region |
| Will you be billed if you stop a VM? | Yes, for storage |
| Will two VMs of the same size always cost the same? | No, price changes with time; price is also different in different regions |
| How can you know who performed a specific action on | Activity logs (kept for 90 days) |
Managed Services :
IAAS – Infrastructure as a Service
PAAS – Platform as a Service
SAAS – Software as a Service
Serverless
IAAS (Infrastructure as a Service) :
Use only infrastructure from cloud provider
EX : using VM to deploy your applications or databases
You are responsible for :
Application code and runtime
Configuring load balancing
Auto scaling
OS upgrades and patches
Availability
PAAS (Platform as a Service) :
Use a platform provided by the cloud provider
Cloud provider is responsible for :
OS(incl. upgrades and patches)
Application Runtime
Auto scaling, availability & load balancing etc..
You are responsible for :
Configuration(of application and services)
Application code(if needed)
Examples :
Azure app service
Databases – relational & NoSQL (Amazon RDS, Google Cloud SQL, Azure SQL Database etc)
AZURE APP SERVICE :
Fully managed platform for building , deploying and scaling your web apps
Also supports REST APIs, and mobile back ends
Natively supports .NET, .NET Core, Node.js, Java, Python and PHP
Choose an App Service plan : defines a set of compute resources for a web app
Features :
Automated deployment and management
Auto scaling
Built-in load balancing
MICROSERVICES :
Enterprises are heading towards microservices architectures
Build small focused microservices
Flexibility to innovate and build applications in different programming languages (Go, Java, Python, JavaScript, etc)
But deployments become complex
How can we have one way of deploying Go, Java and JavaScript microservices ?
Enter containers
Containers – Docker :
Create Docker images for each microservice
Docker image has everything a microservice needs :
Application Runtime (JDK or Python or NodeJS)
Application code and Dependencies
VMs virtualize Hardware while containers virtualize OS
Runs the same way on any infrastructure :
Your local machine
Corporate data center
Cloud
Advantages :
Docker containers are lightweight compared to virtual machines, as they do not have a guest OS
Docker provides isolation for containers
Docker is cloud neutral
AZURE CONTAINER INSTANCES :
Manage and run simple container-based applications
You do not need to provision and manage VMs
Start containers in seconds
Azure app service also supports deploying simple containers
CONTAINER ORCHESTRATION :
Requirement : I want 10 instances of the Microservice A container, 15 instances of the Microservice B container etc..
Typical Features :
Auto scaling : scale containers based on demand
Service discovery : help microservices find one another
Load balancing : distribute load among multiple instances of a microservice
Self healing : do health checks and replace failing instances
Zero downtime deployments : release new versions without downtime
CONTAINER ORCHESTRATION – AKS AND SERVICE FABRIC :
Using a container orchestrator :
Create a cluster
Deploy & orchestrate microservices
Azure Services :
Azure Kubernetes service : managed Kubernetes service
Azure Service Fabric : Microsoft’s container orchestrator
SERVERLESS :
Serverless does not mean No Servers
You don’t worry about infrastructure(ZERO visibility into infrastructure)
Flexible scaling and automated high availability
Most important : Pay for Use
Ideally ZERO REQUESTS => ZERO COST
You focus on code and the cloud managed service takes care of all that is needed to scale your code to serve millions of requests
And you pay for requests and NOT servers
AZURE FUNCTIONS :
You don’t worry about servers or scaling or availability
You only worry about your code
You pay for what you use
Number of requests
Duration of requests
Memory consumed
Supports C#, Python, JS, TypeScript and Java
SAAS (SOFTWARE AS A SERVICE) :
Centrally hosted software(mostly on the cloud)
Offered on a subscription basis (pay as you go)
EX : email , calendaring & office tools (such as Outlook 365 , Microsoft Office 365 , Gmail , Google Docs)
Customer relationship management (CRM) , enterprise resource planning (ERP) and document management tools
Cloud provider is Responsible for :
OS(incl. upgrades and patches)
Application runtime
Auto scaling , availability & load balancing etc..
Application code and/or
Application configuration(how much memory ? how many instances?..)
Customer is responsible for :
Configuring the software
STORAGE :
Storage Types – Block , File , Object …
What is the type of storage of your hard disk?
Block storage
You've created a file share to share a set of files with your colleagues in an enterprise. What type of storage are you using ?
File storage
You want to be able to upload/download objects using a REST API without mounting them on your VM. What type of storage are you using ?
Object storage
AZURE STORAGE :
Managed cloud storage solution
Highly available, durable and massively scalable (up to a few petabytes)
Core storage services :
Azure Disks : block storage (hard disks) for Azure VMs
Azure Files : file shares for cloud and on-premises
Azure Blobs : object store for text and binary data
Azure Queues : decouple applications using messaging
Azure Tables : NoSQL store (very basic), prefer Azure Cosmos DB for NoSQL
Pre-requisite : a storage account is needed for Azure Files, Azure Blobs, Azure Queues and Azure Tables
EXPLORING READ ACCESS STORAGE REDUNDANCY OPTIONS :
Geo-redundant storage (GRS or GZRS) : replicates data to a secondary region
However it allows read/write access to the secondary only after a failover
Read access storage redundancy : what if you need read access to the data in the secondary region all the time ?
Two options :
RA-GRS : read access geo redundant storage
RA-GZRS : read access geo zone redundant storage
REGION PAIRS :
Data copies across regions => high availability + high durability
Azure makes it easy to distribute data across regions(while retaining data in same geography) through region pairs
Ex : central india & south india , east US & west US etc..
Azure Storage ex : if you use geo-redundant storage and choose East US as the region
3 copies stored in East US and 3 copies in the corresponding paired region – West US
Access data from the primary region (East US)
Option to fail over to the secondary region (West US) if the primary region is NOT available
Region pairs have a very fast data connection
Azure tries to ensure that both regions(in a region pair) do NOT have problems at the same time
For EX : software updates are done one region at a time
PREMIUM STORAGE ACCOUNT : FOR HIGH PERFORMANCE :
Standard General-Purpose Storage Account : recommended for most scenarios
High Performance : what if you need very high performance ?
Premium storage account : uses solid state drives (SSD) for low latency and high throughput
Constraint : fewer redundancy options(LRS,ZRS)
Supported premium account types :
Premium block blobs : blob storage , data lake storage
Premium file shares : supporting both SMB and NFS file shares
Premium page blobs
BLOCK STORAGE :
Use case : hard disks attached to your computers
Typically ONE Block storage device can be connected to one virtual server
However you can connect multiple different block storage devices to one virtual server
AZURE DISKS STORAGE :
Disk Storage : Disks for Azure VMs
Types :
Standard HDD : recommended for backup , non critical , infrequent access
Standard SSD : recommended for web servers , lightly used enterprise applications and dev/test environments
Premium SSD disks : recommended for production and performance sensitive workloads
Ultra disks (SSD) : recommended for IO-intensive workloads such as SAP HANA, top tier databases (ex SQL, Oracle) and other transaction-heavy workloads
Premium and Ultra provide very high availability
Managed vs Unmanaged Disks :
Managed disks are easy to use :
Azure handles the storage
High fault tolerance and availability
Unmanaged disks are old and tricky (avoid them if you can)
You need to manage the storage and the storage account
Disks are stored in containers (NOT Docker containers, completely unrelated)
AZURE FILES :
Media workflows need huge shared storage for things like video editing
Enterprise users need a quick way to share files in a secure & organized way
Azure Files :
Managed file shares
Connect from multiple devices concurrently :
From cloud or on-premises
From different OS : Windows, Linux and macOS
Supports Server Message Block (SMB) and Network File System (NFS) protocols
Use case : shared files between multiple VMs (ex : configuration files)
AZURE FILE SYNC :
Windows file server : create file shares on-premises
Azure Files : create file shares on Azure
Storing files in Azure Files is cheaper & easier to manage BUT Windows file server provides flexible connectivity options to on-premises apps and users
How about keeping the connectivity to file shares for on-premises apps and resources while storing the files in Azure Files ?
Azure File Sync : file shares created in Azure Files, while retaining the flexibility and compatibility of Windows file server
Option : keep a cache of frequently accessed files or have a full local copy
Supports multiple protocols : SMB, NFS, and FTPS
Advantages : cheaper, easier to manage and can be used as a cloud-side backup (business continuity and disaster recovery)
AZURE BLOB STORAGE – ACCESS TIERS :
Different kinds of data can be stored in blob storage
Media files , website static content
Backup of your databases or storage devices
Long term archives
Huge variations : in access patterns
Access tiers :
Hot : store frequently accessed data
Cool : infrequently accessed data stored for min. 30 days
Cold : infrequently accessed data stored for min. 90 days
Archive : rarely accessed data stored for min. 180 days
Complete Flexibility : change the access tiers of an object at any time to optimize cost and performance
Blob Level Configuration : Access tiers can be set at the blob level during or after upload
Storage Account Default Access Tier : can be Hot or Cool
Remember the Cold and Archive access tiers aren't available as options for this setting
Archive tier : lowest storage cost BUT highest access cost
Access latency : in hours
To access : rehydrate (change the access tier) OR
Copy to another blob with a changed access tier
AZURE STORAGE EXPLORER :
Azure storage explorer : manage azure storage resources from desktop
Free tool : supported on windows , macOS and linux
Integrates with :
Azure Storage blobs, files, queues and tables
Azure Data Lake Storage
Azure managed disks
Features : upload, download files, manage permissions
Extension available : Data Factory extension – move data from AWS S3 to Azure Storage
Very similar to Storage Explorer and Storage Browser on the Azure portal
AzCopy (alternative) : command line utility
Copy files from the local machine or other cloud storage to Azure Storage
Remember Azure Storage Explorer uses AzCopy in the background
Use Azure Storage Explorer if you prefer a GUI
Use AzCopy if you like the command line or you want to automate
AZURE DATABASE FUNDAMENTALS :
Databases provide organized and persistent storage for your data
To choose between different database types we need to understand
Availability, durability, RTO, RPO, consistency, transactions etc
Database – Snapshots :
Let's automatically take a copy of the database (take a snapshot) every hour to another data center
Database – Transaction Logs :
Let's add transaction logs to the database and create a process to copy them over to the second data center
Database – Add a Standby :
Let's add a standby database in the second data center with replication
AVAILABILITY AND DURABILITY :
Availability :
Will I be able to access my data now and when I need it?
Percentage of time an application provides the operations expected of it
Durability :
Will my data be available after 10 or 100 or 1000 years?
Example of measuring availability and durability :
4 9's – 99.99%
11 9's – 99.999999999%
Typically an availability of four 9’s is considered very good
Typically a durability of eleven 9’s is considered very good
DURABILITY :
What does a durability of 11 9's mean?
If you store one million files for ten million years you would expect to lose one file
Why should durability be high ?
Because we hate losing data
Once we lose data it is gone
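Worked example added here (not from these notes): it turns the SLA percentages quoted in the VM availability section into yearly downtime budgets and, under a simple independent-failure model, compares two instances in one data center with one instance in each of two zones. The 99.95% data-center figure used in compare_layouts is an assumed illustration value, and the model is not how Microsoft derives its SLAs.

```python
"""Availability arithmetic for the SLA figures quoted in these notes.

Added example, not part of the original notes. The figures 99.9 / 99.95 / 99.99
come from the notes; the single-data-center availability used below is an
assumed value for illustration, and the independent-failure model is a
simplification, not the method Microsoft uses to derive its SLAs.
"""
from math import prod

MINUTES_PER_YEAR = 365 * 24 * 60


def downtime_budget_minutes(sla_percent, period_minutes=MINUTES_PER_YEAR):
    """Maximum downtime per period permitted by an availability SLA."""
    return (100 - sla_percent) / 100 * period_minutes


def pool_availability(instance_percent, instances, shared_percent=100.0):
    """Availability of a load-balanced pool that serves traffic while at least one
    instance is up AND the dependency shared by all instances (for example the one
    data center they all sit in) is up.  Failures are assumed independent."""
    p_all_instances_down = (1 - instance_percent / 100) ** instances
    return shared_percent * (1 - p_all_instances_down)


def multi_zone_availability(zone_percents):
    """Availability when the application survives as long as any one zone's pool
    is up (zone failures assumed independent)."""
    p_all_zones_down = prod(1 - z / 100 for z in zone_percents)
    return 100 * (1 - p_all_zones_down)


def compare_layouts(instance_percent=99.9, data_center_percent=99.95):
    """Worked comparison of the layouts discussed in the notes.

    Returns a dict of layout name -> availability percent.  Note how adding a
    second instance in the same data center is capped by the data center's own
    availability, while a second zone removes that shared dependency."""
    single = pool_availability(instance_percent, 1, data_center_percent)
    two_same_dc = pool_availability(instance_percent, 2, data_center_percent)
    per_zone = pool_availability(instance_percent, 1, data_center_percent)
    two_zones = multi_zone_availability([per_zone, per_zone])
    return {
        "1 instance, 1 data center": single,
        "2 instances, 1 data center": two_same_dc,
        "1 instance in each of 2 zones": two_zones,
    }


if __name__ == "__main__":
    for sla in (99.9, 99.95, 99.99):
        print(f"{sla}% -> {downtime_budget_minutes(sla):.1f} min/year")
    for layout, pct in compare_layouts().items():
        print(f"{layout}: {pct:.5f}%")
```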
INCREASING AVAILABILITY AND DURABILITY OF DATABASES :
Increasing Availability :
Have multiple standbys available OR distribute the database
In multiple zones
In multiple regions
Increasing Durability :
Multiple copies of data ( standbys, snapshots ,transaction logs and replicas)
In multiple zones
In multiple regions
Replicating data comes with its own challenges
RPO – Recovery Point Objective – Maximum acceptable period of data loss
RTO – Recovery Time Objective - Maximum acceptable downtime
Achieving minimum RTO and RPO is expensive
CONSISTENCY :
How do you ensure that data in multiple database instances (standbys and replicas) is updated simultaneously ?
Strong consistency : synchronous replication to all replicas; will be slow if you have multiple replicas or standbys
Eventual consistency – asynchronous replication; a little lag (a few seconds) before the change is available in all replicas
In the intermediate period different replicas might return different values
Used when scalability is more important than data integrity
Ex : social media posts, Facebook status messages, Twitter tweets, LinkedIn posts
Read-after-Write consistency : inserts are immediately available
However updates would have eventual consistency
RELATIONAL DATABASES :
This was the only option until a decade ago
Most popular (or unpopular) type of database
Predefined schema with tables and relationships
Very strong transactional capabilities, used for :
OLTP – Online Transaction Processing use cases and
OLAP – Online Analytics Processing use cases
Relational Database – OLTP (Online Transaction Processing)
Applications where a large number of users make a large number of small transactions
Small data reads, updates and deletes
Use cases : most traditional applications – ERP, CRM , e-commerce , banking
Popular databases : MySQL, Oracle , SQL Server etc…
Recommended Azure Managed Services :
Azure SQL Database : Managed Microsoft SQL Server
Azure Database for MySQL : Managed MySQL
Azure Database for PostgreSQL : Managed PostgreSQL
AZURE SQL DATABASE :
Fully managed service for Microsoft SQL Server
99.99% availability
Built-in high availability , automatic updates and backups
Flexible and responsive serverless compute
Hyperscale (up to 100 TB) storage
AZURE MYSQL DATABASE :
Fully managed , scalable MySQL database
Supports 5.6 , 5.7 and 8.0 community editions of MySQL
99.99% availability
Choose single zone or zone redundant high availability
Automatic updates and backups
Typically used as part of LAMP (Linux , Apache , MySQL , PHP/Perl/Python) stack
AZURE DATABASE FOR POSTGRESQL :
Fully managed , intelligent and scalable PostgreSQL
99.99% availability
Choose single zone or zone redundant high availability
Automatic updates and backups
Single server and Hyperscale Options
Hyperscale : scale to hundreds of nodes and execute queries across multiple nodes
RELATIONAL DATABASE – OLAP VS OLTP :
OLAP and OLTP use similar data structures
But very different approach in how data is stored
OLTP DATABASES use row storage
Each table row is stored together
Efficient for processing small transactions
OLAP DATABASES use column storage
Each table column is stored together
High compression – store petabytes of data efficiently
Distribute data – one table in multiple cluster nodes
Execute single query across multiple nodes – complex queries can be executed efficiently
NOSQL DATABASES :
New approach (actually NOT so new!) to building your databases
NoSQL = not only SQL
Flexible schema
Structure data the way your application needs it
Let the schema evolve with time
Horizontally scale to petabytes of data with millions of TPS
Not a 100% accurate generalization but a great starting point :
Typical NoSQL databases trade off Strong consistency and SQL features to achieve scalability and high performance
Azure managed service :
Azure cosmos DB
AZURE COSMOS DB :
Fully managed NoSQL database service
Global database : automatically replicates data across multiple Azure regions
Schemaless , single digit millisecond response times
99.999% availability
Automatic scaling (serverless)
Supports APIs for MongoDB (document), Cassandra (key/value) and Gremlin (graph)
IN MEMORY DATABASES :
Retrieving data from memory is much faster than retrieving data from disk
In-memory databases like Redis deliver microsecond latency by storing persistent data in memory
Recommended Azure Managed Service
Azure Cache for Redis
Use Cases : caching , session management , gaming leader boards , geospatial applications
AZURE VIRTUAL NETWORK :
Your own isolated network in Azure
Network traffic within a virtual network is isolated (not visible) from all other azure virtual networks
Each virtual network is created in a Region
You control all the traffic coming in and going outside a virtual network
Best practice – create all your Azure resources (compute, storage, databases etc) within a virtual network
Secure resources from unauthorized access and enable secure communication between your cloud resources
Need For SUBNETS :
Different resources are created on cloud
Databases , compute (VMs) etc
Each type of resource has its own access needs
Load balancers are accessible from internet (public resources)
Databases or VM instances should NOT be accessible from internet
Only applications within your virtual network should be able to access them(private resources)
How do you separate public resources from private resources inside a virtual network ?
Solution : create different subnets for public and private resources
Resources in a public subnet CAN be accessed from internet
Resources in a private subnet CANNOT be accessed from internet
But resources in public subnet can talk to resources in private subnet
Things to Remember – Virtual Network
Every VM in a VNet is assigned a private IP address
You can assign a public IP address and make it static as well
VMs in the same VNet can communicate using private IP addresses
Even if they are in different subnets
Network peering can be used to connect resources in different virtual networks
Peered virtual networks can be in different regions
AZURE DDOS :
DDoS attack : large scale attack to bring your apps down
Result : app goes down or becomes slow; huge bill because of unlimited auto scaling
Two Azure DDoS offerings :
DDoS Protection Basic : protects against common network layer attacks
Intelligently identifies and blocks DDoS attacks
Enabled by default
No extra cost
DDoS Protection Standard :
Mitigates 60 different DDoS attack types
Provides attack analytics, metrics, alerting and reporting
Get quick support from the DDoS Protection Rapid Response (DRR) team
Get a cost guarantee (receive service credit if a DDoS attack results in scale out)
Enable it on the Azure virtual network
AZURE FIREWALL :
Managed network security service to control traffic in and out of an Azure virtual network
Stateful : once inbound traffic is allowed, the corresponding return traffic out is automatically allowed
Centralized configuration : with one Azure Firewall you can control traffic to multiple virtual networks (having hundreds of resources) across multiple subscriptions
Ex : if your enterprise has 10 virtual networks (across multiple subscriptions) with 100 VMs, you can control traffic with one Azure Firewall
Integrated with Azure Monitor : provides logging and analytics
Web application firewall (WAF) :
Restrict traffic into web applications
OWASP etc
NETWORK SECURITY GROUPS (NSG)
Azure Firewall is an external firewall – outside your virtual network
Network security group (NSG) is like an internal firewall inside your virtual network, right before your resources
Multiple inbound and outbound security rules
Allow or block traffic based on source / destination IP address, protocol and port
Restrict traffic between resources such as virtual machines and subnets
Attached to subnets and network interfaces
Use cases : allow access to web servers only on port 80 and port 443 (HTTP / HTTPS)
Restrict database access to web servers only; do NOT allow direct access to the database from the outside world / other servers
Restrict outbound traffic from VMs to download software packages and system updates
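Added example (not from these notes or from Microsoft) modelling how an NSG evaluates the inbound rules for the public web subnet and private database subnet described above: rules are checked in priority order, the first match wins, and the three default inbound rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) always sit at the end. The VNet, subnet and client addresses are constructed sample values, and the "Internet" / "VirtualNetwork" service tags are simplified to "outside / inside the VNet range".

```python
"""Model of how an Azure network security group (NSG) evaluates inbound rules.

Added example, not from the notes or from Microsoft. Rules are evaluated in
priority order (lowest number first) and the first match decides; the three
default inbound rules at priorities 65000/65001/65500 are the real Azure
defaults. Service tags are simplified: "Internet" here means any source outside
the VNet range and "VirtualNetwork" any source inside it (an assumption; the
real tags are broader). IP ranges below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")        # constructed sample VNet
WEB_SUBNET = "10.0.1.0/24"              # public subnet: web servers behind the LB
DB_SUBNET = "10.0.2.0/24"               # private subnet: databases


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str          # CIDR, "Internet", "VirtualNetwork", "AzureLoadBalancer" or "*"
    protocol: str        # "Tcp", "Udp" or "*"
    ports: frozenset     # destination ports; empty set means any port
    access: str          # "Allow" or "Deny"


def rule(priority, name, source, protocol, ports, access):
    return Rule(priority, name, source, protocol, frozenset(ports), access)


# Default inbound rules every NSG carries (priorities are Azure's real ones).
DEFAULT_INBOUND = [
    rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", (), "Allow"),
    rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", (), "Allow"),
    rule(65500, "DenyAllInBound", "*", "*", (), "Deny"),
]


def _source_matches(rule_source, src):
    if rule_source == "*":
        return True
    if rule_source == "Internet":
        return src not in VNET
    if rule_source == "VirtualNetwork":
        return src in VNET
    if rule_source == "AzureLoadBalancer":
        return src == ip_address("168.63.129.16")   # Azure's health-probe source address
    return src in ip_network(rule_source)


def evaluate(rules, src_ip, dst_port, protocol="Tcp"):
    """Return (access, rule name) for an inbound flow: first match in priority order."""
    src = ip_address(src_ip)
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda x: x.priority):
        if r.protocol not in ("*", protocol):
            continue
        if r.ports and dst_port not in r.ports:
            continue
        if not _source_matches(r.source, src):
            continue
        return r.access, r.name
    raise AssertionError("DenyAllInBound always matches")


# Web tier: only HTTP/HTTPS from the Internet; everything else falls through to DenyAllInBound.
WEB_NSG = [rule(100, "AllowHttpHttps", "Internet", "Tcp", (80, 443), "Allow")]

# Database tier: SQL only from the web subnet. Rule 110 matters: without it the default
# AllowVnetInBound (65000) would let any other VM in the VNet reach the database.
DB_NSG = [
    rule(100, "AllowSqlFromWeb", WEB_SUBNET, "Tcp", (1433,), "Allow"),
    rule(110, "DenyOtherVnetTraffic", "VirtualNetwork", "*", (), "Deny"),
]


if __name__ == "__main__":
    for label, nsg, src, port in [
        ("internet -> web:443", WEB_NSG, "203.0.113.5", 443),
        ("internet -> web:22", WEB_NSG, "203.0.113.5", 22),
        ("web -> db:1433", DB_NSG, "10.0.1.10", 1433),
        ("internet -> db:1433", DB_NSG, "203.0.113.5", 1433),
        ("other subnet -> db:1433", DB_NSG, "10.0.3.7", 1433),
        ("other subnet -> db:1433 without rule 110", DB_NSG[:1], "10.0.3.7", 1433),
    ]:
        print(label, evaluate(nsg, src, port))
```

The last case in main shows the check a practitioner should run: remove the explicit VirtualNetwork deny and the default AllowVnetInBound rule quietly opens the database to every subnet in the VNet.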
BASTION HOST :
Bastion Host : A special purpose server designed to provide secure access to a private network from an external network
Secure Access : acts as a gateway allowing secure access to internal resources
Monitoring : often equipped with monitoring and logging to track access and activity
Bastion Host in Major Cloud Platforms :
AWS – AWS Bastion Host
Azure – Azure Bastion
Google Cloud – Google Cloud IAP (Identity-Aware Proxy)
CLOUD COMPUTING : PUBLIC (VS) PRIVATE (VS) HYBRID CLOUDS
Public Cloud :
You host everything in the cloud , you do not need a data center anymore
No capital expenditure required
Hardware resources are owned by Azure(Microsoft)
Hardware failures and security of the data center are managed by Azure(Microsoft)
Hardware owned by Azure and shared between multiple tenants
Tenants : customers who rent infrastructure (you , me and other enterprises)
Private Cloud : you host everything in your own data center
Needs capital expenditure
Incur staffing and maintenance expenses for infrastructure
Delivers higher level of security and privacy
Hybrid Cloud :
Combination of both (public & private)
Use public cloud for some workloads and private cloud for others
Ex : connecting an on-premises app to Azure Cosmos DB
Provides you with flexibility : go on-premises or cloud based on the specific requirement
Hybrid Cloud : Connecting Azure with On-premises
Options : VPN and Azure ExpressRoute
Azure VPN : encrypted connection from on-premises to Azure over the internet
Internet based : encrypted communication over the (public) internet
1: point-to-site VPN : from a computer to Azure
2: site-to-site VPN : from your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network
Needs a VPN device or gateway on-premises
Needs an Azure VPN gateway in the Azure virtual network
Azure ExpressRoute : Private connectivity to Azure VNet
Does Not use Internet : Traffic does Not go over internet
Provides very high bandwidth and very high security (private connection)
No encryption : traffic is NOT encrypted by the connection
VMWare : A leading provider of Virtualization software
Virtualization : allows multiple VM to run on a single physical server
Key Features :
Hypervisor : software that creates & manages VMs(eg: VMWare ESXi)
Resource optimization : efficiently uses hardware resources
Scalability : easily create , modify , and scale VMs as needed
Isolation : Ensures each VM operates independently , without affecting others
Cloud support : VMWare solutions are supported in major cloud platforms , enabling seamless migration to the cloud
AWS for VMWare, Azure VMWare Solution, Google Cloud VMWare Engine
AZURE ARC :
Manage multi cloud and on-premise infrastructure from one place
Supports centralized management of : VMWare resources, Kubernetes (K8s) clusters, SQL Server instances, on-premises physical and virtual machines
AZURE RESOURCE HIERARCHY :
Hierarchy : Management Group(s) > subscription(s) > Resource Group(s) > Resources
Resources : VMs , storage , databases
Resource groups : organize resources by grouping them into resource groups
Subscriptions : manage costs for resources provisioned for different teams or different projects or different business units
Management groups : centralized management for access , policy and compliance across multiple subscriptions
Remember :
No hierarchy in resource groups BUT management groups can have a hierarchy
Resource Groups :
Logical container for resources
Associated with a single subscription
Can have multiple resources
Remember a resource can be associated with one and only one resource group
Can have resource from multiple regions
Deleting it deletes all resources under it
Tags assigned to a resource group are not automatically applied to its resources
However permissions/roles assigned to a user at the resource group level are inherited by all resources in the group
Resource groups (like management groups) are free
SUBSCRIPTIONS :
You need a subscription to create resources in Azure
Subscription links an Azure account to its resources
An Azure account can have multiple subscriptions and multiple account administrators
When do you create a new subscription ?
I want to manage different access management policies for different environments:
Create different subscriptions for different environments
Manage distinct azure subscription policies for each environment
I want to manage costs across different departments of an organization :
Create different subscription for different departments
Create separate billing reports and invoices for each subscription or department and manage costs
I'm exceeding the limits available per subscription
Ex : VMs per subscription – 2,500 per region
Two subscriptions cannot be merged into one
However you can move resources from one to another (ex : VMs)
If a subscription expires :
You will not be able to create new resources in the subscription
But you can continue to access the data stored
Each subscription is associated with quotas :
You can raise a support request to increase some of quotas
You can convert a Free Trial to a pay as you go subscription
Spending limit : prevents spending over your credit amount
Azure free account (spending limit :$200) or credit subscription types have default spending limits
Management Groups :
Allows you to manage access , policies and compliance across multiple subscriptions
Group subscriptions into Management Groups
All subscriptions & resources under a management group inherit all constraints applied to it
Remember you can create a hierarchy of management groups
Remember all subscriptions in a management group should be associated with the same Azure AD tenant
IDENTITY MANAGEMENT :
Diverse Resources : you have cloud resources and internal/external applications
Varied identities : both human and non human identities need access to resources and perform actions
Ex actions : launching , stopping , starting etc..
User identification : how do you identify users?
User permissions : how do you configure what resources they can access? What actions they can perform?
Microsoft Entra ID : formerly Azure Active Directory provides identity and access management services in Azure
IDENTITY MANAGEMENT – KEY THINGS TO KNOW
Authentication : is it the right user?
Authorization : do they have the right access?
Challenge : each app / service needs to authenticate & authorize users
Localized solutions ? : would it be efficient for each app and service to store their own user details (including credentials) ?
Centralized identity provider : what if we can store the user details (including credentials) in a centralized way?
SSO(single sign On) : what if you can authenticate once and access multiple apps and services?
ACTIVE DIRECTORY :
Very popular Microsoft’s proprietary directory service
Authentication and Authorization : define users , credentials and their access rights
Supports groups: manage user permissions and access through group policies
On-premises : primarily used in on-premises environments for centralized identity and access management
Active Directory Federation Services(AD FS): enable SSO
Single – sign on (SSO) : enables logging into multiple apps and services with the same credentials
Convenience : simplifies user experience by reducing the need to remember multiple passwords
MICROSOFT ENTRA ID :
Active directory service in Azure
Features : Authentication and Authorization in Azure : control internal/external users and access to applications and azure resources
Microsoft Entra MFA : enable MFA – Multi Factor Authentication (use 2 of 3 authentication methods)
Something you know , typically a password
Something you have , trusted device
Something you are , fingerprint or face scan
Microsoft Entra self-service password reset : Global administrators can enable the feature to allow users to reset passwords by themselves
SSO : enable application to use Single Sign On
ROLE BASED ACCESS CONTROL(RBAC) – MULTIPLE LEVELS :
RBAC scope can be :
Resource OR
Resource Group OR
Subscription OR
Management Group
Recommended Approach : Azure Role Based Access Control assignment at the management group level
Why ? : all subscriptions , resource groups and resources underneath that management group would also inherit those permissions
Advantage : simplified centralized access control
Microsoft Entra Connect :
Synchronize on-premises active directory with Microsoft Entra ID
User details Synchronization : sync all user details , including passwords
Unified identity : maintain a consistent identity across on-premises and cloud environments
Seamless integration : ensures smooth interoperability between on-premises and cloud directories
Hybrid identity : supports hybrid identity solutions enabling access to both on-premises and cloud resources
EXPLORING MICROSOFT ENTRA DOMAIN SERVICES :
Active Directory (AD) : Microsoft’s very popular proprietary directory service
Microsoft Entra ID : Managed Active Directory service in Azure
Microsoft Entra ID is a toned down version of AD (works very differently)
Microsoft Entra ID (flat structure) vs AD (hierarchical with organizational units – OUs and group policy objects – GPOs)
Microsoft Entra ID (web based protocols – OAuth , SAML , OpenID) vs AD (Kerberos , LDAP , NTLM)
What if you want to use managed domain services (domain joining , group policy , LDAP , and Kerberos authentication) in Azure ?
Use Microsoft Entra domain services
PASSWORDLESS AUTHENTICATION FOR MICROSOFT ENTRA ID :
Complex security frustrates users : MFA – User needs to remember passwords & have a security device
How about simplifying security by going passwordless?
Microsoft Entra ID – Three Options:
Windows Hello for Business : credentials tied to PC (for enterprise users who always perform tasks from their own PCs)
Microsoft Authenticator app : use the employee's phone for authentication (iOS or Android phone)
FIDO2 (Fast Identity Online) security keys
FIDO – open standard for passwordless authentication
FIDO2 – enables users to use common devices to authenticate to online services (mobile and desktop)
MICROSOFT ENTRA ID & AZURE SUBSCRIPTIONS – REMEMBER :
Subscriptions have a trust relationship with Microsoft Entra ID
They trust Microsoft Entra ID to authenticate users , services and devices
Multiple subscriptions can trust the same Microsoft Entra ID directory
However each subscription can trust only one directory
You can transfer an azure subscription to a different Microsoft Entra ID directory
When an Azure subscription expires :
Associated Microsoft Entra ID tenant is not deleted
You can link it with a different subscription
MICROSOFT DEFENDER FOR CLOUD :
Cloud security posture management(CSPM) : automate identification & remediation of security risks of your cloud configuration
Cloud workload protection (CWP) : continuously monitor and fix threats to workloads deployed in the cloud
Microsoft Defender for Cloud : Azure's solution for CSPM and CWP
Formerly called Azure Security Center
Protect your multicloud and hybrid cloud environments
Continuous assessment : understand your current security posture
Provides a secure score (the higher the better)
Secure – harden all connected resources and services
Provides recommendations to improve your security posture
Automated fixes for many recommendations (fix button)
Defend – detect and resolve threats to resources and services
Detects threats to your resources and workloads
Get immediately alerted by e-mail and IT Service management solutions
EXPLORING JUST IN TIME (JIT) VM ACCESS :
Security challenge : open management ports like RDP or SSH are potential targets for attacks
Our goal : reduce the attack surface of your virtual machines
Block inbound traffic : prevent unwanted inbound traffic to your VMs
JIT VM access : enable just in time (JIT) VM Access
User access verification : when access is requested Microsoft Defender for Cloud verifies that the user has the appropriate permissions
Dynamic configuration by Defender for Cloud : network security groups (NSGs) and Azure Firewall are configured to allow inbound traffic with constraints :
Permit access to the specified ports
Restrict access to the relevant IP address
Grant access for a specified amount of time
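The three constraints above (port , source IP , time window) plus the permission check are easy to see as one decision function. The following is an added example, not Microsoft Defender for Cloud code : the JIT policy table , the role assignment table , the permission string and the timestamps are all constructed for illustration.

```python
"""Toy model of a just-in-time (JIT) VM access request.

Added example, not Microsoft Defender for Cloud code: the policy, the role
assignment table and the permission string are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed JIT policy: which ports may be opened on a VM and for how long.
JIT_POLICY = {
    "vm-web-01": {22: {"max_minutes": 180}, 3389: {"max_minutes": 60}},
}

# Constructed role assignments: only the "initiate" permission is modelled.
JIT_INITIATE = "jitNetworkAccessPolicies/initiate/action"
ROLE_ASSIGNMENTS = {
    "alice@example.com": {JIT_INITIATE},
    "bob@example.com": set(),
}

# Reference time used by the worked scenario (constructed).
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def at_minutes(minutes):
    """Clock time `minutes` after T0 (helper for the worked scenario)."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class NsgRule:
    """Temporary allow rule that Defender for Cloud would push into the NSG."""
    vm: str
    port: int
    source: str        # CIDR, pinned to the requester's address
    expires: datetime  # rule is removed once this time passes


def request_jit_access(user, vm, port, source_ip, minutes, now):
    """Evaluate a JIT request; return the time-bound NSG rule or raise."""
    # 1. User access verification: does the requester hold the permission?
    if JIT_INITIATE not in ROLE_ASSIGNMENTS.get(user, set()):
        raise PermissionError(f"{user} may not initiate JIT access")
    # 2. Only ports listed in the VM's JIT policy can be opened.
    port_policy = JIT_POLICY.get(vm, {}).get(port)
    if port_policy is None:
        raise ValueError(f"port {port} is not JIT-enabled on {vm}")
    # 3. The window is bounded by the policy's maximum duration.
    if not 0 < minutes <= port_policy["max_minutes"]:
        raise ValueError(f"requested {minutes} min exceeds policy maximum")
    # 4. Restrict the rule to the requester's own address (/32).
    source = f"{ip_address(source_ip)}/32"
    return NsgRule(vm, port, source, now + timedelta(minutes=minutes))


def is_allowed(rule, port, source_ip, now):
    """Would the NSG rule admit this inbound packet at time `now`?"""
    return (
        port == rule.port
        and now < rule.expires
        and ip_address(source_ip) in ip_network(rule.source)
    )


if __name__ == "__main__":
    rule = request_jit_access("alice@example.com", "vm-web-01", 22,
                              "203.0.113.7", 60, T0)
    print(rule)
    print("same IP, 30 min later:", is_allowed(rule, 22, "203.0.113.7", at_minutes(30)))
    print("same IP, 61 min later:", is_allowed(rule, 22, "203.0.113.7", at_minutes(61)))
```

The point worth noticing is the ordering : the permission check happens before any network change , and the resulting rule carries its own expiry , so a forgotten request does not leave the port open.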
SECURITY IS COMPLEX – CSPM VS SIEM VS SOAR
Cloud Security Posture Management(CSPM) : find cloud misconfigurations by evaluating configurations automatically and continuously
Best practices : check adherence to best practices and compliance rules
Security Information and Event Management(SIEM) :
Collect and analyze log data from various sources to identify potential threats
Security Orchestration , Automation , and Response (SOAR) :
Prioritizes alerts based on the threat levels
Automate responses to threats , when possible
MICROSOFT SENTINEL – SIEM & SOAR :
Comprehensive SIEM and SOAR solution : Microsoft Sentinel provides a powerful cloud native SIEM & SOAR solution
SIEM : security information and event management
SOAR : security orchestration , automation , and response
Centralized security dashboard : provides a bird's eye security view across your enterprise
Modern SOC : modernize your security operations center (SOC) with advanced threat detection , investigation and response capabilities
Scalable and flexible : scales elastically as your organization grows with no need for on premises infrastructure
Event Storage : store events in azure monitor log analytics workspace or azure storage account
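The SIEM / SOAR split described above (collect and analyze logs to find threats , then prioritize alerts and automate responses) in miniature. This is an added example , not Microsoft Sentinel code or a Sentinel analytics rule : the sign-in events , the failure threshold , the severity rules and the playbook actions are all constructed.

```python
"""SIEM-style detection and SOAR-style triage over constructed sign-in events.

Added example, not Microsoft Sentinel code: the event format, the threshold,
the severity rules and the playbook actions are assumptions.
"""
from collections import defaultdict

# Constructed sign-in events, as a SIEM would see them after collection.
# ts is a simple event counter standing in for a timestamp.
EVENTS = (
    [{"ts": t, "user": "alice", "ip": "198.51.100.5", "result": "failure"} for t in range(1, 7)]
    + [{"ts": 7, "user": "alice", "ip": "198.51.100.5", "result": "success"}]
    + [{"ts": t, "user": "carol", "ip": "198.51.100.9", "result": "failure"} for t in range(2, 5)]
    + [{"ts": t, "user": "admin", "ip": "203.0.113.20", "result": "failure"} for t in range(1, 6)]
    + [{"ts": t, "user": "bob", "ip": "203.0.113.30", "result": "failure"} for t in range(1, 6)]
)

PRIVILEGED_USERS = {"admin"}          # constructed: accounts that raise severity
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


def detect_bruteforce(events, threshold=5):
    """SIEM analytics rule: one incident per source IP with >= threshold failures.

    A success from the same IP after the threshold was reached is treated as a
    probable compromise; failures against a privileged account are escalated.
    """
    by_ip = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_ip[event["ip"]].append(event)
    incidents = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "failure"]
        if len(failures) < threshold:
            continue
        reached_at = failures[threshold - 1]["ts"]
        compromised = sorted({e["user"] for e in evs
                              if e["result"] == "success" and e["ts"] > reached_at})
        users = sorted({e["user"] for e in failures})
        high = bool(compromised) or bool(PRIVILEGED_USERS & set(users))
        incidents.append({
            "ip": ip, "failures": len(failures), "users": users,
            "compromised": compromised, "severity": "High" if high else "Medium",
        })
    return incidents


def triage(incidents):
    """SOAR prioritisation: highest severity first, then most failures."""
    return sorted(incidents, key=lambda i: (SEVERITY_RANK[i["severity"]], -i["failures"]))


def playbook(incident):
    """SOAR automated response: the actions an automation rule would run."""
    actions = [f"block_ip:{incident['ip']}"]
    for user in incident["compromised"]:
        actions += [f"revoke_sessions:{user}", f"require_password_reset:{user}"]
    if incident["severity"] == "High":
        actions.append("page_on_call")
    return actions


if __name__ == "__main__":
    for incident in triage(detect_bruteforce(EVENTS)):
        print(incident["severity"], incident["ip"], playbook(incident))
```

Note that carol's three failures never become an incident : a SIEM rule needs a threshold , otherwise every mistyped password pages the on-call engineer. The SOAR half then decides order and response from the severity the rule assigned , which is what "prioritizes alerts based on the threat level" means in practice.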
Azure Key Vault :
Securely store and access secrets
Ex : API keys , passwords , certificates or cryptographic keys
Provides access monitoring and access control for secrets
Best practice : do not store secrets or passwords in your application code or configuration
ZERO TRUST :
Workforces are increasingly going remote and
the intensity and sophistication of cyber attacks is growing every day
How can enterprises prepare for this new reality ?
Zero trust : Microsoft's modern security strategy
Zero trust principles :
Verify explicitly : use all available info – identity , location , device , resource , data classification , time
Use least privilege access
Assume breach
A few best practices :
Apply zero trust : human & non human identities , networks , microservices , virtual machines and workloads
End to end encryption
Continuous monitoring
Continuous updates to devices
Automated threat detection and response
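How "verify explicitly" , "least privilege" and "assume breach" combine into one access decision , together with the 2 of 3 MFA rule from the Microsoft Entra MFA notes above. This is an added example , not Microsoft's Conditional Access engine : the signal names , the trusted locations , the working hours , the privileged resource list and the decision rules are all assumptions.

```python
"""Toy 'verify explicitly' access decision.

Added example illustrating the Zero Trust principles and the 2-of-3 MFA rule
from the notes; it is not Microsoft's Conditional Access engine. Signal names,
trusted values and decision rules are assumptions.
"""

# Which MFA category each authentication method belongs to (constructed table).
FACTOR_CATEGORY = {
    "password": "know", "pin": "know",
    "authenticator_app": "have", "fido2_key": "have",
    "fingerprint": "are", "face": "are",
}
TRUSTED_LOCATIONS = {"office-london", "office-chennai"}   # assumed named locations
PRIVILEGED_RESOURCES = {"subscription-admin-portal"}      # assumed high-value targets
WORK_HOURS = range(8, 19)                                 # 08:00-18:59, assumed


def mfa_satisfied(factors):
    """MFA = two distinct categories; password + PIN is still one factor."""
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return len(categories) >= 2


def decide(req):
    """Return (decision, reasons) using every signal, never just the network location."""
    reasons = []
    # Assume breach: confidential data is never released to a non-compliant device,
    # however strongly the user authenticated.
    if req["classification"] == "confidential" and not req["device_compliant"]:
        return "deny", ["confidential data requires a compliant device"]
    if req["location"] not in TRUSTED_LOCATIONS:
        reasons.append("unfamiliar location")
    if req["hour"] not in WORK_HOURS:
        reasons.append("outside working hours")
    if not req["device_compliant"]:
        reasons.append("device not compliant")
    # Least privilege: privileged resources always require step-up authentication.
    if req["resource"] in PRIVILEGED_RESOURCES:
        reasons.append("privileged resource")
    if not reasons:
        return "allow", ["all signals trusted"]
    if mfa_satisfied(req["factors"]):
        return "allow", reasons + ["mfa satisfied"]
    return "require_mfa", reasons


def make_request(**overrides):
    """Constructed baseline request; override individual signals per scenario."""
    base = {"user": "alice", "resource": "payroll-app", "location": "office-london",
            "hour": 10, "device_compliant": True, "classification": "internal",
            "factors": ["password"]}
    base.update(overrides)
    return base


if __name__ == "__main__":
    print(decide(make_request()))
    print(decide(make_request(location="hotel-wifi")))
    print(decide(make_request(location="hotel-wifi", factors=["password", "fido2_key"])))
    print(decide(make_request(classification="confidential", device_compliant=False)))
```

Two details carry the Zero Trust idea : a password plus a PIN never counts as MFA because both are "something you know" , and a non-compliant device is refused confidential data even when the user presents three factors , because the decision is about the device and the data , not only the identity.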
SECURITY BEST PRACTICE – DEFENSE IN DEPTH
A chain is only as strong as its weakest link – secure at all levels
Physical security – control access to physical infrastructure(Microsoft’s responsibility)
Identity and access : proper identities with RBAC ; use SSO & MFA
Perimeter : Azure DDoS Protection + Azure Firewall
Network : limit network connectivity , restrict internet access (inbound and outbound)
Restrict communication between resources
Compute : secure access to virtual machines
Implement endpoint protection
Ensure that OS and software patches are applied
Application : think of security from day one
Implement security best practices depending on language and framework
Store secrets in Azure Key Vault
Data : encrypt data at rest and in transit
Best practices : implement security at all levels!
AZURE SUPPORT PLANS :
Plans : Basic , developer , standard , professional direct
Earlier plans : premier , professional direct , standard and basic
Features supported for all plans :
Billing and subscription management support
ability to submit as many support tickets as you need
azure advisor automated azure best practices
24/7 self help resources
Documentation and community support ( forums – MSDN , stackoverflow)
Supported by professional Direct Only
Support API ( create support tickets programmatically)
ProDirect delivery managers : get proactive guidance request for service reviews and advisory consultations
Webinars led by azure engineers
AZURE ADVISOR :
Automated recommendations to improve reliability , security & performance , achieve operational excellence & reduce costs
Take immediate actions or schedule or dismiss
Supports notifications for new recommendations
Filter recommendations by subscriptions , resource groups or service
Step by step guidance and quick actions for fast remediation
Gives you total score : score improves as you take remedial actions
AZURE MONITOR :
Gather , analyze and visualize logs and metrics :
From Azure and on premises resources
Monitor resources across multiple subscriptions
Proactively identify issues and trigger alerts/ automated actions
Things you can do with azure monitor :
Application insights : detect & diagnose application issues
VM insights : monitor performance & health of your VMs and VM scale sets
Container insights : monitor performance of container workloads(AKS,ACI etc)
Log analytics : troubleshoot issues using monitoring data extracted from logs
Create smart alerts : SMS , emails , etc.. and attempt to automatically take corrective action
Automatically send an alert if an Azure VM is stopped
Trigger alerts based on data in an Azure log analytics workspace
Auto scale based on thresholds
Create visualizations with azure dashboards
Collect data from monitored resources using Azure Monitor metrics
EXPLORING AZURE LOG ANALYTICS :
Azure monitor logs : collects log and performance data from monitored resources
Where is the data stored ? log analytics workspace
You can use a single workspace for all your data collection
OR you can create multiple workspaces based on your location access and retention needs
Where does the data come from ? : azure monitor and other azure services such as Microsoft sentinel and Microsoft defender for cloud
Azure log analytics : write and run log queries on the data
Ex 1 : aggregating logs from multiple VMs
Ex 2 : analyzing logs from Microsoft sentinel
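What "aggregating logs from multiple VMs" , a metric alert , the "alert if a VM is stopped" rule and "auto scale based on thresholds" look like when written out. This is an added example , not Azure Monitor or Log Analytics code (real queries would be written in KQL against a workspace) : the metric samples , the activity-log records , the thresholds and the scale rules are constructed.

```python
"""Aggregating constructed metric samples and activity-log records from several
VMs, then evaluating a threshold alert, a 'VM stopped' alert and an autoscale rule.

Added example, not Azure Monitor code: the sample format, thresholds and the
scale rules are assumptions; the records are constructed.
"""
from collections import defaultdict
from statistics import mean

# Constructed metric samples: (minute, vm, metric, value)
SAMPLES = [
    (1, "vm-1", "cpu_percent", 90), (2, "vm-1", "cpu_percent", 85), (3, "vm-1", "cpu_percent", 95),
    (1, "vm-2", "cpu_percent", 40), (2, "vm-2", "cpu_percent", 50), (3, "vm-2", "cpu_percent", 60),
    (1, "vm-3", "cpu_percent", 10), (2, "vm-3", "cpu_percent", 20), (3, "vm-3", "cpu_percent", 30),
    (1, "vm-1", "memory_percent", 70),   # different metric, must be filtered out
]

# Constructed activity-log records (operation names follow the Azure naming pattern).
ACTIVITY_LOG = [
    {"vm": "vm-2", "operation": "Microsoft.Compute/virtualMachines/restart/action", "status": "Succeeded"},
    {"vm": "vm-3", "operation": "Microsoft.Compute/virtualMachines/deallocate/action", "status": "Succeeded"},
    {"vm": "vm-1", "operation": "Microsoft.Compute/virtualMachines/deallocate/action", "status": "Failed"},
]


def aggregate(samples, metric):
    """Log-analytics style summary: average of one metric per VM."""
    per_vm = defaultdict(list)
    for _minute, vm, name, value in samples:
        if name == metric:
            per_vm[vm].append(value)
    return {vm: round(float(mean(values)), 1) for vm, values in per_vm.items()}


def cpu_alerts(per_vm_avg, threshold=80.0):
    """Metric alert rule: VMs whose average exceeds the threshold."""
    return sorted(vm for vm, avg in per_vm_avg.items() if avg > threshold)


def stopped_vm_alerts(activity_log):
    """Activity-log alert rule: fire on a *successful* deallocate operation."""
    return [rec["vm"] for rec in activity_log
            if rec["operation"].endswith("/deallocate/action") and rec["status"] == "Succeeded"]


def autoscale_decision(per_vm_avg, current, min_count, max_count,
                       scale_out=70.0, scale_in=30.0):
    """Autoscale rule on the fleet-wide average, bounded by min/max instance counts."""
    fleet_avg = mean(per_vm_avg.values())
    if fleet_avg > scale_out and current < max_count:
        return current + 1
    if fleet_avg < scale_in and current > min_count:
        return current - 1
    return current


if __name__ == "__main__":
    avg = aggregate(SAMPLES, "cpu_percent")
    print("per-VM CPU:", avg)
    print("CPU alerts:", cpu_alerts(avg))
    print("stopped VMs:", stopped_vm_alerts(ACTIVITY_LOG))
    print("instances after autoscale:", autoscale_decision(avg, current=3, min_count=2, max_count=5))
```

The failed deallocate on vm-1 is deliberately not alerted : an alert rule keyed on the operation name alone would fire on attempts as well as on actual stops , so the status is part of the condition. The autoscale rule also shows why a hot single VM (vm-1) does not by itself add an instance : scaling decisions are usually made on the fleet average , while per-VM alerts catch the outlier.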
RELIABILITY AND PREDICTABILITY IN THE CLOUD
Reliability : ensuring continuous operation & automatic recovery from failures
Multi region deployment : deploy apps in multiple regions and zones
Automatic recovery : initiate automatic recovery actions in case of failures
Predictability : ensuring consistent performance and costs
Performance predictability :
Autoscaling : automatically adjust resources based on demand
Load balancing : distribute traffic evenly across multiple servers
Cost predictability :
Cost estimation tools : use tools like total cost of ownership (TCO) and pricing calculator to estimate cloud spending
Resource monitoring : utilize Azure monitor to track resource usage in real time
AZURE SERVICE HEALTH :
Personalized alerts and guidance for azure service issues
Personalized based on your azure usage – subscriptions , services and regions
Notifies about azure service incidents & planned maintenance
Best place to know about outages issues and planned maintenance
Best practices : set up service health alerts
Get notified about service issues
Channels : email, SMS , push notification , webhook etc
Hierarchy : Azure status > Azure service health > Azure resource health
Azure status : global view of the health of azure services and regions
Azure service health : personalized dashboard based on your azure usage
Azure resource health : provides information about the health of your individual cloud resources such as a specific virtual machine instances
AZURE POLICY
How do you ensure that resources stay compliant with your policies ?
Create , assign , and manage policies
Automatically ensure that resources stay compliant with defined standards and SLAs
Manage compliance of resources across multiple subscriptions
Assigned to a management group a single subscription or a resource group
Initiatives : Group of policies
Azure provides some predefined initiatives :
Azure Security Benchmark , UK OFFICIAL and UK NHS , HIPAA etc
View them under policy > authoring > definitions
Compliance dashboard : aggregated view of the overall compliance with options to drill down to specific resource/policy
Use cases : governance for resource consistency, regulatory compliance , security , cost and management
Examples :
Only allow creation of VMs of specific sizes
Only allow creation of resources in a specific region
Automatically tag all resources in a resource group with the same tags as that of the resource group
MFA should be mandatory for certain types of accounts
Existing non compliant resources will be marked as non compliant
But they will continue to work as is
Policy evaluation is NOT immediate
Approx once every hour
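The three policy examples above (allowed VM sizes , allowed regions , inherit tags from the resource group) and the two evaluation modes (existing resources are only marked ; new requests are modified or denied) as one small evaluator. This is an added example , not the Azure Policy engine or its JSON definition format : the rule structure , the effects , the allow-lists and the resources are constructed , and the VM size and region names are only sample values.

```python
"""Toy evaluation of Azure Policy-style rules over constructed resources.

Added example, not the Azure Policy engine: the rule format, the effects
(deny / modify), the VM size and location allow-lists and the resources are
assumptions chosen to mirror the examples in the notes.
"""
from copy import deepcopy

# Constructed resource-group tags that the 'inherit tags' policy copies down.
RESOURCE_GROUP_TAGS = {"rg-app": {"environment": "prod", "businessUnit": "retail"}}

POLICIES = [
    # Only allow creation of VMs of specific sizes (deny effect, VMs only).
    {"name": "allowed-vm-sizes", "effect": "deny",
     "type": "Microsoft.Compute/virtualMachines",
     "check": lambda r: r["size"] in {"Standard_B2s", "Standard_D2s_v3"}},
    # Only allow creation of resources in specific regions (deny effect, all types).
    {"name": "allowed-locations", "effect": "deny", "type": None,
     "check": lambda r: r["location"] in {"uksouth", "ukwest"}},
    # Copy the resource group's tags onto the resource (modify effect).
    {"name": "inherit-rg-tags", "effect": "modify", "type": None,
     "check": lambda r: all(r["tags"].get(k) == v
                            for k, v in RESOURCE_GROUP_TAGS[r["rg"]].items()),
     "remediate": lambda r: r["tags"].update(RESOURCE_GROUP_TAGS[r["rg"]])},
]

# Constructed resources that already exist when the policies are assigned.
EXISTING = [
    {"name": "vm-old", "type": "Microsoft.Compute/virtualMachines", "rg": "rg-app",
     "location": "uksouth", "size": "Standard_D16s_v3", "tags": {}},
    {"name": "stg-1", "type": "Microsoft.Storage/storageAccounts", "rg": "rg-app",
     "location": "westus", "tags": {"environment": "prod", "businessUnit": "retail"}},
    {"name": "vm-ok", "type": "Microsoft.Compute/virtualMachines", "rg": "rg-app",
     "location": "uksouth", "size": "Standard_B2s",
     "tags": {"environment": "prod", "businessUnit": "retail"}},
]


def applies(policy, resource):
    return policy["type"] is None or policy["type"] == resource["type"]


def evaluate_existing(resources, policies):
    """Periodic compliance scan: existing resources are only marked, never changed."""
    report = {}
    for r in resources:
        failed = [p["name"] for p in policies if applies(p, r) and not p["check"](r)]
        report[r["name"]] = {"state": "Compliant" if not failed else "NonCompliant",
                             "failed": failed}
    return report


def create_resource(request, policies):
    """Request-time evaluation: modify fixes the request, deny blocks it."""
    r = deepcopy(request)
    for p in policies:
        if not applies(p, r) or p["check"](r):
            continue
        if p["effect"] == "modify":
            p["remediate"](r)
        else:
            raise PermissionError(f"creation denied by policy {p['name']}")
    return r


def compliance_dashboard(report):
    """Aggregated view: how many resources are compliant overall."""
    total = len(report)
    compliant = sum(1 for v in report.values() if v["state"] == "Compliant")
    return {"total": total, "compliant": compliant,
            "percent": round(100 * compliant / total) if total else 100}


if __name__ == "__main__":
    report = evaluate_existing(EXISTING, POLICIES)
    for name, result in report.items():
        print(name, result)
    print(compliance_dashboard(report))
```

The scan leaves vm-old running with its oversized SKU and reports it as non compliant , exactly as the notes say ; only a new request is actually blocked. The modify effect is the one that changes anything without denying : the new VM comes back with the resource group's tags even though the caller sent none.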
AZURE BLUEPRINTS :
One or more of (policy + role + ARM template + Resource group) configurations
Different pre built blueprints available
Your architecture team can create blueprints adhering to your organizations standards , patterns , and requirements
And your teams use the blueprints to create Azure resources
Blueprints can be assigned to individual subscriptions
blueprints can be used to set up resources groups within subscriptions
helps teams to quickly set up environments adhering to organizational standards
you can even setup an automated CI/CD pipeline
RESOURCE LOCKS :
Prevent accidental deletion / modification of resources :
Applicable at multiple levels : subscription , resource group , or resource
An Azure resource inherits locks from its resource group and subscription
Two options : CannotDelete and ReadOnly
A locked resource must be unlocked before it can be changed (even by owners)
The two options in detail :
ReadOnly lock : authorized users can read BUT they can't delete or update the resource
CannotDelete lock : authorized users can read and modify BUT they can't delete the resource
Ex : if a resource group has a delete lock , an administrator must first remove the DELETE lock before they can delete the resource
You can have multiple locks at different levels
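The resource hierarchy (management group > subscription > resource group > resource) , the RBAC recommendation to assign at the management group level so that everything underneath inherits , and the lock rules above all come down to walking the same scope chain. The following is an added example , not Azure Resource Manager code : the scope IDs , the simplified role definitions , the principals and the lock placements are constructed. The lock level names CanNotDelete and ReadOnly are the ones Azure uses for the two lock types.

```python
"""Toy model of the Azure scope hierarchy showing how role assignments and
resource locks propagate down from management group to resource.

Added example, not Azure Resource Manager code: scope IDs, the role
definitions, principals and lock placements are constructed. Lock level names
CanNotDelete and ReadOnly are the ones Azure uses for the two lock types.
"""

# Parent links: management group > subscription > resource group > resource.
PARENT = {
    "/mg/root": None,
    "/mg/root/mg/prod": "/mg/root",
    "/sub/sub-a": "/mg/root/mg/prod",
    "/sub/sub-a/rg/rg-app": "/sub/sub-a",
    "/sub/sub-a/rg/rg-app/vm/vm-web-01": "/sub/sub-a/rg/rg-app",
    "/sub/sub-a/rg/rg-other": "/sub/sub-a",
}

# Simplified role definitions: which actions each role permits.
ROLES = {
    "Reader": {"read"},
    "Contributor": {"read", "write", "delete"},
    "Owner": {"read", "write", "delete", "assign-roles"},
}

# Role assignments: (principal, role, scope). A role granted at a scope is
# inherited by every child scope.
ASSIGNMENTS = [
    ("alice", "Reader", "/mg/root"),                   # read everywhere under the root MG
    ("alice", "Contributor", "/sub/sub-a/rg/rg-app"),  # full control in one RG only
    ("bob", "Owner", "/sub/sub-a"),                    # owner of the whole subscription
]

# Locks: scope -> level. Children inherit the lock; the strictest one wins.
LOCKS = {"/sub/sub-a/rg/rg-app": "CanNotDelete"}


def set_lock(scope, level):
    LOCKS[scope] = level


def remove_lock(scope):
    LOCKS.pop(scope, None)


def scope_chain(scope):
    """The scope itself followed by each ancestor up to the root."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = PARENT[scope]
    return chain


def effective_roles(principal, scope):
    ancestors = set(scope_chain(scope))
    return {role for p, role, s in ASSIGNMENTS if p == principal and s in ancestors}


def effective_lock(scope):
    levels = {LOCKS[s] for s in scope_chain(scope) if s in LOCKS}
    if "ReadOnly" in levels:
        return "ReadOnly"
    if "CanNotDelete" in levels:
        return "CanNotDelete"
    return None


def can(principal, action, scope):
    """RBAC first, then locks: a lock blocks even an Owner until it is removed."""
    roles = effective_roles(principal, scope)
    if not any(action in ROLES[r] for r in roles):
        return False, f"no role grants '{action}' at {scope}"
    lock = effective_lock(scope)
    if lock == "ReadOnly" and action != "read":
        return False, "blocked by inherited ReadOnly lock"
    if lock == "CanNotDelete" and action == "delete":
        return False, "blocked by inherited CanNotDelete lock"
    return True, "allowed"


if __name__ == "__main__":
    vm = "/sub/sub-a/rg/rg-app/vm/vm-web-01"
    for who, action in [("alice", "read"), ("alice", "write"), ("alice", "delete"), ("bob", "delete")]:
        print(who, action, vm, "->", can(who, action, vm))
```

Two things the model makes visible : alice's Reader role granted at the root management group reaches a subscription three levels down without any further assignment , and bob's Owner role does not get him past the CanNotDelete lock inherited from the resource group ; he has to remove the lock first , as the notes say.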
COMPLIANCE & AZURE :
What is Compliance ?
depending on the domain of your enterprise you need to adhere to several industry and security standards(in addition to corporate and regulatory policies)
you are using services provided by azure and storing data in azure
COMPLIANCE & AZURE – IMPORTANT STANDARDS TO REMEMBER
90+ Azure compliance offerings can be grouped into four segments :
Global, US government , industry specific , and region/country specific
50+ compliance offerings specific to global regions and countries(the US, the European Union , Germany , Etc)
35+ compliance offerings specific to the needs of key industries ( health , government , finance etc).
NEED OF DATA GOVERNANCE :
Data Proliferation : Exponential growth of data makes managing and securing data increasingly challenging
Regulatory compliance : compliance with regulations like GDPR , HIPAA , .. is crucial to avoid penalties
Data Security : Protecting sensitive data from breaches and unauthorized access is critical
Data quality : having high quality data is important to provide accurate analytics and business decisions
Data Lineage and Auditing : track the origin , movement , and transformation of data to ensure its integrity and transparency
MICROSOFT PURVIEW : UNIFIED DATA GOVERNANCE IN AZURE
Unified Data Governance : Microsoft purview provides a comprehensive platform for data governance
Data Discovery and Classification : automatically discover and classify sensitive data in on-premises , multi cloud and SaaS environments
Data Catalog : Build a data catalog that allows users to easily find , understand , and consume data
Data Access Policies : Implement and enforce data access policies to ensure data privacy and security
Integration : Seamlessly integrates with Microsoft 365 , Azure … to provide a unified governance experience
EXPENDITURE MODELS : CAPEX VS OPEX
Capital Expenditure (CapEx) : money spent to buy infrastructure
Additional cost to maintain infrastructure with time
You might need a team to manage the infrastructure
Ex : deploying your own data center with physical servers
Ex : purchasing azure reserved VM instances
Operational Expenditure (OpEx) : Money spent to use a service or product
Zero upfront costs
You pay for services as you use them(pay as you go model)
Ex : provisioning VMs as you need them
Ex : using azure functions and paying for invocations
CONSUMPTION – BASED (VS) FIXED PRICE PRICING MODELS :
Consumption – based : you are billed for only what you use
Ex : Azure Functions – you pay for the number of invocations
Fixed price – you are billed for instances irrespective of whether they are used or not
Ex : you provision a VM instance
You pay for its lifetime irrespective of whether you use it or NOT
Ex : app service you choose app service plan (basic , standard or premium plans)
You are billed irrespective of whether you use it or not
TOTAL COST OF OWNERSHIP (TCO) CALCULATOR
Estimate the cost savings you get by migrating your workloads to azure
1:define your workloads enter the details of your on-premises workloads
Servers , databases , storage , networking details
Adjust assumptions : customize electricity costs , storage costs , IT labour costs , hardware costs , software costs etc..
View report : side by side comparison of the cost breakdown
PRICING CALCULATOR :
Estimate the costs for azure services
Ex services that you can estimate costs for :
Virtual machine
Storage accounts
Azure sql database
App service
Azure Cosmos DB
Azure Kubernetes Service (AKS)
Azure functions
Ideal place to explore and learn important factors about different azure services
AZURE COST MANAGEMENT :
Setup and manage your account :
Configure subscriptions manage invoices and payment methods
Analyze and optimize cloud costs :
Break down and analyze costs to get a deeper understanding of costs and usage patterns
Control and optimize costs
Setup budget and cost alerts
Managing Costs – Best Practices :
Estimate costs before you deploy (pricing calculator)
Calculate TCO
Group resources based on cost ownership
Subscriptions , resource groups , tags
Use cost management features
Cost analysis
Budgets and cost alerts
Advisor recommendations
Stop resources when you don't need them
Remember you pay for active resources
Even if you stop a VM , hard disks and data are still stored , you need to pay storage
Use managed services(PaaS>>>IaaS)
Reserve VMs for 1 or 3 years (Azure Reservations)
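The consumption based vs fixed price distinction from the pricing models section , and the point just above that a stopped VM still pays for its disks , worked through as a small monthly cost model. This is an added example and not Azure's pricing model : every rate below is a placeholder chosen for illustration , not an Azure list price , and the free grant is an assumption.

```python
"""Constructed comparison of a consumption-based service against a fixed-price
instance, including the 'stopped VM still pays for disks' point from the notes.

Added example, not Azure's pricing model or list prices: every rate below is a
placeholder chosen for illustration.
"""
HOURS_PER_MONTH = 730

# Placeholder rates (assumed, not Azure pricing).
VM_PER_HOUR = 0.10        # fixed price: billed per allocated hour, busy or idle
DISK_PER_GB_MONTH = 0.05  # managed disk: billed all month, even when VM is deallocated
FN_PER_MILLION = 0.20     # consumption: per million invocations
FN_FREE_MILLION = 1.0     # assumed monthly free grant (millions of invocations)


def fixed_price_month(allocated_hours, disk_gb):
    """Fixed-price VM: compute for the hours it is allocated + disk for the whole month.

    Deallocating the VM drops allocated_hours to 0 but the disk cost stays.
    """
    return round(VM_PER_HOUR * allocated_hours + DISK_PER_GB_MONTH * disk_gb, 2)


def consumption_month(invocations_millions):
    """Consumption-based: nothing until the free grant is used up, then per invocation."""
    billable = max(0.0, invocations_millions - FN_FREE_MILLION)
    return round(FN_PER_MILLION * billable, 2)


def breakeven_millions(allocated_hours, disk_gb):
    """Monthly invocations (millions) at which consumption pricing equals the VM."""
    fixed = fixed_price_month(allocated_hours, disk_gb)
    return round(FN_FREE_MILLION + fixed / FN_PER_MILLION, 1)


def cheaper_model(invocations_millions, allocated_hours, disk_gb):
    """Which model is cheaper for a given monthly load."""
    fixed = fixed_price_month(allocated_hours, disk_gb)
    usage = consumption_month(invocations_millions)
    return "consumption" if usage < fixed else "fixed"


if __name__ == "__main__":
    print("VM all month + 128 GB disk:", fixed_price_month(HOURS_PER_MONTH, 128))
    print("VM deallocated all month, disk kept:", fixed_price_month(0, 128))
    print("3M invocations:", consumption_month(3.0))
    print("break-even (millions/month):", breakeven_millions(HOURS_PER_MONTH, 128))
```

The deallocated case is the one people miss : with these placeholder rates the compute charge goes to zero but the 128 GB disk still costs 6.4 a month , which is why the notes say to delete , not only stop , resources you no longer need.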
REQUESTING A CREDIT FROM MICROSOFT
Service level agreement(SLA) : describe Microsoft’s commitments for uptime and connectivity for Azure services
Ex : single VM with premium SSD or Ultra Disk:99.9% availability
What happens when Microsoft does not meet the SLA ?
Very rare : it is rare for Microsoft not to meet its SLA
What should you do : submit a support ticket with a completed credit request form
Details needed : provide details like customer tenant ID and proof of service impact
TAGS :
Identify applications , environments or business units that a specific resource is associated with
Report and track costs for a group of resources by assigning them with the same tag
Group resources based on their SLA , security or compliance requirements
Best practice : identify mandatory tags that all resources should have and enforce it using Azure Policy
Ex : environment , Business Unit , priority
Tags for resources are not inherited by default from their resource group
AZURE VIRTUAL DESKTOP : CLOUD BASED VIRTUAL DESKTOP
Azure Virtual Desktop : Desktop & application virtualization service
Windows operating system : provides cloud hosted windows experience
Ultimate device compatibility : accessible from almost any device and OS offering flexibility for users
Integration : seamlessly integrates with Microsoft Entra ID for role based access control (RBAC)
Azure Virtual Desktop : Advantages
Multi session deployment : enables multiple concurrent users on a single VM, cutting costs
Efficient use of resources
Cost Efficiency : pay only for the resources you use optimizing expenditure
Enhanced security : ensures data and applications are securely stored in the cloud leaving nothing on the users local machine
AZURE MARKET PLACE :
Discover , try , and deploy the cloud software you want
Customized and certified solutions optimized for azure , provided by Microsoft partners and other software vendors
Provision end to end solutions (applications and services)
Solutions under a variety of categories
Compute , containers , databases , developer tools , DevOps
Run WordPress , RabbitMQ , CouchDB etc
Flexible hourly billing
AZURE MIGRATE :
Central hub to manage your Azure migration
A host of tools are offered under the umbrella of Azure migrate
1: Azure Migrate – Discovery and assessment : Assess migration for on-premises servers , applications and data
2:Azure Migrate – Server Migration : Migrate your VMs(from your data center and other clouds) to Azure
3:Azure Database Migration Service : Migrate databases to Azure
4:Web app Migration assistant : Migrate web apps to Azure App Service
5:Azure Data Box – Offline data transfer to Azure
AZURE DATA BOX : PHYSICAL MIGRATION TO AZURE
If you want to migrate tens of terabytes of data quickly you can use Azure Data Box
Azure Data Box : physical migration service
Recommended for transferring data sizes larger than 40 TB
STEPS :
1.order the data box device via the Azure Portal
2.copy data into it
3.return it back to Microsoft
4.data is automatically uploaded once Microsoft receives the Data Box back
AZURE DATA BOX PRODUCTS : PROVIDE FLEXIBILITY
Variety of products : move large amounts of data offline to azure
Data box disk : 8-TB SSD comes in packs of 5 for a total of 40 TB
Data Box : 100-TB capacity
Data Box Heavy : designed to lift 1 PB of data to the cloud
CONTENT DELIVERY NETWORK :
Slow Load Times : users experience slow load times when accessing content hosted far from their location
How to deliver content quickly to your global audience?
Content delivery network : system of distributed servers that deliver content to users based on their geographic location
Global distribution : servers (edge locations) are spread across multiple geographic locations
Caching : stores copies of content closer to end users to reduce latency
AZURE FRONT DOOR :
Azure Front Door : Microsoft’s modern cloud Content Delivery Network(CDN)
Fast , reliable , and secure access : for your end users to your applications static and dynamic web content across the globe
Uses Microsoft’s global edge network : delivers your content to hundreds of global and local points of presence (PoPs) distributed around the world
DevOps
Business , development , operations
Getting better at three elements of great software teams
Communication – get teams together
Feedback – earlier you find a problem easier it is to fix
Automation – automate testing , infrastructure provisioning , deployment and monitoring
CI – Continuous Integration
Continuously run your tests and packaging
CD – Continuous Deployment
Continuously deploy to test environments
CD – Continuous Delivery
Continuously deploy to production
AZURE DEVOPS – CI , CD TOOLS
Azure Repos – Private Source Control (Git)
Alternative : GitHub – public and private source control
Azure Pipelines : orchestrate CI/CD pipelines
Alternative : GitHub Actions
Azure Boards – scrum , agile and kanban boards
Azure artifacts – artifact repository to store artifacts
Azure Test Plans – Automation Test Tool to check software quality
Integrate it into your CI/CD pipelines
DEVOPS – INFRASTRUCTURE AS CODE
Treat infrastructure the same way as application code
Track your infrastructure changes over time(version control)
Bring repeatability into your infrastructure
Two key parts
Infrastructure provisioning :
Provisioning compute , database , storage and networking
Open source , cloud neutral : Terraform
Configuration Management :
Install right software and tools on the provisioned resources
Open source tools – Chef , Puppet , Ansible
BICEP : Domain specific Language (DSL) that uses declarative syntax to deploy azure resources
AZURE RESOURCE MANAGER :
Deployment and management service for Azure
All actions to any resource in Azure go through ARM
AZURE PORTAL : web based user interface
Great to get started BUT no automation possible
Runs in all modern desktop and tablet browsers
AZURE MOBILE APP : iOS and Android apps (subset of features)
Convenience of managing from anywhere
AZURE POWERSHELL : execute cmdlets (sequence of commands) and create scripts (PowerShell scripts)
Recommended for teams familiar with Windows administration
Cross platform (Windows , Linux and macOS)
AZURE CLI : similar to Azure PowerShell but uses a different syntax (bash scripts)
Recommended for teams familiar with Linux administration (and bash scripts)
Cross platform (Windows , Linux , macOS)
AZURE CLOUD SHELL : free browser based interactive shell (access from the Azure Portal)
Common Azure tools pre-installed and configured to use with your account
Supports both PowerShell and CLI (bash)
Runs in all modern desktop and tablet browsers
DEV TEST LABS :
Quickly provision development and test environments
Build windows and linux environments
Use ARM templates : can be used to deploy anything in Azure
Compute – VMs etc
Storage
Databases
Can be integrated into your CI/CD pipelines
Set automated shutdowns to minimize costs
Use cases :
Quickly test your application with an old version of software or OS
Setup a quick load test environment for your app
Quickly provision 100 VMs for testing a specific scenario
Quickly provision environments for training and demos
COMPUTE :
Azure VMs : windows or linux VMs (IaaS) use VMs when you need control over OS OR you want to run custom software
Azure VM Scale Sets : Scaling for Azure VMs
Azure Load Balancer : balance load to multiple instances of an application or a service (typically listed in the networking category)
Azure App Service : PaaS deploy web apps mobile back ends and RESTful APIs quickly
Azure Container Instances : run isolated containers without orchestration you do not need to provision and manage VMs start containers in seconds
Azure Kubernetes Service : managed Kubernetes service provides container orchestration
Azure Service Fabric : Microsoft’s container orchestrator for cloud and on-premises package , deploy , and manage scalable and reliable microservices
Azure Functions : Serverless compute for event driven apps
NETWORKING :
Azure Virtual Network : create your own private network in the cloud
Azure Firewall : stateful firewall to protect resources in your Azure Virtual Network
Azure DDoS Protection : protect Azure hosted applications from DDOS attacks
Azure ExpressRoute : Dedicated private connection from Azure to on premises
Azure VPN Gateway : encrypt traffic between virtual network & on premises traffic goes over internet (public)
Azure DNS : manage your DNS records, map domain name to IP address
Azure Content Delivery Network : cache content on edge servers(POPs) located around the world Minimize latency to global users
STORAGE :
Azure Disk Storage : store disks attached to VMs
Azure Blob Storage : store unstructured data – video files , database archives etc
Azure File Storage : create file shares or file servers in the cloud
Azure Queue Storage : decouple applications using a queue (asynchronous communication)
Azure Table Storage : store structured data using a NoSQL approach (non relational) , schemaless key/attribute store
DATABASES :
Azure Cosmos DB – NoSQL databases , Globally distributed
Azure SQL Database – Relational Database
Azure Database for MySQL – Fully Managed MySQL database
Azure Database for PostgreSQL – Fully Managed PostgreSQL database
Azure Database Migration Service – Migrate Databases to the Cloud
Azure Cache for Redis – Managed service for Redis
KEY BENEFITS ENABLED BY CLOUD COMPUTING :
Elasticity - ability to automatically scale resources up or down based on demand
Agility – adapt to changing business needs , quickly deliver software , adopt new services rapidly
Availability – are apps available when your users need them
Scalability – can we handle a growth in users , traffic or data size without any drop in performance
Geo-distribution – distribute applications across regions and zones deliver content from the nearest geo location
Predictability – predictable performance and costs
Reliability - ability of a system to automatically recover from failures
Disaster recovery – how to keep your system running in face of disasters
LOGIC APPS :
Serverless orchestration service :
Recommended for orchestrating long running processes and workflows
Low code/no code solution
Provides web based designer with easy to use GUI
Link Triggers to actions :
Triggers : an event you want to react to :
When there are more than x number of messages in the queue OR
When you receive an Office 365 Outlook email OR
At regular intervals(schedule)
Action : what do you want to do?
Send an email OR
Send a message on the queue
AZURE SECURITY CENTER
Security posture management & threat protection for hybrid cloud workloads
Microsoft implements several types of controls to secure azure
However you need to take additional actions to secure your workloads
How do you decide what actions to take?
Two Main Goals :
To help understand your current security situation
Centralized management of security policies
Monitor your compliance against requirements (ex : Payment Card Industry Data Security Standard (PCI DSS) , ISO 27001)
Option to download regulatory compliance reports
Provides an Azure secure score
To improve secure score adhere to more security controls
To help you efficiently and effectively improve your security
Azure security center provides continuous assessment and security recommendations
Ex Rules :
Encrypt data in transit
Enable auditing and logging
Azure backup should be enabled for virtual machines
Basic features (continuous assessment and security recommendations , azure secure score ) are free
($$$) enable azure defender for advanced features
Just in time VM Access , regulatory compliance dashboard , threat protection for VMs and PaaS services
Provides 30 day free trial
AZURE SENTINEL :
Intelligent security analytics for your entire enterprise
Security information and event management(SIEM) solution
Detect threats and respond fast using AI
Behaviour analytics to stay ahead of evolving threats
Four phases :
Collect , detect , investigate , respond
AZURE SERVICE LEVEL AGREEMENT (SLA)
Service Level Agreement (SLA) : formal agreement between service providers and the service customer (or consumer)
SLAs for individual Azure Services
Remember free services do not have an SLA
Ex : azure advisor
Azure status : generic health of Azure services & regions
Azure Service Health : Health of Azure Services and regions you’re using
If Azure is unable to meet SLA , you can request for a service credit
Modern Lifecycle Policy : Covers products and services that are serviced and supported continuously
Microsoft will provide a minimum of 12 months notification prior to ending support if no successor product or service is offered excluding free services or preview releases
For security updates : 30 days notification is given if an action on the customer's part is required to prevent significant degradation
IDENTIFY ACTIONS THAT CAN IMPACT AN SLA :
You need to identify the right SLA for your app : 99.9 % or 99.99%
Enterprises can use Azure SLA to calculate SLAs for their offerings
If you have a database and VM with SLAs of 99% each , combined SLA will be 0.99 * 0.99 = 0.9801 i.e. 98% (more services you need => lower SLA)
How can you improve SLA of your app?
Do NOT use free tier products as they do NOT offer an SLA
Choose the right product features :
99.9% single instance VM using premium SSD or Ultra Disk
95% single instance VM using standard HDD Managed Disks
Deploy to two or more AZ :
99.99% VM connectivity to at least one instance when you have two or more instances deployed across two or more AZ in the same Azure Region
Increase Redundancy : deploy components across multiple regions
Add redundancy at all layers
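Worked calculator for the SLA math above (added example, not from the notes or from Microsoft). It multiplies SLAs for components that must all be up, as in the 0.99 * 0.99 case, and also generalises to the redundancy advice with the independent-failure formula 1 - (1 - SLA)^n, which is an idealised upper bound; the contractual number is Microsoft's published figure (99.99% for two or more AZs), not the formula's output. The SLA values in the sample run are constructed from the percentages quoted in these notes.

```python
"""Composite SLA calculator for the Azure SLA arithmetic in these notes.

Added example, not from the notes or Microsoft. SLAs are given as
fractions (0.999 == 99.9%).
"""
from typing import Iterable


def composite_sla_series(slas: Iterable[float]) -> float:
    """SLA of an app that needs ALL components up (e.g. VM + database).

    Availabilities multiply, so every extra dependency lowers the result:
    0.99 * 0.99 = 0.9801 as in the notes.
    """
    result = 1.0
    for sla in slas:
        if not 0.0 <= sla <= 1.0:
            raise ValueError(f"SLA must be a fraction in [0, 1], got {sla}")
        result *= sla
    return result


def composite_sla_redundant(sla: float, copies: int) -> float:
    """SLA when ANY one of `copies` independent instances suffices.

    The app is down only if every copy is down at once, so unavailability
    is (1 - sla)^copies. Assumes the copies fail independently, which is
    exactly why the notes say to spread them across AZs or regions; real
    correlated failures make the true figure lower than this bound.
    """
    if copies < 1:
        raise ValueError("need at least one instance")
    return 1.0 - (1.0 - sla) ** copies


def downtime_minutes(sla: float, period_hours: float = 24 * 365) -> float:
    """Maximum downtime the SLA permits over a period (default: one year)."""
    return (1.0 - sla) * period_hours * 60


if __name__ == "__main__":
    # Constructed scenario: one VM tier in front of one database.
    single_vm_ssd = 0.999   # single-instance VM on premium SSD (99.9%)
    single_vm_hdd = 0.95    # single-instance VM on standard HDD (95%)
    database = 0.99         # constructed database SLA
    print("VM(HDD) + DB :", composite_sla_series([single_vm_hdd, database]))
    print("VM(SSD) + DB :", composite_sla_series([single_vm_ssd, database]))
    # Two VMs across two AZs, either one able to serve traffic (idealised).
    two_az = composite_sla_redundant(single_vm_ssd, 2)
    print("2 VMs across AZs:", two_az, "-> yearly downtime (min):",
          downtime_minutes(two_az))
```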
SERVICE LIFECYCLE IN AZURE :
New Services (and features) are frequently released
Releases follow a pre determined service lifecycle :
Private preview available to all customers BUT with no SLAs
You can experiment with the services and provide feedback to Microsoft
Not recommended for business critical workloads
Azure portal preview features
Explore preview services – create a resource > search for preview
General availability available to all customers with SLAs
Recommended for production use
IOT – INTERNET OF THINGS
IOT DEVICES : hardware with sensors to
Capture temperature and humidity levels
Detect smoke , gas etc
Capture Geo-location and proximity
Capture device metrics
IOT DEVICES ARE ALL AROUND US:
Smart watches ,fitness trackers and other wearables
Health monitoring
Smart homes
Autonomous and connected vehicles
IOT devices generate huge volumes of time series data
MANAGING IOT DEVICES AND COMMUNICATION
Typical IOT use cases :
Authenticate an IOT device
Receive telemetry (data) from an IOT device
Manage an IOT device from the cloud
How do you manage and communicate with millions of IOT devices?
Use cloud IOT services
IOT in the cloud – Typical steps
0: authenticate and register IOT device
1: capture data
2: relay data
Cloud IOT services can relay data from sensors to your service end points in the cloud
3: Analyze and get intelligence
Using cloud AI services , you can
Predict if a machine needs maintenance
Predict equipment failure ahead of time ( and replace)
IOT – in Azure 3 Important Services :
Azure IOT Hub : managed message hub for IOT devices
Programmatic reporting and IOT device management
Azure IOT central : IOT Hub + Dashboard
Reporting and management with a simple user interface
Recommended to manage an IOT device with a simple user interface OR
When you need to be able to generate and access reports from the Azure portal
Azure Sphere : End to end IOT solution with device tampering detection
Hardware (micro controller unit) + software + communication + end to end security
Recommended for high security use cases : ATMs, point of sale devices
IOT in Azure – Azure IOT HUB :
Managed message hub for IOT devices :
Enables bi directional communication between IOT devices and IOT cloud services
Things you can do :
Send regular telemetry from IOT device to cloud
Upload files from IOT devices to cloud ( ex azure blob storage and azure data lake storage gen2)
Manage your IOT device by sending messages (command and control)
IOT in Azure – Azure IOT Central
IOT Hub + dashboard (reporting and management)
Connect , monitor , and manage your IOT devices using a simpler user interface
Perform maintenance (push a software/firmware update) for your IOT devices
Adjust IOT device properties
Provides starter templates for various IOT use cases
IOT HUB : control device and generate reports via REST API
IOT Central : starter templates + visual dashboards ( reporting , management of IOT devices)
IOT in Azure – Azure Sphere
End to end IOT solution :
IOT device
Hardware: micro controller unit
Linux operating system
Security :
Azure sphere security service – AS3
Ensure that the device is not tampered
Handles authentication
Communication (with IOT Hub)
Telemetry & errors
Highly secure IOT devices
For use in ATMs , point of sale devices etc
AZURE BIG DATA – SYNAPSE ANALYTICS , HDINSIGHT & DATABRICKS
Azure Synapse Analytics – provides a unified experience for developing end to end analytics solutions
Data migration + enterprise data warehousing + big data analytics
Enables MPP (massively parallel processing) : run complex queries across petabytes of data
Earlier called Azure SQL Data Warehouse
Azure HDInsight – managed open source analytics service based on Hadoop
Run open source frameworks like Apache Hadoop , Spark , Hive , Kafka
Used for complex processing like ETL , data warehousing , machine learning
Azure Databricks – managed Apache Spark based analytics service
Launch an Apache Spark environment in minutes
Build artificial intelligence (AI) solutions using Python , Scala , R , Java and SQL
Supports popular data science frameworks and libraries including TensorFlow , PyTorch and scikit-learn
MACHINE LEARNING IN AZURE
Azure Cognitive Services : pre built machine learning models
Language services : process written text
Speech services : translate text to speech and vice versa
Vision services : intelligence around pictures and videos
Decision services : automatically moderate content , identify anomalies
Azure Bot Service : talk with humans like a human , virtual agents that enhance customer experience
Provides natural language understanding and automatic translation features
Use cases : handling reservations
Azure Machine Learning : quickly build and deploy models programmatically & visually (end to end machine learning life cycle)
Supports popular ML languages and frameworks – MLflow , Kubeflow , ONNX , PyTorch , TensorFlow , Python , R and Jupyter notebooks
Features : drag and drop machine learning & automated machine learning