Tag Archives: Microsoft Azure

Azure Fundamentals Part 5 Summary

This is a summary of the Azure Fundamentals part 5: Describe identity, governance, privacy, and compliance features learning path. Aside from the usual “Introduction to Azure Fundamentals” module, repeated in every learning path in this series, there are three modules covering identity, cloud governance, and compliance, respectively. If you’re a developer, this learning path is easily the most boring of the lot, but it’s also very important from a cloud administration point of view.

Identity Services

This is a summary of the Secure access to your applications by using Azure identity services module. They love using wordy headings, don’t they?

Authentication vs authorization: who you are vs what you have access to.

Azure Active Directory (Azure AD):

  • Similar to Active Directory, but for the cloud
  • Monitors sign-in attempts, unlike the on-premises counterpart
  • Controls access to other Microsoft services such as Office 365
  • Has the concept of tenants, which represent organisations
  • Is an identity and access management service. It stores information about users (including passwords), and provides control over them (e.g. reset password, multifactor authentication, list of banned passwords, etc)
  • Also provides device management – devices can be registered to control which devices are allowed to access services.
  • Supports Single sign-on (SSO) to access multiple applications with the same credentials.
  • Azure AD Connect synchronises user identities between on-premises Active Directory and Azure AD. Users can use their same credentials to access on-premises and cloud services.

Multifactor authentication provides an additional layer of security over the usual username and password by requiring two or more authentication mechanisms, typically from the following categories:

  • Something the user knows (e.g. username and password)
  • Something the user has (e.g. code sent to mobile device)
  • Something the user is (biometric data, e.g. fingerprint)

Conditional access is a feature of Azure AD that applies multifactor authentication differently based on identity signals. This is basically a rule engine that can do things like request the second factor only if the user is signing in from an unknown location or an unknown device, or is accessing a particular application. Access could also be blocked entirely in some circumstances (e.g. signing in from a high-risk country). Conditional access is a premium feature that requires a special Azure AD licence.
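
To make the rule-engine idea concrete, here is an added example (not code from the original post, the Microsoft Learn module, or Azure AD itself): each policy sets conditions on sign-in signals plus a grant, and the most restrictive grant among the matching policies wins. The signal names, the policy fields, the sample sign-ins and the `ZZ` location code are assumptions made for the example.

```python
"""Minimal conditional-access rule engine.

Added example, not code from the Azure Fundamentals module or from Microsoft.
Sign-in signals (app, location, device, risk) are evaluated against a set of
policies; the most restrictive matching grant wins. Signal names, policy
shapes and the sample sign-ins are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ALLOW, REQUIRE_MFA, BLOCK = "allow", "require_mfa", "block"
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    location: str           # country code of the source IP (constructed signal)
    known_location: bool    # inside a named/trusted location?
    known_device: bool      # registered or compliant device?
    risk: str               # "low" | "medium" | "high"


@dataclass(frozen=True)
class Policy:
    name: str
    grant: str                                   # ALLOW, REQUIRE_MFA or BLOCK
    apps: FrozenSet[str] = frozenset()           # empty means "all applications"
    unknown_location: bool = False               # match only sign-ins from unknown locations
    unknown_device: bool = False                 # match only sign-ins from unknown devices
    blocked_locations: FrozenSet[str] = frozenset()
    min_risk: Optional[str] = None               # match only at this risk level or above


def policy_matches(policy: Policy, s: SignIn) -> bool:
    """Every condition set on the policy must hold (conditions are ANDed)."""
    if policy.apps and s.app not in policy.apps:
        return False
    if policy.unknown_location and s.known_location:
        return False
    if policy.unknown_device and s.known_device:
        return False
    if policy.blocked_locations and s.location not in policy.blocked_locations:
        return False
    if policy.min_risk and RISK_ORDER[s.risk] < RISK_ORDER[policy.min_risk]:
        return False
    return True


def evaluate(policies: List[Policy], s: SignIn) -> str:
    """Block beats MFA beats allow: one matching block policy is enough to refuse the sign-in."""
    grants = {p.grant for p in policies if policy_matches(p, s)}
    if BLOCK in grants:
        return BLOCK
    if REQUIRE_MFA in grants:
        return REQUIRE_MFA
    return ALLOW


# Constructed policy set mirroring the scenarios in the text.
POLICIES = [
    Policy("MFA from unfamiliar locations", REQUIRE_MFA, unknown_location=True),
    Policy("MFA from unregistered devices", REQUIRE_MFA, unknown_device=True),
    Policy("MFA for the admin portal", REQUIRE_MFA, apps=frozenset({"admin-portal"})),
    Policy("Block high-risk sign-ins", BLOCK, min_risk="high"),
    Policy("Block listed countries", BLOCK, blocked_locations=frozenset({"ZZ"})),  # ZZ = placeholder code
]

if __name__ == "__main__":
    office = SignIn("alice", "mail", "GB", known_location=True, known_device=True, risk="low")
    cafe = SignIn("alice", "mail", "GB", known_location=False, known_device=True, risk="low")
    print(evaluate(POLICIES, office), evaluate(POLICIES, cafe))
```

The point worth noticing is the ordering in `evaluate`: a block decision is never softened by an allow from another policy, which is also how you would want a real policy set to compose.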

Cloud Governance

This is a summary of the Build a cloud governance strategy on Azure module.

The Cloud Adoption Framework for Azure guides you towards migrating to the cloud. There are five steps:

  • Define your strategy: understand what benefits you’ll gain by moving to the cloud, get everyone on board, and choose the right proof of concept project to kick it off.
  • Make a plan: take stock of what you have on-premises, train up, and make a plan to migrate.
  • Ready your organisation: set up your Azure subscriptions and create a landing zone, basically an environment in the cloud to get you started.
  • Adopt the cloud: start migrating, review best practices, find ways to migrate more efficiently, and study ways to handle more complex migrations.
  • Govern and manage your cloud environments: define processes and policies that will apply to resources in the cloud, and maintain them as they evolve throughout the migration process.

Things to consider when deciding how to organise Azure subscriptions:

  • Billing: you can create one billing report per subscription, so you can organise subscriptions by department or project.
  • Access control: subscriptions provide inherent isolation (e.g. between development and production environments).
  • Subscription limits: some resources are limited in the amount you can deploy per subscription, so you’ll need to allocate more subscriptions if necessary.

Role-based access control (RBAC) is used to grant or restrict access to resources. These roles are applied to a scope that could be:

  • A management group
  • A single subscription
  • A resource group
  • A single resource

Access control is inherited by child scopes, e.g. assigning a role to a single subscription means it is also applied to all resource groups and resources in that subscription.

RBAC is managed via Access control (IAM) in the Azure portal. RBAC rules are applied to any request to an Azure resource that passes through the Azure Resource Manager.

RBAC uses an allow model, so as long as you have a role that allows you to perform an action, you can do it; and if different roles give you different access (e.g. read and write), then they sum up (e.g. you get both read and write).

Resource locks are a simple setting against accidental modification or deletion. You can use either CanNotDelete (authorised users can read or write but not delete) or ReadOnly (authorised users can read a resource but can’t change or delete it). You can remove the lock to perform the restricted operation (e.g. to delete the resource).

You can use Azure Blueprints (more on this further below) to set a standard for resources across your organisation, which could include enforcement of resource locks among other things.
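
The scope inheritance, the additive allow model and the two lock types above are easier to reason about when simulated. The following is an added example (not code from the original post or from Azure Resource Manager): scopes are written as a simplified `mg:<name>/sub:<name>/rg:<name>/res:<name>` path rather than real Azure resource IDs, the role action lists are trimmed-down stand-ins for the built-in roles of the same name, and the assignments and locks are constructed.

```python
"""Scope inheritance, the RBAC allow model and resource locks, simulated.

Added example, not code from the Azure Fundamentals module or from Microsoft.
Scopes use a simplified 'mg:<name>/sub:<name>/rg:<name>/res:<name>' notation,
and the role action sets are stand-ins for the built-in roles of the same name.
"""
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple

# role name -> action patterns it allows ('*' matches anything, including '/')
ROLES: Dict[str, set] = {
    "Reader": {"*/read"},
    "Virtual Machine Contributor": {"Microsoft.Compute/virtualMachines/*"},
    "Contributor": {"*"},
}

Assignment = Tuple[str, str, str]   # (principal, role, scope)


def scope_chain(scope: str) -> List[str]:
    """'mg:corp/sub:prod/rg:web/res:vm1' -> [itself, 'mg:corp/sub:prod/rg:web', ..., 'mg:corp']."""
    parts = scope.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def allowed_patterns(principal: str, scope: str, assignments: List[Assignment]) -> set:
    """Allow model: the union of everything granted at the scope or at any ancestor scope."""
    patterns = set()
    for who, role, at in assignments:
        if who == principal and at in scope_chain(scope):
            patterns |= ROLES[role]
    return patterns


def effective_lock(scope: str, locks: Dict[str, str]) -> Optional[str]:
    """Locks are inherited as well; ReadOnly is stricter than CanNotDelete."""
    found = {locks[s] for s in scope_chain(scope) if s in locks}
    if "ReadOnly" in found:
        return "ReadOnly"
    if "CanNotDelete" in found:
        return "CanNotDelete"
    return None


def check(principal: str, action: str, scope: str,
          assignments: List[Assignment], locks: Dict[str, str]) -> Tuple[bool, str]:
    """Returns (allowed, reason). Role assignments are checked first, then locks."""
    if not any(fnmatch(action, p) for p in allowed_patterns(principal, scope, assignments)):
        return False, "no role assignment grants this action at this scope"
    lock = effective_lock(scope, locks)
    if lock == "ReadOnly" and not action.endswith("/read"):
        return False, "ReadOnly lock: only reads are allowed"
    if lock == "CanNotDelete" and action.endswith("/delete"):
        return False, "CanNotDelete lock: remove the lock before deleting"
    return True, "allowed"


# Constructed data: alice reads the whole subscription, bob manages VMs in one resource
# group, carol holds both roles (and so gets the sum), dave is Contributor everywhere.
ASSIGNMENTS: List[Assignment] = [
    ("alice", "Reader", "mg:corp/sub:prod"),
    ("bob", "Virtual Machine Contributor", "mg:corp/sub:prod/rg:web"),
    ("carol", "Reader", "mg:corp/sub:prod"),
    ("carol", "Virtual Machine Contributor", "mg:corp/sub:prod/rg:web"),
    ("dave", "Contributor", "mg:corp/sub:prod"),
]
LOCKS = {"mg:corp/sub:prod/rg:web/res:vm1": "CanNotDelete",
         "mg:corp/sub:prod/rg:db": "ReadOnly"}

VM1 = "mg:corp/sub:prod/rg:web/res:vm1"
VM2 = "mg:corp/sub:prod/rg:web/res:vm2"
DB1 = "mg:corp/sub:prod/rg:db/res:sql1"
READ, WRITE, DELETE = ("Microsoft.Compute/virtualMachines/" + op for op in ("read", "write", "delete"))
SQL_WRITE = "Microsoft.Sql/servers/write"

if __name__ == "__main__":
    for who, act, at in [("alice", READ, VM1), ("alice", WRITE, VM1), ("bob", DELETE, VM1),
                         ("bob", DELETE, VM2), ("carol", READ, DB1), ("dave", SQL_WRITE, DB1)]:
        print(who, act.rsplit("/", 1)[1], at.rsplit("/", 1)[1], check(who, act, at, ASSIGNMENTS, LOCKS))
```

Note the order in `check`: a lock never grants anything, it only takes away; and because locks are evaluated after the role check, a Contributor on a ReadOnly resource group is still confined to reads.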

Resource tags are used to apply metadata to resources. They complement subscriptions and resource groups as another way to categorise and organise things. They help to:

  • Manage resources and locate them easily
  • Report on costs by particular tags
  • Group resources based on criticality and SLAs
  • Classify data security (e.g. confidential)
  • Track regulatory compliance (e.g. ISO 27001)
  • Run any kind of automation logic on resources with a particular tag

Azure Policy lets you create and enforce policies or initiatives (groups of policies) that apply to resources. To implement a policy, you:

  1. Create a policy definition
  2. Assign it to resources
  3. Review the evaluation results

A policy definition can be used to do things like:

  • Prevent VMs from being deployed in certain regions
  • Restrict which virtual machine sizes can be deployed
  • Enforce MFA on accounts with write permissions
  • Prevent CORS from allowing unrestricted access to web applications
  • Ensure updates are installed on VMs
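
Here is an added example (not code from the original post or from Microsoft's policy engine) that ties the tagging and policy sections together: three definitions written in the if/then shape Azure Policy uses (allowed locations, allowed VM sizes, and a required `costCentre` tag), plus a small evaluator that handles only the subset of the condition language they need. The definitions, the alias table and the sample resources are constructed for the example.

```python
"""Evaluating Azure Policy-style definitions against resources.

Added example, not code from the Azure Fundamentals module or from Microsoft's
policy engine. The evaluator understands only field/equals/in/exists/not/allOf/
anyOf and resolves [parameters('...')] against the definition's default values.
"""
import re
from typing import Any, Dict, List, Optional

ALLOWED_LOCATIONS = {
    "name": "allowed-locations",
    "parameters": {"allowedLocations": {"type": "Array",
                                        "defaultValue": ["northeurope", "westeurope"]}},
    "policyRule": {
        "if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
        "then": {"effect": "deny"},
    },
}

ALLOWED_VM_SIZES = {
    "name": "allowed-vm-sizes",
    "parameters": {"allowedSizes": {"type": "Array",
                                    "defaultValue": ["Standard_B2s", "Standard_D2s_v3"]}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                     "in": "[parameters('allowedSizes')]"}},
        ]},
        "then": {"effect": "deny"},
    },
}

REQUIRE_COST_CENTRE_TAG = {
    "name": "require-costCentre-tag",
    "policyRule": {
        "if": {"field": "tags['costCentre']", "exists": "false"},
        "then": {"effect": "deny"},
    },
}

# Constructed alias table: provider-specific field name -> path inside the resource body
ALIASES = {"Microsoft.Compute/virtualMachines/sku.name": ("properties", "hardwareProfile", "vmSize")}
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value: Any, params: Dict[str, Any]) -> Any:
    """Replace a [parameters('x')] reference with the parameter's value."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value


def field_value(resource: Dict[str, Any], field: str) -> Optional[Any]:
    if field.startswith("tags['"):                       # tags['name']
        return resource.get("tags", {}).get(field[6:-2])
    if field in ALIASES:
        node: Any = resource
        for key in ALIASES[field]:
            node = node.get(key, {}) if isinstance(node, dict) else None
        return node or None
    return resource.get(field)                           # location, type, name, ...


def matches(cond: Dict[str, Any], resource: Dict[str, Any], params: Dict[str, Any]) -> bool:
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    actual = field_value(resource, cond["field"])
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition: Dict[str, Any], resource: Dict[str, Any]) -> str:
    """The effect ('deny', 'audit', ...) when the if-block matches, otherwise 'compliant'."""
    params = {k: v.get("defaultValue") for k, v in definition.get("parameters", {}).items()}
    rule = definition["policyRule"]
    return rule["then"]["effect"] if matches(rule["if"], resource, params) else "compliant"


def evaluate_initiative(definitions: List[Dict[str, Any]], resource: Dict[str, Any]) -> Dict[str, str]:
    """An initiative is a group of definitions; report each verdict by policy name."""
    return {d["name"]: evaluate(d, resource) for d in definitions}


INITIATIVE = [ALLOWED_LOCATIONS, ALLOWED_VM_SIZES, REQUIRE_COST_CENTRE_TAG]

if __name__ == "__main__":
    vm = {"type": "Microsoft.Compute/virtualMachines", "name": "vm1", "location": "eastus",
          "tags": {}, "properties": {"hardwareProfile": {"vmSize": "Standard_E64s_v3"}}}
    print(evaluate_initiative(INITIATIVE, vm))
```

The `type` guard in the VM-size definition is what keeps it from denying every storage account or database that has no `vmSize`; forgetting that guard is a common way to lock yourself out of deployments.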

Azure Blueprints lets you orchestrate things like role assignments, policy assignments, ARM templates and resource groups across your organisation so that you don’t need to set them up for each subscription. Blueprints are made up of artifacts, and they deploy different elements to each subscription (e.g. Allowed locations policy, resources from an ARM template, etc).

Data Protection & Compliance

This is a summary of the Examine privacy, compliance, and data protection standards on Azure module.

Some projects require compliance with certain standards, such as ISO 27001 or government-specific regulations. Azure is compliant with a huge number of these, so it’s quite likely you can use Azure even when working in some of the more regulated sectors.

You can also check the following documents:

  • Microsoft Privacy Statement: how Microsoft manages personal data
  • Online Services Terms: agreement between customer and Microsoft when using services such as Azure or Office 365
  • Data Protection Addendum: more specific about data protection

The Trust Center lets you find information about particular compliance offerings, such as ISO 27001, and how it applies to cloud services on Azure.

The Azure compliance documentation describes how Azure adheres to certain standards, e.g. PCI DSS.

Azure Government is a separate Azure offering for US government. It has the highest level of security, and data centres are physically isolated so they can’t be used by you and me outside the scope of the US government.

Azure China 21Vianet is the Azure offering in China. Microsoft can’t operate Azure directly in China because of local regulations, so they instead offer it via a partner, 21Vianet. Services offered are mostly the same, but they may vary a little.

Azure Fundamentals Part 4 Summary

This is a summary of the Azure Fundamentals part 4: Describe general security and network security features learning path. Aside from the usual “Introduction to Azure fundamentals” module repeated in every learning path in the series, there are only a couple of other modules on general and network security, respectively.

General Security

This is a summary of the Protect against security threats on Azure module.

Azure Security Center is a service that gives you visibility into the overall security of your Azure and on-premises services, referred to as your security posture. It provides ratings against different regulatory benchmarks such as Azure CIS or PCI DSS, and also provides an overall secure score. The Resource security hygiene section provides a breakdown of security warnings by service type.

Azure Security Center also provides additional security capabilities including:

  • Permitting temporary access to VMs that would normally be blocked to outside traffic
  • Controlling which applications can run on VMs
  • Recommendations for hardening network security groups
  • Monitoring system files on both Windows and Linux against tampering
  • Integration with Azure Logic Apps to automatically trigger actions based on threat detection alerts or Security Center recommendations.

Azure Sentinel is a security analytics service (the more formal term would be security information and event management (SIEM) system). It can:

  • Collect security information from different sources
    • Microsoft services such as Office 365 or Azure Active Directory
    • Non-Microsoft services such as AWS CloudTrail or Okta SSO
    • Other sources that use recognised formats including Common Event Format (CEF), Syslog, or REST API
  • Detect threats based on built-in or custom rules
  • Investigate incidents or suspicious activity
  • Use Azure Monitor Workbooks to automate responses to threats
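
Since Sentinel ingests Common Event Format (CEF) lines from non-Microsoft sources, here is an added example (not code from the original post or from Azure Sentinel) of what a "collect, then detect with a rule" pipeline looks like at its smallest: a CEF parser and a rule that flags one source IP producing several failed sign-ins for different users within a short window. The sample lines come from a fictional identity provider and are constructed; the `rt`, `src` and `suser` extension keys are standard CEF keys.

```python
"""Parsing CEF sign-in events and running a simple detection over them.

Added example, not code from the Azure Fundamentals module or from Azure
Sentinel. The sample lines are constructed; the rule flags a source IP that
produces several failed sign-ins inside a short window.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
SAMPLE_CEF = """\
CEF:0|Contoso|IdP|1.0|AUTH-FAIL|Sign-in failed|5|rt=1700000000000 src=203.0.113.7 suser=alice outcome=failure
CEF:0|Contoso|IdP|1.0|AUTH-FAIL|Sign-in failed|5|rt=1700000060000 src=203.0.113.7 suser=bob outcome=failure
CEF:0|Contoso|IdP|1.0|AUTH-OK|Sign-in succeeded|1|rt=1700000090000 src=198.51.100.4 suser=carol outcome=success
CEF:0|Contoso|IdP|1.0|AUTH-FAIL|Sign-in failed|5|rt=1700000120000 src=203.0.113.7 suser=carol outcome=failure
CEF:0|Contoso|IdP|1.0|AUTH-FAIL|Sign-in failed|5|rt=1700000900000 src=203.0.113.7 suser=dave outcome=failure
CEF:0|Contoso|IdP|1.0|AUTH-FAIL|Sign-in failed|5|rt=1700000130000 src=198.51.100.4 suser=erin outcome=failure
""".splitlines()

HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line: str) -> Dict[str, object]:
    """Split the seven pipe-delimited header fields, then the key=value pairs of the extension."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line!r}")
    event: Dict[str, object] = dict(zip(HEADER_FIELDS, parts[:7]))
    event["ext"] = dict(EXT_PAIR.findall(parts[7]))
    return event


def failed_signin_bursts(events: List[Dict[str, object]], threshold: int = 3,
                         window_s: int = 300) -> List[Dict[str, object]]:
    """Alert when one source IP produces >= threshold failed sign-ins within window_s seconds."""
    by_src: Dict[str, list] = defaultdict(list)
    for e in events:
        if e["signature_id"] == "AUTH-FAIL":
            by_src[e["ext"]["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: int(e["ext"]["rt"]))       # rt is epoch milliseconds
        start = 0
        for end in range(len(evs)):                        # sliding window over sorted timestamps
            while int(evs[end]["ext"]["rt"]) - int(evs[start]["ext"]["rt"]) > window_s * 1000:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"src": src, "count": end - start + 1,
                               "users": sorted({x["ext"]["suser"] for x in evs[start:end + 1]})})
                break                                      # one alert per source for this example
    return alerts


def run_detection(lines: List[str] = SAMPLE_CEF) -> List[Dict[str, object]]:
    return failed_signin_bursts([parse_cef(line) for line in lines])


if __name__ == "__main__":
    for a in run_detection():
        print(f"ALERT {a['src']}: {a['count']} failed sign-ins for {a['users']}")
```

In the sample, 203.0.113.7 fails for three different users within two minutes and is flagged; its fourth failure fifteen minutes later falls outside the window, and 198.51.100.4 never reaches the threshold. In Sentinel the same logic would be a scheduled analytics rule over the `CommonSecurityLog` table rather than Python, but the grouping and windowing are the same.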

Azure Key Vault is another security-related service used to store secrets, including passwords, encryption keys, and certificates. These secrets can also be protected by hardware security modules (HSMs). Access to the secrets can be easily monitored.

Azure Dedicated Host is a special VM offering where you have sole access to the physical hardware (as opposed to normal VMs which are shared). This can sometimes be required for compliance reasons.

  • A host group contains multiple dedicated hosts for high availability, similar to VM scale sets.
  • Maintenance control provides control over when regular maintenance updates occur, within a 35-day rolling window.
  • Pricing is per dedicated host, not per VM running on it. Additional charges apply for software licensing, storage, and network usage.

Network Security

This is a summary of the Secure network connectivity on Azure module.

Defence in depth refers to multiple layers of defence including:

  • Physical security: physical access to the data centre.
  • Identity & access: control access to infrastructure and change control. This includes use of SSO and multifactor authentication, as well as auditing events and changes.
  • Perimeter: DDoS protection and perimeter firewalls.
  • Network: use access control to limit communication between resources, and ensure any external connectivity (e.g. to on-premises networks) is secure.
  • Compute: secure access to VMs and ensure they have the latest security updates.
  • Application: ensure applications are free of vulnerabilities, and store secrets securely.
  • Data: store and transmit data securely, whether it’s in a database, VM disk, SaaS application (e.g. Office 365) or in other cloud storage.

Data protection is based on the CIA principles:

  • Confidentiality: Use the principle of least privilege to give access only to those who really need it. Protect secrets and resources from unauthorised access.
  • Integrity: Protect data at rest and in transit from tampering. Hash algorithms are usually used to verify whether data has changed.
  • Availability: Ensure services are able to run and that access to their data is not compromised, e.g. by DDoS attacks.

Azure Firewall is a highly available and scalable stateful firewall used to protect resources within virtual networks. It can be configured to allow or deny traffic based on rules including:

  • Source IP address
  • Protocol
  • Destination port
  • Destination address
  • Which domains can be accessed from a subnet

Network Address Translation (NAT) rules can also be configured in Azure Firewall.

Azure Application Gateway, Azure Front Door and Azure Content Delivery Network offer a different kind of firewall known as web application firewall (WAF), which provides protection tailored to web applications.

Azure DDoS Protection resists attempts to overwhelm or overallocate resources by flooding them with requests. This is available in two tiers:

  • Basic: free and automatically enabled. The Azure global network is used to distribute and mitigate attack traffic across Azure regions; it ensures that Azure infrastructure is not affected by DDoS attacks. Includes always-on traffic monitoring and real-time mitigation of common network-level attacks.
  • Standard: provides additional protection for virtual network resources linked to public IP addresses. Adapts mitigation measures via dedicated traffic monitoring and machine learning algorithms.

DDoS Protection can help prevent the following types of attacks:

  • Volumetric attacks: flood the network layer with requests.
  • Protocol attacks: exploit weaknesses in layer 3 or 4 protocols.
  • Resource/application-layer attacks (only with web application firewall): target HTTP endpoints that are relatively slow to process, so many such requests ultimately overwhelm the server and make it unable to process additional requests. This requires the HTTP-aware WAF to mitigate.

Network security groups (NSGs) are like internal firewalls. Whereas Azure Firewall controls what traffic comes from outside, NSGs can be used to allow or deny traffic between resources in a virtual network, based on things like source/destination IP (single address or range), protocol (TCP, UDP or both) and direction (incoming or outgoing traffic).
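
NSG rules are evaluated in priority order and the first match decides, which is the detail that trips people up (a broad allow at a low priority is overridden by a deny at a higher one). The following is an added example (not code from the original post or from Microsoft) that simulates that evaluation for a constructed rule set and a few sample flows; the NSG priority numbering is real, while the `10.0.0.0/16` stand-in for the VirtualNetwork service tag and the simplified default rules are assumptions made for the example.

```python
"""First-match evaluation of network security group rules, simulated.

Added example, not code from the Azure Fundamentals module or from Microsoft.
Rules carry an NSG-style priority (lower number wins), direction, access,
protocol, source/destination prefixes and a destination port range. The rule
set, the VirtualNetwork stand-in and the sample flows are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # 100-4096 for custom rules; 65000+ for the default rules
    direction: str       # "Inbound" | "Outbound"
    access: str          # "Allow" | "Deny"
    protocol: str        # "Tcp" | "Udp" | "*"
    source: str          # CIDR or "*"
    destination: str     # CIDR or "*"
    dest_ports: str      # "*", "22" or "1024-65535"


def _prefix_matches(prefix: str, ip: str) -> bool:
    return prefix == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules: List[Rule], direction: str, protocol: str,
             src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Walk rules in priority order; the first rule matching the flow decides (access, rule name)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if (_prefix_matches(r.source, src_ip) and _prefix_matches(r.destination, dst_ip)
                and _port_matches(r.dest_ports, dst_port)):
            return r.access, r.name
    return "Deny", "<no rule matched>"   # unreachable while a catch-all default rule is present


VNET = "10.0.0.0/16"    # constructed stand-in for the VirtualNetwork service tag
NSG: List[Rule] = [
    Rule("AllowSSHFromAdminSubnet", 100, "Inbound", "Allow", "Tcp", "10.0.100.0/24", "*", "22"),
    Rule("DenyRDPFromAnywhere",     150, "Inbound", "Deny",  "Tcp", "*", "*", "3389"),
    Rule("AllowHTTPSFromInternet",  200, "Inbound", "Allow", "Tcp", "*", "*", "443"),
    # simplified versions of the default rules every NSG carries
    Rule("AllowVnetInBound",      65000, "Inbound", "Allow", "*", VNET, VNET, "*"),
    Rule("DenyAllInBound",        65500, "Inbound", "Deny",  "*", "*", "*", "*"),
]

if __name__ == "__main__":
    for flow in [("10.0.100.8", "10.0.1.4", 22), ("203.0.113.5", "10.0.1.4", 22),
                 ("203.0.113.5", "10.0.1.4", 443), ("10.0.1.5", "10.0.1.4", 3389)]:
        print(flow, "->", evaluate(NSG, "Inbound", "Tcp", *flow))
```

The RDP flow from inside the virtual network is the instructive case: `AllowVnetInBound` would permit it, but `DenyRDPFromAnywhere` at priority 150 is consulted first, so the deny wins.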

Azure Fundamentals Part 3 Summary

This is a summary of Azure Fundamentals part 3: Describe core solutions and management tools on Azure, one of the longer learning paths in the Azure Fundamentals series. The first of its seven modules is “Introduction to Azure fundamentals”, which is repeated in every learning path. The rest cover a number of different services spanning areas such as AI, source control and project management, observability, serverless, IoT, and different tools to interact with Azure.

This particular learning path uses a tedious format where each module discusses a couple of services, provides criteria to decide which to use, and then takes a while analysing those criteria for different use cases. This summary should save a lot of time if you’re preparing for the exam.

AI Services

This section is a summary of the Choose the best AI service for your needs module.

Approaches to AI:

  • Deep learning: based on neural networks. (The module doesn’t give this more than a brief mention.)
  • Machine learning: train a model and use it to make predictions.

AI services on Azure:

  • Azure Machine Learning: gives complete control to train a model using your own data. You can test it and then use it via a web API endpoint to make predictions.
  • Azure Cognitive Services: pre-built machine learning models covering:
    • Language: process natural language to identify meaning or sentiment
    • Speech: speech-to-text and text-to-speech, as well as translation and speaker recognition.
    • Vision: analyse pictures, videos and other visual content.
    • Decision: personalised recommendations (Azure Cognitive Services Personalizer), content moderation, and detection of anomalies in time-series data.
  • Azure Bot Service: used to develop chatbots. People can interact with these via text, interactive cards, and speech.

Source Control and Project Management

This section is a summary of the Choose the best tools to help organizations build better solutions module.

Azure DevOps Services is an offering similar to the Atlassian stack or GitHub, where you get Git repositories, task management, CI/CD, and more. Formerly known as (the dreaded) Team Foundation Server (TFS), this is now a SaaS product that includes:

  • Azure Repos: Git repositories
  • Azure Boards: task management, JIRA-style
  • Azure Pipelines: CI/CD
  • Azure Artifacts: hosts artifacts to be fed into later stages of a pipeline (e.g. testing or deployment)
  • Azure Test Plans: automated test tool that runs as part of a CI/CD pipeline

GitHub needs no introduction, but was acquired by Microsoft and so it can now be considered as an alternative to Azure DevOps. It remains popular for open-source projects with public repositories and communities built around them. GitHub Actions can be used to automate workflows, for example to implement CI/CD.

Compared to GitHub, Azure DevOps is more intended for enterprise development, and it has heavier project management and reporting tools as well as finer-grained access control.

Azure DevTest Labs is used to automate the provisioning and teardown of pre-configured environments (containing VMs or other resources) to test builds.

Observability

This section is a summary of the Choose the best monitoring service for visibility, insight, and outage mitigation module.

Azure Advisor provides recommendations to make best use of Azure and minimise costs, across the following categories:

  • Reliability
  • Security
  • Performance
  • Cost
  • Operational Excellence

Azure Monitor is used to ingest and analyse log and metric data from various sources. The data can also be used to trigger logic based on particular events. Application Insights is a service that collects telemetry from applications, and uses Azure Monitor under the hood.

Azure Service Health is a personalised view of Azure services, regions and resources that affect you. It helps you keep up to date with and find detailed information about:

  • Service issues
  • Planned maintenance
  • Health advisories (e.g. service retirements and breaking changes)

Working with Azure

This section is a summary of the Choose the best tools for managing and configuring your Azure environment module.

The Azure portal is a web-based user interface used to manage Azure resources. It is friendly for new users, but is not a good choice if you need to automate tasks.

The Azure mobile app supports iOS and Android, and is handy to manage Azure resources remotely when a computer is not available. You can use it to:

  • Monitor health and status of Azure resources
  • Check and fix issues
  • Restart a web app or VM
  • Run Azure CLI or Azure PowerShell commands

Azure PowerShell and the Azure CLI are both used to script interactions with Azure (or execute one-off tasks), via commands which call the Azure REST API underneath. Both provide the same automation benefits and are available for Windows, Linux, Mac, or within Azure Cloud Shell. The only difference is the syntax, where proficient Windows users might prefer Azure PowerShell, whereas the Azure CLI is based on Bash which is more familiar to Linux and Mac users.

ARM templates are a declarative way of describing the resources that need to be deployed using JSON. The ARM template is verified before execution, and creation of resources occurs in parallel while taking dependencies between them into consideration (i.e. they are created in the right order). If an error occurs, it’s easier to roll back everything than with shell scripts. ARM templates are a repeatable way to deploy entire environments.

Note: Azure PowerShell and Azure CLI scripts can trigger ARM templates, and vice versa.
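
To see what "verified before execution" and "parallel, but in dependency order" mean in practice, here is an added example (not code from the original post or from Azure Resource Manager): a small constructed ARM template is checked for unknown or circular `dependsOn` references, then its resources are grouped into waves that could be deployed in parallel. Two simplifications are assumptions made for the example: `dependsOn` names resources directly (real templates usually use `resourceId()` expressions), and the `apiVersion` strings are placeholders.

```python
"""Ordering ARM template resources by their dependsOn graph.

Added example, not code from the Azure Fundamentals module or from Azure
Resource Manager. The template is constructed; dependsOn entries name
resources directly and the apiVersion values are placeholders.
"""
import json
from typing import Dict, List

TEMPLATE_JSON = """
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.Network/virtualNetworks", "apiVersion": "2021-05-01",
     "name": "app-vnet", "location": "westeurope"},
    {"type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2021-05-01",
     "name": "app-nsg", "location": "westeurope"},
    {"type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2021-05-01",
     "name": "app-pip", "location": "westeurope"},
    {"type": "Microsoft.Network/networkInterfaces", "apiVersion": "2021-05-01",
     "name": "app-nic", "location": "westeurope",
     "dependsOn": ["app-vnet", "app-nsg", "app-pip"]},
    {"type": "Microsoft.Compute/virtualMachines", "apiVersion": "2021-11-01",
     "name": "app-vm", "location": "westeurope",
     "dependsOn": ["app-nic"]}
  ]
}
"""


def validate(template: Dict) -> Dict[str, set]:
    """Return name -> set(dependencies); reject duplicate names and dangling dependsOn targets."""
    names = [r["name"] for r in template["resources"]]
    if len(names) != len(set(names)):
        raise ValueError("duplicate resource names in template")
    deps = {r["name"]: set(r.get("dependsOn", [])) for r in template["resources"]}
    missing = sorted(d for ds in deps.values() for d in ds if d not in deps)
    if missing:
        raise ValueError(f"dependsOn refers to unknown resources: {missing}")
    return deps


def deployment_waves(template: Dict) -> List[List[str]]:
    """Kahn-style layering: each wave holds resources whose dependencies are all in earlier waves."""
    remaining = validate(template)
    waves: List[List[str]] = []
    while remaining:
        ready = sorted(name for name, ds in remaining.items() if not ds)
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        waves.append(ready)
        for name in ready:
            del remaining[name]
        for ds in remaining.values():
            ds.difference_update(ready)
    return waves


def waves_from_json(text: str) -> List[List[str]]:
    return deployment_waves(json.loads(text))


if __name__ == "__main__":
    for i, wave in enumerate(waves_from_json(TEMPLATE_JSON)):
        print(f"wave {i}: {', '.join(wave)}  (deployed in parallel)")
```

For the template above the network, NSG and public IP are independent and form the first wave, the NIC waits for all three, and the VM waits for the NIC; a template with a cycle or a typo in a `dependsOn` entry is rejected before anything is created.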

Serverless

This section is a summary of the Choose the best Azure serverless technology for your business scenario module.

Azure Functions can execute a single function.

  • They run in response to an event, such as a timer, HTTP request, or a new message on a queue.
  • They can be written in different programming languages including C#, Python, JavaScript, TypeScript, Java, and PowerShell.
  • They scale automatically.
  • They accrue charges only while they are running, based on number of executions and running time of each execution.
  • By default, they are stateless (they don’t normally keep state between executions).
  • Durable Functions are an extension allowing state to be preserved, and are used for more complex workflows involving multiple functions.
  • You just write the code and don’t manage any underlying infrastructure.

Azure Logic Apps:

  • Are a low-code/no-code service for automation and business integrations.
  • Are designed in a web-based designer.
  • Have triggers (events) that trigger actions (logic) via connectors.
  • Over 200 connectors are available to work with existing systems such as Salesforce, SAP, Oracle DB, etc.
  • You can also write your own connectors.
  • Billed based on number of executions and the type of connectors used.

Azure Functions and Azure Logic Apps can call each other.

Internet of Things (IoT)

This section is a summary of the Choose the best Azure IoT service for your application module.

IoT gathers data from devices in a backend system for processing and analysis. In this space, devices usually gather physical data via sensors, such as temperature or GPS. The devices can also be issued commands or have their firmware upgraded via an administrative portal.

Azure IoT Hub acts as a central message hub, allowing the backend IoT application and the devices to communicate in both directions. This includes command and control, where devices are controlled and issued commands directly. IoT Hub also tracks events such as device creation, failures and connections.

Azure IoT Central is another service providing a UI or dashboard on top of IoT Hub. It is a more complete solution and comes with starter templates to quickly get up and running, without writing any code (except for that which would run on the devices themselves).

Azure Sphere is an end-to-end IoT solution suitable for scenarios requiring the highest levels of security. This is based on three items:

  • The Azure Sphere micro-controller unit (MCU) which runs the operating system and processes signals from attached sensors.
  • A customised Linux OS that handles the security service and can run the vendor’s software.
  • Azure Sphere Security Service (AS3) ensures the security of the device by enforcing certificate-based authentication when the device connects to Azure, and checks for tampering. It also pushes any OS or other software updates to the device.

Devices based on Azure Sphere can talk to other Azure IoT services once they have been authenticated by AS3.

Azure Fundamentals Part 2 Summary

This is a summary of Azure Fundamentals part 2: Describe core Azure services. This learning path consists of five modules. The first one is the “Introduction to Azure fundamentals”, which is repeated in every Azure Fundamentals learning path — we’ve already covered this in Azure Fundamentals Part 1. The remaining four modules cover the core services: compute, storage (databases and unstructured data), and networking.

Database and Analytics Services

This section is a summary of the Explore Azure database and analytics services module.

Managed Database Services

Azure Cosmos DB:

  • is a globally distributed, multi-model database service
  • can scale throughput and storage across any number of Azure regions
  • provides fast, single-digit millisecond data access (latency)
  • stores schemaless data in atom-record-sequence (ARS) format
  • can be accessed using various different APIs including SQL, MongoDB, Cassandra, Tables, or Gremlin

Azure SQL Database:

  • is a relational database based on the latest stable version of MS SQL Server
  • is fully managed (PaaS) so things like upgrading, patching, backups and monitoring are all taken care of
  • offers 99.99% availability

Azure SQL Managed Instance is also a managed SQL Server-based offering with 99.99% availability. However, this has better compatibility (i.e. feature coverage) with the SQL Server engine than Azure SQL Database (the example given is that Azure SQL Database supports only one default collation, which makes it a little hard to support foreign characters outside of the Latin set).

The Azure Database Migration Service provides guided migration from existing on-premises databases (e.g. SQL Server, MySQL, etc) to Azure-managed databases (e.g. Azure SQL Database). It works as follows:

  1. You first get an assessment report to identify any hurdles with migration.
  2. After any issues are resolved, the Database Migration Service carries out the migration for you.
  3. You just have to change the connection string in your applications.

Azure Database for MySQL:

  • is a managed version of MySQL based on MySQL Community Edition 5.6, 5.7 and 8.0
  • offers 99.99% availability
  • supports point-in-time restore as far back as 35 days
  • can scale as needed
  • can protect data in transit and at rest

Azure Database for PostgreSQL, similarly, is a managed PostgreSQL instance that offers high availability, can scale, and supports point-in-time restore up to 35 days. What’s interesting here is the deployment options:

  • Single server: 99.99% availability, can scale vertically
  • Hyperscale (Citus): horizontally scales queries across multiple machines using sharding; good for workloads of around 100GB or more

Big Data and Analytics

Azure Synapse Analytics is an enterprise data warehouse and big data analytics service. You can query data using either serverless or provisioned resources.

Azure HDInsight is a managed analytics service for enterprise based on open source software. It can process massive amounts of data and is suitable for things like ETL, data warehousing, machine learning and IoT. It supports different cluster types such as:

  • Apache Spark
  • Apache Hadoop
  • Apache Kafka
  • Apache HBase
  • Apache Storm
  • Machine Learning Services (R-based analytics)

Azure Databricks:

  • Analytics and AI based on Apache Spark
  • Supports languages: Python, Scala, R, Java, SQL
  • Supports libraries: TensorFlow, PyTorch, scikit-learn

Azure Data Lake Analytics is an on-demand analytics job service.

  • You set the dial for how much power you need
  • You pay for jobs only when they’re running
  • No hardware deployment

Compute Services

This section is a summary of the Explore Azure compute services module.

Virtual Machines

Azure virtual machines (VMs):

  • Include virtual processor, memory, storage and networking (IaaS)
  • Provide full control over the OS and applications, but you need to maintain them
  • Useful for lift-and-shift cloud migration

Azure virtual machine scale sets are a group of identical, load-balanced VMs that autoscale (increase/decrease in number) in response to demand or a defined schedule.

Azure Batch runs large-scale parallel and high-performance computing (HPC) batch jobs across a pool of VMs. It also identifies failures and requeues work.

Containers

Virtual machines provide an abstraction for CPU, memory and storage, making these easy to change. However:

  • You install the OS and applications (more maintenance effort)
  • They support only one OS at a time, which is not that great where different runtime environments are required
  • Starting up or taking snapshots can be slow

Containers provide a lighter-weight abstraction. Whereas VMs virtualise the hardware, containers virtualise the OS.

  • A container bundles a single app and its dependencies.
  • You deploy a containerised app to a container host.
  • The container host provides a standardised runtime environment which abstracts away the OS and infrastructure requirements.
  • The same container works in different environments (e.g. dev and prod).
  • Cluster orchestration can handle the problem of where to deploy containers, and take care of starting them, stopping them, and scaling them out.

Azure supports Docker, and provides the following services to manage containers:

  • Azure Container Instances: a PaaS service making it fast and easy to deploy containers without having to manage any VMs.
  • Azure Kubernetes Service: complete orchestration service suitable for distributed architectures with lots of containers

Hosted Apps

Azure App Service provides a managed environment for hosting different kinds of apps.

  • You pay depending on how much hardware is devoted to your host
  • Covers deployment, management, securing endpoints, scaling, and high availability (load balancing and traffic manager)

The following types of apps are supported:

  • Web apps: ASP .NET, ASP .NET Core, Java, Ruby, Node.js, PHP, Python, running on Windows or Linux.
  • API apps: REST APIs with HTTP or HTTPS endpoints, Swagger support, and the ability to publish to Azure Marketplace.
  • WebJobs: schedule/trigger a program (.exe, Java, PHP, Python, Node.js) or script (.cmd, .bat, PowerShell, Bash) in the same context as a web application – good for background tasks.
  • Mobile apps: backend for a mobile app, providing services such as databases, authentication via social logins, push notifications, or custom backend logic (C# or Node.js).

Serverless Functions

Azure provides Azure Functions and Azure Logic Apps, both serverless (i.e. they run on servers but they are hidden away) and triggering based on an event (e.g. timers, HTTP requests, queues, etc).

Azure Functions have the following features:

  • Automatic scaling
  • Micro-billing (you pay only for the time the code is running)
  • Stateless (restarted each time) or stateful (Durable Functions – context is passed to the function on execution)
  • Can run locally or in the cloud

Azure Logic Apps:

  • Execute workflows built on predefined logic blocks to automate business scenarios
  • Are created using a visual designer in the Azure Portal, or Visual Studio. They are stored as JSON using a defined schema.
  • Use connectors (over 200 in-built, or you can write your own) to interact with enterprise apps
  • Run only in the cloud (not locally)

Windows Virtual Desktop

Instead of shipping laptops to remote employees, IT administrators can use Windows Virtual Desktop to provide them with a cloud-based (virtualised) version of Windows.

  • They can remote in from Windows, Mac, iOS, Android or Linux
  • They can also access it directly from most modern browsers
  • It separates the compute environment from user devices, making it less likely for employees to leave confidential data on personal devices
  • Windows 10 Enterprise Multi-Session allows more than 2 users on the same VM
  • Uses reverse connect technology, so it does not open any ports for RDP

Azure Storage Services

This section is a summary of the Explore Azure Storage services module.

You can use several different data storage services after first creating an Azure Storage account.

  • The storage account will contain your data objects (e.g. blobs).
  • It also serves as a unique namespace for your data.
  • Data is secure, highly available, durable, massively scalable, and accessible over HTTP or HTTPS.

Azure Disk Storage is an IaaS service providing virtual disks for Azure VMs. Disks come in different sizes and performance levels (e.g. HDDs vs SSDs).

Azure Blob Storage:

  • Object (think “file”) storage solution for the cloud
  • Can store massive amounts of data
  • Data is unstructured, so you can put any type of data (e.g. videos, backups, etc)
  • Storage Account contains Containers (think “folders”), which in turn contain Blobs (think “files”)

Understanding Blob access tiers:

  • Hot access tier is for frequently accessed data.
  • Cool access tier is for infrequently accessed data stored for at least 30 days. Slightly lower availability and higher access costs are a tradeoff for lower storage costs.
  • Archive access tier is for rarely accessed data stored for at least 180 days, with flexible latency requirements. Data is stored offline, and this tier carries the highest costs to rehydrate and access data.
  • All access tiers can be set at the blob level, whereas only the hot or cool tier can be set at the account level.
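The tier minimums above matter in practice because a blob moved out of cool before 30 days, or out of archive before 180 days, is charged for the days it did not stay. The usual way to move blobs between tiers is a lifecycle management policy on the storage account, and it is easy to write one whose stages are too short. The following is an added example, not code from the learning path: it builds a lifecycle rule in the schema the storage account's lifecycle management feature accepts and checks that each stage lasts at least the tier's early-deletion period. The constructed sample policy and the per-tier residency assumption are noted in the comments.

```python
COOL_MIN_DAYS = 30      # early-deletion period for the cool tier
ARCHIVE_MIN_DAYS = 180  # early-deletion period for the archive tier


def make_rule(name, cool_days, archive_days, delete_days, prefix):
    """Build one lifecycle rule (baseBlob actions keyed on days since last modification)."""
    actions = {}
    if cool_days is not None:
        actions["tierToCool"] = {"daysAfterModificationGreaterThan": cool_days}
    if archive_days is not None:
        actions["tierToArchive"] = {"daysAfterModificationGreaterThan": archive_days}
    if delete_days is not None:
        actions["delete"] = {"daysAfterModificationGreaterThan": delete_days}
    return {
        "enabled": True,
        "name": name,
        "type": "Lifecycle",
        "definition": {
            "actions": {"baseBlob": actions},
            "filters": {"blobTypes": ["blockBlob"], "prefixMatch": [prefix]},
        },
    }


# Constructed sample policy: cool after 30 days, archive after 90, delete after 200.
# The archive stage (110 days) is shorter than the 180-day minimum, so it should be flagged.
POLICY = {"rules": [make_rule("backups-tiering", 30, 90, 200, "backups/")]}


def _days(actions, action):
    spec = actions.get(action)
    return None if spec is None else spec.get("daysAfterModificationGreaterThan")


def check_rule(rule):
    """Return warnings for stages that run backwards or are shorter than the tier's minimum.
    Assumption: leaving a tier early is billed for the remaining days of that tier's minimum,
    so the time between consecutive stages must be at least that minimum."""
    warnings = []
    name = rule["name"]
    actions = rule["definition"]["actions"].get("baseBlob", {})
    cool = _days(actions, "tierToCool")
    archive = _days(actions, "tierToArchive")
    delete = _days(actions, "delete")

    stages = [(n, d) for n, d in (("tierToCool", cool), ("tierToArchive", archive), ("delete", delete))
              if d is not None]
    for (earlier, d_earlier), (later, d_later) in zip(stages, stages[1:]):
        if d_later <= d_earlier:
            warnings.append(f"{name}: {later} at {d_later} days is not after {earlier} at {d_earlier} days")

    if cool is not None:
        next_stage = archive if archive is not None else delete
        if next_stage is not None and next_stage - cool < COOL_MIN_DAYS:
            warnings.append(f"{name}: blobs spend only {next_stage - cool} days in cool (minimum {COOL_MIN_DAYS})")
    if archive is not None and delete is not None and delete - archive < ARCHIVE_MIN_DAYS:
        warnings.append(f"{name}: blobs spend only {delete - archive} days in archive (minimum {ARCHIVE_MIN_DAYS})")
    return warnings


def check_policy(policy):
    """Warnings across all enabled rules of a lifecycle policy document."""
    return [w for rule in policy["rules"] if rule.get("enabled", True) for w in check_rule(rule)]


if __name__ == "__main__":
    for warning in check_policy(POLICY):
        print("WARNING:", warning)
```

Run the check against the policy JSON before applying it with the portal or CLI; a rule that archives at 30 days and deletes at 90 passes schema validation but pays early-deletion charges on every blob.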

Azure Files:

  • Fully managed file shares in the cloud
  • Accessible via Server Message Block and Network File System (preview) protocols
  • Can be mounted concurrently by cloud or on-premises deployments of Windows, Linux and macOS
  • Files can be shared from anywhere using limited-time URLs that carry a Shared Access Signature (SAS) token
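What makes a SAS URL "limited-time" is not anything stored server-side: the query string carries the permissions and the start/expiry times, plus a signature that is an HMAC-SHA256 over exactly those fields, keyed with the storage account key. The service recomputes the HMAC and rejects the request if any field was altered or the window has passed. The block below is an added example, not code from the learning path or the Azure SDK: it builds a read-only SAS URL for a file share and models the service-side check. The account name and key are constructed values, and the string-to-sign layout follows the Azure Files service SAS format for service version 2018-11-09 as this editor understands it; check it against the current REST documentation before relying on it.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example. A real account key comes from the storage
# account's access keys and must never be hard-coded or committed.
ACCOUNT_NAME = "examplestorage"
ACCOUNT_KEY = base64.b64encode(b"\x11" * 64).decode()
SAS_VERSION = "2018-11-09"  # assumption: Azure Files string-to-sign layout of this service version
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def sign(string_to_sign, account_key):
    """Signature = Base64(HMAC-SHA256(Base64Decode(account key), UTF-8(string-to-sign)))."""
    mac = hmac.new(base64.b64decode(account_key), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def file_string_to_sign(account, share, path, permissions, start, expiry, protocol):
    """Azure Files service SAS string-to-sign: fixed field order, empty string for unused fields."""
    canonical = f"/file/{account}/{share}/{path}"
    fields = [
        permissions, start, expiry, canonical,
        "",                 # signed identifier (only when a stored access policy is referenced)
        "",                 # signed IP range
        protocol, SAS_VERSION,
        "", "", "", "", "",  # rscc, rscd, rsce, rscl, rsct response-header overrides
    ]
    return "\n".join(fields)


def make_file_sas_url(share, path, permissions, lifetime_seconds, now=None):
    """Build a limited-time URL for one file. Start is backdated slightly to absorb clock skew."""
    now = now or datetime.now(timezone.utc)
    start = (now - timedelta(minutes=5)).strftime(TIME_FMT)
    expiry = (now + timedelta(seconds=lifetime_seconds)).strftime(TIME_FMT)
    sig = sign(file_string_to_sign(ACCOUNT_NAME, share, path, permissions, start, expiry, "https"), ACCOUNT_KEY)
    query = urlencode({"sv": SAS_VERSION, "sp": permissions, "st": start, "se": expiry, "spr": "https", "sig": sig})
    return f"https://{ACCOUNT_NAME}.file.core.windows.net/{share}/{path}?{query}"


def validate_file_sas_url(url, now=None):
    """Model of the service-side check: recompute the signature from the query parameters,
    compare it in constant time, then enforce the st/se window. Returns (ok, reason)."""
    now = now or datetime.now(timezone.utc)
    parts = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    account = parts.hostname.split(".")[0]
    share, _, path = parts.path.lstrip("/").partition("/")
    try:
        expected = sign(file_string_to_sign(account, share, path, q["sp"], q["st"], q["se"], q["spr"]), ACCOUNT_KEY)
    except KeyError as missing:
        return False, f"missing SAS parameter {missing}"
    if not hmac.compare_digest(expected, q.get("sig", "")):
        return False, "signature mismatch: token was altered or signed with another key"
    start = datetime.strptime(q["st"], TIME_FMT).replace(tzinfo=timezone.utc)
    expiry = datetime.strptime(q["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if not start <= now <= expiry:
        return False, "outside the st/se validity window"
    return True, "ok"


if __name__ == "__main__":
    url = make_file_sas_url("reports", "q2/summary.pdf", "r", lifetime_seconds=3600)
    print(url)
    print(validate_file_sas_url(url))                           # valid
    print(validate_file_sas_url(url.replace("sp=r", "sp=rw")))  # signature mismatch
```

Two practical consequences follow from the construction: a SAS signed with an account key stays valid until it expires even if the user who created it loses access, so rotating the account key is the only way to revoke it early, and anyone holding the URL holds the permissions, so keep lifetimes short and prefer a stored access policy when you need server-side revocation.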

Networking

This section is a summary of the Explore Azure networking services module.

Virtual Networks

Azure virtual networks are an IaaS service providing cloud-based equivalents of networks in a data centre. Features include:

  • Isolation and segmentation – private IP address space, subnets
  • Internet communications – via public IP or load balancer
  • Communicate between Azure resources – virtual networks and service endpoints (which link Azure services to virtual networks)
  • Communicate with on-premises resources
    • Point-to-site VPN: computer connects to Azure virtual network
    • Site-to-site VPN: connect on-premises network to Azure network via VPN gateway
    • Azure ExpressRoute: dedicated private connectivity to Azure
  • Route network traffic – route tables, Border Gateway Protocol (BGP)
  • Filter network traffic – network security groups, network virtual appliances
  • Connect virtual networks – virtual network peering (connect networks even across regions)

VPN

VPN = virtual private network, a secure connection between 2 or more trusted private networks over an untrusted network (e.g. the internet).

Azure VPN Gateway:

  • Connects on-premises data centres to Azure virtual networks via site-to-site connection
  • Connects devices to virtual networks via point-to-site connection
  • Connects virtual networks to other virtual networks via a VNet-to-VNet connection
  • You can deploy only one VPN gateway in each virtual network, but it can connect to multiple locations
  • Policy-based or route-based: both authenticate the peers with a pre-shared key and negotiate the IPsec tunnel using Internet Key Exchange (IKE) v1 or v2

Policy-based VPN:

  • Supports IKE v1 only
  • Uses static routing: IPsec policies built from pairs of on-premises and Azure address prefixes decide which traffic is encrypted and sent through the tunnel
  • Use this only where necessary (compatibility with legacy devices)

Route-based VPNs:

  • IPSec tunnels are modelled as a network interface
  • Support static or dynamic routing (using routing tables, BGP)
  • Are resilient to topology changes (e.g. creation of new subnets)
  • Support IKE v2
  • Use any-to-any (wildcard) traffic selectors

To deploy a VPN gateway you need the following in Azure:

  • A virtual network (address space must not overlap with the on-premises network)
  • A dedicated subnet for the VPN gateway
  • A public IP address (dynamic, but it won’t change until you delete the VPN gateway)
  • A local network gateway (represents the on-premises network from Azure’s point of view)
  • A virtual network gateway
  • One or more connection objects, each linking the virtual network gateway to a local network gateway (i.e. to the on-premises VPN device’s public IP address)

To deploy a VPN gateway, you also need to have the following on-premises:

  • A VPN device supporting policy-based or route-based VPN gateways
  • A public-facing IPv4 address
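The two requirements that most often bite during a site-to-site deployment are the non-overlapping address spaces and the dedicated gateway subnet, and both can be checked before anything is provisioned. The following is an added example, not code from the learning path: it validates a planned VNet layout against an on-premises network using Python’s ipaddress module. The reserved subnet name GatewaySubnet is what Azure requires; the /27-or-larger sizing is an assumption based on Microsoft’s recommendation rather than something the learning path states.

```python
import ipaddress

GATEWAY_SUBNET = "GatewaySubnet"  # fixed name Azure requires for the gateway's dedicated subnet
MIN_GATEWAY_PREFIX = 27           # assumption: /27 or larger, per Microsoft's sizing recommendation


def validate_vpn_plan(vnet_prefixes, subnets, onprem_prefixes):
    """Check a planned site-to-site VPN against the deployment requirements listed above.
    subnets maps subnet name -> CIDR. Returns a list of problems; empty means the plan passes."""
    problems = []
    vnet = [ipaddress.ip_network(p) for p in vnet_prefixes]
    onprem = [ipaddress.ip_network(p) for p in onprem_prefixes]
    subs = {name: ipaddress.ip_network(p) for name, p in subnets.items()}

    # 1. The VNet address space must not overlap the on-premises network; otherwise the
    #    routes on both sides become ambiguous and traffic quietly goes to the wrong side.
    for v in vnet:
        for o in onprem:
            if v.version == o.version and v.overlaps(o):
                problems.append(f"VNet prefix {v} overlaps on-premises prefix {o}")

    # 2. Every subnet must sit inside the VNet address space and subnets must not overlap each other.
    for name, s in subs.items():
        if not any(s.subnet_of(v) for v in vnet if s.version == v.version):
            problems.append(f"subnet {name} ({s}) is outside the VNet address space")
    names = list(subs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subs[a].version == subs[b].version and subs[a].overlaps(subs[b]):
                problems.append(f"subnets {a} ({subs[a]}) and {b} ({subs[b]}) overlap")

    # 3. The gateway needs its own subnet with the reserved name, large enough for the gateway SKU.
    gw = subs.get(GATEWAY_SUBNET)
    if gw is None:
        problems.append(f"no dedicated {GATEWAY_SUBNET}; the virtual network gateway cannot be deployed")
    elif gw.prefixlen > MIN_GATEWAY_PREFIX:
        problems.append(f"{GATEWAY_SUBNET} {gw} is smaller than /{MIN_GATEWAY_PREFIX}")
    return problems


if __name__ == "__main__":
    # Constructed plan: a /16 VNet, an app subnet, the gateway subnet, and a non-overlapping office network.
    plan = validate_vpn_plan(
        ["10.1.0.0/16"],
        {"app": "10.1.1.0/24", GATEWAY_SUBNET: "10.1.255.0/27"},
        ["192.168.0.0/16"],
    )
    print("OK" if not plan else "\n".join(plan))
```

The same check applies to VNet-to-VNet connections and to peering: any two address spaces joined by a gateway or a peering must be disjoint.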

VPN high availability scenarios:

  • Active/standby (the default): 2 instances; when the active instance fails or is updated, the standby takes over after a brief interruption
  • Active/active: both instances hold tunnels to the on-premises device (or to two on-premises devices); if one tunnel or instance fails, traffic continues over the others
  • ExpressRoute failover: use a VPN gateway over the internet as a fallback path if the ExpressRoute circuit fails
  • Zone-redundant gateways: deploy VPN gateways or ExpressRoute gateways across availability zones. Needs the zone-redundant gateway SKUs and Standard (not Basic) public IP addresses.

ExpressRoute

Azure ExpressRoute:

  • On-premises data centre connects to Azure via a private connection (i.e. not over the internet) via a connectivity provider
  • It provides better speed, reliability, security, and more consistent latencies compared to going over the internet
  • It covers two layers of the OSI Model:
    • Layer 2: Data Link Layer (node-to-node communication on the same network)
    • Layer 3: Network Layer (addressing and routing on a multi-node network)
  • Provides connectivity to MS cloud services (e.g. Office 365, Dynamics 365 and Azure services)
  • ExpressRoute Global Reach: connect private data centres together via ExpressRoute
  • Uses BGP, dynamic routing

ExpressRoute connectivity models:

  • Colocation at cloud exchange: provider (e.g. ISP) provides Layer 2 and Layer 3 connections between your infrastructure and the MS cloud
  • Point-to-point Ethernet connection
  • Any-to-any networks: Layer 3 connection between your WAN and Azure

Azure Fundamentals Part 1 Summary

This is a summary of Azure Fundamentals part 1: Describe core Azure concepts. This learning path is made up of the following modules:

This is actually a bit of a mess. The first module is repeated in every Azure Fundamentals learning path. The second module is actually a repetition of the first, and the third covers part of the first module in more detail.

My goal here is to gather the most important points to serve as a decent summary for anyone preparing to take the Azure Fundamentals exam.

Cloud Computing

Cloud computing is the delivery of computing services over the internet.

  • You typically pay for what you use
  • Someone else manages certain resources for you (e.g. underlying physical hardware)
  • Compute power and storage are the main cloud resources
  • You can add/remove resources as needed

Basically, you’re renting computing and storage resources from someone else’s datacentre. Thus you don’t need to concern yourself with things like building security or cooling. The pay-as-you-go model is handy because you can provision (and de-provision) resources quickly and as needed:

  • No upfront costs
  • No need to buy and manage idle resources
  • Pay for additional resources when needed
  • Stop paying for resources when they are no longer needed

On a financial level, cloud usage shifts IT expense from CapEx to OpEx:

  • Capital expenditure (CapEx): up-front expenditure on infrastructure, which incurs depreciation over time
  • Operating expenditure (OpEx): pay for what you use, just like electricity

Advantages of cloud computing include:

  • High availability
  • Scalability (vertical and horizontal)
  • Elasticity (autoscaling)
  • Agility
  • Geo-distribution
  • Disaster recovery

Cloud Service Models

Azure and similar cloud providers offer a large range of services. These services abstract underlying resources at different levels, and are generally categorised as follows:

  • Infrastructure as a Service (IaaS): Azure manages the hardware, but you manage the OS, networking, etc. This category offers the most control and flexibility, but you have to take care of more things yourself (e.g. Azure virtual machines).
  • Platform as a Service (PaaS): Azure manages the hosting environment (e.g. VMs, networking). You just deploy your application (e.g. Azure App Service).
  • Software as a Service (SaaS): Azure manages all aspects of the application environment, including the application itself. You just bring your data (e.g. Office 365).

Serverless computing sits in the PaaS category, and offers a way to execute code in an event-driven manner that scales automatically, without needing to manage infrastructure. Servers are hidden (e.g. Azure Functions).

Public, Private and Hybrid Cloud

  • Public cloud: Azure sells services over the internet to anyone. Technically the physical server resources are shared.
  • Private cloud: Resources are dedicated to one organisation. This can be on-premises or hosted by the cloud service provider (i.e. Azure).
  • Hybrid cloud: Uses both public and private cloud, sharing some resources between them.

How Azure Works

  • Azure uses virtualisation
    • A hypervisor sits between hardware and OS
    • This allows a single physical server to run several VMs, at massive scale
  • Azure has datacentres all over the world
    • Each datacentre has many racks filled with servers
    • Each server includes a hypervisor to run multiple VMs
    • Servers are connected by network switches
  • One server in each rack includes a fabric controller
    • Fabric controller receives instructions from an orchestrator
    • Orchestrator manages everything that happens in Azure, including responding to user requests
  • API requests (e.g. to deploy a VM, from the Azure Portal) will go to an orchestrator, which talks to a fabric controller, which provisions/deprovisions resources as needed.

The above is explained graphically in a video at the What is Azure? page.

Miscellaneous

The Azure Portal is a web interface to view and manage your Azure subscription and resources. It has instances in every datacentre (so it’s close to users) and runs with high availability – updates incur no downtime.

The Azure Marketplace contains third party solutions to be run on Azure.

Azure Services

There is a long list of services on Azure, split up into a number of categories – you can see them at the Tour of Azure services. The more important of these are covered in subsequent learning paths, so let’s just take a high-level look at the categories at this stage:

  • Compute: VMs, container services, serverless functions, etc
  • Networking: virtual networking, load balancing, VPN, and other networking and security services
  • Storage: unstructured storage including blob, file (file server), queue and table (schemaless NoSQL) storage. These are all durable and highly available, secure, scalable, managed, and accessible via HTTP or HTTPS.
  • Mobile: backend services for mobile apps such as offline data sync, push notifications, connectivity to on-premises resources (e.g. SQL Server), and corporate sign-in.
  • Databases: several managed data store offerings ranging from managed RDBMSes (Azure SQL, MySQL, PostgreSQL, MariaDB), Redis, as well as CosmosDB (globally distributed NoSQL).
  • Web: App Service (managed hosting for web apps), Notification Hubs (push notifications), SignalR service, API management and more.
  • Internet of Things (IoT): connect, monitor and manage IoT devices.
  • Big Data: Synapse Analytics (managed enterprise data warehouse), HDInsight (Managed Hadoop clusters), Databricks (Apache Spark-based analytics service)
  • Artificial Intelligence (AI): Machine Learning Service (develop your own ML models) and Studio (use prebuilt ML algorithms). Cognitive Services are related, and comprise Vision, Speech, Knowledge Mapping, Bing Search, and Natural Language Processing.
  • DevOps: Azure DevOps (git repos, pipelines, testing, project management) and DevTest Labs (set up environments for testing).

Azure Subscriptions

An Azure account has one or more subscriptions.

  • Resources are anything you use within Azure (e.g. VMs)
  • Resource groups are a logical group of (related) resources
  • Subscriptions are a group of user accounts and resources; limits/quotas apply
  • Management groups are groups of subscriptions which inherit access, policy and compliance rules

Subscriptions can be used to separate things like environments (e.g. Dev and Prod), departments and billing. They can also be used to deal with limits at a subscription level by adding additional subscriptions. Subscriptions provide isolation in the form of a billing boundary (e.g. bill by department) and an access control boundary (e.g. you can only access Dev and Test environments).

A billing profile can be used to manage invoicing across subscriptions. A billing account can have multiple billing profiles (each of which generates its own invoice); each billing profile can have multiple invoice sections, and each invoice section can contain multiple Azure subscriptions.

On management groups:

  • Can be nested to form a hierarchy; rules are inherited by children (other management groups, subscriptions, resource groups and resources)
  • Can give users access to multiple subscriptions via Role-Based Access (RBAC)
  • Can have up to 10,000 management groups in a single directory
  • Can have up to 6 levels of depth (excluding the root and the subscriptions at the leaves)
  • Each can have only one parent
  • Each can have many children
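Inheritance is the reason the hierarchy matters for security: a policy or role assignment made on a management group applies to every subscription, resource group and resource beneath it, and there is no way to opt a child out. The following is an added example, not code from the learning path: a small model of the scope hierarchy that enforces the containment rules above (single parent, management groups nest up to 6 deep, resource groups cannot nest) and resolves the effective policy and role assignments at any scope by walking up to the root. Names such as "Corp" and "require-costcenter-tag" are constructed for the example.

```python
MAX_MG_DEPTH = 6    # management-group levels below the root; root and subscriptions not counted
MAX_MG_COUNT = 10_000

# Which kind of node may be placed directly under which kind of parent.
ALLOWED_PARENT = {"mg": {"mg"}, "sub": {"mg"}, "rg": {"sub"}, "resource": {"rg"}}


class ManagementHierarchy:
    def __init__(self, root="Tenant Root Group"):
        self.root = root
        self.parent = {root: None}
        self.kind = {root: "mg"}
        self.policies = {}   # scope -> [policy assignment name]
        self.roles = {}      # scope -> [(principal, role)]

    def depth(self, name):
        """Number of levels below the root (the root itself is 0)."""
        d = 0
        while self.parent[name] is not None:
            name = self.parent[name]
            d += 1
        return d

    def validate_add(self, name, parent, kind="mg"):
        """Return None if the placement is legal, otherwise the rule it would break."""
        if name in self.parent:
            return f"{name} already exists; a node can have only one parent"
        if parent not in self.parent:
            return f"unknown parent {parent}"
        if self.kind[parent] not in ALLOWED_PARENT[kind]:
            return f"a {kind} cannot be placed directly under a {self.kind[parent]}"
        if kind == "mg":
            if self.depth(parent) + 1 > MAX_MG_DEPTH:
                return f"management-group depth would exceed {MAX_MG_DEPTH}"
            if sum(k == "mg" for k in self.kind.values()) >= MAX_MG_COUNT:
                return f"directory limit of {MAX_MG_COUNT} management groups reached"
        return None

    def add(self, name, parent, kind="mg"):
        problem = self.validate_add(name, parent, kind)
        if problem:
            raise ValueError(problem)
        self.parent[name] = parent
        self.kind[name] = kind

    def assign_policy(self, scope, policy):
        self.policies.setdefault(scope, []).append(policy)

    def assign_role(self, scope, principal, role):
        self.roles.setdefault(scope, []).append((principal, role))

    def chain(self, name):
        """Scopes from the root down to name; inheritance flows along this chain."""
        path = []
        while name is not None:
            path.append(name)
            name = self.parent[name]
        return list(reversed(path))

    def effective_policies(self, name):
        """Every policy assignment that applies at name, root first (a child cannot remove one)."""
        return [(scope, p) for scope in self.chain(name) for p in self.policies.get(scope, [])]

    def effective_roles(self, name):
        """Every RBAC assignment that applies at name; RBAC is additive across scopes."""
        return [(scope, who, role) for scope in self.chain(name) for who, role in self.roles.get(scope, [])]


if __name__ == "__main__":
    h = ManagementHierarchy()
    h.add("Corp", "Tenant Root Group")
    h.add("Prod", "Corp")
    h.add("sub-prod-1", "Prod", kind="sub")
    h.add("rg-web", "sub-prod-1", kind="rg")
    h.assign_policy("Tenant Root Group", "allowed-locations")
    h.assign_policy("Prod", "require-costcenter-tag")
    h.assign_role("Corp", "ops-team", "Reader")
    print(h.effective_policies("rg-web"))
    print(h.effective_roles("rg-web"))
    print(h.validate_add("rg-inner", "rg-web", kind="rg"))
```

Because RBAC is additive and policy assignments cannot be cancelled lower down, an Owner assignment at the root management group reaches every resource in the tenant; keep assignments at the root to a minimum and audit them first.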

On resource groups:

  • All resources must be in a resource group
  • Resource groups can’t be nested
  • Each resource can only be in one resource group
  • Serve as logical grouping of resources
  • Deleting a resource group deletes all the resources in it
  • Act as scope for RBAC permissions

The Azure Resource Manager (ARM) is a management layer that can be thought of as providing CRUD around resources. ARM also allows resources to be managed by templates – this is covered in more detail in a later learning path.

  • Azure Portal, Azure PowerShell and Azure CLI (via the SDKs), and REST clients talk to the Azure API
  • Azure API talks to ARM
  • ARM verifies authentication & authorisation
  • ARM can then perform actions (e.g. provision) on Azure services

Geography

A region is basically a geographical area where Azure has its datacentres.

  • A region has one or more datacentres nearby, connected by a low-latency network
  • Most resources have to be deployed to a region (which you choose)
  • Some services are only available in certain regions
  • Some services are global and don’t need a region at all
  • Deploying resources across regions gives you scalability, redundancy, data residency (when data must legally reside within a country), and allows data to be close to users

Some regions are special and not available to the general public. This includes several isolated datacentres used by the US Government, and datacentres in China which are operated by a partner.

Availability zones (AZs) are physically separate datacentres in an Azure region.

  • One or more datacentres with independent power, cooling and networking
  • Isolation boundary: it would take a major disaster for more than one AZ to fail in the same region (see also Region pairs further below)
  • AZs in the same region are connected via high-speed fiber-optic networks
  • Not all regions support AZs

Azure services supporting availability zones:

  • Are mainly VMs, managed disks, load balancers and SQL databases
  • Zonal services: pin resource to specific zone (e.g. VMs)
  • Zone-redundant services: replicates across zones

Region pairs:

  • A region is paired (directly connected) with another region in the same geography, at least 300 miles away (where available)
  • The pair is far enough that disasters shouldn’t take out both regions
  • Updates are rolled out to one region in a pair at a time
  • If a broad outage affects both regions of a pair, restoring one of them is prioritised so that service returns to at least one region quickly
  • Data continues to reside within the same geography, which can be important for legal/compliance reasons