Web App SLA is 99.95% and SQL DB SLA is 99.99%. However, if either of these two fails, the application fails, so the composite SLA is 99.95% × 99.99% = 99.94%.
NOTE: THE COMBINED PROBABILITY OF FAILURE IS HIGHER THAN THAT OF EITHER COMPONENT, SO THE COMPOSITE SLA IS LOWER THAN EITHER INDIVIDUAL SLA.
- With this design (a Queue added as a fallback to the DB), the application is still available even if the DB fails.
- The application fails only if both DB and Queue fail simultaneously.
- Adding the Queue (SLA 99.9%) to the web app, the composite SLA is calculated as follows:
- Failure % for SQL DB is 100% - 99.99% = 0.01%, which is 0.01/100 = 0.0001
- Failure % for Queue is 100% - 99.9% = 0.1%, which is 0.1/100 = 0.001
- Joint probability of failure for SQL DB and Queue is 0.0001 × 0.001 = 0.0000001
- Probability of uptime for either SQL DB or Queue = 1 - 0.0000001 = 0.9999999 = 99.99999%
- So, the SLA for "either SQL DB or Queue" is 99.99999%.
- Composite SLA is therefore 99.95% × 99.99999% ≈ 99.95%
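The two calculations above (the serial Web App + DB dependency, then the DB-or-Queue fallback) as a small calculator. This is an added example, not part of the original notes; it uses the notes' own SLA figures and, like the notes, assumes component failures are independent.

```python
"""Composite SLA calculator for the two designs in the notes above.

Added example, not part of the original notes. It uses the notes' own SLA
figures (Web App 99.95%, SQL DB 99.99%, Queue 99.9%) and, like the notes,
assumes that component failures are independent.
"""


def pct_to_prob(pct: float) -> float:
    """Convert an SLA percentage such as 99.95 to an uptime probability 0.9995."""
    if not 0.0 <= pct <= 100.0:
        raise ValueError(f"SLA percentage out of range: {pct}")
    return pct / 100.0


def prob_to_pct(prob: float, digits: int = 5) -> float:
    """Convert an uptime probability back to a percentage, rounded for display."""
    return round(prob * 100.0, digits)


def serial_sla(*uptimes: float) -> float:
    """Uptime when ALL components must be up (web app AND database).

    Uptime probabilities multiply, so the result is below the weakest
    component: the combined probability of failure is higher.
    """
    result = 1.0
    for up in uptimes:
        result *= up
    return result


def redundant_sla(*uptimes: float) -> float:
    """Uptime when ANY one component being up is enough (database OR queue).

    The design only fails when every component fails at once, so the failure
    probabilities multiply and uptime is 1 minus that joint failure.
    """
    joint_failure = 1.0
    for up in uptimes:
        joint_failure *= 1.0 - up
    return 1.0 - joint_failure


def web_app_with_db() -> float:
    """Design 1: Web App (99.95%) depends on SQL DB (99.99%); both must be up."""
    return serial_sla(pct_to_prob(99.95), pct_to_prob(99.99))


def web_app_with_db_or_queue() -> float:
    """Design 2: Web App depends on 'SQL DB OR Queue'; either store suffices."""
    store = redundant_sla(pct_to_prob(99.99), pct_to_prob(99.9))
    return serial_sla(pct_to_prob(99.95), store)


def downtime_minutes_per_year(uptime: float) -> float:
    """Expected downtime in a 365-day year, which is what an SLA target really means."""
    return round((1.0 - uptime) * 365 * 24 * 60, 1)


if __name__ == "__main__":
    designs = (("web app + DB", web_app_with_db),
               ("web app + (DB or queue)", web_app_with_db_or_queue))
    for name, design in designs:
        up = design()
        print(f"{name:25s} {prob_to_pct(up):9.5f}%  ~{downtime_minutes_per_year(up)} min/yr")
```

Note that the fallback only lifts the composite back to the Web App's own 99.95%: the serial component with the weakest SLA caps the whole design.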
Resiliency
Resiliency is the ability of a system to recover from failure as quickly as possible. It's not about avoiding failure but about returning to normal operation with the least amount of downtime or data loss.
AVAILABILITY and DISASTER RECOVERY are the two key components of resiliency.
- Architecture needs to be designed for resiliency
- Perform FMEA (Failure Mode and Effects Analysis) on the infrastructure when designing.
- If Application SLA is 4 9's, then the Azure solution must be self-diagnosing and self-healing (can't be manual to achieve the target).
- SLA performance targets above 4 9's are difficult to achieve.
Azure Management
- Azure portal - to interact with Azure via a GUI
- Azure PowerShell / Azure CLI - command-line and automation-based interaction with Azure.
- Azure Cloud Shell - Web-based CLI
- Azure Mobile App - for monitoring and managing your resources from your mobile device.
Azure Portal
Azure Powershell
Is a module that can be installed for Windows PowerShell or PowerShell Core and runs on Windows, Linux and macOS. It connects to Azure to manage resources.
Azure CLI
A cross-platform CLI that connects to Azure and executes admin commands.
Azure Cloud Shell
Browser-accessible interactive command prompt to manage Azure resources.
You can switch between Bash or PowerShell.
Azure Mobile App
Access, manage, monitor all your Azure accounts, resources, etc.
Azure Advisor
- Get proactive, actionable, and personalized best practice recommendations.
- Improve the performance, security, and high availability of your resources as you identify opportunities to reduce your overall Azure costs.
- Get recommendations with proposed actions inline.
Azure Portal Dashboards
Azure New Features
- Azure new features are first made available for beta testing and other pre-release use, then released to all customers as part of the default Azure product set (called General Availability).
- Private preview - for specific customers
- Public preview - for all customers
Azure Compute
Virtual Machines - software emulations of physical computers
Containers - virtualization environment for running applications. Unlike VMs, containers don't include an OS; they use the host OS that runs the container.
Azure App Service - is a platform-as-a-service (PaaS) offering in Azure that is designed to host enterprise-grade web-oriented applications.
Serverless Computing
Serverless computing is a cloud-hosted execution environment that runs your code but completely abstracts the underlying hosting environment. You create an instance of the service, and you add your code; no infrastructure configuration or maintenance is required.
Azure Virtual Machines
VMs provide an abstraction layer for CPU, Memory and Storage.
Use VMs
- During testing and development
- When running applications in the cloud
- When extending your data centre to the cloud.
- During disaster recovery
- You can run single VMs or group VMs together to provide high availability, scalability and redundancy.
Availability sets
- Is a logical grouping of two or more VMs
- VMs in an availability set are placed in different update domains so that planned maintenance has the least impact. Update domains indicate groups of VMs and underlying physical hardware that can be rebooted at the same time. Update domains are a logical part of each data centre and are implemented with software and logic.
- During unplanned events, VMs failover to a working physical server.
- Fault Domain -- VMs that share common hardware are in the same fault domain. A fault domain is essentially a rack of servers.
Virtual Machine Scale Sets
Azure Virtual Machine Scale Sets let you create and manage a group of identical, load-balanced VMs.
Scale sets allow you to centrally manage, configure, and update a large number of VMs in minutes to provide highly available applications. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule.
Azure Batch
Azure Batch enables large-scale job scheduling and compute management with the ability to scale to tens, hundreds, or thousands of VMs.
Batch does the following:
- Starts a pool of compute VMs for you
- Installs applications and staging data
- Runs jobs with as many tasks as you have
- Identifies failures
- Requeues work
- Scales down the pool as work completes
AZURE Containers
- A container is a modified runtime environment built on top of a host OS that executes your application.
- Run multiple instances of application on a single host machine.
- Can run multiple OS.
- Container orchestrator can start, stop, and scale out application instances.
- Containers are lighter than VMs.
- Can run multiple isolated application on a single container host.
- Containerized apps are smaller in size.
- Apps are quicker to launch.
- The dev process is simplified because dev is similar to prod.
- If you want complete control of the environment, choose VMs; if you want portability and performance, go for containers.
VMs vs. Containers
- VMs provide an abstraction layer for CPU, MEM and storage.
- VMs run only one OS at a time.
- VMs virtualise the hardware, while containers virtualise the OS.
Azure containers
- Azure Container Instances (ACI) - is a PaaS offering that allows you to upload your containers and execute them directly with automatic elastic scale.
- Azure Kubernetes Service (AKS) - is a complete orchestration service for containers with distributed architectures with multiple containers.
Migrating Apps to Containers
- You convert an existing application to one or more containers and then publish one or more container images to the Azure Container Registry.
- By using the Azure portal or the command line, you deploy the containers to an AKS cluster.
- Azure AD controls access to AKS resources.
- You access SLA-backed Azure services, such as Azure Database for MySQL, via OSBA (Open Service Broker for Azure).
- Optionally, AKS is deployed with a virtual network.
Azure App Service
Enables you to build and host web apps, background jobs, mobile backends, and RESTful APIs in the programming language of your choice without managing infrastructure. It offers automatic scaling and high availability.
Common App service styles include:
- Web Apps - full support for hosting web apps using ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python. You can choose either Windows or Linux as the host operating system.
- API Apps - you can build REST-based Web APIs using your choice of language and framework. You get full Swagger support, and the ability to package and publish your API in the Azure Marketplace.
- WebJobs - WebJobs allows you to run a program (.exe, Java, PHP, Python, or Node.js) or script (.cmd, .bat, PowerShell, or Bash) in the same context as a web app, API app, or mobile app. They can be scheduled, or run by a trigger. WebJobs are often used to run background.
- Mobile Apps - You can use this to quickly build a back-end for iOS and Android apps. With just a few clicks in the Azure portal you can:
- Store mobile app data in a cloud-based SQL database
- Authenticate customers against common social providers such as MSA, Google, Twitter, and Facebook
- Send push notifications
- Execute custom back-end logic in C# or Node.js
Azure Serverless Computing
- Serverless computing is the abstraction of servers, infrastructure, and OSs.
- Azure takes care of managing the server infrastructure and allocation/deallocation of resources based on demand.
Serverless Computing encompasses three ideas:
- Abstraction of servers
- Serverless computing abstracts the servers you run on. You never explicitly reserve server instances; the platform manages that for you. Each function execution can run on a different compute instance, and this is transparent to the code. With this architecture, you worry only about deploying code, which then runs with high availability.
- Event driven scale
- Instead of writing an entire application, the developer writes a function which contains both code and meta data about its triggers and bindings.
- Serverless computing responds to incoming triggers / events (e.g. a function runs every day at 10:00 am UTC, etc.).
- The platform automatically schedules the function to run based on the trigger / event and scales the number of compute instances based on the rate of incoming events.
- Trigger defines how the function is invoked.
- Bindings provide ways to connect services from within the code.
- Micro billing
- Even if a customer's website gets only one hit a day, they still pay for a full day's worth of availability. With serverless computing, they pay only for the time their code runs.
- For example, if the code runs once a day for two minutes, they're charged for one execution and two minutes of computing time.
There are two flavours of Azure Serverless Computing: Azure Functions and Logic Apps.
When you're concerned only about the code running your service, and not the underlying platform or infrastructure, Azure Functions are ideal. They're commonly used when you need to perform work in response to an event, often via a REST request, timer, or message from another Azure service and when that work can be completed quickly, within seconds or less.
> They scale based on demand.
Logic Apps execute workflows, whereas Azure Functions execute code.
Both are triggered by logic based on an event.
Many triggers include basic scheduling capabilities.
You create Logic App workflows using a visual designer on the Azure portal or in Visual Studio.
Example...
As an example, let's say a ticket arrives in ZenDesk. You could:
- Detect the intent of the message with cognitive services
- Create an item in SharePoint to track the issue
- If the customer isn't in your database, add them to your Dynamics 365 CRM system
- Send a follow-up email to acknowledge their request
Functions vs. Logic Apps
Azure Data Storage
Benefits
- Automated backup and recovery
- Replication across globe
- Support for data analytics
- Encryption capabilities
- Multiple data types (video, text, binary etc.)
- Data storage in virtual disks (32 TB virtual disks).
- Storage tiers prioritise access to data based on frequently used vs. rarely used information.
Types of Data
- Structured data
- Structured data is data that adheres to a schema, so all of the data has the same fields or properties. Structured data can be stored in a database table with rows and columns.
- Semi structured data
- Semi-structured data does not fit into tables, rows and columns; it uses tags and keys instead. Semi-structured data is also referred to as non-relational or NoSQL data.
- Unstructured data
- BLOB - PDF, JPG, JSON, video content, etc.
Azure SQL Database
- Azure SQL Database is a relational database as a service (DaaS) based on the latest stable version of the Microsoft SQL Server database engine.
Azure Cosmos DB
Is a globally distributed database service.
Azure BLOB Storage
Azure Blob Storage is unstructured, meaning that there are no restrictions on the kinds of data it can hold. Blobs are highly scalable and apps work with blobs in much the same way as they would work with files on a disk, such as reading and writing data. Blob Storage can manage thousands of simultaneous uploads, massive amounts of video data, constantly growing log files, and can be reached from anywhere with an internet connection.
Azure Datalake
Data Lake is a large repository that stores both structured and unstructured data and allows you to perform analytics on your data usage and prepare reports.
Azure Files
Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol.
Azure Queue
Azure Queue storage is a service for storing large numbers of messages that can be accessed from anywhere in the world.
Queue storage provides asynchronous message queueing for communication between application components, whether they are running in the cloud, on the desktop, on-premises, or on mobile devices.
Disk Storage
Disk storage provides disks for virtual machines, applications, and other services to access and use as they need, similar to how they would in on-premises scenarios. Disk storage allows data to be persistently stored and accessed from an attached virtual hard disk. The disks can be managed by Azure, or unmanaged and therefore managed and configured by the user. Typical scenarios for using disk storage are if you want to lift and shift applications that read and write data to persistent disks, or if you are storing data that is not required to be accessed from outside the virtual machine to which the disk is attached.
> SSD
> HDD
Storage Tiers
- Hot Storage Tier
- Optimised for storing data that is accessed frequently.
- Cool Storage Tier
- Optimised for data that is infrequently accessed and stored for at least 30 days.
- Archive Storage Tier
- For data that is rarely accessed and stored for at least 180 days with flexible latency requirements.
Encryption
- SSE - Azure storage service encryption for data at rest.
- Secure data to meet org security and regulatory requirements.
- Encrypts data before storing it, decrypts it before returning it.
- Encryption and decryption transparent to user.
- Client side encryption
- Data is already encrypted by client libraries.
- Azure stores this data (encrypted state at rest).
- During retrieval, this data is decrypted by the client.
Replication
- Replication type is created when storage account is created.
- Replication feature ensures data is durable and always available
- Azure provides regional and geographic replication (protect against natural disasters, etc.).
Azure Data Storage vs. On-premises Data Storage
- Cost effective
- Reliable
- Various storage types
- Agility
Loosely coupled Architecture
Azure has a loosely coupled architecture and uses n-tier architecture.
Example of an eCommerce website deployed on Azure
Azure Region
- One or two data centres within a specific geographic location is an Azure region.
Azure Virtual Network
- A logically isolated network on Azure
Azure Network Security Group
- Allows or denies incoming traffic to Azure.
Azure Load Balancer
Availability
- Availability refers to how long a service is up.
- High availability refers to a service that has been running for a long period of time.
Resiliency
- A system's ability to stay operational during abnormal conditions.
Load balancing
- Distribute traffic evenly among systems in a pool.
- Load balancer helps achieve both high availability and resiliency.
Azure Load Balancer is a load balancer service that Microsoft provides that helps take care of the maintenance for you. Load Balancer supports inbound and outbound scenarios, provides low latency and high throughput, and scales up to millions of flows for all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) applications. You can use Load Balancer with incoming internet traffic, internal traffic across Azure services, port forwarding for specific traffic, or outbound connectivity for VMs in your virtual network.
Azure load balancer in a multi-tier architecture
Azure Application Gateway
If all your traffic is HTTP, a potentially better option is to use Azure Application Gateway. Application Gateway is a load balancer designed for web applications. It uses Azure Load Balancer at the transport level (TCP) and applies sophisticated URL-based routing rules to support several advanced scenarios.
This type of routing is known as application layer (OSI layer 7) load balancing since it understands the structure of the HTTP message.
Using Azure application gateway has some benefits over a simple load balancer:
- Cookie affinity - keeps a client's session on the same backend server.
- SSL termination - manages SSL certificates and passes unencrypted traffic to backend servers to avoid encryption / decryption overhead there.
- Web application firewall - supports a sophisticated WAF with detailed monitoring, logging, etc.
- URL rule based routes - allows you to route traffic based on URL patterns.
- Rewrite HTTP headers - you can add / remove information from inbound and outbound HTTP headers, for security scenarios.
Azure DNS
Azure DNS routes traffic to load balancer.
Azure Traffic Manager
Traffic Manager uses the DNS server that's closest to the user to direct user traffic to a globally distributed endpoint.
Reduces network latency
One way to reduce network latency is to provide exact copies of your service in more than one region.
Use Traffic Manager to route users to the closest endpoint.
Load Balancer vs. Traffic Manager
Azure Load Balancer distributes traffic within the same region to make your services more highly available and resilient. Traffic Manager works at the DNS level, and directs the client to a preferred endpoint. This endpoint can be to the region that's closest to your user.
Load Balancer and Traffic Manager both help make your services more resilient, but in slightly different ways. When Load Balancer detects an unresponsive VM, it directs traffic to other VMs in the pool. Traffic Manager monitors the health of your endpoints. When Traffic Manager finds an unresponsive endpoint, it directs traffic to the next closest endpoint that is responsive.
Security and Trust in Azure / Cloud Security
- IaaS - Microsoft provides VMs and virtual networks. However, it is:
- our responsibility to patch and secure the OS and software.
- our responsibility to configure the network and keep it secure.
- PaaS - Azure takes care of the OS and foundational software such as the DB.
- Security patches, etc. are taken care of by Azure.
- SaaS
- With SaaS we outsource everything to Azure.
Note: regardless of the deployment type, we (and not Azure) will retain responsibility for the following items:
1. Data
2. Endpoints
3. Accounts
4. Access Management
Layered approach to Security
MS has a layered approach to security for both its data centres and Azure platform.
Azure Security Centre
Security Center is a monitoring service that provides threat protection across all of your services both in Azure, and on-premises. It can:
- Provide security recommendations based on configurations, etc.
- Monitor security settings for unauthorised change.
- Apply new security settings for new resources as they come online.
- Continuously monitor all services.
- Use machine learning to detect and block malware.
- Analyse and identify inbound attacks.
- Provide just in time access controls for ports.
Azure Security Centre is available in two tiers.
1. Free
2. Standard. Full suite of security services.
Identity and Access
Authentication
Establishing identity of a person or a service.
Authorisation
Is the process of establishing what level of access an authenticated person or service has. It specifies what data they are allowed to access and what they can do with it.
Azure AD (Active Directory)
- Is a cloud-based identity service.
- Built-in support for synchronising with existing on-premises AD.
- Provides authentication.
- Provides SSO.
- Multi factor authentication - allows increased security of identity.
- Something you know (for example a password)
- Something you possess (for example, a mobile phone that receives an SMS).
- Something you are (for example, biometrics).
- Provides identities to services through service principals.
- Identity -- an identity is a thing that can be authenticated, such as a person with a password or a service / server.
- Principal -- a principal is an identity with certain roles or claims. Identity and principal go together.
- User Principal -- an identity used by a person.
- Service Principal -- is an identity that is used by a service or application. And like other identities, it can be assigned roles.
- Managed Identities make the task of maintaining service principals easier.
- There is a service that wants to authenticate.
- You create a managed identity on your org's active directory.
- Azure infra automatically takes care of authenticating this service and managing the account.
- Use this account like any other Azure AD account including allowing the authenticated service secure access to resources.
- Close example: a document upload service uses authentication to upload docs into SAP (Sony Basingstoke).
Role based access control
Identities are mapped to roles (sets of permissions - read only, contributor etc.).
Privileged Identity Management
Azure AD Privileged Identity Management (PIM) is an additional, paid-for offering that provides oversight of role assignments, self-service, and just-in-time role activation and Azure AD and Azure resource access reviews.
Encryption
Encryption is the process of making data unreadable to unauthorised viewers.
> Symmetric encryption - uses the same key to encrypt and decrypt the data.
> Asymmetric encryption - uses a public key and private key pair.
Encryption at Rest
Data at rest is data that has been stored on a physical medium: the disk of a server, data stored in a DB, data stored in a storage account.
Encryption in Transit
Data in transit is data actively moving from one location to another, through the internet or through a private network.
Encryption on Azure
- Azure storage service encrypts data at rest
- Azure storage service encrypts virtual machine disks
- Azure Disk Encryption is a capability that allows encryption of Windows and Linux IaaS VM disks (uses BitLocker).
- Transparent Data Encryption (TDE) helps protect Azure SQL DB and Azure DW against malicious activities.
- TDE encrypts the storage of an entire database by using a symmetric key called the database encryption key.
- Encrypt secrets
- Azure Key Vault
- Azure Key Vault is a centralised cloud service for storing your application secrets. Key Vault helps you control your applications' secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities.
- Secrets management
- Key management (encryption of keys)
- Certificate management.
- Store secrets backed by hardware security modules (HSMs)
Azure Certificates
- Service Certificates
- Are used for cloud services and allow secure communication from and to the service.
- Management Certificates
- Are used for authenticating with the management API
- Are used to authenticate with the classic deployment model.
- Many programs and tools (such as Visual Studio or the Azure SDK) use these certificates to automate configuration and deployment of various Azure services. However, these types of certificates are not related to cloud services.
Azure Key Vault with Certificates
- Can store and manage certificates with key vault.
- You can create certificates in key vault
- Create policies to direct key vault to manage certificate lifecycle
- Provide for notifications regarding certification expiry / renewal
- Automatically renew certificates with selected issuers
Network Security
- Azure has a layered security approach to the network (see above sections).
- Azure firewall
- Is a managed, cloud based, network security service that protects Azure virtual network resources.
- Protection for HTTPS, RDP, SSH, FTP protocols.
- Azure application gateway
- Is a load balancer that includes a Web application firewall (WAF) that provides protection from common, known vulnerabilities.
- Network Virtual Appliances (NVA) are ideal options for non-HTTP services.
DDoS - Distributed Denial of Service Attacks
Azure has DDoS protection, offered in two basic service tiers:
- Basic - is automatically enabled as part of the Azure platform.
- Standard - additional mitigation capabilities against:
- Volumetric attacks
- Protocol attacks
- Resource layer attacks
Protecting Shared Documents - AIP / Azure Information Protection
Microsoft Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps organizations classify and optionally protect documents and emails by applying labels.
You can also track and control how the content is used --- analyze data flows, detect risky behaviours, track access to documents, and prevent data leakage or misuse of confidential information.
Azure ATP - Advanced Threat Protection
Azure ATP has its own portal, through which you can monitor and respond to suspicious activity. The Azure ATP portal allows you to create your Azure ATP instance, and view the data received from Azure ATP sensors. You can also use the portal to monitor, manage, and investigate threats in your network environment.
ATP Sensors
Installed on domain controllers - monitors domain traffic without requiring a dedicated server or configuring port mirroring.
ATP cloud service
Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the United States, Europe, and Asia. Azure ATP cloud service is connected to Microsoft's intelligent security graph.
Azure ATP is available as part of the Enterprise Mobility + Security E5 suite (EMS E5) and as a standalone license.
Microsoft Security Development Lifecycle (SDL)
The Microsoft Security Development Lifecycle (Microsoft SDL) is a software development process based on the spiral model, which has been proposed by Microsoft to help developers create applications or software while reducing security issues, resolving security vulnerabilities and even reducing development and maintenance costs. The process is divided into seven phases: training, requirements, design, implementation, verification, release and response.
Infrastructure Standards with Azure Policy
- Azure lets you set up policies for cloud infrastructure; these policies enforce rules for the created resources, thus ensuring compliance with corporate standards, SLAs, etc.
- Azure Policy is an Azure service you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources so that those resources stay compliant with your corporate standards and service level agreements.
- Example -- Imagine we allow anyone in our organization to create virtual machines (VMs). We want to control costs, so the administrator of our Azure tenant defines a policy that prohibits the creation of any VM with more than 4 CPUs. Once the policy is implemented, Azure Policy will stop anyone from creating a new VM outside the list of allowed stock keeping units (SKUs).
- Any VM you add will be checked by policy.
- Azure policy will audit all existing VMs.
- Azure Policy is DIFFERENT FROM RBAC (Role based access control).
- Both Azure policy and RBAC go hand in hand to ensure organisational business rules are applied.
- RBAC
- Manages who has access to Azure resources, what areas they have access to, and what they can do with those resources.
- Example: allow users to access and manage VMs, websites, etc.
- Azure Policy
- Focus on resource properties during deployment and for already existing resources.
- Example: a policy to ensure users can only deploy DS series VMs.
Creating Policy
- Create policy definition --
- tells what to evaluate and what action to take.
- Represented by a JSON file.
- Assign the definition to a scope of resources (apply the policy).
- You can assign any of these policies through the Azure portal, PowerShell, or Azure CLI. When you assign a policy definition, you will need to supply any parameters that are defined.
- View policy evaluation results
- Use the Azure portal and the applied policies to identify non compliant resources.
Policy Effects
What happens during the "evaluation process" by the policy?
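The create-definition / assign / evaluate steps above as a runnable illustration. This is an added example, not from the notes and not Azure's real evaluation engine: it authors a VM-size allow-list definition in the JSON shape Azure Policy uses (the built-in "Allowed virtual machine size SKUs" policy has the same form), supplies assignment parameters, and evaluates constructed resources against it to show which deployment would be denied and which existing resources would be audited as non-compliant. The allowed SKU names and the resources are constructed.

```python
"""Author an Azure Policy definition as JSON and evaluate it locally.

Added example, not from the original notes and not Azure's own engine: it
handles only the rule-language subset this definition uses (allOf, not,
field/equals, field/in, parameters()). SKUs and resources are constructed.
"""
import json
import re
from typing import Any, Dict, List, Optional

# Constructed policy definition, in the shape of the .json file you author and
# then assign (the built-in "Allowed virtual machine size SKUs" has this form).
POLICY_JSON = """
{
  "properties": {
    "displayName": "Allowed virtual machine size SKUs (constructed example)",
    "mode": "Indexed",
    "parameters": {
      "listOfAllowedSKUs": {
        "type": "Array",
        "metadata": { "description": "VM sizes that may be deployed." }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
          { "not": { "field": "Microsoft.Compute/virtualMachines/sku.name",
                     "in": "[parameters('listOfAllowedSKUs')]" } }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
"""
POLICY_DEFINITION: Dict[str, Any] = json.loads(POLICY_JSON)

# Constructed assignment parameters: a DS-series allow-list, as in the notes.
ASSIGNMENT_PARAMETERS = {"listOfAllowedSKUs": ["Standard_DS1_v2", "Standard_DS2_v2"]}

# Constructed resources. Azure resolves field aliases against the ARM resource
# body; here each resource is pre-flattened to the alias names the rule reads.
RESOURCES: List[Dict[str, str]] = [
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines",
     "Microsoft.Compute/virtualMachines/sku.name": "Standard_DS2_v2"},
    {"name": "vm-db-01", "type": "Microsoft.Compute/virtualMachines",
     "Microsoft.Compute/virtualMachines/sku.name": "Standard_E16s_v3"},
    {"name": "stlogs01", "type": "Microsoft.Storage/storageAccounts"},
]

PARAM_RE = re.compile(r"^\[parameters\('(\w+)'\)\]$")


def resolve(value: Any, params: Dict[str, Any]) -> Any:
    """Replace a "[parameters('name')]" expression with the assigned value."""
    if isinstance(value, str):
        match = PARAM_RE.match(value)
        if match:
            return params[match.group(1)]
    return value


def condition_matches(cond: Dict[str, Any], resource: Dict[str, str],
                      params: Dict[str, Any]) -> bool:
    """Evaluate one node of the 'if' block against a (flattened) resource."""
    if "allOf" in cond:
        return all(condition_matches(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource, params)
    if "field" in cond:
        actual = resource.get(cond["field"])
        if "equals" in cond:
            return actual == resolve(cond["equals"], params)
        if "in" in cond:
            return actual in resolve(cond["in"], params)
    raise ValueError(f"unsupported condition: {cond}")


def matching_effect(definition: Dict[str, Any], params: Dict[str, Any],
                    resource: Dict[str, str]) -> Optional[str]:
    """Return the effect (e.g. 'deny') when the 'if' block matches, else None."""
    rule = definition["properties"]["policyRule"]
    if condition_matches(rule["if"], resource, params):
        return rule["then"]["effect"].lower()
    return None


def compliance_report(definition: Dict[str, Any], params: Dict[str, Any],
                      resources: List[Dict[str, str]]) -> Dict[str, str]:
    """Audit existing resources as the portal's compliance view would list them.

    A matched 'deny' blocks a new deployment; the same match on a resource that
    already exists is only reported as non-compliant (nothing is deleted).
    """
    report: Dict[str, str] = {}
    for res in resources:
        effect = matching_effect(definition, params, res)
        report[res["name"]] = "compliant" if effect is None else f"non-compliant ({effect})"
    return report
```

Call `compliance_report(POLICY_DEFINITION, ASSIGNMENT_PARAMETERS, RESOURCES)` to see the storage account and the DS2 VM reported compliant and the E16s VM flagged; the rule never touches resources of other types because the `type` condition fails first.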
Policy evaluation results
You can find the Azure Policy section through the search field or All Services.
Azure policy portal...
Removing a policy
Finally, you can delete policy requirements through the portal, or through the PowerShell command Remove-AzPolicyAssignment.
Azure Initiatives
Initiatives are helpful when managing / organising several Azure policies. An initiative definition is a set or group of policy definitions that helps track your compliance state for a larger goal.
Like a policy assignment, an initiative assignment is an initiative definition assigned to a specific scope.
Once defined, initiatives can be assigned just as policies can - and they apply all the associated policy definitions.
Example of defining an initiative
| Policy definition | Purpose |
|---|---|
| Monitor unencrypted SQL Database in Security Center | For monitoring unencrypted SQL databases and servers. |
| Monitor OS vulnerabilities in Security Center | For monitoring servers that do not satisfy the configured baseline. |
| Monitor missing Endpoint Protection in Security Center | For monitoring servers without an installed endpoint protection agent. |
Azure Management Group
Azure Management Groups are containers for managing access, policies, and compliance across multiple Azure subscriptions.
Management groups allow you to order your Azure resources hierarchically into collections, which provide a further level of classification that is above the level of subscriptions.
Governance hierarchy using management group
You can create management groups by using the Azure portal, Azure PowerShell, or Azure CLI.
After you select Save on your first management group, a root management group is created in the Azure Active Directory (Azure AD) organisation. By default, the root management group's display name is Tenant root group.
Azure Blueprints
Azure Blueprints tooling helps with auditing, traceability, and compliance of deployments against organisational, government, and industry standards.
The Azure Blueprints service is designed to help with environment setup. This setup often consists of a set of resource groups, policies, role assignments, and Resource Manager template deployments. A blueprint is a package to bring each of these artifact types together and allow you to compose and version that package—including through a CI/CD pipeline. Ultimately, each setup is assigned to a subscription in a single operation that can be audited and tracked.
1. Create Azure blueprint
2. Assign blueprint
3. Track blueprint assignments
Blueprint vs. Azure Resource Manager Template
Nearly everything that you want to include for deployment in Blueprints can be accomplished with a Resource Manager template. However, a Resource Manager template is a document that doesn't exist natively in Azure. Resource Manager templates are stored either locally or in source control. The template gets used for deployments of one or more Azure resources, but once those resources deploy there's no active connection or relationship to the template.
Blueprint vs. Azure Policy
A blueprint is a package or container for composing focus-specific sets of standards, patterns, and requirements related to the implementation of Azure cloud services, security, and design that can be reused to maintain consistency and compliance.
A policy is a default-allow and explicit-deny system focused on resource properties during deployment and for already existing resources. It supports cloud governance by validating that resources within a subscription adhere to requirements and standards.
A policy can be included as one of many artifacts in a blueprint definition.
Azure Compliance Manager
- Compliance Manager makes it easy to perform risk assessments of Microsoft's cloud services.
- Use it to manage your organisation's compliance activities from implementation to reporting.
- There are four sources as below:
- Microsoft Privacy Statement
- The Microsoft privacy statement explains what personal data Microsoft processes, how Microsoft processes it, and for what purposes.
- MS Trust Centre
- Trust Center is a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services.
- Service Trust Portal
- The Service Trust Portal is a companion to the Trust Center.
- The Service Trust Portal (STP) hosts the Compliance Manager service, and is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft's cloud services. STP users can download audit reports produced by external auditors and gain insight from Microsoft-authored reports that provide details on how Microsoft builds and operates its cloud services.
- STP allows you to:
- Access audit reports on a single page
- Access compliance guides
- Access trust documents
- Compliance Manager
- Compliance manager is a workflow-based risk assessment dashboard within Service Trust Portal that enables you to track, assign, and verify your organisation's regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure.
- Enables you to assign, track and record compliance assessment activities.
- Provides compliance score.
- Provides a secure repository in which to upload and manage evidence and other artifacts related to compliance activities.
- Produces richly detailed reports in Microsoft Excel that document the compliance activities.
- Provides recommended actions you can take to improve regulatory compliance.
Monitor Service Health
Two primary sources to monitor health of Azure services:
- Azure monitor
- Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.
- Data sources: Azure monitor collects data from various sources...
-- As soon as you create a resource, Azure starts collecting data through Activity Logs.
-- Activity logs record control-plane operations: when resources are created, modified or deleted, by whom, and whether the operation succeeded or failed.
-- Metrics tell you how the resource is performing and the resources that it's consuming.
-- You can extend the data you are collecting by enabling diagnostics.
-- Enable guest-level monitoring (the Azure Diagnostics extension running inside the VM) to collect:
>> Performance counters
>> Event logs
>> Crash dumps
>> Sinks (forward the collected data to Application Insights or Event Hubs)
>> Agent configuration
- Getting Application Data
-- Application Insights is a service that monitors the availability, performance and usage of web applications.
-- Azure Monitor for containers is a service designed to monitor the performance of container workloads.
-- Azure Monitor for VMs is a service that monitors your Azure VMs at scale.
Responding to Alert Conditions
Alerts
Azure Monitor proactively notifies you of critical conditions using alerts, and can potentially attempt to take corrective actions. Alert rules can be based on metric thresholds, log query results, or Activity Log events (including Service Health events), and trigger action groups that send email/SMS, call a webhook, or run an Azure Function, Logic App or Automation runbook.
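The Activity Log lines above (resources created or modified, and by whom) and this alerting paragraph, as an added example that is not part of the original notes: a small detector over Activity Log events in the shape the REST API and `az monitor activity-log list` return (nested operationName.value, status.value, category.value, plus caller, resourceId and correlationId). It raises one alert per completed high-risk control-plane operation and tallies failed attempts by caller. The event lines, the resource IDs and the list of operations treated as high risk are constructed for the example; in Azure itself the equivalent is an Activity Log alert rule, but the logic is the same.

```python
"""Detect security-sensitive control-plane operations in Azure Activity Log events.

Added example, not from the original notes. Events follow the Activity Log
schema (operationName.value, status.value, category.value, correlationId);
the sample events and the high-risk operation list are constructed.
"""
import json
from collections import defaultdict

# Control-plane operations worth alerting on (constructed list for the example).
HIGH_RISK_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write": "role assignment created (privilege grant)",
    "Microsoft.Authorization/locks/delete": "resource lock removed",
    "Microsoft.Authorization/policyAssignments/delete": "policy assignment removed",
    "Microsoft.Network/networkSecurityGroups/securityRules/write": "NSG rule created or changed",
}


def _ev(ts, corr, caller, op, status, resource_id):
    """Build one event in the Activity Log schema (constructed sample data)."""
    return {"eventTimestamp": ts, "correlationId": corr, "caller": caller,
            "operationName": {"value": op}, "status": {"value": status},
            "category": {"value": "Administrative"}, "resourceId": resource_id}


RG = "/subscriptions/0000-sub/resourceGroups/rg-prod/providers"   # constructed ID
# One operation emits several events (Started, then Succeeded or Failed) that share a
# correlationId, so a detector that counts raw events would double-report.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    _ev("2024-05-01T09:00:01Z", "c1", "alice@contoso.com",
        "Microsoft.Authorization/roleAssignments/write", "Started",
        RG + "/Microsoft.Authorization/roleAssignments/1111"),
    _ev("2024-05-01T09:00:02Z", "c1", "alice@contoso.com",
        "Microsoft.Authorization/roleAssignments/write", "Succeeded",
        RG + "/Microsoft.Authorization/roleAssignments/1111"),
    _ev("2024-05-01T09:05:00Z", "c2", "bob@contoso.com",
        "Microsoft.Authorization/locks/delete", "Succeeded",
        RG + "/Microsoft.Authorization/locks/no-delete"),
    _ev("2024-05-01T09:06:00Z", "c3", "alice@contoso.com",
        "Microsoft.Compute/virtualMachines/write", "Succeeded",
        RG + "/Microsoft.Compute/virtualMachines/vm1"),
    _ev("2024-05-01T09:07:00Z", "c4", "mallory@contoso.com",
        "Microsoft.Authorization/roleAssignments/write", "Failed",
        RG + "/Microsoft.Authorization/roleAssignments/2222"),
])


def resource_group_of(resource_id):
    """Extract the resource group name from an ARM resource ID, or None if there is none."""
    parts = resource_id.strip("/").split("/")
    for i, part in enumerate(parts[:-1]):
        if part.lower() == "resourcegroups":
            return parts[i + 1]
    return None


def parse_events(text):
    """Parse newline-delimited JSON events (one event per line)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (alerts, failed): one alert per completed high-risk operation, plus a count of
    failed high-risk attempts per caller (someone probing for permissions they lack)."""
    alerts, failed, seen = [], defaultdict(int), set()
    for e in events:
        op = e["operationName"]["value"]
        if e["category"]["value"] != "Administrative" or op not in HIGH_RISK_OPERATIONS:
            continue
        status = e["status"]["value"]
        if status == "Failed":
            failed[e["caller"]] += 1
        elif status == "Succeeded" and e["correlationId"] not in seen:
            seen.add(e["correlationId"])   # report each operation once, not per event
            alerts.append({
                "time": e["eventTimestamp"],
                "caller": e["caller"],
                "operation": op,
                "description": HIGH_RISK_OPERATIONS[op],
                "resourceGroup": resource_group_of(e["resourceId"]),
                "resourceId": e["resourceId"],
            })
    return alerts, dict(failed)


if __name__ == "__main__":
    found, attempts = detect(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f"[ALERT] {a['time']} {a['caller']} {a['description']} in {a['resourceGroup']}")
    for who, n in attempts.items():
        print(f"[WARN] {who}: {n} failed high-risk attempt(s)")
```

The same rule expressed natively (assumed CLI invocation, not run here) is an Activity Log alert such as `az monitor activity-log alert create --name lock-removed --resource-group rg-ops --scope /subscriptions/<id> --condition "category=Administrative and operationName=Microsoft.Authorization/locks/delete" --action-group <action-group-id>`; the Python version is useful when the events are exported to a SIEM or reviewed offline after an incident.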
Autoscale
Azure Monitor uses Autoscale to ensure that you have the right amount of resources running to manage the load on your application effectively.
Visualise monitoring data
Can be done through
- Dashboards
- Views
- Power BI
Azure Service Health
Azure Service Health is a suite of experiences that provide personalised guidance and support when issues with Azure services affect you (outages, planned maintenance). When troubleshooting, it tells you whether the platform itself has an issue that is causing problems for your application.
Azure Monitor, on the other hand, identifies issues "at my end" (in your own resources and code).
Both together help during troubleshooting: check Service Health first to rule out a platform problem, then use Azure Monitor to investigate your own resources.
Azure service health comprises:
1. Azure status - provides a global, non-personalised view of the health of Azure services across all regions.
2. Service Health - provides customisable dashboards that track the state of the Azure services and regions you actually use (outages, planned maintenance, health advisories), with alerts you can route to an action group.
3. Resource Health - shows the health of your individual resources and helps you diagnose and get support when an Azure service issue affects them.
Azure Resource Manager
1. Resource Groups -- are containers for resources you deploy on Azure
You place resources of similar usage, type, or location in the same resource group.
2. Tags - also provide a way to organise your Azure resources. You can tag a resource or a resource group with, for example, its cost centre or billing department.
Tags are name/value pairs of text data that you can apply to resources and resource groups. Tags let you associate custom details with a resource in addition to its standard Azure properties (name, type, location, resource group), for example:
Department, environment, cost centre, lifecycle and automation (such as scheduled shutdown)...
A resource can have up to 50 tags.
Tags are not inherited: a tag set on a resource group is not automatically applied to the resources inside it.
Tags and Resource Groups are a great way to organise existing resources. To ensure new resources also follow the same rules (for example, carry a mandatory tag or are created only in approved regions), use Azure Policy, which can deny non-compliant deployments or append/inherit tags.
RBAC provides fine-grained access control so that the structure you have set up (resource groups, tags, policies, locks) can only be changed by principals who are allowed to change it.
Resource groups can be created via
> Azure portal
> Azure PowerShell
> Azure CLI
> Resource Manager templates
> Azure SDKs
-- Create a resource group, then add existing resources to it (a resource belongs to exactly one resource group and can usually be moved to another).
>> Use a consistent naming convention.
-- You can organise resources for billing
-- organise for authorisation (role assignments made on the resource group apply to everything in it)
-- organise for lifecycle (for a particular project, a test campaign, etc.)
(Deleting a resource group deletes all resources within it!)
Create Policy
RBAC
Using RBAC, you can:
- Allow one user to manage VMs in a subscription, and another user to manage virtual networks.
- Allow a database administrator (DBA) group to manage SQL databases in a subscription.
- Allow a user to manage all resources in a resource group, such as VMs, websites, and virtual subnets.
- Allow an application to access all resources in a resource group.
Role assignments are made at a scope (management group, subscription, resource group, or individual resource) and are inherited by everything below that scope. Permissions are additive, so assign the narrowest built-in role (for example Reader or Virtual Machine Contributor rather than Contributor or Owner) at the narrowest scope that does the job.
Resource Locks
Resource locks are a setting that can be applied to any resource to block modification or deletion. A lock is set to either Delete (CanNotDelete) or Read-only (ReadOnly). Delete allows all operations against the resource but blocks deleting it. Read-only allows only read operations, blocking any modification or deletion of the resource. Note that some management operations that look like reads are actually POST calls and are blocked by a ReadOnly lock (listing storage account keys is the usual example).
Resource locks can be applied to
- subscriptions,
- resource groups, and
- individual resources, and are inherited when applied at higher levels; the most restrictive lock in the inheritance chain takes precedence.
Creating or removing a lock requires Microsoft.Authorization/locks/* permission, which among the built-in roles only Owner and User Access Administrator have, so a lock protects against accidental deletion by Contributors and automation, not against a malicious or compromised Owner.
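How RBAC and resource locks combine, as an added example that is not part of the original notes: a simplified model of the control-plane authorization decision for an operation on a resource ID. Role assignments are additive and inherit down the scope hierarchy (subscription, then resource group, then resource), Actions/NotActions use Azure's wildcard form, and locks inherit too with the most restrictive one winning. The role definitions are abridged, and the principals, assignments, locks and resource IDs are constructed for the example; the model ignores deny assignments, data actions and ABAC conditions that the real engine also evaluates.

```python
"""Simplified model of Azure control-plane authorization: RBAC inheritance plus locks.

Added example, not from the original notes. Role definitions are abridged
copies of the built-in ones; principals, scopes and locks are constructed.
"""
from fnmatch import fnmatchcase

# Abridged Actions/NotActions of some built-in roles, in Azure's wildcard form.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}

SUB = "/subscriptions/0000-sub"                                        # constructed IDs
RG = SUB + "/resourceGroups/rg-prod"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
LOCK = RG + "/providers/Microsoft.Authorization/locks/no-delete"
ASSIGNMENTS = [("alice", "Owner", SUB), ("bob", "Contributor", RG), ("carol", "Reader", RG)]
LOCKS = [(RG, "CanNotDelete")]   # one lock on the resource group, inherited by vm1


def _in_scope(scope, resource_id):
    """A scope covers a resource ID when it equals it or is a path prefix of it (case-insensitive)."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def _action_matches(pattern, action):
    # Azure treats '*' as matching any characters, including '/' separators.
    return fnmatchcase(action.lower(), pattern.lower())


def has_permission(principal, action, resource_id, assignments=ASSIGNMENTS, roles=ROLES):
    """Additive RBAC: any inherited assignment whose role grants (and does not exclude) the action wins."""
    for who, role, scope in assignments:
        if who != principal or not _in_scope(scope, resource_id):
            continue
        defn = roles[role]
        granted = any(_action_matches(a, action) for a in defn["Actions"])
        excluded = any(_action_matches(n, action) for n in defn["NotActions"])
        if granted and not excluded:
            return True
    return False


def effective_lock(resource_id, locks=LOCKS):
    """Most restrictive inherited lock wins; lock objects themselves are not protected by locks."""
    if "/providers/microsoft.authorization/locks/" in resource_id.lower():
        return None
    levels = {level for scope, level in locks if _in_scope(scope, resource_id)}
    if "ReadOnly" in levels:
        return "ReadOnly"
    if "CanNotDelete" in levels:
        return "CanNotDelete"
    return None


def is_allowed(principal, action, resource_id, assignments=ASSIGNMENTS, locks=LOCKS):
    """Return (allowed, reason): RBAC is checked first, then any lock is applied on top."""
    if not has_permission(principal, action, resource_id, assignments):
        return False, "no role assignment grants the action"
    verb = action.rsplit("/", 1)[-1].lower()
    lock = effective_lock(resource_id, locks)
    if lock == "CanNotDelete" and verb == "delete":
        return False, "blocked by CanNotDelete lock"
    if lock == "ReadOnly" and verb != "read":
        return False, "blocked by ReadOnly lock"
    return True, "allowed"


def demo():
    """Decisions for the constructed principals; note who can and cannot remove the lock."""
    cases = {
        "bob (Contributor) deletes vm1": ("bob", "Microsoft.Compute/virtualMachines/delete", VM),
        "bob (Contributor) writes vm1": ("bob", "Microsoft.Compute/virtualMachines/write", VM),
        "bob (Contributor) removes the lock": ("bob", "Microsoft.Authorization/locks/delete", LOCK),
        "alice (Owner) removes the lock": ("alice", "Microsoft.Authorization/locks/delete", LOCK),
        "carol (Reader) reads vm1": ("carol", "Microsoft.Compute/virtualMachines/read", VM),
        "carol (Reader) writes vm1": ("carol", "Microsoft.Compute/virtualMachines/write", VM),
    }
    return {name: is_allowed(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {name}: {why}")
```

The two outcomes worth noticing are that bob's Contributor role lets him write to the VM but not delete it while the resource-group lock is in place, and that he cannot remove the lock because Contributor's NotActions exclude Microsoft.Authorization/*/Delete, whereas alice as Owner can remove it and then delete anything. That is why a lock is a safety net against mistakes rather than a control against a compromised Owner account.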
Purchasing Azure Products and Services
- Azure products and services are arranged by category.
When you provision an Azure resource, Azure creates one or more meter instances for that resource. The meters track the resources' usage, and generate a usage record that is used to calculate your bill.
For a VM
- Compute hours
- IP address hours
- Data transfer in
- Data transfer out
- Standard managed disk
- Standard managed disk operations
- Standard IO disk
- Standard IO - Block Blob read, write, delete
Factors Affecting Azure Products / Service Costs
- Resource type - depends on the type of resource and how it is configured (size, tier, redundancy)
- Services - Rates differ between Enterprise, Web Direct, Cloud Service Provider, etc. types of subscription services.
- Location - costs vary depending on location.
- Zone 1 - United States, US Government, Europe, Canada, UK, France, Switzerland
- Zone 2 - East Asia, Southeast Asia, Japan, Australia, India, Korea
- Zone 3 - Brazil, South Africa, UAE
- DE Zone 1 - Germany
Azure Pricing Calculator
To make estimates easy for customers to create, Microsoft developed the Azure pricing calculator. The Azure pricing calculator is a free web-based tool that allows you to input Azure services and modify properties and options of the services. It outputs the costs per service and total cost for the full estimate.
- You do all calculations in the product tab.
- The estimate can be exported to Excel, or shared as a URL.
Azure Advisor
Azure Advisor is a free service built into Azure that provides recommendations on high availability, security, performance, operational excellence, and cost. Advisor analyzes your deployed services and looks for ways to improve your environment across each of these areas. The cost recommendations are the focus here, but review the other categories (especially security) as well.
It makes recommendations in the following areas:
- Reduce costs by eliminating unprovisioned Azure ExpressRoute circuits.
- Buy reserved instances to save money over pay-as-you-go.
- Right-size or shutdown underutilized virtual machines.
Azure Cost Management
Azure Cost Management is another free, built-in Azure tool that can be used to gain greater insights into where your cloud money is going. You can see historical breakdowns of what services you are spending your money on and how it is tracking against budgets that you have set. You can set budgets, schedule reports, and analyze your cost areas.
Ways to Save on Infra Costs
- Use Azure Credits
- Use spending limits
- Use reserved instances
- Choose low cost locations and regions
- Research available cost-saving offers
- Right size un-utilised virtual machines
- Deallocate VMs in off hours
- Delete unused VMs
- Migrate to PaaS or SaaS services
Save on Licensing Costs
- Check whether the workload runs on Linux or Windows; some products and services are priced differently depending on the OS.
- Azure Hybrid Benefit lets you reuse Windows Server licences you already own (with active Software Assurance) on Azure VMs instead of paying for the licence again.
- Azure Hybrid Benefit for SQL Server is an Azure-based benefit that enables you to use your SQL Server licenses with active Software Assurance to pay a reduced rate.
- The Enterprise Dev/Test and Pay-As-You-Go (PAYG) Dev/Test offers are a benefit you can take advantage of to save costs on your non-production environments.
- If you are a customer on an Enterprise Agreement and already have an investment in SQL Server licenses, and they have freed up as part of moving resources to Azure, you can provision bring your own license (BYOL) images off the Azure Marketplace.
- SQL Server Developer edition is a free product licensed for non-production use only. Use it for non-production workloads.