What is Azure
- Azure is Microsoft's cloud platform.
- It is a continually expanding set of cloud services.
How does Azure Work?
Hypervisor
A hypervisor, also known as a virtual machine monitor or VMM, is software that creates and runs virtual machines (VMs). A hypervisor allows one host computer to support multiple guest VMs by sharing its physical resources, such as memory and processing, among them.
Type 1 - Bare-metal hypervisor: the virtualisation software is installed directly on the hardware, where an OS would normally sit. Because there is no general-purpose host OS underneath it, the attack surface is much smaller than with a Type 2 design (it is not immune to attack, but there is far less to attack). Azure hosts run a Type 1 hypervisor based on Hyper-V.
Type 2 - Hosted hypervisor: the virtualisation software runs as a program on top of an ordinary operating system, so it inherits that OS's attack surface.
A hypervisor reduces:
- Space
- Energy
- Maintenance requirements
User Requests
Can be: create a web app, create a virtual machine, create a load balancer, create a web server VM, etc. Every request goes through Azure Resource Manager, which authenticates and authorises it before anything is provisioned.
Risks
- Resources left running after they are no longer needed, or created without authorisation, cost money and widen the attack surface.
- The controls are Azure's resource access management: role-based access control (RBAC) on who may create what, plus Azure Policy and resource locks to constrain and protect what is created.
Azure Services
8 main categories
- Compute services: performing calculations, executing logic, and running applications.
  - Virtual machines
  - Containers
  - Serverless computing, including microservices
- Cloud storage
  - Disks attached to VMs
  - File shares
  - Databases
  - All of these can expand or shrink as necessary
- Networking
  - Lets you set up private network connections from on-premises to Azure.
- App hosting
  - Lets you run your entire web app on a managed platform on Windows or Linux.
  - The Azure Marketplace has a range of products including SAP, SQL Server, etc.
- Artificial Intelligence
  - ML
  - Pre-built cognitive services
- IoT
  - Integrate sensors and devices and manage them with IoT Hub; create dashboards, etc., to monitor and control them.
- Integration
  - Logic Apps
  - Service Bus
  - Connect applications and services; workflows orchestrate business processes.
- Security
  - Integrated into Azure
Most commonly used categories are:
- Compute
- Networking
- Storage
- Mobile
- Databases
- Web
- IoT
- Big Data
- AI
- DevOps
Compute
Service name | Service function
Azure Virtual Machines | Windows or Linux virtual machines (VMs) hosted in Azure
Azure Virtual Machine Scale Sets | Scaling for Windows or Linux VMs hosted in Azure
Azure Kubernetes Service | Enables management of a cluster of VMs that run containerized services
Azure Service Fabric | Distributed systems platform. Runs in Azure or on-premises
Azure Batch | Managed service for parallel and high-performance computing applications
Azure Container Instances | Run containerized apps on Azure without provisioning servers or VMs
Azure Functions | An event-driven, serverless compute service
Networking
Service name | Service function
Azure Virtual Network | Logically isolated private network in Azure for your VMs and services; can be segmented into subnets and connected to on-premises networks over VPN or ExpressRoute
Azure Load Balancer | Balances inbound and outbound connections to applications or service endpoints
Azure Application Gateway | Layer-7 (HTTP/HTTPS) load balancer for web applications, with an optional web application firewall
Azure VPN Gateway | Connects on-premises networks or clients to Azure Virtual Networks over encrypted VPN tunnels
Azure DNS | Hosts DNS domains in Azure, with fast responses and high domain availability
Azure Content Delivery Network | Delivers high-bandwidth content to customers globally
Azure DDoS Protection | Protects Azure-hosted applications from distributed denial of service (DDoS) attacks
Azure Traffic Manager | Distributes network traffic across Azure regions worldwide (DNS-based)
Azure ExpressRoute | Connects to Azure over high-bandwidth, dedicated private connections that do not traverse the public internet (private, but not encrypted by default)
Azure Network Watcher | Monitors and diagnoses network issues using scenario-based analysis (packet capture, flow logs, connectivity checks)
Azure Firewall | Managed, highly available, cloud-scale network firewall with built-in scalability
Azure Virtual WAN | Creates a unified wide area network (WAN), connecting local and remote sites
Storage
Service name | Service function
Azure Blob storage | Storage service for very large objects, such as video files or bitmaps
Azure File storage | File shares that you can access and manage like a file server
Azure Queue storage | A data store for queuing and reliably delivering messages between applications
Azure Table storage | A NoSQL key/attribute store for structured data that has no fixed schema
Mobile
- Azure enables developers to create mobile backend services for iOS, Android, and Windows.
- E.g. corporate sign-in, connecting to on-premises resources such as SAP, Oracle, SQL Server, etc.
- Other features include
- Offline data sync
- Connectivity to on-premises data
- Broadcasting push notifications.
- Autoscaling to match business needs.
Databases
Service name | Service function
Azure Cosmos DB | Globally distributed database that supports NoSQL options
Azure SQL Database | Fully managed relational database with auto-scale, integral intelligence, and robust security
Azure Database for MySQL | Fully managed and scalable MySQL relational database with high availability and security
Azure Database for PostgreSQL | Fully managed and scalable PostgreSQL relational database with high availability and security
SQL Server on VMs | Host enterprise SQL Server apps in the cloud
Azure Synapse Analytics | Fully managed data warehouse with integral security at every level of scale at no extra cost
Azure Database Migration Service | Migrates your databases to the cloud with no application code changes
Azure Cache for Redis | Caches frequently used and static data to reduce data and application latency
Azure Database for MariaDB | Fully managed and scalable MariaDB relational database with high availability and security
Web
- Build and host web apps, and HTTP-based web services
Service name | Description
Azure App Service | Quickly create powerful cloud web-based apps
Azure Notification Hubs | Send push notifications to any platform from any back end
Azure API Management | Publish APIs to developers, partners, and employees securely and at scale
Azure Cognitive Search | Fully managed search as a service
Web Apps feature of Azure App Service | Create and deploy mission-critical web apps at scale
Azure SignalR Service | Add real-time web functionality easily
IoT
Service name | Description
IoT Central | Fully managed global IoT software as a service (SaaS) solution that makes it easy to connect, monitor, and manage your IoT assets at scale
Azure IoT Hub | Messaging hub that provides secure, authenticated communication with, and monitoring of, millions of IoT devices
IoT Edge | Push your data analysis models directly onto your IoT devices, allowing them to react quickly to state changes without needing to consult cloud-based AI models
Big Data
Service name | Description
Azure Synapse Analytics | Run analytics at massive scale using a cloud-based Enterprise Data Warehouse (EDW) that uses massively parallel processing (MPP) to run complex queries quickly across petabytes of data
Azure HDInsight | Process massive amounts of data with managed Hadoop, Spark and other open-source analytics clusters in the cloud
Azure Databricks | Collaborative Apache Spark-based analytics service that can be integrated with other Big Data services in Azure
AI
AI and Machine Learning services are:
Service name | Description
Azure Machine Learning Service | Cloud-based environment you can use to develop, train, test, deploy, manage, and track machine learning models. It can auto-generate a model and auto-tune it for you. It lets you start training on your local machine and then scale out to the cloud
Azure Machine Learning Studio | Collaborative, drag-and-drop visual workspace where you can build, test, and deploy machine learning solutions using pre-built machine learning algorithms and data-handling modules
Cognitive Services are:
Service name | Description
Vision | Image-processing algorithms to identify, caption, index, and moderate your pictures and videos
Speech | Convert spoken audio into text, use voice for verification, or add speaker recognition to your app
Knowledge mapping | Map complex information and data in order to solve tasks such as intelligent recommendations and semantic search
Bing Search | Add Bing Search APIs to your apps and harness the ability to comb billions of webpages, images, videos, and news with a single API call
Natural Language Processing | Allow your apps to process natural language with pre-built scripts, evaluate sentiment and learn how to recognise what users want
DevOps
Service name | Description
Azure DevOps | Azure DevOps Services (formerly known as Visual Studio Team Services, or VSTS) provides development collaboration tools including high-performance pipelines, free private Git repositories, configurable Kanban boards, and extensive automated and cloud-based load testing
Azure DevTest Labs | Quickly create on-demand Windows and Linux environments you can use to test or demo your applications directly from your deployment pipelines
Azure Data Centre and Regions
- Azure is made up of data centres around the world.
- When you are using a resource such as a SQL database or a virtual machine, you are using equipment at one of these locations.
- Azure organizes these data centres into REGIONS.
- A region is a geographical area on the planet containing at least one, but potentially multiple datacenters that are nearby and networked together with a low-latency network. Azure intelligently assigns and controls the resources within each region to ensure workloads are appropriately balanced.
- Some resources are available in only some REGIONS.
- Azure regions give the flexibility of bringing applications closer to your users.
Azure Geographies
An Azure geography is a discrete market typically containing two or more regions that preserve data residency and compliance boundaries.
- Americas
- Europe
- Asia Pacific
- Middle East and Africa
Geographies exist to meet:
> Compliance needs
> Data residency, sovereignty, and resiliency needs
> Fault tolerance needs
Availability Zones
- Availability Zones are physically separate locations within an Azure region, each with independent power, cooling and networking.
- Each availability zone is made up of one or more data centres.
- If one zone goes down, the others continue working, so zone-redundant deployments survive a datacenter-level failure.
NOT EVERY REGION HAS SUPPORT FOR AVAILABILITY ZONES.
The following regions have a minimum of three separate zones to ensure resiliency.
- Central US
- East US 2
- West US 2
- West Europe
- France Central
- North Europe
- Southeast Asia
Region Pairs
Each Azure region is paired with another region within the same geography, generally at least 300 miles apart.
> Allows replication of resources across the pair.
> Helps reduce the impact of natural disasters, civil unrest, power outages, physical network outages, etc.
If a region in a pair were affected by a natural disaster, services that are geo-redundant across the pair (for example geo-redundant storage) can fail over to the other region. This is not automatic for every service: most customer workloads have to be deployed in both regions and designed to fail over.
- If there is an extensive outage, one region out of every pair is prioritised for restoration.
- Platform updates are rolled out to one region of a pair at a time, to minimise downtime and the risk of application outage.
- Data stays within the same geography as its pair, for tax and law-enforcement jurisdiction purposes.
Summary figure: geographies and Azure regional pairs.
Azure SLAs
- Performance targets
  - Are specific to each Azure product or service.
  - Uptime and connectivity guarantees.
  - Range from 3 9's (99.9%) to 5 9's (99.999%) - first figure below.
- Through SLAs, Azure describes how Microsoft will respond when a product or service falls short of its target, by giving service credits.
- The customer may have a discount applied to their bill as compensation for under-performance. Credits have to be claimed, and they compensate for the bill, not for the business impact of the outage.
Composite SLAs
- The resultant SLA obtained by combining the SLAs of the components an application depends on is called a composite SLA.
Example below.
Web App SLA is 99.95%, SQL DB SLA is 99.99%. If either of these two fails, the application fails, so both must be up at once. The composite SLA here is 99.95% x 99.99% = 99.94%.
NOTE: THE COMPOSITE SLA IS LOWER THAN EITHER INDIVIDUAL SLA, i.e. the combined probability of failure is higher than either component's on its own.
Now add a queue as a fallback path for the database (writes go to the queue when the DB is unavailable):
- With this design, the application is still available even if the DB fails.
- The application fails only if both DB and Queue fail simultaneously.
- Adding the Queue to the web app, the composite SLA is:
  - Failure % for SQL DB is 100% - 99.99% = 0.01%, which is 0.01/100 = 0.0001
  - Failure % for Queue is 100% - 99.9% = 0.1%, which is 0.1/100 = 0.001
  - Joint probability of failure for SQL DB and Queue is 0.0001 x 0.001 = 0.0000001
  - Probability of uptime for "either SQL DB or Queue" = 1 - 0.0000001 = 0.9999999 = 99.99999%
  - Composite SLA is therefore 99.95% x 99.99999% = 99.95% (more precisely 99.949995%)
These figures assume the components fail independently and that the fallback path really is equivalent for the user. A shared dependency (same region, same network, same identity provider) breaks the independence assumption, and the real composite is then lower than the arithmetic suggests.
Resiliency
Resiliency is the ability of a system to recover from failure as soon as possible. It's not about failure but about jumping back to normalcy with the least amount of downtime or data loss.
AVAILABILITY and DISASTER RECOVERY are the two key components of resiliency.
- Architecture needs to be designed for resiliency
- Perform FMEA - Failure Mode Effect Analysis for infra when designing.
- If Application SLA is 4 9's, then the Azure solution must be self-diagnosing and self-healing (can't be manual to achieve the target).
- SLA performance targets above 4 9's are difficult to achieve.
Azure Management
- Azure portal - to interact with Azure via a GUI
- Azure PowerShell / Azure command line - command line, automation based interactions with Azure.
- Azure Cloud Shell - Web-based CLI
- Azure Mobile App - for monitoring and managing your resources from your mobile device.
Azure Portal
Azure Powershell
Is a module that can be installed for Windows Powershell or PowerShell Core - runs on Windows, Linux, Mac OS. Helps to connect to Azure to manage resources.
Azure CLI
A cross-platform CLI that connects to Azure and executes admin commands.
Azure Cloud Shell
Browser accessible interactive command prompt to manage Azure resources
You can switch between Bash or PowerShell.
Azure Mobile App
Access, manage, monitor all your Azure accounts, resources, etc.
Azure Advisor
- Get proactive, actionable, and personalized best practice recommendations.
- Improve the performance, security, and high availability of your resources as you identify opportunities to reduce your overall Azure costs.
- Get recommendations with proposed actions inline.
Azure Portal Dashboards
Azure New Features
- New Azure features are first made available for beta testing and other pre-release use, then released to all customers as part of the default Azure product set (called General Availability).
  - Private preview - for specific customers
  - Public preview - for all customers (preview features are not covered by the SLA and are not meant for production use)
Azure Compute
Virtual Machines - software emulations of physical computers
Containers - a virtualisation environment for running applications. Unlike VMs, containers don't include their own OS kernel; they share the kernel of the host OS that runs the container, which is why they start faster and use fewer resources.
Azure App Service - is a platform-as-a-service (PaaS) offering in Azure that is designed to host enterprise-grade web-oriented applications.
Serverless Computing
Serverless computing is a cloud-hosted execution environment that runs your code but completely abstracts the underlying hosting environment. You create an instance of the service, and you add your code; no infrastructure configuration or maintenance is required.
Azure Virtual Machines
VMs provide an abstraction layer for CPU, Memory and Storage.
Use VMs
- During testing and development
- When running applications in the cloud
- When extending your data centre to the cloud.
- During disaster recovery
-- You can run single VMs or can group together VMs to provide high availability, scalability and redundancy.
Availability sets
- A logical grouping of two or more VMs in the same region, so that they are not all subject to the same planned or unplanned event.
- VMs in an availability set are spread across update domains, so that planned maintenance has the least impact. An update domain is a group of VMs and underlying physical hardware that can be rebooted at the same time; only one update domain is rebooted at a time. Update domains are a logical construct within each data centre, implemented with software and logic.
- During unplanned events (hardware failure), affected VMs are restarted on a working physical server.
- Fault domain - VMs that share common hardware (power source and network switch) are in the same fault domain. A fault domain is essentially a rack of servers. VMs in an availability set are also spread across fault domains, so a single rack failure does not take them all down.
Virtual Machine Scale Sets
Azure Virtual Machine Scale Sets let you create and manage a group of identical, load balanced VMs
Scale sets allow you to centrally manage, configure, and update a large number of VMs in minutes to provide highly available applications. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule.
Azure Batch
Azure Batch enables large-scale job scheduling and compute management with the ability to scale to tens, hundreds, or thousands of VMs.
Batch does the following:
- Starts a pool of compute VMs for you
- Installs applications and staging data
- Runs jobs with as many tasks as you have
- Identifies failures
- Requeues work
- Scales down the pool as work completes
Azure Containers
- A container is a packaged runtime environment, built on top of a host OS, that executes your application in isolation from other containers.
- Run multiple instances of an application on a single host machine.
- Run many different applications, each in its own isolated container, on one host; they all share the host kernel, so Linux containers need a Linux host and Windows containers a Windows host.
- A container orchestrator can start, stop, and scale out application instances.
- Containers are lighter than VMs.
- Can run multiple isolated applications on a single container host.
- Containerised apps are smaller in size.
- Apps are quicker to launch.
- The development process is simplified because the development environment is the same image that runs in production.
- If you want complete control of the environment (including the kernel), choose a VM; if you want portability and density, go for containers. Container isolation is weaker than VM isolation because the kernel is shared, so untrusted workloads should not share a container host.
VMs vs. Containers
- VMs provide an abstraction layer for CPU, memory and storage.
- A VM runs only one OS at a time, with its own kernel.
- VMs virtualise the hardware, while containers virtualise the OS (all containers on a host share its kernel).
Azure containers
- Azure Container Instances (ACI) - a PaaS offering that lets you run a container directly, billed per second, without provisioning or managing VMs. It has no orchestration or autoscaling of its own, so it suits simple or bursty single-container jobs.
- Azure Kubernetes Service (AKS) - Azure Kubernetes Service (AKS) is a complete orchestration service for containers with distributed architectures with multiple containers.
Migrating Apps to Containers
- You convert an existing application to one or more containers and then publish one or more container images to the Azure Container Registry.
- By using the Azure portal or the command line, you deploy the containers to an AKS cluster.
- Azure AD controls access to AKS resources.
- You access SLA-backed Azure services, such as Azure Database for MySQL, via the Open Service Broker for Azure (OSBA).
- Optionally, AKS is deployed with a virtual network.
Azure App Service
Enables you to build and host web apps, background jobs, mobile backends, and RESTful APIs in the programming language of your choice without managing infrastructure. It offers automatic scaling and high availability.
Common App service styles include:
- Web Apps - full support for hosting web apps using ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python. You can choose either Windows or Linux as the host operating system.
- API Apps - you can build REST-based Web APIs using your choice of language and framework. You get full Swagger support, and the ability to package and publish your API in the Azure Marketplace.
- WebJobs - WebJobs allow you to run a program (.exe, Java, PHP, Python, or Node.js) or script (.cmd, .bat, PowerShell, or Bash) in the same context as a web app, API app, or mobile app. They can be scheduled, or run by a trigger. WebJobs are often used to run background tasks.
- Mobile Apps - You can use this to quickly build a back-end for iOS and Android apps. With just a few clicks in the Azure portal you can:
- Store mobile app data in a cloud-based SQL database
- Authenticate customers against common social providers such as Microsoft account (MSA), Google, Twitter, and Facebook
- Send push notifications
- Execute custom back-end logic in C# or Node.js
Azure Serverless Computing
- Serverless computing is the abstraction of servers, infrastructure, and OSs.
- Azure takes care of managing the server infrastructure and allocation/deallocation of resources based on demand.
Serverless Computing encompasses three ideas:
- Abstraction of servers
- Serverless computing abstracts the servers you run on. You never explicitly reserve server instances; the platform manages them for you. Each function execution can run on a different compute instance, and this is transparent to the code. With this architecture, you worry only about deploying code, which then runs with high availability.
- Event driven scale
- Instead of writing an entire application, the developer writes a function which contains both code and meta data about its triggers and bindings.
- Serverless computing responds to incoming triggers / events (e.g. a function runs everyday at 10:00 am UTC, etc.).
- The platform automatically schedules the function to run based on the trigger / event and scales the number of compute instances based on the rate of coming events.
- Trigger defines how the function is invoked.
- Bindings provide ways to connect services from within the code.
- Micro billing
- Even if a customer's website gets only one hit a day, they still pay for a full day's worth of availability. With serverless computing, they pay only for the time their code runs.
- For example, if the code runs once a day for two minutes, they're charged for one execution and two minutes of computing time.
There are two flavours of Azure Serverless Computing
- Azure functions:
When you're concerned only about the code running your service, and not the underlying platform or infrastructure, Azure Functions are ideal. They're commonly used when you need to perform work in response to an event, often via a REST request, timer, or message from another Azure service and when that work can be completed quickly, within seconds or less.
> They scale based on demand.
- Azure Logic Apps:
Logic Apps execute workflows, whereas Azure Function execute code.
Both are triggered by logic based on an event.
Many triggers include basic scheduling capabilities.
You create Logic App workflows using a visual designer on the Azure portal or in Visual Studio.
Example...
As an example, let's say a ticket arrives in Zendesk. You could:
- Detect the intent of the message with cognitive services
- Create an item in SharePoint to track the issue
- If the customer isn't in your database, add them to your Dynamics 365 CRM system
- Send a follow-up email to acknowledge their request
Functions vs. Logic Apps
Azure Data Storage
Benefits
- Automated backup and recovery
- Replication across globe
- Support for data analytics
- Encryption capabilities
- Multiple data types (video, text, binary etc.)
- Data storage in virtual disks (managed disks of up to 32 TiB each).
- Storage tiers prioritise access to data based on frequently used vs. rarely used information.
Types of Data
- Structured data
  - Structured data is data that adheres to a schema, so all of the data has the same fields or properties. Structured data can be stored in a database table with rows and columns.
- Semi-structured data
  - Semi-structured data does not fit into tables, rows and columns; it is organised with tags or keys (for example JSON or key/value documents). Semi-structured data is also referred to as non-relational or NoSQL data.
- Unstructured data
- BLOB - PDF, JPG, JSON, video content, etc.
Azure SQL Database
- Azure SQL Database is a relational database as a service (DBaaS) based on the latest stable version of the Microsoft SQL Server database engine.
Azure Cosmos DB
Is a globally distributed database service.
Azure BLOB Storage
Azure Blob Storage is unstructured, meaning that there are no restrictions on the kinds of data it can hold. Blobs are highly scalable and apps work with blobs in much the same way as they would work with files on a disk, such as reading and writing data. Blob Storage can manage thousands of simultaneous uploads, massive amounts of video data, constantly growing log files, and can be reached from anywhere with an internet connection.
Azure Datalake
Data Lake is a large repository that stores both structured and unstructured data in its raw form and allows you to run analytics over it and prepare reports.
Azure Files
Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol.
Azure Queue
Azure Queue storage is a service for storing large numbers of messages that can be accessed from anywhere in the world.
Queue storage provides asynchronous message queueing for communication between application components, whether they are running in the cloud, on the desktop, on-premises, or on mobile devices.
Disk Storage
Disk storage provides disks for virtual machines, applications, and other services to access and use as they need, similar to how they would in on-premises scenarios. Disk storage allows data to be persistently stored and accessed from an attached virtual hard disk. Disks can be managed (Azure handles the underlying storage account, replication and placement) or unmanaged (a legacy option, now being retired, where you manage the VHD files in your own storage account). Typical scenarios for using disk storage are lift-and-shift of applications that read and write data to persistent disks, or storing data that does not need to be accessed from outside the virtual machine to which the disk is attached.
> SSD
> HDD
Storage Tiers
- Hot Storage Tier
- Optimised for storing data that is accessed frequently.
- Cool Storage Tier
- Optimised for data that is infrequently accessed and stored for at least 30 days.
- Archive Storage Tier
- For data that is rarely accessed and stored for at least 180 days, with flexible latency requirements: archived blobs must be rehydrated before they can be read, which can take hours.
Encryption
- SSE - Azure Storage Service Encryption, for data at rest.
  - Secures data to meet organisational security and regulatory requirements.
  - Encrypts data before storing it and decrypts it before returning it.
  - Encryption and decryption are transparent to the user; by default Microsoft manages the keys, or you can supply customer-managed keys from Key Vault.
- Client-side encryption
  - Data is encrypted by the client libraries before it is sent to Azure.
  - Azure stores this data as received (encrypted at rest) and never sees the key.
  - On retrieval, the client decrypts the data. This protects the data even if the storage account itself is compromised, at the cost of managing the keys yourself.
Replication
- The replication type is chosen when the storage account is created (it can be changed later).
- The replication feature ensures data is durable and available.
- Azure provides local, zonal and geographic replication: LRS (three copies within one datacenter), ZRS (copies across availability zones), GRS/RA-GRS (copies in the paired region, to protect against regional disasters).
Azure Data Storage vs. On-premises Data Storage
Loosely coupled Architecture
Azure has a loosely coupled architecture and uses n-tier architecture.
Example of an eCommerce website deployed on Azure
Azure Region
- One or more data centres within a specific geographic location make up an Azure region.
Azure Virtual Network
- A logically isolated network on Azure
Azure Network Security Group
- Filters traffic to and from subnets and network interfaces inside a virtual network: a prioritised list of allow/deny rules for inbound and outbound traffic, evaluated in priority order with the first match winning, on top of default rules that allow traffic within the VNet and deny everything else inbound from the Internet.
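How an NSG actually decides, shown as a small model you can run. This is an added example, not from the notes or from Azure's own code: the rule semantics (ascending priority, first match wins, the undeletable default inbound rules at 65000+) are Azure's, but the service-tag prefixes, IP addresses and rule sets are constructed for the example, and only the inbound direction is modelled. It also shows why "there is a Deny rule for SSH" proves nothing on its own: an Allow with a lower priority number is matched first.

```python
# Simplified model of NSG inbound rule evaluation (added example, not from the notes).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # custom rules 100-4096; lower number is evaluated first
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR, "*" or a service tag
    dest_port: str    # "22", "1000-2000" or "*"


# Constructed approximation of two service tags (real tags cover many prefixes).
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/8"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

# Azure's default inbound rules: they cannot be deleted, only overridden by lower priorities.
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _source_matches(spec: str, src_ip: str) -> bool:
    ip = ip_address(src_ip)
    if spec == "*":
        return True
    if spec == "Internet":   # everything that is not inside the virtual network
        return not any(ip in ip_network(c) for c in SERVICE_TAGS["VirtualNetwork"])
    if spec in SERVICE_TAGS:
        return any(ip in ip_network(c) for c in SERVICE_TAGS[spec])
    return ip in ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-"))
        return low <= port <= high
    return int(spec) == port


def evaluate_inbound(rules, protocol: str, src_ip: str, dest_port: int):
    """Return (access, rule name) for the first rule, by priority, that matches the packet."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not (_source_matches(rule.source, src_ip) and _port_matches(rule.dest_port, dest_port)):
            continue
        return rule.access, rule.name
    return "Deny", "(no rule matched)"   # unreachable in practice because of DenyAllInBound


MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}


def internet_exposed_management_ports(rules, probe_ip: str = "203.0.113.7") -> dict:
    """Check for the classic misconfiguration: SSH/RDP reachable from an Internet address."""
    return {name: port for port, name in MANAGEMENT_PORTS.items()
            if evaluate_inbound(rules, "Tcp", probe_ip, port)[0] == "Allow"}


# Constructed rule sets. WEAK looks protected because a Deny rule exists, but the
# Allow at priority 100 is evaluated first, so the Deny at 200 never fires.
WEAK = [
    Rule("AllowSSHFromInternet", 100, "Allow", "Tcp", "Internet", "22"),
    Rule("DenySSH", 200, "Deny", "Tcp", "*", "22"),
]
# HARDENED: allow SSH only from a bastion subnet, then deny SSH from everywhere else.
HARDENED = [
    Rule("AllowSSHFromBastion", 100, "Allow", "Tcp", "10.0.1.0/24", "22"),
    Rule("DenySSHAll", 110, "Deny", "Tcp", "*", "22"),
]

if __name__ == "__main__":
    for label, rules in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, "SSH from Internet:", evaluate_inbound(rules, "Tcp", "203.0.113.7", 22),
              "| exposed:", internet_exposed_management_ports(rules))
```

The same check is worth running against exported NSG JSON before a deployment: anything that answers "Allow" for a public probe address on 22 or 3389 is a finding, whatever Deny rules sit further down the list.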
Azure Load Balancer
Availability
- Availability refers to the proportion of time a service is up and usable.
- High availability refers to a service designed to keep running with very little downtime (measured as an uptime percentage such as 99.99%), typically by removing single points of failure.
Resiliency
- Systems ability to stay operational during abnormal conditions
Load balancing
- Distribute traffic evenly among systems in a pool.
- Load balancer helps achieve both high availability and resiliency.
Azure Load Balancer is a load balancer service that Microsoft provides that helps take care of the maintenance for you. Load Balancer supports inbound and outbound scenarios, provides low latency and high throughput, and scales up to millions of flows for all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) applications. You can use Load Balancer with incoming internet traffic, internal traffic across Azure services, port forwarding for specific traffic, or outbound connectivity for VMs in your virtual network.
Azure load balancer in a multi-tier architecture
Azure Application Gateway
If all your traffic is HTTP, a potentially better option is to use Azure Application Gateway. Application Gateway is a load balancer designed for web applications. It uses Azure Load Balancer at the transport level (TCP) and applies sophisticated URL-based routing rules to support several advanced scenarios.
This type of routing is known as application layer (OSI layer 7) load balancing since it understands the structure of the HTTP message.
Using Azure application gateway has some benefits over a simple load balancer:
- Cookie-based session affinity - keeps all requests from a client session on the same backend server.
- TLS (SSL) termination - the gateway holds the certificates and terminates TLS, and can pass plain HTTP to the backend servers to avoid encryption/decryption overhead. Be aware that this leaves traffic unencrypted between gateway and backend; where that matters, Application Gateway also supports end-to-end TLS to the backends.
- Web application firewall - an optional WAF (based on the OWASP core rule set) with detailed monitoring and logging.
- URL-based routing - routes traffic to different backend pools based on URL path patterns.
- HTTP header rewriting - add, remove or modify inbound and outbound HTTP headers, for example to strip server-identifying headers or add security headers.
Azure DNS
Azure DNS hosts your DNS zones; a record in the zone (for example an A record pointing at the load balancer's public IP) is what sends clients to the load balancer.
Azure Traffic Manager
Traffic Manager is DNS-based: it answers the DNS query (from the resolver closest to the user) with the address of the best endpoint among globally distributed copies of your service, and the client then connects to that endpoint directly.
Reduces network latency
One way to reduce network latency is to provide exact copies of your service in more than one region.
Use Traffic Manager to route users to the closest healthy endpoint.
Load Balancer vs. Traffic Manager
Azure Load Balancer distributes traffic within the same region to make your services more highly available and resilient. Traffic Manager works at the DNS level, and directs the client to a preferred endpoint. This endpoint can be to the region that's closest to your user.
Load Balancer and Traffic Manager both help make your services more resilient, but in slightly different ways. When Load Balancer detects an unresponsive VM, it directs traffic to other VMs in the pool. Traffic Manager monitors the health of your endpoints. When Traffic Manager finds an unresponsive endpoint, it directs traffic to the next closest endpoint that is responsive.
Security and Trust in Azure / Cloud Security
- IaaS - Microsoft provides the VMs and virtual networks. However, it is:
  - our responsibility to patch and secure the OS and software;
  - our responsibility to configure the network securely (NSGs, firewalls, exposed ports).
- PaaS - Azure takes care of the OS and foundational software such as the database engine.
  - Security patches etc. are taken care of by Azure; we still own the application code, its configuration and who can reach it.
- SaaS
  - With SaaS we outsource everything except our data, users and access decisions to the provider.
Note: regardless of the deployment type, we (and not Azure) will retain responsibility for the following items:
1. Data
2. Endpoints
3. Accounts
4. Access Management
Layered approach to Security
MS has a layered approach to security for both its data centres and Azure platform.
Azure Security Centre
Security Center (now Microsoft Defender for Cloud) is a monitoring service that provides threat protection across all of your services, both in Azure and on-premises. It can:
- Provide security recommendations based on configurations, etc.
- Monitor security settings for unauthorised change.
- Apply new security settings for new resources as they come online.
- Continuous monitoring of all services
- Use machine learning to detect and block malware.
- Analyse and identify inbound attacks.
- Provide just in time access controls for ports.
Azure security centre is available in 2 tiers.
1. Free
2. Standard. Full suite of security services.
Identity and Access
Authentication
The process of establishing the identity of a person or a service (proving who you are).
Authorisation
Is the process of establishing what level of access an authenticated person or service has. It specifies what data they are allowed to access and what they can do with it.
Azure AD (Active Directory, now Microsoft Entra ID)
- Is a cloud-based identity service.
- Built-in support for synchronising with an existing on-premises AD.
- Provides authentication.
- Provides SSO.
- Multi-factor authentication - increases the assurance of an identity by requiring more than one of:
  - Something you know (for example a password)
  - Something you possess (for example a phone: an authenticator app prompt, or an SMS code, though SMS is the weakest option because it can be intercepted or SIM-swapped)
  - Something you are (for example, biometrics)
- Provides identities to services through service principals
  - Identity - an identity is a thing, such as a person with a password or a service/server, that can be authenticated.
  - Principal - an identity with certain roles or claims. Identity and principal go together.
  - User principal - an identity used by a person.
  - Service principal - an identity used by a service or application. Like other identities, it can be assigned roles.
- Managed identities make the task of maintaining service principals easier, and remove the need to store a credential in the application at all:
  - There is a service that wants to authenticate.
  - You create a managed identity for it in your organisation's Azure AD tenant.
  - Azure infrastructure automatically takes care of authenticating this service and rotating its credential.
  - Use this identity like any other Azure AD account, including granting the authenticated service access to resources such as Key Vault or storage.
- A close example: a document upload service uses an authenticated identity to upload docs into SAP at Sony Basingstoke.
Role based access control
Identities are mapped to roles (sets of permissions - read only, contributor etc.).
Privileged Identity Management
Azure AD Privileged Identity Management (PIM) is an additional, paid-for offering that provides oversight of role assignments, self-service, and just-in-time role activation and Azure AD and Azure resource access reviews.
Encryption
Encryption is the process of making data unreadable to unauthorised viewers.
> Symmetric encryption -
Uses same key to encrypt and decrypt the data.
> Asymmetric encryption -
Uses a public key and a private key pair.
Encryption at Rest
Data at rest is data that has been stored on a physical medium: the disk of a server, data stored in a DB, data stored in a storage account.
Encryption in Transit
Data in transit is the data actively moving from one location to another - thru internet, thru private n/w.
Encryption on Azure
- Encrypt raw storage
- Azure storage service encrypts data at rest
- Azure storage service encrypts virtual machine disks
- Azure Disk Encryption is a capability that allows encryption of the disks of Windows and Linux IaaS VMs. (Uses BitLocker)
- Encrypt databases
- Transparent Data Encryption (TDE) helps protect Azure SQL DB and Azure DW against malicious activities.
- TDE encrypts the storage of an entire database by using a symmetric key called the database encryption key (DEK).
- Encrypt secrets
- Azure Key Vault
- Azure Key Vault is a centralised cloud service for storing your application secrets. Key Vault helps you control your applications' secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities.
- Secrets management
- Key management (encryption of keys)
- Certificate management.
- Store secrets backed by hardware security modules (HSMs)
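The TDE and Key Vault notes above describe a two-level key hierarchy: a symmetric database encryption key (DEK) encrypts the data, and a key held in Key Vault / an HSM (the TDE protector, a key-encryption key or KEK) encrypts only the DEK. The following is an added example, not Azure's or Microsoft's code, that models this envelope-encryption pattern and goes one step beyond the text by showing why the split matters: rotating the protector re-wraps the DEK without touching the stored data. The Python standard library has no AES, so a labelled toy keystream built from HMAC-SHA256 stands in for the real cipher; the class, function and key names are assumptions made for the illustration.

```python
"""Envelope encryption as used by TDE: DEK encrypts data pages, KEK wraps the DEK.

Added example, not Azure's code. The toy HMAC-SHA256 counter-mode keystream
below stands in for AES; the point demonstrated is the key hierarchy and
protector (KEK) rotation, not the cipher itself."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN, BLOCK = 16, 32, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher: keystream block i = HMAC(key, nonce || i)."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag  (encrypt-then-MAC, fresh random nonce)."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key is rejected, not garbled."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


class EncryptedDatabase:
    """Pages are encrypted with the DEK; only the wrapped DEK depends on the KEK."""

    def __init__(self, kek: bytes):
        dek = os.urandom(32)                    # the DEK never leaves the engine in clear
        self.wrapped_dek = encrypt(kek, dek)    # stored with the DB, useless without the KEK
        self.pages: list[bytes] = []

    def _dek(self, kek: bytes) -> bytes:
        return decrypt(kek, self.wrapped_dek)   # unwrap with the protector held in Key Vault

    def write_page(self, kek: bytes, plaintext: bytes) -> None:
        self.pages.append(encrypt(self._dek(kek), plaintext))

    def read_page(self, kek: bytes, index: int) -> bytes:
        return decrypt(self._dek(kek), self.pages[index])

    def rotate_kek(self, old_kek: bytes, new_kek: bytes) -> None:
        """Rotating the protector re-wraps the DEK only; stored pages are untouched."""
        self.wrapped_dek = encrypt(new_kek, self._dek(old_kek))


def demo() -> dict:
    """Constructed walk-through: write a page, rotate the KEK, read it back."""
    kek_v1, kek_v2 = os.urandom(32), os.urandom(32)
    db = EncryptedDatabase(kek_v1)
    db.write_page(kek_v1, b"customer=alice;card=****1234")   # constructed sample row
    page_before = bytes(db.pages[0])
    db.rotate_kek(kek_v1, kek_v2)
    try:
        db.read_page(kek_v1, 0)
        old_rejected = False
    except ValueError:
        old_rejected = True
    return {
        "plaintext_after_rotation": db.read_page(kek_v2, 0),
        "pages_unchanged": db.pages[0] == page_before,
        "old_kek_rejected": old_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice to notice is that only `wrapped_dek` changes on rotation: with a real database this is why a Key Vault key can be rotated on a schedule without re-encrypting every data file, and why losing access to the Key Vault key (deleted key, revoked permission) makes the database unreadable even though the data itself is intact.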
Azure Certificates
- Service Certificates
- Are used for cloud services and allow secure communication from and to the service.
- Management Certificates
- Are used for authenticating with the management API
- Are used to authenticate with the classic deployment model.
- Many programs and tools (such as Visual Studio or the Azure SDK) use these certificates to automate configuration and deployment of various Azure services. However, these types of certificates are not related to cloud services.
Azure Key Vault with Certificates
- Can store and manage certificates with key vault.
- You can create certificates in key vault
- Create policies to direct key vault to manage certificate lifecycle
- Provide for notifications regarding certification expiry / renewal
- Automatically renew certificates with selected issuers
Network Security
- Azure has a layered security approach to the network (see above sections)
- Azure firewall
- Is a managed, cloud based, network security service that protects Azure virtual network resources.
- Protection for HTTPS, RDP, SSH and FTP protocols
- Azure application gateway
- Is a load balancer that includes a Web application firewall (WAF) that provides protection from common, known vulnerabilities.
- Network Virtual Appliances (NVA) are ideal options for non-HTTP services.
DDoS - Distributed Denial of Service Attacks
Azure DDoS protection is offered in two basic service tiers:
- Basic - Is automatically enabled as part of Azure platform.
- Standard - additional mitigation capabilities.
- Volumetric attacks
- Protocol attacks
- Resource layer attacks
Protecting Shared Documents - AIP / Azure Information Protection
Microsoft Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps organizations classify and optionally protect documents and emails by applying labels.
You can also track and control how the content is used: analyze data flows, detect risky behaviours, track access to documents, and prevent data leakage or misuse of confidential information.
Azure ATP - Advanced Threat Protection
Azure ATP has its own portal, through which you can monitor and respond to suspicious activity. The Azure ATP portal allows you to create your Azure ATP instance, and view the data received from Azure ATP sensors. You can also use the portal to monitor, manage, and investigate threats in your network environment.
ATP Sensors
Installed on Domain Controllers - monitors domain traffic without requiring a dedicated server or configuring port mirror.
ATP cloud service
Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the United States, Europe, and Asia. Azure ATP cloud service is connected to Microsoft's intelligent security graph.
Azure ATP is available as part of the Enterprise Mobility + Security E5 suite (EMS E5) and as a standalone license.
Microsoft Security Development Lifecycle (SDL)
The Microsoft Security Development Lifecycle (Microsoft SDL) is a software development process based on the spiral model, which has been proposed by Microsoft to help developers create applications or software while reducing security issues, resolving security vulnerabilities and even reducing development and maintenance costs. The process is divided into seven phases: training, requirements, design, implementation, verification, release and response.
Infrastructure Standards with Azure Policy
- Azure lets you set up policies for cloud infra and these policies will enforce rules for the created resources thus ensuring compliance with corporate standards, SLAs, etc.
- Azure Policy is an Azure service you use to create, assign and, manage policies. These policies enforce different rules and effects over your resources so that those resources stay compliant with your corporate standards and service level agreements.
- Example -- Imagine we allow anyone in our organization to create virtual machines (VMs). We want to control costs, so the administrator of our Azure tenant defines a policy that prohibits the creation of any VM with more than 4 CPUs. Once the policy is implemented, Azure Policy will stop anyone from creating a new VM outside the list of allowed stock keeping units (SKUs).
- Any VM you add will be checked by policy.
- Azure policy will audit all existing VMs.
- Azure Policy is DIFFERENT FROM RBAC (Role based access control).
- Both Azure policy and RBAC go hand in hand to ensure organisational business rules are applied.
- RBAC
- Manages who has access to Azure resources, what areas they have access to, and what they can do with those resources.
- Example, allow users to access and manage VMs, websites, etc.
- Azure Policy
- Focus on resource properties during deployment and for already existing resources.
- Example, policy to ensure users can only deploy DS series of VMs.
Creating Policy
- Create policy definition --
- tells what to evaluate and what action to take.
- Represented by a .JSON file.
- Assign a definition to a scope of resources. (Apply policy)
- You can assign any of these policies through the Azure portal, PowerShell, or Azure CLI. When you assign a policy definition, you will need to supply any parameters that are defined.
- View policy evaluation results
- Use the Azure portal and the applied policies to identify non compliant resources.
Policy Effects
What happens during the "evaluation process" by the policy?
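The "Creating Policy" steps above (definition as JSON, assignment to a scope with parameters, evaluation results) and the question of what happens during evaluation can be followed end to end with a local model. The block below is an added example, not Azure's own evaluator or a Microsoft sample: the policy JSON follows the real definition schema (`properties.parameters`, `properties.policyRule` with `if`/`then`, the `[parameters('name')]` syntax) and the `Microsoft.Compute/virtualMachines/sku.name` alias used by the built-in "Allowed virtual machine size SKUs" policy, but the subscription names, resources, the alias-to-path table and the small evaluator are constructed for illustration. It also shows the point made above that a `deny` effect blocks a new deployment, while existing resources are only audited as non-compliant.

```python
"""Local walk-through of an Azure Policy definition, assignment and evaluation.

Added example, not Azure's evaluator. Resource bodies, scope names and the
alias table are constructed; the definition schema and alias are real."""
import json
import re
from fnmatch import fnmatchcase

# 1. Policy definition: what to evaluate (if) and what action to take (then).
POLICY_DEFINITION = json.loads("""
{
  "properties": {
    "displayName": "Only allow approved VM SKUs",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "listOfAllowedSKUs": {"type": "Array", "metadata": {"displayName": "Allowed SKUs"}}
    },
    "policyRule": {
      "if": {
        "allOf": [
          {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
          {"field": "Microsoft.Compute/virtualMachines/sku.name",
           "notIn": "[parameters('listOfAllowedSKUs')]"}
        ]
      },
      "then": {"effect": "deny"}
    }
  }
}
""")

# Alias -> path in the resource body (constructed stand-in for Azure's alias table).
ALIASES = {"Microsoft.Compute/virtualMachines/sku.name": ("properties", "hardwareProfile", "vmSize")}

# 2. Assignment: the definition applied to a scope, with parameter values supplied.
ASSIGNMENT = {
    "scope": "/subscriptions/sub-prod",  # constructed subscription id
    "parameters": {"listOfAllowedSKUs": {"value": ["Standard_DS1_v2", "Standard_DS2_v2"]}},
}

# Constructed resources: two VMs in scope, one VM out of scope, one non-VM resource.
SAMPLE_RESOURCES = [
    {"id": "/subscriptions/sub-prod/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/web01",
     "type": "Microsoft.Compute/virtualMachines",
     "properties": {"hardwareProfile": {"vmSize": "Standard_DS2_v2"}}},
    {"id": "/subscriptions/sub-prod/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-big",
     "type": "Microsoft.Compute/virtualMachines",
     "properties": {"hardwareProfile": {"vmSize": "Standard_D16s_v3"}}},
    {"id": "/subscriptions/sub-dev/resourceGroups/rg-lab/providers/Microsoft.Compute/virtualMachines/lab01",
     "type": "Microsoft.Compute/virtualMachines",
     "properties": {"hardwareProfile": {"vmSize": "Standard_D16s_v3"}}},
    {"id": "/subscriptions/sub-prod/resourceGroups/rg-web/providers/Microsoft.Storage/storageAccounts/logs",
     "type": "Microsoft.Storage/storageAccounts", "properties": {}},
]


def resolve_value(value, params):
    """Expand the "[parameters('name')]" template syntax used inside policy rules."""
    if isinstance(value, str):
        m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value)
        if m:
            return params[m.group(1)]["value"]
    return value


def read_field(resource, field):
    """Top-level fields are read directly; aliases are mapped to a property path."""
    if field in ("type", "name", "location"):
        return resource.get(field)
    node = resource
    for key in ALIASES[field]:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def condition_matches(cond, resource, params):
    """Recursively evaluate a policyRule condition; True means the 'if' matched."""
    if "allOf" in cond:
        return all(condition_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource, params)
    actual = read_field(resource, cond["field"])
    if "equals" in cond:
        return actual == resolve_value(cond["equals"], params)
    if "in" in cond:
        return actual in resolve_value(cond["in"], params)
    if "notIn" in cond:
        return actual not in resolve_value(cond["notIn"], params)
    if "like" in cond:
        return actual is not None and fnmatchcase(actual, resolve_value(cond["like"], params))
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, definition=POLICY_DEFINITION, assignment=ASSIGNMENT, *, existing=False):
    """Outcome for one resource: a matching 'deny' blocks a new deployment, but a
    resource that already exists is only reported as non-compliant."""
    if not resource["id"].lower().startswith(assignment["scope"].lower()):
        return "not-applicable"
    rule = definition["properties"]["policyRule"]
    if not condition_matches(rule["if"], resource, assignment["parameters"]):
        return "compliant"
    if rule["then"]["effect"].lower() == "deny" and not existing:
        return "denied"
    return "non-compliant"


def compliance_report(resources):
    """Step 3 of the procedure: the evaluation results for existing resources."""
    return {r["id"].rsplit("/", 1)[-1]: evaluate(r, existing=True) for r in resources}


if __name__ == "__main__":
    for name, state in compliance_report(SAMPLE_RESOURCES).items():
        print(f"{name:8} {state}")
```

Running it lists `web01` as compliant, `vm-big` as non-compliant (it would have been denied at deployment time), `lab01` as not applicable because the assignment scope is `sub-prod` only, and the storage account as compliant because the `type` condition never matches it.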
Policy evaluation results
You can find the Azure Policy section through the search field or All Services.
Azure policy portal...
Removing a policy
Finally, you can delete policy requirements through the portal, or through the PowerShell command Remove-AzPolicyAssignment.
Azure Initiatives
Initiatives are helpful when managing / organising several Azure policies. An initiative definition is a set or group of policy definitions to help track your compliance state for a larger goal.
Like a policy assignment, an initiative assignment is an initiative definition assigned to a specific scope.
Once defined, initiatives can be assigned just as policies can - and they apply all the associated policy definitions.
Example of defining an initiative
Policy definition | Purpose
Monitor unencrypted SQL Database in Security Center | For monitoring unencrypted SQL databases and servers.
Monitor OS vulnerabilities in Security Center | For monitoring servers that do not satisfy the configured baseline.
Monitor missing Endpoint Protection in Security Center | For monitoring servers without an installed endpoint protection agent.
Azure Management Group
Azure Management Groups are containers for managing access, policies, and compliance across multiple Azure subscriptions.
Management groups allow you to order your Azure resources hierarchically into collections, which provide a further level of classification that is above the level of subscriptions.
Governance hierarchy using management group
You can create management groups by using the Azure portal, Azure PowerShell, or Azure CLI.
After you select Save on your first management group, a root management group is created in the Azure Active Directory (Azure AD) organisation. By default, the root management group's display name is Tenant root group.
Azure Blueprints
Azure blueprint tools help in auditing, traceability, and compliance of deployments against organisational, govt, and industry standards.
The Azure Blueprints service is designed to help with environment setup. This setup often consists of a set of resource groups, policies, role assignments, and Resource Manager template deployments. A blueprint is a package to bring each of these artifact types together and allow you to compose and version that package—including through a CI/CD pipeline. Ultimately, each setup is assigned to a subscription in a single operation that can be audited and tracked.
1. Create Azure blueprint
2. Assign blueprint
3. Track blueprint assignments
Blueprint vs. Azure Resource Manager Template
Nearly everything that you want to include for deployment in Blueprints can be accomplished with a Resource Manager template. However, a Resource Manager template is a document that doesn't exist natively in Azure. Resource Manager templates are stored either locally or in source control. The template gets used for deployments of one or more Azure resources, but once those resources deploy there's no active connection or relationship to the template.
Blueprint vs. Azure Policy
A blueprint is a package or container for composing focus-specific sets of standards, patterns, and requirements related to the implementation of Azure cloud services, security, and design that can be reused to maintain consistency and compliance.
A policy is a default-allow and explicit-deny system focused on resource properties during deployment and for already existing resources. It supports cloud governance by validating that resources within a subscription adhere to requirements and standards.
A policy can be included as one of many artifacts in a blueprint definition.
Azure Compliance Manager
- Compliance manager makes it easy to perform risk assessments of Microsoft's cloud services.
- Use it to manage your organisation's compliance activities from implementation to reporting.
- There are four sources as below:
- Microsoft Privacy Statement
- The Microsoft privacy statement explains what personal data Microsoft processes, how Microsoft processes it, and for what purposes.
- MS Trust Centre
- Trust Center is a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services.
- Service Trust Portal
- Is a companion feature of Trust Centre
- The Service Trust Portal (STP) hosts the Compliance Manager service, and is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft's cloud services. STP users can download audit reports produced by external auditors and gain insight from Microsoft-authored reports that provide details on how Microsoft builds and operates its cloud services.
- Covers compliance frameworks such as:
- ISO
- SOC
- NIST
- FedRAMP
- GDPR
- STP allows you to:
- Access audit reports on a single page
- Access compliance guides
- Access trust documents
- Compliance Manager
- Compliance manager is a workflow-based risk assessment dashboard within Service Trust Portal that enables you to track, assign, and verify your organisation's regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure.
- Enables you to assign, track and record compliance-assessment activities.
- Provides compliance score.
- Provides a secure repository in which to upload and manage evidence and other artifacts related to compliance activities.
- Produces richly detailed reports in Microsoft Excel that document the compliance activities.
- Provides recommended actions you can take to improve regulatory compliance.
Monitor Service Health
Two primary sources to monitor health of Azure services:
- Azure monitor
- Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.
- Data sources: Azure monitor collects data from various sources...
- Diagnostics
-- As soon as you create a resource, Azure starts collecting data thru Activity Logs.
-- Activity logs record when resources are created, modified
-- Metrics tell you how the resource is performing and the resources that it's consuming
-- You can extend the data you are collecting by enabling diagnostics.
-- Enable guest level monitoring
-- Performance counters
-- Event logs
-- Crash dumps
-- Sinks
-- Agent configurations
- Getting Application Data
-- Application insights is a service that monitors the availability, performance and usage of web applications.
-- Azure monitor for containers is a service designed to monitor the performance of container workloads
-- Azure monitor for VMs is a service that monitors your Azure VMs at scale.
Responding to Alert Conditions
Alerts
Azure Monitor proactively notifies you of critical conditions using alerts, and can potentially attempt to take corrective actions.
Autoscale
Azure Monitor uses Autoscale to ensure that you have the right amount of resources running to manage the load on your application effectively.
Visualise monitoring data
Can be done thru
- Dashboards
- Views
- Power BI
Azure Service Health
Azure Service Health is a suite of experiences that provide personalized guidance and support when issues with Azure services affect you (outages, planned maintenance). So this is to know (when you are troubleshooting) whether the platform itself has any issues that are causing issues for your application.
Azure Monitor, on the other hand, identifies issues "at my end" (when troubleshooting).
Both Azure Monitor and Azure Service Health together help during troubleshooting.
Azure service health comprises:
1. Azure status - provides global view of health state of Azure services.
3. Resource Health - helps diagnose and obtain support when an Azure service issue affects you.
Azure Resource Manager
1. Resource Groups -- are containers for resources you deploy on Azure
You place resources of similar usage, type, or location in the same resource group.
2. Tags - also provide a way to organise your Azure resources. They help to improve the organisation of resources. You can tag a resource or resource group with cost centre, billing dept, etc.
Tags are name/value pairs of text data that you can apply to resources and resource groups. Tags allow you to associate custom details with your resource in addition to the standard Azure properties a resource has, for example:
Department, environment, cost centre, lifecycle and automation...
A resource can have up to 50 tags.
Tags and Resource Groups are a great way to organise existing resources. To ensure new resources that are created also follow the same rules, you can use Azure policies.
RBAC provides fine grained access to ensure the rules you have created are protected.
Resource groups can be created via
> Azure portal
> Azure PowerShell
> Azure CLI
> Templates
> Azure SDKs
-- Create resource group
--Add existing resources to this group
>> Make sure you have a consistent naming convention
-- You can organise resources for billing
-- organise for authorisation
-- organise for lifecycle (for a particular project, for a test campaign, etc.)
(If you delete a resource group, you delete all resources within it!)
Create Policy
RBAC
Using RBAC, you can:
Allow one user to manage VMs in a subscription, and another user to manage virtual networks.
Allow a database administrator (DBA) group to manage SQL databases in a subscription.
Allow a user to manage all resources in a resource group, such as VMs, websites, and virtual subnets.
Allow an application to access all resources in a resource group.
Resource Locks
Resource locks are a setting that can be applied to any resource to block modification or deletion. Resource locks can be set to either Delete or Read-only. Delete will allow all operations against the resource but block the ability to delete it. Read-only will only allow read activities to be performed against it, blocking any modification or deletion of the resource.
Resource locks can be applied to
- subscriptions,
- resource groups, and
- to individual resources, and are inherited when applied at higher levels.
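The RBAC section above (who can do what, at which scope) and this Resource Locks section both rest on the same idea: an assignment or a lock placed at a higher scope (management group, subscription, resource group) is inherited by everything below it. The block below is an added example, not Azure's authorisation engine and not Microsoft sample code, that models this on a small constructed hierarchy. The role definitions are abridged versions of the real built-in roles (Reader, Contributor, Virtual Machine Contributor), the scope ids, principals, assignments and lock placement are constructed, and the function names are assumptions for the illustration. It shows the RBAC use cases listed above (one user manages VMs, another only reads) and then the guard-rail a lock adds: a CanNotDelete lock on the resource group stops a delete even for a principal whose role would otherwise permit it.

```python
"""RBAC role assignments and resource locks on the Azure scope hierarchy
(management group > subscription > resource group > resource).

Added example modelling scope inheritance; not Azure's own authorisation
engine. Scope ids, principals, assignments and locks are constructed."""
from fnmatch import fnmatchcase

MG = "/providers/Microsoft.Management/managementGroups/contoso-root"
SUB = "/subscriptions/sub-prod"
RG = SUB + "/resourceGroups/rg-web"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"

# child scope -> parent scope; None marks the root of the hierarchy
PARENT = {MG: None, SUB: MG, RG: SUB, VM: RG}

# Abridged built-in role definitions; a '*' wildcard matches across '/' as in Azure.
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    "Virtual Machine Contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "notActions": []},
}

# Constructed role assignments: (principal, role, scope)
ASSIGNMENTS = [
    ("carol@contoso.example", "Contributor", MG),                    # broad, at the top
    ("bob@contoso.example", "Reader", SUB),                          # read-only, whole subscription
    ("alice@contoso.example", "Virtual Machine Contributor", RG),    # least privilege: VMs in one RG
]

# Constructed locks: (scope, level) where level is CanNotDelete or ReadOnly
LOCKS = [(RG, "CanNotDelete")]


def lineage(scope):
    """Yield the scope itself, then each ancestor up to the root."""
    while scope is not None:
        yield scope
        scope = PARENT[scope]


def matches(action, patterns):
    """Azure action matching is case-insensitive with '*' wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def rbac_allows(principal, action, scope):
    """A role assignment at the target scope or any ancestor applies. Within one
    assignment the action must match Actions and must not match NotActions."""
    for s in lineage(scope):
        for who, role, where in ASSIGNMENTS:
            if who == principal and where == s:
                role_def = ROLES[role]
                if matches(action, role_def["actions"]) and not matches(action, role_def["notActions"]):
                    return True
    return False


def blocking_lock(action, scope):
    """Locks are inherited downwards; return the lock level that vetoes the action, if any."""
    verb = action.rsplit("/", 1)[-1].lower()
    for s in lineage(scope):
        for where, level in LOCKS:
            if where != s:
                continue
            if level == "ReadOnly" and verb != "read":
                return level
            if level == "CanNotDelete" and verb == "delete":
                return level
    return None


def authorize(principal, action, scope):
    """Return (allowed, reason). RBAC decides who may act; a lock then vetoes
    delete (or, for ReadOnly, any change) regardless of how powerful the role is."""
    if not rbac_allows(principal, action, scope):
        return False, "no role assignment grants this action at this scope"
    lock = blocking_lock(action, scope)
    if lock:
        return False, f"blocked by {lock} lock"
    return True, "allowed"


if __name__ == "__main__":
    checks = [
        ("alice@contoso.example", "Microsoft.Compute/virtualMachines/write", VM),
        ("alice@contoso.example", "Microsoft.Network/virtualNetworks/write", RG),
        ("bob@contoso.example", "Microsoft.Compute/virtualMachines/read", VM),
        ("carol@contoso.example", "Microsoft.Compute/virtualMachines/delete", VM),
        ("carol@contoso.example", "Microsoft.Authorization/roleAssignments/write", SUB),
    ]
    for who, action, scope in checks:
        print(who.split("@")[0], action, authorize(who, action, scope))
```

Two details are worth noticing. Contributor's NotActions are subtracted only from that role, which is why a Contributor cannot grant roles but an Owner assignment elsewhere would not be affected by them; and the lock check runs after the RBAC check, so "blocked by lock" is the answer a fully authorised administrator gets, which is exactly the accidental-deletion protection the section describes.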
Purchasing Azure Products and Services
- Azure products and services are arranged by category.