Azure Cloud Fundamentals

All the notes on this page have been taken from Microsoft's learning portal - learn.microsoft.com. If any of this material is copyrighted, please let me know in the comments below and I will remove it. The main goal here is to learn and understand the concepts of Azure Cloud Fundamentals.

What is Cloud Computing

Cloud computing is the delivery of computing services over the internet, such as virtual machines, storage, databases, and networking, as well as other offerings such as Internet of Things (IoT), machine learning (ML) and artificial intelligence (AI).

The Cloud Provider manages all these resources for us, and we need to pay for only what we use. This allows us to scale up our resources during peak times and scale down during times of low usage.

Cloud Modes

Private Cloud

It is a cloud environment used and maintained by a single organization. It provides much greater control for the company but comes with greater cost and fewer of the benefits of a public cloud. Hardware must be purchased for startup and maintenance.
A private cloud can be on-premises or offered by a third-party cloud vendor. In the on-premises case, the organization buys and maintains all infrastructure in its own datacenter. When an organization uses a third-party vendor for a private cloud, the vendor buys and maintains the infrastructure exclusively for that organization (single-tenant).

Public Cloud

It is built, controlled, and maintained by a third-party cloud provider. Organizations pay only for what they use. However, there is less control over resources and security. Multiple users may be sharing the same underlying infrastructure (multi-tenant).

Hybrid Cloud

It is a computing environment that uses both public and private clouds in an inter-connected environment. This is most commonly used by running the applications from a public cloud while storing the data in a private cloud or an on-premises datacenter for improved security. Example - An Azure web Application that connects to an on-premise database.

Cloud Bursting

When cloud bursting is configured, cloud-based resources are provisioned when on-premises servers reach 100% resource capacity. Cloud bursting is used in hybrid cloud models consisting of on-premises and cloud-based resources.

Multi Cloud

In this scenario, you use multiple public cloud providers.

Types of Expenses - CapEx and OpEx

CapEx

Capital expenditures (CapEx) are a company's major, upfront expenses on hardware infrastructure. This includes the cost of buying servers, storage and routers.

CapEx, from highest to lowest:
On-Premise Cloud > Private Cloud > Hybrid Cloud > Public Cloud

- In an On-Premise cloud, the CapEx expense is not reduced as the organization is responsible for buying and maintaining the infrastructure.

- In a Private Cloud (maintained by a 3rd party cloud vendor), the vendor is responsible for buying and maintaining the infrastructure, so CapEx cost is eliminated (no upfront charges). You only need to pay for usage, but the overall cost of ownership is still high - the rates are higher than public cloud, because the infrastructure is not shared with other users (i.e. single tenant), and used exclusively by one organization.

- In a Public Cloud, CapEx costs are eliminated because you only need to pay for the usage of these devices. However, since the infrastructure is shared among multiple users (multi-tenant), you have less control over resources and security.

- In a Hybrid Cloud (a combination of Private and Public cloud), CapEx costs are higher than Public cloud because you need to pay for the devices that are on-premises. If the private cloud is maintained by a 3rd party, CapEx costs are eliminated, but the overall cost of ownership is still higher than public cloud because of the higher rates of the private cloud.

OpEx

Operating expenses (OpEx) are a company's expenses on day-to-day operation and maintenance.

Azure Arc

Azure Arc is a set of technologies that helps manage your cloud environment, whether it's a public cloud solely on Azure, a private cloud in your datacenter, a hybrid configuration, or even a multi-cloud environment.

Azure VMware Solution

If you have already set up VMware in a private cloud environment but want to migrate to a public or hybrid cloud, Azure VMware Solution lets you run your VMware workloads in Azure with seamless integration and scalability.

Cloud Service Models - Shared Responsibility Model - IaaS, PaaS and SaaS

A quick tour:
IaaS - Cloud provider manages hardware. Users need to set up VMs, OS, and applications.
PaaS - Cloud provider manages hardware, VMs, OS and dev tools. Users then develop, test and deploy their apps. e.g. Heroku, PCF, AWS Lambda, Azure Functions.
SaaS - Cloud provider manages hardware, VMs, OS and apps as well. Users just pay for using the apps (basically end users). e.g. Outlook, Gmail, Netflix, Zoom.

As you move from an on-premises datacenter to the cloud, some of the responsibilities transfer to the cloud provider, while others are retained by you (the customer).

[Diagram: responsibility zones in the shared responsibility model. Source: Microsoft]

Regardless of the type of deployment, you own your data and identities. The following responsibilities are always retained by you:
1. Data
2. Endpoints
3. Account
4. Access management

Another diagram shows which resources are managed by the cloud provider in each service type:

[Diagram: IaaS as part of PaaS, which in turn is part of SaaS. Source: Microsoft]

On-Premise

In an on-premise datacenter, you own the whole stack.

Infrastructure as a Service (IaaS)

IaaS offers essential infrastructure such as servers, storage, and networking resources on demand, on a pay-as-you-go basis.
It is the most flexible category of cloud services, as it provides you with the maximum amount of control over your cloud resources.
Migrating your infrastructure from on-premise to an IaaS solution helps you save money on hardware costs, and gives you flexibility to scale your IT resources up and down with demand.

Responsibilities transferred to Cloud Provider in IaaS
1. Physical Hosts
2. Physical Network
3. Physical Datacenter

Common IaaS business scenarios
1. Lift-and-shift migration - This is the fastest and least expensive method of migrating an application or workload to the cloud.
2. Test and development - Your team can quickly set up and dismantle test and development environments.
3. Storage, backup, and recovery - IaaS is useful for handling unpredictable demand and steadily growing storage needs of an organization.
4. Web apps - IaaS provides all the infrastructure to support web apps, including storage, web and application servers, and networking resources.
5. High-performance computing - IaaS can support high-performance computing on supercomputers, computer grids, or computer clusters to help solve complex problems, such as earthquake simulations, climate and weather predictions etc.

Platform as a Service (PaaS)

PaaS is designed to support the complete web application lifecycle: building, testing, deploying, managing, and updating. In PaaS, you manage the applications and services you develop, and the cloud service provider typically manages everything else.
PaaS includes infrastructure - servers, storage, and networking - but also middleware, development tools, business intelligence (BI) services, database management systems, and more.
PaaS allows you to avoid the expense and complexity of buying and managing software licenses, the underlying application infrastructure and middleware, container orchestrators, or the development tools and other resources.

Responsibilities transferred to Cloud Provider in PaaS
1. Physical Hosts
2. Physical Network
3. Physical Datacenter
4. Operating System
5. Development Tools
6. Database Management
7. Business Analytics

Common PaaS business scenarios
1. Development framework - PaaS provides a framework that developers can use to build cloud-based applications, using built-in software components.
2. Analytics or business intelligence - PaaS allows organizations to analyze and mine their data, finding insights and patterns.
3. Additional services - PaaS provides other services such as workflow, directory, security, and scheduling.

Software as a Service (SaaS)

With SaaS, you're essentially renting or using a fully developed application. It places the most responsibility with the cloud provider and the least responsibility with the user.
Email, financial software, messaging applications, and connectivity software are all common examples.

SaaS is software that is centrally hosted and managed for you and your users or customers. Usually, one version of the application is used for all customers, and it is licensed through a monthly or annual subscription. This is different from PaaS and IaaS which use a consumption-based model, so you only pay for what you use.

Responsibilities transferred to Cloud Provider in SaaS
1. Physical Hosts
2. Physical Network
3. Physical Datacenter
4. Operating System
5. Development Tools
6. Database Management
7. Business Analytics
8. Hosted applications/apps

Common SaaS business scenarios
1. Email and messaging
2. Business productivity applications
3. Finance and expense tracking

Benefits of Cloud

1. High Availability

High availability focuses on ensuring maximum availability, regardless of disruptions or events that may occur.

Azure is a highly available cloud environment with uptime guarantees depending on the service level agreements (SLAs).

2. Scalability

Scalability refers to the ability to adjust resources to meet demand.

It generally comes in two varieties:
Vertical scaling - increasing or decreasing the CPU or RAM of a specific virtual machine. We scale up during peak time and scale down during low activity.
Horizontal scaling - adding or removing virtual machines or containers. We scale out during peak time by adding more machines, and scale in by removing the additional machines during low activity.

3. Elasticity

You can configure cloud-based apps to take advantage of autoscaling, so your apps always have the resources they need.

Scalability vs Elasticity
Scalability and Elasticity are used interchangeably, so it is easy to confuse them with one another. In pure technical terms, the difference between the two is the level of automation.
Scalability is the ability to adjust the resources manually, as in someone manually logs into the cloud and adds or removes the resources. This is usually done where the workload is predictable, and there is no possibility of sudden unpredictable spikes.
Elasticity is the ability to adjust the resources automatically, in real time. This is used where the workload is unpredictable and needs quick action based on peaks or drops.

4. Agility

Agility allows speed and flexibility in allocation and deallocation of required resources. It allows deployment of required resources and services in minutes without manual administration.

5. Reliability with Geo-distribution

Reliability is the ability of a system to recover from failures and continue to function.

With a decentralized design, the cloud enables you to have resources deployed in regions around the world. Even if one region has a catastrophic event other regions are still up and running. The customers also get the best performance in their region.

6. Predictability

Predictability focuses on building a solution whose cost and performance can be predicted.

Performance predictability - this focuses on predicting the expected usage of resources. Autoscaling, load balancing, and high availability are some cloud concepts that support performance predictability.

Cost predictability - this focuses on forecasting the cost of using cloud resources. By using cloud analytics and tools like Total Cost of Ownership (TCO) or Pricing Calculator, we can get an estimate of potential cloud spend.

7. Disaster Recovery

By taking advantage of cloud-based backup services, data replication, and geo-distribution, you can deploy your apps with the confidence that your data is safe in the event of a disaster.

Azure Subscriptions, Management groups, and Resources

The hierarchy goes like this:
Resources --> Resource Groups --> Subscriptions --> Management Groups

Resources

Resources are instances of services that you create, like virtual machines, storage, or SQL databases.

Resource Groups

Resources are combined into resource groups. Resource groups act as a logical container into which Azure resources like web apps, databases, and storage accounts are deployed and managed.

Subscriptions

A subscription groups together user accounts and the resources that have been created by those user accounts. For each subscription, there are limits or quotas on the amount of resources that you can create and use.

Management Groups

Management groups help you manage access, policy, and compliance for multiple subscriptions. All subscriptions in a management group automatically inherit the conditions applied to the management group.

Regions and Availability Zones

Azure provides Regions and Availability zones as a way to achieve High Availability and resiliency in cloud applications.

Architecture of Azure infrastructure

Azure infrastructure is divided into geographies, regions, availability zones and data centers.

Geography

An Azure geography is an area of the world that contains one or more regions and meets specific data residency and compliance requirements.
Most geographies correspond to countries - e.g. India, United States, United Kingdom.
A few geographies correspond to continents - e.g. Africa, Australia, Europe.
Some geographies correspond to specific global areas - e.g. Asia Pacific.

Regions

A geography is further divided into one or more regions. Each region may have 1 or more Availability zones - ideally, each region should have at least 3 availability zones. Each region is separated from another region by at least 300 miles, to reduce the likelihood that a disaster in one region affects the other.
For example,
India geography has these regions: Central India, South Central, South
Europe geography has these regions: North Europe, West Europe
Asia Pacific geography has these regions: East Asia, South East Asia

Availability Zones

Azure availability zones are physically and logically separated datacenters with their own independent power source, network, and cooling.

Every region is recommended to have at least 3 availability zones. Availability zones within a region are connected to each other with an extremely low-latency network. Availability zones are designed so that if one zone is affected, regional services, capacity, and high availability are supported by the remaining two zones. Each zone can have one or more datacenters.
Azure customers can choose to have their resources replicated in multiple Availability Zones.
Availability zones are primarily for VMs, managed disks, load balancers, and SQL databases.

Data Center

A data center is a physical location where Azure manages its hardware infrastructure.

Within a data center, we have Availability sets, fault domains and update domains.

Availability Set

Availability Set allows a customer to spread their virtual machines across multiple Fault Domains and Update Domains within a data center, to ensure availability in the event of unplanned or planned downtime. Each VM is isolated within a separate physical server, compute rack, storage units and network switches within a single datacentre within an Azure Region.
Availability Sets only apply to virtual machines, they can’t be used for any other type of resource within Azure.

Fault Domain

Fault domain defines a group of virtual machines that share a common power source and network switch. Basically, a single rack of hardware resources sharing a common power source and network switch is called a fault domain.

Update Domain

Update domains indicate groups of virtual machines and underlying physical hardware that can be rebooted at the same time for updates and patching. Azure will only restart items in one update domain at a time. So ideally you should spread your VMs across at least 2 update domains, so that even if one UD goes down, the other one is still up.

Let us say that a customer has created 8 VMs to run the same application. To ensure that the 8 VMs land on different racks (Fault Domains) and Update Domains, they create an Availability Set with 3 Fault Domains and 5 Update Domains and assign their VMs to it. Azure then spreads the 8 VMs uniformly across these FDs and UDs in round-robin fashion, as in the table below:

Fault Domain 1 | Fault Domain 2 | Fault Domain 3
VM1 (UD1)      | VM2 (UD2)      | VM3 (UD3)
VM4 (UD4)      | VM5 (UD5)      | VM6 (UD1)
VM7 (UD2)      | VM8 (UD3)      |
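The placement above can be computed rather than drawn, and once it is computed you can ask the question an availability review actually needs answered: how many VMs keep running if one rack loses power or one update domain is rebooted for patching? The following is an added example, not code from the notes or from Microsoft; the round-robin rule it implements is the one described above (VM i goes to FD ((i-1) mod FDs)+1 and UD ((i-1) mod UDs)+1), and the 8 VM / 3 FD / 5 UD figures are the ones from the example.

```python
# Added example (not from the notes or from Microsoft): reproduce the
# round-robin placement of VMs across Fault Domains (FDs) and Update
# Domains (UDs), then compute the worst-case number of VMs still running.


def place_vms(vm_count, fault_domains, update_domains):
    """Assign VM1..VMn to FDs and UDs in round-robin order.

    VM i (1-based) lands in FD ((i-1) mod FDs)+1 and UD ((i-1) mod UDs)+1,
    which is the pattern in the table above. Returns [(vm, fd, ud), ...].
    """
    return [
        (f"VM{i}", (i - 1) % fault_domains + 1, (i - 1) % update_domains + 1)
        for i in range(1, vm_count + 1)
    ]


def by_fault_domain(placement):
    """Group the placement the way the table above does: {fd: [(vm, ud), ...]}."""
    groups = {}
    for vm, fd, ud in placement:
        groups.setdefault(fd, []).append((vm, ud))
    return groups


def running_after_fd_failure(placement, failed_fd):
    """VMs unaffected when one whole fault domain (a rack) loses power or its switch."""
    return [vm for vm, fd, _ud in placement if fd != failed_fd]


def running_during_ud_reboot(placement, rebooting_ud):
    """VMs that stay up while Azure patches and reboots one update domain."""
    return [vm for vm, _fd, ud in placement if ud != rebooting_ud]


def worst_case_running(placement, fault_domains, update_domains):
    """Smallest number of VMs still running across every single-FD failure
    and every single-UD reboot. Size your capacity against this figure,
    not against the total VM count."""
    fd_cases = [len(running_after_fd_failure(placement, fd)) for fd in range(1, fault_domains + 1)]
    ud_cases = [len(running_during_ud_reboot(placement, ud)) for ud in range(1, update_domains + 1)]
    return min(fd_cases + ud_cases)


if __name__ == "__main__":
    placement = place_vms(8, 3, 5)
    for fd, members in sorted(by_fault_domain(placement).items()):
        print(f"Fault Domain {fd}: " + ", ".join(f"{vm} (UD{ud})" for vm, ud in members))
    print("worst case VMs still running:", worst_case_running(placement, 3, 5))
```

With 8 VMs over 3 fault domains, FD1 and FD2 each hold three VMs, so losing one of them leaves five running; no single update-domain reboot takes down more than two. That "five of eight" number is the one to check against the application's minimum capacity.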

Cross-region replication

Cross-region replication is a strategy that asynchronously replicates applications and data across Azure regions for disaster recovery. Some services are automatically replicated by Azure, such as Azure Geo-Redundant Storage (GRS), but most services need to be configured by the customer for cross-region replication. Azure provides a feature called Region Pairing for this purpose.

Region Pairing
Region pairing is the relationship between two Azure regions within the same geographic area to provide geographically redundant solutions. Azure’s paired regions are prewired with high bandwidth connectivity between them. Below are a few of the pairings provided by Azure.

Geography     | Regional pair A        | Regional pair B
Australia     | Australia East         | Australia Southeast
Brazil        | Brazil Southeast       | Brazil South
Canada        | Canada Central         | Canada East
China         | China North            | China East
Europe        | North Europe (Ireland) | West Europe (Netherlands)
France        | France Central         | France South
Germany       | Germany West Central   | Germany North
India         | Central India          | South India
Japan         | Japan East             | Japan West
Korea         | Korea Central          | Korea South
North America | East US                | West US
UK            | UK West                | UK South

One limitation here is that customers cannot create their own custom region pairings; they must use the pairings that Azure provides. However, they are free to set up replication in any number of regions in the world, with the drawback that they will have to set up their own replication services to sync data between the regions.

Azure Compute Services

Azure compute is an on-demand computing service for running cloud-based applications. It provides computing resources such as disks, processors, memory, networking, and Operating Systems.

Below are the most prominent services:

Azure Virtual Machines

Virtual Machines are software emulations of physical computers. They include a virtual processor, memory, storage, and networking resources. VMs come under IaaS and are useful when you need total control over an OS and environment.

Azure Spot Instances

Microsoft offers Azure Spot Virtual Machines, which are a great fit for batch jobs. These Spot VMs or instances can help reduce costs by taking advantage of unutilized compute capacity. Most cloud service providers (CSPs) offer this unused capacity at a significant discount. Unlike a normal Virtual Machine, a spot VM does not offer guaranteed compute resources at a specified time. They are perfect for batch or other asynchronous processing that can occur on a flexible schedule.

For instance, say an organization has completed the migration of its core servers and processes to cloud-based virtual machines. Its final project involves migrating a weekly batch-processing task that relies on operating system drivers to print PDF reports. It needs to meet this requirement while minimizing costs. In this scenario, Azure Spot Instances are a good fit, as they are made for batch jobs and are cost efficient.

Virtual Machine Scale Sets

Virtual Machine Scale Sets are an Azure compute resource that you can use to deploy and manage a set of identical VMs. It is designed to support true autoscale.

Containers and Kubernetes

Container Instances and Azure Kubernetes Service are Azure compute resources that you can use to deploy and manage containers. Containers are lightweight, virtualized application environments. They are designed to be quickly created, scaled out, and stopped dynamically. You can run multiple instances of a containerized application on a single host machine.

App Service

With Azure App Service, you can quickly build, deploy, and scale apps running on any platform. It is a PaaS offering.

Azure Functions

Functions are ideal when you're concerned only about the code running your service and not the underlying platform or infrastructure. They're commonly used when you need to perform work in response to an event (often via a REST request), timer, or message from another Azure service, and when that work can be completed quickly, within seconds or less.

Azure Functions is a serverless solution that allows you to execute your code when needed and pay for the actual runtime only, without worrying about configuration or management of the underlying physical and application infrastructure. Azure functions can be invoked by various triggers such as HTTP, Queue, Timer or Event Grid.
A few sample scenarios where Azure Functions may be useful

If you want to...                      | then...
Build a web API                        | Implement an endpoint for your web applications using the HTTP trigger
Process file uploads                   | Run code when a file is uploaded or changed in blob storage
Build a serverless workflow            | Create an event-driven workflow from a series of functions using durable functions
Respond to database changes            | Run custom logic when a document is created or updated in Azure Cosmos DB
Run scheduled tasks                    | Execute code on pre-defined timed intervals
Create reliable message queue systems  | Process message queues using Queue Storage, Service Bus, or Event Hubs
Analyze IoT data streams               | Collect and process data from IoT devices
Process data in real time              | Use Functions and SignalR to respond to data in the moment

Containers in Azure

A container is a standard unit of software that packages up code and all its dependencies so the application runs seamlessly across environments.
You can create containers using Azure Container Instances.
A container represents a single app and its dependencies. This allows you to package, deploy, and manage the container as a unit.
A container can run on Windows or Linux. You specify the OS when you create the container group. A container group is a group of containers that all run on the same host VM. This means that the group itself is tied to an OS. So all containers in the container group share the same OS.
Since containers share the host OS, they don't need to boot an OS or load libraries. This enables containers to be much more efficient and lightweight.
A container does not require you to configure the host VM. Azure manages the host VM.
A container does not require you to manually install dependencies. A container represents a single app and its dependencies. The dependencies are installed automatically.
A container can scale out as needed. You do not need to use custom scaling rules as you do with App Services.
A container can be accessed over the internet by IP address or domain name. With Azure Container Instances, you can specify the DNS name label, allowing your container to be reachable at [dnsnamelabel].[region].azurecontainer.io.

Azure Virtual Network

Azure virtual networks enable Azure resources, such as VMs, web apps, and databases, to communicate with each other, with users on the internet, and with your on-premises client computers. You can think of an Azure virtual network as an extension of your on-premises network, with resources that link to other Azure resources.

Example of using Azure Virtual Network -
Your organization has an on-premises datacenter that you plan to keep, but you want to use Azure to offload peak traffic by using Virtual Machines (VMs) hosted in Azure. You want to keep your existing IP addressing scheme and network appliances while ensuring that any data transfer is secure. Using Azure Virtual Network for your virtual networking can help you reach your goals.

Azure virtual networks provide the following networking capabilities:

Isolation and Segmentation

It allows you to create multiple isolated virtual networks. When you set up a virtual network, you define a private IP address space by using either public or private IP address ranges. The public IP range only exists within the virtual network and isn't internet routable. You can divide that IP address space into subnets and allocate part of the defined address space to each named subnet.
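Address-space planning is where segmentation goes wrong in practice: a subnet that falls outside the virtual network's range, or two subnets that overlap, is rejected at deployment time, and two virtual networks with overlapping address spaces cannot later be joined by peering. The following is an added example (not code from the notes or from Microsoft) that validates a plan before anything is created. The VNet range and subnet names are constructed sample values; the figure of five reserved addresses per subnet is a known Azure behaviour (network address, default gateway, two for DNS, broadcast) that the notes above do not mention.

```python
import ipaddress

# Constructed sample values (not from the notes): one VNet and three subnets.
VNET_ADDRESS_SPACE = "10.0.0.0/16"
REQUESTED_SUBNETS = {
    "web": "10.0.1.0/24",
    "app": "10.0.2.0/24",
    "db":  "10.0.3.0/24",
}

# Azure reserves the first four and the last address of every subnet
# (network address, default gateway, two for DNS, broadcast). This is a
# known platform fact, not something the notes above state.
AZURE_RESERVED_PER_SUBNET = 5


def plan_subnets(vnet_cidr, subnets):
    """Check that every subnet fits inside the VNet and that no two overlap.

    Returns {name: usable_host_addresses}. Raises ValueError on a bad plan,
    which is the behaviour you want in a deployment pipeline: fail before
    the resource is created rather than find the overlap in the portal.
    """
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    parsed = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in subnets.items()}

    for name, net in parsed.items():
        if not net.subnet_of(vnet):
            raise ValueError(f"subnet {name} {net} is outside VNet {vnet}")

    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                raise ValueError(f"subnets {a} {parsed[a]} and {b} {parsed[b]} overlap")

    return {name: net.num_addresses - AZURE_RESERVED_PER_SUBNET for name, net in parsed.items()}


def can_peer(vnet_a_cidr, vnet_b_cidr):
    """Peering requires non-overlapping address spaces. True when the two
    VNets could be peered as far as addressing is concerned."""
    a = ipaddress.ip_network(vnet_a_cidr, strict=True)
    b = ipaddress.ip_network(vnet_b_cidr, strict=True)
    return not a.overlaps(b)


if __name__ == "__main__":
    print(plan_subnets(VNET_ADDRESS_SPACE, REQUESTED_SUBNETS))
    print("can peer 10.0.0.0/16 with 10.1.0.0/16:", can_peer("10.0.0.0/16", "10.1.0.0/16"))
    print("can peer 10.0.0.0/16 with 10.0.5.0/24:", can_peer("10.0.0.0/16", "10.0.5.0/24"))
```

`strict=True` makes the parser reject a CIDR with host bits set (for example `10.0.1.5/24`), which catches a common typo in hand-written network definitions.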

Internet communications

A VM in Azure can connect to the internet by default. You can enable incoming connections from the internet by assigning a public IP address to the VM or by putting the VM behind a public load balancer.

Communicate between Azure resources

Azure resources can communicate with each other securely in one of two ways:

1. Virtual networks - Virtual networks can connect VMs as well as other Azure resources, such as the App Service Environment, Azure Kubernetes Service, and Azure Virtual Machine Scale Sets.
2. Service endpoints - You can use service endpoints to connect to other Azure resource types, such as Azure SQL databases and storage accounts.

Communicate with on-premises resources

Azure virtual networks enable you to link resources together in your on-premises environment and within your Azure subscription. There are three ways you can achieve this connectivity:

1. Point-to-site virtual private networks - In this case, the client computer initiates an encrypted VPN connection to connect that computer to the Azure virtual network.

2. Site-to-site virtual private networks - This links your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. In effect, the devices in Azure can appear as being on the local network.

Azure VPN Gateway is a service that uses a specific type of virtual network gateway to send encrypted traffic between an Azure virtual network and on-premises locations over the public internet.

3. Azure ExpressRoute - For environments where you need greater bandwidth and even higher levels of security, Azure ExpressRoute is the best approach. ExpressRoute provides a dedicated private connectivity to Azure that doesn't travel over the internet.

Route network traffic

By default, Azure routes traffic between subnets on any connected virtual networks, on-premises networks, and the internet. You can also control routing and override those settings, as follows:

  1. Route tables - A route table allows you to define rules about how traffic should be directed. You can create custom route tables that control how packets are routed between subnets.

  2. Border Gateway Protocol - BGP is the standard routing protocol commonly used in the Internet to exchange routing and reachability information between two or more networks. BGP works with Azure VPN gateways, Azure Route Server, or ExpressRoute to propagate on-premises BGP routes to Azure Virtual networks.

Filter network traffic

Following are the approaches:

  1. Network Security Groups - A network security group is an Azure resource that can contain multiple inbound and outbound security rules. You can define these rules to allow or block traffic, based on factors such as source and destination IP address, port, and protocol.

  2. Network Virtual Appliances - A network virtual appliance is a specialized VM that can be compared to a hardened network appliance. It carries out a particular network function, such as running a firewall or performing wide area network (WAN) optimization.
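What makes a network security group predictable is its evaluation order: rules are processed from the lowest priority number upward, the first rule that matches decides the outcome, and Azure appends a default DenyAllInBound rule so that any inbound flow no rule explicitly allows is dropped. The following is an added example, not Microsoft's code and not the NSG implementation, that models that decision for inbound traffic and adds the check a posture review usually starts with: are SSH or RDP open to any source? The Rule and Flow fields, the sample rule set and the addresses are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not Microsoft's code): a small model of how an NSG decides
# whether an inbound flow is allowed. Field names and sample data are constructed.


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # user rules use 100..4096; a lower number is evaluated first
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*" for any
    source: str          # source CIDR, or "*" for any source
    dest_ports: tuple    # inclusive (low, high); (0, 65535) means any port


@dataclass(frozen=True)
class Flow:
    src_ip: str
    protocol: str
    dest_port: int


# Azure's default inbound deny, which sits after every user rule.
DEFAULT_DENY = Rule("DenyAllInBound", 65500, "Deny", "*", "*", (0, 65535))

# Constructed rule set. The SSH deny sits after the narrower admin-subnet
# allow, so admins still get in. The RDP rule is deliberately over-broad so
# that the audit below has a finding to report.
SAMPLE_RULES = [
    Rule("AllowHTTPSFromInternet", 100, "Allow", "Tcp", "*", (443, 443)),
    Rule("AllowRDPFromAnywhere", 105, "Allow", "Tcp", "*", (3389, 3389)),
    Rule("AllowSSHFromAdminSubnet", 110, "Allow", "Tcp", "10.0.0.0/24", (22, 22)),
    Rule("DenySSHFromAnywhere", 120, "Deny", "Tcp", "*", (22, 22)),
]


def rule_matches(rule, flow):
    """True when protocol, source address and destination port all fall within the rule."""
    if rule.protocol != "*" and rule.protocol != flow.protocol:
        return False
    if rule.source != "*":
        if ipaddress.ip_address(flow.src_ip) not in ipaddress.ip_network(rule.source, strict=False):
            return False
    low, high = rule.dest_ports
    return low <= flow.dest_port <= high


def evaluate_inbound(rules, flow):
    """Return (access, rule_name) from the first matching rule in priority order."""
    for rule in sorted([*rules, DEFAULT_DENY], key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule.access, rule.name
    return DEFAULT_DENY.access, DEFAULT_DENY.name  # unreachable: the default matches everything


MANAGEMENT_PORTS = {22, 3389}


def audit_open_management_ports(rules):
    """Names of Allow rules that expose SSH or RDP to any source, the most
    common NSG misconfiguration a posture review looks for."""
    findings = []
    for rule in rules:
        low, high = rule.dest_ports
        if rule.access == "Allow" and rule.source == "*" and any(low <= p <= high for p in MANAGEMENT_PORTS):
            findings.append(rule.name)
    return findings


if __name__ == "__main__":
    for flow in [Flow("203.0.113.7", "Tcp", 443), Flow("10.0.0.5", "Tcp", 22),
                 Flow("203.0.113.7", "Tcp", 22), Flow("203.0.113.7", "Udp", 53)]:
        print(flow, "->", evaluate_inbound(SAMPLE_RULES, flow))
    print("open management ports:", audit_open_management_ports(SAMPLE_RULES))
```

Swap the priorities of the two SSH rules and the admin subnet is locked out, because the broad deny is now hit first; that ordering sensitivity is why NSG changes deserve a test like `evaluate_inbound` in a pipeline rather than a manual check in the portal.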

Peering - Connect virtual Networks

You can link virtual networks together by using virtual network peering. Peering enables resources in each virtual network to communicate with each other. These virtual networks can be in separate regions, which allows you to create a global interconnected network through Azure.

User-defined routes (UDR) are a significant update to Azure's Virtual Networks that allows for greater control over network traffic flow. This method allows network administrators to control the routing tables between subnets within a VNet, as well as between VNets.

Secure Network Connectivity on Azure

Defense in Depth Strategy

A defense-in-depth strategy uses a series of mechanisms to slow the advance of an attack that aims at acquiring unauthorized access to data.

Layers of defense in depth:

  1. The physical security layer is the first line of defense to protect computing hardware in the datacenter.

  2. The identity and access layer controls access to infrastructure and change control.

  3. The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.

  4. The network layer limits communication between resources through segmentation and access controls.

  5. The compute layer secures access to virtual machines.

  6. The application layer helps ensure that applications are secure and free of security vulnerabilities.

  7. The data layer controls access to business and customer data that you need to protect.

Security Posture

Your security posture is your organization's ability to protect from and respond to security threats. The common principles used to define a security posture are confidentiality, integrity, and availability, known collectively as CIA.

  1. Confidentiality - The principle of least privilege means restricting access to information only to individuals explicitly granted access, at only the level that they need to perform their work.

  2. Integrity: Prevent unauthorized changes to information at rest (when it is stored), and in transit (when it's being transferred from one place to another). A common approach used in data transmission is for the sender to create a unique fingerprint of the data by using a one-way hashing algorithm.

  3. Availability: Ensure that services are functioning and can be accessed only by authorized users. DDoS attacks are designed to degrade the availability of a system, affecting its users.
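The integrity mechanism in point 2, a one-way hash of the data that the receiver recomputes and compares, is short enough to show end to end. The following is an added example (not from the notes or from Microsoft) using SHA-256. It goes one step beyond the notes with a keyed variant (HMAC): a plain hash only detects accidental corruption, because whoever can change the data in transit can recompute the hash to match, whereas an HMAC can only be produced by a holder of the key. The message and key are constructed sample values.

```python
import hashlib
import hmac

# Added example (not from the notes): a one-way hash as an integrity
# fingerprint, plus the keyed (HMAC) form. Sample values are constructed.
SAMPLE_MESSAGE = b"transfer 100 to account 4242"
SAMPLE_KEY = b"constructed-demo-key-not-for-production"


def fingerprint(data: bytes) -> str:
    """Unkeyed SHA-256 fingerprint of the data, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def verify_fingerprint(data: bytes, expected_hex: str) -> bool:
    """Recompute the fingerprint and compare in constant time; compare_digest
    avoids leaking how many leading characters matched."""
    return hmac.compare_digest(fingerprint(data), expected_hex)


def keyed_fingerprint(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of the key can produce a valid value,
    so an altered message cannot simply be re-hashed by whoever altered it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed_fingerprint(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(keyed_fingerprint(key, data), tag_hex)


def flip_one_byte(data: bytes, index: int = 0) -> bytes:
    """Simulate corruption in transit by changing a single bit of one byte."""
    mutated = bytearray(data)
    mutated[index] ^= 0x01
    return bytes(mutated)


if __name__ == "__main__":
    sent_hash = fingerprint(SAMPLE_MESSAGE)
    received = flip_one_byte(SAMPLE_MESSAGE)
    print("intact message verifies:", verify_fingerprint(SAMPLE_MESSAGE, sent_hash))
    print("altered message verifies:", verify_fingerprint(received, sent_hash))
    tag = keyed_fingerprint(SAMPLE_KEY, SAMPLE_MESSAGE)
    print("altered message verifies against HMAC tag:", verify_keyed_fingerprint(SAMPLE_KEY, received, tag))
```

In practice the key for the HMAC form comes from a secret store such as a key vault rather than from source code, and TLS already provides this kind of in-transit integrity for most Azure service endpoints; the unkeyed hash remains useful for detecting corruption of data at rest, such as a backup that has been stored for months.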

Azure Storage

Azure storage comes in different categories, as discussed below:

Disk Storage

Disk storage provides disks for Azure VMs. Applications and other services can access and use these disks as needed. Disk storage allows data to be persistently stored and accessed from an attached virtual hard disk.
1. Standard SSD and HDD disks - used for less critical workloads
2. Premium SSD disks - for mission-critical production applications
3. Ultra disks - for data-intensive workloads such as SAP HANA, top tier databases, and transaction-heavy workloads

Blob Storage

Azure Blob Storage is an object storage solution that can store massive amounts of data such as text, or binary data such as images, audio, video, and documents.

Blob storage is unstructured, meaning that there are no restrictions on the kinds of data it can hold. You store blobs in containers, which help you organize your blobs depending on your business needs.

Blob storage is ideal for:
1. Serving images or documents directly to a browser
2. Storing files for distributed access
3. Streaming videos and audio
4. Storing data for backup and restore, disaster recovery, and archiving
5. Storing data for analysis by an on-premises or Azure-hosted service
6. Storing up to 8 TB of data for VMs

Blob Storage Tiers:
1. Hot access tier: Optimized for storing data that is accessed frequently (e.g. images for your website)
2. Cool access tier: Optimized for data that is infrequently accessed and stored for at least 30 days (e.g. invoices for your customers)
3. Archive access tier: Appropriate for data that is rarely accessed and stored for at least 180 days, with flexible latency requirements (e.g. long-term backups)

Azure Files

Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) and Network File System protocols. Any number of VMs or roles can mount and access the file storage share simultaneously.

Use Azure Files for the following scenarios:

1. For applications that use file shares
2. To share files, diagnostic data, or application data anywhere in the world
3. Store configuration files on a file share and access from multiple VMs
4. Write data to a file share, and process or analyze the data later.

Azure Storage Account

An Azure storage account contains all of your Azure Storage data objects, including blobs, file shares, queues, tables, and disks. The storage account provides a unique namespace for your Azure Storage data that's accessible from anywhere in the world over HTTP or HTTPS. The default capacity of a storage account is 5 PiB (pebibytes).

Below are the types of storage accounts:

| Type of storage account | Supported storage services | Redundancy options | Usage |
| --- | --- | --- | --- |
| Standard general-purpose v2 | Blob Storage (including Data Lake Storage), Queue Storage, Table Storage, and Azure Files | Locally redundant storage (LRS) / geo-redundant storage (GRS) / read-access geo-redundant storage (RA-GRS); zone-redundant storage (ZRS) / geo-zone-redundant storage (GZRS) / read-access geo-zone-redundant storage (RA-GZRS) | Standard storage account type for blobs, file shares, queues, and tables. Recommended for most scenarios using Azure Storage. If you want support for network file system (NFS) in Azure Files, use the premium file shares account type. |
| Premium block blobs | Blob Storage (including Data Lake Storage) | LRS; ZRS | Premium storage account type for block blobs and append blobs. Recommended for scenarios with high transaction rates or that use smaller objects or require consistently low storage latency. |
| Premium file shares | Azure Files | LRS; ZRS | Premium storage account type for file shares only. Recommended for enterprise or high-performance scale applications. Use this account type if you want a storage account that supports both Server Message Block (SMB) and NFS file shares. |
| Premium page blobs | Page blobs only | LRS | Premium storage account type for page blobs only. |

Storage account endpoints

A storage account provides a unique namespace in Azure for your data. Every object that you store in Azure Storage has a URL address that includes your unique account name. The combination of the account name and the service endpoint forms the endpoints for your storage account.

There are two types of service endpoints available for a storage account:

  • Standard endpoints (recommended). You can create up to 250 storage accounts per region with standard endpoints in a given subscription.

  • Azure DNS zone endpoints (preview). You can create up to 5000 storage accounts per region with Azure DNS zone endpoints in a given subscription.

Resource Management in Azure

Resource

A resource is a manageable item available in Azure, such as VMs, storage accounts, web apps, databases, virtual networks etc. Resource groups, subscriptions, management groups, and tags are also examples of resources.

Resource Group

A resource group is a logical container that holds related resources for an Azure solution. You decide which resources belong in a resource group based on what makes the most sense for your organization.

Azure Resource Manager (ARM)

Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account.
It helps you automate resource deployments using templates. Azure Resource Manager integrates with the Azure portal, PowerShell, the CLI, and the REST API to perform deployment and management tasks. It gives you an easy way to deploy multiple resource instances or reliably redeploy resources, and using templates helps to ensure consistency. A validation step also ensures that all resources can be created in the proper order based on their dependencies, in parallel where possible, and idempotently.

You use ARM templates to describe the resources you want to use, in a declarative JSON format.
Example template:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-04-01",
      "name": "mystorageaccount",
      "location": "westus",
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "StorageV2",
      "properties": {}
    }
  ]
}

Add, Delete, Move or Lock Resources

You can add or delete resources in a resource group. You can also move resources between resource groups. A resource can reside in only one resource group at a time. Deleting a resource group will delete all resources contained in that group.

You can apply locks to a resource group or subscription to prevent accidental deletion or to make the contained resources read-only. You can also apply locks directly to a resource. When a resource group is locked, you cannot add or remove resources from it. There are two types of resource locks in Azure -
CanNotDelete lock - authorized users can read and modify a resource, but they cannot delete it
ReadOnly lock - authorized users can read a resource, but they cannot delete or update it.

Cost Management in Azure

Below are a few of the options. Other options can be found in the Azure portal.

Azure Reservations

Azure Reservations offers discounted prices on certain Azure services. Azure Reservations can save you up to 72% compared to pay-as-you-go prices. To receive a discount, you can reserve services and resources by paying in advance.

Tags

Tags are metadata elements that you can use to categorize your resources. A tag is basically a key-value pair. You can apply tags to your Azure resources, resource groups, and subscriptions.

For instance, if you want to categorize your resources by environment, you add a key named Environment. Then, all resources in development environment can be given the value of Development, and the production resources can be given the value of Production. Fully formed, the key-value pair becomes Environment=Development or Environment=Production.

Another instance can be using tags to categorize costs by department, such as human resources, marketing, or finance.

Azure Advisor

Use Azure Advisor to monitor your usage. It identifies unused or underutilized resources and recommends which ones you can remove.

Use spending limits

If you have a free trial or a credit-based Azure subscription, you can use spending limits to prevent accidental overrun.

Choose low-cost locations and regions

The cost of Azure resources can vary across locations and regions. If possible, you should deploy them in locations where they cost less.

Use Azure Cost Management + Billing to control spending

Cost Management is a free service that helps you understand your Azure bill, manage your account and subscriptions, monitor and control Azure spending, and optimize resource use. Cost Management features include:

  1. Reporting: Use historical data to generate reports and forecast future usage and expenditure

  2. Data enrichment: Improve accountability by categorizing resources with tags that correspond to real-world business and organizational units.

  3. Budgets: Create and manage cost and usage budgets by monitoring resource demand trends, consumption rates, and cost patterns.

  4. Alerting: Get alerts based on your cost and usage budgets

  5. Recommendations: Receive recommendations to eliminate idle resources and to optimize the Azure resources you provision

Governance in Azure

Governance describes the general process of establishing rules and policies and ensuring that those rules and policies are enforced. Below are the different ways in which policies are created and enforced in Azure.

Azure Role-Based Access Control (RBAC)

In Azure, access to resources can be controlled through Azure RBAC. Azure provides built-in roles such as Owner, Reader, or Contributor. You can also define your own roles. Each role has an associated set of access permissions relevant to that role. When you assign individuals or teams to one or more roles, they receive all of the associated access permissions.

Role-based access control is applied to a scope. A scope can be -
A management group (a collection of multiple subscriptions)
A single subscription
A resource group
A single resource

When you grant access to a scope, those permissions are inherited by all child scopes. For example, when you assign the Owner role to a user at the management group scope, that user can manage everything in all subscriptions within the management group.

RBAC uses an allow model. When you're assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete.

You can manage access permissions on the Access Control (IAM) pane in the Azure portal. This pane shows who has access to what scope and what roles apply. You can also grant or remove access from this pane.
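As an added example (not from the Microsoft material these notes follow), a resource-group-scoped ARM template that assigns the built-in Reader role to one principal. It applies the allow model and scope inheritance described above: the principal can read every resource in this group and nothing else, instead of receiving Owner at a higher scope. The principal object ID is a placeholder parameter; the Reader role definition ID is Azure's well-known value for that built-in role.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "Placeholder: object ID of the user, group, or service principal to grant Reader"
      }
    },
    "principalType": {
      "type": "string",
      "defaultValue": "User",
      "allowedValues": [ "User", "Group", "ServicePrincipal" ]
    }
  },
  "variables": {
    "readerRoleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[guid(resourceGroup().id, parameters('principalId'), variables('readerRoleDefinitionId'))]",
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('readerRoleDefinitionId'))]",
        "principalId": "[parameters('principalId')]",
        "principalType": "[parameters('principalType')]"
      }
    }
  ]
}
```

The assignment name is a deterministic GUID built from the scope, principal and role, so redeploying the template updates the same assignment rather than creating duplicates, and the Access Control (IAM) pane will show exactly one Reader entry for the principal at this resource group.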

Resource Locks

You can apply locks to a resource group or subscription to prevent accidental deletion or to make the contained resources read-only. You can also apply locks directly to a resource. When a resource group is locked, you cannot add or remove resources from it. There are two types of resource locks in Azure -
CanNotDelete lock - authorized users can read and modify a resource, but they cannot delete it
ReadOnly lock - authorized users can read a resource, but they cannot delete or update it.

Think of a lock as a warning system that reminds you that a resource should not be deleted or changed. You can still modify or remove the lock by following additional steps.

Resource Tags

Tags are metadata elements that you can use to categorize your resources. A tag is basically a key-value pair. You can apply tags to your Azure resources, resource groups, and subscriptions.

For instance, if you want to categorize your resources by environment, you add a key named Environment. Then, all resources in development environment can be given the value of Development, and the production resources can be given the value of Production. Fully formed, the key-value pair becomes Environment=Development or Environment=Production.

Another instance can be using tags to categorize costs by department, such as human resources, marketing, or finance.

Azure Policy

Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit resources. These policies enforce rules across all resource configurations so that the configurations stay compliant with corporate standards.
Azure Policy enables you to define both individual policies and groups of related policies, known as initiatives. Azure Policy evaluates your resources and highlights resources that aren't compliant with the policies you have created.

For instance, Azure Policy lets you enforce company standards on new virtual machines. If you define a policy that allows only certain VM sizes to be used in your environment, that policy is invoked when you create a new VM and whenever you resize an existing VM.
Another instance is a policy for allowed regions, which restricts the deployment of VMs to specific locations.
Tags even enable you to classify data by its security level, such as public or confidential.
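As an added example (not from the Microsoft material these notes are based on), a subscription-level ARM template that creates the "allowed VM sizes" policy described above and assigns it to the subscription with a deny effect. The approved size list is a placeholder; the double bracket `[[` in the policy rule stops the template engine from evaluating the policy's own parameter reference.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "allowedSizes": {
      "type": "array",
      "defaultValue": [ "Standard_B2s", "Standard_D2s_v3" ],
      "metadata": {
        "description": "Placeholder list of approved VM sizes; replace with your organization's list"
      }
    }
  },
  "variables": {
    "definitionName": "allowed-vm-sizes-example"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2021-06-01",
      "name": "[variables('definitionName')]",
      "properties": {
        "displayName": "Allowed VM sizes (example)",
        "policyType": "Custom",
        "mode": "Indexed",
        "parameters": {
          "allowedSizes": { "type": "Array" }
        },
        "policyRule": {
          "if": {
            "allOf": [
              { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
              {
                "not": {
                  "field": "Microsoft.Compute/virtualMachines/sku.name",
                  "in": "[[parameters('allowedSizes')]"
                }
              }
            ]
          },
          "then": { "effect": "deny" }
        }
      }
    },
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2021-06-01",
      "name": "allowed-vm-sizes-assignment",
      "dependsOn": [
        "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', variables('definitionName'))]"
      ],
      "properties": {
        "displayName": "Enforce approved VM sizes",
        "policyDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', variables('definitionName'))]",
        "parameters": {
          "allowedSizes": { "value": "[parameters('allowedSizes')]" }
        }
      }
    }
  ]
}
```

Because the rule matches on the VM's sku.name, a create request and a resize of an existing VM are both evaluated, and the request is rejected before the resource changes; VMs that already violate the policy are reported as non-compliant rather than modified.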

Azure Blueprints

With Azure Blueprints, you can define a repeatable set of governance tools and standard Azure resources that your organization requires.
When your cloud environment grows beyond just one subscription, instead of having to configure roles and policies for each subscription, you can use Azure Blueprints to scale the configurations across multiple subscriptions.
Azure Blueprints simplifies large-scale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager (ARM) templates, role-based access controls (RBAC), and policies, into a single blueprint definition. You can easily apply the blueprint to new subscriptions and environments.

Microsoft Trust Center

The Trust Center showcases the Microsoft principles for maintaining data integrity in the cloud and how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services.
For instance, if you need to identify which Azure services are compliant with the ISO 27001 Information Security Management standard, the Trust Center is where to look.

Azure management tools

Azure Portal

A web-based user interface that allows you to access virtually every feature of Azure. It provides a graphical UI to view all the services you are using, create new services, configure your services, and view reports. But as your Azure usage grows, you'll likely choose a more repeatable code-centric approach to managing your Azure resources.

Azure Mobile App

An app that can be used on Android or iOS to access your Azure resources. With it you can:
- Monitor the health and status of your Azure resources.
- Check for alerts, quickly diagnose and fix issues, and restart a web app or VM
- Run Azure CLI or Azure PowerShell commands to manage your Azure resources.

Azure PowerShell

Azure PowerShell is a shell in which a user can execute commands called cmdlets (command-lets) that call the Azure REST API. It runs on Windows, Linux, and macOS, and you can access it in a web browser via Azure Cloud Shell.

Azure CLI

Azure CLI is an executable program with which a user can execute commands in Bash that call the Azure REST API. In many ways Azure CLI is almost identical to Azure PowerShell; the primary difference is the syntax you use (Bash vs PowerShell).

Azure Cloud Shell

Azure Cloud Shell is an interactive, browser-accessible shell for managing Azure resources.

Azure monitoring tools

Azure Advisor

Azure Advisor evaluates your Azure resources and makes recommendations to help improve reliability, security, and performance, achieve operational excellence, and reduce costs. Advisor is designed to help you save time on cloud optimization.

Azure Monitor

Azure Monitor is a platform for collecting, analyzing, visualizing, and potentially taking action based on the metric and logging data from your entire Azure and on-premises environment.
Application Insights is a feature of Azure Monitor that allows you to monitor running applications, automatically detect performance anomalies, and use built-in analytics tools to see what users do on an app.

Azure Service Health

Azure Service Health provides a personalized view of the health of the Azure services, regions, and resources that you are using. It displays both major and smaller, localized issues that affect you. You can set up alerts that help you triage outages and planned maintenance. After an outage, Service Health provides official incident reports, called root cause analyses (RCAs), which you can share with stakeholders. It can help you keep an eye on several types of issues/events such as:
1. Service issues - these are problems in Azure, such as outages, that affect you right now. Using Service Health, you can drill down to the affected services, regions, and find ways to share and track the latest information.
2. Planned maintenance - You can drill down to the affected services, regions, and details to show how an event will affect you and what you need to do. Service Health also allows you to choose when to perform the maintenance to minimize the downtime.
3. Health advisories - these are issues that require you to act to avoid service interruption, including service retirements and breaking changes. Health advisories are announced far in advance to allow you to plan.

Azure Security

Below are the security features provided by Azure:

1. Microsoft Sentinel

It delivers intelligent security analytics for attack detection, threat visibility, proactive hunting and threat response.

2. Microsoft Defender for Cloud

It provides integrated security monitoring and policy management across your Azure subscriptions. It provides you with a single dashboard for alerts and recommendations that can be acted upon immediately.

3. Azure Storage Encryption

It is a feature that encrypts data using 256-bit AES encryption before storing it in Azure Storage. Data remains encrypted while in transit between the customer's computer and Azure, and between Azure data centers. This feature cannot be disabled.

4. Express Route

It is a dedicated private network connection (VPN) between your organization and Microsoft Cloud Services. It provides a more secure, reliable, and predictable way to connect to Microsoft Cloud services than connecting over the internet.

5. Azure Key Vault

It is used to manage API keys, tokens, passwords, certificates, and other secrets.

6. Azure Active Directory

It is a cloud-based identity and access management service that helps you manage users, groups, and access to applications in your Azure subscription.

Authentication and Authorization in Azure

Authentication

Authentication is the process of establishing the identity of a person or service that wants to access a resource. It involves the act of challenging a party for legitimate credentials to establish whether the user is who they say they are.

Authorization

Authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they're allowed to access and what they can do with it.

Azure Active Directory

Azure AD provides identity services that enable your users to sign in and access cloud applications.

It provides services such as:
1. Authentication: This includes verifying identity to access applications and resources, as well as other services such as self-service password reset, multi-factor authentication (MFA), and smart lockout services

2. Single Sign-on: SSO enables you to remember only one username and one password to access multiple applications. A single identity is tied to a user, and access rules are tied to that identity.

3. Application management: Features like Application Proxy, SaaS apps, the My Apps portal, and SSO provide a better experience.

4. Device management: Azure AD supports the registration of devices. This enables devices to be managed through tools like Microsoft Intune. It also allows for device-based Conditional Access policies to restrict access attempts to only those coming from known devices, regardless of the requesting user account.

Multi-Factor Authentication (MFA)

Azure AD Multi-Factor Authentication provides multifactor authentication capabilities, enabling users to choose an additional form of authentication during sign-in, such as phone call or mobile app notification.

Conditional Access

Conditional Access is a tool that Azure AD uses to allow or deny access to resources based on identity signals. These signals include who the user is, where the user is, and what device the user is requesting access from. To use Conditional Access, you need an Azure AD Premium P1 or P2 license.
Conditional Access also provides a more granular multifactor authentication experience for users. For example, a user might not be challenged for second authentication if they're at a known location. However, they might be challenged for a second authentication factor if their sign-in signals are unusual or they're at an unexpected location.

Next up - Azure Fundamentals Knowledge Check - Part 1