Az900 Notes


Cloud computing is the delivery of computing services over the internet by using a pay-as-you-go
pricing model. You typically pay only for the cloud services you use, which helps you:

Lower your operating costs.
Run your infrastructure more efficiently.
Scale as your business needs change.

What is the Azure portal?


The Azure portal is a web-based, unified console that provides an alternative to command-line
tools. With the Azure portal, you can manage your Azure subscription by using a graphical user
interface. You can:

Build, manage, and monitor everything from simple web apps to complex cloud deployments.
Create custom dashboards for an organized view of resources.
Configure accessibility options for an optimal experience.

There are 10 categories of services in total:

1) Compute
2) Network
3) Storage
4) IoT
5) AI
6) Databases
7) Mobile
8) Web (helps with web apps)
9) Big Data
10) DevOps

There are several advantages that a cloud environment has over a physical environment that
Tailwind Traders can use following its migration to Azure.

● High availability: Depending on the service-level agreement (SLA) that you choose, your
cloud-based apps can provide a continuous user experience with no apparent downtime,
even when things go wrong.
● Scalability: Apps in the cloud can scale vertically and horizontally:
○ Scale vertically to increase compute capacity by adding RAM or CPUs to a virtual
machine.
○ Scaling horizontally increases compute capacity by adding instances of
resources, such as adding VMs to the configuration.
● Elasticity: You can configure cloud-based apps to take advantage of autoscaling, so your
apps always have the resources they need.
● Agility: Deploy and configure cloud-based resources quickly as your app requirements
change.
● Geo-distribution: You can deploy apps and data to regional datacenters around the
globe, thereby ensuring that your customers always have the best performance in their
region.
● Disaster recovery: By taking advantage of cloud-based backup services, data
replication, and geo-distribution, you can deploy your apps with the confidence that
comes from knowing that your data is safe in the event of disaster.

Azure has an organizing structure for resources with four levels: management groups,
subscriptions, resource groups, and resources.

Management Groups → Subscriptions → Resource Groups → Resources

Resources: Resources are instances of services that you create, like virtual machines,
storage, or SQL databases.
Resource groups: Resources are combined into resource groups, which act as a logical
container into which Azure resources like web apps, databases, and storage accounts are
deployed and managed.
Subscriptions: A subscription groups together user accounts and the resources that have
been created by those user accounts. For each subscription, there are limits or quotas on the
amount of resources that you can create and use. Organizations can use subscriptions to
manage costs and the resources that are created by users, teams, or projects.
Management groups: These groups help you manage access, policy, and compliance for
multiple subscriptions. All subscriptions in a management group automatically inherit the
conditions applied to the management group.

Availability zones are physically separate datacenters within an Azure region. Each availability
zone is made up of one or more datacenters equipped with independent power, cooling, and
networking. An availability zone is set up to be an isolation boundary. If one zone goes down,
the other continues working. Availability zones are connected through high-speed, private fiber-
optic networks.

Availability zones are created by using one or more datacenters. There's a minimum of three
zones within a single region. It's possible that a large disaster could cause an outage big
enough to affect even two datacenters. That's why Azure also creates region pairs.

Resource groups can't be nested.
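The four-level hierarchy above, the inheritance of management-group conditions by everything beneath them, and the rule that resource groups cannot be nested can be modelled in a few lines. The following is an added example, not code from the notes or from Microsoft; the scope names and the policy, role and lock assignments are constructed, and the assignment strings are plain labels rather than real Azure policy definitions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Which scope kinds may sit directly under which parent kind. A resource group may
# contain only resources, which is why resource groups cannot be nested.
ALLOWED_CHILDREN = {
    "ManagementGroup": {"ManagementGroup", "Subscription"},
    "Subscription": {"ResourceGroup"},
    "ResourceGroup": {"Resource"},
    "Resource": set(),
}


def placement_allowed(parent_kind: str, child_kind: str) -> bool:
    return child_kind in ALLOWED_CHILDREN[parent_kind]


@dataclass
class Scope:
    name: str
    kind: str
    parent: Optional["Scope"] = None
    # Conditions applied directly at this scope (policy assignments, locks, role assignments).
    assignments: list = field(default_factory=list)

    def add_child(self, name: str, kind: str) -> "Scope":
        """Create a child scope, rejecting placements the hierarchy does not allow."""
        if not placement_allowed(self.kind, kind):
            raise ValueError(f"a {kind} cannot be placed under a {self.kind}")
        return Scope(name, kind, parent=self)

    def chain(self) -> list:
        """Scopes from the root management group down to this one."""
        out, s = [], self
        while s is not None:
            out.append(s)
            s = s.parent
        return list(reversed(out))


def effective_assignments(scope: Scope) -> list:
    """Everything that applies at `scope`: assignments made here plus those inherited from
    every ancestor, as (scope where assigned, assignment) pairs, outermost first."""
    return [(s.name, a) for s in scope.chain() for a in s.assignments]


def build_sample_vm() -> Scope:
    """Constructed sample hierarchy; names and assignments are illustrative only.
    Returns the leaf resource so callers can walk upwards from it."""
    root = Scope("Tenant Root Group", "ManagementGroup")
    root.assignments.append("Policy: allowed locations = eastus, westeurope")
    prod_mg = root.add_child("mg-production", "ManagementGroup")
    prod_mg.assignments.append("Policy: require tag 'owner' on every resource")
    sub = prod_mg.add_child("sub-payments", "Subscription")
    sub.assignments.append("Role: Reader for group 'finance-auditors'")
    rg = sub.add_child("rg-payments-web", "ResourceGroup")
    rg.assignments.append("Lock: CanNotDelete")
    return rg.add_child("vm-web-01", "Resource")


if __name__ == "__main__":
    vm = build_sample_vm()
    print(" -> ".join(f"{s.kind}:{s.name}" for s in vm.chain()))
    for where, what in effective_assignments(vm):
        print(f"{what}  (inherited from {where})")
```

Walking the chain from the VM upward shows why a policy set once on the root management group reaches every subscription, resource group and resource below it; the `add_child` check is where an attempt to nest one resource group inside another is refused.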


Azure Resource Manager
Azure Resource Manager is the deployment and management service for Azure. It provides a
management layer that enables you to create, update, and delete resources in your Azure
account. You use management features like access control, locks, and tags to secure and
organize your resources after deployment.
When a user sends a request from any of the Azure tools, APIs, or SDKs, Resource Manager
receives the request. It authenticates and authorizes the request. Resource Manager sends the
request to the Azure service, which takes the requested action. Because all requests are
handled through the same API, you see consistent results and capabilities in all the different
tools.

https://docs.microsoft.com/en-us/learn/modules/azure-architecture-fundamentals/resources-resource-manager.

Azure subscriptions
Using Azure requires an Azure subscription. A subscription provides you with authenticated and
authorized access to Azure products and services. It also allows you to provision resources. An
Azure subscription is a logical unit of Azure services that links to an Azure account, which is an
identity in Azure Active Directory (Azure AD) or in a directory that Azure AD trusts.

An account can have one subscription or multiple subscriptions that have different billing models
and to which you apply different access-management policies. You can use Azure subscriptions
to define boundaries around Azure products, services, and resources. There are two types of
subscription boundaries that you can use:
● Billing boundary: This subscription type determines how an Azure account is billed for
using Azure. You can create multiple subscriptions for different types of billing
requirements. Azure generates separate billing reports and invoices for each
subscription so that you can organize and manage costs.
● Access control boundary: Azure applies access-management policies at the subscription
level, and you can create separate subscriptions to reflect different organizational
structures. An example is that within a business, you have different departments to
which you apply distinct Azure subscription policies. This billing model allows you to
manage and control access to the resources that users provision with specific
subscriptions.

Customize billing to meet your needs
If you have multiple subscriptions, you can organize them into invoice sections. Each invoice
section is a line item on the invoice that shows the charges incurred that month. For example,
you might need a single invoice for your organization but want to organize charges by
department, team, or project.

Depending on your needs, you can set up multiple invoices within the same billing account. To
do this, create additional billing profiles. Each billing profile has its own monthly invoice and
payment method.

The following diagram shows an overview of how billing is structured. If you've previously signed
up for Azure or if your organization has an Enterprise Agreement, your billing might be set up
differently.

Azure Compute Services

Virtual Machine
Virtual machines are software emulations of physical computers. They include a virtual processor,
memory, storage, and networking resources. VMs host an operating system, and you can install
and run software just like a physical computer. When using a remote desktop client, you can
use and control the VM as if you were sitting in front of it.

Virtual machine scale sets are an Azure compute resource that you can use to deploy and
manage a set of identical VMs.
With all VMs configured the same, virtual machine scale sets are designed to support true
autoscale. As demand goes up, more VM instances can be added. As demand goes down, VM
instances can be removed. The process can be manual, automated, or a combination of both.

Containers and Kubernetes


Container Instances and Azure Kubernetes Service are Azure compute resources that you can
use to deploy and manage containers. Containers are lightweight, virtualized application
environments. They're designed to be quickly created, scaled out, and stopped dynamically.
You can run multiple instances of a containerized application on a single host machine.

App Service
With Azure App Service, you can quickly build, deploy, and scale enterprise-grade web, mobile,
and API apps running on any platform. You can meet rigorous performance, scalability, security,
and compliance requirements while using a fully managed platform to perform infrastructure
maintenance. App Service is a platform as a service (PaaS) offering.
An image is a template used to create a VM. These templates already include an OS and often
other software, like development tools or web hosting environments.

Virtual machine scale sets and Azure Batch are the two services that help increase scale when
required.

Virtual machine scale sets let you create and manage a group of identical, load-balanced VMs.
Imagine you're running a website that enables scientists to upload astronomy images that need
to be processed. If you duplicated the VM, you'd normally need to configure an additional
service to route requests between multiple instances of the website. Virtual machine scale sets
could do that work for you.
Scale sets allow you to centrally manage, configure, and update a large number of VMs in
minutes to provide highly available applications. The number of VM instances can automatically
increase or decrease in response to demand or a defined schedule. With virtual machine scale
sets, you can build large-scale services for areas such as compute, big data, and container
workloads.

Azure Batch enables large-scale parallel and high-performance computing (HPC) batch jobs
with the ability to scale to tens, hundreds, or thousands of VMs.
When you're ready to run a job, Batch does the following:
● Starts a pool of compute VMs for you.
● Installs applications and staging data.
● Runs jobs with as many tasks as you have.
● Identifies failures.
● Requeues work.
● Scales down the pool as work completes.

App Service enables you to build and host web apps, background jobs, mobile back-ends, and
RESTful APIs in the programming language of your choice without managing infrastructure. It
offers automatic scaling and high availability. App Service supports Windows and Linux and
enables automated deployments from GitHub, Azure DevOps, or any Git repo to support a
continuous deployment model. This platform as a service (PaaS) environment allows you to
focus on the website and API logic while Azure handles the infrastructure to run and scale your
web applications. The App Service plan determines how much hardware is devoted to your
host.

Types of app services


With App Service, you can host most common app service styles like:
● Web apps
● API apps
● WebJobs
● Mobile apps

------------------------------------------------------------------------------------------------------------------------------

Azure Fundamentals: Cost management

Use the Pricing calculator to estimate the monthly cost of running your cloud workloads.

The TCO Calculator helps you estimate the cost savings of operating your solution on Azure
over time, instead of in your on-premises datacenter. In other words, it estimates the cost of
using Azure services instead of owning a datacenter. You do not need an Azure subscription to
use the TCO Calculator.

Working with the TCO Calculator involves three steps:

1) Define your workloads.
2) Adjust assumptions.
3) View the report.

To define the workloads, you need to identify the following:

Server: This category includes operating systems, virtualization methods, CPU cores, and
memory (RAM).
Database: includes database types, server hardware, and the Azure service and maximum
user sign-ins.
Networking: includes the amount of network bandwidth you currently consume in your
on-premises environment.
Storage: includes storage type and capacity, which includes any backup or archive storage.

Adjust assumptions: adjust for Software Assurance, which can save you money by reusing
those licenses on Azure.
How do I purchase Azure services?
There are three main ways to purchase services on Azure. They are:

Through an Enterprise Agreement

Larger customers, known as enterprise customers, can sign an Enterprise Agreement with
Microsoft. This agreement commits them to spending a predetermined amount on Azure
services over a period of three years. The service fee is typically paid annually. As an Enterprise
Agreement customer, you'll receive the best customized pricing based on the kinds and
amounts of services you plan on using.

Directly from the web

Here, you purchase Azure services directly from the Azure portal website and pay standard
prices. You're billed monthly, as a credit card payment or through an invoice. This purchasing
method is known as Web Direct.

Through a Cloud Solution Provider

A Cloud Solution Provider (CSP) is a Microsoft Partner who helps you build solutions on top of
Azure. Your CSP bills you for your Azure usage at a price they determine. They also answer
your support questions and escalate them to Microsoft, as needed.

Transferring data between zones incurs charges.

Keep in mind that the Pricing calculator provides estimates and not actual price quotes. Actual
prices can vary depending upon the date of purchase, the payment currency you're using, and
the type of Azure customer you are.

An accurate cost estimate takes all of the preceding factors into account. Fortunately, the Azure
Pricing calculator helps you with that process.

Azure Advisor
Azure Advisor identifies unused or underutilized resources and recommends unused resources
that you can remove. This information helps you configure your resources to match your actual
workload.

Use spending limits to restrict your spending.

Use Azure Reservations to prepay for services and get a discount of up to 72%. Azure
Reservations are available to customers with an Enterprise Agreement, Cloud Solution
Providers, and pay-as-you-go subscriptions.

Choose low-cost locations and regions.

Research available cost-saving offers.

Use Azure Cost Management + Billing to control spending. Azure Cost Management + Billing is
a free service that helps you understand your Azure bill, manage your account and
subscriptions, monitor and control Azure spending, and optimize resource use.

Apply tags to identify cost owners- Tags help you manage costs associated with the different
groups of Azure products and resources. You can apply tags to groups of Azure resources to
organize billing data.

For example, if you run several VMs for different teams, you can use tags to categorize costs by
department, such as Human Resources, Marketing, or Finance, or by environment, such as
Test or Production.

Tags make it easier to identify groups that generate the biggest Azure costs, which can help you
adjust your spending accordingly.

Other ways to reduce cost: resize underutilized virtual machines, deallocate virtual machines
during off hours, migrate from IaaS to PaaS services, choose a cost-effective operating system,
and use Azure Hybrid Benefit to repurpose software licenses on Azure.
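The tag-based cost breakdown described above, as an added example that is not part of the notes or of any Microsoft tooling. It assumes cost records shaped like rows of a cost export (resource name, tag dictionary, monthly cost); the records themselves are constructed and the amounts are illustrative. Untagged resources are kept in a separate bucket rather than dropped, because spend with no owner is exactly what a tagging scheme exists to surface.

```python
from collections import defaultdict

# Constructed sample cost records (resource, tags, monthly cost in USD); not real export data.
SAMPLE_COSTS = [
    {"resource": "vm-hr-01",    "tags": {"department": "HR",        "environment": "Production"}, "cost": 312.40},
    {"resource": "vm-hr-02",    "tags": {"department": "HR",        "environment": "Test"},       "cost": 96.10},
    {"resource": "vm-mkt-01",   "tags": {"department": "Marketing", "environment": "Production"}, "cost": 540.00},
    {"resource": "sql-fin-01",  "tags": {"department": "Finance",   "environment": "Production"}, "cost": 880.25},
    {"resource": "vm-legacy-9", "tags": {},                                                        "cost": 215.00},
]

UNTAGGED = "(untagged)"


def cost_by_tag(records, tag_name):
    """Sum cost per value of `tag_name`. Resources missing the tag go into an (untagged)
    bucket so that unattributed spend stays visible instead of silently disappearing."""
    totals = defaultdict(float)
    for r in records:
        totals[r["tags"].get(tag_name, UNTAGGED)] += r["cost"]
    return {k: round(v, 2) for k, v in totals.items()}


def biggest_cost_owners(records, tag_name, top=3):
    """Tag values ranked by spend, highest first: the groups to look at when adjusting spend."""
    ranked = sorted(cost_by_tag(records, tag_name).items(), key=lambda kv: kv[1], reverse=True)
    return ranked[:top]


def untagged_resources(records, tag_name):
    """Resources that cannot be attributed to a cost owner because the tag is missing."""
    return [r["resource"] for r in records if tag_name not in r["tags"]]


if __name__ == "__main__":
    print("by department:", cost_by_tag(SAMPLE_COSTS, "department"))
    print("by environment:", cost_by_tag(SAMPLE_COSTS, "environment"))
    print("top owners:", biggest_cost_owners(SAMPLE_COSTS, "department", top=2))
    print("no owner tag:", untagged_resources(SAMPLE_COSTS, "department"))
```

Running the same aggregation over the `environment` tag gives the Test versus Production split the notes mention; the `untagged_resources` list is the follow-up work item, since a tag-based breakdown is only as complete as the tagging.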

SLA
A service-level agreement (SLA) is a formal agreement between a service company and the
customer. For Azure, this agreement defines the performance standards that Microsoft commits
to for you, the customer.
Downtime refers to the duration for which the service is unavailable.

SLA percentage | Downtime per week | Downtime per month | Downtime per year
99             | 1.68 hours        | 7.2 hours          | 3.65 days
99.9           | 10.1 minutes      | 43.2 minutes       | 8.76 hours
99.95          | 5 minutes         | 21.6 minutes       | 4.38 hours
99.99          | 1.01 minutes      | 4.32 minutes       | 52.56 minutes
99.999         | 6 seconds         | 25.9 seconds       | 5.26 minutes

Monthly uptime percentage | Service credit percentage
< 99.99                   | 10
< 99                      | 25
< 95                      | 100

Free products typically don't have an SLA.

Azure status provides a global view of the health of Azure services and regions. If you suspect
there's an outage, this is often a good place to start your investigation.

Azure status provides an RSS feed of changes to the health of Azure services that you can
subscribe to. You can connect this feed to communication software such as Microsoft Teams or
Slack. From the Azure status page, you can also access Azure Service Health. This provides a
personalized view of the health of the Azure services and regions that you're using, directly from
the Azure portal.

Application SLA
An application SLA defines the SLA requirements for a specific application. This term typically
refers to an application that you build on Azure.

A workload is a distinct capability or task that's logically separated from other tasks, in terms of
business logic and data storage requirements.

To calculate the SLA for an application or database, multiply the SLAs of the services you are
using. Remember that every instance counts: if you use two VMs, you multiply the VM SLA
twice. In other words, multiply the SLA of every instance of every service to get the final SLA.
If your application SLA does not meet the desired SLA or uptime, then:
- use a more advanced service with a higher SLA, or
- include redundancy to increase availability. To ensure high availability, you might plan for your
application to have duplicate components across several regions, known as redundancy.
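The SLA arithmetic in this section (the downtime table, the service credit tiers, and the composite SLA obtained by multiplying every service instance) carried through in code, as an added example that is not part of the notes. It reproduces the table's figures on the assumption the table itself uses (a 30-day month, 7-day week and 365-day year) and adds the redundancy case the notes mention but do not compute: components in series multiply their availabilities, while redundant copies in parallel combine by multiplying their unavailabilities. The service values used in the calls are illustrative, not quoted Azure SLAs.

```python
from math import prod

MINUTES_PER_WEEK = 7 * 24 * 60
MINUTES_PER_MONTH = 30 * 24 * 60   # the downtime table assumes a 30-day month
MINUTES_PER_YEAR = 365 * 24 * 60


def downtime_minutes(sla_percent: float, period_minutes: int) -> float:
    """Downtime allowed by an uptime percentage over a period, in minutes."""
    return period_minutes * (1 - sla_percent / 100)


def downtime_table(sla_percent: float) -> dict:
    """One row of the downtime table, in minutes (convert as needed for display)."""
    return {
        "week": round(downtime_minutes(sla_percent, MINUTES_PER_WEEK), 2),
        "month": round(downtime_minutes(sla_percent, MINUTES_PER_MONTH), 2),
        "year": round(downtime_minutes(sla_percent, MINUTES_PER_YEAR), 2),
    }


def service_credit_percent(monthly_uptime_percent: float) -> int:
    """Service credit tiers from the notes: below 99.99 -> 10%, below 99 -> 25%, below 95 -> 100%.
    Checked from the worst tier upward so each uptime lands in exactly one band."""
    if monthly_uptime_percent < 95:
        return 100
    if monthly_uptime_percent < 99:
        return 25
    if monthly_uptime_percent < 99.99:
        return 10
    return 0


def composite_sla(series_percent) -> float:
    """Dependencies in series: the application is up only when every service instance is up,
    so multiply the SLA of every instance (two VMs means the VM SLA appears twice)."""
    return 100 * prod(p / 100 for p in series_percent)


def redundant_sla(parallel_percent) -> float:
    """Redundant copies in parallel: the capability is down only when every copy is down,
    so multiply the unavailabilities and subtract from 1."""
    return 100 * (1 - prod(1 - p / 100 for p in parallel_percent))


def meets_target(app_sla_percent: float, target_percent: float) -> bool:
    return app_sla_percent >= target_percent


if __name__ == "__main__":
    print("99.9% allows", downtime_table(99.9), "minutes of downtime")
    single = composite_sla([99.9, 99.9, 99.99])          # two VMs plus one database
    print("two VMs in series with a database:", round(single, 4))
    redundant_tier = redundant_sla([99.9, 99.9])         # the same two VMs as a redundant pair
    print("same VMs as a redundant pair:", round(redundant_tier, 4))
    print("pair plus database:", round(composite_sla([redundant_tier, 99.99]), 4))
    print("meets 99.95 target:", meets_target(composite_sla([redundant_tier, 99.99]), 99.95))
```

The `__main__` block shows the two levers the notes list: the serial product of two VMs and a database falls below a 99.95 target, whereas treating the two VMs as a redundant pair (parallel) and then composing with the database clears it.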

Service Lifecycle-

The service lifecycle defines how every Azure service is released for public use.
Every Azure service starts in the development phase. In this phase, the Azure team collects and
defines its requirements, and begins to build the service.
Next, the service is released to the public preview phase. After a new Azure service is validated
and tested, it's released to all customers as a production-ready service. This is known as
general availability (GA).

Some previews aren't covered by customer support. Therefore, previews are not recommended
for business-critical workloads.

--------------------------------------------------------------------------------------------------------------

Azure: Protect from security threats

Azure Security Center

Azure Security Center is a monitoring service that provides visibility of your security posture
across all of your services, both on Azure and on-premises. The term security posture refers to
cybersecurity policies and controls, as well as how well you can predict, prevent, and respond to
security threats.

In the Resource security hygiene section, Tailwind Traders can see the health of its resources
from a security perspective. Secure score is a measurement of an organization's security
posture.

Secure score is based on security controls, or groups of related security recommendations.


Your score is based on the percentage of security controls that you satisfy. The more security
controls you satisfy, the higher the score you receive. Your score improves when you remediate
all of the recommendations for a single resource within a control.

To protect from threats:

Just-in-time VM access: This access blocks traffic by default to specific network ports of VMs,
but allows traffic for a specified time when an admin requests and approves it.
Adaptive application controls: The company can control which applications are allowed to run
on its VMs. In the background, Security Center uses machine learning to look at the processes
running on a VM. It creates exception rules for each resource group that holds the VMs and
provides recommendations. This process provides alerts that inform the company about
unauthorized applications that are running on its VMs.

Adaptive network hardening- Security Center can monitor the internet traffic
patterns of the VMs, and compare those patterns with the company's current network
security group (NSG) settings. From there, Security Center can make recommendations
about whether the NSGs should be locked down further and provide remediation steps.

File integrity monitoring


Tailwind Traders can also configure the monitoring of changes to important files on both
Windows and Linux, registry settings, applications, and other aspects that might indicate a
security attack.

Azure Sentinel-
Azure Sentinel is Microsoft's cloud-based SIEM system. It uses intelligent security analytics and
threat analysis.

Azure Sentinel enables you to:


● Collect cloud data at scale
Collect data across all users, devices, applications, and infrastructure, both on-premises
and from multiple clouds.
● Detect previously undetected threats
Minimize false positives by using Microsoft's comprehensive analytics and threat
intelligence.
● Investigate threats with artificial intelligence
Examine suspicious activities at scale, tapping into years of cybersecurity experience
from Microsoft.
● Respond to incidents rapidly
Use built-in orchestration and automation of common tasks.

Azure Sentinel can connect to multiple data sources:


● Connect Microsoft solutions
Connectors provide real-time integration for services like Microsoft Threat Protection
solutions, Microsoft 365 sources (including Office 365), Azure Active Directory, and
Windows Defender Firewall.
● Connect other services and solutions
Connectors are available for common non-Microsoft services and solutions, including
AWS CloudTrail, Citrix Analytics (Security), Sophos XG Firewall, VMware Carbon Black
Cloud, and Okta SSO.
● Connect industry-standard data sources
Azure Sentinel supports data from other sources that use the Common Event Format
(CEF) messaging standard, Syslog, or REST API.

Azure Sentinel helps detect threats:


Built-in analytics use templates designed by Microsoft's team of security experts and analysts
based on known threats, common attack vectors, and escalation chains for suspicious activity.

Custom analytics are rules that you create to search for specific criteria within your environment.
You can preview the number of results that the query would generate (based on past log
events) and set a schedule for the query to run. You can also set an alert threshold.
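A custom analytics rule of the kind described above (search for specific criteria, preview how many past log events match, apply an alert threshold), run over sample log lines, as an added example that is not part of the notes and does not use Sentinel's own query language or API. The log lines are constructed to resemble sign-in records and are not real Azure AD output; the rule name, the `SigninLogs` tag and the field names are assumptions. The rule alerts when one account accumulates a threshold number of failed sign-ins inside a lookback window, which is why the window is applied per user with a sliding range rather than a plain count.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample sign-in log lines (not real Azure AD output); timestamps are UTC.
SAMPLE_LOGS = """\
2024-03-01T09:00:05Z SigninLogs user=alice@example.com result=Failure ip=203.0.113.10
2024-03-01T09:00:40Z SigninLogs user=alice@example.com result=Failure ip=203.0.113.10
2024-03-01T09:01:15Z SigninLogs user=alice@example.com result=Failure ip=203.0.113.10
2024-03-01T09:01:50Z SigninLogs user=alice@example.com result=Failure ip=203.0.113.10
2024-03-01T09:02:30Z SigninLogs user=alice@example.com result=Success ip=203.0.113.10
2024-03-01T09:03:00Z SigninLogs user=bob@example.com result=Failure ip=198.51.100.7
2024-03-01T09:04:10Z SigninLogs user=bob@example.com result=Success ip=198.51.100.7
2024-03-01T09:30:00Z SigninLogs user=carol@example.com result=Failure ip=192.0.2.44
2024-03-01T09:55:00Z SigninLogs user=carol@example.com result=Failure ip=192.0.2.44
2024-03-01T10:20:00Z SigninLogs user=carol@example.com result=Failure ip=192.0.2.44
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SigninLogs user=(?P<user>\S+) result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)


@dataclass(frozen=True)
class SigninEvent:
    ts: datetime
    user: str
    result: str
    ip: str


@dataclass(frozen=True)
class AnalyticsRule:
    name: str
    window: timedelta   # lookback window the query runs over
    threshold: int      # alert when a user reaches this many failures inside the window


def parse_logs(text: str) -> list:
    """Parse log lines into events, skipping malformed lines instead of aborting the rule."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(SigninEvent(
                datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["result"], m["ip"]))
    return events


def preview_result_count(events: list) -> int:
    """The 'preview' step: how many past events the rule's filter would return."""
    return sum(1 for e in events if e.result == "Failure")


def run_rule(events: list, rule: AnalyticsRule) -> dict:
    """Group failures per user, find each user's busiest window of `rule.window`, and return
    {user: failures in that window} for the users who reach the threshold."""
    failures = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.result == "Failure":
            failures.setdefault(e.user, []).append(e.ts)
    alerts = {}
    for user, times in failures.items():
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > rule.window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= rule.threshold:
            alerts[user] = best
    return alerts


def detect_repeated_failures(log_text: str, window_minutes: int = 10, threshold: int = 3) -> dict:
    """Convenience wrapper: parse, build the rule, run it."""
    rule = AnalyticsRule("Repeated sign-in failures", timedelta(minutes=window_minutes), threshold)
    return run_rule(parse_logs(log_text), rule)


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print("query preview:", preview_result_count(events), "matching past events")
    print("alerts (10 min window):", detect_repeated_failures(SAMPLE_LOGS))
    print("alerts (60 min window):", detect_repeated_failures(SAMPLE_LOGS, window_minutes=60))
```

With a 10-minute window only the burst of failures on the first account fires; widening the window to 60 minutes also catches the slow, spaced-out failures on the third account, which is the tuning trade-off the threshold and schedule settings expose.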

Investigate and respond with Azure Sentinel

The company can investigate specific alerts or incidents (a group of related alerts). With the
investigation graph, the company can review information from entities directly connected to the
alert, and see common exploration queries to help guide the investigation.

The company will also use Azure Monitor Playbooks to automate responses to threats. For
example, it can set an alert that looks for malicious IP addresses that access the network and
create a workbook that does the following steps:

When the alert is triggered, open a ticket in the IT ticketing system.

Send a message to the security operations channel in Microsoft Teams or Slack to make sure
the security analysts are aware of the incident.

Send all of the information in the alert to the senior network admin and to the security admin.
The email message has two user option buttons: Block or Ignore.

When an admin chooses Block, the IP address is blocked in the firewall, and the user is
disabled in Azure Active Directory. When an admin chooses Ignore, the alert is closed in Azure
Sentinel, and the incident is closed in the IT ticketing system.

The playbook continues to run after it receives a response from the admins.

Playbooks can be run manually or automatically when a rule triggers an alert.

Store and manage secrets by using Azure Key Vault

Azure Key Vault is a centralized cloud service for storing an application's secrets in a single,
central location. It provides secure access to sensitive information by providing access control
and logging capabilities.
Azure Key Vault can help you:
● Manage secrets
You can use Key Vault to securely store and tightly control access to tokens, passwords,
certificates, API keys, and other secrets.
● Manage encryption keys
You can use Key Vault as a key management solution. Key Vault makes it easier to
create and control the encryption keys that are used to encrypt your data.
● Manage SSL/TLS certificates
Key Vault enables you to provision, manage, and deploy your public and private Secure
Sockets Layer/Transport Layer Security (SSL/TLS) certificates for both your Azure
resources and your internal resources.
● Store secrets backed by hardware security modules (HSMs)
These secrets and keys can be protected either by software or by FIPS 140-2 Level 2
validated HSMs.

Benefits of Key Vault:

Centralized application secrets
Securely stored secrets and keys
Access monitoring and access control
Simplified administration of application secrets
Integration with other Azure services

Azure Dedicated Host provides dedicated physical servers to host your Azure VMs for Windows
and Linux. A dedicated host is mapped to a physical server in an Azure datacenter. A host group
is a collection of dedicated hosts.

For high availability, you can provision multiple hosts in a host group, and deploy your VMs
across this group. VMs on dedicated hosts can also take advantage of maintenance control.
This feature enables you to control when regular maintenance updates occur, within a 35-day
rolling window.

Layers of security
Physical security → IAM → Perimeter → Network → Compute → Application → Data

● The physical security layer is the first line of defense to protect computing hardware in
the datacenter.
● The identity and access layer controls access to infrastructure and change control.
● The perimeter layer uses distributed denial of service (DDoS) protection to filter large-
scale attacks before they can cause a denial of service for users.
● The network layer limits communication between resources through segmentation and
access controls.
● The compute layer secures access to virtual machines.
● The application layer helps ensure that applications are secure and free of security
vulnerabilities.
● The data layer controls access to business and customer data that you need to protect.

Security posture
Your security posture is your organization's ability to protect from and respond to security
threats. The common principles used to define a security posture are confidentiality, integrity,
and availability, known collectively as CIA.
● Confidentiality
The principle of least privilege means restricting access to information only to individuals
explicitly granted access, at only the level that they need to perform their work. This
information includes protection of user passwords, email content, and access levels to
applications and underlying infrastructure.
● Integrity
Prevent unauthorized changes to information:
○ At rest: when it's stored.
○ In transit: when it's being transferred from one place to another, including from a
local computer to the cloud.
A common approach used in data transmission is for the sender to create a unique
fingerprint of the data by using a one-way hashing algorithm. The hash is sent to the
receiver along with the data. The receiver recalculates the data's hash and compares it
to the original to ensure that the data wasn't lost or modified in transit.
● Availability
Ensure that services are functioning and can be accessed only by authorized users.
Denial-of-service attacks are designed to degrade the availability of a system, affecting
its users.
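The integrity check described under the CIA principles (sender hashes the data, receiver recomputes and compares), as an added example that is not part of the notes. The message bytes and the "corrupted in transit" copy are constructed. The plain one-way hash detects accidental loss or modification; the example also shows the keyed variant (HMAC) that a practitioner reaches for when the fingerprint must hold up against deliberate modification, since a keyed fingerprint can only be produced by a holder of the shared secret. The key is generated inside the example purely to keep it self-contained.

```python
import hashlib
import hmac
import secrets


def fingerprint(data: bytes) -> str:
    """Sender side: one-way hash of the data, transmitted alongside it."""
    return hashlib.sha256(data).hexdigest()


def verify_fingerprint(data: bytes, received_fingerprint: str) -> bool:
    """Receiver side: recompute the hash and compare it with the one that arrived.
    A mismatch means the data was lost or modified in transit. compare_digest avoids
    leaking where the comparison failed through timing."""
    return hmac.compare_digest(fingerprint(data), received_fingerprint)


def keyed_fingerprint(key: bytes, data: bytes) -> str:
    """Same idea with a shared secret mixed in (HMAC-SHA256). Without the key nobody can
    produce a fingerprint that verifies, so this also covers deliberate modification."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed_fingerprint(key: bytes, data: bytes, received_fingerprint: str) -> bool:
    return hmac.compare_digest(keyed_fingerprint(key, data), received_fingerprint)


def transit_checks() -> dict:
    """Walk a constructed transfer through both checks and report what the receiver accepts."""
    key = secrets.token_bytes(32)  # shared secret; generated here only for the demo
    sent = b"order 1042: ship 10 units to warehouse B"
    corrupted = b"order 1042: ship 70 units to warehouse B"  # one byte changed in transit
    plain_tag = fingerprint(sent)
    keyed_tag = keyed_fingerprint(key, sent)
    return {
        "plain_accepts_intact": verify_fingerprint(sent, plain_tag),
        "plain_rejects_corrupted": not verify_fingerprint(corrupted, plain_tag),
        "keyed_accepts_intact": verify_keyed_fingerprint(key, sent, keyed_tag),
        "keyed_rejects_corrupted": not verify_keyed_fingerprint(key, corrupted, keyed_tag),
        "keyed_rejects_wrong_key": not verify_keyed_fingerprint(secrets.token_bytes(32), sent, keyed_tag),
    }


if __name__ == "__main__":
    for check, ok in transit_checks().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The plain hash is the right tool for the "lost or modified in transit" case the notes describe (checksums on downloads, storage corruption); when the channel itself may be hostile, the fingerprint needs a key or a signature, which is what TLS and signed artifacts provide.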

Azure Firewall
A firewall is a network security device that monitors incoming and outgoing network traffic and
decides whether to allow or block specific traffic based on a defined set of security rules. You
can create firewall rules that specify ranges of IP addresses. Only clients granted IP addresses
from within those ranges are allowed to access the destination server. Firewall rules can also
include specific network protocol and port information.

Azure Firewall is a managed, cloud-based network security service that helps protect resources
in your Azure virtual networks.

Azure Firewall provides a central location to create, enforce, and log application and network
connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static
(unchanging) public IP address for your virtual network resources, which enables outside
firewalls to identify traffic coming from your virtual network. The service is integrated with Azure
Monitor to enable logging and analytics.
Azure Application Gateway also provides a firewall that's called the web application firewall
(WAF). WAF provides centralized, inbound protection for your web applications against
common exploits and vulnerabilities. Azure Front Door and Azure Content Delivery Network
also provide WAF services.

DDoS

DDoS Protection provides these service tiers:


● Basic
The Basic service tier is automatically enabled for free as part of your Azure
subscription.
Always-on traffic monitoring and real-time mitigation of common network-level attacks
provide the same defenses that Microsoft's online services use. The Basic service tier
ensures that Azure infrastructure itself is not affected during a large-scale DDoS attack.
The Azure global network is used to distribute and mitigate attack traffic across Azure
regions.
● Standard
The Standard service tier provides additional mitigation capabilities that are tuned
specifically to Azure Virtual Network resources. DDoS Protection Standard is relatively
easy to enable and requires no changes to your applications.
The Standard tier provides always-on traffic monitoring and real-time mitigation of
common network-level attacks. It provides the same defenses that Microsoft's online
services use.
Protection policies are tuned through dedicated traffic monitoring and machine learning
algorithms. Policies are applied to public IP addresses, which are associated with
resources deployed in virtual networks such as Azure Load Balancer and Application
Gateway.
The Azure global network is used to distribute and mitigate attack traffic across Azure
regions.

The Standard service tier can help prevent:


● Volumetric attacks
The goal of this attack is to flood the network layer with a substantial amount of
seemingly legitimate traffic.
● Protocol attacks
These attacks render a target inaccessible by exploiting a weakness in the layer 3 and
layer 4 protocol stack.
● Resource-layer (application-layer) attacks (only with web application firewall)
These attacks target web application packets to disrupt the transmission of data
between hosts. You need a web application firewall (WAF) to protect against L7 attacks.
DDoS Protection Standard protects the WAF from volumetric and protocol attacks.
Network security groups (NSG)
A network security group enables you to filter network traffic to and from Azure resources within
an Azure virtual network. You can think of NSGs like an internal firewall. An NSG can contain
multiple inbound and outbound security rules that enable you to filter traffic to and from
resources by source and destination IP address, port, and protocol.
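The rule matching described for firewalls above (ranges of IP addresses, protocol and port) and for NSGs here, as an added example that is not part of the notes and is not Azure's own implementation. It evaluates inbound rules the way Azure does, lowest priority number first with the first match deciding, and includes stand-ins for two of Azure's built-in default inbound rules so that traffic no custom rule mentions is denied. Assumptions: the custom rules, the flows and the VNet address space 10.0.0.0/16 are constructed, and the real `VirtualNetwork` service tag is approximated by that prefix.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int     # custom rules use 100-4096; lower numbers are evaluated first
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR prefix or "*"
    dest_port: str    # single port "443", range "1000-2000" or "*"


def _source_matches(prefix: str, address: str) -> bool:
    if prefix == "*":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(prefix, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


# Stand-ins for Azure's built-in inbound default rules. Real NSGs use the VirtualNetwork
# service tag; this constructed example assumes the VNet address space is 10.0.0.0/16.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Allow", "*", "10.0.0.0/16", "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Constructed custom rules for a web VM that accepts HTTPS from anywhere but SSH only
# from an admin network. The explicit deny at 300 documents the intent; the default
# DenyAllInBound would drop the traffic anyway.
CUSTOM_INBOUND = [
    NsgRule("AllowHttpsIn", 100, "Allow", "Tcp", "*", "443"),
    NsgRule("AllowSshFromAdminNet", 200, "Allow", "Tcp", "192.168.10.0/24", "22"),
    NsgRule("DenySshFromAnywhere", 300, "Deny", "Tcp", "*", "22"),
]


def evaluate_inbound(rules, source_ip: str, protocol: str, dest_port: int):
    """Return (access, rule name) for a flow. Rules are checked in priority order and the
    first match decides, so a rule with a higher number never overrides an earlier match."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol != protocol:
            continue
        if not _source_matches(rule.source, source_ip):
            continue
        if not _port_matches(rule.dest_port, dest_port):
            continue
        return rule.access, rule.name
    return "Deny", "(no rule matched)"  # unreachable while DenyAllInBound is present


def sample_decisions() -> dict:
    """Decisions for a handful of constructed flows, keyed by (source ip, protocol, port)."""
    rules = CUSTOM_INBOUND + DEFAULT_INBOUND
    flows = [
        ("203.0.113.5", "Tcp", 443),   # public client, HTTPS
        ("192.168.10.7", "Tcp", 22),   # admin network, SSH
        ("203.0.113.5", "Tcp", 22),    # public client, SSH
        ("203.0.113.5", "Udp", 443),   # wrong protocol for the HTTPS rule
        ("203.0.113.5", "Tcp", 3389),  # public client, RDP: no custom rule at all
        ("10.0.5.5", "Tcp", 3389),     # another VM in the VNet, RDP
    ]
    return {f: evaluate_inbound(rules, *f) for f in flows}


if __name__ == "__main__":
    for flow, (access, rule) in sample_decisions().items():
        print(f"{flow[0]:>14} {flow[1]:<4} {flow[2]:>5} -> {access:<5} by {rule}")
```

Two things the sample flows make visible: the RDP flow from the public address is denied only because `DenyAllInBound` exists at priority 65500, and the same port from inside the VNet is allowed by `AllowVnetInBound`, so reviewing an NSG means reading the default rules as well as the custom ones. Real NSG rules also match destination prefixes, source ports and service tags, include a third default rule for the Azure load balancer, and are stateful (the reply to an allowed flow is not re-evaluated); those are omitted here.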
