Az900 Notes
go pricing model. You typically pay only for the cloud services you use, which helps you:
Build, manage, and monitor everything from simple web apps to complex cloud deployments.
Create custom dashboards for an organized view of resources.
Configure accessibility options for an optimal experience.
1) Compute
2) Network
3) Storage
4) IoT
5) AI
6) Databases
7) Mobile
8) Web - helps with web apps
9) Big Data
10) DevOps
There are several advantages that a cloud environment has over a physical environment that
Tailwind Traders can use following its migration to Azure.
● High availability: Depending on the service-level agreement (SLA) that you choose, your
cloud-based apps can provide a continuous user experience with no apparent downtime,
even when things go wrong.
● Scalability: Apps in the cloud can scale vertically and horizontally:
○ Scale vertically to increase compute capacity by adding RAM or CPUs to a virtual
machine.
○ Scaling horizontally increases compute capacity by adding instances of
resources, such as adding VMs to the configuration.
● Elasticity: You can configure cloud-based apps to take advantage of autoscaling, so your
apps always have the resources they need.
● Agility: Deploy and configure cloud-based resources quickly as your app requirements
change.
● Geo-distribution: You can deploy apps and data to regional datacenters around the
globe, thereby ensuring that your customers always have the best performance in their
region.
● Disaster recovery: By taking advantage of cloud-based backup services, data
replication, and geo-distribution, you can deploy your apps with the confidence that
comes from knowing that your data is safe in the event of disaster.
Organizing structure for resources in Azure, which has four levels: management groups,
subscriptions, resource groups, and resources
Resources: Resources are instances of services that you create, like virtual machines,
storage, or SQL databases.
Resource groups: Resources are combined into resource groups, which act as a logical
container into which Azure resources like web apps, databases, and storage accounts are
deployed and managed.
Subscriptions: A subscription groups together user accounts and the resources that have
been created by those user accounts. For each subscription, there are limits or quotas on the
amount of resources that you can create and use. Organizations can use subscriptions to
manage costs and the resources that are created by users, teams, or projects.
Management groups: These groups help you manage access, policy, and compliance for
multiple subscriptions. All subscriptions in a management group automatically inherit the
conditions applied to the management group.
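The four-level hierarchy and its inheritance rule, as an added example that is not part of the notes or of any Azure tooling: a small Python model in which policies assigned at a management group are inherited by every subscription, resource group and resource beneath it. The scope names (Contoso-MG, Prod-Sub, web-rg, web-vm-01) and policy names are constructed for illustration; nested management groups are not modelled.

```python
"""Added example (not from the notes or from Azure): a model of the
four-level Azure scope hierarchy showing how policies assigned at a
management group are inherited by everything beneath it."""
from dataclasses import dataclass, field
from typing import Optional

# Levels from top to bottom; a scope's parent must sit one level up.
LEVELS = ["management_group", "subscription", "resource_group", "resource"]


@dataclass
class Scope:
    name: str
    level: str
    parent: Optional["Scope"] = None
    # Policies (or role assignments) applied directly at this scope.
    policies: set = field(default_factory=set)

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")
        if self.parent is not None:
            idx = LEVELS.index(self.level)
            if idx == 0:
                raise ValueError("nested management groups are not modelled here")
            expected = LEVELS[idx - 1]
            if self.parent.level != expected:
                raise ValueError(f"a {self.level} must sit under a {expected}")


def ancestry(scope: Scope) -> list:
    """Scope names from the scope itself up to the root management group."""
    chain = []
    while scope is not None:
        chain.append(scope.name)
        scope = scope.parent
    return chain


def effective_policies(scope: Scope) -> set:
    """Union of the policies applied at the scope and at every ancestor:
    this is the inheritance rule the notes describe."""
    effective = set()
    while scope is not None:
        effective |= scope.policies
        scope = scope.parent
    return effective


def build_sample_hierarchy() -> dict:
    """Constructed hierarchy: one management group, two subscriptions,
    one resource group and one VM."""
    mg = Scope("Contoso-MG", "management_group",
               policies={"allowed-regions", "require-mfa"})
    prod = Scope("Prod-Sub", "subscription", mg, policies={"deny-public-ip"})
    dev = Scope("Dev-Sub", "subscription", mg)
    web_rg = Scope("web-rg", "resource_group", prod, policies={"require-tags"})
    vm = Scope("web-vm-01", "resource", web_rg)
    return {s.name: s for s in (mg, prod, dev, web_rg, vm)}


if __name__ == "__main__":
    scopes = build_sample_hierarchy()
    for name in ("web-vm-01", "Dev-Sub"):
        print(name, "->", " / ".join(reversed(ancestry(scopes[name]))))
        print("  effective policies:", sorted(effective_policies(scopes[name])))
```

The point to notice is that the VM never has a policy assigned to it directly, yet four policies apply to it; conversely, Dev-Sub only carries what the management group imposes. When you audit why a deployment was blocked, walk the ancestry the same way.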
Availability zones are physically separate datacenters within an Azure region. Each availability
zone is made up of one or more datacenters equipped with independent power, cooling, and
networking. An availability zone is set up to be an isolation boundary. If one zone goes down,
the other continues working. Availability zones are connected through high-speed, private fiber-optic networks.
Availability zones are created by using one or more datacenters. There's a minimum of three
zones within a single region. It's possible that a large disaster could cause an outage big
enough to affect even two datacenters. That's why Azure also creates region pairs.
https://docs.microsoft.com/en-us/learn/modules/azure-architecture-fundamentals/resources-resource-manager
Azure subscriptions
Using Azure requires an Azure subscription. A subscription provides you with authenticated and
authorized access to Azure products and services. It also allows you to provision resources. An
Azure subscription is a logical unit of Azure services that links to an Azure account, which is an
identity in Azure Active Directory (Azure AD) or in a directory that Azure AD trusts.
An account can have one subscription or multiple subscriptions that have different billing models
and to which you apply different access-management policies. You can use Azure subscriptions
to define boundaries around Azure products, services, and resources. There are two types of
subscription boundaries that you can use:
● Billing boundary: This subscription type determines how an Azure account is billed for
using Azure. You can create multiple subscriptions for different types of billing
requirements. Azure generates separate billing reports and invoices for each
subscription so that you can organize and manage costs.
● Access control boundary: Azure applies access-management policies at the subscription
level, and you can create separate subscriptions to reflect different organizational
structures. An example is that within a business, you have different departments to
which you apply distinct Azure subscription policies. This billing model allows you to
manage and control access to the resources that users provision with specific
subscriptions.
Customize billing to meet your needs
If you have multiple subscriptions, you can organize them into invoice sections. Each invoice
section is a line item on the invoice that shows the charges incurred that month. For example,
you might need a single invoice for your organization but want to organize charges by
department, team, or project.
Depending on your needs, you can set up multiple invoices within the same billing account. To
do this, create additional billing profiles. Each billing profile has its own monthly invoice and
payment method.
The following diagram shows an overview of how billing is structured. If you've previously signed
up for Azure or if your organization has an Enterprise Agreement, your billing might be set up
differently.
Virtual Machine
Virtual machines are software emulations of physical computers. They include a virtual processor,
memory, storage, and networking resources. VMs host an operating system, and you can install
and run software just like a physical computer. When using a remote desktop client, you can
use and control the VM as if you were sitting in front of it.
Virtual machine scale sets are an Azure compute resource that you can use to deploy and manage a set of identical VMs.
With all VMs configured the same, virtual machine scale sets are designed to support true
autoscale. As demand goes up, more VM instances can be added. As demand goes down, VM
instances can be removed. The process can be manual, automated, or a combination of both.
App Service
With Azure App Service, you can quickly build, deploy, and scale enterprise-grade web, mobile,
and API apps running on any platform. You can meet rigorous performance, scalability, security,
and compliance requirements while using a fully managed platform to perform infrastructure
maintenance. App Service is a platform as a service (PaaS) offering.
An image is a template used to create a VM. These templates already include an OS and often
other software, like development tools or web hosting environments.
Virtual machine scale sets let you create and manage a group of identical, load-balanced VMs.
Imagine you're running a website that enables scientists to upload astronomy images that need
to be processed. If you duplicated the VM, you'd normally need to configure an additional
service to route requests between multiple instances of the website. Virtual machine scale sets
could do that work for you.
Scale sets allow you to centrally manage, configure, and update a large number of VMs in
minutes to provide highly available applications. The number of VM instances can automatically
increase or decrease in response to demand or a defined schedule. With virtual machine scale
sets, you can build large-scale services for areas such as compute, big data, and container
workloads.
Azure Batch enables large-scale parallel and high-performance computing (HPC) batch jobs
with the ability to scale to tens, hundreds, or thousands of VMs.
When you're ready to run a job, Batch does the following:
● Starts a pool of compute VMs for you.
● Installs applications and staging data.
● Runs jobs with as many tasks as you have.
● Identifies failures.
● Requeues work.
● Scales down the pool as work completes.
App Service enables you to build and host web apps, background jobs, mobile back-ends, and
RESTful APIs in the programming language of your choice without managing infrastructure. It
offers automatic scaling and high availability. App Service supports Windows and Linux and
enables automated deployments from GitHub, Azure DevOps, or any Git repo to support a
continuous deployment model. This platform as a service (PaaS) environment allows you to
focus on the website and API logic while Azure handles the infrastructure to run and scale your
web applications. The App Service plan determines how much hardware is devoted to your
host.
------------------------------------------------------------------------------------------------------------------------------
Pricing calculator to estimate the monthly cost of running your cloud workloads.
The TCO Calculator helps you estimate the cost savings of operating your solution on Azure
over time, instead of in your on-premises datacenter. In other words, it estimates the cost of
using Azure services instead of owning a datacenter. You do not need an Azure subscription to
use the TCO Calculator.
Server - This category includes operating systems, virtualization methods, CPU cores, and
memory (RAM).
Database - Includes database types, server hardware, and the Azure service and maximum
users/sign-ins.
Networking - Includes the amount of network bandwidth you currently consume in your on-
premises environment.
Storage - Includes storage type and capacity, which includes any backup or archive storage.
Adjust assumptions - Adjust for Software Assurance, which can save you money by reusing
those licenses on Azure.
How do I purchase Azure services?
There are three main ways to purchase services on Azure. They are:
Larger customers, known as enterprise customers, can sign an Enterprise Agreement with
Microsoft. This agreement commits them to spending a predetermined amount on Azure
services over a period of three years. The service fee is typically paid annually. As an Enterprise
Agreement customer, you'll receive the best customized pricing based on the kinds and
amounts of services you plan on using.
Here, you purchase Azure services directly from the Azure portal website and pay standard
prices. You're billed monthly, as a credit card payment or through an invoice. This purchasing
method is known as Web Direct.
A Cloud Solution Provider (CSP) is a Microsoft Partner who helps you build solutions on top of
Azure. Your CSP bills you for your Azure usage at a price they determine. They also answer
your support questions and escalate them to Microsoft, as needed.
Keep in mind that the Pricing calculator provides estimates and not actual price quotes. Actual
prices can vary depending upon the date of purchase, the payment currency you're using, and
the type of Azure customer you are.
An accurate cost estimate takes all of the preceding factors into account. Fortunately, the Azure
Pricing calculator helps you with that process.
Azure advisor
Azure Advisor identifies unused or underutilized resources and recommends unused resources
that you can remove. This information helps you configure your resources to match your actual
workload.
Apply tags to identify cost owners- Tags help you manage costs associated with the different
groups of Azure products and resources. You can apply tags to groups of Azure resources to
organize billing data.
For example, if you run several VMs for different teams, you can use tags to categorize costs by
department, such as Human Resources, Marketing, or Finance, or by environment, such as
Test or Production.
Tags make it easier to identify groups that generate the biggest Azure costs, which can help you
adjust your spending accordingly.
Other ways to minimize costs:
● Resize underutilized virtual machines
● Deallocate virtual machines during off hours
● Migrate from IaaS to PaaS services
● Choose a cost-effective operating system
● Use Azure Hybrid Benefit to repurpose software licenses on Azure
SLA-
a service-level agreement (SLA) is a formal agreement between a service company and the
customer. For Azure, this agreement defines the performance standards that Microsoft commits
to for you, the customer.
Downtime refers to the time duration that the service is unavailable.
SLA percentage | Downtime per week | Downtime per month | Downtime per year
99 | 1.68 hours | 7.2 hours | 3.65 days
99.9 | 10.1 minutes | 43.2 minutes | 8.76 hours
99.95 | 5 minutes | 21.6 minutes | 4.38 hours
99.99 | 1.01 minutes | 4.32 minutes | 52.56 minutes
99.999 | 6 seconds | 25.9 seconds | 5.26 minutes
Service credits (monthly uptime % below | service credit %):
< 99.99 | 10
< 99 | 25
< 95 | 100
Azure status provides a global view of the health of Azure services and regions. If you suspect
there's an outage, this is often a good place to start your investigation.
Azure status provides an RSS feed of changes to the health of Azure services that you can
subscribe to. You can connect this feed to communication software such as Microsoft Teams or
Slack.From the Azure status page, you can also access Azure Service Health. This provides a
personalized view of the health of the Azure services and regions that you're using, directly from
the Azure portal.
Application SLA-
An application SLA defines the SLA requirements for a specific application. This term typically
refers to an application that you build on Azure.
A workload is a distinct capability or task that's logically separated from other tasks, in terms of
business logic and data storage requirements.
To calculate the SLA for an application or database, simply multiply the SLAs of the services
you are using. Also, remember that if you have two VMs, you need to multiply the SLA twice.
That means you multiply the SLA of every instance of a service to get the final SLA.
If your application SLA does not meet the desired SLA or uptime, then:
- Use a more advanced service with a higher SLA.
- Include redundancy to increase availability. To ensure high availability, you might plan for your
application to have duplicate components across several regions, known as redundancy.
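The downtime table and the "multiply the SLAs" rule, as an added Python example that is not part of the notes: it reproduces the table's minutes-per-period figures from an SLA percentage, computes the composite SLA of services in series the way the notes describe, and goes one step beyond the notes by showing the formula for redundant copies (one minus the product of the individual failure probabilities), which is why the redundancy advice above raises availability. The 99.9 / 99.99 values in the demo are constructed inputs, not the published SLA of any particular service.

```python
"""Added example, not from the notes: downtime allowed by an SLA and the
composite SLA of an application built from several Azure services."""
from functools import reduce

MINUTES_PER_WEEK = 7 * 24 * 60      # 10,080
MINUTES_PER_MONTH = 30 * 24 * 60    # 43,200; the table assumes a 30-day month
MINUTES_PER_YEAR = 365 * 24 * 60    # 525,600


def downtime_minutes(sla_percent, period_minutes):
    """Minutes of unavailability the SLA tolerates within the period."""
    return (1 - sla_percent / 100) * period_minutes


def composite_sla_series(*slas_percent):
    """Application SLA when every listed service (and every VM instance) must
    be up: the notes' rule of multiplying the SLAs of all instances."""
    return reduce(lambda acc, s: acc * s / 100, slas_percent, 1.0) * 100


def composite_sla_redundant(*slas_percent):
    """SLA of redundant copies where any one copy being up is enough (beyond
    the notes: one minus the product of the individual failure probabilities)."""
    failure = reduce(lambda acc, s: acc * (1 - s / 100), slas_percent, 1.0)
    return (1 - failure) * 100


def meets_target(composite_percent, target_percent):
    """True when the computed application SLA reaches the required uptime."""
    return composite_percent >= target_percent


if __name__ == "__main__":
    for sla in (99, 99.9, 99.95, 99.99, 99.999):
        print(f"{sla:>7}%  week {downtime_minutes(sla, MINUTES_PER_WEEK):8.2f} min"
              f"  month {downtime_minutes(sla, MINUTES_PER_MONTH):8.2f} min"
              f"  year {downtime_minutes(sla, MINUTES_PER_YEAR):9.2f} min")
    # Constructed app: two VMs and a database, all required (series).
    series = composite_sla_series(99.9, 99.9, 99.99)
    # Same two VMs deployed redundantly, then the database in series.
    redundant = composite_sla_series(composite_sla_redundant(99.9, 99.9), 99.99)
    print(f"series: {series:.4f}%   redundant VMs: {redundant:.4f}%")
    print("meets 99.9% target:", meets_target(series, 99.9), meets_target(redundant, 99.9))
```

Note the direction of the two formulas: chaining services in series always lowers the composite SLA below the weakest component, while redundant copies raise it, so an application that misses its target with a single VM can meet it with two.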
Service Lifecycle-
The service lifecycle defines how every Azure service is released for public use
Every Azure service starts in the development phase. In this phase, the Azure team collects and
defines its requirements, and begins to build the service.
Next, the service is released to the public preview phase. After a new Azure service is validated
and tested, it's released to all customers as a production-ready service. This is known as
general availability (GA).
Some previews aren't covered by customer support. Therefore, previews are not recommended
for business-critical workloads.
--------------------------------------------------------------------------------------------------------------
In the Resource security hygiene section, Tailwind Traders can see the health of its resources
from a security perspective. Secure score is a measurement of an organization's security
posture.
Adaptive network hardening- Security Center can monitor the internet traffic
patterns of the VMs, and compare those patterns with the company's current network
security group (NSG) settings. From there, Security Center can make recommendations
about whether the NSGs should be locked down further and provide remediation steps.
Azure Sentinel-
Azure Sentinel is Microsoft's cloud-based SIEM system. It uses intelligent security analytics and
threat analysis.
Custom analytics are rules that you create to search for specific criteria within your environment.
You can preview the number of results that the query would generate (based on past log
events) and set a schedule for the query to run. You can also set an alert threshold.
The company will also use Azure Monitor Playbooks to automate responses to threats. For
example, it can set an alert that looks for malicious IP addresses that access the network and
create a workbook that does the following steps:
● Send a message to the security operations channel in Microsoft Teams or Slack to make sure
the security analysts are aware of the incident.
● Send all of the information in the alert to the senior network admin and to the security admin.
The email message has two user option buttons: Block or Ignore.
● When an admin chooses Block, the IP address is blocked in the firewall, and the user is
disabled in Azure Active Directory. When an admin chooses Ignore, the alert is closed in Azure
Sentinel, and the incident is closed in the IT ticketing system.
The playbook continues to run after it receives a response from the admins.
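The custom analytics rule and the Block/Ignore playbook described above, as an added Python simulation that is not part of the notes and is not Azure Sentinel's own query language or Logic Apps: a scheduled rule is evaluated over constructed sign-in events, the per-IP match counts stand in for the "preview results" count, an alert threshold decides what becomes an alert, and the playbook functions return the actions the notes list. The timestamps, users and IP addresses (RFC 5737 documentation ranges) are made up.

```python
"""Added example, not from the notes: an analytics rule with a threshold run
over constructed sign-in events, plus a simulated Block/Ignore playbook."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log: (timestamp, source IP, user, result)
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "203.0.113.7", "alice", "Failure"),
    ("2024-01-01T10:01:00", "203.0.113.7", "alice", "Failure"),
    ("2024-01-01T10:02:00", "198.51.100.4", "bob", "Failure"),
    ("2024-01-01T10:03:00", "203.0.113.7", "alice", "Failure"),
    ("2024-01-01T10:04:00", "203.0.113.7", "alice", "Failure"),
    ("2024-01-01T10:05:00", "198.51.100.4", "bob", "Failure"),
    ("2024-01-01T10:06:00", "203.0.113.7", "carol", "Failure"),
    ("2024-01-01T10:08:00", "203.0.113.7", "alice", "Failure"),
    ("2024-01-01T10:09:00", "192.0.2.10", "bob", "Success"),
]


def parse_events(rows):
    """Turn the raw rows into (datetime, ip, user, result) tuples."""
    return [(datetime.fromisoformat(ts), ip, user, result)
            for ts, ip, user, result in rows]


def analytics_rule(events, window_minutes=10, threshold=5, now=None):
    """Rule: `threshold` or more failed sign-ins from one source IP inside the
    look-back window. Returns the per-IP match counts (what a rule preview
    would show) and the alerts that cross the threshold."""
    now = now or max(ts for ts, *_ in events)
    start = now - timedelta(minutes=window_minutes)
    failures = Counter()
    targeted = defaultdict(set)
    for ts, ip, user, result in events:
        if result == "Failure" and start <= ts <= now:
            failures[ip] += 1
            targeted[ip].add(user)
    alerts = [{"source_ip": ip, "failed_signins": n, "users": sorted(targeted[ip])}
              for ip, n in failures.items() if n >= threshold]
    return failures, alerts


def playbook_start(alert):
    """Automated first steps: notify the SecOps channel and e-mail the admins
    with the two options. Returns the actions as strings."""
    return [f"teams_message:{alert['source_ip']} {alert['failed_signins']} failed sign-ins",
            f"email_admins:{alert['source_ip']} options=Block,Ignore"]


def playbook_on_response(alert, choice):
    """Actions taken once an admin has chosen Block or Ignore."""
    if choice == "Block":
        return ([f"firewall_block_ip:{alert['source_ip']}"]
                + [f"aad_disable_user:{u}" for u in alert["users"]])
    if choice == "Ignore":
        return ["sentinel_close_alert", "ticketing_close_incident"]
    raise ValueError(f"unknown choice {choice!r}")


if __name__ == "__main__":
    counts, alerts = analytics_rule(parse_events(SAMPLE_EVENTS))
    print("preview counts:", dict(counts))
    for alert in alerts:
        print("alert:", alert)
        print("  start:", playbook_start(alert))
        print("  Block ->", playbook_on_response(alert, "Block"))
        print("  Ignore ->", playbook_on_response(alert, "Ignore"))
```

Lowering `threshold` to 2 in the call above turns the second IP into an alert as well, which is the trade-off the preview count helps you judge before scheduling the rule: too low and analysts drown in alerts, too high and a slow attempt never fires.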
Azure Key Vault is a centralized cloud service for storing an application's secrets in a single,
central location. It provides secure access to sensitive information by providing access control
and logging capabilities.
Azure Key Vault can help you:
● Manage secrets
You can use Key Vault to securely store and tightly control access to tokens, passwords,
certificates, API keys, and other secrets.
● Manage encryption keys
You can use Key Vault as a key management solution. Key Vault makes it easier to
create and control the encryption keys that are used to encrypt your data.
● Manage SSL/TLS certificates
Key Vault enables you to provision, manage, and deploy your public and private Secure
Sockets Layer/Transport Layer Security (SSL/TLS) certificates for both your Azure
resources and your internal resources.
● Store secrets backed by hardware security modules (HSMs)
These secrets and keys can be protected either by software or by FIPS 140-2 Level 2
validated HSMs.
Benefits of key vault-
Azure Dedicated Host provides dedicated physical servers to host your Azure VMs for Windows
and Linux. A dedicated host is mapped to a physical server in an Azure datacenter. A host group
is a collection of dedicated hosts.
For high availability, you can provision multiple hosts in a host group, and deploy your VMs
across this group. VMs on dedicated hosts can also take advantage of maintenance control.
This feature enables you to control when regular maintenance updates occur, within a 35-day
rolling window.
Layers of security -
Physical security → IAM → Perimeter → Network → Compute → Application → Data
● The physical security layer is the first line of defense to protect computing hardware in
the datacenter.
● The identity and access layer controls access to infrastructure and change control.
● The perimeter layer uses distributed denial of service (DDoS) protection to filter large-
scale attacks before they can cause a denial of service for users.
● The network layer limits communication between resources through segmentation and
access controls.
● The compute layer secures access to virtual machines.
● The application layer helps ensure that applications are secure and free of security
vulnerabilities.
● The data layer controls access to business and customer data that you need to protect.
Security posture
Your security posture is your organization's ability to protect from and respond to security
threats. The common principles used to define a security posture are confidentiality, integrity,
and availability, known collectively as CIA.
● Confidentiality
The principle of least privilege means restricting access to information only to individuals
explicitly granted access, at only the level that they need to perform their work. This
information includes protection of user passwords, email content, and access levels to
applications and underlying infrastructure.
● Integrity
Prevent unauthorized changes to information:
○ At rest: when it's stored.
○ In transit: when it's being transferred from one place to another, including from a
local computer to the cloud.
● A common approach used in data transmission is for the sender to create a unique
fingerprint of the data by using a one-way hashing algorithm. The hash is sent to the
receiver along with the data. The receiver recalculates the data's hash and compares it
to the original to ensure that the data wasn't lost or modified in transit.
● Availability
Ensure that services are functioning and can be accessed only by authorized users.
Denial-of-service attacks are designed to degrade the availability of a system, affecting
its users.
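The integrity check described under the CIA principles above (sender hashes the data, receiver recomputes and compares), as an added Python example that is not part of the notes. It uses SHA-256 for the fingerprint and goes one step beyond the notes by adding a keyed HMAC variant: a plain hash detects accidental loss or corruption, but a party that alters the data can recompute the hash too, whereas a valid HMAC tag needs the shared key. The message and key are constructed for the demonstration.

```python
"""Added example, not from the notes: a hash fingerprint for data in transit,
and the keyed HMAC variant that also resists deliberate modification."""
import hashlib
import hmac

# Constructed demo key; a real key would come from a secret store such as Key Vault.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def fingerprint(data: bytes) -> str:
    """One-way hash the sender attaches to the data."""
    return hashlib.sha256(data).hexdigest()


def receiver_check(data: bytes, received_fingerprint: str) -> bool:
    """Receiver recomputes the hash and compares it (constant-time compare)."""
    return hmac.compare_digest(fingerprint(data), received_fingerprint)


def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of the key can produce a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def receiver_check_keyed(data: bytes, key: bytes, received_tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(data, key), received_tag)


def transit_demo(message: bytes, modified: bytes) -> dict:
    """Run both checks over an intact copy and a modified copy of the message."""
    fp = fingerprint(message)
    tag = keyed_tag(message, DEMO_KEY)
    return {
        "hash_intact": receiver_check(message, fp),
        "hash_modified": receiver_check(modified, fp),
        # Whoever changed the data can recompute a plain hash, so data+hash
        # alone only catches accidental corruption, not deliberate tampering:
        "hash_modified_and_recomputed": receiver_check(modified, fingerprint(modified)),
        "hmac_intact": receiver_check_keyed(message, DEMO_KEY, tag),
        "hmac_modified": receiver_check_keyed(modified, DEMO_KEY, tag),
        # Without the key, no valid tag can be produced for the modified data:
        "hmac_modified_wrong_key": receiver_check_keyed(
            modified, DEMO_KEY, keyed_tag(modified, b"some-other-key")),
    }


if __name__ == "__main__":
    # Constructed sample payload and a one-digit modification of it.
    original = b"transfer 100 to account 42"
    tampered = b"transfer 900 to account 42"
    for check, passed in transit_demo(original, tampered).items():
        print(f"{check:30s} {'pass' if passed else 'FAIL'}")
```

In practice TLS already provides this keyed integrity for data in transit; the value of the example is seeing which failure each mechanism detects. Note also the use of `hmac.compare_digest` rather than `==` for the comparison, so that the check itself does not leak timing information.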
Azure Firewall
A firewall is a network security device that monitors incoming and outgoing network traffic and
decides whether to allow or block specific traffic based on a defined set of security rules. You
can create firewall rules that specify ranges of IP addresses. Only clients granted IP addresses
from within those ranges are allowed to access the destination server. Firewall rules can also
include specific network protocol and port information.
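The rule model just described (ranges of source IP addresses, plus protocol and port, with everything else blocked), as an added Python example that is not part of the notes and not Azure Firewall's own configuration format. Rules are evaluated top to bottom and the first match wins, with an implicit deny when nothing matches; the rule names and addresses are constructed (RFC 1918 and RFC 5737 ranges).

```python
"""Added example, not from the notes: first-match evaluation of an ordered
set of firewall rules keyed on source range, protocol and port."""
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # "allow" or "deny"
    sources: Tuple[str, ...]   # CIDR ranges the rule applies to
    protocol: str              # "tcp", "udp" or "any"
    ports: Tuple[int, int]     # inclusive destination port range


# Constructed rule set, evaluated top to bottom; the first match wins.
SAMPLE_RULES = (
    Rule("block-guest-wifi", "deny", ("10.250.0.0/16",), "any", (0, 65535)),
    Rule("corp-https", "allow", ("10.0.0.0/8", "172.16.0.0/12"), "tcp", (443, 443)),
    Rule("admin-ssh", "allow", ("10.10.0.0/16",), "tcp", (22, 22)),
    Rule("partner-api", "allow", ("203.0.113.0/24",), "tcp", (8000, 8080)),
)


def rule_matches(rule, src_ip, protocol, port):
    """True when the packet's protocol, port and source fall inside the rule."""
    if rule.protocol not in ("any", protocol):
        return False
    if not rule.ports[0] <= port <= rule.ports[1]:
        return False
    return any(src_ip in ipaddress.ip_network(cidr) for cidr in rule.sources)


def evaluate(rules, src_ip, protocol, port):
    """Return (action, rule_name) for a connection attempt. Anything that no
    rule matches is denied: the default-deny posture a firewall should have."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule_matches(rule, ip, protocol, port):
            return rule.action, rule.name
    return "deny", "implicit-deny"


if __name__ == "__main__":
    # Constructed connection attempts.
    for src, proto, port in [("10.20.3.4", "tcp", 443), ("10.20.3.4", "tcp", 22),
                             ("10.10.7.7", "tcp", 22), ("10.250.1.1", "tcp", 443),
                             ("203.0.113.9", "tcp", 8080), ("198.51.100.1", "tcp", 443)]:
        print(f"{src:>14} {proto}/{port:<5} ->", *evaluate(SAMPLE_RULES, src, proto, port))
```

The guest-wifi case shows why rule order matters: 10.250.1.1 also sits inside 10.0.0.0/8, so moving the deny rule below `corp-https` would silently open HTTPS to guests. When reviewing a real rule set, check each broad allow range for narrower ranges that an earlier deny should cover.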
Azure Firewall is a managed, cloud-based network security service that helps protect resources
in your Azure virtual networks.
Azure Firewall provides a central location to create, enforce, and log application and network
connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static
(unchanging) public IP address for your virtual network resources, which enables outside
firewalls to identify traffic coming from your virtual network. The service is integrated with Azure
Monitor to enable logging and analytics.
Azure Application Gateway also provides a firewall that's called the web application firewall
(WAF). WAF provides centralized, inbound protection for your web applications against
common exploits and vulnerabilities. Azure Front Door and Azure Content Delivery Network
also provide WAF services.
DDoS