| Section | Status |
|---|---|
| Cloud Models and Cloud Types | Complete |
| Core Azure Architectural Compenants | Complete |
| Core resources available in Azure | Complete |
| Azure Core Solutions | Incomplete |
| Azure Management Tools | Incomplete |
| Azure Security Features | Complete |
| Azure Network Security | Complete |
| Azure Identity Services | Incomplete |
| Azure Governance Features | Incomplete |
| Policy and Compliance Features | Incomplete |
| Managing Azure Costs | Complete |
| Azure Service Level Agreements (SLAs) | Complete |
-
Infrastructure-as-a-service
This is usually when you have access to VMs and complete control over them, load balancers / virtual machines / gateways.
-
Platform-as-a-service
Uploading code that a cloud provider will run for you, no access to the underlying operating system/hardware
-
Software-as-a-service
Typically you run these services in your browser, such as Office365/Dropbox/Googledocs
The shared responsibility model will be demonstrate whether the cloud provider or the customer will have ownership/responsibility.
Software-as-a-service for example, the customer will be responsibile for the data and accounts, however the physical datacenter security will be down to the cloud provider.
With the serviceless model you don't have to select a plan such as Premium/Basic, this is since the Cloudprovider will autoscale for you. Platform-as-a-service however will require the user to select which level of compute they require, and scaling will be down to the user.
Serverless model could also result in completely free bills, this is since you're only paying for the compute used, therefore if no one was to browse your web app hosted via serverless, then the usage would be zero. The flip side to this is that you could recieve an unexpected bill should large amounts of compute be consumed due to autoscaling.
-
Public Cloud
This is the most commonly used type of cloud, as a customer you would rent hardware and compute from a company such as Microsoft. You have no real control as to who else is using hardware within the data center etc.
-
Private Cloud
This is when an organisation such as a Government wants complete control of the underlying hardware and owns physical infrastructure. They may use already owned devices or go and rent physical machines from a provider such as IBM in their own datacenter. This has the same functionality as a public cloud such as setting up virtual machines and virtual networking.
-
Hybrid Model
Combination of Public and Private cloud, this could be extending your private cloud into the public. An example may be extending a database from the private to public cloud for more compute.
- Cloud computing allows you to use Operational Expenditure rather than upfront Capital Expenditure.
- 99.99% uptime is roughly a maximum of 4 minutes downtime.
Over 60 Regions now in Azure, these are geographical areas where datacenters sit. Not all are available to all customers, such as some specified just for Government.
-
Paired Regions
- Every region hhas another region trusted as a pair
- The data link between each pair is the highest possible
- Software updates only happen on one region of the pair at a time for stability
- If multiple regions go down, one of the pair is treated a priority
- Data in one region is mirrored in the other.
-
Example Pairs
- Canada (Canada Central - Canada East)
- Europe (North Europe - West Europe)
- Regions are broken down into availability zones.
- An availability zone is a physically seperate datacenters, so own power/cooling/networking.
- The more availability zones, the less likely you will experience an outage should there be a problem with a data center.
- Resource groups are used to break up your Azure services by small subsets such as a project. Under a resource group you may have some virtual machines and databases, or many more depending on the needs of the project.
- A subscription is a billing unit - i.e. where to be charged.
- Different departments can use seperate subscriptions so that each department only pays for the service they use. This makes it easier to track costs.
- Every single resource in Azure must be aligned to a subscription.
- Management groups allow you to create a top down governance, so that subscriptions below a management group have the rules applied. You can also nest management groups so that rules can be applied to multiple groups more granularly.
6 Different types of resources
- Compute (Apps/VMs etc)
- Networking (Way in which apps can communicated with each other)
- Storage (How you can store data in the cloud)
- Database (Tables/Columns etc)
- Azure Marketplace (Where you find services, some not made by Microsoft)
Virtual Machines / App Services / Azure Container Instances / Azure Kubernetes Service / Windows Virtual Desktop
-
Virtual Machine (Infrastructure-as-a-service)
- Take an existing machine from your environment and put it in the cloud
- Windows / Linux etc (Depends on what the cloud provider gives you the choice of)
- A portion of a physical machine
- Full control over the operating system as if you physically at the machine
- Ability to choose horsepower (CPU/RAM/Disk Size/IOPs/etc)
-
App Services (Platform-as-a-service)
- Package your code and Azure will execute in the cloud
- Promise of performance but not ability to access underlying hardware
-
Container Instances
- Containers contain everything the app needs to run
- Fastest and easiest way to deploy
- Azure Container Instance - ACI Single instance
- Azure Kubernetes Service - AKS runs on a cluster of servers
-
Windows Virtual Desktop
- Desktop version of Windows that runs in the cloud
- You can access your apps from anyway with internet
- Runs on Azure
Connectivity Services / Protection Services / Delivery Services / Monitoring Services
-
Connectivity
- Virtual Network is emulating a physical network
- VPN connects two networks as if they were on the same networking using a gateway
- ExpressRoute is a high-speed private connection to Azure (Requires a physical piece of hardware)
-
Protection Services
- DDoS Protectiion
- Azure Firewall
- Network Security Group (ACL Based, Same as AWS Security Groups)
- Private Link
-
General Purpose Storage
-
Container Storage
-
Tables
-
Queues
-
File Storage
-
Settings
- Access Tiers (Hot,Cool,Archive) - Hot is default, cool is less to store but more for read and writes. Archive is the cheapest but most expensive when you read/write.
- Performance ties (Standard / Premium) - Pay extra for faster read/write
- Location - Some regions are more expensive, however you may wish to pay more for less latency if closer to the file geographically
- Redundancy - Azure by default replicates each file 3 times, can increase to globally redunant which will be 6 copies
- Failover - Can replicate to multiple regions in case of region fallover.
-
-
Disk Storage
- Pay for reservation of disk
- Costs the same regardless of how much storage you use
- Commonly used for the underlying disk of a Virtual Machine.
-
Configuration Storage Account Considerations
- Soft Delete - Files are only removed however not deleted for a period of time so that you can recover accidentally deleted files.
Cosmos DB / Azure SQL Database / Azure Database for MySQL / Azure Database for PostgreSQL / SQL Managed Instance
-
Cosmos DB (NoSQL Storage)
-
Designed to be extremely fast
-
Supports many open-source APIs and protocols
-
Great for small bits of data that need to be fast
-
Can be replicated around the world, which would be great for games
-
Azure SQL Database
- Runs on the SQL Server Engine
- Relations
- Easily scaleable
- Easy to replicate
- Easy to migrate from on prem SQL DB.
-
Azure MySQL
- Same as MySQL on prem
-
Azure Database for Postgresql
- Great for large complex setups / clusters etc
- Easy to migrate into the cloud
- Open source
-
SQL Managed Instance
- Most compatible with existing SQL Server
- Fully managed by Azure
- Always up to date
Central secure repo for your secrets, certificates and keys
-
This may be secrets for a web app so that they do not need to be stored within configuration files, also it limits who has access to these secrets.
-
The ability to generate and store encryption keys
- Centralises all log files from various resources
- Analyses the collected logs to detect threats
- Can write custom detections
- Ability to investigate incidents
- Build custom runbooks to fix any issues
Azure allows users to reserve whole servers so that no software vulns can potentially expose multiple tennated devices.
- Data - i.e. virtual network endpoint
- Application - i.e. API Management
- Compute - i.e. Limit Remote Dekstop access, Windows Update
- Network - i.e. NSG, use of subnets, deny by default
- Perimeter -i.e. DDoS, Firewalls
- Identity & Access - i.e. Azure AD
- Physical - i.e. Door locks and key cards
- These work in the same way for a subnet as they do in AWS Security Groups
- Access Control List based rules
- The Azure Firewall will inspect data and try to find trends and identify threats
- Basic firewall will try and prevent L3/L4 DDoS Attacks
- WAF with the basic firewall
- Logging and Alerting is only available to the Standard package
Pay per usage (Consumption Model)
- Functions
- Logic Apps
- Storage
- Outbound Bandwidth
- Cognitive API
Pay for time (per second)
- Billing starts the second a virtual machine starts, and stops the second it stops
- You will still be paying for any used storage
- Discounts for 1 year or 3 year commitments (Reserved Instance)
Per per bandwidth
- First 5Gb outbound free
- All inbound traffic is free
- Azure Advisor Cost Tab will make suggestions as to how you can reduce your costs
- Auto shutdown any resources when not in use (time or activity)
- Utilise cool/archive storage where possible
- Reserved instances will be at a reduced rate, however you're paying regardless if its off or on.
- Configure billing alerts when billing exceed an expected level
- Implement policy to restrict certain expensive resources
- Autoscaling resources both up and down to run the same workloads on the required hardware
- Ensure every resource has an owner in tags
Spot pricing
- Ability to use a virtual machine when nobody is using it for a discounted price at much lower costs
- It's impossible to calculate an exact estimate amount
- Configurable options (Region/Tier/Subscription Type/Support Opetions/Dev-Test pricing
- You can save and export the Azure estimate for collaberotive input
- Total Cost of Ownership (
-
2 or more Virtual Machines across 2 or more availability zones within the same Region, Microsoft promises a 99.99% uptime.
-
2 or more Virtual Machines deployed within the same availability set or in the same dedicated host group, guarented connectivity to at least one of them 99.95% of the time.
-
Any single Virtual Machine using Premium SSD or Ultra Disk, guarenteed connectivity 99.9% of the time
-
Any single virtual machine with Standard SSD, guarenteed connectivity 99.5% of the time
-
Any Sinle virtual machine using Standard HDD, guarenteed connectivity 95% of the time
-
Load balanced endpoint using Azure Standard Load Balancer serving 2 or more health virtual machines will be available 99.99% of the time
-
Basic load balancer is not included in the SLA for refunds
-
Previews are not included within the SLAs
-
Public preview available to everyone
-
Private preview requires registration
-
GA - Generally Available
AZ = Availability Zone
- Fault Domains = Different physical hardware to prevent outage due to a single server being down
- Update Domains = Different groups so they arent all effected by updates at once