Recently i obtained the AZ-900: Microsoft Azure Fundamentals Certification. In this blog post i will be writing in brief about my learning on the topic.
Azure Architectural Components
First and foremost thing is let us learn the organizing structure for resources. The top-down hierarchy of organization has four levels for organizing Azure resources, namely the management groups, subscriptions, resource groups, and resources.
- Resources: Resources are instances of services that you create, like virtual machines, storage, or SQL databases.
- Resource groups: Grouping of resources like VMs, WebApps, DB of a business group or a department or an application to manage them effectively. Every Azure resource that you create must have a Resource group associated with it. This will be helpful in metering and billing, applying policies, monitoring, assigning quotas, granting access control permissions etc.
- Subscriptions: A subscription, groups together user accounts and the resources that have been created by those user accounts. For each subscription, there are limits or quotas on the amount of resources that you can create and use. Organizations can use subscriptions to manage costs and the resources that are created by users, teams, or projects.
- Management groups: These groups help you manage access, policy, and compliance for multiple subscriptions. All subscriptions in a management group automatically inherit the conditions applied to the management group. For example, you can limit VM creation in a particular region by applying policies to the management groups in the region.
Resource Manager being the management layer is responsible for the deployment and management of services, whether they are deployed through the Azure Portal/CLI/Power shell/Client SDK. The management layer enables you to create, update, and delete resources in your Azure account. Features like access control, locks, and tags to secure and organize your resources after deployment is also supported.
Azure Regions, Availability Zones and Availability Sets
A region is a geographical area on the planet that contains at least one but potentially multiple datacenters that are nearby and networked together with a low-latency network. The number of current Azure regions across the globe is 42 and 12 more are planned, which is more than any other major cloud provider.
Azure has specialized regions that you might want to use when you build out your applications for compliance or legal purposes. A few examples are, US DoD Central, US Gov Virginia, US Gov Iowa, China East and North, Germany Central and North-east, etc.
Availability zones are physically separate datacenters within an Azure region. Each availability zone is made up of one or more datacenters equipped with independent power, cooling, and networking. An availability zone is set up to be an isolation boundary. If one zone goes down, the other continues working providing high availability. Availability zones are connected through high-speed, private fiber-optic networks.
There is a minimum of three availability zones in a single region. It’s possible that a large disaster could cause an outage big enough to affect even two datacenters. That’s why Azure also creates region pairs. Each Azure region is always paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away. This approach allows for the replication of resources across a geography that might be helpful during a huge disaster.
If you want to run a VM based workload in a single Azure Region, then the way you achieve improved availability is to use an Availability Set. An Availability Set allows you to take a Virtual Machine (VM) and improve it’s availability by configuring multiple copies of the VM to be deployed as a group which ensures that the Azure management plane will place the VMs such that the hosted workload/s (Ex: a VM based App) are resilient across Azure updates and faults. When you create a VM and define an Availability Set, the Azure management plane will ensure that each VM instance is deployed to different Fault and Update Domains thus promoting high availability.
Core Azure Services
The most commonly used services of Azure include compute, network, storage, and database. Other services are Web, IoT, Big Data and analysis, AI, DevOps etc.
Once you login to Azure portal, you will be directed to home screen as follows. The home screen shows a list of resources that is part of various services. If you want to view the resources by service name, click on the “Create a resource” that will take you to the below screen. Here you can click on any service name at the left to view all the resources under it. In order to create a resource you need to click on any resource icon in the list. One more method to create a resource is to click on the resource icon directly in the upper screen and enter the necessary information.
Azure Compute Services
Azure compute is an on-demand computing service for running cloud-based applications. It provides computing resources such as disks, processors, memory, networking, and operating systems. You pay only for the resources you use, and only for as long as you’re using them. A few of the prominent compute services are follows.
- Azure Virtual Machines
Virtual machines are software emulations of physical computers. They include a virtual processor, memory, storage, and networking resources. VMs host an operating system, and you can install and run software just like a physical computer. With Azure, you can create and use VMs in the cloud. When you need total control over an operating system and environment, VMs are an ideal choice.
- Azure Container Instances
Containers are becoming the preferred way to package, deploy, and manage cloud applications. Containers offer significant startup benefits over virtual machines (VMs). Azure Container Instances can start containers in Azure in seconds, without the need to provision and manage VMs. Azure Container Instances is a great solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs. For complex scenarios, Azure Kubernetes Service is the solution.
- Azure Function App (or serverless computing)
This is ideal when you’re concerned only about the code running your service and not the underlying platform or infrastructure. They’re commonly used when you need to perform work in response to an event, timer, or message from another Azure service, and when that work can be completed quickly, within seconds or less. The cloud provider manages the underlying infrastructure. One other example of serverless computing is Azure Logic App.
Azure Storage Services
Core storage services offer a massively scalable object store for data objects, disk storage for Azure virtual machines (VMs), a file system service for the cloud, a messaging store for reliable messaging, and a NoSQL store.
- Azure Blob
It is an object storage solution for the cloud. It can store massive amounts of data, such as text or binary data. Azure Blob Storage is unstructured, meaning that there are no restrictions on the kinds of data it can hold. It is highly scalable and powerful.
- Azure Disks
It provides disks for Azure virtual machines. Applications and other services can access and use these disks as needed, similar to how they would in on-premises scenarios. Disk Storage allows data to be persistently stored and accessed from an attached virtual hard disk.
- Azure Files
It offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) and Network File System (preview) protocols. These are managed file shares for cloud or on-premises deployments. Applications running in Azure virtual machine/s or cloud services can mount a file storage share to access file data, just as a desktop application would mount a typical SMB share.
- Azure Queues
A messaging store for reliable messaging between application components. It is used to store and retrieve messages. Queue messages can be up to 64 KB in size, and a queue can contain millions of messages. Queues are generally used to store lists of messages to be processed asynchronously.
- Azure Tables
It is a service that stores non-relational structured data (also known as structured NoSQL data) in the cloud, providing a key/attribute store with a schemaless design. Because table storage is schemaless, it’s easy to adapt your data as the needs of your application evolve. On the Azure Portal, the NoSql table can be created but data can be pumped in only through powershell / REST API etc
- Azure Archive Storage
It provides a storage facility for data that is rarely accessed. Azure Archive Storage offers low-cost, durable, and highly available secure cloud storage for rarely accessed data with flexible latency requirements.
Azure Networking Services
Azure Networking services provide several capabilities to connect and manage your cloud resources securely. Azure networking by virtue of its various networking capabilities offers customers and users a delightful experience by patching cloud and/or on-premises infrastructure and services. A few of the core networking resources in Azure are as follows.
- Azure Virtual Network (VNet)
VNet enables Azure resources, such as VMs, web apps, and databases, to communicate with each other, with users on the internet, and with your on-premises client computers. VNet is similar to a traditional network that you’d operate in your own data center, but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation.
- Azure Virtual Private Network (VPN) Gateway
A VPN is a type of private interconnected network, deployed to connect two or more trusted private networks to one another over an untrusted network ,i.e, the public internet. A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between Azure virtual networks or between an Azure virtual network and an on-premises location over the public Internet.
- Azure Load Balancer
An Azure load balancer is a Layer-4 (TCP, UDP) load balancer that provides high availability by distributing incoming traffic among healthy VMs. A load balancer health probe monitors a given port on each VM and only distributes traffic to an operational VM. You define a front-end IP configuration that contains one or more public IP addresses. This allows your load balancer and applications to be accessible over the internet. Virtual machines connect to a load balancer using their virtual network interface card (NIC).
- Azure Application Gateway
Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at the OSI layer 4 and route traffic based on source IP address and port, to a destination IP address and port. However, Application gateway operates at the OSI layer 7 or application layer. Application Gateway can make routing decisions based on additional attributes of an HTTP request ,i.e, URL-based routing and more.
- Azure Traffic Manager
It is a DNS-based traffic load balancer. This service allows you to distribute traffic to your public facing applications across the global Azure regions. Traffic Manager also provides your public endpoints with high availability and quick responsiveness. Traffic Manager provides a range of traffic-routing methods and endpoint monitoring options to suit different application needs and automatic failover models. Traffic Manager is resilient to failure, including the failure of an entire Azure region.
- Azure Content Delivery Networks (CDNs)
A CDN can significantly speed up the delivery of assets on a web site. It is a network of web servers that cache website content in different geographical locations. It helps to minimize latency by caching website content at point-of-presence (POP) locations that are close to large clusters of users.
Azure Database Services
Azure offers a choice of fully managed relational, NoSQL, and in-memory databases, spanning proprietary and open-source engines, to fit the needs of modern app developers. Infrastructure management—including scalability, availability, and security—is automated, saving you time and money. You can find a list of the most used database services as follows.
- Azure Cosmos DB
Azure Cosmos DB is a globally distributed, multi-model database service. You can elastically and independently scale throughput and storage across any number of Azure regions worldwide. Cosmos DB supports schema-less data, which lets you build highly responsive and “Always On” applications to support constantly changing data. You can use this feature to store data that’s updated and maintained by users around the world. Cosmos DB provides comprehensive service level agreements for throughput, latency, availability, and consistency guarantees.
- Azure SQL Database
Azure SQL Database being a relational DB is a platform as a service (PaaS) database engine. It handles most of the database management functions, such as upgrading, patching, backups, and monitoring, without user involvement. SQL Database provides 99.99 percent availability. You can use it to build data-driven applications and websites in the programming language of your choice, without needing to manage infrastructure.
- Azure SQL Managed Instance
Azure SQL Managed Instance is a scalable cloud data service that provides the broadest SQL Server database engine compatibility with all the benefits of a fully managed platform as a service. Azure SQL Managed Instance is designed for customers looking to migrate a large number of apps from an on-premises or IaaS, self-built environment to a fully managed PaaS cloud environment, with as low a migration effort as possible. Azure SQL Database and Azure SQL Managed Instance offer many of the same features; however, Azure SQL Managed Instance provides several options that might not be available to Azure SQL Database.
- Azure DB for MySQL
Azure Database for MySQL is a relational database service in the cloud, and it’s based on the MySQL Community Edition database engine, ver 5.6, 5.7, and 8.0. With it, you have a 99.99 percent availability service level agreement from Azure, powered by a global network of Microsoft-managed datacenters. With every Azure Database for MySQL server, you take advantage of built-in security, fault tolerance, HA, point in time restore and data protection that you would otherwise have to buy or design, build, and manage.
- Azure DB for PostgreSQL
It is a relational database service in the cloud. The server software is based on the community version of the open-source PostgreSQL database engine. Your familiarity with tools and expertise with PostgreSQL is applicable when you’re using Azure Database for PostgreSQL. Every Azure Database for PostgreSQL has benefits like HA, scale up or down as needed withing seconds, adjustable automatic backups and point in time restore, enterprise grade security and compliance.
Before closing this section on core services, it is worth mentioning about the big data and analysis services. Microsoft Azure supports a broad range of technologies and services to provide big data and analytic solutions, including Azure Synapse Analytics, Azure HDInsight, Azure Databricks, and Azure Data Lake Analytics.
General Security and Network Security Features
Many services on Azure include built in security features. However, tools on Azure like Azure Security Center, Azure Sentinel, Azure Key Vault ensure that all the systems of an organization meets a minimum level of security and that its information is protected against attacks.
- Azure Security Center
Azure Security Center is a monitoring service that provides visibility of your security posture across all of your services, both on Azure and on-premises. Azure Security Center addresses the most urgent security challenges of rapidly changing workloads and increasingly sophisticated attacks. Azure security center assess your environment and enables you to understand the status of your resources, and whether they are secure. It assess your workloads and raises threat prevention recommendation and security alerts. Lastly, since security center is natively integrated, provides auto provisioning and protection with Azure services.
- Azure Sentinel
Security management on a large scale can benefit from a dedicated security information and event management (SIEM) system that aggregates security data from many different sources. Azure Sentinel is Microsoft’s cloud-based SIEM system. It uses intelligent security analytics and threat analysis. Azure Sentinel enables you to collect data across all users, devices, applications, infrastructure, both on-prem and from multiple clouds. Other features include, investigation of threats with AI, respond to incidents rapidly through automation of common tasks.
- Azure Key Vault
Azure Key Vault is a centralized cloud service for storing an application’s secrets in a single, central location. It provides secure access to sensitive information by providing access control and logging capabilities. You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets. Key Vault makes it easier to create and control the encryption keys, provision and manage SSL/TLS certificates.
Network Security Features
Azure uses defense in depth is to protect information and prevent it from being stolen by those who aren’t authorized to access it. You can visualize defense in depth as a set of layers, with the data to be secured at the center. Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure. It slows down an attack and provides alert telemetry that security teams can act upon, either automatically or manually. Azure provides security tools and features at every level of the defense-in-depth concept. Some of the tools/features are as follows.
- Azure Firewall
It is a managed, cloud-based network security service that helps protect resources in your Azure virtual networks. It analyzes the complete context of a network connection, not just an individual packet of network traffic. Azure Firewall features high availability and unrestricted cloud scalability.
- Azure Distribute Denial of Service (DDoS) Protection
It helps protect your Azure resources from DDoS attacks. DDoS Protection identifies the attacker’s attempt to overwhelm the network and blocks further traffic from them, ensuring that traffic never reaches Azure resources. Legitimate traffic from customers still flows into Azure without any interruption of service. DDoS protection provides these two service tiers, namely, Basic service tier and Standard service tier. The basic tier is automatically enabled for free as part of your Azure subscription. It ensures that Azure infrastructure itself is not affected during a large-scale DDoS attack. The Standard service tier provides additional mitigation capabilities. Here, protection policies are tuned through dedicated traffic monitoring and machine learning algorithms.
- Network Security Groups (NSG)
Azure Firewall and Azure DDoS Protection can help control what traffic can come from outside sources, while NSGs help protect its internal networks on Azure. A network security group enables you to filter network traffic to and from Azure resources within an Azure virtual network. You can think of NSGs like an internal firewall. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.
Identity, Governance and Compliance Features
With the rise of remote work, bring your own device (BYOD), mobile applications, and cloud applications, the primary security boundary has shifted from firewalls and physical access controls to identity. Understanding who is using your systems and what they have permission to do are critical to keeping your data safe from attackers. To stay organized, manage costs, and meet your compliance goals, you need a good cloud governance strategy.
- Azure Active Directory (Azure AD)
Two fundamental concepts that you need to understand when talking about identity and access are authentication (AuthN) and authorization (AuthZ). Authentication is the process of establishing the identity of a person or service that wants to access a resource. Whereas, authorization is the process of establishing what level of access an authenticated person or service has.
Microsoft introduced AD in Windows 2000 to give organizations the ability to manage multiple on-premises infrastructure components and systems by using a single identity per user. Azure AD is Microsoft’s cloud-based identity and access management service. With Azure AD, you control the identity accounts, but Microsoft ensures that the service is available globally. When you connect Active Directory with Azure AD, Microsoft can help protect you by detecting suspicious sign-in attempts at no extra cost. Azure AD provides secure authentication by the processes, Multi-Factor Authentication and Conditional Access.
- Create and manage subscriptions
Teams often start their Azure governance strategy at the subscription level. There are three main aspects to consider when you create and manage subscriptions: billing, access control, and subscription limits. You can create one billing report per subscription. If you have multiple departments and need to do a “chargeback” of cloud costs, one possible solution is to organize subscriptions by department or by project. Resource tags can also help in this respect. You can find more about tags in the subsequent section.
A subscription is a deployment boundary for Azure resources. Every subscription is associated with an Azure AD tenant that provides administrators the ability to set granular access through defined roles by using Azure role-based access control. Subscriptions also have some resource limitations. If you hit a hard limit maximum, there’s no flexibility to increase it. If you’ll need to exceed the limits, you might need to add more subscriptions. Management groups are also available to assist with managing subscriptions.
A resource lock prevents resources from being accidentally deleted or changed. Think of a resource lock as a warning system that reminds you that a resource should not be deleted or changed. You can manage resource locks from the Azure portal, PowerShell, the Azure CLI, or from an Azure Resource Manager template.
As your cloud usage grows, it’s increasingly important to stay organized. A good organization strategy helps you understand your cloud usage and can help you manage costs. You can organize resources by subscriptions or resource groups. Resource tags are another way to organize resources. Tags provide extra information, or metadata, about your resources that are helpful for resource management, Security, Cost management and optimization etc.
- Azure Policy
Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. Azure Policy enables you to define both individual policies and groups of related policies. Azure Policy evaluates your resources and highlights resources that aren’t compliant with the policies you’ve created. Azure Policy can also prevent non-compliant resources from being created. You can apply tags to a resource group, but those tags aren’t automatically applied to the resources within that resource group, unless you create Azure Policy to ensure that a resource/s inherits the same tags.
- Azure Blueprints
Instead of having to configure features like Azure Policy for each new subscription, with Azure Blueprints you can define a repeatable set of governance tools and standard Azure resources that your organization requires. Azure creates a record that associates a resource with the blueprint that defines it. This connection helps you track and audit your deployments. Azure Blueprints orchestrates the deployment of various resource templates and other artifacts like, Azure Resource manager templates, Resource groups, Role and Policy assignments.
Privacy and Compliance Features
The Microsoft Privacy Statement explains what personal data Microsoft collects, how Microsoft uses it, and for what purposes. The privacy statement covers all of Microsoft’s services, websites, apps, software, servers, and devices. This list ranges from enterprise and server products to devices that you use in your home to software that students use at school like Windows.
The Online Services Terms (OST) is a legal agreement between Microsoft and the customer. The OST details the obligations by both parties with respect to the processing and security of customer data and personal data. The OST applies specifically to Microsoft’s online services that you license through a subscription, including Azure, Dynamics 365, Office 365 etc. The Data Protection Addendum (DPA) further defines the data processing and security terms for online services.
The following link shows some of the popular compliance offerings that are available on Azure and other Microsoft services. These offerings are grouped under four categories: Global, US Government, Industry, and Regional. They show Microsoft’s commitment to compliance is comprehensive, ongoing, and independently tested and verified.
The Trust Center showcases Microsoft’s principles for maintaining data integrity in the cloud and how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services. The Trust Center is an important part of the Microsoft Trusted Cloud Initiative and provides support and resources for the legal and compliance community. The Azure compliance documentation provides you with detailed documentation about legal and regulatory standards and compliance on Azure.
Azure Government is a separate instance of the Microsoft Azure service. It addresses the security and compliance needs of US federal agencies, state and local governments, and their solution providers. Azure China 21Vianet is operated by 21Vianet. It’s a physically separated instance of cloud services located in China. Similarly, Azure Germany has a physically isolated instance of Microsoft Azure.
Azure Cost Management and SLA
Having a firm understanding of where your company is today will give you a greater sense of what cloud migration means in terms of cost. The TCO Calculator helps you estimate the cost savings of operating your solution on Azure over time, instead of in your on-premises datacenter. With the TCO Calculator, you enter the details of your on-premises workloads. Then you review the suggested industry average cost for related operational costs. These costs include electricity, network maintenance, and IT labor. Using the report, you can compare those costs with the same workloads running on Azure.
Purchase Azure Services
Azure subscription provides you with access to Azure resources, such as virtual machines, storage, and databases. The types of resources you use impact your monthly bill. Azure offers both free and paid subscription options to fit your needs and requirements.
A free trial subscription provides you with 12 months of popular free services, a credit to explore any Azure service for 30 days, and more than 25 services that are always free. Your Azure services are disabled when the trial ends or when your credit expires for paid products, unless you upgrade to a paid subscription. Paid subscription involves, a pay-as-you-go subscription that enables you to pay for what you use by attaching a credit or debit card to your account. One more paid membership offer is on your existing membership to certain Microsoft products and services that might provide you with credits for your Azure account and reduced rates on Azure services.
There are three main ways to purchase services on Azure. Through an Enterprise Agreement, larger customers, known as enterprise customers, can sign an Enterprise Agreement with Microsoft for a period of 3 years. In the Web direct method, you purchase Azure services directly from the Azure portal website and pay standard prices. The final method is through a Cloud Solution Provider (CSP), a Microsoft Partner who helps you build solutions on top of Azure. Your CSP bills you for your Azure usage at a price they determine.
Azure infrastructure is distributed globally, which enables you to deploy your services centrally or provision your services closest to where your customers use them. Different regions can have different associated prices. Because geographic regions can impact where your network traffic flows, network traffic is a cost influence to consider as well. Some inbound data transfers (data going into Azure datacenters) are free. For outbound data transfers (data leaving Azure datacenters), data transfer pricing is based on billing zones.
The Pricing calculator displays Azure products in categories with accurate cost estimate. You add the categories to your estimate and configure according to your specific requirements. You then receive a consolidated estimated price, with a detailed breakdown of the costs associated with each resource you added to your solution. You can load a saved estimate and modify it to match updated requirements.
Calculate your projected costs by using the Pricing calculator and the Total Cost of Ownership (TCO) Calculator. Ideally, you want your provisioned resources to match your actual usage. Azure Advisor identifies unused or underutilized resources and recommends unused resources that you can remove. Spending limits and Azure reservations are some of the methods to prevent accidental overrun or save on Azure services respectively. Azure Cost Management + Billing is a free service that helps you understand your Azure bill, manage your account and subscriptions, monitor and control Azure spending, and optimize resource use. You can apply tags to groups of Azure resources to organize billing data.
Service Level Agreements (SLA)
A service-level agreement is a formal agreement between a service company and the customer. Understanding the SLA for each Azure service you use helps you understand what guarantees you can expect from Microsoft and can help you establish the SLA you set with your customers.
An application SLA defines the SLA requirements for a specific application. This term typically refers to an application that you build on Azure. There are many design decisions that extend beyond just the SLA for a service, inorder to improve the availability and resiliency of the applications and services you build on Azure. Keeping the application SLA in mind, you need to design an efficient and reliable solution for the application on Azure. You’ll select the Azure products and services you need, and provision your cloud resources according to those requirements.
The process of combining SLAs helps you compute the composite SLA for a set of services. Computing the composite SLA requires that you multiply the SLA of each individual service used to build the app. In case the composite SLA doesn’t meet your requirement, the customization choices you make when you provision each workload affects that SLA like the disk type, tier etc. One more method to improve the availability of the application is to avoid having any single points of failure ,i.e, deploy one or more extra instances of the same VM across different availability zones in the same Azure region. Ensuring high availability for your application by having duplicate components across several regions, i.e, redundancy would also be an option.
Further Reading :