Azure Fundamentals - Condensed Prep Notes

Cloud computing provides cost-effective and scalable computing resources on demand. It eliminates the need to purchase and maintain physical hardware. The main benefits of cloud computing include lower costs, flexibility, scalability, reliability, and global accessibility. There are different types of cloud services and deployment models depending on needs and requirements.


What is cloud computing?

Cloud computing is flexible and cost-efficient, which can be beneficial to every business,
whether it's a small start-up or a large enterprise.

Containers provide a consistent, isolated execution environment for applications.
They're similar to VMs except they don't require a guest operating system.

Serverless computing lets you run application code without creating, configuring, or
maintaining a server.
Benefits of cloud computing

It's cost-effective
This consumption-based model brings with it many benefits, including:

● No upfront infrastructure costs
● No need to purchase and manage costly infrastructure that you may not use to its fullest
● The ability to pay for additional resources only when they are needed
● The ability to stop paying for resources that are no longer needed

It's scalable
Vertical scaling, also known as "scaling up", is the process of adding resources to
increase the power of an existing server. Some examples of vertical scaling are: adding
more CPUs, or adding more memory.

Horizontal scaling, also known as "scaling out", is the process of adding more
servers that function together as one unit. For example, you have more than one server
processing incoming requests.

It's elastic
Resources can be added or removed to match a spike or drop in demand.

It's current
Cloud usage eliminates the burdens of maintaining software patches, hardware setup,
upgrades, and other IT management tasks.

It's reliable
Cloud providers offer data backup, disaster recovery, and data replication services;
this is referred to as fault tolerance.

It's global

It's secure
● Physical security
● Digital security

Compliance Offerings

● Criminal Justice Information Services (CJIS)
● Cloud Security Alliance (CSA) STAR Certification
● General Data Protection Regulation (GDPR)
● EU Model Clauses
● Health Insurance Portability and Accountability Act (HIPAA)
● UK Government G-Cloud
● International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC) 27018
● Multi-Tier Cloud Security (MTCS) Singapore
● Service Organization Controls (SOC) 1, 2, and 3
● National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

Economies of scale
Economies of scale is the ability to do things more efficiently or at a lower-cost per unit
when operating at a larger scale. This cost advantage is an important benefit in cloud
computing.

Capital expenditure (CapEx) versus operational expenditure (OpEx)

Capital Expenditure (CapEx): CapEx is the spending of money on physical
infrastructure up front, for example:
● Server costs
● Storage costs
● Network costs
● Backup and archive costs
● Organization continuity and disaster recovery costs
● Datacenter infrastructure costs
● Technical personnel

Operational Expenditure (OpEx): You pay for a service or product as you use it.
● Leasing software and customized features
● Scaling charges based on usage/demand instead of fixed hardware or capacity.
● Billing at the user or organization level.

Cloud deployment models

Public cloud

Advantages

● High scalability/agility – you don't have to buy a new server in order to scale
● Pay-as-you-go pricing – you pay only for what you use, no CapEx costs
● You're not responsible for maintenance or updates of the hardware
● Minimal technical knowledge to set up and use - you can leverage the skills
and expertise of the cloud provider to ensure workloads are secure, safe,
and highly available

Disadvantages

Not all scenarios fit the public cloud. Here are some disadvantages to think about:

● There may be specific security requirements that cannot be met by using
public cloud
● There may be government policies, industry standards, or legal
requirements which public clouds cannot meet
● You don't own the hardware or services and cannot manage them as you
may want to
● Unique business requirements, such as having to maintain a legacy
application, might be hard to meet

Private cloud

Advantages

This approach has several advantages:

● You can ensure the configuration can support any scenario or legacy
application
● You have control (and responsibility) over security
● Private clouds can meet strict security, compliance, or legal requirements

Disadvantages
Some reasons teams move away from the private cloud are:
● You have some initial CapEx costs and must purchase the hardware for
startup and maintenance
● Owning the equipment limits the agility - to scale you must buy, install, and
setup new hardware
● Private clouds require IT skills and expertise that's hard to come by

Hybrid cloud

Advantages

Some advantages of a hybrid cloud are:

● You can keep any systems running and accessible that use out-of-date
hardware or an out-of-date operating system
● You have flexibility with what you run locally versus in the cloud
● You can take advantage of economies of scale from public cloud providers
for services and resources where it's cheaper, and then supplement with
your own equipment when it's not
● You can use your own equipment to meet security, compliance, or legacy
scenarios where you need to completely control the environment

Disadvantages

Some concerns you'll need to watch out for are:

● It can be more expensive than selecting one deployment model since it
involves some CapEx cost up front
● It can be more complicated to set up and manage

Types of cloud services

Cost and ownership

Upfront costs
● IaaS: There are no upfront costs. Users pay only for what they consume.
● PaaS: There are no upfront costs. Users pay only for what they consume.
● SaaS: Users have no upfront costs; they pay a subscription, typically on a monthly
or annual basis.

User ownership
● IaaS: The user is responsible for the purchase, installation, configuration, and
management of their own software, operating systems, middleware, and applications.
● PaaS: The user is responsible for the development of their own applications.
However, they are not responsible for managing the server or infrastructure. This
allows the user to focus on the application or workload they want to run.
● SaaS: Users just use the application software; they are not responsible for any
maintenance or management of that software.

Cloud provider ownership
● IaaS: The cloud provider is responsible for ensuring that the underlying cloud
infrastructure (such as virtual machines, storage, and networking) is available for
the user.
● PaaS: The cloud provider is responsible for operating system management, network,
and service configuration. Cloud providers are typically responsible for everything
apart from the application that a user wants to run. They provide a complete managed
platform on which to run the application.
● SaaS: The cloud provider is responsible for the provision, management, and
maintenance of the

Understand Azure billing


● Every Invoice Section is a line item on the invoice
● Each billing profile has its own monthly invoice and payment method
Azure support plans
As an Azure customer, the following free support resources are available to you as well.

● Billing and subscription management support
● Azure Quickstart Center, a guided experience in the Azure portal available
to anyone who wants to improve their knowledge of Azure
● Azure Service Health gives you insights on issues related to your Azure
services
● Azure Advisor gives you personalized recommendations on how to optimize
your cost and performance
Azure services

Let's take a closer look at the most commonly-used categories:

● Compute
● Networking
● Storage
● Mobile
● Databases
● Web
● Internet of Things
● Big Data
● Artificial Intelligence
Compute

Service name: Service function

● Azure Virtual Machines: Windows or Linux virtual machines (VMs) hosted in Azure
● Azure Virtual Machine Scale Sets: Scaling for Windows or Linux VMs hosted in Azure
● Azure Kubernetes Service: Enables management of a cluster of VMs that run
containerized services
● Azure Service Fabric: Distributed systems platform. Runs in Azure or on-premises
● Azure Batch: Managed service for parallel and high-performance computing applications
● Azure Container Instances: Run containerized apps on Azure without provisioning
servers or VMs
● Azure Functions: An event-driven, serverless compute service

Networking

Service name: Service function

● Azure Virtual Network: Connects VMs to incoming Virtual Private Network (VPN)
connections
● Azure Load Balancer: Balances inbound and outbound connections to applications or
service endpoints
● Azure Application Gateway: Optimizes app server farm delivery while increasing
application security
● Azure VPN Gateway: Accesses Azure Virtual Networks through high-performance VPN
gateways
● Azure DNS: Provides ultra-fast DNS responses and ultra-high domain availability
● Azure Content Delivery Network: Delivers high-bandwidth content to customers globally
● Azure DDoS Protection: Protects Azure-hosted applications from distributed denial of
service (DDoS) attacks
● Azure Traffic Manager: Distributes network traffic across Azure regions worldwide
● Azure ExpressRoute: Connects to Azure over high-bandwidth dedicated secure connections
● Azure Network Watcher: Monitors and diagnoses network issues using scenario-based
analysis
● Azure Firewall: Implements high-security, high-availability firewall with unlimited
scalability
● Azure Virtual WAN: Creates a unified wide area network (WAN), connecting local and
remote sites

Storage

Service name: Service function

● Azure Blob storage: Storage service for very large objects, such as video files or
bitmaps
○ Storage tiers: Azure offers three storage tiers for blob object storage:
○ Hot storage tier: optimized for storing data that is accessed frequently.
○ Cool storage tier: optimized for data that are infrequently accessed and stored
for at least 30 days.
○ Archive storage tier: for data that are rarely accessed and stored for at least
180 days with flexible latency requirements.
● Azure File storage: File shares that you can access and manage like a file server
via Server Message Block (SMB) protocol
● Azure Queue storage: A data store for queuing and reliably delivering messages
between applications
● Azure Table storage: A NoSQL store that hosts unstructured data independent of any
schema
● Azure Data Lake Storage: Data Lake is a large repository that stores both structured
and unstructured data.
● Disk Storage: Disk storage provides disks for virtual machines, applications, and
other services to access and use as they need. You can use standard SSD and HDD disks
for less critical workloads, and premium SSD disks for mission-critical production
applications.

These services all share several common characteristics:

● Durable and highly available with redundancy and replication.
● Secure through automatic encryption and role-based access control.
● Scalable with virtually unlimited storage.
● Managed, handling maintenance and any critical problems for you.
● Accessible from anywhere in the world over HTTP or HTTPS.

Encryption and replication

1. Azure Storage Service Encryption (SSE) for data at rest helps you
secure your data to meet the organization's security and regulatory
compliance. It encrypts the data before storing it and decrypts the
data before retrieving it. The encryption and decryption are
transparent to the user.
2. Client-side encryption is where the data is already encrypted by the
client libraries. Azure stores the data in the encrypted state at rest,
which is then decrypted during retrieval.

Mobile

Other features of this service include:

● Offline data synchronization.
● Connectivity to on-premises data.
● Broadcasting push notifications.
● Autoscaling to match business needs.

Databases
Service name: Service function

● Azure Cosmos DB: Globally distributed database that supports NoSQL options
● Azure SQL Database: Fully managed relational database with auto-scale, integral
intelligence, and robust security
● Azure Database for MySQL: Fully managed and scalable MySQL relational database with
high availability and security
● Azure Database for PostgreSQL: Fully managed and scalable PostgreSQL relational
database with high availability and security
● SQL Server on VMs: Host enterprise SQL Server apps in the cloud
● Azure SQL Data Warehouse: Fully managed data warehouse with integral security at
every level of scale at no extra cost
● Azure Database Migration Service: Migrates your databases to the cloud with no
application code changes
● Azure Cache for Redis: Caches frequently used and static data to reduce data and
application latency
● Azure Database for MariaDB: Fully managed and scalable MariaDB relational database
with high availability and security

Web

Service name: Description

● Azure App Service: Quickly create powerful cloud web-based apps
● Azure Notification Hubs: Send push notifications to any platform from any back end.
● Azure API Management: Publish APIs to developers, partners, and employees securely
and at scale.
● Azure Cognitive Search: Fully managed search as a service.
● Web Apps feature of Azure App Service: Create and deploy mission-critical web apps
at scale.
● Azure SignalR Service: Add real-time web functionalities easily.

Internet of Things

Service name: Description

● IoT Central: Fully-managed global IoT software as a service (SaaS) solution that
makes it easy to connect, monitor, and manage your IoT assets at scale
● Azure IoT Hub: Messaging hub that provides secure communications and monitoring
between millions of IoT devices
● IoT Edge: Push your data analysis models directly onto your IoT devices, allowing
them to react quickly to state changes without needing to consult cloud-based AI
models.

Big Data

Service name: Description

● Azure SQL Data Warehouse: Run analytics at a massive scale using a cloud-based
Enterprise Data Warehouse (EDW) that leverages massive parallel processing (MPP) to
run complex queries quickly across petabytes of data
● Azure HDInsight: Process massive amounts of data with managed clusters of Hadoop
clusters in the cloud
● Azure Databricks: Collaborative Apache Spark–based analytics service that can be
integrated with other Big Data services in Azure.

Compare on-premises storage to Azure data storage

The following table describes the differences between on-premises storage and Azure
data storage.

● Compliance and security
○ On-premises: Dedicated servers required for privacy and security
○ Azure data storage: Client-side encryption and encryption at rest
● Store structured and unstructured data
○ On-premises: Additional IT resources with dedicated servers required
○ Azure data storage: Azure Data Lake and portal analyzes and manages all types of
data
● Replication and high availability
○ On-premises: More resources, licensing, and servers required
○ Azure data storage: Built-in replication and redundancy features available
● Application sharing and access to shared resources
○ On-premises: File sharing requires additional administration resources
○ Azure data storage: File sharing options available without additional license
● Relational data storage
○ On-premises: Needs a database server with database admin role
○ Azure data storage: Offers database-as-a-service options
● Distributed storage and data access
○ On-premises: Expensive storage, networking, and compute resources needed
○ Azure data storage: Azure Cosmos DB provides distributed access
● Messaging and load balancing
○ On-premises: Hardware redundancy impacts budget and resources
○ Azure data storage: Azure Queue provides effective load balancing
● Tiered storage
○ On-premises: Management of tiered storage needs technology and labor skill set
○ Azure data storage: Azure offers automated tiered storage of data

Artificial Intelligence

Service name: Description

● Azure Machine Learning Service: Cloud-based environment you can use to develop,
train, test, deploy, manage, and track machine learning models. It can auto-generate a
model and auto-tune it for you. It will let you start training on your local machine,
and then scale out to the cloud
● Azure Machine Learning Studio: Collaborative, drag-and-drop visual workspace where
you can build, test, and deploy machine learning solutions using pre-built machine
learning algorithms and data-handling modules

A closely related set of products are the cognitive services. These are pre-built APIs you
can leverage in your applications to solve complex problems.

Service name: Description

● Vision: Image-processing algorithms to smartly identify, caption, index, and
moderate your pictures and videos.
● Speech: Convert spoken audio into text, use voice for verification, or add speaker
recognition to your app.
● Knowledge mapping: Map complex information and data in order to solve tasks such as
intelligent recommendations and semantic search.
● Bing Search: Add Bing Search APIs to your apps and harness the ability to comb
billions of webpages, images, videos, and news with a single API call.
● Natural Language processing: Allow your apps to process natural language with
pre-built scripts, evaluate sentiment and learn how to recognize what users want.

DevOps

Service name: Description

● Azure DevOps: Azure DevOps Services (formerly known as Visual Studio Team Services,
or VSTS), provides development collaboration tools including high-performance
pipelines, free private Git repositories, configurable Kanban boards, and extensive
automated and cloud-based load testing
● Azure DevTest Labs: Quickly create on-demand Windows and Linux environments you can
use to test or demo your applications directly from your deployment pipelines

Regions
A region is a geographical area on the planet containing at least one, but potentially
multiple, datacenters that are nearby and networked together with a low-latency network.

Special Azure regions

Azure has specialized regions that you might want to use when building out your
applications for compliance or legal purposes. These include:

● US DoD Central, US Gov Virginia, US Gov Iowa and more: These are
physical and logical network-isolated instances of Azure for US government
agencies and partners. These datacenters are operated by screened US
persons and include additional compliance certifications.
● China East, China North and more: These regions are available through a
unique partnership between Microsoft and 21Vianet, whereby Microsoft
does not directly maintain the datacenters.

Geographies are broken up into the following areas:

● Americas
● Europe
● Asia Pacific
● Middle East and Africa

What is an Availability Zone?

Availability Zones are physically separate datacenters within an Azure region.

Each Availability Zone is made up of one or more datacenters equipped with
independent power, cooling, and networking. It is set up to be an isolation boundary. If
one zone goes down, the other continues working. Availability Zones are connected
through high-speed, private fiber-optic networks.

Supported regions

Not every region has support for Availability Zones. The following regions have a
minimum of three separate zones to ensure resiliency.

● Central US
● East US 2
● West US 2
● West Europe
● France Central
● North Europe
● Southeast Asia

Availability Zones are primarily for VMs, managed disks, load balancers, and SQL
databases. Azure services that support Availability Zones fall into two categories:

● Zonal services – you pin the resource to a specific zone (for example,
virtual machines, managed disks, IP addresses)
● Zone-redundant services – platform replicates automatically across zones
(for example, zone-redundant storage, SQL Database).
Understand Region Pairs in Azure

What is a region pair?


Each Azure region is always paired with another region within the same geography at
least 300 miles away.

Planned Azure updates are rolled out to paired regions one region at a time to minimize
downtime and risk of application outage.

Advantages of region pairs include:

● If there's an extensive Azure outage, one region out of every pair is
prioritized to make sure at least one is restored as quickly as possible for
applications hosted in that region pair.
● Planned Azure updates are rolled out to paired regions one region at a time
to minimize downtime and risk of application outage.
● Data continues to reside within the same geography as its pair (except for
Brazil South) for tax and law enforcement jurisdiction purposes.

Understand Service-Level Agreements for Azure

Azure does not provide SLAs for most services under the Free or Shared tiers. Also,
free products such as Azure Advisor do not typically have an SLA.

SLAs for Azure products and services

There are three key characteristics of SLAs for Azure products and services:

1. Performance Targets
2. Uptime and Connectivity Guarantees
3. Service credits

SLA %    Downtime per week   Downtime per month   Downtime per year
99       1.68 hours          7.2 hours            3.65 days
99.9     10.1 minutes        43.2 minutes         8.76 hours
99.95    5 minutes           21.6 minutes         4.38 hours
99.99    1.01 minutes        4.32 minutes         52.56 minutes
99.999   6 seconds           25.9 seconds         5.26 minutes



Service Credits

Customers may have a discount applied to their Azure bill as compensation for an
under-performing Azure product or service. The table below shows an example.

Monthly uptime percentage   Service credit percentage
< 99.9                      10
< 99                        25
< 95                        100

Compose SLAs across services

When combining SLAs across different service offerings, the resultant SLA is called a
Composite SLA. The resulting composite SLA can provide higher or lower uptime
values, depending on your application architecture.

Calculating downtime

99.95 percent × 99.99 percent = 99.94 percent


This means the combined probability of failure is higher than the individual SLA
values. This isn't surprising, because an application that relies on multiple services has
more potential failure points.

With this design, the application is still available even if it can't connect to the database.
However, it fails if both the database and the queue fail simultaneously.

If the expected percentage of time for a simultaneous failure is 0.0001 × 0.001, the
composite SLA for this combined path of a database or queue would be:

1.0 − (0.0001 × 0.001) = 99.99999 percent

Therefore, if we add the queue to our web app, the total composite SLA is:

99.95 percent × 99.99999 percent = ~99.95 percent


Improve your app reliability in Azure

● Understand your app requirements
○ workload requirements.
● Resiliency
○ ability of a system to recover from failures
● Cost and complexity vs. high availability
○ A workload that requires 99.99 percent uptime shouldn't depend upon a service
with a 99.9 percent SLA.

SLA summary for Azure services

Azure Active Directory
We guarantee at least 99.9% availability of the Azure Active Directory Basic and
Premium services. The services are considered available in the following scenarios:

Azure Active Directory B2C
We guarantee at least 99.9% availability of the Azure Active Directory B2C service. The
service is considered available for a directory in the following scenarios:

Azure Active Directory Domain Services
We guarantee at least 99.9% of Azure Active Directory Domain Services requests for
domain authentication of user accounts belonging to the Managed Domain, LDAP bind
to the root DSE, or DNS lookup of records will complete successfully.

Azure Advisor
Advisor is a free service, therefore, it does not have a financially backed SLA.

Azure Analysis Services
We guarantee that, at least 99.9% of the time Client Operations executed on an Azure
Analysis Services server will succeed.

API Management
● We guarantee that API Management Service instances running in the Standard
tier will respond to requests to perform operations at least 99.9% of the time.
● We guarantee that API Management Service instances running in the Premium
tier deployed across two or more regions will respond to requests to perform
operations at least 99.95% of the time.

No SLA is provided for the Developer tier of the API Management Service.

App Service
We guarantee that Apps running in a customer subscription will be available 99.95% of
the time. No SLA is provided for Apps under either the Free or Shared tiers.
Application Gateway
We guarantee that each Application Gateway Cloud Service having two or more
medium or larger instances, or deployments capable of supporting autoscale or zone
redundancy, will be available at least 99.95% of the time.

Automation
We guarantee that at least 99.9% of runbook jobs will start within 30 minutes of their
planned start times.

We guarantee at least 99.9% availability of the Azure Automation DSC agent service.

Azure DevOps
● We guarantee at least 99.9% availability of Azure DevOps Services for paid
Azure DevOps Services users, including users with paid User-Based Extensions
to Azure DevOps Services, to access the associated Azure DevOps Services
account.
● We guarantee at least 99.9% availability to execute load testing operations using
the paid Azure Test Plans Load Testing Service.
● We guarantee at least 99.9% availability to execute build and deployment
operations using the paid Azure Pipelines.

Azure Firewall
Azure Firewall offers fully stateful native firewall capabilities for Virtual Network
resources, with built-in high availability and the ability to scale automatically.

We guarantee that Azure Firewall will be available at least 99.95% of the time, when
deployed within a single Availability Zone.
We guarantee that Azure Firewall will be available at least 99.99% of the time, when
deployed within two or more Availability Zones in the same Azure region.

Azure management options

● Azure portal for interacting with Azure via a Graphical User Interface (GUI)
● Azure PowerShell and Azure Command-Line Interface (CLI) for
command line and automation-based interactions with Azure
● Azure Cloud Shell is authenticated, browser-accessible shell command-
line interface. Cloud Shell has a suite of developer tools, text editors, and
other tools
● Azure mobile app for monitoring and managing your resources from your
mobile device.

What is the Azure Marketplace?

The Marketplace allows customers to find, try, purchase, and provision applications and
services from hundreds of leading service providers, all certified to run on Azure.

Azure Advisor

Finally, the Azure Advisor is a free service built into Azure that provides
recommendations on high availability, security, performance, operational excellence,
and cost.

Azure compute
Azure compute is an on-demand computing service for running cloud-based applications.

There are four common techniques for performing compute in Azure:

● Virtual machines, or VMs, are software emulations of physical computers.
● Containers - a virtualization environment for running applications.
● Azure App Service - platform-as-a-service (PaaS) offering in Azure that is designed to
host enterprise-grade web-oriented applications.
● Serverless computing - cloud-hosted execution environment that runs your code but
completely abstracts the underlying hosting environment

Virtual machines
● IaaS
● Total control over the operating system (OS)
● The ability to run custom software, or
● To use custom hosting configurations
● VMs are also an excellent choice when moving from a physical server to the cloud ("lift
and shift")

Scaling VMs in Azure

● Availability sets
● Virtual Machine Scale Sets
● Azure Batch

Availability sets
● An availability set is a logical grouping of two or more VMs that helps keep your
application available during planned or unplanned maintenance.
● With an availability set, you get:
○ Up to three fault domains that each have a server rack with dedicated power and
network resources
○ Five logical update domains, which can then be increased to a maximum of 20
● Your VMs are then sequentially placed across the fault and update domains. The
following diagram shows an example where you have six VMs in two availability sets
distributed across the two fault domains and five update domains.
● There's no cost for an availability set. You only pay for the VMs within the
availability set. We highly recommend that you place each workload in an availability
set to avoid having a single point of failure in your VM architecture.

Virtual machine scale sets

Azure Virtual Machine Scale Sets let you create and manage a group of identical, load balanced
VMs. Imagine you're running a website that enables scientists to upload astronomy images that
need to be processed. If you duplicated the VM, you'd normally need to configure an additional
service to route requests between multiple instances of the website. Virtual Machine Scale Sets
could do that work for you.

Scale sets allow you to centrally manage, configure, and update a large number of VMs in
minutes to provide highly available applications. The number of VM instances can automatically
increase or decrease in response to demand or a defined schedule. With Virtual Machine Scale
Sets, you can build large-scale services for areas such as compute, big data, and container
workloads.
Azure Batch
Azure Batch enables large-scale job scheduling and compute management with the ability to
scale to tens, hundreds, or thousands of VMs.

When you're ready to run a job, Batch does the following:

● Starts a pool of compute VMs for you
● Installs applications and staging data
● Runs jobs with as many tasks as you have
● Identifies failures
● Requeues work
● Scales down the pool as work completes

There may be situations in which you need raw computing power or supercomputer level
compute power. Azure provides these capabilities.
Containers
If you wish to run multiple instances of an application on a single host machine, containers are
an excellent choice.

A container doesn't use virtualization, so it doesn't waste resources simulating virtual hardware
with a redundant OS.

VMs versus containers



Containers in Azure
Services to manage containers in Azure:
● Azure Container Instances (ACI)
● Azure Kubernetes Service (AKS)

Azure Container Instances

Azure Container Instances (ACI) offers the fastest and simplest way to run a container in Azure.
You don't have to manage any virtual machines or configure any additional services. It is a
PaaS offering that allows you to upload your containers and execute them directly with
automatic elastic scale.
Containers are often used to create solutions using a microservice architecture.

Azure Kubernetes Service

The task of automating, managing, and interacting with a large number of containers is known
as orchestration. Azure Kubernetes Service (AKS) is a complete orchestration service for
containers with distributed architectures with multiple containers.
Migrating apps to containers

1. You convert an existing application to one or more containers and then publish one or
more container images to the Azure Container Registry.
2. By using the Azure portal or the command line, you deploy the containers to an AKS
cluster.
3. Azure AD controls access to AKS resources.
4. You access SLA-backed Azure services, such as Azure Database for MySQL, via Open
Service Broker for Azure (OSBA).
5. Optionally, AKS is deployed with a virtual network.
Azure App Service
1. With Azure App Service, you can host most common web app styles including:
○ Web Apps (using ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or
Python)
○ API Apps (REST-based)
○ WebJobs (.exe, Java, PHP, Python, or Node.js) or script (.cmd, .bat, PowerShell,
or Bash)
○ Mobile Apps
i. Store mobile app data in a cloud-based SQL database
ii. Authenticate customers against common social providers such as MSA,
Google, Twitter, and Facebook
iii. Send push notifications
iv. Execute custom back-end logic in C# or Node.js
2. All of these app styles are hosted in the same infrastructure and share these benefits.
3. It offers automatic scaling and high availability.
4. App Service supports both Windows and Linux, and enables automated deployments
from GitHub, Azure DevOps, or any Git repo to support a continuous deployment model.
5. This platform as a service (PaaS) allows you to focus on the website and API logic while
Azure handles the infrastructure to run and scale your web applications.
App Service costs
● Pay for the Azure compute resources your app uses
● There is even a free tier you can use to host small, low-traffic sites.

Serverless computing
● Serverless computing is the abstraction of servers, infrastructure, and OSs.
● There's no need to even reserve capacity.

Serverless computing encompasses three ideas:

● The abstraction of servers: Serverless computing abstracts the servers you run on.
You never explicitly reserve server instances; the platform manages that for you. Each
function execution can run on a different compute instance, and this execution context is
transparent to the code. With serverless architecture, you simply deploy your code,
which then runs with high availability.
● Event-driven scale: Serverless computing is an excellent fit for workloads that respond
to incoming events. Events include triggers by timers (for example, if a function needs to
run every day at 10:00 AM UTC), HTTP (API and webhook scenarios), queues (for
example, with order processing), and much more. Instead of writing an entire
application, the developer authors a function, which contains both code and metadata
about its triggers and bindings. The platform automatically schedules the function to run
and scales the number of compute instances based on the rate of incoming events.
Triggers define how a function is invoked and bindings provide a declarative way to
connect to services from within the code.
● Micro-billing: Traditional computing has the notion of per-second billing, but often, that's
not as useful as it seems. Even if a customer's website gets only one hit a day, they still
pay for a full day's worth of availability. With serverless computing, they pay only for the
time their code runs. If no active function executions occur, they're not charged. For
example, if the code runs once a day for two minutes, they're charged for one execution
and two minutes of computing time.

Azure has two implementations of serverless compute:

1. Azure Functions:
a. They're commonly used when you need to perform work in response to an
event, often via a
i. REST request,
ii. timer, or
iii. message from another Azure service and
b. When that work can be completed quickly, within seconds or less.
c. You're only charged for the CPU time used.
d. Furthermore, Azure Functions can be either
i. stateless (the default), where they behave as if they're restarted every
time they respond to an event, or
ii. stateful (called "Durable Functions"), where a context is passed through
the function to track prior activity.
2. Azure Logic Apps:
a. Azure Logic Apps are similar to Functions - both enable you to trigger logic
based on an event. Where Functions execute code, Logic Apps execute
workflows designed to automate business scenarios and built from predefined
logic blocks.
b. Every logic app workflow starts with a trigger, which fires when a specific event
happens or when newly available data meets specific criteria. Many triggers
include basic scheduling capabilities, so developers can specify how regularly
their workloads will run. Each time the trigger fires, the Logic Apps engine
creates a logic app instance that runs the actions in the workflow. These actions
can also include data conversions and flow controls, such as conditional
statements, switch statements, loops, and branching. You create Logic App
workflows using a visual designer on the Azure portal or in Visual Studio. The
workflows are persisted as a JSON file with a known workflow schema.
c. Azure provides over 200 different connectors and processing blocks to interact with
different services - including most popular enterprise apps. You can also build
custom connectors and workflow steps if the service you need to interact with
isn't covered. You then use the visual designer to link connectors and blocks
together, passing data through the workflow to do custom processing - often all
without writing any code.
d. As an example, let's say a ticket arrives in ZenDesk. You could:
i. Detect the intent of the message with cognitive services
ii. Create an item in SharePoint to track the issue
iii. If the customer isn't in your database, add them to your Dynamics 365
CRM system
iv. Send a follow-up email to acknowledge their request
All of that could be designed in a visual designer, making it easy to see the logic
flow, which is ideal for a business analyst role.

Functions vs. Logic Apps

● Functions and Logic Apps can both create complex orchestrations.
● An orchestration is a collection of functions or steps, that are executed to
accomplish a complex task.
● With Azure Functions, you write code to complete each step, with Logic Apps,
you use a GUI to define the actions and how they relate to one another.
You can mix and match services when you build an orchestration, calling functions from
logic apps and calling logic apps from functions. Here are some common differences
between the two.
Criteria | Functions | Logic Apps
--- | --- | ---
State | Normally stateless, but Durable Functions provide state | Stateful
Development | Code-first (imperative) | Designer-first (declarative)
Connectivity | About a dozen built-in binding types, write code for custom bindings | Large collection of connectors, Enterprise Integration Pack for B2B scenarios, build custom connectors
Actions | Each activity is an Azure function; write code for activity functions | Large collection of ready-made actions
Monitoring | Azure Application Insights | Azure portal, Log Analytics
Management | REST API, Visual Studio | Azure portal, REST API, PowerShell, Visual Studio
Execution context | Can run locally or in the cloud | Runs only in the cloud
Choose an Azure compute service for your application

Hosting model

Criteria | Virtual Machines | App Service | Service Fabric | Azure Functions | Azure Kubernetes Service | Container Instances | Azure Batch
--- | --- | --- | --- | --- | --- | --- | ---
Application composition | Agnostic | Applications, containers | Services, guest executables, containers | Functions | Containers | Containers | Scheduled jobs
Density | Agnostic | Multiple apps per instance via app service plans | Multiple services per VM | Serverless¹ | Multiple containers per node | No dedicated instances | Multiple apps per VM
Minimum number of nodes | 1² | 1 | 5³ | Serverless¹ | 3³ | No dedicated nodes | 1⁴
State management | Stateless or Stateful | Stateless | Stateless or stateful | Stateless | Stateless or Stateful | Stateless | Stateless
Web hosting | Agnostic | Built in | Agnostic | Not applicable | Agnostic | Agnostic | No
Can be deployed to dedicated VNet? | Supported | Supported⁵ | Supported | Supported⁵ | Supported | Not supported | Supported
Hybrid connectivity | Supported | Supported⁶ | Supported | Supported⁷ | Supported | Not supported | Supported

DevOps

Criteria | Virtual Machines | App Service | Service Fabric | Azure Functions | Azure Kubernetes Service | Container Instances | Azure Batch
--- | --- | --- | --- | --- | --- | --- | ---
Local debugging | Agnostic | IIS Express, others¹ | Local node cluster | Visual Studio or Azure Functions CLI | Minikube, others | Local container runtime | Not supported
Programming model | Agnostic | Web and API applications, WebJobs for background tasks | Guest executable, Service model, Actor model, Containers | Functions with triggers | Agnostic | Agnostic | Command line application
Application update | No built-in support | Deployment slots | Rolling upgrade (per service) | Deployment slots | Rolling update | Not applicable | 

Scalability

Criteria | Virtual Machines | App Service | Service Fabric | Azure Functions | Azure Kubernetes Service | Container Instances | Azure Batch
--- | --- | --- | --- | --- | --- | --- | ---
Autoscaling | Virtual machine scale sets | Built-in service | Virtual machine scale sets | Built-in service | Pod auto-scaling¹, cluster auto-scaling² | Not supported | N/A
Load balancer | Azure Load Balancer | Integrated | Azure Load Balancer | Integrated | Azure Load Balancer or Application Gateway | No built-in support | Azure Load Balancer
Scale limit³ | Platform image: 1000 nodes per scale set, Custom image: 600 nodes per scale set | 20 instances, 100 with App Service Environment | 100 nodes per scale set | 200 instances per Function app | 100 nodes per cluster (default limit) | 20 container groups per subscription (default limit) | 20 core limit (default limit)
Availability

Criteria | Virtual Machines | App Service | Service Fabric | Azure Functions | Azure Kubernetes Service | Container Instances | Azure Batch
--- | --- | --- | --- | --- | --- | --- | ---
SLA | SLA for Virtual Machines | SLA for App Service | SLA for Service Fabric | SLA for Functions | SLA for AKS | SLA for Container Instances | SLA for Azure Batch
Multi region failover | Traffic manager | Traffic manager | Traffic manager, Multi-Region Cluster | Not supported | Traffic manager | Not supported | Not supported
Azure data storage
Benefits
● Automated backup and recovery: mitigates the risk of losing your data if there is any
unforeseen failure or interruption.
● Replication across the globe: copies your data to protect it against any planned or
unplanned events, such as scheduled maintenance or hardware failures. You can
choose to replicate your data at multiple locations across the globe.
● Support for data analytics: supports performing analytics on your data consumption.
● Encryption capabilities: data is encrypted to make it highly secure; you also have tight
control over who can access the data.
● Multiple data types: Azure can store almost any type of data you need. It can handle
video files, text files, and even large binary files like virtual hard disks. It also has many
options for your relational and NoSQL data.
● Data storage in virtual disks: Azure also has the capability of storing up to 32 TB of
data in its virtual disks. This capability is significant when you're storing heavy data such
as videos and simulations.
● Storage tiers: prioritize access to data based on frequently used versus rarely used
information.

Types of data
1. Structured data.
a. Structured data is data that adheres to a schema, so all of the data has the same
fields or properties.
b. Structured data can be stored in a database table with rows and columns.
Structured data relies on keys to indicate how one row in a table relates to data
in another row of another table.
c. Structured data is also referred to as relational data, as the data's schema
defines the table of data, the fields in the table, and the clear relationship
between the two.
d. Structured data is straightforward in that it's easy to enter, query, and analyze. All
of the data follows the same format. Examples of structured data include sensor
data or financial data.
2. Semi-structured data. Semi-structured data doesn't fit neatly into tables, rows, and
columns.
a. Instead, semi-structured data uses tags or keys that organize and provide a
hierarchy for the data.
b. Semi-structured data is also referred to as non-relational or NoSQL data.
3. Unstructured data. Unstructured data encompasses data that has no designated
structure to it. This lack of structure also means that there are no restrictions on the
kinds of data it can hold. For example, a blob can hold a PDF document, a JPG image, a
JSON file, video content, etc. As such, unstructured data is becoming more prominent
as businesses try to tap into new data sources.
Core Cloud Services

N-tier architecture
● used to build loosely coupled systems
● An N-tier architecture divides an application into two or more logical tiers. Architecturally,
a higher tier can access services from a lower tier, but a lower tier should never access
a higher tier.
○ The web tier provides the web interface to your users through a browser.
○ The application tier runs business logic.
○ The data tier includes databases and other storage that hold product information
and customer orders.
● An N-tier application can have a closed layer architecture or an open layer architecture:
○ In a closed layer architecture, a layer can only call the next layer immediately
down.
○ In an open layer architecture, a layer can call any of the layers below it.

Network security group

● A network security group, or NSG, allows or denies inbound network traffic to your Azure
resources.
● Think of a network security group as a cloud-level firewall for your network.
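How an NSG reaches its allow or deny decision, as an added example that is not part of the original notes: rules are evaluated in ascending priority order, the first match decides, and the platform's default DenyAllInBound rule (priority 65500) supplies the deny-by-default behaviour. The Rule class, the sample rule set and the addresses are constructed for illustration; the audit helper at the end flags custom rules that open SSH or RDP to any source.

```python
"""Simulate inbound rule evaluation of an Azure network security group (NSG).

Added example, not code from the original notes. Simplified model of NSG
security rules: evaluated in priority order (lowest number first), first
match wins, and the platform default DenyAllInBound (65500) denies the rest.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def port_in_range(port: int, spec: str) -> bool:
    """True if `port` falls inside a port spec such as "22", "80-443" or "*"."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return port == int(spec)


@dataclass(frozen=True)
class Rule:
    priority: int      # custom rules use 100-4096; lower number is evaluated first
    name: str
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR prefix, or "*" for any source
    dest_ports: str    # "443", "1024-65535" or "*"

    def matches(self, protocol: str, src_ip: str, dst_port: int) -> bool:
        if self.protocol != "*" and self.protocol.lower() != protocol.lower():
            return False
        if self.source != "*" and ip_address(src_ip) not in ip_network(self.source):
            return False
        return port_in_range(dst_port, self.dest_ports)


# Platform default rule carried by every NSG: anything not explicitly allowed is denied.
DENY_ALL_INBOUND = Rule(65500, "DenyAllInBound", "Deny", "*", "*", "*")


def evaluate_inbound(rules: list, protocol: str, src_ip: str, dst_port: int) -> str:
    """Return "<Access>:<rule name>" for the first rule (by priority) matching the flow."""
    for rule in sorted(list(rules) + [DENY_ALL_INBOUND], key=lambda r: r.priority):
        if rule.matches(protocol, src_ip, dst_port):
            return f"{rule.access}:{rule.name}"
    raise AssertionError("unreachable: DenyAllInBound matches every flow")


MANAGEMENT_PORTS = (22, 3389)  # SSH and RDP


def exposed_management_rules(rules: list) -> list:
    """Defender check: Allow rules that open SSH/RDP to any source and are not
    shadowed by a higher-priority rule. Probes with a constructed public address."""
    findings = []
    for port in MANAGEMENT_PORTS:
        for rule in sorted(rules, key=lambda r: r.priority):
            if rule.matches("Tcp", "198.51.100.1", port):
                if rule.access == "Allow" and rule.source == "*":
                    findings.append(f"{rule.name} allows TCP/{port} from any source")
                break  # first match decides; later rules never see this flow
    return findings


# Constructed sample rule set for a web tier; the RDP rule is the mistake to catch.
WEB_TIER_RULES = [
    Rule(100, "AllowHttpsFromInternet", "Allow", "Tcp", "*", "443"),
    Rule(110, "AllowSshFromCorp", "Allow", "Tcp", "203.0.113.0/24", "22"),
    Rule(120, "AllowRdpFromAnywhere", "Allow", "Tcp", "*", "3389"),
]

if __name__ == "__main__":
    print(evaluate_inbound(WEB_TIER_RULES, "Tcp", "198.51.100.5", 443))  # Allow:AllowHttpsFromInternet
    print(evaluate_inbound(WEB_TIER_RULES, "Tcp", "198.51.100.5", 22))   # Deny:DenyAllInBound
    print(exposed_management_rules(WEB_TIER_RULES))
```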
Azure Load Balancer

Availability and high availability

● Availability refers to how long your service is up and running without interruption.
● High availability, or highly available, refers to a service that's up and running for a long
period of time.

Resiliency
Resiliency refers to a system's ability to stay operational during abnormal conditions.

Load Balancer
A load balancer distributes traffic evenly among each system in a pool. A load balancer can help
you achieve both high availability and resiliency.
Azure Load Balancer
● Load Balancer supports inbound and outbound scenarios, provides low latency and high
throughput, and scales up to millions of flows for all Transmission Control Protocol (TCP)
and User Datagram Protocol (UDP) applications.
● You can use Load Balancer with
○ incoming internet traffic,
○ internal traffic across Azure services,
○ port forwarding for specific traffic, or
○ outbound connectivity for VMs in your virtual network.

Azure Application Gateway

● If all your traffic is HTTP, a potentially better option is to use Azure Application
Gateway.
● Application Gateway is a load balancer designed for web applications.
● It uses Azure Load Balancer at the transport level (TCP) and applies sophisticated
URL-based routing rules to support several advanced scenarios.
● This type of routing is known as application layer (OSI layer 7) load balancing
since it understands the structure of the HTTP message.

Benefits of Azure Application Gateway over a simple load balancer:

● Cookie affinity. Useful when you want to keep a user session on the same
backend server.
● SSL termination. Application Gateway can manage your SSL certificates
and pass unencrypted traffic to the backend servers to avoid
encryption/decryption overhead. It also supports full end-to-end encryption
for applications that require that.
● Web application firewall. Application Gateway supports a sophisticated
firewall (WAF) with detailed monitoring and logging to detect malicious
attacks against your network infrastructure.
● URL rule-based routes. Application Gateway allows you to route traffic
based on URL patterns, source IP address and port to destination IP
address and port. This is helpful when setting up a content delivery
network.
● Rewrite HTTP headers. You can add or remove information from the
inbound and outbound HTTP headers of each request to enable important
security scenarios, or scrub sensitive information such as server names.

Content Delivery Network

● A content delivery network (CDN) is a distributed network of servers that can
efficiently deliver web content to users.
● It is a way to get content to users in their local region to minimize latency.
● You can cache content at strategically placed physical nodes across the world
and provide better performance to end users.

DNS

● DNS, or Domain Name System, is a way to map user-friendly names to their IP
addresses.

The following illustration shows Azure DNS. When the user navigates to contoso.com,
Azure DNS routes traffic to the load balancer.

Reduce latency with Azure Traffic Manager

Network latency

● Latency refers to the time it takes for data to travel over the network. Latency is
typically measured in milliseconds.
● Compare latency to bandwidth. Bandwidth refers to the amount of data that
can fit on the connection. Latency refers to the time it takes for that data to reach
its destination.
● Factors such as the type of connection you use and how your application is
designed can affect latency. But perhaps the biggest factor is distance.
Scale out to different regions
● One way to reduce latency is to provide exact copies of your service in more than one
region. The following illustration shows an example of global deployment.
● How can you connect users to the service that's closest geographically?

Use Traffic Manager to route users to the closest endpoint
● Traffic Manager uses the DNS server that's closest to the user to direct user traffic to a
globally distributed endpoint. The following illustration shows the role of the Traffic
Manager.
● Traffic Manager doesn't see the traffic that's passed between the client and server.
Rather, it directs the client web browser to a preferred endpoint. Traffic Manager can
route traffic in a few different ways, such as to the endpoint with the lowest latency.
● Although not shown here, this setup could also include your on-premises deployment
running in California.

Compare Load Balancer to Traffic Manager

● Azure Load Balancer distributes traffic within the same region to make your
services more highly available and resilient.
● Traffic Manager works at the DNS level, and directs the client to a preferred
endpoint. This endpoint can be to the region that's closest to your user.
● Load Balancer and Traffic Manager both help make your services more resilient,
but in slightly different ways. When Load Balancer detects an unresponsive VM,
it directs traffic to other VMs in the pool.
○ Traffic Manager monitors the health of your endpoints.
○ When Traffic Manager finds an unresponsive endpoint, it directs traffic to
the next closest endpoint that is responsive.
Security is a shared responsibility

Regardless of the deployment type, you always retain responsibility for the following
items:

● Data
● Endpoints
● Accounts
● Access management


A layered approach to security

● Microsoft applies a layered approach to security,
both in physical data centers and across Azure
services. The objective of defense in depth is to
protect and prevent information from being stolen by individuals who are not
authorized to access it.
● Defense in depth can be visualized as a set of concentric rings, with the data to
be secured at the center. Each ring adds an additional layer of security around
the data. This approach removes reliance on any single layer of protection and
acts to slow down an attack and provide alert telemetry that can be acted upon,
either automatically or manually.

Let's take a look at each of the layers.

Data

In almost all cases, attackers are after data:

● Stored in a database
● Stored on disk inside virtual machines
● Stored on a SaaS application such as Office 365
● Stored in cloud storage

It's the responsibility of those storing and controlling access to data to ensure that it's
properly secured.

Application

● Ensure applications are secure and free of vulnerabilities.
● Store sensitive application secrets in a secure storage medium.
● Make security a design requirement for all application development.

Integrating security into the application development life cycle will help reduce the
number of vulnerabilities introduced in code.

Compute

● Secure access to virtual machines.
● Implement endpoint protection and keep systems patched and current.

Malware, unpatched systems, and improperly secured systems open your environment
to attacks.

Networking

● Limit communication between resources.
● Deny by default.
● Restrict inbound internet access and limit outbound, where appropriate.
● Implement secure connectivity to on-premises networks.

At this layer, the focus is on limiting the network connectivity across all your resources
to allow only what is required.

Perimeter

● Use distributed denial of service (DDoS) protection to filter large-scale
attacks before they can cause a denial of service for end users.
● Use perimeter firewalls to identify and alert on malicious attacks against
your network.

At the network perimeter, it's about protecting from network-based attacks against your
resources.

Identity and access

● Control access to infrastructure and change control.
● Use single sign-on and multi-factor authentication.
● Audit events and changes.
The identity and access layer is all about ensuring identities are secure, access granted
is only what is needed, and changes are logged.

Physical security

● Physical building security and controlling access to computing hardware
within the data center is the first line of defense.

With physical security, the intent is to provide physical safeguards against access to
assets.
Azure Security Center
Security Center can:

● Provide security recommendations based on your configurations,
resources, and networks.
● Monitor security settings across on-premises and cloud workloads, and
automatically apply required security to new services as they come online.
● Continuously monitor all your services, and perform automatic security
assessments to identify potential vulnerabilities before they can be
exploited.
● Use machine learning to detect and block malware from being installed on
your virtual machines and services. You can also define a list of allowed
applications to ensure that only the apps you validate are allowed to
execute.
● Analyze and identify potential inbound attacks, and help to investigate
threats and any post-breach activity that might have occurred.
● Provide just-in-time access control for ports, reducing your attack surface
by ensuring the network only allows traffic that you require.

Azure Security Center is part of the Center for Internet Security (CIS)
recommendations.

Azure Security Center is available in two tiers:

1. Free. Available as part of your Azure subscription, this tier is limited to
assessments and recommendations of Azure resources only.
2. Standard. This tier provides a full suite of security-related services
including continuous monitoring, threat detection, just-in-time access
control for ports, and more. Azure Security Center is $15 per node per
month.
Usage scenarios
You can integrate Security Center into your workflows and use it in many ways. Here
are two examples.

1. Use the Security Center for incident response.

Many organizations learn how to respond to security incidents only after suffering
an attack. To reduce costs and damage, it's important to have an incident
response plan in place before an attack occurs. You can use Azure Security
Center in different stages of an incident response.

Detect. Review the first indication of an event investigation. For example, you can use
the Security Center dashboard to review the initial verification that a high-priority
security alert was raised.

Assess. Perform the initial assessment to obtain more information about the suspicious
activity. For example, obtain more information about the security alert.
Diagnose. Conduct a technical investigation and identify containment, mitigation, and
workaround strategies. For example, follow the remediation steps described by Security
Center in that particular security alert.

2. Use Security Center recommendations to enhance security.

● A security policy defines the set of controls that are recommended for
resources within that specified subscription or resource group. In Security
Center, you define policies according to your company's security
requirements.
● When the Security Center identifies potential security vulnerabilities, it
creates recommendations based on the controls set in the security policy.
The recommendations guide you through the process of configuring the needed
security controls.
○ For example, if you have workloads that do not require the Azure SQL
Database Transparent Data Encryption (TDE) policy, turn off the policy at
the subscription level and enable it only in the resources groups where
SQL TDE is required.

Important

To upgrade a subscription to the Standard tier, you must be assigned the role of
Subscription Owner, Subscription Contributor, or Security Admin.

Identity and access

Identity has become the new primary security boundary. Therefore, proper
authentication and assignment of privileges is critical to maintaining control of your data.

Authentication and authorization

● Authentication / AuthN is the process of establishing the identity of a person or
service looking to access a resource. It involves the act of challenging a party for
legitimate credentials, and provides the basis for creating a security principal for
identity and access control use. It establishes if they are who they say they are.
● Authorization / AuthZ is the process of establishing what level of access an
authenticated person or service has. It specifies what data they're allowed to access
and what they can do with it.

Azure Active Directory

● Authentication. This includes verifying identity to access applications and
resources, and providing functionality such as
○ self-service password reset,
○ Multi-factor authentication (MFA) provides additional security for your
identities by requiring two or more elements for full authentication.
■ Something you know
■ Something you possess
■ Something you are
● Single-Sign-On (SSO). SSO enables users to remember only one ID and
one password to access multiple applications.
○ A single identity is tied to a user, simplifying the security model.
○ As users change roles or leave an organization, access modifications are
tied to that identity, greatly reducing the effort needed to change or disable
accounts.
● Application management. You can manage your cloud and on-premises
apps using Azure AD Application Proxy, SSO, the My apps portal (also
referred to as Access panel), and SaaS apps. Azure AD provides two kinds of
identity for services:
○ Service principals: A service principal is an identity that is used by a
service or application. And like other identities, it can be assigned roles.
○ Managed identities for Azure services:
■ A managed identity can be instantly created for any Azure service
that supports it.
■ When you create a managed identity for a service, you are creating
an account on your organization's Active Directory (a specific
organization's Active Directory instance is known as an "Active
Directory Tenant"). The Azure infrastructure will automatically take
care of authenticating the service and managing the account. You
can then use that account like any other Azure AD account,
including allowing the authenticated service secure access of other
Azure resources.
● Business to business (B2B) identity services. Manage your guest users
and external partners while maintaining control over your own corporate
data
● Business-to-Customer (B2C) identity services. Customize and control
how users sign up, sign in, and manage their profiles when using your apps
with services.
● Device Management. Manage how your cloud or on-premises devices
access your corporate data.
Role-based access control
● Roles are sets of permissions, like "Read-only" or "Contributor", that users can be
granted to access an Azure service instance.
● Identities are mapped to roles directly or through group membership.
● Separating security principals, access permissions, and resources provides simple
access management and fine-grained control.

Roles can be granted at the individual service instance level, but they also flow down
the Azure Resource Manager hierarchy.

Here's a diagram that shows this relationship.

Roles assigned at a higher scope, like an entire subscription, are inherited by child
scopes, like service instances.
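How role inheritance down the Resource Manager hierarchy works out in practice, as an added example that is not part of the original notes: a role assignment made at a scope applies to that scope and to every scope beneath it, and a role definition permits an action only if it matches the role's Actions and none of its NotActions. The Reader and Contributor definitions below are simplified subsets of the built-in roles; the principals, the subscription id and the resource ids are constructed placeholders, and who_can is an audit helper for access reviews.

```python
"""Resolve effective Azure RBAC permissions across the Resource Manager scope hierarchy.

Added example, not code from the original notes. Scopes are ARM resource ids
(subscription -> resource group -> resource); an assignment at a parent scope is
inherited by every child scope.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple          # permitted operations; "*" wildcards span "/" as in Azure
    not_actions: tuple = () # operations carved back out of `actions`

    def permits(self, action: str) -> bool:
        # Azure operation names are case-insensitive, so compare lower-cased.
        act = action.lower()
        allowed = any(fnmatchcase(act, a.lower()) for a in self.actions)
        excluded = any(fnmatchcase(act, n.lower()) for n in self.not_actions)
        return allowed and not excluded


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str  # e.g. "/subscriptions/<id>/resourceGroups/<rg>"


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies to its own scope and to every scope beneath it.
    The trailing "/" guard stops "rg-web" from covering "rg-web2"."""
    a, r = assignment_scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def effective_assignments(assignments, principal: str, resource_id: str) -> list:
    """Direct and inherited assignments that give `principal` rights on `resource_id`."""
    return [x for x in assignments
            if x.principal == principal and scope_covers(x.scope, resource_id)]


def is_authorized(assignments, principal: str, action: str, resource_id: str) -> bool:
    return any(x.role.permits(action)
               for x in effective_assignments(assignments, principal, resource_id))


def who_can(assignments, action: str, resource_id: str) -> list:
    """Access-review helper: every principal able to perform `action` on `resource_id`."""
    principals = {x.principal for x in assignments
                  if scope_covers(x.scope, resource_id) and x.role.permits(action)}
    return sorted(principals)


# Simplified subsets of the built-in roles (constructed for this example).
READER = RoleDefinition("Reader", actions=("*/read",))
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    actions=("*",),
    not_actions=("Microsoft.Authorization/*/Write",
                 "Microsoft.Authorization/*/Delete",
                 "Microsoft.Authorization/elevateAccess/Action"),
)

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id
RG_WEB = f"{SUB}/resourceGroups/rg-web"
RG_DB = f"{SUB}/resourceGroups/rg-db"
VM_WEB = f"{RG_WEB}/providers/Microsoft.Compute/virtualMachines/web01"
VM_DB = f"{RG_DB}/providers/Microsoft.Compute/virtualMachines/db01"

# Constructed assignments: alice reads everything in the subscription,
# bob can manage only the web resource group.
ASSIGNMENTS = [
    RoleAssignment("alice", READER, SUB),
    RoleAssignment("bob", CONTRIBUTOR, RG_WEB),
]

if __name__ == "__main__":
    print(is_authorized(ASSIGNMENTS, "alice", "Microsoft.Compute/virtualMachines/read", VM_DB))   # True
    print(is_authorized(ASSIGNMENTS, "bob", "Microsoft.Compute/virtualMachines/write", VM_DB))    # False
    print(who_can(ASSIGNMENTS, "Microsoft.Compute/virtualMachines/read", VM_WEB))              # ['alice', 'bob']
```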

Privileged Identity Management

● In addition to managing Azure resource access with role-based access control (RBAC),
a comprehensive approach to infrastructure protection should consider including the
ongoing auditing of role members as their organization changes and evolves.
● Azure AD Privileged Identity Management (PIM) is an additional, paid-for offering that
provides oversight of
○ role assignments,
○ self-service and just-in-time role activation, and
○ Azure AD and Azure resource access reviews.
Encryption
Symmetric encryption uses the same key to encrypt and decrypt the data.

Asymmetric encryption uses a public key and private key pair. Used for things like
Transport Layer Security (TLS) (used in HTTPS) and data signing.

Both symmetric and asymmetric encryption play a role in properly securing your data.
Encryption is typically approached in two ways:

● Encryption at rest:
○ Data at rest is the data that has been stored on a physical medium.
● Encryption in transit:
○ Data in transit is the data actively moving from one location to another.
Secure transfer can be handled by several different layers:
■ HTTPS is an example of an application layer in transit encryption.
■ a virtual private network (VPN), at a network layer, to transmit data
between two systems.

Encryption on Azure

Encrypt raw storage

Azure Storage Service Encryption automatically encrypts your data before persisting
it to Azure Managed Disks, Azure Blob storage, Azure Files, or Azure Queue storage,
and decrypts the data before retrieval.

Encrypt virtual machine disks

● Azure Disk Encryption is a capability that helps you encrypt your Windows and
Linux IaaS virtual machine disks.
● Azure Disk Encryption leverages the industry-standard BitLocker feature of
Windows and the dm-crypt feature of Linux.
● The solution is integrated with Azure Key Vault to help you control and manage
the disk encryption keys and secrets.
Encrypt databases

● Transparent data encryption (TDE) helps protect Azure SQL Database and
Azure Data Warehouse against the threat of malicious activity.
● By default, TDE is enabled for all newly deployed Azure SQL Database
instances.
● TDE encrypts the storage of an entire database by using a symmetric key called
the database encryption key.
● By default, Azure provides a unique encryption key per logical SQL Server
instance and handles all the details.
● Bring your own key (BYOK) is also supported with keys stored in Azure Key
Vault (see below).

Encrypt secrets

● Azure Key Vault is a centralized cloud service for storing your application
secrets. It is useful for a variety of scenarios:
○ Secrets management: store tokens, passwords, certificates, Application
Programming Interface (API) keys, and other secrets.
○ Key management: Key Vault makes it easier to create and control the
encryption keys used to encrypt your data.
○ Certificate management: Key Vault lets you provision, manage, and
deploy your public and private Secure Sockets Layer/Transport Layer
Security (SSL/TLS) certificates for your Azure, and internally connected,
resources more easily.
○ Store secrets backed by hardware security modules (HSMs): the
secrets and keys can be protected either by software, or by FIPS 140-2
Level 2 validated HSMs.

The benefits of using Key Vault include:

● Centralized application secrets. Centralizing storage for application
secrets allows you to control their distribution, and reduces the chances that
secrets may be accidentally leaked.
● Securely stored secrets and keys. Azure uses industry-standard
algorithms, key lengths, and HSMs, and access requires proper
authentication and authorization.
● Monitor access and use. Using Key Vault, you can monitor and control
access to company secrets.
● Simplified administration of application secrets. Key Vault makes it
easier to enroll and renew certificates from public Certificate Authorities
(CAs). You can also scale up and replicate content within regions, and use
standard certificate management tools.
● Integrate with other Azure services. You can integrate Key Vault with
storage accounts, container registries, event hubs, and many more Azure
services.

Because Azure AD identities can be granted access to use Azure Key Vault secrets,
applications with managed service identities enabled can automatically and seamlessly
acquire the secrets they need.

Azure certificates
● Transport Layer Security (TLS) is the basis for encryption of website data in
transit.
● Certificates used in Azure are X.509 v3 and can be signed by a trusted certificate
authority, or they can be self-signed.

Types of certificates

1. Service certificates are used for cloud services
2. Management certificates are used for authenticating with the management
API

Service certificates

● Service certificates are attached to cloud services and enable secure
communication to and from the service.
○ For example, if you deploy a web site, you would want to supply a
certificate that can authenticate an exposed HTTPS endpoint. Service
certificates, which are defined in your service definition, are automatically
deployed to the VM that is running an instance of your role.

Management certificates
● Management certificates allow you to authenticate with the classic deployment
model.
○ Many programs and tools (such as Visual Studio or the Azure SDK) use
these certificates to automate configuration and deployment of various
Azure services.

Using Azure Key Vault with certificates

● You can create certificates in Key Vault, or import existing certificates
● You can securely store and manage certificates without interaction with
private key material.
● You can create a policy that directs Key Vault to manage the life cycle of a
certificate.
● You can provide contact information for notification about life-cycle events
of expiration and renewal of certificate.
● You can automatically renew certificates with selected issuers - Key Vault
partner x509 certificate providers / certificate authorities.
Protect your network

A layered approach to network security

Internet protection

● Make sure you identify all resources that are allowing inbound network traffic of
any type, and then ensure they are restricted to only the ports and protocols
required.
● Azure Security Center is a great place to look for this information, because it
will identify internet-facing resources that don't have network security groups
associated with them, as well as resources that are not secured behind a firewall.

Firewall

● A firewall is a service that grants or refuses access to a server based on the
originating IP address of each request.
● You create firewall rules that specify the ranges of IP addresses that are allowed.

To provide inbound protection at the perimeter, you have several choices.

● Azure Firewall is a managed, cloud-based, network security service that
protects your Azure Virtual Network resources.
● It is a fully stateful firewall as a service with built-in high availability and
unrestricted cloud scalability.
● Azure Firewall provides inbound protection for non-HTTP/S protocols.
Examples of non-HTTP/S protocols include: Remote Desktop Protocol (RDP), Secure
Shell (SSH), and File Transfer Protocol (FTP).
● It also provides outbound, network-level protection for all ports and
protocols, and application-level protection for outbound HTTP/S.
● Azure Application Gateway is a load balancer that includes a Web
Application Firewall (WAF) that provides protection from common, known
vulnerabilities in websites (based on the OWASP core rule set, covering attacks
such as SQL injection and cross-site scripting). It is designed to protect HTTP traffic.
● Network virtual appliances (NVAs) are ideal options for non-HTTP
services or advanced configurations, and are similar to hardware firewall
appliances.
Stopping Distributed Denial of Service (DDoS) attacks

● The Azure DDoS Protection service protects your Azure applications by
monitoring traffic at the Azure network edge before it can impact your
service's availability.
● Within a few minutes of attack detection, you are notified using Azure Monitor
metrics.

Legitimate traffic from customers still flows into Azure without any interruption of
service.

Azure DDoS Protection provides the following service tiers:

● Basic - The Basic service tier is automatically enabled as part of the
Azure platform.
● Standard - adds mitigation capabilities tuned specifically to Microsoft Azure Virtual
Network resources. DDoS standard protection can mitigate the following types of
attacks:
○ Volumetric attacks. The attackers goal is to flood the network
layer with a substantial amount of seemingly legitimate traffic.
○ Protocol attacks. These attacks render a target inaccessible, by
exploiting a weakness in the layer 3 and layer 4 protocol stack.
○ Resource (application) layer attacks. These attacks target web
application packets to disrupt the transmission of data between
hosts.

Controlling the traffic inside your virtual network

Virtual network security


● For communication between virtual machines, Network Security Groups
(NSGs) are a critical piece to restrict unnecessary communication.
● An NSG can contain multiple inbound and outbound security rules that enable
you to filter traffic to and from resources by source and destination IP address,
port, and protocol.
● They provide a list of allowed and denied communication to and from network
interfaces and subnets, and are fully customizable.
● You can completely remove public internet access to your services by restricting
access to service endpoints.
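The rule-processing order is what makes an NSG work, and it is easy to get wrong: rules run in ascending priority, the first full match wins, a low-numbered custom Deny beats the default AllowVnetInBound, the Internet tag does not cover the VNet address space, and the default DenyAllInBound catches everything that nothing else matched. The following Python model is an added example, not something from these notes or from Azure; it evaluates a constructed inbound rule set against sample flows. The VNet address space (10.0.0.0/8), the service-tag approximations and the sample addresses are assumptions of the example.

```python
"""Model of how a network security group (NSG) decides whether traffic is allowed.

Added example; this is not Azure's implementation. It follows the documented NSG rules:
rules are processed in ascending priority, the first full match (direction, protocol, source
address/port, destination address/port) decides, and the built-in default rules, which end
in DenyAllInBound, apply after any custom rules. Service tags are approximated: for this
sample the VirtualNetwork tag is 10.0.0.0/8, Internet is everything outside it and
AzureLoadBalancer is the platform probe address 168.63.129.16 (assumptions of this model).
"""
import ipaddress
from dataclasses import dataclass

VNET_ADDRESS_SPACE = [ipaddress.ip_network("10.0.0.0/8")]   # assumed VNet address space
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # custom rules 100-4096, default rules 65000-65500
    direction: str         # "Inbound" | "Outbound"
    access: str            # "Allow" | "Deny"
    protocol: str          # "Tcp" | "Udp" | "*"
    source: str            # CIDR, single address, service tag or "*"
    source_port: str       # "22", "1024-65535" or "*"
    destination: str
    destination_port: str

def _addr_matches(spec, addr):
    ip = ipaddress.ip_address(addr)
    in_vnet = any(ip in net for net in VNET_ADDRESS_SPACE)
    if spec == "*":                 return True
    if spec == "VirtualNetwork":    return in_vnet
    if spec == "Internet":          return not in_vnet     # Internet tag excludes the VNet space
    if spec == "AzureLoadBalancer": return ip == AZURE_LB_PROBE
    return ip in ipaddress.ip_network(spec, strict=False)   # CIDR or single address

def _port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def _proto_matches(spec, proto):
    return spec == "*" or spec.lower() == proto.lower()

def evaluate(rules, direction, proto, src, src_port, dst, dst_port):
    """Return (access, rule name) of the first matching rule in ascending priority order."""
    for r in sorted(rules, key=lambda rule: rule.priority):
        if r.direction != direction or not _proto_matches(r.protocol, proto):
            continue
        if not (_addr_matches(r.source, src) and _port_matches(r.source_port, src_port)):
            continue
        if not (_addr_matches(r.destination, dst) and _port_matches(r.destination_port, dst_port)):
            continue
        return r.access, r.name
    return "Deny", "<no matching rule>"   # not reachable while the default rules are present

# Default inbound rules every NSG carries (priorities as documented by Azure).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
]

# Constructed custom rules: SSH only from a jump-host subnet, HTTPS from anywhere.
CUSTOM_INBOUND = [
    Rule("AllowSshFromJumpHosts", 100, "Inbound", "Allow", "Tcp", "10.0.0.0/24", "*", "*", "22"),
    Rule("DenySshFromInternet",   110, "Inbound", "Deny",  "Tcp", "Internet",    "*", "*", "22"),
    Rule("AllowHttpsFromInternet", 200, "Inbound", "Allow", "Tcp", "Internet",   "*", "*", "443"),
]
SAMPLE_NSG = CUSTOM_INBOUND + DEFAULT_INBOUND

def check_inbound(src, dst_port, proto="Tcp", dst="10.1.0.4"):
    """Convenience wrapper: an inbound flow from src to the sample VM at dst."""
    return evaluate(SAMPLE_NSG, "Inbound", proto, src, 50000, dst, dst_port)

if __name__ == "__main__":
    for src, port in [("10.0.0.5", 22), ("10.0.5.9", 22), ("203.0.113.7", 22),
                      ("203.0.113.7", 443), ("203.0.113.7", 3389)]:
        print(src, port, check_inbound(src, port))
```

Two results are worth noticing: SSH from a VNet address outside the jump-host subnet (10.0.5.9) is still allowed, because it falls through to AllowVnetInBound, so "restrict SSH" needs an explicit Deny for VirtualNetwork too if that is the intent; and RDP from the internet needs no rule at all, DenyAllInBound takes care of it.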

Network integration

● Virtual private network (VPN) connections are a common way of establishing
secure communication channels between networks.
● To provide a dedicated, private connection between your network and Azure, you
can use Azure ExpressRoute.
○ ExpressRoute lets you extend your on-premises networks into the
Microsoft cloud over a private connection facilitated by a connectivity
provider.
○ ExpressRoute connections improve the security of your on-premises
communication by sending this traffic over the private circuit instead of
over the public internet.
Protect your shared documents
● Microsoft Azure Information Protection (AIP) is a cloud-based solution that
helps organizations classify and optionally protect documents and emails by
applying labels.
● You can purchase AIP either as a standalone solution, or through one of the
following Microsoft licensing suites: Enterprise Mobility + Security, or Microsoft
365 Enterprise.
● Labels can be applied automatically based on rules and conditions. Labels can
also be applied manually.
● The following screen capture is an example of AIP in action on a user's
computer. In this example, the administrator has configured a label with rules that
detect sensitive data. When a user saves a Microsoft Word document containing
a credit card number, a custom tooltip is displayed. The tooltip recommends
labeling the file as Confidential \ All Employees. This label is configured by the
administrator. Using this label classifies the document and protects it.

After your content is classified, you can track and control how the content is used. For
example, you can:

● Analyze data flows to gain insight into your business
● Detect risky behaviors and take corrective measures
● Track access to documents
● Prevent data leakage or misuse of confidential information
Azure Advanced Threat Protection
● Azure Advanced Threat Protection (Azure ATP) is a cloud-based security
solution that identifies, detects, and helps you investigate advanced threats,
compromised identities, and malicious insider actions directed at your
organization.
● Azure ATP is capable of detecting known malicious attacks and techniques,
security issues, and risks against your network.

Azure ATP components

Azure ATP portal

● Azure ATP has its own portal, through which you can monitor and respond to
suspicious activity.
● The Azure ATP portal allows you to create your Azure ATP instance, and view
the data received from Azure ATP sensors.
● You can also use the portal to monitor, manage, and investigate threats in your
network environment.
● You can sign in to the Azure ATP portal at https://portal.atp.azure.com .
● Your user accounts must be assigned to an Azure AD security group that has
access to the Azure ATP portal to be able to sign in.

Azure ATP sensor

● Azure ATP sensors are installed directly on your domain controllers.
● The sensor monitors domain controller traffic without requiring a dedicated server
or configuring port mirroring.

Azure ATP cloud service

● Azure ATP cloud service runs on Azure infrastructure and is currently deployed
in the United States, Europe, and Asia. Azure ATP cloud service is connected to
Microsoft's intelligent security graph.

Purchasing Azure Advanced Threat Protection

● Azure ATP is available as part of the Enterprise Mobility + Security E5 suite
(EMS E5) and as a standalone license.
● You can acquire a license directly from the Enterprise Mobility + Security Pricing
Options page or through the Cloud Solution Provider (CSP) licensing model.
● It is not available to purchase via the Azure portal.
Understand Security Considerations for Application Lifecycle Management Solutions
● The Microsoft Security Development Lifecycle (SDL) introduces security and
privacy considerations throughout all phases of the development process.

Provide training

● Effective training will complement and reinforce security policies, SDL practices,
standards, and requirements of software security

Define security requirements

● The optimal time to define the security requirements is during the initial design
and planning stages.

Factors that influence security requirements include, but are not limited to:

● Legal and industry requirements
● Internal standards and coding practices
● Review of previous incidents
● Known threats

Define metrics and compliance reporting

● Setting a meaningful security bar involves clearly defining the severity thresholds
of security vulnerabilities, and helps to establish a plan of action when
vulnerabilities are encountered.
● To track key performance indicators (KPIs) and ensure security tasks are
completed, the bug tracking and/or work tracking mechanisms used by an
organization should let security defects be clearly labeled as security and
marked with their severity.

Perform threat modeling


● Threat modeling should be used in environments where there is a meaningful
security risk.
● Applying a structured approach to threat scenarios helps a team more effectively
and less expensively identify security vulnerabilities, determine risks from those
threats, and then make security feature selections and establish appropriate
mitigations.
● You can apply threat modeling at the component, application, or system level.

Establish design requirements

● The SDL is typically thought of as assurance activities that help engineers
implement more secure features, meaning the features are well engineered for
security.
● To achieve this assurance, engineers typically rely on security features such as
cryptography, authentication, and logging.

Define and use cryptography standards

● With the rise of mobile and cloud computing, it's important to ensure all data -
including security-sensitive information and management and control data - are
protected from unintended disclosure or alteration when it's being transmitted or
stored.
● A good general rule is to only use industry-vetted encryption libraries and ensure
they're implemented in a way that allows them to be easily replaced if needed.

Manage security risks from using third-party components

● The vast majority of software projects today are built using third-party
components.
● Having an accurate inventory of these components, and a plan to respond when
new vulnerabilities are discovered, will go a long way toward mitigating risks.
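An inventory is only useful if it can be checked mechanically whenever an advisory arrives. The script below is an added example, not part of the SDL material above or of any Microsoft tooling: it parses a constructed pinned requirements file into an inventory and matches it against a constructed advisory list, refusing unpinned entries because they make the inventory ambiguous. All package names, versions and advisory identifiers are placeholders invented for the example, and the version comparison handles only plain numeric dotted versions.

```python
"""Dependency inventory check against an advisory list.

Added example, not part of these notes or of Microsoft's SDL tooling. It turns a pinned
requirements file into an inventory of (package, version) and reports every advisory whose
package is pinned below the fixed version. Package names, versions and advisory identifiers
are placeholders constructed for the example; version comparison handles plain numeric
dotted versions only, which is a simplification.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    advisory_id: str     # placeholder identifier, not a real CVE
    package: str
    fixed_in: str        # first version that contains the fix
    severity: str        # critical | high | moderate | low

SEVERITY_ORDER = {"critical": 0, "high": 1, "moderate": 2, "low": 3}

# Constructed lockfile: every dependency pinned, as a reproducible build should have.
LOCKFILE = """\
# requirements.txt (constructed sample)
parsekit==5.3.1
httpclient==2.25.1
cryptokit==3.4.8
webframe==2.0.1 ; python_version >= "3.6"
"""

# Constructed advisory feed (placeholder packages and identifiers).
ADVISORIES = [
    Advisory("ADV-0001", "parsekit", "5.4", "high"),
    Advisory("ADV-0002", "httpclient", "2.26.0", "moderate"),
    Advisory("ADV-0003", "webframe", "1.0", "low"),       # already fixed in the pinned version
    Advisory("ADV-0004", "imagetool", "9.9", "critical"),  # not in the inventory at all
]

def parse_version(version):
    return tuple(int(part) for part in version.split("."))

def parse_lockfile(text):
    """Return {normalised_name: version}; refuses unpinned lines because they make the
    inventory ambiguous (which version is actually running?)."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments and markers
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency, inventory would be ambiguous: {line}")
        name, version = (part.strip() for part in line.split("==", 1))
        inventory[name.lower().replace("_", "-")] = version
    return inventory

def find_vulnerable(inventory, advisories):
    """Return [(advisory, pinned_version)] for packages pinned below the fix, most severe first."""
    hits = []
    for adv in advisories:
        pinned = inventory.get(adv.package.lower())
        if pinned is not None and parse_version(pinned) < parse_version(adv.fixed_in):
            hits.append((adv, pinned))
    return sorted(hits, key=lambda hit: SEVERITY_ORDER[hit[0].severity])

if __name__ == "__main__":
    for adv, pinned in find_vulnerable(parse_lockfile(LOCKFILE), ADVISORIES):
        print(f"{adv.severity:<8} {adv.advisory_id} {adv.package}=={pinned} (fixed in {adv.fixed_in})")
```

In a real pipeline the advisory list would come from a vulnerability feed and the lockfile from the build, but the shape of the check is the same: an exact inventory on one side, "fixed in" thresholds on the other, and a build that fails on any hit.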

Use approved tools

● Define and publish a list of approved tools and their associated security checks,
such as compiler/linker options and warnings.
Perform Static Analysis Security Testing

● Analyzing source code prior to compilation provides a highly scalable method of
security code review, and helps ensure that secure coding policies are being
followed.
● Static Analysis Security Testing (SAST) is typically integrated into the commit
pipeline to identify vulnerabilities each time the software is built or packaged.

Perform Dynamic Analysis Security Testing

● Performing run-time verification of your fully compiled or packaged software
checks functionality that is only apparent when all components are integrated
and running.
● This verification is typically achieved using a tool, a suite of pre-built attacks, or
tools that specifically monitor application behavior for memory corruption, user
privilege issues, and other critical security problems.

Perform penetration testing

● Penetration testing is a security analysis of a software system that is performed
by skilled security professionals who simulate the actions of a hacker.
● Its goal is to uncover potential vulnerabilities resulting from coding errors, system
configuration faults, or other operational deployment weaknesses.

Establish a standard incident response process

Create a Product Security Incident Response Team (PSIRT) that owns triage and security servicing.

Your incident response plan should:

● Include who to contact if a security emergency occurs
● Establish the protocol for security servicing (including plans for code
inherited from other groups within the organization and for third-party code)
● Be tested before it is needed
Define IT compliance with Azure Policy
● Azure Policy is an Azure service you use to create, assign and manage policies
that enforce rules and effects over your resources, so that those resources stay
compliant with your corporate standards and service level agreements.
● For example, you might have a policy that allows virtual machines of only a
certain size in your environment. After this policy is implemented, new and
existing resources are evaluated for compliance. With the right type of policy,
existing resources can be brought into compliance.
● We want to control costs, so the administrator of our Azure tenant defines a
policy that prohibits the creation of any VM with more than 4 CPUs.
● Once the policy is implemented, Azure Policy will stop anyone from creating a
new VM outside the list of allowed stock keeping units (SKUs).

How are Azure Policy and RBAC different?

● RBAC focuses on user actions at different scopes.
○ You might be added to the contributor role for a resource group, allowing
you to make changes to anything in that resource group.
● Azure Policy focuses on resource properties during deployment and for already-
existing resources.
○ Azure Policy controls properties such as the types or locations of
resources.
● Unlike RBAC, Azure Policy is a default-allow-and-explicit-deny system.

Creating a policy

1. Create a policy definition
2. Assign a definition to a scope of resources
3. View policy evaluation results

Policy definition

● A policy definition expresses what to evaluate and what action to take. For
example,
○ you could ensure all public websites are secured with HTTPS,
○ prevent a particular storage type from being created,
○ force a specific version of SQL Server to be used.

Here are some of the most common built-in policy definitions you can apply.

● Allowed Storage Account SKUs: a set of conditions/rules that determine whether a
storage account being deployed is within a set of SKU sizes. Its effect is to deny all
storage accounts that do not adhere to the defined set of SKU sizes.
● Allowed Resource Type: a set of conditions/rules that specify the resource types
your organization can deploy. Its effect is to deny all resources that are not part of
this defined list.
● Allowed Locations: restricts the locations your organization can specify when
deploying resources. Its effect is used to enforce your geographic compliance
requirements.
● Allowed Virtual Machine SKUs: specifies a set of VM SKUs that your organization
can deploy.
● Not allowed resource types: prevents a list of resource types from being deployed.

Applying Azure policy

To apply a policy, we can use the Azure portal, or one of the command-line tools such
as Azure PowerShell; the Microsoft.PolicyInsights resource provider must be registered
in the subscription before compliance data can be queried.

Identifying non-compliant resources

We can use the applied policy definition to identify resources that aren't compliant with
the policy assignment through the Azure portal
Assign a definition to a scope of resources

● A policy assignment is a policy definition that has been assigned to take place
within a specific scope.
● This scope could range from a full subscription down to a resource group.

Policy effects

● Deny: the resource creation/update fails due to policy.
● Disabled: the policy rule is ignored (disabled). Often used for testing.
● Append: adds additional parameters/fields to the requested resource during creation
or update. A common example is adding tags such as Cost Center, or specifying
allowed IPs for a storage resource.
● Audit, AuditIfNotExists: creates a warning event in the activity log when evaluating a
non-compliant resource, but doesn't stop the request.
● DeployIfNotExists: executes a template deployment when a specific condition is
met. For example, when a database is created without transparent data encryption
enabled, a template can be run after creation to enable it.
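To make the "default allow, explicit deny" behaviour and the effects above concrete, here is a small evaluator, added for these notes and not the Azure Policy engine, that applies policy definitions written in the real JSON shape ("if" condition, "then" effect) to a constructed resource request and returns the decision, the resource after any Append, and the audit events. The alias resolution, the sample assignment names, the SKU list and the request contents are assumptions of the example.

```python
"""Toy evaluator for Azure Policy definitions.

Added example; it is not the Azure Policy engine. It models the documented shape of a policy
rule, {"if": <condition>, "then": {"effect": ...}}, the condition operators equals, notEquals,
in, notIn and exists, the logical allOf/anyOf/not, and the effects deny, audit, append and
disabled. Alias resolution is simplified (an assumption of this model): "type", "location",
"name" and "tags['key']" are read from the resource, and any other alias, such as
"Microsoft.Compute/virtualMachines/sku.name", is read as a dotted path under
resource["properties"] after the resource-type prefix is removed.
"""
import copy

def _norm(value):
    # Azure Policy string comparisons are case-insensitive
    return value.lower() if isinstance(value, str) else value

def resolve_field(resource, field):
    """Read a policy field/alias from a resource dict; None means 'does not exist'."""
    if field in ("type", "location", "name"):
        return resource.get(field)
    if field.startswith("tags["):                         # tags['Department']
        return resource.get("tags", {}).get(field[5:-1].strip("'\""))
    prefix = resource.get("type", "") + "/"
    path = field[len(prefix):] if field.startswith(prefix) else field
    value = resource.get("properties", {})
    for part in path.split("."):
        value = value.get(part) if isinstance(value, dict) else None
    return value

def matches(condition, resource):
    """Evaluate an 'if' block; an unknown operator raises instead of silently passing."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = _norm(resolve_field(resource, condition["field"]))
    if "equals" in condition:    return value == _norm(condition["equals"])
    if "notEquals" in condition: return value != _norm(condition["notEquals"])
    if "in" in condition:        return value in [_norm(v) for v in condition["in"]]
    if "notIn" in condition:     return value not in [_norm(v) for v in condition["notIn"]]
    if "exists" in condition:    return (value is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError(f"unsupported operator in {condition}")

def evaluate(assignments, request):
    """Run every assignment against a create/update request.

    Returns (allowed, resource_after_append, audit_events). Policy is default-allow: a request
    that matches no rule, or only audit rules, is allowed; only a matching deny blocks it.
    """
    resource, audits = copy.deepcopy(request), []
    for name, definition in assignments:
        rule = definition["policyRule"]
        effect = rule["then"]["effect"].lower()
        if effect == "disabled" or not matches(rule["if"], resource):
            continue
        if effect == "deny":
            return False, resource, audits + [f"{name}: denied"]
        if effect == "audit":
            audits.append(f"{name}: non-compliant, request allowed")
        elif effect == "append":
            for detail in rule["then"]["details"]:          # only tag fields are modelled here
                resource.setdefault("tags", {})[detail["field"][5:-1].strip("'\"")] = detail["value"]
        else:
            raise ValueError(f"effect '{effect}' is not modelled")
    return True, resource, audits

# Constructed policy definitions in the real JSON shape (only the policyRule part is shown).
ALLOWED_LOCATIONS = {"policyRule": {
    "if": {"field": "location", "notIn": ["eastus", "westeurope"]},
    "then": {"effect": "deny"}}}
ALLOWED_VM_SKUS = {"policyRule": {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"field": "Microsoft.Compute/virtualMachines/sku.name",
         "notIn": ["Standard_B2s", "Standard_D2s_v3"]}]},
    "then": {"effect": "deny"}}}
REQUIRE_DEPARTMENT_TAG = {"policyRule": {
    "if": {"field": "tags['Department']", "exists": "false"},
    "then": {"effect": "audit"}}}
APPEND_COST_CENTER = {"policyRule": {
    "if": {"field": "tags['CostCenter']", "exists": "false"},
    "then": {"effect": "append",
             "details": [{"field": "tags['CostCenter']", "value": "CC-1001"}]}}}

ASSIGNMENTS = [("allowed-locations", ALLOWED_LOCATIONS), ("allowed-vm-skus", ALLOWED_VM_SKUS),
               ("require-department-tag", REQUIRE_DEPARTMENT_TAG),
               ("append-cost-center", APPEND_COST_CENTER)]

def vm_request(location="eastus", sku="Standard_B2s", tags=None):
    """Constructed VM create request in the shape the evaluator expects."""
    return {"type": "Microsoft.Compute/virtualMachines", "name": "vm-web-01",
            "location": location, "tags": dict(tags or {}),
            "properties": {"sku": {"name": sku}}}
```

Running evaluate(ASSIGNMENTS, vm_request()) allows the request, appends the CostCenter tag and records one audit event for the missing Department tag; changing the location to a region outside the list, or the SKU to one outside the list, produces a deny. A storage account request never trips the VM SKU rule because the allOf fails on the type check first, which is why the type condition belongs in every alias-based rule.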

View policy evaluation results

● The easiest approach is in the portal as it provides a nice graphical overview that
you can explore.
● spot resources that are not compliant and take action to correct them.

Removing a policy definition

Finally, you can delete a policy assignment or definition through the portal, or with
the corresponding PowerShell cmdlets; removing the assignment stops enforcement
without deleting the definition.
Organize policy with initiatives
● An initiative definition is a set or group of policy definitions to help track your
compliance state for a larger goal.

Enterprise governance management


● Azure Management Groups are containers for managing access, policies, and
compliance across multiple Azure subscriptions.
● Management groups allow you to order your Azure resources hierarchically into
collections, which provide a further level of classification that is above the level of
subscriptions.
● All subscriptions within a management group automatically inherit the conditions
applied to the management group.
Define standard resources with Azure Blueprints
● To help you with auditing, traceability, and compliance of your deployments, use
Azure Blueprint artifacts and tools.
● Azure Blueprints enables cloud architects and central information technology
groups to define a repeatable set of Azure resources that implements and
adheres to an organization's standards, patterns, and requirements.
● Azure Blueprints makes it possible for development teams to rapidly build and
deploy new environments with the trust they're building within organizational
compliance using a set of built-in components, such as networking, to speed up
development and delivery.

Azure Blueprints is a declarative way to orchestrate the deployment of various resource
templates and other artifacts, such as:

● Role assignments
● Policy assignments
● Azure Resource Manager templates
● Resource groups

The process of implementing Azure Blueprint consists of the following high-level steps:

1. Create an Azure Blueprint
2. Assign the blueprint
3. Track the blueprint assignments

How is it different from Resource Manager templates?

● The Azure Blueprints service is designed to help with environment setup.
● This setup often consists of a set of resource groups, policies, role assignments,
and Resource Manager template deployments.
● Nearly everything that you want to include for deployment in Blueprints can be
accomplished with a Resource Manager template. However, a Resource
Manager template is a document that doesn't exist natively in Azure.
○ Resource Manager templates are stored either locally or in source control.
● With Blueprints, the relationship between the blueprint definition (what should be
deployed) and the blueprint assignment (what was deployed) is preserved.
○ This connection supports improved tracking and auditing of deployments.
Blueprints can also upgrade several subscriptions at once that are
governed by the same blueprint.

How it's different from Azure Policy

● A blueprint is a package or container for composing focus-specific sets of
standards, patterns, and requirements related to the implementation of Azure
cloud services, security, and design that can be reused to maintain consistency
and compliance.
● A policy is a default-allow and explicit-deny system focused on resource
properties during deployment and for already existing resources. It supports
cloud governance by validating that resources within a subscription adhere to
requirements and standards.
Compliance Manager
Understand how the provider manages the underlying resources you are building on.

1. Microsoft Privacy Statement
a. explains what personal data Microsoft processes, how Microsoft
processes it, and for what purposes.
2. Microsoft Trust Center
a. provides support and resources for the legal and compliance community,
including the audit reports, guides and tools described below.
3. Service Trust Portal (STP)
a. Microsoft public site for publishing audit reports and other compliance-
related information relevant to Microsoft's cloud services
i. Access audit reports
ii. Access compliance guides
iii. Access trust documents
4. Compliance Manager
a. Compliance Manager is a workflow-based risk assessment dashboard that
enables you to track, assign, and verify your organization's regulatory
compliance activities related Microsoft cloud services such as Office 365,
Dynamics 365, and Azure.
Monitor your service health
Azure provides two primary services to monitor the health of your apps and resources.

1. Azure Monitor
2. Azure Service Health

Azure Monitor

It helps you understand how your applications are performing and proactively identifies
issues affecting them and the resources they depend on.

Data sources

● Application monitoring data: data about the performance and functionality of the
code you have written, regardless of its platform.
● Guest OS monitoring data: data about the operating system on which your
application is running. This could be running in Azure, another cloud, or
on-premises.
● Azure resource monitoring data: data about the operation of an Azure resource.
● Azure subscription monitoring data: data about the operation and management of
an Azure subscription, as well as data about the health and operation of Azure
itself.
● Azure tenant monitoring data: data about the operation of tenant-level Azure
services, such as Azure Active Directory.

Diagnostic settings

Activity Logs record when resources are created or modified and Metrics tell you how
the resource is performing and the resources that it's consuming.

Under resource settings, you can enable Diagnostics

● Enable guest-level monitoring
● Performance counters: collect performance data
● Event Logs: enable various event logs
● Crash Dumps: enable or disable
● Sinks: send your diagnostic data to other services for more analysis
● Agent: configure agent settings

Getting more data from your apps

● Application Insights is a service that monitors the availability, performance, and
usage of your web applications, whether they're hosted in the cloud or on-
premises.
● Application Insights includes connection points to a variety of development tools,
and integrates with Microsoft Visual Studio to support your DevOps processes.
● Azure Monitor for containers is a service that is designed to monitor the
performance of container workloads deployed to Azure Kubernetes Service (AKS).
● Azure Monitor for VMs is a service that monitors your Azure VMs at scale.
● Integrating any, or all, of these monitoring services with Azure Service Health has
additional benefits.
● Azure Service Health also helps you to plan for scheduled maintenance.
Responding to alert conditions

● This might involve, for example, sending a text or email to an administrator who
is responsible for investigating an issue,
● Autoscale. Azure Monitor uses Autoscale to ensure that you have the right
amount of resources running to manage the load on your application effectively.
● Autoscale can also help reduce your Azure costs by removing resources that are
not being used.

Visualize monitoring data

Visualizations, such as charts and tables, are effective tools for summarizing monitoring
data

● Dashboards
● Views
● Power BI

Integrate with other services

You'll often need to integrate Azure Monitor with other systems, and build customized
solutions that use your monitoring data.

Azure Service Health

● It can notify you, help you understand the impact of issues, and keep you
updated as the issue is resolved.
● Azure Service Health can also help you prepare for planned maintenance and
changes that could affect the availability of your resources.

Azure Service Health is composed of the following views.

● Azure Status: a global view of the health state of Azure services.
○ With Azure Status, you can get up-to-the-minute information on service
availability.
○ Everyone has access to Azure Status and can view all services that report
their health state.
● Service Health: a personalized view of the health of the services and regions your
subscriptions use, including active incidents and planned maintenance.
● Resource Health: the health of your individual resources, which helps you tell a
platform problem from one caused by your own configuration.
Principles of resource groups

Resource groups
● A resource group is a logical container for resources deployed on Azure.
● All resources must be in a resource group and a resource can only be a member
of a single resource group.
● Many resources can be moved between resource groups with some services
having specific limitations or requirements to move.
● Resource groups can't be nested.
● Before any resource can be provisioned, you need a resource group for it to be
placed in.

Logical grouping

● By placing resources of similar
○ usage,
○ type, or
○ location
in the same resource group, you can provide some order and organization to the
resources you create in Azure.

Life cycle

● If you delete a resource group, all resources contained within are also deleted.
● Organizing resources by life cycle can be useful in non-production
environments, where you might try an experiment, but then dispose of it when
done.
● Resource groups make it easy to remove a set of resources at once.

Authorization

● Resource groups are also a scope for applying role-based access control
(RBAC) permissions.
Create a Resource Group
Resource groups can be created by using:

● Azure portal
● Azure PowerShell
● Azure CLI
● Templates
● Azure SDKs (like .NET, Java)

Use resource groups for organization


So how can you use resource groups to your advantage in your new organization?
There are some guidelines and best practices that can help with the organization.

Consistent naming convention

● Use an understandable naming convention, so that a resource group's name tells
you what it holds and which environment it belongs to.

Organizing principles

● You might put all resources that are core infrastructure into one resource group.
● You could also organize them strictly by resource type.
● You could organize them by environment (prod, qa, dev).
● You could organize them by department (marketing, finance, human resources).
● Or combine these strategies, for example organized by environment and then by
department.

Whichever strategy you use to organize resources, consider how it affects
authorization, resource life cycle, and billing.
Use tagging to organize resources

What are tags?


● Tags are name/value pairs of text data that you can apply to resources and
resource groups.
● department (like finance, marketing, and more)
● environment (prod, test, dev)
● cost center
● life cycle and automation (like shutdown and startup of virtual machines)
● A resource can have up to 50 tags.
○ The name is limited to 512 characters for all types of resources
○ except storage accounts, which have a limit of 128 characters.
○ The tag value is limited to 256 characters for all types of resources.
● Tags aren't inherited from parent resources.
● Not all resource types support tags, and
● tags can't be applied to classic resources.

Tags can be added and manipulated through the Azure portal, Azure CLI, Azure
PowerShell, Resource Manager templates, and through the REST API.

Example using Azure CLI

az resource tag --tags Department=Finance \
    --resource-group msftlearn-core-infrastructure-rg \
    --name msftlearn-vnet1 \
    --resource-type "Microsoft.Network/virtualNetworks"

Note that az resource tag replaces the resource's whole tag set with the tags you pass;
to add a tag while keeping the existing ones, pass --is-incremental (or read the current
tags first and re-apply them together with the new one).

● You can use Azure Policy to automatically add or enforce tags for resources

Use tags for organization


● You can use tags to group your billing data.
● You can also use tags to categorize costs by runtime environment,
● When exporting billing data or accessing it through billing APIs, tags are
included in that data and can be used to further slice your data from a cost
perspective.
● Tagging resources can also help in monitoring to track down impacted
resources.
● It's also common for tags to be used in automation. If you want to automate the
shutdown and startup of virtual machines in development…
Use policies to enforce standards
Take a look at how policies can help you enforce standards in your Azure environment.

Azure Policy
● Azure Policy is a service you can use to
○ create,
○ assign, and
○ manage policies.
● You can also enforce that specific tags are applied to resources. You'll take a
look at how policies work.

Create a policy
● Policies can be created and assigned through the
○ Azure portal,
○ Azure PowerShell, or
○ Azure CLI.

Create a policy assignment

● You've created the policy, but you haven't actually put it into effect yet.
● To enable the policy, you need to create an assignment.
○ Ex: you'll assign it to the scope of our msftlearn-core-infrastructure-rg
resource group, so that it applies to anything inside the resource group.

Use policies to enforce standards


● You could use policy to restrict which types of virtual machine sizes can be
deployed.
● You could also use policy to enforce naming conventions.
Secure resources with role-based access control

Policy controls what can be deployed, but a second issue remains: how do we protect
those resources once they are deployed? The answer is Role-Based Access Control (RBAC).

● you can grant users the specific rights they need to perform their jobs.
● RBAC is considered a core service and is included with all subscription levels at
no cost.

Using RBAC, you can:

● Allow one user to manage VMs in a subscription, and another user to
manage virtual networks.
● Allow a database administrator (DBA) group to manage SQL databases in a
subscription.
● Allow a user to manage all resources in a resource group, such as VMs,
websites, and virtual subnets.
● Allow an application to access all resources in a resource group.

How RBAC defines access

● RBAC uses an allow model for access.
● When you are assigned to a role, RBAC allows you to perform specific actions,
such as read, write, or delete.

Best Practices for RBAC

● Grant users only the amount of access that they need to perform their jobs.
● Grant users the lowest privilege level that lets them do their work.
● Use Resource Locks to ensure critical resources aren't modified or deleted.
Use resource locks to protect resources

What are resource locks?

● Resource locks are a setting that can be applied to any resource to block
modification or deletion.
● Resource locks can be set to either Delete or Read-only.
○ Delete will allow all operations against the resource but block the ability to
delete it.
○ Read-only will only allow read activities to be performed against it.
● Resource locks can be applied to subscriptions, resource groups, and individual
resources, and are inherited when applied at higher levels.
Factors affecting costs

Resource type

Costs are resource-specific, so the usage that a meter tracks and the number of meters
associated with a resource depend on the resource type.

Services

● Azure usage rates and billing periods can differ between
○ Enterprise,
○ Web Direct, and
○ Cloud Solution Provider (CSP) customers.
● Some subscription types also include usage allowances, which affect costs.
● The Azure team develops and offers first-party products and services, while
products and services from third-party vendors are available in the Azure
Marketplace.
○ Different billing structures apply to each of these categories.

Location

● Usage costs vary between locations that offer particular
○ Azure products,
○ services, and
○ resources based on popularity, demand, and local infrastructure costs.

Azure billing zones

● Most of the time inbound data transfers (data going into Azure datacenters)
are free.
● For outbound data transfers (data going out of Azure datacenters), the data
transfer pricing is based on Billing Zones.
● In most zones, the first outbound 5GB per month are free.
Note

● Billing zones aren't the same as an Availability Zone.
● In Azure, the term zone is for billing purposes only, and the full term
Availability Zone refers to the failure protection that Azure provides for
datacenters.
Estimate costs with the Azure pricing calculator

Azure pricing calculator

● The Azure pricing calculator is a free web-based tool that allows you to input
Azure services and modify properties and options of the services.
● It outputs the costs per service and total cost for the full estimate.

The options that you can configure in the pricing calculator vary between products, but
basic configuration options include:

● Region: Lists the regions from which you can provision a product. Southeast Asia,
central Canada, the western United States, and northern Europe are among the
possible regions available for some resources.
● Tier: Sets the type of tier you wish to allocate to a selected resource, such as
Free Tier, Basic Tier, etc.
● Billing Options: Highlights the billing options available to different types of
customers and subscriptions for a chosen product.
● Support Options: Allows you to pick from included or paid support pricing options
for a selected product.
● Programs and Offers: Allows you to choose from available price offerings according
to your customer or subscription type.
● Azure Dev/Test Pricing: Lists the available development and test prices for a
product. Dev/Test pricing applies only when you run resources within an Azure
subscription that is based on a Dev/Test offer.
Predict and optimize with Cost Management and Azure Advisor

Azure Advisor
● Azure Advisor is a free service built into Azure that provides recommendations
on high availability, security, performance, operational excellence, and cost.

Advisor makes cost recommendations

1. Reduce costs by eliminating unprovisioned Azure ExpressRoute circuits.
2. Buy reserved instances to save money over pay-as-you-go.
3. Right-size or shut down underutilized virtual machines.

Azure Cost Management

● Azure Cost Management is another free service.
● You can see historical breakdowns of what services you are spending your
money on and how it is tracking against budgets that you have set.
● You can set budgets, schedule reports, and analyze your cost areas.
Estimate the Total Cost of Ownership with the Azure TCO calculator
● The pricing calculator and cost management advisor can help you predict
and analyze your spend for new or existing services.
● If you are starting to migrate to the cloud, a useful tool you can use to predict
your cost savings is the Total Cost of Ownership (TCO) calculator.

Save on infrastructure costs

We have seen how to create cost estimates for environments you'd like to build, walked
through some tools to get details on where we're spending money, and projected future
expenses. Our next challenge is to look at how to reduce those infrastructure costs.

Use Azure credits

● The monthly Azure credit for Visual Studio subscribers is for development and
testing only and does not carry a financially-backed SLA.
● Azure will suspend any instance (VM or cloud service) that runs continuously for
more than 120 hours or if it's determined that the instance is being used for
production.
● This benefit is made available to Visual Studio subscribers on a best-efforts
basis; there is no guarantee of capacity availability.

Use spending limits

● By default, Azure subscriptions that have associated monthly credits (which
includes trial accounts) have a spending limit to ensure you aren't charged once
you have used up your credits.
● This feature is useful for development teams exploring new solution architectures
as it ensures you won't have an unexpectedly large bill at the end of the month.

Note
● Azure provides the spending limits feature to help prevent you from exhausting
the credit on your account within each billing period.
● When your Azure usage results in charges that use all the included monthly
credit, the services that you deployed are disabled and turned off for the rest of
that billing period. Once a new billing period starts, assuming there are credits
available, the resources are reactivated and deployed.
● You are notified by email when you hit the spending limit for your subscription. In
addition, the Azure portal includes notifications about your credit spend. You can
adjust the spending limit as desired or turn it off completely.

Important

The spending limit feature is specific to subscriptions that include a monthly Azure credit
allotment. It is not available on pay-only subscriptions.

Use reserved instances

● If you have virtual machine workloads that are static and predictable, using
reserved instances is a fantastic way to potentially save up to 70 to 80 percent off
the pay-as-you-go cost.
● You commit to reserved instances in one-year or three-year terms.
● Payment can be made in full for the entire commitment period, or the
commitment can be billed monthly.

Choose low-cost locations and regions

● The cost of Azure products, services, and resources can vary across locations
and regions, and if possible, you should use them in those locations and regions
where they cost less.

Right-size underutilized virtual machines

● Right-sizing a virtual machine is the process of resizing it to a proper size.
○ The illustration in the original notes shows a 50 percent savings achieved by
moving one size down within the same series.

Deallocate virtual machines in off hours

Delete unused virtual machines

Migrate to PaaS or SaaS services

Save on licensing costs

Linux vs. Windows

● The cost of the product can be different based on the OS you choose.

Azure Hybrid Benefit for Windows Server

● Many customers have invested in Windows Server licenses and would like to
repurpose this investment on Azure.
● The Azure Hybrid Benefit gives customers the right to use these licenses for
virtual machines on Azure.

Azure Hybrid Benefit for SQL Server

● Azure Hybrid Benefit for SQL Server is an Azure-based benefit that enables you
to use your SQL Server licenses with active Software Assurance to pay a
reduced rate.
● You can use this benefit even if the Azure resource is active, but the reduced
rate will only be applied from the time you select it in the portal.

Azure SQL Database vCore-based options

For Azure SQL Database, the Azure Hybrid Benefit works as follows:

● If you have Standard Edition per-core licenses with active Software Assurance,
you can get one vCore in the General Purpose service tier for every one license
core you own on-premises.

Use Dev/Test subscription offers

● The Enterprise Dev/Test and Pay-As-You-Go (PAYG) Dev/Test offers are a
benefit you can take advantage of to save costs on your non-production
environments.
● This benefit also requires that any users of these environments (excluding
testers) be covered under a Visual Studio subscription.

Bring your own SQL Server license

● If you are a customer on an Enterprise Agreement and already have an
investment in SQL Server licenses, and they have freed up as part of moving
resources to Azure, you can provision bring your own license (BYOL) images off
the Azure Marketplace, giving you the ability to take advantage of these unused
licenses and reduce your Azure VM cost.
● An Enterprise Agreement subscription is required to use these certified BYOL
images.

Use SQL Server Developer Edition

● Many people are unaware that SQL Server Developer Edition is a free product
for nonproduction use.

Use constrained instance sizes for database workloads

● Many customers have high requirements for memory, storage, or I/O bandwidth,
but they also often have low requirements for CPU core counts.
● Based on this popular request, Microsoft has made available the most popular
VM sizes (DS, ES, GS, and MS) in new sizes that constrain the vCPU count to
one half or one quarter of the original VM size, while maintaining the same
memory, storage, and I/O bandwidth.
