2. Andrew Brown's 3-hour video (broken into individual videos for every topic)
3. My collection of Microsoft documentation links
Availability Options
An Azure geography is a discrete market, typically containing one or more regions, that preserves data residency and compliance boundaries.
An Azure region is a set of datacenters, deployed close by and connected through a dedicated regional low-latency network. Each Azure region is paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away; together the two make a region pair.
Examples of geographies and corresponding regions:

| Geography | Regions (location of datacenters) |
|---|---|
| India | Central India (Pune), South India (Chennai), West India (Mumbai) |
| Europe | North Europe (Ireland), West Europe (Netherlands) |
| UK | UK South (London), UK West (Cardiff) |
Azure Availability Zones are unique physical locations (different datacenter buildings) within an Azure region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking.
Service types:
- Foundational – Available in all recommended and alternate regions when the region.
- Mainstream – Available in all recommended regions, demand-driven in alternate regions.
- Specialized – Targeted service offerings, often industry-focused or backed by customized/specialized hardware. Demand-driven availability across regions.
Availability sets
Availability sets are a way for you to ensure your application remains online if a high-impact maintenance event is required, or if a hardware failure occurs.
Availability sets are made up of Update domains (UD) and Fault domains (FD).
- Update domains. When a maintenance event occurs (such as a performance update or critical security patch applied to the host), the update is sequenced through update domains.
Sequencing updates this way ensures that the entire datacenter isn't unavailable during platform updates and patching.
Update domains are a logical section of the datacenter, implemented in software and logic.
When an update starts, it proceeds one domain at a time, U0 -> U1 -> U2 -> ... -> Un; while one update domain is being updated, the others keep working normally.
- Fault domains. Fault domains provide for the physical separation of your workload across different hardware in the datacenter.
Virtual machines in the same fault domain share a common power source and physical network switch.
In the event the hardware that supports a server rack becomes unavailable, only that rack of servers would be affected by the outage.
There can be at most 3 fault domains and at most 20 update domains.
Azure Management Tools
Azure CLI – Cross-platform command line tool. On macOS: brew update && brew install azure-cli
Azure PowerShell – Can be installed on Windows PowerShell or PowerShell Core (the cross-platform version of PowerShell, which can be installed on Linux and macOS)
Azure REST API
Azure Policy is a tool to create, manage, and assign policies that control and enforce the properties of resources.
Imagine we allow anyone in our organization to create virtual machines (VMs) with no more than 4 CPUs.
Once such a policy is assigned, Azure Policy will
1. stop anyone from creating a new VM outside the list of allowed stock-keeping units (SKUs);
2. check any update to an existing VM against the policy;
3. audit all the existing VMs in our organization to ensure the policy is enforced. Azure Policy can audit non-compliant resources, alter resource properties, or stop a resource from being created.
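To make the allowed-SKU scenario above concrete, here is a small evaluator (an added example, not Azure's engine or any code from the original notes) that walks the same `if`/`then` rule shape Azure Policy uses for its built-in "Allowed virtual machine size SKUs" definition; the policy JSON, the parameter list and the sample resources are constructed for the example.

```python
"""Toy evaluator for the rule shape used by Azure Policy's built-in
"Allowed virtual machine size SKUs" definition (added example, not Azure's engine)."""
import json

# Constructed policy definition mirroring the built-in allowed-SKU rule.
POLICY = json.loads("""{
  "parameters": {"listOfAllowedSKUs": {"type": "Array"}},
  "policyRule": {
    "if": {"allOf": [
      {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
      {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
               "in": "[parameters('listOfAllowedSKUs')]"}}]},
    "then": {"effect": "deny"}}}""")

# The assignment supplies parameter values: here, sample SKUs with at most 4 vCPUs.
ASSIGNMENT_PARAMS = {"listOfAllowedSKUs": ["Standard_B2s", "Standard_D2s_v3", "Standard_D4s_v3"]}

def resolve(value, params):
    """Expand a "[parameters('x')]" reference; any other value passes through."""
    if isinstance(value, str) and value.startswith("[parameters('"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def matches(cond, resource, params):
    """Recursively evaluate a policy condition (allOf / not / equals / in)."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = resource.get(cond["field"])      # missing field -> None
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, params, resource):
    """Return the rule's effect ('deny') when its 'if' block matches, else 'allow'."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if matches(rule["if"], resource, params) else "allow"

# Constructed resources: a VM inside the allowed list, one outside it, and a
# non-VM resource the rule does not apply to.
SMALL_VM = {"type": "Microsoft.Compute/virtualMachines",
            "Microsoft.Compute/virtualMachines/sku.name": "Standard_D2s_v3"}
BIG_VM = {"type": "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachines/sku.name": "Standard_D16s_v3"}
STORAGE = {"type": "Microsoft.Storage/storageAccounts"}
```

Calling `evaluate(POLICY, ASSIGNMENT_PARAMS, BIG_VM)` returns `"deny"`, while the small VM and the storage account come back `"allow"`.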
Initiatives: An initiative definition is a set or group of policy definitions to help track your compliance state for a larger goal.
Azure RBAC
Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
Key points:
- Security Principal
- Role Definition
- Scope (Management Groups, Subscriptions, Resource Groups)
- Role Assignments/Deny Assignments
Azure Blueprints
Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:
- Role Assignments
- Policy Assignments
- Azure Resource Manager templates (ARM templates)
- Resource Groups
Resource Locks/Management Locks
Delete (CanNotDelete): Users can read/update the resource but can't delete it.
Read Only: Users can read the resource but can't update or delete it.
You need the Owner or User Access Administrator role to create or delete these locks.
Locks are inherited: a lock set on a resource group applies to all the resources in that group.
Azure Network Security Group (NSG)
Once inside a virtual network (VNet), it's crucial that you limit communication between resources to only what is required.
For communication between virtual machines, Network Security Groups (NSGs) are the key piece for restricting unnecessary traffic.
Network Security Groups allow you to filter network traffic to and from Azure resources in an Azure virtual network. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.
They provide a list of allowed and denied communication to and from network interfaces and subnets, and are fully customizable.
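The following added example (not code from the original notes or from Microsoft) models how an NSG picks the rule that applies to an inbound packet: rules are tried in ascending priority, the first match decides, and the platform's default rules (priority 65000 and up) are tried last. The rule set, addresses and ports are constructed, and the VirtualNetwork service tag is approximated by a CIDR prefix.

```python
"""Toy model of NSG rule evaluation (added example, not Microsoft's code):
rules are tried in ascending priority, the first match decides, and the
platform's default rules (priority 65000 and up) are tried last."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    priority: int     # lower number = evaluated earlier
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR prefix or "*"
    dest_port: str    # single port, "lo-hi" range or "*"

# Constructed inbound rule set: two custom rules plus the three default rules
# every NSG carries. The VirtualNetwork service tag is approximated by a CIDR.
INBOUND = [
    Rule("AllowHttpsFromLan", 100, "Allow", "Tcp", "10.0.0.0/16", "443"),
    Rule("DenySshFromInternet", 200, "Deny", "Tcp", "*", "22"),
    Rule("AllowVnetInBound", 65000, "Allow", "*", "10.0.0.0/8", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "168.63.129.16/32", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule: Rule, src_ip: str, port: int, proto: str) -> bool:
    src_ok = (rule.source == "*"
              or ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source))
    return rule.protocol in ("*", proto) and src_ok and port_matches(rule.dest_port, port)

def decide(rules, src_ip: str, port: int, proto: str = "Tcp"):
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, src_ip, port, proto):
            return rule.access, rule.name
    return "Deny", "implicit"   # not reached while DenyAllInBound is present

if __name__ == "__main__":
    # Note the third case: a source of "*" on the SSH deny rule also blocks
    # SSH from inside the VNet, because it outranks AllowVnetInBound.
    for src, port in (("10.0.1.5", 443), ("203.0.113.7", 22),
                      ("10.0.1.5", 22), ("203.0.113.7", 443)):
        print(src, port, decide(INBOUND, src, port))
```

The third case is the one worth remembering: a rule whose source is `*` matches VNet traffic too, so a broad deny at priority 200 wins over the default AllowVnetInBound rule at 65000.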
CIA Security Principle
Confidentiality: Least privilege principle
Integrity: prevent unauthorized changes
Availability: services always available to authorized users
Azure Advisor vs Azure Monitor
Advisor suggests best practices to optimize costs and improve reliability, operational excellence, security, and performance.
Monitor is a one-stop shop for searching and viewing logs and analysing metrics.
Service Health
A dashboard that reports the health of services in regions across the world, lists planned maintenance events, and gives a root-cause analysis (RCA) for any issues.
The health of individual resources can also be checked.
Service Trust Portal vs Trust Center vs Compliance Manager
STP: Where compliance managers/officers go to check Azure's audit reports.
Trust Center: Where one can read Microsoft's privacy policies, data collection policies, etc.
Security Center vs Sentinel
Azure Security Center covers the "Collect" and "Detect" roles, while Azure Sentinel, in addition to those two, is also designed to "Investigate" and "Respond".
ASC helps set up Azure and hybrid environments as securely as possible.
Sentinel has many connectors, so it can also ingest data from ASC and from third-party security tools. It is a tool for infosec professionals.
Azure DDoS protection, combined with application design best practices, provides defense against DDoS attacks.
Every property in Azure is protected by Azure's infrastructure DDoS (Basic) Protection. Azure DDoS protection Standard provides additional mitigation capabilities over the Basic service tier that are tuned specifically to Azure Virtual Network resources.
Network Resources
VNets can be connected to each other using VNet peering or VPN Gateways.
VPN Gateways can be used to connect on-premises resources to an Azure network, or to connect two different Azure networks. There is only one VPN Gateway per VNet, so one VPN Gateway can have multiple connections.
Load Balancer: Distributes traffic into, out of, and within a VNet. A public LB admits traffic coming from the internet; a private LB manages traffic between resources in the VNet.
Application Gateway distributes traffic for internet applications only.
Traffic Manager is DNS-based and routes each user to the endpoint closest to them.
Points to remember
- Tags are not inherited
- Permissions are inherited
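The RBAC, resource lock and inheritance notes above can be tied together in one small model. This is an added example, not Azure's authorization code; the scope hierarchy, principals, assignments, locks and tags are all constructed, and the role-to-action mapping is reduced to three actions.

```python
"""Toy model of scope inheritance in Azure (added example, not Azure's own
authorization code): role assignments, deny assignments and locks placed at a
scope flow down to every child scope; tags do not."""

# Constructed hierarchy, child -> parent: management group > subscription >
# resource group > resource.
SCOPES = {
    "/mg/contoso": None,
    "/sub/prod": "/mg/contoso",
    "/sub/prod/rg/web": "/sub/prod",
    "/sub/prod/rg/web/vm1": "/sub/prod/rg/web",
}
ROLE_ACTIONS = {"Owner": {"read", "write", "delete"},
                "Contributor": {"read", "write", "delete"}, "Reader": {"read"}}
ROLE_ASSIGNMENTS = [("carol", "Owner", "/mg/contoso"),
                    ("alice", "Contributor", "/sub/prod"),
                    ("bob", "Reader", "/sub/prod/rg/web")]
DENY_ASSIGNMENTS = [("alice", "/sub/prod/rg/web")]   # alice blocked under rg/web
LOCKS = {"/sub/prod/rg/web": "CanNotDelete"}
TAGS = {"/sub/prod/rg/web": {"env": "prod"}}

def ancestors(scope):
    """Yield the scope itself and then each parent up to the root."""
    while scope is not None:
        yield scope
        scope = SCOPES[scope]

def allowed(principal, action, scope):
    """RBAC check: a deny assignment anywhere up the chain beats any role."""
    chain = set(ancestors(scope))
    if any(p == principal and s in chain for p, s in DENY_ASSIGNMENTS):
        return False
    return any(p == principal and s in chain and action in ROLE_ACTIONS[role]
               for p, role, s in ROLE_ASSIGNMENTS)

def can_delete(principal, scope):
    """Deleting needs an RBAC grant and no CanNotDelete/ReadOnly lock up the
    chain; even an Owner is stopped by an inherited lock."""
    locked = any(LOCKS.get(s) in ("CanNotDelete", "ReadOnly") for s in ancestors(scope))
    return allowed(principal, "delete", scope) and not locked

def effective_tags(scope):
    """Tags apply only where they are set; nothing is inherited from parents."""
    return dict(TAGS.get(scope, {}))
```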