9. AZURE SOVEREIGN REGIONS
Other than the generic Azure regions that we have access to, there are a few separate regions that we do not have access to.
Primarily they are used by national governments such as the USA and China:
● Azure for US Government
● Azure China Government (independently operated and transacted by Shanghai Blue Cloud Technology Co., Ltd. ("21Vianet"))
10. FREE TIER - AZURE
Azure
● You get $200 credit to spend in the first 30 days after you sign up.
● You are able to use any Azure service without restriction, up to the $200 cap.
● Some popular services are free for 12 months.
● 25+ other services are always free.
● Only one free Azure account can be created for a single Microsoft license.
11. FREE TIER - AWS
AWS
● There are services which are free for 12 months, services which are always free, and services with free trials.
● [12 Months]
  ● EC2 750 hours, S3 5 GB, RDS 750 hours, API Gateway 1 Million
● [Always Free]
  ● DynamoDB 25 GB, Lambda 1 Million, SNS 1 Million, CloudFront 50 GB
● [Free Trial]
  ● SageMaker 2 Months, GuardDuty 2 Months, Inspector 90 Days
[Reference: https://aws.amazon.com/free/]
12. ACCOUNTS
Azure subscriptions are a grouping of resources with an assigned owner responsible for billing and permissions management.
Unlike AWS, where any resources created under an AWS account are tied to that account, Azure subscriptions exist independently of their owner accounts and can be reassigned to new owners as needed.
In Azure, subscriptions are assigned to three types of administrative accounts:
● Account Administrator – The subscription owner, with subscription billing access
● Service Administrator – Same as the Account Administrator, except without subscription billing access
● Co-Administrator – There can be up to 200 co-admins per subscription.
17. AZURE SUBSCRIPTIONS
You can create multiple subscriptions in your Azure Account.
You need to have a Microsoft Account in order to have a subscription.
Resources created in Azure need to be created under a given subscription.
This helps you create multiple billing accounts for multiple departments in your organization.
This is similar to AWS Organizations in AWS.
18. AZURE MANAGEMENT GROUPS
It is an administrative model for organizations that have many Azure subscriptions.
With this feature you can delegate permissions and deploy Azure Policy to lots of subscriptions at once. All subscriptions within a management group automatically inherit the conditions applied to the management group.
For example, you can apply a policy to a management group that limits the regions available for virtual machine (VM) creation. This policy would be applied to all management groups, subscriptions, and resources under that management group, allowing VMs to be created only in those regions.
19. AZURE RESOURCE GROUPS
A Resource Group is a logical grouping / a container of resources in an Azure solution.
Each resource can be in only one Resource Group.
You can add resources to, or delete resources from, any Resource Group at any time.
You can move a resource from one Resource Group to another at any given time.
Resources in multiple regions can be in one Resource Group.
You can give user-level access to Resource Groups.
The IAM permissions defined at the Resource Group level are inherited by the resources defined in that Resource Group.
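The inheritance described in slides 18 and 19 (policies flowing down from a management group, role assignments flowing down from a resource group) can be modelled as a walk up the scope chain. The following is an added example written for this page, not code from the slides or from Azure; the `Scope` class, the `allowed-regions:` policy string and the hierarchy names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical model of the Azure scope hierarchy described on the slides:
# management group -> subscription -> resource group -> resource.
# Policy assignments and role assignments made at a scope are inherited by
# every scope below it. Names and helpers are assumptions for this example;
# this is not an Azure API.

@dataclass
class Scope:
    name: str
    kind: str                       # "mg", "subscription", "rg" or "resource"
    parent: Optional["Scope"] = None
    policies: List[str] = field(default_factory=list)   # e.g. "allowed-regions:eastus,westus"
    role_assignments: Dict[str, str] = field(default_factory=dict)  # principal -> role

    def chain(self) -> List["Scope"]:
        """Scopes from the root management group down to this scope."""
        out, cur = [], self
        while cur is not None:
            out.append(cur)
            cur = cur.parent
        return list(reversed(out))

def effective_policies(scope: Scope) -> List[str]:
    """Every policy applied at this scope or at any ancestor (inheritance)."""
    result = []
    for s in scope.chain():
        result.extend(s.policies)
    return result

def effective_roles(scope: Scope, principal: str) -> List[str]:
    """Roles a principal holds at this scope, including inherited ones."""
    return [s.role_assignments[principal] for s in scope.chain()
            if principal in s.role_assignments]

def allowed_regions(scope: Scope) -> Optional[set]:
    """Intersect all inherited allowed-regions policies; None means unrestricted."""
    allowed = None
    for p in effective_policies(scope):
        if p.startswith("allowed-regions:"):
            regions = set(p.split(":", 1)[1].split(","))
            allowed = regions if allowed is None else allowed & regions
    return allowed

def can_create_vm(scope: Scope, region: str) -> bool:
    """Would a VM creation in `region` pass the inherited region policy?"""
    allowed = allowed_regions(scope)
    return allowed is None or region in allowed

def build_demo() -> Dict[str, Scope]:
    """Constructed hierarchy: a root MG, a production MG, one subscription, one RG, one VM."""
    root = Scope("Example-Root", "mg", policies=["allowed-regions:eastus,westus,northeurope"])
    prod = Scope("Prod-MG", "mg", root, policies=["allowed-regions:eastus,westus"])
    sub = Scope("prod-sub-01", "subscription", prod, role_assignments={"alice": "Owner"})
    rg = Scope("web-rg", "rg", sub, role_assignments={"bob": "Contributor"})
    vm = Scope("web-vm-1", "resource", rg)
    return {"root": root, "prod": prod, "sub": sub, "rg": rg, "vm": vm}

if __name__ == "__main__":
    d = build_demo()
    print(allowed_regions(d["vm"]))                # {'eastus', 'westus'}
    print(can_create_vm(d["vm"], "northeurope"))   # False: narrowed by Prod-MG
    print(effective_roles(d["vm"], "bob"))         # ['Contributor'] inherited from web-rg
```

The point to notice is that the more specific management group narrows the region list it inherited from the root, and that `bob`'s Contributor role, assigned at the Resource Group, is visible on the VM but not on the subscription above it.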
22. NETWORK SECURITY GROUP (NSG)
This is similar to “Security Groups” in AWS.
A Network Security Group can be attached to:
● A Virtual Network Interface of a Virtual Machine
● An entire Subnet – valid for all Virtual Machines within the Subnet
It consists of Inbound and Outbound security rules. By default, nothing is exposed inbound to the public Internet: inbound traffic is allowed only within the Virtual Private Network (between subnets) or from Azure Load Balancers.
23. APPLICATION SECURITY GROUP (ASG)
An Application Security Group (ASG) is another logical grouping that helps you group application layers (web tier, database tier, etc.), which can help you configure your Network Security Group (NSG) rules in a more organized way.
For example, you can have the web tier (multiple VM instances) as one Application Security Group and the database tier (multiple VM instances) as another Application Security Group.
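To make the two slides above concrete, here is an added example (not code from the slides, and not an Azure API) that models how an NSG evaluates an inbound packet: rules sorted by priority, first match wins, the default VNet/load-balancer allow and deny-all rules at the bottom, and rules written in terms of ASGs rather than addresses. The VNet range `10.0.0.0/16`, the ASG membership, the rule names and all addresses are constructed; the `Internet` tag is simplified to "anything outside the VNet".

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

# Simplified model of how an NSG decides on an inbound packet, with rules
# that reference ASGs instead of addresses. Semantics follow the slides:
# rules are evaluated in priority order, the first match wins, and the
# built-in default rules allow VNet and Azure Load Balancer traffic and deny
# everything else. The VNet range, ASG membership, rule names and addresses
# are constructed for this example; nothing here calls an Azure API.

VNET = ipaddress.ip_network("10.0.0.0/16")              # assumed VirtualNetwork range
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")  # Azure load balancer health-probe source

@dataclass
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "*", a service tag or an ASG name
    destination: str   # CIDR, "*", "VirtualNetwork" or an ASG name
    dest_ports: str    # "22", "80,443", "1024-65535" or "*"

# The default inbound rules every NSG carries (priorities 65000 and up).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]

def port_matches(spec: str, port: int) -> bool:
    """Does a port spec ('*', '22', '80,443', '1024-65535') cover `port`?"""
    if spec == "*":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False

def address_matches(spec: str, ip: str, asgs: Dict[str, Set[str]]) -> bool:
    """Match an address against a CIDR, a service tag, or an ASG (by NIC membership)."""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec in asgs:
        return ip in asgs[spec]
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":                 # simplified: anything outside the VNet
        return addr not in VNET
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE
    return addr in ipaddress.ip_network(spec, strict=False)

def evaluate(rules: List[Rule], asgs: Dict[str, Set[str]], src_ip: str,
             dst_ip: str, dst_port: int, protocol: str = "Tcp") -> Rule:
    """Return the first inbound rule (custom or default) that matches the packet."""
    inbound = sorted((r for r in rules + DEFAULT_INBOUND if r.direction == "Inbound"),
                     key=lambda r: r.priority)
    for r in inbound:
        if (r.protocol in ("*", protocol)
                and port_matches(r.dest_ports, dst_port)
                and address_matches(r.source, src_ip, asgs)
                and address_matches(r.destination, dst_ip, asgs)):
            return r
    return DEFAULT_INBOUND[-1]   # not reached: DenyAllInBound matches everything

# Constructed two-tier layout: web VMs in one ASG, database VMs in another.
ASGS = {"web-asg": {"10.0.1.4", "10.0.1.5"}, "db-asg": {"10.0.2.4"}}
RULES = [
    Rule("AllowHttpsFromInternetToWeb", 100, "Inbound", "Allow", "Tcp", "Internet", "web-asg", "443"),
    Rule("AllowSqlFromWebToDb", 200, "Inbound", "Allow", "Tcp", "web-asg", "db-asg", "1433"),
    Rule("DenyVnetToDb", 300, "Inbound", "Deny", "*", "VirtualNetwork", "db-asg", "*"),
]

def decide(src_ip: str, dst_ip: str, port: int, protocol: str = "Tcp"):
    """(access, rule name) for a packet against the constructed rule set."""
    r = evaluate(RULES, ASGS, src_ip, dst_ip, port, protocol)
    return r.access, r.name

if __name__ == "__main__":
    print(decide("203.0.113.7", "10.0.1.4", 443))    # ('Allow', 'AllowHttpsFromInternetToWeb')
    print(decide("203.0.113.7", "10.0.2.4", 1433))   # ('Deny', 'DenyAllInBound')
    print(decide("10.0.1.4", "10.0.2.4", 1433))      # ('Allow', 'AllowSqlFromWebToDb')
    print(decide("10.0.3.9", "10.0.2.4", 1433))      # ('Deny', 'DenyVnetToDb')
```

The last case is the one worth remembering: without the explicit `DenyVnetToDb` rule at priority 300, a VM anywhere in the VNet could reach the database tier through the default `AllowVnetInBound` rule, because the defaults allow everything inside the Virtual Network. Grouping the tiers in ASGs makes that tightening a single rule instead of one rule per address.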
24. AZURE CONNECTIVITY OPTIONS
There are multiple connectivity options available:
● Virtual Private Network Peering
● Point to Site VPN Connection
● Site to Site VPN Connection
● Azure Express Route (Azure Dedicated Channel)
25. Diagram slide (only the panel titles survive): Point to Site VPN Connection; Site to Site VPN Connection; Virtual Private Network Peering Connection
26. AZURE TRAFFIC MANAGER
This is similar to Route 53 in AWS.
Azure Traffic Manager is a DNS-based routing tool, compared to Azure Load Balancer, which is an IP-based routing tool. This service allows you to distribute traffic to your public-facing applications across the global Azure regions. It also provides your public endpoints with high availability and quick responsiveness.
The routing can be done based on Priority and on Weightage.
Unlike Route 53, Azure still does not offer DNS registration.
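Because Traffic Manager answers at the DNS level, "routing" means choosing which endpoint's hostname goes into the DNS answer. The following is an added example written for this page (not code from the slides and not the Azure SDK) that models the two routing methods the slide names, Priority (failover to the next healthy endpoint) and Weighted (answers shared in proportion to weight). Endpoint names, hostnames and health states are constructed; `weighted_route` takes the random draw as a parameter so the behaviour is deterministic.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Simplified model of the two Traffic Manager routing methods named on the
# slide: Priority (failover) and Weighted. Endpoint names, hostnames and
# health states are constructed for this example; this is not the Azure SDK.

@dataclass
class Endpoint:
    name: str
    target: str          # hostname the DNS answer (CNAME) will point at
    healthy: bool        # result of the endpoint health probe
    priority: int = 1    # lower number is tried first
    weight: int = 1      # relative share of answers for Weighted routing

def priority_route(endpoints: List[Endpoint]) -> Optional[str]:
    """Target of the healthy endpoint with the lowest priority value, else None."""
    for ep in sorted(endpoints, key=lambda e: e.priority):
        if ep.healthy:
            return ep.target
    return None   # no healthy endpoint: nothing to answer with

def weighted_route(endpoints: List[Endpoint], roll: float) -> Optional[str]:
    """
    Pick an endpoint in proportion to weight among healthy endpoints.
    `roll` is a number in [0, 1); a resolver front end would draw it at random,
    passing it in keeps the function deterministic and testable.
    """
    healthy = [e for e in endpoints if e.healthy]
    total = sum(e.weight for e in healthy)
    if total == 0:
        return None
    cursor = roll * total
    for e in healthy:
        if cursor < e.weight:
            return e.target
        cursor -= e.weight
    return healthy[-1].target   # guards the floating-point edge as roll approaches 1

def answer_distribution(endpoints: List[Endpoint], samples: int = 1000) -> Dict[str, int]:
    """Simulate `samples` evenly spaced DNS queries and count answers per target."""
    counts: Dict[str, int] = {}
    for i in range(samples):
        t = weighted_route(endpoints, i / samples)
        counts[t] = counts.get(t, 0) + 1
    return counts

# Constructed profile: primary region, secondary region, and an unhealthy DR site.
PROFILE = [
    Endpoint("eastus-web", "app-eastus.example.net", healthy=True, priority=1, weight=3),
    Endpoint("westeu-web", "app-westeu.example.net", healthy=True, priority=2, weight=1),
    Endpoint("dr-site", "app-dr.example.net", healthy=False, priority=3, weight=1),
]

if __name__ == "__main__":
    print(priority_route(PROFILE))              # app-eastus.example.net
    degraded = [Endpoint(e.name, e.target, e.healthy and e.name != "eastus-web",
                         e.priority, e.weight) for e in PROFILE]
    print(priority_route(degraded))             # app-westeu.example.net (failover)
    print(answer_distribution(PROFILE))         # 750 eastus, 250 westeu, dr-site never
```

Note that the unhealthy DR endpoint never appears in either method: health probing is what turns a static DNS record into a failover mechanism, and the weighted shares are recomputed over healthy endpoints only.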
28. COMPUTE - SCALABILITY
This is the IaaS part of Azure compute, along with Azure Virtual Machines.
A group of identical, load balanced Virtual Machines is called a Scale Set. They can be activated/deactivated as needed.
It ensures High Availability for your applications.
Similar to Auto Scaling Groups (ASGs) in AWS along with Launch Templates / Configurations.
No additional cost involved; you only pay for the additional scaled VMs, storage and network.
Can span across multiple AZs.
29. COMPUTE - AVAILABILITY
For a single VM (without any availability option) you get only 99.9% availability.
There are multiple ways to ensure VM availability within Azure:
● Use “Availability Zones” to protect from Data Center failures
● Configure multiple Virtual Machines in an “Availability Set”
● Configure each application tier into separate Availability Sets
● Combine a Load Balancer with Availability Zones or Availability Sets
With the “Availability Zone” approach you get 99.99% availability.
With the “Availability Set” approach you get 99.95% availability.
30. AZURE CONTAINER INSTANCES
A way of running Docker containers on Azure.
Benefits:
● Manage application dependencies well. All the dependencies for an application are included in the container image, so you can manage the application and its dependencies with confidence.
● Increased portability – Applications running in containers can be deployed easily to multiple different operating systems and hardware platforms.
● Less overhead – Virtual machines require a lot more maintenance overhead. Containers do not have much overhead related to their maintenance.
● Development and deployment are much easier.
● Works well with the Azure Portal, CLI and PowerShell.
31. AZURE APP SERVICES
This is the PaaS part of Azure compute.
App Services is also a fully managed platform. That means your servers, network and storage are handled by Azure. You just need to focus on the business logic.
App Services come in three different flavors:
1. Azure Web Apps
2. Azure Web Apps for Containers
3. Azure API Apps
33. AZURE MANAGED DISKS
Azure managed disks are block-level storage volumes that are managed by Azure and used with Azure Virtual Machines.
Managed disks are like a physical disk in an on-premises server, but virtualized.
With managed disks, all you have to do is specify the disk size and the disk type, and provision the disk. Once you provision the disk, Azure handles the rest.
The available types of disks are ultra disks, premium solid-state drives (SSD), standard SSDs, and standard hard disk drives (HDD).
Managed disks are designed for 99.999% availability. Managed disks achieve this by providing you with three replicas of your data, allowing for high durability. If one or even two replicas experience issues, the remaining replicas help ensure persistence of your data and high tolerance against failures.
34. AZURE STORAGE ACCOUNT
An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, tables, and disks.
The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS.
Data in your Azure storage account is durable and highly available, secure, and massively scalable.
35. AZURE BLOB STORAGE
This is similar to S3 in AWS.
This is the object storage on Azure.
Can store massive amounts of unstructured data in the cloud (from 500TB to 5PB).
You need to create a “container” to store objects in Blob Storage (similar to “buckets” in S3).
There are three different types of blobs:
● Block Blobs – To store text and binary data
● Append Blobs – To store logging data
● Page Blobs – To store virtual hard disk files for Azure Virtual Machines
36. BLOB STORAGE – ACCESS TIERS
Access tiers can be set at the Storage Account level and at the container object level.
There are multiple access tiers identified in Blob Storage:
● Hot – Frequently accessed data
● Cool – Infrequently accessed data
● Archive – Rarely accessed data. Access is restricted while objects are in this tier.
37. AZURE FILE STORAGE
This enables you to set up highly available network file shares that can be accessed by using the standard SMB protocol.
That means multiple Virtual Machines can share the same files with both read and write access.
You can also read the files using the REST interface or the storage client libraries.
What clearly distinguishes Azure Files from files on a corporate file share is that you can access the files from anywhere in the world using a URL that points to the file and includes a shared access signature token.
38. AZURE QUEUE STORAGE
Similar to SQS in AWS.
The Queue service can decouple the application logic that processes data.
When an application writes data to a queue, other subscriber applications listen to the queue and can process the messages.
40. AZURE SQL DATABASE (PAAS) DEPLOYMENT OPTIONS
This is the Azure MSSQL Server PaaS offering.
It has three deployment options:
● Single Database (DbaaS) – The database server instance is managed by Azure. Gets the latest stable version of SQL Server as SQL Database.
● Elastic Pool (DbaaS) – A collection of multiple SQL databases, where each single database works as a single tenant. All the databases are managed by a pool of resources. Good for applications relying on multiple databases with unpredictable usage.
● Managed Instance (PaaS) – Azure manages the SQL Server instance (not the DB instance). Lift and Shift ready.
41. AZURE SQL SERVER ON AZURE VM (IAAS)
Can migrate to Azure without any database changes.
Lift and Shift ready.
Has full control over the SQL Server database engine, SQL Server licenses and the VM Operating System.
Has to take care of High Availability, Disaster Recovery, Performance, Change Control and Security.
43. AZURE MONITOR SERVICE
Azure Monitor Service is similar to CloudWatch in AWS.
It delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.
With this approach, it maximizes the availability and performance of your applications and services. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.
You can check “Metrics”, “Activity Log”, “Alerts”, etc.
“Alerts” can be raised based on “Metrics” and the “Activity Log”.
44. AZURE LOG ANALYTICS WORKSPACE
Similar to CloudTrail in AWS.
This is the Azure environment that can be used to store log data.
You can use this environment to collect log data from various data sources:
● Azure resources
● On-premise computers, which are connected via Azure System Center Operations Manager (similar to AWS SSM)
● Azure Storage log data
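Slides 43 and 44 say that the Activity Log records what happens to resources and that alerts can be raised from it. As an added example of the kind of detection a defender would put on top of that data (this is my code, not from the slides, and not an Azure alert rule), the block below scans constructed Activity Log records and flags NSG security-rule writes that allow inbound traffic from any source to a management port. The record shape (`operationName`, `caller`, `resourceId`, `status`, `properties`) is a simplified stand-in for the real Activity Log event schema; `SUB-ID` and all callers, rule names and timestamps are constructed placeholders.

```python
import json
from typing import Dict, List, Set

# Detection logic run over constructed Activity Log records. The record shape
# below is a simplified stand-in for the Azure Activity Log event schema
# (operationName, caller, resourceId, status, properties); field names are
# assumptions for this example, not a guaranteed export format. The rule
# logic is the point: flag NSG security-rule writes that allow inbound
# traffic from any source to a management port.

MANAGEMENT_PORTS: Set[int] = {22, 3389, 5985, 5986}       # SSH, RDP, WinRM
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}
NSG_RULE_WRITE = "microsoft.network/networksecuritygroups/securityrules/write"

# Constructed sample records, one JSON object per line (SUB-ID is a placeholder).
SAMPLE_LOG = """
{"eventTimestamp":"2024-05-01T09:12:00Z","operationName":"Microsoft.Network/networkSecurityGroups/securityRules/write","caller":"alice@example.com","resourceId":"/subscriptions/SUB-ID/resourceGroups/web-rg/providers/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/AllowHttps","status":"Succeeded","properties":{"direction":"Inbound","access":"Allow","sourceAddressPrefix":"Internet","destinationPortRange":"443"}}
{"eventTimestamp":"2024-05-01T09:13:00Z","operationName":"Microsoft.Network/networkSecurityGroups/securityRules/write","caller":"bob@example.com","resourceId":"/subscriptions/SUB-ID/resourceGroups/web-rg/providers/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/TempRdp","status":"Succeeded","properties":{"direction":"Inbound","access":"Allow","sourceAddressPrefix":"*","destinationPortRange":"3389"}}
{"eventTimestamp":"2024-05-01T09:14:00Z","operationName":"Microsoft.Network/networkSecurityGroups/securityRules/write","caller":"bob@example.com","resourceId":"/subscriptions/SUB-ID/resourceGroups/web-rg/providers/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/WideOpen","status":"Succeeded","properties":{"direction":"Inbound","access":"Allow","sourceAddressPrefix":"0.0.0.0/0","destinationPortRange":"0-65535"}}
{"eventTimestamp":"2024-05-01T09:15:00Z","operationName":"Microsoft.Compute/virtualMachines/start/action","caller":"carol@example.com","resourceId":"/subscriptions/SUB-ID/resourceGroups/web-rg/providers/Microsoft.Compute/virtualMachines/web-vm-1","status":"Succeeded","properties":{}}
{"eventTimestamp":"2024-05-01T09:16:00Z","operationName":"Microsoft.Network/networkSecurityGroups/securityRules/write","caller":"bob@example.com","resourceId":"/subscriptions/SUB-ID/resourceGroups/web-rg/providers/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/FailedSsh","status":"Failed","properties":{"direction":"Inbound","access":"Allow","sourceAddressPrefix":"*","destinationPortRange":"22"}}
"""

def port_range_hits(spec: str, ports: Set[int]) -> bool:
    """True if a destinationPortRange spec ('22', '0-65535', '*', '22,3389') covers any of `ports`."""
    if spec == "*":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if any(lo <= p <= hi for p in ports):
                return True
        elif int(part) in ports:
            return True
    return False

def is_risky_rule_write(event: Dict) -> bool:
    """Successful inbound Allow rule from any source that reaches a management port."""
    if event.get("operationName", "").lower() != NSG_RULE_WRITE:
        return False
    if event.get("status") != "Succeeded":     # failed attempts changed nothing
        return False
    p = event.get("properties", {})
    return (p.get("direction") == "Inbound"
            and p.get("access") == "Allow"
            and p.get("sourceAddressPrefix") in ANY_SOURCE
            and port_range_hits(p.get("destinationPortRange", "*"), MANAGEMENT_PORTS))

def scan(jsonl: str) -> List[Dict]:
    """Parse JSON-lines text and return a compact alert per risky rule write."""
    alerts = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_risky_rule_write(ev):
            alerts.append({
                "time": ev["eventTimestamp"],
                "caller": ev["caller"],
                "rule": ev["resourceId"].rsplit("/", 1)[-1],
                "ports": ev["properties"]["destinationPortRange"],
            })
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)   # TempRdp (3389 from *) and WideOpen (0-65535 from 0.0.0.0/0)
```

Only the two successful writes that open a management port to any source are reported; the HTTPS rule, the VM start and the failed write are left alone. In a workspace the same logic would run as a scheduled query over the collected Activity Log table, which is what lets an "Alert" fire from the "Activity Log" as slide 43 describes.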
47. JUST IN TIME VM ACCESS
By default, when you allow access to your VMs in Azure through network security group security rules, the access provided is unlimited; there is no time-related restriction implemented. So, all allowed IP addresses will be able to connect to your Azure VM.
The just-in-time (JIT) virtual machine (VM) access feature in Azure Security Center gives you the possibility to allow inbound traffic to your Azure Virtual Machines for a specific and limited period of time. This reduces exposure to attacks while providing easy access ONLY when you need to connect to a VM.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time?tabs=jit-config-asc%2Cjit-request-asc
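The contrast the slide draws (a permanent NSG allow rule versus a time-boxed one) is easiest to see in a small model. The block below is an added example for this page, not code from the slides and not the Security Center API: a `JitPolicy` fixes the port, the longest permitted window and the source ranges a request may come from; an approved request produces a `JitGrant` that behaves like an allow rule with an expiry; `is_open` answers what the effective NSG would say at a given moment. Policy fields, the audit strings and all addresses and times are assumptions constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Model of the just-in-time access idea on the slide: the NSG normally denies
# the management port, an approved request opens it for one source range only
# and only for a bounded time, after which the allow is gone again. Policy
# fields, request handling and the grant representation are assumptions for
# this example; this is not the Security Center API.

@dataclass
class JitPolicy:
    vm_name: str
    port: int
    max_duration: timedelta
    allowed_source_cidrs: List[str]      # ranges an operator may request access from

@dataclass
class JitGrant:
    vm_name: str
    port: int
    source_cidr: str
    start: datetime
    end: datetime

    def active(self, now: datetime) -> bool:
        return self.start <= now < self.end

class JitController:
    def __init__(self, policies: List[JitPolicy]):
        self.policies = {p.vm_name: p for p in policies}
        self.grants: List[JitGrant] = []
        self.audit: List[str] = []

    def request(self, vm_name: str, port: int, source_cidr: str,
                duration: timedelta, now: datetime) -> Optional[JitGrant]:
        """Approve a request only if it fits the policy; otherwise record the refusal."""
        policy = self.policies.get(vm_name)
        if policy is None or port != policy.port:
            self.audit.append(f"denied {vm_name}:{port} from {source_cidr}: no JIT policy")
            return None
        if duration > policy.max_duration:
            self.audit.append(f"denied {vm_name}:{port}: {duration} exceeds policy maximum")
            return None
        requested = ipaddress.ip_network(source_cidr, strict=False)
        if not any(requested.subnet_of(ipaddress.ip_network(c)) for c in policy.allowed_source_cidrs):
            self.audit.append(f"denied {vm_name}:{port}: {source_cidr} outside allowed ranges")
            return None
        grant = JitGrant(vm_name, port, source_cidr, now, now + duration)
        self.grants.append(grant)
        self.audit.append(f"granted {vm_name}:{port} to {source_cidr} until {grant.end.isoformat()}")
        return grant

    def is_open(self, vm_name: str, port: int, src_ip: str, now: datetime) -> bool:
        """What the effective NSG would answer at time `now` for this source."""
        ip = ipaddress.ip_address(src_ip)
        return any(g.vm_name == vm_name and g.port == port and g.active(now)
                   and ip in ipaddress.ip_network(g.source_cidr, strict=False)
                   for g in self.grants)

def demo():
    """Constructed scenario: one VM with SSH under JIT, three requests, one approved."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    ctl = JitController([JitPolicy("web-vm-1", 22, timedelta(hours=3), ["198.51.100.0/24"])])
    ctl.request("web-vm-1", 22, "198.51.100.10/32", timedelta(hours=1), t0)   # approved
    ctl.request("web-vm-1", 22, "203.0.113.5/32", timedelta(hours=1), t0)     # wrong source
    ctl.request("web-vm-1", 22, "198.51.100.20/32", timedelta(hours=8), t0)   # too long
    return ctl, t0

def demo_open_after(minutes: int, src_ip: str = "198.51.100.10", port: int = 22) -> bool:
    """Is web-vm-1:port open to src_ip `minutes` after the demo's requests were made?"""
    ctl, t0 = demo()
    return ctl.is_open("web-vm-1", port, src_ip, t0 + timedelta(minutes=minutes))

if __name__ == "__main__":
    ctl, t0 = demo()
    print("\n".join(ctl.audit))
    print(demo_open_after(30))    # True: inside the one-hour window
    print(demo_open_after(120))   # False: window has expired, rule is gone
```

The two refusals are the interesting part from an exposure standpoint: a request from outside the approved ranges and a request for longer than the policy allows both fail closed, and the grant that is approved stops answering "open" the moment its window ends, which is exactly the time-related restriction the slide says a plain NSG rule lacks.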