Azure Fundamentals


This is a WIP 

Written for an audience that already knows cloud basics and just needs to brush up on Azure.


1. Management Group


Management groups: These groups are containers that help you manage access, policy, and compliance for multiple subscriptions. All subscriptions in a management group automatically inherit the conditions applied to the management group.


2. Subscription


A subscription logically associates user accounts and the resources that were created by those user accounts. Each subscription has limits or quotas on the amount of resources you can create and use. Organizations can use subscriptions to manage costs and the resources that are created by users, teams, or projects.

2.1 Azure Subscription Quota Increase


To request a quota increase, open a new support request by first navigating to Help + support on the Azure portal menu.

https://docs.microsoft.com/en-us/azure/azure-portal/supportability/per-vm-quota-requests

3. Resource Group



Resource Group is a container to hold resources (Web App, VM, DB, Storage Accounts). Resource Group is used to manage the lifecycle of related resources together.

  a. All the resources in your resource group should share the same lifecycle. You deploy, update, and delete them together. If you delete a resource group, all resources in that resource group will be deleted as well.
  b. Resource Group is assigned to a single region.
  c. You need a resource group before creating a resource.
  d. Nesting of Resource Group within a Resource Group is NOT possible.
  e. A resource group can contain resources from multiple Azure regions. The location you choose for the resource group has nothing to do with the location you choose for your resources.


4. Management Scope

Azure provides four levels of management scope: management groups, subscriptions, resource groups, and resources. The image here shows an example of these layers.

You apply management settings at any of these levels of scope. The level you select determines how widely the setting is applied. Lower levels inherit settings from higher levels.






4.1 Hierarchy of management groups






Each directory is given a single top-level management group called the "Root" management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it.



Important facts about the Root management group:
  • By default, the root management group's display name is Tenant root group. The ID is the Azure Active Directory ID.
  • The root management group can't be moved or deleted, unlike other management groups.
  • All subscriptions and management groups fold up to the one root management group within the directory.
    • All resources in the directory fold up to the root management group for global management.
    • New subscriptions are automatically defaulted to the root management group when created.

As you can see, management groups can be nested within another management group.

5. Pricing: Bandwidth


Outbound data transfer is charged at the normal rate and inbound data transfer is free. The pricing rule that you should keep in mind is this: outbound traffic (leaving Azure cloud or an Azure region) is NOT free, inbound traffic is free.
https://azure.microsoft.com/en-au/pricing/details/bandwidth/


Region: Data transfer between Azure services located within the same region is not charged.
Availability Zones: Data transfer within the same Availability Zone is free. Data transfer between Availability Zones is charged (from 1 Jul 2022).

5.1 Express Route

With Azure ExpressRoute, all inbound data transfer is free of charge and all outbound data transfer is charged based on a pre-determined rate.

https://azure.microsoft.com/en-us/pricing/details/expressroute/




6. Azure Locks

When you apply a lock at a parent scope, all resources within that scope inherit the same lock.
You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json



7. Azure AD

An Azure subscription has a trust relationship with Azure Active Directory (Azure AD). A subscription trusts Azure AD to authenticate users, services, and devices.

Multiple subscriptions can trust the same Azure AD directory. Each subscription can ONLY trust a single directory.

Lifecycle: If your subscription expires, you lose access to all the other resources associated with the subscription. However, the Azure AD directory remains in Azure. You can associate and manage the directory using a different Azure subscription.




https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory



7.1 Azure Active Directory Domain Services (AD DS)

Azure Active Directory Domain Services (AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication.

Settings for user and computer objects in Azure AD DS are often managed using Group Policy Objects (GPOs). There are some predefined built-in GPOs and you can customize these to configure Group Policy as needed for your environment.

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/overview

7.2 Azure AD Join

Azure AD join allows you to join devices directly to Azure AD without the need to join to on-premises Active Directory while keeping your users productive and secure.

Azure AD join ONLY applies to Windows 10 devices.
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join


8. Types of cloud services




8.1  Software as a service (SaaS) allows users to connect to and use cloud-based apps over the Internet. Common examples are email, calendaring, and office tools. In this scenario, you need to run your own apps, and therefore require an infrastructure.

Examples: Email, Calendaring and Office tools (such as Microsoft Office 365)

8.2  Platform as a service (PaaS) is a complete development and deployment environment in the cloud. PaaS includes infrastructure—servers, storage, and networking—but also middleware, development tools, business intelligence (BI) services, database management systems, and more. PaaS is designed to support the complete web application lifecycle: building, testing, deploying, managing, and updating.
It provides additional memory to apps by changing pricing tiers.
It can automatically scale the number of instances.

Examples: Azure Cosmos DB, Azure App Service and Azure SQL databases

8.3 Infrastructure as a service (IaaS) is an instant computing infrastructure, provisioned and managed over the internet. The IaaS service provider manages the infrastructure, while you purchase, install, configure, and manage your own software.

Examples: Azure Virtual Machines, Azure Disk Storage, Azure Security Center

8.4 Serverless: Serverless computing enables developers to build applications faster by eliminating the need for them to manage infrastructure. With serverless applications, the cloud service provider automatically provisions, scales, and manages the infrastructure required to run the code.


Examples: Azure Functions







9. Azure Geographies

North America, South America, Europe, Australia and Asia have multiple Regions.
Africa has only one region.

https://azure.microsoft.com/en-gb/global-infrastructure/geographies/







9.1 Regions:

A set of datacenters deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network.

9.1.1 Recommended Region:

A region that provides the broadest range of service capabilities and is designed to support Availability Zones now, or in the future. These are designated in the Azure portal as Recommended.

9.1.2 Alternate (other) Region: 

A region that extends Azure's footprint within a data residency boundary where a recommended region also exists. Alternate regions help to optimize latency and provide a second region for disaster recovery needs. They are not designed to support Availability Zones (although Azure conducts regular assessment of these regions to determine if they should become recommended regions).

9.2 Availability Zones:

Availability Zones are unique physical locations within an Azure region. Each zone is made up of one or more data centres equipped with independent power, cooling, and networking.

Zone-redundant services replicate your applications and data across Availability Zones to protect from single-points-of-failure. With Availability Zones, Azure offers industry best 99.99% VM uptime SLA.


9.3 Azure Site Recovery (ASR)

Azure Site Recovery helps ensure business continuity by keeping business apps and workloads running during outages. Site Recovery replicates workloads running on physical and virtual machines (VMs) from a primary site to a secondary location.

You can set up disaster recovery of Azure VMs from a primary region to a secondary region.

10. Azure Virtual Machine Scale Sets


Azure virtual machine scale sets let you create and manage a group of load balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule. Scale sets provide high availability to your applications, and allow you to centrally manage, configure, and update a large number of VMs.


11. Azure Resource Manager templates (ARM templates)

You can use Azure Resource Manager templates to automate the creation of the Azure resources. Deploying resource through templates is known as "Infrastructure as code".

To implement infrastructure as code for your Azure solutions, use Azure Resource Manager templates. The template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it. In the template, you specify the resources to deploy and the properties for those resources.

12. Azure Repos - Version Control

Azure Repos is a set of version control tools that you can use to manage your code.

Azure Repos provides two types of version control:


13. Azure Monitor

Azure Monitor maximizes the availability and performance of your applications and services by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. Note that it can monitor BOTH Cloud and On-Premises environments.


13.1 Alerts

Azure Monitor alert rules are defined against a target resource, which determines the scope and the signals available for alerting. A target can be ANY Azure resource. Example targets:
  • Virtual Machines
  • Storage Accounts
  • Virtual Machine Scale Sets
  • Log Analytics workspaces
  • Application Insights
Alerts proactively notify you when issues are found with your infrastructure or application using your monitoring data in Azure Monitor. They allow you to identify and address issues before the users of your system notice them.

Example Alert Criteria:
  • Percentage CPU > 70%
  • Server Response Time > 4 ms
  • Result count of a log query > 100
Alert rules in Azure Monitor use action groups, which contain unique sets of recipients and actions that can be shared across multiple rules.







Azure Monitor can correlate events from multiple resources into a centralized repository.

13.1.1 Budget Alerts

Budget alerts notify you when spending, based on usage or cost, reaches or exceeds the amount defined in the alert condition of the budget. Cost Management budgets are created using the Azure portal or the Azure Consumption API.
https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending


13.2 Azure Application Insights

Azure Application Insights detects and diagnoses anomalies in web applications.
Application Insights, a feature of Azure Monitor, is an extensible Application Performance Management (APM) service for developers and DevOps professionals. Use it to monitor your live applications. It will automatically detect performance anomalies, and includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app.

14. Azure Databricks - Analytics

Azure Databricks is an Apache Spark-based analytics platform optimized for the Microsoft Azure cloud services platform.
Azure Databricks offers three environments for developing data-intensive applications: Databricks SQL, Databricks Data Science & Engineering, and Databricks Machine Learning.

https://docs.microsoft.com/en-us/azure/databricks/scenarios/what-is-azure-databricks


15. Azure Cloud Shell

Azure Cloud Shell is an interactive, authenticated, browser-accessible shell for managing Azure resources. Being browser-based, Azure Cloud Shell can be run on a browser from a tablet or mobile phone that runs the Android operating system.

With Azure Cloud Shell, you can create virtual machines using Bash or PowerShell. It provides the flexibility of choosing the shell experience that best suits the way you work, either Bash or PowerShell.


To open the Cloud Shell, just select Try it from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to https://shell.azure.com/bash.

15.1 Create VM using CLI


A. Create a Resource Group
az group create --name myResourceGroup --location eastus

B. Create a Virtual machine
az vm create \
  --resource-group myResourceGroup \
  --name myVM \
  --image UbuntuLTS \
  --admin-username azureuser \
  --generate-ssh-keys

15.2 Azure Az PowerShell Module

The Az PowerShell module is a set of cmdlets for managing Azure resources directly from PowerShell. PowerShell provides powerful automation features that can be leveraged for managing your Azure resources, for example in the context of a CI/CD pipeline.

https://docs.microsoft.com/en-us/powershell/azure/new-azureps-module-az?view=azps-6.0.0

15.3 Azure CLI for Windows

You can install Azure CLI on your computer that runs Windows 10.
For Windows, the Azure CLI is installed via an MSI, which gives you access to the CLI through the Windows Command Prompt (CMD) or PowerShell.

https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?view=azure-cli-latest&tabs=azure-cli

16. Azure Security Center - Regulatory Compliance


Used to track a company's compliance with regulatory standards and regulations, such as ISO 27001.

https://docs.microsoft.com/en-us/azure/security-center/security-center-compliance-dashboard

Note: Compliance Manager will soon be removed from the Service Trust Portal, and all configurations and information will be lost. If you are a Microsoft 365 user you can now use Microsoft 365 compliance, and if you are an Azure user, you can use Regulatory Compliance included in Azure Security Center.

https://docs.microsoft.com/en-us/microsoft-365/compliance/meet-data-protection-and-regulatory-reqs-using-microsoft-cloud


17. Azure Policy


Azure policies can be used to define requirements for resource properties during deployment and for already existing resources. Azure Policy controls properties such as the types or locations of resources.

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for noncompliance with assigned policies. All data stored by Azure Policy is encrypted at rest.

Azure Policy offers several built-in policies that are available by default. For example, to make sure that Azure resources are created only in the Azure regions where your offices are located, use the Allowed Locations policy for geo-compliance.

Built-in policies examples:

  • Allowed Storage Account SKUs (Deny): Determines if a storage account being deployed is within a set of SKU sizes. Its effect is to deny all storage accounts that don't adhere to the set of defined SKU sizes.
  • Allowed Resource Type (Deny): Defines the resource types that you can deploy. Its effect is to deny all resources that aren't part of this defined list.
  • Allowed Locations (Deny): Restricts the available locations for new resources. Its effect is used to enforce your geo-compliance requirements.
  • Allowed Virtual Machine SKUs (Deny): Specifies a set of virtual machine SKUs that you can deploy.
  • Add a tag to resources (Modify): Applies a required tag and its default value if it's not specified by the deploy request.
  • Not allowed resource types (Deny): Prevents a list of resource types from being deployed.
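As an added example (not from the original notes), here is a constructed custom policy definition in the JSON shape Azure Policy uses, reproducing the Allowed Locations (Deny) rule from the list above. The display name, description and the parameter name listOfAllowedLocations with its default regions are assumptions for the example; the "global" and B2C exclusions keep region-less resources from being denied.

```json
{
  "properties": {
    "displayName": "Allowed locations (constructed example)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Deny deployment of any resource whose location is not in the approved list, for geo-compliance.",
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "Regions in which resources may be deployed (assumed defaults below).",
          "strongType": "location"
        },
        "defaultValue": [ "eastus", "westeurope" ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('listOfAllowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Assign it at a management group or subscription scope so that, as section 4 explains, every resource group beneath inherits it; resources already deployed outside the list are reported as non-compliant but are not removed.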



18. Azure Previews


In Azure Portal, you are able to distinguish between services that are generally available (GA) or in public preview. During Private Preview phase, Microsoft invites a few customers to take part in early access to new concepts and features. After the public preview is completed, the feature is open for any licensed customer to use and is supported via all Microsoft support channels.

Any new service that is in the Public Preview state is marked in Azure portal with a (Preview) label, which makes it easy to distinguish the service from a service that is in GA phase.

After a service is tested, improved and transitioned to the GA phase, it can be purchased and used by any Azure customer. The service will continue to receive updates until Azure decides to discontinue and retire the product.

Once the service transitions to generally available (GA) phase, you can simply continue to use the service, as before. You DON'T need to recreate the service in Azure.

To Summarize:
Service transition: Private preview --> Public preview --> General Availability (GA).
The private preview is only available to certain Azure customers for evaluation purposes.
The public preview is available to all Azure customers.

https://azure.microsoft.com/en-gb/support/legal/preview-supplemental-terms/


19. Azure App Service

Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments.

App Service adds the power of Microsoft Azure to your application, such as security, load balancing, autoscaling, and automated management. You can also take advantage of its DevOps capabilities, such as continuous deployment from Azure DevOps, GitHub, Docker Hub, and other sources, package management, staging environments, custom domains, and TLS/SSL certificates.


https://docs.microsoft.com/en-us/azure/app-service/overview

20. Azure Functions



Azure Functions provides a platform for serverless code. Azure Functions is a serverless compute service that lets you run event-triggered code without having to explicitly provision or manage infrastructure. Instead of worrying about deploying and maintaining servers, the cloud infrastructure provides all the up-to-date resources needed to keep your applications running.





