Basic Terminologies:
Cloud Computing : The
delivery of computing services over the internet. Flexible Resources, Pay As you Go.
Types of Cloud : Public
Cloud, Private Cloud and Hybrid Cloud.
HA - High Availability - Ability of a system to
remain operational to users during planned or unplanned outage. It also measured in terms of total uptime.
Scalability - Ability of the system to scale up or down by adding resources based on the demand.
Vertical Scaling - Scaling Up or Scaling down by addition additional resources such as CPU , Memory.
Horizontal Scaling - Scaling Out and Scaling In by adding
additional servers.
Elasticity - Ability of the system to quickly and
easily scale up/down automatically based on the demand. This is also called as Autoscaling -
Based on the resource monitoring alerts.
Reliability - The ability of the system to recover from failures. Auto Scaling , multi region, Data backups and replication.
Predictability - Ability of the system to forecast and control the performance and behavior of the system.
Governance - The process of defining, implementing and monitoring the policies defined at Org level for cloud operations. Perform basic auditing and reporting . Compliant with industry standard such as HIPAA or PCC or GDPR.
HIPAA - Health Insurance Portability and Accountability Act. US Law.
PHI - Protected Health Information.
GDPR - General Data Protection Regulation - EU Law.
Azure Concepts and Services
Regions
- Geographical areas where Azure datacentres are
located.
Region Pairs
- Regions interconnected with a low-latency network.
Sovereign Regions
- Private cloud regions requiring approval to create
or join a subscription.
Public Clouds
- Also known as Azure Commercial.
Availability Zones
- Physical datacentre locations within a region, with
up to three availability zones interconnected by a low-latency network.
Types of Availability Zone (AZ)
Services
- Zonal Services: Services present in a specific AZ,
like virtual machines.
- Zonal-Redundant Services: Multi-AZ services, such
as load balancers and SQL databases, with replicas for failover.
- Always Available Services: Azure-managed or global
services deployed across multiple regions, like Active Directory or Azure
Front Door.
Resources, Resource Groups, and
Subscriptions
- Resources: All services provided by Azure.
- Resource Groups: Collections of related resources,
helping manage services like all DEV resources. Access permissions can be
set at the resource group level.
- Subscriptions: Billing units for resources, with
companies able to subscribe to multiple subscriptions, e.g., one for each
department.
- Management Groups: Optional service for managing
multiple subscriptions, though not widely used.
Core Azure Services
- Compute Services
- Network Services
- Storage Services
- Database Services
Compute Services
- Virtual Machines (VMs)
- VM Scale Sets: Also known as Auto Scaling Groups.
- App Services / Web Apps
- Azure Container Instances (ACI): Single container
instances for running container images.
- Azure Container Apps: Multiple containers with load
balancers.
- Azure Kubernetes Service (AKS): Container
orchestration service.
- Azure Virtual Desktop (AVD): Virtualized desktops
accessible from mobile and web browsers.
Virtual Machine Scale Sets
- Auto-scaling groups for horizontal scaling,
increasing VM count based on demand.
- Includes a load balancer to distribute load across
VMs.
- Can handle 100 to 1,000 VMs.
Availability Sets
- Also known as Placement Groups in OCI.
- Place multiple instances in separate fault domains
or RACs to avoid failures.
- Separate update domains ensure patches are applied
in batches, minimizing downtime.
Proximity Groups
- Placement groups for VMs to reduce latency by
placing them nearby.
App Services / Web Apps
- PaaS services provided by Azure, with no access to
hardware.
Windows VM - Installing New
Software
- Use Server Manager to install new software.
- Use Add Roles and Features to add new software.
- Adding the Web Service IIS server role allows for
adding a web server.
Vertical Scaling
- Requires a VM restart.
Web Apps
- Server names must be globally unique.
- Select runtime stack (Java/.NET/PHP/Python/Node)
during creation.
- Choose VM type (Windows or Linux) and pricing plan.
- Configure databases and GitHub during provisioning.
Azure Functions
- Create functions by selecting supported technology,
which creates a function executor.
- Inside the executor, create the code to perform
tasks.
- Choose execution methods (HTTP URL, scheduled,
event-based).
- Azure provides sample code that can be updated as
needed.
- Select the default URL to invoke the API.
Container Instances / Container
Apps
- Use Azure Registry or an external registry to
download images.
Azure Networking
Virtual Network (VNets)
- Assigned with IPv4 or IPv6 network addresses.
- These IPs are private and cannot be accessed from
the internet.
- All VNets are subdivided into subnets, each with an
IP address that is a subset of the VNet’s IP address.
- All VMs are attached to a subnet via a Virtual
Network Interface Card (VNIC). Some VMs can have more than one VNIC and
can connect to multiple subnets.
- VMs can be assigned a public IP address to be
accessed from the internet.
Network Security Group (NSG)
- Acts like a virtual firewall. All traffic passes
through NSG rules.
- By default, all traffic is disabled. ALLOW rules
must be defined to enable traffic.
- Rules are executed in ascending order.
- An Access Control List (ACL) is defined to control
ingress and egress flows.
- NSG rules are based on the following five tuples:
- Source IP
- Source Port
- Destination IP
- Destination Port
- Protocol
Peering
- Allows two VMs on different VNets to communicate.
- Enables connection between subnets on different
VNets.
Azure DNS (Domain Name System)
- Can be used to resolve local hostnames, also known
as private domain names.
- It’s a private DNS available over the internet.
VPN (Virtual Private Network)
- Encrypts traffic between two points.
- A VPN physical device must be installed on a
private/on-premises network to establish a VPN connection.
- Azure provides a VPN Gateway to be installed on the
Azure network to establish the VPN connection.
- The VPN Gateway needs to be installed on a separate
subnet.
- Desktop to office VPN connection is also called
Point-to-Site (P2S) VPN connection.
- Network-to-network (on-premises to cloud)
connection is called Site-to-Site (S2S) VPN connection.
ExpressRoute
- Provides a direct wired connection to Azure.
- Offers low latency connection.
- Connection is established from an Internet Service
Provider (ISP) to Azure.
- It’s a private connection.
Azure Storage:
- Container Storage (Blob Storage): Used
to store objects.
- File Storage
- Queue Storage
- Table Storage
- Disk Storage: Used for VM storage,
including SSD, SSDv2, and Ultra Disk (Solid State Drives).
General Purpose (GP) Storage:
- Data Lakes: Used for high volume and
large size data storage.
Container Storage:
- Stores unstructured data/files.
- Can be public or private.
- It’s a regional service and can be created in any
region.
- Provides redundancy services, storing files in
multiple zones or fault domains.
- Offers global redundancy, storing files across
multiple regions.
- Data is stored in four tiers:
- HOT: Frequently accessed, balanced
cost.
- COOL: Infrequent access, cheaper
storage, expensive retrieval. 30 days
- COLD: More than 90 Days
- ARCHIVE: Very cheap, used for data
archival. 180 days
Creating a Storage Account:
- Generates a unique URL to access files.
- Options include:
- LRS: Local Redundancy Service
- ZRS: Zonal Redundancy Service
- GRS: Geo/Global Redundancy Service
- GZRS: Geo Zonal Redundancy Service
- Enable versioning.
- Enable event notifications to track changes.
- Make files immutable.
- Files are encrypted by default using Microsoft
Managed Keys (MMK).
Inside a Storage Account:
- Create specific storage types such as Container,
File, Queue, or Table.
- Generate a Shared Access Signature (SAS) at the
Container/File/Account level to access files.
- Create lifecycle management rules to move files
between tiers.
- Use Azure Storage Explorer desktop app to access
files.
- Use AzCopy to copy files between containers on
different subscriptions or within the same subscription:
- AzCopy copy 'Source SAS URL' 'Destination SAS URL'
Azure File Storage:
- Follows a hierarchical structure.
- Can be mounted to VM machines and added as a drive.
- Supports SMB (Server Message Blocks) and NFS
(Network File Storage) protocols:
- SMB: All platforms.
- NFS: Linux.
- Azure File Sync: Allows applications to
use both on-premises and cloud file storage, with binaries on-premises and
app files in the cloud.
Azure Migrate:
- Tool to perform assessment and migrate servers. It
discovers, assesses, and migrates servers.
Azure Data Box:
- Comes in three flavors: Data Box, Data Box Disk,
and Data Box Heavy, to move files from on-premises to the cloud.
- A person, application, or device can have an
identity. Devices can include printers, etc.
- Azure Active Directory (Azure AD) is
now called Microsoft Entra ID.
- Active Directory runs on a server and
handles many identities.
- Entra ID is not a replacement for
Active Directory; it is the cloud version of Active Directory.
- Active Directory uses LDAP and Kerberos protocols
for communication.
- Entra ID uses SAML and OAuth protocols for
communication.
- Can integrate Entra with Azure cloud services.
- Supports SSO and federations using social media
authentications.
- Entra ID - Conditional Access: A paid
service used to detect unexpected, suspicious attempts (from different
geo-locations, new IPs, etc.). Based on the assessment, it enforces MFA to
ensure the right user is accessing the application.
MFA - Multi-Factor
Authentication: A free service that includes:
- Something we know - Password
- Something we have - Token/Phone/Apps
- Something we are - Biometric
RBAC - Role-Based Access
Control:
- The premium version of Entra allows the creation of
custom roles.
- Pre-built roles can be used for access control.
- Start with least privileges and extend access as
needed.
- Three basic roles:
- Reader
- Contributor: Full access but cannot
assign permissions to others.
- Owner: Full access and can assign
permissions.
Zero Trust Policy Model:
- Verify every access attempts.
- Use least privilege.
- JIT - Just-In-Time Access: Elevate
access for a specific short period and then revert it.
- JEA - Just-Enough-Access
Microsoft Defender:
- A paid service that includes a list of security
products to enhance security.
- Checks security setups and detects threats.
Azure Management and Governance
Factors Affecting Costs:
- Time: Charged on an hourly basis.
- Consumption of Storage, Compute, and Bandwidth:
Functions are charged based on consumption.
- Service Tiers: Basic, Standard, Premium
(e.g., Entra ID).
- Computing Power: CPU/RAM.
- Software Licenses.
- Egress Bandwidth Charges.
- Ingress Bandwidth: Free.
Tools and Concepts:
- Azure Pricing Calculator: Calculate usage
charges upfront.
- TCO (Total Cost of Ownership): Helps
determine the cost incurred for owning and using Azure services.
- Cost Management: Analyze costs, perform
budgeting, create cost reports, etc.
- Automated Tags: Policies can be created to
add automated tags.
Governance and Compliance:
- Implementation: Security, legal governance,
etc., set at the company level.
- Sample Rules:
- All servers must run on the latest supported
Microsoft versions.
- All servers must be backed up every 24 hours.
- All firewalls must block requests other than those
on port 443 from external IPs.
- Policy Management:
- Deploy resources using ARM templates.
- Use prebuilt or custom JSON policies to manage
rules.
- Demo:
- Azure Portal -> Search for Policy.
- Definitions -> Search for Policy.
- Select the specific policy to apply.
- Select Assign.
- Select the Scope (Subscription).
- Select the Resource Group to apply the policy.
- Resource Locks: Prevent deletion or changes.
- Read-Only Lock.
- Delete Lock.
- Microsoft Purview: Data governance rules.
CLI Commands:
- Commands Start with AZ:
- az.
- The AZ PowerShell module can be used for executing
AZ commands.
Azure Arc:
- Management: Manage VMs, containers, and
physical servers outside Azure.
- Compatibility: Supports on-premises or other
cloud providers.
- Data Services: Supported.
- Kubernetes Cluster Management.
- VM Extensions: Required for server
management.
IaC (Infrastructure as Code):
- Tools:
- ARM Templates (JSON files).
- Terraform.
- Bicep.
- Chef, Puppet.
- PowerShell scripts.
- ARM (Azure Resource Manager):
- Management layer for all commands, API calls, and
portal actions.
- Authenticates commands/actions and passes them to
create/modify resources.
Monitoring Tools:
- Azure Advisor:
- Dashboard displays status and recommendations.
- Categories: Cost, Security, Reliability,
Operational Excellence, Performance, Service Health.
- Managed Service Status:
- Monitor Azure service status.
- Create alerting rules for unplanned outages.
- Provides historical status.
- Azure Monitor:
- Centralized monitoring tool.
- Tracks logging and analytics across the account.
- Enable insights at the service level to capture
logs and display on the monitor dashboard.
- Query logs using Kusto Query Language (KQL).
- Use metrics to monitor graphs.
!
