P5: Identity & Governance

Describe identity, governance, privacy, and compliance features (20-25%)

Describe core Azure identity services

  • explain the difference between authentication and authorization

  • define Azure Active Directory

  • describe the functionality and usage of Azure Active Directory

  • describe the functionality and usage of Conditional Access, Multi-Factor Authentication (MFA), and Single Sign-On (SSO)

Describe Azure governance features

  • describe the functionality and usage of Role-Based Access Control (RBAC)

  • describe the functionality and usage of resource locks

  • describe the functionality and usage of tags

  • describe the functionality and usage of Azure Policy

  • describe the functionality and usage of Azure Blueprints

  • describe the Cloud Adoption Framework for Azure


Describe privacy and compliance resources

  • describe the Microsoft core tenets of Security, Privacy, and Compliance

  • describe the purpose of the Microsoft Privacy Statement, Product Terms site, and Data Protection Addendum (DPA)

  • describe the purpose of the Trust Center

  • describe the purpose of the Azure compliance documentation

  • describe the purpose of Azure Sovereign Regions (Azure Government cloud services and Azure China cloud services)


5.1 Introduction

With the rise of remote work, bring your own device (BYOD), mobile applications, and cloud applications, the primary security boundary has shifted from firewalls and physical access controls to identity.

Understanding who is using your systems and what they have permission to do are critical to keeping your data safe from attackers. To stay organized, manage costs, and meet your compliance goals, you need a good cloud governance strategy.

Learn how Azure can help you secure access to cloud resources, what it means to build a cloud governance strategy, and how Azure adheres to common regulatory and compliance standards.

Traditionally, protecting access to systems and data involved the on-premises network perimeter and physical access controls.

With people increasingly able to work from anywhere, plus the rise of bring your own device (BYOD) strategies, mobile applications, and cloud applications, many of those access points are now outside the company's physical networks.

Identity has become the new primary security boundary. Accurately proving that someone is a valid user of your system, with an appropriate level of access, is critical to maintaining control of your data. This identity layer is now more often the target of attack than the network is.

Meet Tailwind Traders

Tailwind Traders is a fictitious home improvement retailer. It operates retail hardware stores across the globe and online.

Tailwind Traders specializes in competitive pricing, fast shipping, and a large range of items. It's looking at cloud technologies to improve business operations and support growth into new markets. By moving to the cloud, the company plans to enhance its shopping experience to further differentiate itself from competitors.

How will Tailwind Traders secure access to its cloud applications?

The mobile workforce of Tailwind Traders is increasing, as are the number of applications that the company runs in the cloud.

Retail employees located around the world are issued tablet devices from which they can create orders for customers, track delivery schedules, and plan their work schedules.

Delivery drivers can use their own mobile devices to access scheduling and logistics applications. Some delivery drivers are permanent employees of Tailwind Traders. Others work on short-term contract.

Tailwind Traders uses Active Directory to secure its on-premises environment. It needs to ensure that only employees can sign in and access the company's business applications. It also needs to ensure that short-term staff can access these applications only when they're under active contract.

How can Azure Active Directory (Azure AD) help Tailwind Traders consistently secure all of its applications accessed from the intranet and from public networks?

Learning objectives

After completing this module, you'll be able to:

  • Explain the difference between authentication and authorization.

  • Describe how Azure AD provides identity and access management.

  • Explain the role that single sign-on (SSO), multifactor authentication, and Conditional Access play in managing user identity.


5.1.2 Compare authentication and authorization

Recall that Tailwind Traders must ensure that only employees can sign in and access its business applications.

Tailwind Traders also needs to ensure that employees can access only authorized applications. For example, all employees can access inventory and pricing software, but only store managers can access payroll and certain accounting software.

Two fundamental concepts that you need to understand when talking about identity and access are authentication (AuthN) and authorization (AuthZ).

Authentication and authorization both support everything else that happens. They occur sequentially in the identity and access process.

Let's take a brief look at each.


What is authentication?

Authentication is the process of establishing the identity of a person or service that wants to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control. It establishes whether the user is who they say they are.

What is authorization?

Authentication establishes the user's identity, but authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they're allowed to access and what they can do with it.

How are authentication and authorization related?

Think of an identification card: it represents the credentials that the user has to prove their identity (you'll learn more about the types of credentials later in this module). Once the user is authenticated, authorization defines what kinds of applications, resources, and data that user can access.

5.1.3 What is Azure Active Directory?

In this part, you learn how Azure Active Directory (Azure AD) provides identity services that enable your users to sign in and access both Microsoft cloud applications and cloud applications that you develop. You also learn how Azure AD supports single sign-on (SSO).

Tailwind Traders already uses Active Directory to secure its on-premises environments. The company doesn't want its users to have a different username and password to remember for accessing applications and data in the cloud. Can the company integrate its existing Active Directory instance with cloud identity services to create a seamless experience for its users?

Let's start with how Azure AD compares to Active Directory.

How does Azure AD compare to Active Directory?

Active Directory is related to Azure AD, but they have some key differences.

Microsoft introduced Active Directory in Windows 2000 to give organizations the ability to manage multiple on-premises infrastructure components and systems by using a single identity per user.

For on-premises environments, Active Directory running on Windows Server provides an identity and access management service that's managed by your own organization. Azure AD is Microsoft's cloud-based identity and access management service. With Azure AD, you control the identity accounts, but Microsoft ensures that the service is available globally. If you've worked with Active Directory, Azure AD will be familiar to you.

When you secure identities on-premises with Active Directory, Microsoft doesn't monitor sign-in attempts. When you connect Active Directory with Azure AD, Microsoft can help protect you by detecting suspicious sign-in attempts at no extra cost. For example, Azure AD can detect sign-in attempts from unexpected locations or unknown devices.

Who uses Azure AD?

Azure AD is for:

· IT administrators

Administrators can use Azure AD to control access to applications and resources based on their business requirements.

· App developers

Developers can use Azure AD to provide a standards-based approach for adding functionality to applications that they build, such as adding SSO functionality to an app or enabling an app to work with a user's existing credentials.

· Users

Users can manage their identities. For example, self-service password reset enables users to change or reset their password with no involvement from an IT administrator or help desk.

· Online service subscribers

Microsoft 365, Microsoft Office 365, Azure, and Microsoft Dynamics CRM Online subscribers are already using Azure AD.

A tenant is a representation of an organization. A tenant is typically separated from other tenants and has its own identity.

Each Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is automatically an Azure AD tenant.


What services does Azure AD provide?

Azure AD provides services such as:

· Authentication

This includes verifying identity to access applications and resources. It also includes providing functionality such as self-service password reset, multifactor authentication, a custom list of banned passwords, and smart lockout services.

· Single sign-on

SSO enables you to remember only one username and one password to access multiple applications. A single identity is tied to a user, which simplifies the security model. As users change roles or leave an organization, access modifications are tied to that identity, which greatly reduces the effort needed to change or disable accounts.

· Application management

You can manage your cloud and on-premises apps by using Azure AD. Features like Application Proxy, SaaS apps, the My Apps portal (also called the access panel), and single sign-on provide a better user experience.

· Device management

Along with accounts for individual people, Azure AD supports the registration of devices. Registration enables devices to be managed through tools like Microsoft Intune. It also allows for device-based conditional access policies to restrict access attempts to only those coming from known devices, regardless of the requesting user account.

What kinds of resources can Azure AD help secure?

Azure AD helps users access both external and internal resources.

External resources might include Microsoft Office 365, the Azure portal, and thousands of other software as a service (SaaS) applications.

Internal resources might include apps on your corporate network and intranet, along with any cloud applications developed within your organization.


What's single sign-on?

Single sign-on enables a user to sign in one time and use that credential to access multiple resources and applications from different providers.

More identities mean more passwords to remember and change. Password policies can vary among applications. As complexity requirements increase, it becomes increasingly difficult for users to remember them. The more passwords a user has to manage, the greater the risk of a credential-related security incident.

Consider the process of managing all those identities. Additional strain is placed on help desks as they deal with account lockouts and password reset requests. If a user leaves an organization, tracking down all those identities and ensuring they are disabled can be challenging. If an identity is overlooked, this might allow access when it should have been eliminated.

With SSO, you need to remember only one ID and one password. Access across applications is granted to a single identity that's tied to the user, which simplifies the security model. As users change roles or leave an organization, access is tied to a single identity. This change greatly reduces the effort needed to change or disable accounts. Using SSO for accounts makes it easier for users to manage their identities and increases your security capabilities.

You'll find resources at the end of this module about how to enable SSO through Azure AD.

How can I connect Active Directory with Azure AD?

Connecting Active Directory with Azure AD enables you to provide a consistent identity experience to your users.

There are a few ways to connect your existing Active Directory installation with Azure AD. Perhaps the most popular method is to use Azure AD Connect.

Azure AD Connect synchronizes user identities between on-premises Active Directory and Azure AD. Azure AD Connect synchronizes changes between both identity systems, so you can use features like SSO, multifactor authentication, and self-service password reset under both systems. Self-service password reset prevents users from using known compromised passwords.

As Tailwind Traders integrates its existing Active Directory instance with Azure AD, it creates a consistent access model across its organization. Doing so greatly simplifies its ability to sign in to different applications, manage changes to user identities and control, and monitor and block unusual access attempts.


5.1.4 What are multifactor authentication and Conditional Access?

Tailwind Traders allows delivery drivers to use their own mobile devices to access scheduling and logistics applications. Some delivery drivers are permanent employees of Tailwind Traders. Others work on short-term contract. How can the IT department ensure that an access attempt is really from a valid Tailwind Traders worker?

In this part, you'll learn about two processes that enable secure authentication: Azure AD Multi-Factor Authentication and Conditional Access. Let's start with a brief look at what multifactor authentication is in general.

What's multifactor authentication?

Multifactor authentication is a process where a user is prompted during the sign-in process for an additional form of identification. Examples include a code on their mobile phone or a fingerprint scan.

Think about how you sign in to websites, email, or online gaming services. In addition to your username and password, have you ever needed to enter a code that was sent to your phone? If so, you've used multifactor authentication to sign in.

Multifactor authentication provides additional security for your identities by requiring two or more elements to fully authenticate.

These elements fall into three categories:

· Something the user knows

This might be an email address and password.

· Something the user has

This might be a code that's sent to the user's mobile phone.

· Something the user is

This is typically some sort of biometric property, such as a fingerprint or face scan that's used on many mobile devices.

Multifactor authentication increases identity security by limiting the impact of credential exposure (for example, stolen usernames and passwords). With multifactor authentication enabled, an attacker who has a user's password would also need to have possession of their phone or their fingerprint to fully authenticate.

Compare multifactor authentication with single-factor authentication. Under single-factor authentication, an attacker would need only a username and password to authenticate. Multifactor authentication should be enabled wherever possible because it adds enormous benefits to security.
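The "code on their mobile phone" factor above is usually a time-based one-time password (TOTP, RFC 6238): the phone and the service share a secret and each derives the same six-digit code from the current 30-second time step, so an attacker holding only the password cannot produce it. The following is an added example written for this study guide, not code from the module or from Microsoft; it implements HOTP/TOTP with the standard library and a two-factor sign-in that checks the password first and the code second. The user record, salt and password are constructed for the example; the TOTP secret is the RFC 6238 reference key, used so the codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# RFC 6238 TOTP: the counter is the number of `step`-second intervals since the Unix epoch.
def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(at_time) // step, digits)

def verify_totp(secret: bytes, submitted: str, at_time=None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current code plus `window` steps either side to tolerate clock drift."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        # Constant-time comparison: don't leak how many digits matched.
        if hmac.compare_digest(expected, submitted):
            return True
    return False

# Constructed test identity (not a real account). RFC_SECRET is the RFC 6238
# reference key; SALT and the password are made up for this example.
RFC_SECRET = b"12345678901234567890"
SALT = b"constructed-per-user-salt"
PBKDF2_ROUNDS = 100_000
USERS = {
    "driver01": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, PBKDF2_ROUNDS),
        "totp_secret": RFC_SECRET,
    }
}
# Hash compared against for unknown users so timing doesn't reveal whether a name exists.
DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", SALT, PBKDF2_ROUNDS)

def sign_in(username: str, password: str, code: str, at_time=None):
    """Two-factor sign-in: password (something the user knows), then TOTP (something
    the user has). Returns (allowed, reason); the reason is for the audit log, not
    for the person signing in, who should only see a generic failure."""
    user = USERS.get(username)
    stored = user["pw_hash"] if user else DUMMY_HASH
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, stored)
    if user is None:
        return False, "unknown_user"
    if not password_ok:
        return False, "password_rejected"
    if not verify_totp(user["totp_secret"], code, at_time):
        return False, "second_factor_rejected"
    return True, "ok"

if __name__ == "__main__":
    now = time.time()
    print("current code for driver01:", totp(RFC_SECRET, now))
    print(sign_in("driver01", "correct horse", totp(RFC_SECRET, now)))
```

The `window` parameter is the usual trade-off: a wider window tolerates more clock skew on the phone but also lets a captured code stay valid for longer, which is why production validators also record the last counter accepted and refuse to accept it a second time.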

What's Azure AD Multi-Factor Authentication?

Azure AD Multi-Factor Authentication is a Microsoft service that provides multifactor authentication capabilities. Azure AD Multi-Factor Authentication enables users to choose an additional form of authentication during sign-in, such as a phone call or mobile app notification.

These services provide Azure AD Multi-Factor Authentication capabilities:

· Azure Active Directory

The Azure Active Directory free edition enables Azure AD Multi-Factor Authentication for administrators with the global admin level of access, via the Microsoft Authenticator app, phone call, or SMS code. You can also enforce Azure AD Multi-Factor Authentication for all users via the Microsoft Authenticator app only, by enabling security defaults in your Azure AD tenant.

Azure Active Directory Premium (P1 or P2 licenses) allows for comprehensive and granular configuration of Azure AD Multi-Factor Authentication through Conditional Access policies (explained shortly).

· Multifactor authentication for Office 365

A subset of Azure AD Multi-Factor Authentication capabilities is part of your Office 365 subscription.

For more information on licenses and Azure AD Multi-Factor Authentication capabilities, see Available versions of Azure AD Multi-Factor Authentication.

What's Conditional Access?

Conditional Access is useful when you need to:

· Require multifactor authentication to access an application.

You can configure whether all users require multifactor authentication or only certain users, such as administrators.

You can also configure whether multifactor authentication applies to access from all networks or only untrusted networks.

· Require access to services only through approved client applications.

For example, you might want to allow users to access Office 365 services from a mobile device as long as they use approved client apps, like the Outlook mobile app.

· Require users to access your application only from managed devices.

A managed device is a device that meets your standards for security and compliance.

· Block access from untrusted sources, such as access from unknown or unexpected locations.

Conditional Access comes with a What If tool, which helps you plan and troubleshoot your Conditional Access policies. You can use this tool to model your proposed Conditional Access policies across recent sign-in attempts from your users to see what the impact would have been if those policies had been enabled. The What If tool enables you to test your proposed Conditional Access policies before you implement them.
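To make the What If idea concrete, here is an added example (written for this study guide, not Microsoft's What If tool or any Azure API) that models the four policy types listed above and replays a constructed sign-in log against them. The `SignIn` fields, the policy names and the log entries are all made up; the evaluation order reflects how the controls behave in practice: a block wins outright, a device or client-app requirement the attempt cannot satisfy also ends in a block, and only then is MFA prompted for.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class SignIn:
    """One sign-in attempt; constructed fields standing in for the signals a policy evaluates."""
    user: str
    is_admin: bool
    app: str
    platform: str          # "windows", "ios" or "android"
    trusted_network: bool  # coming from a trusted network?
    known_location: bool   # coming from an expected location?
    managed_device: bool   # device meets your security and compliance standards?
    approved_client: bool  # using an approved client app, e.g. the Outlook mobile app?

@dataclass(frozen=True)
class Policy:
    name: str
    applies: Callable[[SignIn], bool]
    control: str  # "block", "require_mfa", "require_managed_device" or "require_approved_client"

def evaluate_sign_in(signin: SignIn, policies: List[Policy]) -> Tuple[str, List[str]]:
    """Return (decision, names of the policies that applied)."""
    applied = [p for p in policies if p.applies(signin)]
    names = [p.name for p in applied]
    if any(p.control == "block" for p in applied):
        return "blocked", names
    # Device and client-app controls can't be satisfied interactively: an attempt
    # that fails them is blocked even if MFA would otherwise have been offered.
    if any(p.control == "require_managed_device" and not signin.managed_device for p in applied):
        return "blocked", names
    if any(p.control == "require_approved_client" and not signin.approved_client for p in applied):
        return "blocked", names
    if any(p.control == "require_mfa" for p in applied):
        return "mfa_required", names
    return "allowed", names

# Proposed policies, one per bullet above (constructed for the example).
PROPOSED_POLICIES = [
    Policy("Admins: require MFA everywhere", lambda s: s.is_admin, "require_mfa"),
    Policy("All users: require MFA from untrusted networks",
           lambda s: not s.trusted_network, "require_mfa"),
    Policy("Office 365 on mobile: approved client apps only",
           lambda s: s.app == "Office 365" and s.platform in ("ios", "android"),
           "require_approved_client"),
    Policy("Payroll: managed devices only", lambda s: s.app == "Payroll", "require_managed_device"),
    Policy("Block sign-ins from unknown locations", lambda s: not s.known_location, "block"),
]

# Constructed "recent sign-ins" to replay the proposed policies against.
SIGN_IN_LOG = [
    SignIn("alice", True,  "Azure portal", "windows", True,  True,  True,  True),
    SignIn("bob",   False, "Inventory",    "windows", True,  True,  True,  True),
    SignIn("carol", False, "Scheduling",   "android", False, True,  False, True),
    SignIn("dave",  False, "Payroll",      "ios",     False, True,  False, True),
    SignIn("erin",  False, "Office 365",   "android", False, True,  False, False),
    SignIn("frank", False, "Inventory",    "windows", False, False, True,  True),
]

def what_if(sign_ins: List[SignIn], policies: List[Policy]) -> Counter:
    """Summarise what would have happened to each past sign-in under the proposed policies."""
    return Counter(evaluate_sign_in(s, policies)[0] for s in sign_ins)

if __name__ == "__main__":
    for s in SIGN_IN_LOG:
        decision, names = evaluate_sign_in(s, PROPOSED_POLICIES)
        print(f"{s.user:6} {s.app:13} -> {decision:13} {names}")
    print(what_if(SIGN_IN_LOG, PROPOSED_POLICIES))
```

Running the replay before enabling the policies is the point: a result such as three blocks out of six sign-ins tells you which existing workflows (here, a driver on an unmanaged phone reaching Payroll) would break, so you can fix the device enrolment or adjust the policy scope first.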

Where is Conditional Access available?

To use Conditional Access, you need an Azure AD Premium P1 or P2 license. If you have a Microsoft 365 Business Premium license, you also have access to Conditional Access features.


5.1.5 Knowledge check

1. How can the IT department ensure that employees at the company's retail stores can access company applications only from approved tablet devices?

o SSO

o Conditional Access

o Multifactor authentication

Answer: Conditional Access. Conditional Access enables you to require users to access your applications only from approved, or managed, devices.

2. How can the IT department use biometric properties, such as facial recognition, to enable delivery drivers to prove their identities?

o SSO

o Conditional Access

o Multifactor authentication

Answer: Multifactor authentication. Authenticating through multifactor authentication can include something the user knows, something the user has, and something the user is.

3. How can the IT department reduce the number of times users must authenticate to access multiple applications?

o SSO

o Conditional Access

o Multifactor authentication

Answer: SSO. SSO enables a user to remember only one ID and one password to access multiple applications.


5.2 Build a cloud governance strategy on Azure


Learn how access policies, resource locks, and tags, as well as Azure services such as Azure Policy and Azure Blueprints, can help you build a comprehensive cloud governance strategy.

5.2.1 Introduction

The term governance describes the general process of establishing rules and policies and ensuring that those rules and policies are enforced.

When running in the cloud, a good governance strategy helps you maintain control over the applications and resources that you manage in the cloud. Maintaining control over your environment ensures that you stay compliant with:

  • Industry standards, like PCI DSS.

  • Corporate or organizational standards, such as ensuring that network data is encrypted.

Governance is most beneficial when you have:

  • Multiple engineering teams working in Azure.

  • Multiple subscriptions to manage.

  • Regulatory requirements that must be enforced.

  • Standards that must be followed for all cloud resources.


Meet Tailwind Traders

Tailwind Traders is a fictitious home improvement retailer. It operates retail hardware stores across the globe and online.

Tailwind Traders specializes in competitive pricing, fast shipping, and a large range of items. It's looking at cloud technologies to improve business operations and support growth into new markets. By moving to the cloud, the company plans to enhance its shopping experience to further differentiate itself from competitors.

How will Tailwind Traders improve agility while maintaining control?

Tailwind Traders is continuing its migration to the cloud. For its existing datacenter, development and test teams must submit support tickets to request access to virtual machines, storage, and networking components. It can take IT staff anywhere from two weeks to two months to purchase, provision, and configure these components.

By working in the cloud, you essentially have immediate access to compute, storage, and networking components. Many kinds of groups and users, including people from development, test, operations, and security teams, can potentially have direct access to cloud resources.

Going forward, Tailwind Traders could enforce similar processes that prevent teams from directly creating or configuring resources on Azure, similar to its existing approach where central IT provisions infrastructure. But the company knows that these restrictions reduce team agility and the ability to innovate. How can they enable innovation while still maintaining control?

In this module, you'll help the company explore ways it can enforce standards while still enabling teams to create and manage the cloud resources they need.

Learning objectives

After completing this module, you'll be able to:

  • Make organizational decisions about your cloud environment by using the Cloud Adoption Framework for Azure.

  • Define who can access cloud resources by using Azure role-based access control.

  • Apply a resource lock to prevent accidental deletion of your Azure resources.

  • Apply tags to your Azure resources to help describe their purpose.

  • Control and audit how your resources are created by using Azure Policy.

  • Enable governance at scale across multiple Azure subscriptions by using Azure Blueprints.


5.2.2 Accelerate your cloud adoption journey by using the Cloud Adoption Framework for Azure

The Cloud Adoption Framework for Azure provides you with proven guidance to help with your cloud adoption journey. The Cloud Adoption Framework helps you create and implement the business and technology strategies needed to succeed in the cloud.

Tailwind Traders needs to control its cloud environment so that it complies with several industry standards, but it's not sure where to start. It has existing business requirements, and it understands how these requirements relate to its on-premises workloads. These requirements also must be met by any workloads it runs in the cloud.

You've been tasked with investigating what's available on Azure and to define and implement the governance strategy for Tailwind Traders. You decide to start with the Cloud Adoption Framework.


What's in the Cloud Adoption Framework?

https://www.microsoft.com/en-us/videoplayer/embed/RWEA1P?postJsllMsg=true

As mentioned in the video, Cloud Adoption Framework consists of tools, documentation, and proven practices. The Cloud Adoption Framework includes these stages:

1. Define your strategy.

2. Make a plan.

3. Ready your organization.

4. Adopt the cloud.

5. Govern and manage your cloud environments.


The govern stage focuses on cloud governance. You can refer back to the Cloud Adoption Framework for recommended guidance as you build your cloud governance strategy.

To help build your adoption strategy, the Cloud Adoption Framework breaks out each stage into further exercises and steps. Let's take a brief look at each stage.

Step 1: Define your strategy

Here, you answer why you're moving to the cloud and what you want to get out of cloud migration. Do you need to scale to meet demand or reach new markets? Will it reduce costs or increase business agility?

Here are the steps in this stage.

  1. Define and document your motivation: meeting with stakeholders and leadership can help you answer why you're moving to the cloud.

  2. Document business outcomes: meet with leadership from your finance, marketing, sales, and human resource groups to help you document your goals.

  3. Develop a business case: validate that moving to the cloud gives you the right return on investment (ROI) for your efforts.

  4. Choose the right first project: choose a project that's achievable but also shows progress toward your cloud migration goals.


Step 2: Make a plan

Here, you build a plan that maps your aspirational goals to specific actions. A good plan helps ensure that your efforts map to the desired business outcomes. Here are the steps in this stage.

  1. Digital estate: create an inventory of the existing digital assets and workloads that you plan to migrate to the cloud.

  2. Initial organisational alignment: ensure that the right people are involved in your organisation efforts, both from a technical standpoint as well as from a cloud governance standpoint.

  3. Skills readiness plan: build a plan that helps individuals build the skills they need to operate in the cloud.

  4. Cloud adoption plan: build a comprehensive plan that brings together the development, operations, and business teams towards a shared cloud adoption goal.


Step 3: Ready your organisation

Here you create a landing zone, or an environment in the cloud to begin hosting your workloads. Here are the steps in this stage.

  1. Azure setup guide: review the Azure setup guide to become familiar with the tools and approaches you need to use to create a landing zone.

  2. Azure landing zone: begin to build out the Azure subscriptions that support each of the major areas of your business. A landing zone includes cloud infrastructure as well as governance, accounting, and security capabilities.

  3. Expand the landing zone: refine your landing zone to ensure that it meets your operations, governance, and security needs.

  4. Best practices: start with recommended and proven practices to help ensure that your cloud migration efforts are scalable and maintainable.


Step 4: Adopt the cloud

Here, you begin to migrate your applications to the cloud. Along the way, you might find ways to modernise your applications and build innovative solutions that use cloud services. The Cloud Adoption Framework breaks this stage into two parts: migrate and innovate.

Migrate: here are the steps in the migrate part of this stage.

  1. Migrate your first workload: use the Azure migration guide to deploy your first project to the cloud.

  2. Migration scenarios: use additional in-depth guides to explore more complex migration scenarios.

  3. Best practices: check in with the Azure cloud migration best practices checklist to verify that you're following recommended practices.

  4. Process improvement: identify ways to make the migration process scale while requiring less effort.


Innovate: here are the steps in the innovate part of this stage.

  1. Business value consensus: verify that investments in new innovations add value to the business and meet customer needs.

  2. Azure innovation guide: use this guide to accelerate development and build a minimum viable product (MVP) for your idea.

  3. Best practices: verify that your progress maps to recommended practices before you move forward.

  4. Feedback loops: check in frequently with your customers to verify that you're building what they need.


Step 5: Govern and manage your cloud environments

Here, you begin to form your cloud governance and cloud management strategies. As the cloud estate changes over time, so do cloud governance processes and policies. You need to create resilient solutions that are constantly optimised.

Govern: here are the steps in the govern part of this stage.

  1. Methodology: consider your end state solution. Then define a methodology that incrementally takes you from your first steps all the way to full cloud governance.

  2. Benchmark: use the governance benchmark tool to assess your current state and future state to establish a vision for applying the framework.

  3. Initial governance foundation: create an MVP that captures the first steps of your governance plan.

  4. Improve the initial governance foundation: iteratively add governance controls that address tangible risks as you progress toward your end-state solution.

Manage: here are the steps in the manage part of this stage.

  1. Establish a management baseline: define your minimum commitment to operations management. A management baseline is the minimum set of tools and processes that should be applied to every asset in an environment.

  2. Define business commitments: document supported workloads to establish operational commitments with the business and agree on cloud management investments for each workload.

  3. Expand the management baseline: apply recommended best practices to iterate on your initial management baseline.

  4. Advanced operations and design principles: for workloads that require a higher level of business commitment, perform a deeper architecture review to deliver on your resiliency and reliability commitments.


5.2.3 Create a subscription governance strategy

In Plan and discuss Azure deployments, you learned that the organizing structure for resources in Azure has four levels:

1. management groups,

2. subscriptions,

3. resource groups, and

4. resources.


At the beginning of any cloud governance implementation, you identify a cloud organization structure that meets your business needs. This step often involves forming a cloud center of excellence team (also called a cloud enablement team or a cloud custodian team). This team is empowered to implement governance practices from a centralized location for the entire organization.

Teams often start their Azure governance strategy at the subscription level. There are three main aspects to consider when you create and manage subscriptions: billing, access control, and subscription limits.

Let's look at each of these aspects in more detail.

Billing

You can create one billing report per subscription. If you have multiple departments and need to do a "chargeback" of cloud costs, one possible solution is to organize subscriptions by department or by project.

Resource tags can also help. You'll explore tags later in this module. When you define how many subscriptions you need and what to name them, take into account your internal billing requirements.

Access control

A subscription is a deployment boundary for Azure resources. Every subscription is associated with an Azure Active Directory tenant. Each tenant provides administrators the ability to set granular access through defined roles by using Azure role-based access control.

When you design your subscription architecture, consider the deployment boundary factor. For example, do you need separate subscriptions for development and for production environments? With separate subscriptions, you can control access to each one separately and isolate their resources from one another.

Subscription limits

Subscriptions also have some resource limitations. For example, the maximum number of Azure ExpressRoute circuits per subscription is 10. Consider those limits during your design phase. If you'll need to exceed them, you might need to add more subscriptions. If you hit a hard limit, there's no flexibility to increase it.

Management groups are also available to assist with managing subscriptions. A management group manages access, policies, and compliance across multiple Azure subscriptions. You'll learn more about management groups later in this module.


5.2.4 Control access to cloud resources by using Azure role-based access control

When you have multiple IT and engineering teams, how can you control what access they have to the resources in your cloud environment? It's a good security practice to grant users only the rights they need to perform their job, and only to the relevant resources.

Instead of defining the detailed access requirements for each individual, and then updating access requirements when new resources are created, Azure enables you to control access through Azure role-based access control (Azure RBAC).

Azure provides built-in roles that describe common access rules for cloud resources. You can also define your own roles. Each role has an associated set of access permissions that relate to that role. When you assign individuals or groups to one or more roles, they receive all of the associated access permissions.

How is role-based access control applied to resources?

Role-based access control is applied to a scope, which is a resource or set of resources that this access applies to.

Scopes include:

• A management group (a collection of multiple subscriptions).

• A single subscription.

• A resource group.

• A single resource.

Observers, Users managing resources, Admins, and Automated processes illustrate the kinds of users or accounts that would typically be assigned each of the various roles.

When you grant access at a parent scope, those permissions are inherited by all child scopes. For example:

  • When you assign the Owner role to a user at the management group scope, that user can manage everything in all subscriptions within the management group.

  • When you assign the Reader role to a group at the subscription scope, the members of that group can view every resource group and resource within the subscription.

  • When you assign the Contributor role to an application at the resource group scope, the application can manage resources of all types within that resource group, but not other resource groups within the subscription.

When should I use Azure RBAC?

Use Azure RBAC when you need to:

• Allow one user to manage VMs in a subscription and another user to manage virtual networks.

• Allow a database administrator group to manage SQL databases in a subscription.

• Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets.

• Allow an application to access all resources in a resource group.

These are just a few examples. You'll find the complete list of built-in roles at the end of this module.

How is Azure RBAC enforced?

Azure RBAC is enforced on any action that's initiated against an Azure resource that passes through Azure Resource Manager. Resource Manager is a management service that provides a way to organize and secure your cloud resources.

You typically access Resource Manager from the Azure portal, Azure Cloud Shell, Azure PowerShell, and the Azure CLI. Azure RBAC doesn't enforce access permissions at the application or data level. Application security must be handled by your application.

RBAC uses an allow model. When you're assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. If one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you have both read and write permissions on that resource group.

Who does Azure RBAC apply to?

You can apply Azure RBAC to an individual person or to a group. You can also apply Azure RBAC to other special identity types, such as service principals and managed identities. These identity types are used by applications and services to automate access to Azure resources.

Tailwind Traders has the following teams with an interest in some part of their overall IT environment:

  • IT Administrators
    This team has ultimate ownership of technology assets, both on-premises and in the cloud. The team requires full control of all resources.

  • Backup and Disaster Recovery
    This team is responsible for managing the health of regular backups and invoking any data or system recoveries.

  • Cost and Billing
    People in this team track and report on technology-related spend. They also manage the organization's internal budgets.

  • Security Operations
    This team monitors and responds to any technology-related security incidents. The team requires ongoing access to log files and security alerts.


How do I manage Azure RBAC permissions?

You manage access permissions on the Access control (IAM) pane in the Azure portal. This pane shows who has access to what scope and what roles apply. You can also grant or remove access from this pane.

5.2.5 Prevent accidental changes by using resource locks

A resource lock prevents resources from being accidentally deleted or changed.

Even with Azure role-based access control (Azure RBAC) policies in place, there's still a risk that people with the right level of access could delete critical cloud resources. Think of a resource lock as a warning system that reminds you that a resource should not be deleted or changed.

For example, at Tailwind Traders, an IT administrator was performing routine cleanup of unused resources in Azure. The admin accidentally deleted resources that appeared to be unused. But these resources were critical to an application that's used for seasonal promotions. How can resource locks help prevent this kind of incident from happening in the future?

How do I manage resource locks?

You can manage resource locks from the Azure portal, PowerShell, the Azure CLI, or from an Azure Resource Manager template.

To view, add, or delete locks in the Azure portal, open the resource and select Locks under Settings.

What levels of locking are available?

You can apply locks to a subscription, a resource group, or an individual resource. You can set the lock level to CanNotDelete or ReadOnly.

  • CanNotDelete means authorized people can still read and modify a resource, but they can't delete the resource without first removing the lock.

  • ReadOnly means authorized people can read a resource, but they can't delete or change the resource. Applying this lock is like restricting all authorized users to the permissions granted by the Reader role in Azure RBAC.
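The scope inheritance and allow model described under "How is role-based access control applied to resources?" and "How is Azure RBAC enforced?", together with the two lock levels just listed, can be traced with the small model below. It is an added example, not Azure's own authorization code or anything from the module: the scope tree, principals, trimmed-down role definitions and locks are constructed for the demonstration, and the resource IDs only follow the shape Azure Resource Manager uses.

```python
"""Toy model of Azure RBAC scope inheritance, its allow-only permission model,
and how a resource lock overrides the outcome. Added example, not Azure code:
the scope tree, principals, trimmed-down role definitions and locks below are
constructed for this demonstration."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterator, Optional

# Constructed resource IDs in the shape Azure Resource Manager uses.
MG = "/providers/Microsoft.Management/managementGroups/PROD-MG"
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"  # placeholder id
RG = SUB + "/resourceGroups/my-test-rg"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/promo-vm01"
VNET = RG + "/providers/Microsoft.Network/virtualNetworks/promo-vnet"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/tailwindpromosa"

# Scope tree, child -> parent. Resource Manager derives this from the ID;
# spelling it out keeps the inheritance walk easy to follow.
PARENT = {SUB: MG, RG: SUB, VM: RG, VNET: RG, STORAGE: RG}

# Trimmed-down role definitions: only the actions this example needs
# (the real built-in roles grant many more).
ROLE_ACTIONS = {
    "Owner": ("*",),
    "Reader": ("*/read",),
    "Virtual Machine Contributor": ("Microsoft.Compute/virtualMachines/*",),
}

def ancestors(scope: Optional[str]) -> Iterator[str]:
    """Yield the scope itself, then each parent up to the management group."""
    while scope is not None:
        yield scope
        scope = PARENT.get(scope)

@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str

@dataclass(frozen=True)
class ResourceLock:
    scope: str
    level: str  # "CanNotDelete" or "ReadOnly"

def rbac_allows(assignments, principal, action, scope) -> bool:
    """Allow model: the union of every action granted at this scope or any
    ancestor scope. No assignment can subtract a permission another grants."""
    inherited = set(ancestors(scope))
    for a in assignments:
        if a.principal != principal or a.scope not in inherited:
            continue
        if any(fnmatchcase(action, pattern) for pattern in ROLE_ACTIONS[a.role]):
            return True
    return False

def lock_blocks(locks, action, scope) -> Optional[str]:
    """Return the level of an inherited lock that blocks this action, or None.
    Locks apply to every principal, Owner included. Simplification: any action
    that is not a read is treated as a change."""
    is_delete = action.endswith("/delete")
    is_change = not action.endswith("/read")
    inherited = set(ancestors(scope))
    for lock in locks:
        if lock.scope not in inherited:
            continue
        if lock.level == "ReadOnly" and is_change:
            return "ReadOnly"
        if lock.level == "CanNotDelete" and is_delete:
            return "CanNotDelete"
    return None

def evaluate(assignments, locks, principal, action, scope) -> str:
    """RBAC decides whether the caller may attempt the action; a lock can
    still refuse it afterwards."""
    if not rbac_allows(assignments, principal, action, scope):
        return "denied: no role assignment grants this action"
    level = lock_blocks(locks, action, scope)
    if level:
        return f"denied: {level} lock on resource or parent scope"
    return "allowed"

# Constructed assignments following the module's inheritance examples.
ASSIGNMENTS = [
    RoleAssignment("it-admin", "Owner", MG),
    RoleAssignment("secops", "Reader", SUB),
    RoleAssignment("vm-operator", "Virtual Machine Contributor", RG),
]
LOCKS = [ResourceLock(RG, "CanNotDelete")]  # like rg-delete-lock in the exercise

if __name__ == "__main__":
    for principal, action, scope in [
        ("secops", "Microsoft.Compute/virtualMachines/read", VM),
        ("vm-operator", "Microsoft.Compute/virtualMachines/write", VM),
        ("vm-operator", "Microsoft.Network/virtualNetworks/write", VNET),
        ("it-admin", "Microsoft.Storage/storageAccounts/write", STORAGE),
        ("it-admin", "Microsoft.Storage/storageAccounts/delete", STORAGE),
    ]:
        print(f"{principal:12} {action:45} {evaluate(ASSIGNMENTS, LOCKS, principal, action, scope)}")
```

Two things the table of results makes visible: the Reader assigned at the subscription can read the VM two levels down, and the Owner assigned at the management group is still refused the delete while the CanNotDelete lock sits on the parent resource group, which is exactly the safety net the Tailwind Traders cleanup incident called for.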

Combine resource locks with Azure Blueprints

What if a cloud administrator accidentally deletes a resource lock? If the resource lock is removed, its associated resources can be changed or deleted.

To make the protection process more robust, you can combine resource locks with Azure Blueprints. Azure Blueprints enables you to define the set of standard Azure resources that your organization requires. For example, you can define a blueprint that specifies that a certain resource lock must exist. Azure Blueprints can automatically replace the resource lock if that lock is removed.

You'll learn more about Azure Blueprints later in this module.

5.2.6 Exercise - Protect a storage account from accidental deletion by using a resource lock

In this exercise, you see how resource locks help prevent accidental deletion of your Azure resources.

To do so, you create a resource group from the Azure portal. Think of a resource group as a container for related Azure resources. Then you add a lock to your resource group and verify that you can't delete the resource group.

You then add a storage account to your resource group and see how the lock from the parent resource group prevents the storage account from being deleted. A storage account is a container that groups a set of Azure Storage services together.

Important

You need your own Azure subscription to complete the exercises in this module. If you don't have an Azure subscription, you can still read along.

Create the resource group

Here you create a resource group that's named my-test-rg.

1. Go to the Azure portal and sign in.

2. At the top of the page, select Resource groups.

3. Select + New. The Create a resource group page appears.

4. In the Basics tab, fill in the fields.

  1. You can also select a region that's closer to you.

  2. Select Review + create, and then select Create.


Delete the resource group and the storage account

You no longer need your resource group or storage account. Here you remove both.

When you delete a resource group, you also delete its child resources, such as the storage account you previously created.

To delete the resource group, you first need to remove the resource lock.

1. From the Azure portal, select Home > Resource groups > my-test-rg to go to your resource group.

2. Under Settings, select Locks.

3. Locate rg-delete-lock, and select Delete on that same row.

4. Select Overview, and then select Delete resource group.

5. At the prompt, enter my-test-rg, and then select OK.

The deletion operation might take a few moments to complete.

6. When the operation completes, select Home > Resource groups.

You see that the my-test-rg resource group no longer exists in your account. Your storage account is also deleted.

Nice work. You can now apply resource locks to help prevent the accidental deletion of your Azure resources.


5.2.7 Organize your Azure resources by using tags

As your cloud usage grows, it's increasingly important to stay organized. A good organization strategy helps you understand your cloud usage and can help you manage costs.

For example, as Tailwind Traders prototypes new ways to deploy its applications on Azure, it needs a way to mark its test environments so that it can easily identify and delete resources in these environments when they're no longer needed.

One way to organize related resources is to place them in their own subscriptions. You can also use resource groups to manage related resources. Resource tags are another way to organize resources. Tags provide extra information, or metadata, about your resources. This metadata is useful for:

  • Resource management
    Tags enable you to locate and act on resources that are associated with specific workloads, environments, business units, and owners.

  • Cost management and optimization
    Tags enable you to group resources so that you can report on costs, allocate internal cost centers, track budgets, and forecast estimated cost.

  • Operations management
    Tags enable you to group resources according to how critical their availability is to your business. This grouping helps you formulate service-level agreements (SLAs). An SLA is an uptime or performance guarantee between you and your users.

  • Security
    Tags enable you to classify data by its security level, such as public or confidential.

  • Governance and regulatory compliance
    Tags enable you to identify resources that align with governance or regulatory compliance requirements, such as ISO 27001.

  • Workload optimization and automation
    Tags can help you visualize all of the resources that participate in complex deployments. For example, you might tag a resource with its associated workload or application name and use software such as Azure DevOps to perform automated tasks on those resources.

Tags can also be part of your standards enforcement efforts. For example, you might require that all resources be tagged with an owner or department name.

How do I manage resource tags?

You can add, modify, or delete resource tags through PowerShell, the Azure CLI, Azure Resource Manager templates, the REST API, or the Azure portal.

You can also manage tags by using Azure Policy. For example, you can apply tags to a resource group, but those tags aren't automatically applied to the resources within that resource group. You can use Azure Policy to ensure that a resource inherits the same tags as its parent resource group. You'll learn more about Azure Policy later in this module.

You can also use Azure Policy to enforce tagging rules and conventions. For example, you can require that certain tags be added to new resources as they're provisioned. You can also define rules that reapply tags that have been removed.


5.2.8 Control and audit your resources by using Azure Policy

Now that you've identified your governance and business requirements, how do you ensure that your resources stay compliant? How can you be alerted if a resource's configuration has changed?

Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. These policies enforce different rules and effects over your resource configurations so that those configurations stay compliant with corporate standards.

How does Azure Policy define policies?

Azure Policy enables you to define both individual policies and groups of related policies, known as initiatives. Azure Policy evaluates your resources and highlights resources that aren't compliant with the policies you've created. Azure Policy can also prevent noncompliant resources from being created.

Azure Policy comes with a number of built-in policy and initiative definitions that you can use, under categories such as Storage, Networking, Compute, Security Center, and Monitoring.

For example, say you define a policy that allows only a certain stock-keeping unit (SKU) size of virtual machines (VMs) to be used in your environment. After you enable this policy, that policy is applied when you create new VMs or resize existing VMs. Azure Policy also evaluates any current VMs in your environment.

In some cases, Azure Policy can automatically remediate noncompliant resources and configurations to ensure the integrity of the state of the resources. For example, if all resources in a certain resource group should be tagged with the AppName tag and a value of "SpecialOrders," Azure Policy can automatically reapply that tag if it has been removed.

Azure Policy also integrates with Azure DevOps by applying any continuous integration and delivery pipeline policies that apply to the pre-deployment and post-deployment phases of your applications.

Azure Policy in action

Implementing a policy in Azure Policy involves these three steps:

  1. Create a policy definition.

  2. Assign the definition to resources.

  3. Review the evaluation results.

Let's examine each step in more detail.

1. Create a policy definition

A policy definition expresses what to evaluate and what action to take. For example, you could prevent VMs from being deployed in certain Azure regions. You also could audit your storage accounts to verify that they only accept connections from allowed networks.

Every policy definition has conditions under which it's enforced. A policy definition also has an accompanying effect that takes place when the conditions are met. Here are some example policy definitions:

Allowed virtual machine SKUs

This policy enables you to specify a set of VM SKUs that your organization can deploy.

Allowed locations

This policy enables you to restrict the locations that your organization can specify when it deploys resources. Its effect is used to enforce your geographic compliance requirements.

MFA should be enabled on accounts with write permissions on your subscription

This policy requires that multifactor authentication (MFA) be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.

CORS should not allow every resource to access your web applications

Cross-origin resource sharing (CORS) is an HTTP feature that enables a web application running under one domain to access resources in another domain. For security reasons, modern web browsers restrict cross-origin requests by default (the same-origin policy). This policy allows only required domains to interact with your web app.

System updates should be installed on your machines

This policy enables Azure Security Center to recommend missing security system updates on your servers.


2. Assign the definition to resources

To implement your policy definitions, you assign definitions to resources. A policy assignment is a policy definition that takes place within a specific scope. This scope could be a management group (a collection of multiple subscriptions), a single subscription, or a resource group.

Policy assignments are inherited by all child resources within that scope. If a policy is applied to a resource group, that policy is applied to all resources within that resource group. You can exclude a subscope from the policy assignment if there are specific child resources you need to be exempt from the policy assignment.

3. Review the evaluation results

When a condition is evaluated against your existing resources, each resource is marked as compliant or noncompliant. You can review the noncompliant policy results and take any action that's needed.

Policy evaluation happens about once per hour. If you make changes to your policy definition and create a policy assignment, that policy is evaluated over your resources within the hour.
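The three steps above (definition, assignment with parameters at a scope, evaluation to compliant or noncompliant) and the tag-reapplication behaviour mentioned in the tags section and under "How does Azure Policy define policies?" can be seen end to end in the evaluator below. It is an added example, not the Azure Policy engine and not a definition shipped by Microsoft: it implements only the subset of the policy-rule language the two constructed definitions use (field conditions with equals/notEquals/in/notIn/exists, allOf/anyOf/not, `[parameters('...')]` references, and the deny, audit and modify effects), the "Allowed locations" rule is a simplified version of the built-in, the AppName tag definition is written for the module's SpecialOrders example, and the resource inventory is constructed sample data.

```python
"""Simplified evaluator for Azure Policy definitions. Added example, not the
Azure Policy engine; the two definitions and the resource inventory below are
constructed for this demonstration."""
import re
from copy import deepcopy

PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")
TAG_FIELD_RE = re.compile(r"^tags\['([^']+)'\]$")

def resolve(value, params):
    """Replace a "[parameters('x')]" reference with the assignment's value."""
    if isinstance(value, str):
        m = PARAM_RE.match(value)
        if m:
            return params[m.group(1)]
    return value

def field_value(resource, field):
    """Read a policy field from a resource: 'type', 'location' or tags['key']."""
    m = TAG_FIELD_RE.match(field)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(field)

def matches(condition, resource, params):
    """True when the 'if' condition matches, i.e. the resource is noncompliant."""
    if "not" in condition:
        return not matches(condition["not"], resource, params)
    if "allOf" in condition:
        return all(matches(c, resource, params) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource, params) for c in condition["anyOf"])
    actual = field_value(resource, condition["field"])
    if "equals" in condition:
        return actual == resolve(condition["equals"], params)
    if "notEquals" in condition:
        return actual != resolve(condition["notEquals"], params)
    if "in" in condition:
        return actual in resolve(condition["in"], params)
    if "notIn" in condition:
        return actual not in resolve(condition["notIn"], params)
    if "exists" in condition:
        return (actual is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {condition}")

def evaluate(definition, params, resource):
    """Return (compliant, effect, resource_after). For 'deny' the effect tells
    you the deployment would be blocked; for 'modify' a remediated copy of the
    resource is returned and the original is left untouched."""
    rule = definition["policyRule"]
    if not matches(rule["if"], resource, params):
        return True, None, resource
    effect = rule["then"]["effect"].lower()
    if effect == "modify":
        fixed = deepcopy(resource)
        for op in rule["then"]["details"]["operations"]:
            key = TAG_FIELD_RE.match(op["field"]).group(1)
            fixed.setdefault("tags", {})[key] = resolve(op["value"], params)
        return False, effect, fixed
    return False, effect, resource

def compliance_report(definition, params, resources):
    """Step 3 of the module: mark each resource compliant or noncompliant."""
    return {r["name"]: evaluate(definition, params, r)[0] for r in resources}

# Step 1, definition A: simplified "Allowed locations" (the built-in also
# excludes resource groups and a few global resource types).
ALLOWED_LOCATIONS = {
    "mode": "Indexed",
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"},
        ]},
        "then": {"effect": "deny"},
    },
}

# Step 1, definition B (constructed): reapply AppName when missing or wrong.
REQUIRE_APPNAME_TAG = {
    "mode": "Indexed",
    "parameters": {"tagValue": {"type": "String"}},
    "policyRule": {
        "if": {"field": "tags['AppName']", "notEquals": "[parameters('tagValue')]"},
        "then": {"effect": "modify", "details": {"operations": [
            {"operation": "addOrReplace", "field": "tags['AppName']",
             "value": "[parameters('tagValue')]"}]}},
    },
}

# Constructed inventory of a resource group, as step 3 would see it.
RESOURCES = [
    {"name": "promosa01", "type": "Microsoft.Storage/storageAccounts",
     "location": "eastus", "tags": {"AppName": "SpecialOrders"}},
    {"name": "promosa02", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "tags": {}},
    {"name": "promo-vm01", "type": "Microsoft.Compute/virtualMachines",
     "location": "eastus", "tags": {"AppName": "Legacy"}},
]

if __name__ == "__main__":
    # Step 2: the assignment supplies parameter values for the scope.
    print(compliance_report(ALLOWED_LOCATIONS, {"listOfAllowedLocations": ["eastus"]}, RESOURCES))
    print(compliance_report(REQUIRE_APPNAME_TAG, {"tagValue": "SpecialOrders"}, RESOURCES))
```

Note how the same definition is reused with different parameters at assignment time, which is the point made later about keeping one standard definition per scope; and that a deny effect reports noncompliance for resources that already exist, while it would block a new deployment outright.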

What are Azure Policy initiatives?

An Azure Policy initiative is a way of grouping related policies into one set. The initiative definition contains all of the policy definitions to help track your compliance state for a larger goal.

For example, Azure Policy includes an initiative named Enable Monitoring in Azure Security Center. Its goal is to monitor all of the available security recommendations for all Azure resource types in Azure Security Center.

Under this initiative, the following policy definitions are included:

Monitor unencrypted SQL Database in Security Center

This policy monitors for unencrypted SQL databases and servers.

Monitor OS vulnerabilities in Security Center

This policy monitors servers that don't satisfy the configured OS vulnerability baseline.

Monitor missing Endpoint Protection in Security Center

This policy monitors for servers that don't have an installed endpoint protection agent.

In fact, the Enable Monitoring in Azure Security Center initiative contains over 100 separate policy definitions.

Azure Policy also includes initiatives that support regulatory compliance standards such as HIPAA and ISO 27001.

How do I define an initiative?

You define initiatives by using the Azure portal or by using command-line tools. From the Azure portal, you can search the list of built-in initiatives that are already provided by Azure. You also can create your own custom policy definition.

How do I assign an initiative?

Like a policy assignment, an initiative assignment is an initiative definition that's assigned to a specific scope of a management group, a subscription, or a resource group.

Even if you have only a single policy, an initiative enables you to increase the number of policies over time. Because the associated initiative remains assigned, it's easier to add and remove policies without the need to change the policy assignment for your resources.


5.2.9 Exercise - Restrict deployments to a specific location by using Azure Policy

In this exercise, you create a policy in Azure Policy that restricts the deployment of Azure resources to a specific location. You verify the policy by attempting to create a storage account in a location that violates the policy.

Tailwind Traders wants to limit the location where resources can be deployed to the East US region. It has two reasons:

Improved cost tracking

To track costs, Tailwind Traders uses different subscriptions to track deployments to each of its regional locations. The policy will ensure that all resources are deployed to the East US region.

Adhere to data residency and security compliance

Tailwind Traders must adhere to a compliance rule that states where customer data can be stored. Here, customer data must be stored in the East US region.

Recall that you can assign a policy to a management group, a single subscription, or a resource group. Here, you assign the policy to a resource group so that policy doesn't affect any other resources in your Azure subscription.

Important

You need your own Azure subscription to complete the exercises in this module. If you don't have an Azure subscription, you can still read along.

For details please visit the source link included below.


5.2.10 Govern multiple subscriptions by using Azure Blueprints

So far, you've explored a number of Azure features that can help you implement your governance decisions, monitor the compliance of your cloud resources, and control access and protect critical resources from accidental deletion.

What happens when your cloud environment starts to grow beyond just one subscription? How can you scale the configuration of these features, knowing they need to be enforced for resources in new subscriptions?

Instead of having to configure features like Azure Policy for each new subscription, with Azure Blueprints you can define a repeatable set of governance tools and standard Azure resources that your organization requires. In this way, development teams can rapidly build and deploy new environments with the knowledge that they're building within organizational compliance with a set of built-in components that speed the development and deployment phases.

Azure Blueprints orchestrates the deployment of various resource templates and other artifacts, such as:

  • Role assignments

  • Policy assignments

  • Azure Resource Manager templates

  • Resource groups

Azure Blueprints in action

When you form a cloud center of excellence team or a cloud custodian team, that team can use Azure Blueprints to scale their governance practices throughout the organization.

Implementing a blueprint in Azure Blueprints involves these three steps:

1. Create an Azure blueprint.

2. Assign the blueprint.

3. Track the blueprint assignments.

With Azure Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. In other words, Azure creates a record that associates a resource with the blueprint that defines it. This connection helps you track and audit your deployments.

Blueprints are also versioned. Versioning enables you to track and comment on changes to your blueprint.


What are blueprint artifacts?

Each component in the blueprint definition is known as an artifact.

It is possible for artifacts to have no additional parameters (configurations). An example is the Deploy threat detection on SQL servers policy, which requires no additional configuration.

Artifacts can also contain one or more parameters that you can configure. The following screenshot shows the Allowed locations policy. This policy includes a parameter that specifies the allowed locations.

You can specify a parameter's value when you create the blueprint definition or when you assign the blueprint definition to a scope. In this way, you can maintain one standard blueprint but have the flexibility to specify the relevant configuration parameters at each scope where the definition is assigned.


How will Tailwind Traders use Azure Blueprints for ISO 27001 compliance?

ISO 27001 is a standard that applies to the security of IT systems, published by the International Organization for Standardization. As part of its quality process, Tailwind Traders wants to certify that it complies with this standard. Azure Blueprints has several built-in blueprint definitions that relate to ISO 27001.

As an IT administrator, you decide to investigate the ISO 27001: Shared Services Blueprint definition. Here's an outline of your plan.

1. Define a management group that's named PROD-MG.

Recall that a management group manages access, policies, and compliance across multiple Azure subscriptions. Every new Azure subscription is added to this management group when the subscription is created.

2. Create a blueprint definition that's based on the ISO 27001: Shared Services Blueprint template. Then publish the blueprint.

3. Assign the blueprint to your PROD-MG management group.


5.2.11 Knowledge check

1. How can Tailwind Traders allow some users to control the virtual machines in each environment but prevent them from modifying networking and other resources in the same resource group or Azure subscription?

o Create a role assignment through Azure role-based access control (Azure RBAC).
  Azure RBAC enables you to create roles that define access permissions. You might create one role that limits access only to virtual machines and a second role that provides administrators with access to everything.

o Create a policy in Azure Policy that audits resource usage.

o Split the environment into separate resource groups.

2. Which is the best way for Tailwind Traders to ensure that the team deploys only cost-effective virtual machine SKU sizes?

o Create a policy in Azure Policy that specifies the allowed SKU sizes.
  After you enable this policy, that policy is applied when you create new virtual machines or resize existing ones. Azure Policy also evaluates any current virtual machines in your environment.

o Periodically inspect the deployment manually to see which SKU sizes are used.

o Create an Azure RBAC role that defines the allowed virtual machine SKU sizes.

3. Which is likely the best way for Tailwind Traders to identify which billing department each Azure resource belongs to?

o Track resource usage in a spreadsheet.

o Split the deployment into separate Azure subscriptions, where each subscription belongs to its own billing department.

o Apply a tag to each resource that includes the associated billing department.
  Tags provide extra information, or metadata, about your resources. The team might create a tag that's named BillingDept whose value would be the name of the billing department. You can use Azure Policy to ensure that the proper tags are assigned when resources are provisioned.


5.2.12 Summary

You've been tasked with defining and implementing the governance strategy for Tailwind Traders.

Cloud governance requires good analysis and requirement gathering. Luckily, the Cloud Adoption Framework for Azure can help you define and implement your governance strategy. There are several services and features in Azure to support these efforts:

  • Azure role-based access control (Azure RBAC) enables you to create roles that define access permissions.

  • Resource locks prevent resources from being accidentally deleted or changed.

  • Resource tags provide extra information, or metadata, about your resources.

  • Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources.

  • Azure Blueprints enables you to define a repeatable set of governance tools and standard Azure resources that your organization requires.

With these points in mind, you're ready to take the next step toward building a good cloud governance strategy.



Learn more

The Control and organize Azure resources with Azure Resource Manager module is a good next step. There you'll go deeper on how to use Azure Resource Manager to organize resources, enforce standards, and protect critical assets from deletion.

Here are additional resources to help you go further:

For a more advanced topic, see Creating a custom policy definition. This tutorial gets you started.

5.3 Introduction to Azure virtual machines

8 Units

Learn about the decisions you make before creating a virtual machine, the options to create and manage the VM, and the extensions and services you use to manage your VM.

5.3.1 Introduction

Suppose you work for a company doing medical research and you're responsible for managing the on-premises servers. The servers you administer run all the company infrastructure, from web servers to databases. However, the hardware is aging and starting to struggle to keep up with some of the new data analysis applications being deployed to it.

You could upgrade all the hardware, but that's not appealing for several reasons:

  1. The servers are physically scattered all around the world with minimal staff in each location. We'd like to centralize the upgrade to our home office.

  2. The company runs custom data analysis software on several versions and flavors of Windows and Linux, sometimes set up with odd configurations that aren't entirely understood. We need a way to test our deployments completely and try different configurations to make sure everything is working before we transition the work.

  3. Business is booming, and the company is growing fast. It's likely that the load on the internal servers, particularly the databases, will continue to grow, requiring us to either buy for the future or come up with a scaling plan to handle the growth.

For these reasons, you decide that it's time to explore the cloud to see if it can help solve the load and scale problem. Since you have a bunch of mixed servers and custom software, it makes sense to look at trying to move servers one at a time into Azure using Azure Virtual Machines (VMs).

Azure VMs are one of several types of on-demand, scalable computing resources that Azure offers. With VMs, you have total control over the configuration and can install anything you need to perform the work. You don't need to purchase physical hardware when you need to scale or extend your datacenter. Finally, Azure provides additional services to monitor, secure, and manage updates and patches to the OS.

We're going to look at the decisions made before creating a VM, the options to create and manage the VM, and the extensions and services you use to manage your VM.

Learning objectives

In this module, you will:

  • Compile a checklist for creating a virtual machine

  • Describe the options to create and manage virtual machines

  • Describe the additional services available to administer virtual machines


5.3.2 Compile a checklist for creating an Azure Virtual Machine

Performing a migration of on-premises servers to Azure requires planning and care. You can move them all at once, or more likely, in small batches or even individually. Before you create a single VM, you should sit down and sketch out your current infrastructure model and see how it might map to the cloud.

Video: Required resources for IaaS Virtual Machines (https://www.microsoft.com/en-us/videoplayer/embed/RWjVUg?postJsllMsg=true)

Let's walk through a checklist of things to think about.

  1. Start with the network

  2. Name the VM

  3. Decide the location for the VM

  4. Determine the size of the VM

  5. Understand the pricing model

  6. Storage for the VM

  7. Select an operating system

Start with the network

The first thing you should think about isn't the virtual machine at all - it's the network.

Virtual networks (VNets) are used in Azure to provide private connectivity between Azure Virtual Machines and other Azure services. VMs and services that are part of the same virtual network can access one another. By default, services outside the virtual network cannot connect to services within the virtual network. You can, however, configure the network to allow access to the external service, including your on-premises servers.

This latter point is why you should spend some time thinking about your network configuration. Network addresses and subnets are not trivial to change once you have them set up, and if you plan to connect your private company network to the Azure services, you will want to make sure you consider the topology before putting any VMs into place.

When you set up a virtual network, you specify the available address spaces, subnets, and security. If the VNet will be connected to other VNets, you must select address ranges that are not overlapping. This is the range of private addresses that the VMs and services in your network can use. You can use unroutable IP addresses such as 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16, or define your own range. Azure will treat any address range as part of the private VNet IP address space if it is only reachable within the VNet, within interconnected VNets, and from your on-premises location. If someone else is responsible for the internal networks, you should work with that person before selecting your address space to make sure there is no overlap and to let them know what space you want to use, so they don’t try to use the same range of IP addresses.

Segregate your network

After deciding the virtual network address space(s), you can create one or more subnets for your virtual network. You do this to break up your network into more manageable sections. For example, you might assign 10.1.0.0 to VMs, 10.2.0.0 to back-end services, and 10.3.0.0 to SQL Server VMs.

Note: Azure reserves the first four addresses and the last address in each subnet for its own use (network address, default gateway, two DNS mappings, and broadcast), so a subnet always yields five fewer usable addresses than its size suggests, and the smallest subnet Azure accepts is a /29.
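As an added example, not code from the module itself, the following Python script checks an address plan the way the paragraphs above describe: it flags VNet address spaces that overlap one another or an on-premises range, confirms each subnet sits inside its VNet without overlapping a sibling and is no smaller than the /29 minimum, and works out how many addresses a subnet really offers after Azure's five reserved ones. The VNet and subnet names and ranges are constructed for the example.

```python
import ipaddress

# Azure keeps 5 addresses per subnet: the network address, three for Azure services
# (default gateway and two DNS mappings), and the broadcast address.
AZURE_RESERVED_PER_SUBNET = 5
AZURE_MIN_SUBNET_PREFIX = 29


def overlapping_address_spaces(vnets):
    """Pairs of VNets whose address spaces overlap. Such VNets cannot be peered or
    attached to the same on-premises network without renumbering one of them.
    vnets: mapping of VNet name -> list of CIDR prefixes."""
    conflicts = []
    names = sorted(vnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for pa in vnets[a]:
                for pb in vnets[b]:
                    if ipaddress.ip_network(pa).overlaps(ipaddress.ip_network(pb)):
                        conflicts.append((a, b, pa, pb))
    return conflicts


def usable_hosts(subnet_cidr):
    """Addresses a subnet can actually hand out after Azure's reservations."""
    net = ipaddress.ip_network(subnet_cidr)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def validate_subnets(vnet_prefixes, subnets):
    """Each subnet must sit inside one of the VNet prefixes, must not overlap a
    sibling subnet, and must be at least a /29. Returns a list of problem strings."""
    spaces = [ipaddress.ip_network(p) for p in vnet_prefixes]
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():
        if net.prefixlen > AZURE_MIN_SUBNET_PREFIX:
            problems.append(f"{name} ({net}) is smaller than /29, the minimum Azure subnet")
        if not any(net.subnet_of(space) for space in spaces):
            problems.append(f"{name} ({net}) is outside the VNet address space")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


# Constructed sample plan: a hub VNet, a dev spoke, and the corporate network that will
# be connected over VPN. The corporate range swallows both VNets, which must be fixed
# before any VM is deployed because renumbering later is painful.
SAMPLE_VNETS = {
    "hub": ["10.0.0.0/16"],
    "spoke-dev": ["10.1.0.0/16"],
    "corp-onprem": ["10.0.0.0/8"],
}
SAMPLE_SUBNETS = {
    "web": "10.1.0.0/24",
    "app": "10.1.1.0/24",
    "sql": "10.1.2.0/24",
    "mgmt": "10.1.0.0/25",    # overlaps "web"
    "legacy": "10.2.5.0/24",  # outside spoke-dev's address space
    "tiny": "10.1.3.0/30",    # smaller than Azure's /29 minimum
}

if __name__ == "__main__":
    for a, b, pa, pb in overlapping_address_spaces(SAMPLE_VNETS):
        print(f"{a} {pa} overlaps {b} {pb}")
    for problem in validate_subnets(SAMPLE_VNETS["spoke-dev"], SAMPLE_SUBNETS):
        print(problem)
    print("usable hosts in a /24:", usable_hosts("10.1.0.0/24"))
```

Run it against your own plan before creating the VNet; an overlap reported here is exactly the overlap the on-premises network team would otherwise discover after the VPN comes up.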

Secure the network

By default, there is no security boundary between subnets: the built-in rules allow all traffic inside the virtual network, so services in each of these subnets can talk to one another. To restrict that you create Network Security Groups (NSGs), which control traffic to and from subnets and to and from individual VMs. An NSG is a stateful packet filter attached at the subnet level, the network interface level, or both. Its rules are evaluated in priority order (lowest number first) and the first match decides; beneath your custom rules sit default rules that allow inbound traffic from the virtual network and from the Azure load balancer and deny all other inbound traffic. When both a subnet NSG and a NIC NSG apply, inbound traffic must be allowed by both. NSGs filter on addresses, ports, protocols and service tags only; they are not application-layer firewalls.
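As an added example, not part of the original module, the Python below simulates how an NSG decides a flow: custom rules and Azure's default inbound rules are sorted by priority and the first match wins. It contrasts the rule set that an "open ports 80 and 3389 to everyone" deployment produces with a hardened set that only admits RDP from an assumed jump subnet, and it shows that with default rules alone any host in the VNet can reach any port on the VM. The VNet range, rule names and sample addresses are constructed; the default rule names and priorities are Azure's. Resolving the Internet tag as "anything outside the VNet" is a simplification.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; a lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "*" or a service tag: Internet, VirtualNetwork, AzureLoadBalancer
    dest_port: str     # "80", a range such as "1024-65535", or "*"


# Assumed VNet address space (constructed) used to resolve the service tags.
VNET = ipaddress.ip_network("10.1.0.0/16")
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")  # Azure load-balancer health-probe source

# Azure's built-in inbound rules; they always sit beneath every custom rule.
# (The default outbound rules are omitted here for brevity.)
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]


def _source_matches(rule_source, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET
    if rule_source == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    if rule_source == "Internet":          # simplification: everything outside the VNet
        return ip not in VNET
    return ip in ipaddress.ip_network(rule_source, strict=False)


def _port_matches(rule_port, port):
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-", 1))
        return lo <= port <= hi
    return int(rule_port) == port


def evaluate(custom_rules, src_ip, protocol, dest_port, direction="Inbound"):
    """First-match evaluation in ascending priority order, the way an NSG decides a flow.
    Returns (access, name_of_matching_rule)."""
    candidates = [r for r in list(custom_rules) + DEFAULT_INBOUND if r.direction == direction]
    for rule in sorted(candidates, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol != protocol:
            continue
        if _source_matches(rule.source, src_ip) and _port_matches(rule.dest_port, dest_port):
            return rule.access, rule.name
    return "Deny", "(no matching rule)"


# What "open ports 80 and 3389" at deployment time amounts to: both reachable from any source.
OPEN_TO_WORLD = [
    Rule("allow-http-any", 300, "Inbound", "Allow", "Tcp", "*", "80"),
    Rule("allow-rdp-any", 310, "Inbound", "Allow", "Tcp", "*", "3389"),
]

# Hardened variant: HTTP from the Internet, RDP only from an assumed jump/bastion subnet.
HARDENED = [
    Rule("allow-http", 100, "Inbound", "Allow", "Tcp", "Internet", "80"),
    Rule("allow-rdp-from-jump", 110, "Inbound", "Allow", "Tcp", "10.1.0.0/24", "3389"),
]


def internet_exposed_ports(custom_rules, probe_ports=(22, 80, 443, 1433, 3389, 5985, 5986)):
    """Quick audit: which of the probed ports could an arbitrary Internet host reach?"""
    attacker = "203.0.113.5"   # TEST-NET-3 address standing in for an Internet source
    return [p for p in probe_ports if evaluate(custom_rules, attacker, "Tcp", p)[0] == "Allow"]


if __name__ == "__main__":
    for label, rules in (("open", OPEN_TO_WORLD), ("hardened", HARDENED)):
        print(label, "RDP from Internet:", evaluate(rules, "203.0.113.5", "Tcp", 3389))
        print(label, "Internet-exposed ports:", internet_exposed_ports(rules))
    # Default rules alone let any VNet host reach any port: there is no subnet boundary.
    print("intra-VNet SQL from web tier:", evaluate(HARDENED, "10.1.2.4", "Tcp", 1433))
```

The last line of output is the point of the "Segregate your network" paragraph: splitting tiers into subnets changes nothing until an NSG with explicit rules (for example, allow 1433 only from the app subnet) is attached to the SQL subnet.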

Plan each VM deployment

Once you have mapped out your communication and network requirements, you can start thinking about the VMs you want to create. A good plan is to select a server and take an inventory:

  • What does the server communicate with?

  • Which ports are open?

  • Which OS is used?

  • How much disk space is in use?

  • What kind of data does this use? Are there restrictions (legal or otherwise) with not having it on-premises?

  • What sort of CPU, memory, and disk I/O load does the server have? Is there burst traffic to account for?

We can then start to answer some of the questions Azure will have for a new virtual machine.

Name the VM

One piece of information people often don't put much thought into is the name of the VM. The VM name is used as the computer name, which is configured as part of the operating system. You can specify a name of up to 15 characters on a Windows VM and 64 characters on a Linux VM.

This name also defines a manageable Azure resource, and it's not trivial to change later. That means you should choose names that are meaningful and consistent, so you can easily identify what the VM does. A good convention is to include the following information in the name:

  • Environment (for example, dev or prod)

  • Location (the Azure region)

  • Role of the server (for example, web or sql)

  • Instance number

For example, devusc-webvm01 might represent the first development web server hosted in the US South Central location.

What is an Azure resource?

An Azure resource is a manageable item in Azure. Just like a physical computer in your datacenter, VMs have several elements that are needed to do their job:

• The VM itself

• Storage account for the disks

• Virtual network (shared with other VMs and services)

• Network interface to communicate on the network

• Network Security Group(s) to secure the network traffic

• Public Internet address (optional)

Azure will create all of these resources if necessary, or you can supply existing ones as part of the deployment process. Each resource needs a name that will be used to identify it. If Azure creates the resource, it will use the VM name to generate a resource name - another reason to be very consistent with your VM names!

Decide the location for the VM

Azure has datacenters all over the world filled with servers and disks. These datacenters are grouped into geographic regions ('West US', 'North Europe', 'Southeast Asia', etc.) to provide redundancy and availability.

When you create and deploy a virtual machine, you must select a region where you want the resources (CPU, storage, etc.) to be allocated. This lets you place your VMs as close as possible to your users to improve performance and to meet any legal, compliance, or tax requirements.

Two other things to think about regarding the location choice. First, the location can limit your available options. Each region has different hardware available and some configurations are not available in all regions. Second, there are price differences between locations. If your workload isn't bound to a specific location, it can be very cost effective to check your required configuration in multiple regions to find the lowest price.

Determine the size of the VM

Once you have the name and location set, you need to decide on the size of your VM. Rather than specify processing power, memory, and storage capacity independently, Azure provides different VM sizes that offer variations of these elements in different sizes. Azure provides a wide range of VM size options allowing you to select the appropriate mix of compute, memory, and storage for what you want to do.

The best way to determine the appropriate VM size is to consider the type of workload your VM needs to run. Based on the workload, you're able to choose from a subset of available VM sizes. Workload options are classified as follows on Azure:

General purpose
General-purpose VMs are designed to have a balanced CPU-to-memory ratio. Ideal for testing and development, small to medium databases, and low to medium traffic web servers.

Compute optimized
Compute optimized VMs are designed to have a high CPU-to-memory ratio. Suitable for medium traffic web servers, network appliances, batch processes, and application servers.

Memory optimized
Memory optimized VMs are designed to have a high memory-to-CPU ratio. Great for relational database servers, medium to large caches, and in-memory analytics.

Storage optimized
Storage optimized VMs are designed to have high disk throughput and IO. Ideal for VMs running databases.

GPU
GPU VMs are specialized virtual machines targeted for heavy graphics rendering and video editing. These VMs are ideal options for model training and inferencing with deep learning.

High performance compute
High performance compute VMs are the fastest and most powerful CPU virtual machines, with optional high-throughput network interfaces.

You're able to filter on the workload type when you configure the VM size in the Azure portal. The size you choose directly affects the cost of your service. The more CPU, memory, and GPU you need, the higher the price point.

What if my size needs change?

Azure allows you to change the VM size when the existing size no longer meets your needs. You can upgrade or downgrade the VM - as long as your current hardware configuration is allowed in the new size. This provides a fully agile and elastic approach to VM management.

The VM size can be changed while the VM is running, as long as the new size is available in the current hardware cluster the VM is running on. The Azure portal makes this obvious by only showing you available size choices. The command line tools will report an error if you attempt to resize a VM to an unavailable size. Changing a running VM size will automatically reboot the machine to complete the request.

If you stop and deallocate the VM, you can then select any size available in your region since this removes your VM from the cluster it was running on.

Warning
Be careful about resizing production VMs - they will be rebooted automatically which can cause a temporary outage and change some configuration settings such as the IP address.

Understanding the pricing model

There are two separate costs the subscription will be charged for every VM: compute and storage. By separating these costs, you scale them independently and only pay for what you need.

Compute costs - Compute expenses are priced on a per-hour basis but billed on a per-minute basis. For example, you are only charged for 55 minutes of usage if the VM is deployed for 55 minutes. You are not charged for compute capacity if you stop and deallocate the VM since this releases the hardware. The hourly price varies based on the VM size and OS you select. The cost for a VM includes the charge for the Windows operating system. Linux-based instances are cheaper because there is no operating system license charge.

Tip
You might be able to save money by reusing existing Windows Server licenses with the Azure Hybrid Benefit.

Storage costs - You are charged separately for the storage the VM uses. The status of the VM has no relation to the storage charges that will be incurred; even if the VM is stopped/deallocated and you aren’t billed for the running VM, you will be charged for the storage used by the disks.

You're able to choose from two payment options for compute costs.

Pay as you go
With the pay-as-you-go option, you pay for compute capacity by the second, with no long-term commitment or upfront payments. You're able to increase or decrease compute capacity on demand as well as start or stop at any time. Prefer this option if you run applications with short-term or unpredictable workloads that cannot be interrupted. For example, if you are doing a quick test, or developing an app in a VM, this would be the appropriate option.

Reserved Virtual Machine Instances
The Reserved Virtual Machine Instances (RI) option is an advance purchase of a virtual machine for one or three years in a specified region. The commitment is made up front, and in return, you get up to 72% price savings compared to pay-as-you-go pricing. RIs are flexible and can easily be exchanged or returned for an early termination fee. Prefer this option if the VM has to run continuously, or you need budget predictability, and you can commit to using the VM for at least a year.

Storage for the VM

All Azure virtual machines have at least two virtual hard disks (VHDs). The first disk stores the operating system, and the second is a temporary disk. The temporary disk lives on the local host, is not persisted, and its contents are lost when the VM is deallocated, resized, or moved to another host, so it should hold only scratch data such as page or swap files, never application data. You can add additional disks to store application data; the maximum number is determined by the VM size selection (typically two per CPU). It's common to create one or more data disks, particularly since the OS disk tends to be quite small. Also, separating out the data to different VHDs allows you to manage the security, reliability, and performance of each disk independently.

The data for each VHD is held in Azure Storage as page blobs, which allows Azure to allocate space only for the storage you use. It's also how your storage cost is measured; you pay for the storage you are consuming.

What is Azure Storage?

Azure Storage is Microsoft's cloud-based data storage solution. It supports almost any type of data and provides security, redundancy, and scalable access to the stored data. A storage account provides access to objects in Azure Storage for a specific subscription. VMs always have one or more storage accounts to hold each attached virtual disk.

Virtual disks can be backed by either Standard or Premium Storage accounts. Azure Premium Storage leverages solid-state drives (SSDs) to enable high performance and low latency for VMs running I/O-intensive workloads. Use Azure Premium Storage for production workloads, especially those that are sensitive to performance variations or are I/O intensive. For development or testing, Standard storage is fine.

When you create disks, you will have two options for managing the relationship between the storage account and each VHD. You can choose either unmanaged disks or managed disks.

Unmanaged disks
With unmanaged disks, you are responsible for the storage accounts that are used to hold the VHDs that correspond to your VM disks. You pay the storage account rates for the amount of space you use. A single storage account has a fixed limit of 20,000 I/O operations/sec. Since a standard disk is capped at 500 IOPS, a storage account can support 40 standard virtual hard disks at full utilization. If you need to scale out with more disks, then you'll need more storage accounts, which can get complicated.

Managed disks
Managed disks are the newer and recommended disk storage model. They elegantly solve this complexity by putting the burden of managing the storage accounts onto Azure. You specify the size of the disk, up to 4 TB, and Azure creates and manages both the disk and the storage. You don't have to worry about storage account limits, which makes managed disks easier to scale out.

Select an operating system

Azure provides a variety of OS images that you can install into the VM, including several versions of Windows and flavors of Linux. As mentioned earlier, the choice of OS will influence your hourly compute pricing as Azure bundles the cost of the OS license into the price.

If you are looking for more than just base OS images, you can search the Azure Marketplace for more sophisticated install images that include the OS and popular software tools installed for specific scenarios. For example, if you needed a new WordPress site, the standard technology stack would consist of a Linux server, Apache web server, a MySQL database, and PHP. Instead of setting up and configuring each component, you can leverage a Marketplace image and install the entire stack all at once.

Finally, if you can't find a suitable OS image, you can create your disk image with what you need, upload it to Azure storage, and use it to create an Azure VM. Keep in mind that Azure only supports 64-bit operating systems.

5.3.3 Exercise - Create a VM using the Azure portal


You've planned out the network infrastructure and identified a few VMs to migrate to the cloud. You have several choices for creating your VMs. The choice you make depends on the environment you're comfortable with. Azure supports a web-based portal for creating and administering resources. You can also choose to use command-line tools that run on Windows, Linux, and macOS.

Create an Azure VM with the Azure portal

Let's assume you want to create a VM running an Ubuntu server. Setting up a site isn't difficult, but there are a couple of things to keep in mind. You need to install and configure an operating system, configure a website, install a database, and worry about things like firewalls. We're going to cover creating VMs in the next few modules, but let's create one here to see how easy it is. We won't go through all the options; the Create a VM modules give complete details on each option.

  1. Sign in to the Azure portal using the same account you activated the sandbox with.

  2. On the Azure home page, under Azure services, select Create a resource.

  3. As you can see, there are many selectable options. We want to create a VM running an Ubuntu server. VMs are Azure compute resources, so in the left menu pane, select Compute, and in the search box, enter Ubuntu Server, and press Enter. The Marketplace pane appears with many Ubuntu Server options.

  4. Select Ubuntu Server 18.04 LTS. The Ubuntu Server 18.04 LTS pane appears.

  5. Select Create. The Create virtual machine pane appears.

Configure the VM

We need to configure the basic parameters of our Ubuntu virtual machine. If some of the options at this point are unfamiliar to you, that's OK. We're going to describe all of these options in a future module. You're welcome to copy the values used here.


5.3.4 Describe the options available to create and manage an Azure Virtual Machine

The Azure portal is the easiest way to create resources such as VMs when you are getting started. However, it's not necessarily the most efficient or quickest way to work with Azure, particularly if you need to create several resources together. In our case, we will eventually be creating dozens of VMs to handle different tasks. Creating them manually in the Azure portal wouldn't be a fun task!

Let's look at some other ways to create and administer resources in Azure:

• Azure Resource Manager

• Azure PowerShell

• Azure CLI

• Azure REST API

• Azure Client SDK

• Azure VM Extensions

• Azure Automation Services

Azure Resource Manager

Let's assume you want to create a copy of a VM with the same settings. You could create a VM image, upload it to Azure, and reference it as the basis for your new VM. This process is inefficient and time-consuming. Azure provides you with the option to create a template from which to create an exact copy of a VM.

Typically, your Azure infrastructure will contain many resources, many of them related to one another in some way. For example, the VM we created has the virtual machine itself, storage and network interface. Azure Resource Manager makes working with these related resources more efficient. It organizes resources into named resource groups that let you deploy, update, or delete all of the resources together. When we created the Ubuntu VM site, we identified the resource group as part of the VM creation, and Resource Manager placed the associated resources into the same group.

Resource Manager also enables you to create templates, which can be used to create and deploy specific configurations.

What are Resource Manager templates?

Resource Manager templates are JSON files that define the resources you need to deploy for your solution.

Create resource templates from the Automation section for a specific VM by selecting Export template.

You have the option to save the resource template for later use, or immediately deploy a new VM based on this template. For example, you might create a VM from a template in a test environment, and find it doesn’t quite work to replace your on-premises machine. You can delete the resource group, which deletes all of the resources, tweak the template, and try again. If you only want to make changes to the existing deployed resources, you can change the template used to create it, and deploy it again. Resource Manager will change the resources to match the new template.

After you have it working the way you want it, you can take that template and easily re-create multiple versions of your infrastructure, such as staging and production. You can parameterize fields such as the VM name, network name, storage account name, and so on, and load the template repeatedly, using different parameters to customize each environment.

You can use automation scripting tools such as the Azure CLI, Azure PowerShell, or even the Azure REST APIs with your favorite programming language to process resource templates, making this a powerful tool for quickly spinning up your infrastructure.
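As an added example, not code from the module, here is a small Python checker for the parameterisation described above. It walks a constructed template and reports parameters that are referenced but never declared, declared but never referenced, and secret-like parameters (such as a password) declared as a plain string rather than securestring (a securestring value is not recorded in the deployment history; a plain string is). It then builds the deploymentParameters.json body that is passed to the deployment command, using a Key Vault reference for the secret so the password never sits in the file. The template contents and the Key Vault resource ID are assumed; the secret-name heuristic is just that.

```python
import json
import re

# Matches parameters('name') inside template expressions such as "[parameters('vmName')]".
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")
SECRET_HINTS = ("password", "secret", "token")   # heuristic for "this should be a securestring"

# Constructed, deliberately imperfect template (assumed content, not a deployable VM definition).
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vmName": {"type": "string"},
        "adminUsername": {"type": "string"},
        "adminPassword": {"type": "string"},     # secret as plain string: lands in deployment history
        "location": {"type": "string", "defaultValue": "[resourceGroup().location]"},
        "environment": {"type": "string"},       # declared but never referenced
    },
    "resources": [{
        "type": "Microsoft.Compute/virtualMachines",
        "apiVersion": "2021-03-01",
        "name": "[parameters('vmName')]",
        "location": "[parameters('location')]",
        "properties": {
            "osProfile": {
                "computerName": "[parameters('vmName')]",
                "adminUsername": "[parameters('adminUsername')]",
                "adminPassword": "[parameters('adminPassword')]",
            },
            "networkProfile": {"networkInterfaces": [
                # 'nicName' is referenced here but never declared above
                {"id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('nicName'))]"}
            ]},
        },
    }],
}


def _strings(node):
    """Yield every string value anywhere inside a JSON-like structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def referenced_parameters(template):
    refs = set()
    for section in ("variables", "resources", "outputs"):
        for text in _strings(template.get(section, {})):
            refs.update(PARAM_REF.findall(text))
    return refs


def check_template(template):
    declared = template.get("parameters", {})
    refs = referenced_parameters(template)
    insecure = sorted(
        name for name, spec in declared.items()
        if any(hint in name.lower() for hint in SECRET_HINTS)
        and spec.get("type", "").lower() not in ("securestring", "secureobject")
    )
    return {
        "undeclared": sorted(refs - set(declared)),
        "unused": sorted(set(declared) - refs),
        "insecure_secrets": insecure,
    }


def parameters_file(template, values):
    """Build the deploymentParameters.json body. A value shaped like
    {"keyVault": {"id": ...}, "secretName": ...} is emitted as a Key Vault reference,
    so the secret itself never appears in the file or in source control."""
    declared = template.get("parameters", {})
    missing = [n for n, spec in declared.items() if "defaultValue" not in spec and n not in values]
    if missing:
        raise ValueError(f"missing values for required parameters: {missing}")
    body = {}
    for name, value in values.items():
        if name not in declared:
            raise ValueError(f"{name} is not a parameter of this template")
        if isinstance(value, dict) and "keyVault" in value:
            body[name] = {"reference": value}
        else:
            body[name] = {"value": value}
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": body,
    }


if __name__ == "__main__":
    print(json.dumps(check_template(SAMPLE_TEMPLATE), indent=2))
```

Running the checker on an exported template before you parameterise it for staging and production catches the two mistakes that otherwise only surface at deployment time (a dangling reference, a forgotten value) plus the one that never surfaces at all: a password that is silently stored in plain text with every deployment record.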

Azure PowerShell

Creating administration scripts is a powerful way to optimize your workflow. You can automate everyday, repetitive tasks, and after a script has been verified, it will run consistently, likely reducing errors. Azure PowerShell is ideal for one-off interactive tasks and/or the automation of repeated tasks.

Note

PowerShell is a cross-platform shell that provides services like the shell window and command parsing. Azure PowerShell is an optional add-on package that adds the Azure-specific commands (referred to as cmdlets). You can learn more about installing and using Azure PowerShell in a separate training module.

For example, you can use the New-AzVM cmdlet to create a new Azure virtual machine.

PowerShell

New-AzVm `
    -ResourceGroupName "TestResourceGroup" `
    -Name "test-wp1-eus-vm" `
    -Location "East US" `
    -VirtualNetworkName "test-wp1-eus-network" `
    -SubnetName "default" `
    -SecurityGroupName "test-wp1-eus-nsg" `
    -PublicIpAddressName "test-wp1-eus-pubip" `
    -OpenPorts 80,3389   # adds NSG rules allowing 80 and 3389 inbound from any source

As shown here, you supply various parameters to handle the large number of VM configuration settings available. Most of the parameters have reasonable defaults; you only need to specify the required ones. One caveat: -OpenPorts creates NSG rules that allow those ports inbound from any source, so 3389 here exposes RDP to the entire Internet. For anything beyond a throwaway test, open only the application ports and reach the VM for administration through a restricted source range, Azure Bastion, or just-in-time access. Learn more about creating and managing VMs with Azure PowerShell in the Automate Azure tasks using scripts with PowerShell module.

Azure CLI

Another option for scripting and command-line Azure interaction is the Azure CLI.

The Azure CLI is Microsoft's cross-platform command-line tool for managing Azure resources such as virtual machines and disks from the command line. It's available for Windows, Linux and macOS, or in the browser using the Cloud Shell. Like Azure PowerShell, the Azure CLI is a powerful way to streamline your administrative workflow. Unlike Azure PowerShell, the Azure CLI does not need PowerShell to function.

For example, you can create an Azure VM with the az vm create command.

Azure CLI

az vm create \
    --resource-group TestResourceGroup \
    --name test-wp1-eus-vm \
    --image win2016datacenter \
    --admin-username jonc \
    --admin-password aReallyGoodPasswordHere

The Azure CLI can be used with other scripting languages, for example, Ruby and Python. Both languages are commonly used on non-Windows-based machines where the developer might not be familiar with PowerShell. Note that passing --admin-password on the command line, as above, leaves the secret in shell history and visible to other users in the process list; read it from an environment variable or a secret store instead, and for Linux images prefer key-based SSH (--generate-ssh-keys) over a password.

Learn more about creating and managing VMs in the Manage virtual machines with the Azure CLI tool module.

Programmatic (APIs)

Generally speaking, both Azure PowerShell and Azure CLI are good options if you have simple scripts to run and want to stick to command-line tools. When it comes to more complex scenarios, where the creation and management of VMs form part of a larger application with complex logic, another approach is needed.

You can interact with every type of resource in Azure programmatically.

Azure REST API

The Azure REST API provides developers with operations categorized by resource as well as the ability to create and manage VMs. Operations are exposed as URIs with corresponding HTTP methods (GET, PUT, POST, DELETE, and PATCH) and a corresponding response.

The Azure Compute APIs give you programmatic access to virtual machines and their supporting resources. With this API, you have operations to:

  • Create and manage availability sets

  • Add and manage virtual machine extensions

  • Create and manage managed disks, snapshots, and images

  • Access the platform images available in Azure

  • Retrieve usage information of your resources

  • Create and manage virtual machines

  • Create and manage virtual machine scale sets


Azure Client SDK

Even though the REST API is platform and language agnostic, most often developers will look toward a higher level of abstraction. The Azure Client SDK encapsulates the Azure REST API, making it much easier for developers to interact with Azure.

The Azure Client SDKs are available for a variety of languages and frameworks, including .NET (C#), Java, Node.js, PHP, Python, Ruby, and Go.

Here's an example snippet of C# code to create an Azure VM using the Microsoft.Azure.Management.Fluent NuGet package. The admin password is hard-coded in this and the following Java snippet for brevity; in real code, retrieve it at run time from a secret store such as Azure Key Vault rather than committing it to source.

C#

using Microsoft.Azure.Management.Compute.Fluent.Models;
using Microsoft.Azure.Management.Fluent;
using Microsoft.Azure.Management.ResourceManager.Fluent.Core;

// 'credentials' (AzureCredentials) and 'networkInterface' are created earlier and elided here.
var azure = Azure
    .Configure()
    .WithLogLevel(HttpLoggingDelegatingHandler.Level.Basic)
    .Authenticate(credentials)
    .WithDefaultSubscription();

// ...

var vmName = "test-wp1-eus-vm";

azure.VirtualMachines.Define(vmName)
    .WithRegion(Region.USEast)
    .WithExistingResourceGroup("TestResourceGroup")
    .WithExistingPrimaryNetworkInterface(networkInterface)
    .WithLatestWindowsImage("MicrosoftWindowsServer", "WindowsServer", "2012-R2-Datacenter")
    .WithAdminUsername("jonc")
    .WithAdminPassword("aReallyGoodPasswordHere")
    .WithComputerName(vmName)
    .WithSize(VirtualMachineSizeTypes.StandardDS1)
    .Create();

Here's the same snippet in Java using the Azure Java SDK.

Java

import com.microsoft.azure.management.Azure;
import com.microsoft.azure.management.compute.VirtualMachine;
import com.microsoft.azure.management.resources.fluentcore.arm.Region;

// 'azure' (an authenticated Azure client) and 'networkInterface' are created earlier and elided here.
String vmName = "test-wp1-eus-vm";

// ...

VirtualMachine virtualMachine = azure.virtualMachines()
    .define(vmName)
    .withRegion(Region.US_EAST)
    .withExistingResourceGroup("TestResourceGroup")
    .withExistingPrimaryNetworkInterface(networkInterface)
    .withLatestWindowsImage("MicrosoftWindowsServer", "WindowsServer", "2012-R2-Datacenter")
    .withAdminUsername("jonc")
    .withAdminPassword("aReallyGoodPasswordHere")
    .withComputerName(vmName)
    .withSize("Standard_DS1")
    .create();


Azure VM extensions

Let's assume you want to configure and install additional software on your virtual machine after the initial deployment. You want this task to use a specific configuration, monitored and executed automatically.

Azure VM extensions are small applications that enable you to configure and automate tasks on Azure VMs after initial deployment. Azure VM extensions can be run with the Azure CLI, PowerShell, Azure Resource Manager templates, and the Azure portal. Because extensions execute inside the guest with administrative privileges (root on Linux, SYSTEM on Windows), the permission to add an extension is effectively the permission to run arbitrary code on the VM, so grant it as sparingly as write access to the VM itself.

You bundle extensions with a new VM deployment, or run them against an existing system.

Azure Automation services

Saving time, reducing errors, and increasing efficiency are some of the most significant operational management challenges faced when managing remote infrastructure. If you have a lot of infrastructure services, you might want to consider using higher-level services in Azure to help you operate from a higher level.

Azure Automation enables you to integrate services that allow you to automate frequent, time-consuming, and error-prone management tasks with ease. These services include process automation, configuration management, and update management.

· Process Automation. Let's assume you have a VM that is monitored for a specific error event. You want to take action, and fix the problem as soon as it's reported. Process automation enables you to set up watcher tasks that can respond to events that may occur in your datacenter.

· Configuration Management. Perhaps you want to track software updates that become available for the operating system that runs on your VM. There are specific updates you may want to include or exclude. Configuration management enables you to track these updates, and take action as required. You use Microsoft Endpoint Configuration Manager to manage your company's PC, servers, and mobile devices. You can extend this support to your Azure VMs with Configuration Manager.

· Update Management. This is used to manage updates and patches for your VMs. With this service, you're able to assess the status of available updates, schedule installation, and review deployment results to verify updates applied successfully. Update management incorporates services that provide process and configuration management. You enable update management for a VM directly from your Azure Automation account. You can also enable update management for a single virtual machine from the virtual machine pane in the portal.

As you can see, Azure provides a variety of tools to create and administer resources so that you can integrate management operations into a process that works for you. Let's examine some of the other Azure services to make sure your infrastructure resources are running smoothly.


5.3.5 Manage the availability of your Azure VMs

Frequently, the success of a services company is directly related to the service level agreements (SLA) the company has with its customers. Your customers expect the services you provide always to be available, and their data kept safe. This is something that Microsoft takes very seriously. Azure provides tools you can use to manage availability, data security, and monitoring, so you know your services are always available for your customers.

Administration of an Azure VM isn't limited to managing the operating system, or software that runs on the VM. It helps to know which services Azure provides that ensure service availability and support automation. These services help you to plan your organization's business continuity and disaster recovery strategy.

Here, we'll cover the Azure services that help you improve VM availability, streamline VM management tasks, and keep your VM data backed up and safe. Let's start by defining availability.

What is availability?

Availability is the percentage of time a service is available for use.

Let's assume you have a website, and you want your customers to be able to access information at all times. Your expectation is 100% availability concerning website access.

Why do I need to think about availability when using Azure?

Azure VMs run on physical servers hosted within the Azure Datacenter. As with most physical devices, there's a chance that there could be a failure. If the physical server fails, the virtual machines hosted on that server will also fail. If this happens, Azure will move the VM to a healthy host server automatically. However, this self-healing migration could take several minutes, during which, the application(s) hosted on that VM will not be available.

The VMs could also be affected by periodic updates initiated by Azure itself. These maintenance events range from software updates to hardware upgrades and are required to improve platform reliability and performance. These events usually are performed without impacting any guest VMs, but sometimes the virtual machines will be rebooted to complete an update or upgrade.

Note
Microsoft does not automatically update your VMs OS or software. You have complete control and responsibility for that. However, the underlying software host and hardware are periodically patched to ensure reliability and high performance at all times.

To ensure your services aren't interrupted and to avoid a single point of failure, it's recommended to deploy at least two instances of each VM and place them in an availability set.

What is an availability set?

An availability set is a logical feature used to ensure that a group of related VMs are deployed so that they aren't all subject to a single point of failure and not all upgraded at the same time during a host operating system upgrade in the datacenter. VMs placed in an availability set should perform an identical set of functionalities and have the same software installed.

Tip
Microsoft offers a 99.95% external connectivity service level agreement (SLA) for multiple-instance VMs deployed in an availability set. That means that for the SLA to apply, there must be at least two instances of the VM deployed within an availability set.

You can create availability sets through the Azure portal in the disaster recovery section. Also, you can build them using Resource Manager templates, or any of the scripting or API tools. When you place VMs into an availability set, Azure guarantees to spread them across Fault Domains and Update Domains.

What is a fault domain?

A fault domain is a logical group of hardware in Azure that shares a common set of hardware components, and that share a single point of failure. You can think of it as a rack within an on-premises datacenter. The first two VMs in an availability set will be provisioned into two different racks so that if the network or the power failed in a rack, only one VM would be affected. Fault domains are also defined for managed disks attached to VMs.

What is an update domain?

An update domain is a logical group of hardware that can undergo maintenance, or be rebooted at the same time. Azure will automatically place availability sets into update domains to minimize the impact when the Azure platform introduces host operating system changes. Azure then processes each update domain one at a time.
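As an added example, not code from the module, the Python below reproduces the placement rule behind fault and update domains: VMs added to an availability set are assigned sequentially, so the i-th VM lands in fault domain i mod (number of fault domains) and update domain i mod (number of update domains), with the defaults of 2 fault domains and 5 update domains. It then asks the question the SLA paragraph raises: after the loss of any single fault domain, or the reboot of any single update domain, how many instances are still running? VM names are constructed; the domain limits (up to 3 fault domains, up to 20 update domains) are Azure's.

```python
def place_in_availability_set(vm_names, fault_domains=2, update_domains=5):
    """Sequential placement as an availability set performs it: VM i goes to
    FD i mod fault_domains and UD i mod update_domains. Returns {name: (fd, ud)}."""
    if not 1 <= fault_domains <= 3:
        raise ValueError("an availability set supports 1 to 3 fault domains")
    if not 1 <= update_domains <= 20:
        raise ValueError("an availability set supports 1 to 20 update domains")
    return {name: (i % fault_domains, i % update_domains) for i, name in enumerate(vm_names)}


def running_after(placement, lost_fault_domain=None, lost_update_domain=None):
    """VMs still up after one fault domain fails and/or one update domain is rebooted."""
    return sorted(
        name for name, (fd, ud) in placement.items()
        if fd != lost_fault_domain and ud != lost_update_domain
    )


def worst_case_survivors(placement):
    """Fewest VMs left running across every single-FD failure and every single-UD reboot."""
    fds = {fd for fd, _ in placement.values()}
    uds = {ud for _, ud in placement.values()}
    fd_cases = [len(running_after(placement, lost_fault_domain=fd)) for fd in fds]
    ud_cases = [len(running_after(placement, lost_update_domain=ud)) for ud in uds]
    return min(fd_cases + ud_cases)


def sla_eligible(placement):
    """The 99.95% SLA needs at least two instances in the set; also confirm that no
    single FD loss or UD reboot takes every instance down at once."""
    return len(placement) >= 2 and worst_case_survivors(placement) >= 1


if __name__ == "__main__":
    # Constructed sample: the two web servers from the naming example, plus a larger tier.
    web = place_in_availability_set(["devusc-webvm01", "devusc-webvm02"])
    print(web)
    print("after losing fault domain 0:", running_after(web, lost_fault_domain=0))
    tier = place_in_availability_set([f"web{i:02d}" for i in range(1, 6)])
    print("5-VM tier, worst case still running:", worst_case_survivors(tier))
    print("single VM SLA-eligible?", sla_eligible(place_in_availability_set(["lonely-vm"])))
```

With two fault domains a five-VM tier keeps only two instances through a rack failure, which is the number to size capacity against, not five; and a lone VM in a set, as the last line shows, gains nothing from it.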

Availability sets are a powerful feature to ensure the services running in your VMs are always available to your customers. However, they aren't foolproof. What if something happens to the data or the software running on the VM itself? For that, we'll need to look at other disaster recovery and backup techniques.

Failover across locations

You can also replicate your infrastructure across sites to handle regional failover. Azure Site Recovery replicates workloads from a primary site to a secondary location. If an outage happens at your primary site, you can fail over to a secondary location. This failover enables users to continue to access your applications without interruption. You can then fail back to the primary location after it's up and running again. Azure Site Recovery is about replication of virtual or physical machines; it keeps your workloads available in an outage.

While there are many attractive technical features to Site Recovery, there are at least two significant business advantages:

· Site Recovery enables the use of Azure as a destination for recovery, thus eliminating the cost and complexity of maintaining a secondary physical datacenter.

· Site Recovery makes it incredibly simple to test failovers for recovery drills without impacting production environments. This makes it easy to test your planned or unplanned failovers. After all, you don’t have a good disaster recovery plan if you’ve never tried to failover.

The recovery plans you create with Site Recovery can be as simple or as complex as your scenario requires. They can include custom PowerShell scripts, Azure Automation runbooks, or manual intervention steps. You can use the recovery plans to replicate workloads to Azure, which also opens up migration, temporary bursts during surge periods, or development and testing of new applications.

Azure Site Recovery works with Azure resources, or Hyper-V, VMware, and physical servers in your on-premises infrastructure and can be a key part of your organization’s business continuity and disaster recovery (BCDR) strategy by orchestrating the replication, failover, and recovery of workloads and applications if the primary location fails.

5.3.6 Back up your virtual machines

Data backup and recovery is a necessary piece of the planning for any good infrastructure. Assume a bug erases some company data, or maybe you need to retrieve some archived data for auditing purposes. Maintaining a good backup strategy will ensure you aren't scrambling when data or software needs to be restored.

Azure Backup is a backup as a service offering that protects physical or virtual machines no matter where they reside: on-premises or in the cloud.

Azure Backup can be used for a wide range of data backup scenarios, such as:

  • Files and folders on Windows OS machines (physical or virtual, local or cloud)

  • Application-aware snapshots (Volume Shadow Copy Service)

  • Popular Microsoft server workloads such as Microsoft SQL Server, Microsoft SharePoint, and Microsoft Exchange

  • Native support for Azure Virtual Machines, both Windows and Linux

  • Linux and Windows 10 client machines


Advantages of using Azure Backup

Traditional backup solutions don't always take full advantage of the underlying Azure platform. The result is a solution that tends to be expensive or inefficient. The solution either offers too much or too little storage, does not offer the correct types of storage, or has cumbersome and long-winded administrative tasks. Azure Backup was designed to work in tandem with other Azure services and provides several distinct benefits.

      • Automatic storage management. Azure Backup automatically allocates and manages backup storage and uses a pay-as-you-use model. You only pay for what you use.

      • Unlimited scaling. Azure Backup uses the power and scalability of Azure to deliver high availability.

      • Multiple storage options. Azure Backup offers locally redundant storage where all copies of the data exist within the same region and geo-redundant storage where your data is replicated to a secondary region.

      • Unlimited data transfer. Azure Backup does not limit the amount of inbound or outbound data you transfer. Azure Backup also does not charge for the data that is transferred.

      • Data encryption. Backup data is encrypted in transit and at rest in Azure. For the Azure Backup (MARS) agent, the encryption passphrase is held only by you and is not stored by Microsoft, so losing it means the backups cannot be recovered.

      • Application-consistent backup. An application-consistent backup means that a recovery point has all required data to restore the backup copy. Azure Backup provides application-consistent backups.

      • Long-term retention. Azure doesn't limit the length of time you keep the backup data.

Use Azure Backup

Azure Backup uses several components; which one you deploy depends on what you want to protect. The agent, System Center Data Protection Manager, and Azure Backup Server are installed on the machines or backup servers you manage, while the VM extension is installed on an Azure VM automatically when you enable protection for it.

  • Azure Backup agent

  • System Center Data Protection Manager

  • Azure Backup Server

  • Azure Backup VM extension

Azure Backup uses a Recovery Services vault for storing the backup data. A vault is backed by Azure Storage blobs, making it a very efficient and economical long-term storage medium. With the vault in place, you can select the machines to back up, and define a backup policy (when snapshots are taken and for how long they’re stored).
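The vault-and-policy workflow above, as an added Azure PowerShell example that is not part of the original notes: it creates a Recovery Services vault, chooses geo-redundant backup storage, defines a daily policy with 30-day retention, protects an existing Azure VM, and takes a first on-demand backup. It assumes the Az module (Az.RecoveryServices) and a signed-in session; the vault name, resource groups, location and VM name are placeholders, and the VM is assumed to already exist.

```powershell
# Added example (not from the original notes). Assumes Az.RecoveryServices
# and a signed-in session. Names and location are placeholders; the VM
# named in $vmName is assumed to exist in $vmRg.
$rg        = 'rg-backup'
$loc       = 'eastus'
$vaultName = 'rsv-prod'
$vmName    = 'vm-web-1'
$vmRg      = 'rg-web-tier'

New-AzResourceGroup -Name $rg -Location $loc -Force | Out-Null
$vault = New-AzRecoveryServicesVault -ResourceGroupName $rg -Name $vaultName -Location $loc

# Storage redundancy must be set before the first item is protected.
# GeoRedundant replicates the backup data to the paired region.
Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy GeoRedundant

# Soft delete keeps deleted backup data for 14 days, so an attacker (or a
# mistaken administrator) who deletes backups cannot make them unrecoverable at once.
Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -SoftDeleteFeatureState Enable

# Backup policy = schedule (when snapshots are taken) + retention (how long
# they are kept). Start from the default objects for Azure VMs and adjust.
$sched = Get-AzRecoveryServicesBackupSchedulePolicyObject -WorkloadType AzureVM
$sched.ScheduleRunTimes.Clear()
$sched.ScheduleRunTimes.Add((Get-Date -Date '2021-01-01 02:00:00Z').ToUniversalTime())

$ret = Get-AzRecoveryServicesBackupRetentionPolicyObject -WorkloadType AzureVM
$ret.DailySchedule.DurationCountInDays = 30
$ret.IsWeeklyScheduleEnabled  = $false
$ret.IsMonthlyScheduleEnabled = $false
$ret.IsYearlyScheduleEnabled  = $false

$policy = New-AzRecoveryServicesBackupProtectionPolicy -Name 'daily-30d' `
    -WorkloadType AzureVM -RetentionPolicy $ret -SchedulePolicy $sched -VaultId $vault.ID

# Enabling protection installs the Azure Backup VM extension on the VM.
Enable-AzRecoveryServicesBackupProtection -Policy $policy -Name $vmName `
    -ResourceGroupName $vmRg -VaultId $vault.ID

# Trigger an on-demand backup so a recovery point exists now rather than
# after the next scheduled run.
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM `
    -FriendlyName $vmName -VaultId $vault.ID
$item = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM -VaultId $vault.ID
Backup-AzRecoveryServicesBackupItem -Item $item -VaultId $vault.ID
```

Two choices here matter for security rather than convenience: the redundancy setting is effectively locked once data lands in the vault, and soft delete is what keeps a compromised administrator account from destroying the last good copy along with the production VM.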

5.3.7 Knowledge check

1. Suppose you want to run a network appliance on a virtual machine. Which workload option should you choose?

o General purpose

o Compute optimized (correct)

  Compute optimized virtual machines are designed to have a high CPU-to-memory ratio. Suitable for medium traffic web servers, network appliances, batch processes, and application servers.

o Memory optimized

o Storage optimized

2. True or false: Resource Manager templates are JSON files?

o True (correct)

  Resource Manager templates are JSON files that define the resources you need to deploy for your solution. The template can then be used to easily re-create multiple versions of your infrastructure, such as staging and production.

o False


5.3.8 Summary

In this module, you looked at the decisions you need to make before creating a virtual machine. These decisions include aspects such as the VM size, types of disks used, operating system image selected, and the types of resources created.

You also looked at the options to create and manage virtual machines in Azure. You saw how easy it is to create and manage VMs using the portal, and when to use Resource Manager templates, PowerShell, the Azure CLI, and the Azure Client SDK.

Finally, you looked at the extensions and services available to more easily administer your VMs.


5.4 Examine privacy, compliance, and data protection standards on Azure


Learn about Microsoft's commitment to privacy and how Azure adheres to common regulatory and compliance standards.

5.4.1 Introduction

In this module, you'll learn about Microsoft's commitment to privacy and how Azure adheres to common regulatory and compliance standards.

If your organization is a government department or agency, or you need to deploy to regions of China, you'll also learn about some considerations that don't apply to other Azure users.

In general, compliance means to adhere to a law, standard, or set of guidelines. Regulatory compliance refers to the discipline and process of ensuring that a company follows the laws that governing bodies enforce.

Meet Tailwind Traders

Tailwind Traders is a fictitious home improvement retailer. It operates retail hardware stores across the globe and online.

Tailwind Traders specializes in competitive pricing, fast shipping, and a large range of items. It's looking at cloud technologies to improve business operations and support growth into new markets. By moving to the cloud, the company plans to enhance its shopping experience to further differentiate itself from competitors.

How will Tailwind Traders protect its data in the cloud and stay compliant?

Tailwind Traders is planning its migration to the cloud. It's used to having full control of all of its application data, which is stored on servers that it manages in its datacenter.

Tailwind Traders knows that moving an application to the cloud means that data is now outside of its own walls. The company also understands that the cloud provider has access to the server hardware and infrastructure. How is the privacy of its application data protected?

Tailwind Traders must also adhere to multiple regulatory and compliance frameworks. For example, it must follow certain rules to ensure that it properly handles credit card data. It will still need to ensure that its applications comply with applicable regulations and standards. How does infrastructure on Azure already adhere to these same standards?

To answer these questions, you'll start by learning about the types of compliance offerings that are available on Azure.


Learning objectives

After completing this module, you'll be able to:

  • Explain the types of compliance offerings that are available on Azure.

  • Access the Microsoft Privacy Statement, the Online Services Terms, and the Data Protection Addendum to learn what personal data Microsoft collects, how Microsoft uses it, and for what purposes.

  • Gain insight into regulatory standards and compliance on Azure from the Trust Center and from the Azure compliance documentation.

  • Explain Azure capabilities that are specific to government agencies.


5.4.2 Explore compliance terms and requirements

In this unit, you learn about the types of compliance offerings that are available on Azure.

As Tailwind Traders moves to running its applications in the cloud, it wants to know how Azure adheres to applicable regulatory compliance frameworks. The company asks:

  • How compliant is Azure when it comes to handling personal data?

  • How compliant are each of Azure's individual services?

Microsoft's online services build upon a common set of regulatory and compliance controls. Think of a control as a known good standard that you can compare your solution against to ensure security. These controls address today's regulations and adapt as regulations evolve.

Which compliance categories are available on Azure?

Although there are many more, some of the more popular compliance offerings available on Azure are grouped under four categories: Global, US Government, Industry, and Regional.

To get a sense of the variety of the compliance offerings available on Azure, let's take a closer look at a few of them.

While not all of these compliance offerings will be relevant to you or your team, they show that Microsoft's commitment to compliance is comprehensive, ongoing, and independently tested and verified.


Criminal Justice Information Service

Any US state or local agency that wants to access the FBI's Criminal Justice Information Services (CJIS) database is required to adhere to the CJIS Security Policy.

Azure is the only major cloud provider that contractually commits to conformance with the CJIS Security Policy. Microsoft adheres to the same requirements that law enforcement and public safety entities must meet.


Cloud Security Alliance STAR Certification

Azure, Intune, and Microsoft Power BI have obtained Cloud Security Alliance (CSA) STAR Certification, which involves a rigorous independent third-party assessment of a cloud provider's security posture.

STAR Certification is based on achieving International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 certification and meeting criteria specified in the Cloud Controls Matrix (CCM). This certification demonstrates that a cloud service provider:

• Conforms to the applicable requirements of ISO/IEC 27001.

• Has addressed issues critical to cloud security as outlined in the CCM.

• Has been assessed against the STAR Capability Maturity Model for the management of activities in CCM control areas.

European Union Model Clauses

Microsoft offers customers European Union (EU) Standard Contractual Clauses that provide contractual guarantees around transfers of personal data outside of the EU.

Microsoft is the first company to receive joint approval from the EU's Article 29 Working Party that the contractual privacy protections Azure delivers to its enterprise cloud customers meet current EU standards for international transfers of data. Meeting this standard ensures that Azure customers can use Microsoft services to move data freely through Microsoft's cloud, from Europe to the rest of the world.


Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that regulates patient Protected Health Information (PHI).

Azure offers customers a HIPAA Business Associate Agreement (BAA), which stipulates adherence to certain security and privacy provisions in HIPAA and the HITECH Act. To assist customers in their individual compliance efforts, Microsoft offers a BAA to Azure customers as a contract addendum.


International Organization for Standardization/International Electrotechnical Commission 27018

Microsoft is the first cloud provider to have adopted the ISO/IEC 27018 code of practice, which covers the processing of personal information by cloud service providers.

Multi-Tier Cloud Security Singapore

After rigorous assessments conducted by the Multi-Tier Cloud Security (MTCS) Certification Body, Microsoft cloud services received MTCS SS 584:2013 Certification across all three service classifications:

• Infrastructure as a service (IaaS)

• Platform as a service (PaaS)

• Software as a service (SaaS)

Microsoft is the first global cloud solution provider to receive this certification across all three classifications.

Service Organization Controls 1, 2, and 3

Microsoft-covered cloud services are audited at least annually against the Service Organization Controls (SOC) report framework by independent third-party auditors.

The Microsoft cloud services audit covers controls for data security, availability, processing integrity, and confidentiality as applicable to in-scope trust principles for each service.

National Institute of Standards and Technology Cybersecurity Framework

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risks.

Microsoft cloud services have undergone independent, third-party Federal Risk and Authorization Management Program (FedRAMP) Moderate and High Baseline audits and hold FedRAMP authorizations at those levels.

Additionally, through a validated assessment performed by the Health Information Trust Alliance (HITRUST), a leading security and privacy standards development and accreditation organization, Office 365 is certified to the objectives specified in the NIST CSF.


United Kingdom Government G-Cloud

The United Kingdom (UK) Government G-Cloud is a cloud computing certification for services used by government entities in the United Kingdom. Azure has received official accreditation from the UK government.


5.4.3 Access the Microsoft Privacy Statement, the Online Services Terms, and the Data Protection Addendum

In this part, you learn how the Microsoft Privacy Statement, the Online Services Terms, and the Data Protection Addendum explain the personal data Microsoft collects, how Microsoft uses it, and for what purposes.

For Tailwind Traders, understanding Microsoft's commitment to privacy helps ensure that their customer and application data will be protected.


Let's continue with a brief look at the Microsoft Privacy Statement and where to find it.

What's in the Microsoft Privacy Statement?

The Microsoft Privacy Statement explains what personal data Microsoft collects, how Microsoft uses it, and for what purposes.

The privacy statement covers all of Microsoft's services, websites, apps, software, servers, and devices. This list ranges from enterprise and server products to devices that you use in your home to software that students use at school.

Microsoft's privacy statement also provides information that's relevant to specific products such as Windows and Xbox.


What's in the Online Services Terms?

The Online Services Terms (OST) is a legal agreement between Microsoft and the customer. The OST details the obligations by both parties with respect to the processing and security of customer data and personal data. The OST applies specifically to Microsoft's online services that you license through a subscription, including Azure, Dynamics 365, Office 365, and Bing Maps.


What is the Data Protection Addendum?

The Data Protection Addendum (DPA) further defines the data processing and security terms for online services. These terms include:

  • Compliance with laws.

  • Disclosure of processed data.

  • Data Security, which includes security practices and policies, data encryption, data access, customer responsibilities, and compliance with auditing.

  • Data transfer, retention, and deletion.

To access the DPA:

1. Go to the Licensing Terms and Documentation.

2. In the search bar, enter DPA.

3. From the search results, locate the link to the DPA in your preferred language.

Alternatively, in the search bar that appears, enter your preferred language to filter the results.

Transparency is important when it comes to how a cloud provider communicates its privacy policies and how it treats your data. The Microsoft Privacy Statement, the OST, and the DPA detail Microsoft's commitment to protecting data and privacy in the cloud.


5.4.4 Explore the Trust Center

Tailwind Traders needs to stay up to date on the latest security standards for protecting its data. Today, the security team needs to verify whether Azure meets ISO 27001, a commonly used information security standard. Where can the company access this information?

The Trust Center showcases Microsoft's principles for maintaining data integrity in the cloud and how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services. The Trust Center is an important part of the Microsoft Trusted Cloud Initiative and provides support and resources for the legal and compliance community.

The Trust Center provides:

  • In-depth information about security, privacy, compliance offerings, policies, features, and practices across Microsoft cloud products.

  • Additional resources for each topic.

  • Links to the security, privacy, and compliance blogs and upcoming events.

The Trust Center is a great resource for other people in your organization who might play a role in security, privacy, and compliance. These people include business managers, risk assessment and privacy officers, and legal compliance teams.

Explore the Trust Center

As an optional exercise, let's take a brief look at the Trust Center's entry for ISO 27001.

Access to the Trust Center doesn't require an Azure subscription or a Microsoft account.

1. Go to the Trust Center.

2. Locate the Additional resources section on the page. Under Compliance offerings, select Learn more.

You're taken to Microsoft compliance offerings.

The offerings are grouped into four categories: Global, US Government, Industry, and Regional.

3. Under Global, select ISO 27001.

The ISO 27001 Information Security Management Standards page is typical of the type of compliance information Microsoft provides.

4. Briefly review the documentation for ISO/IEC 27001.

You see:

        • An overview of the standard.

        • Which cloud services are in scope.

        • An overview of the audit cycle and links to audit reports.

        • Answers to frequently asked questions.

        • Additional resources and white papers.

The areas of documentation for other compliance offerings will vary, but this format is the typical one that you'll find.


5.4.5 Access Azure compliance documentation

Here, you learn how to access detailed documentation about legal and regulatory standards and compliance on Azure.

E-commerce is an important part of Tailwind Traders' sales strategy. Its online retail store enables customers to easily browse and order products. Customers typically pay by credit card, so Tailwind Traders has a responsibility under the Payment Card Industry (PCI) Data Security Standard (DSS). This global standard, known as PCI DSS, seeks to prevent fraud through increased control of credit card data. The standard applies to any organization that stores, processes, or transmits payment and cardholder data.

You've been tasked with investigating whether hosting the company's e-commerce application on Azure would be compliant with PCI DSS. You start with the Azure compliance documentation.

What is the Azure compliance documentation?

The Azure compliance documentation provides you with detailed documentation about legal and regulatory standards and compliance on Azure.

Here you find compliance offerings across these categories:

  • Global

  • US government

  • Financial services

  • Health

  • Media and manufacturing

  • Regional

There are also additional compliance resources, such as audit reports, privacy information, compliance implementations and mappings, and white papers and analyst reports. Country and region privacy and compliance guidelines are also included. Some resources might require you to be signed in to your cloud service to access them.


Examine PCI DSS compliance

The legal team at Tailwind Traders wants to learn more about how PCI DSS relates to the company's e-commerce application on Azure.

As an optional exercise, you can follow along at https://docs.microsoft.com/en-us/azure/compliance/ (the Azure compliance documentation).

1. Go to the Azure compliance documentation.

2. Under Financial services, select PCI DSS.

There you see:

        • An overview of the PCI DSS standard.

        • How PCI DSS applies to Microsoft.

        • Which cloud services are in scope.

        • An overview of the audit cycle.

        • Answers to frequently asked questions.

        • Additional resources and white papers.


Access additional compliance resources

From the Azure compliance documentation, you can access additional compliance resources.

For example, from the Audit reports section, you find a link to audit reports for PCI DSS.

From there, you can access several different files, including the Attestation of Compliance reports and the PCI DSS Shared Responsibility Matrix.

Under Compliance blueprints, you find reference blueprints, or policy definitions, for common standards that you can apply to your Azure subscription. The PCI DSS blueprint deploys a core set of policies that map to PCI DSS compliance and help you govern your Azure workloads against this standard.

You can then see if the Azure resources in your application architecture have been configured correctly for PCI DSS compliance, or which resources you need to remediate.
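The compliance check described above, as an added Azure PowerShell example that is not part of the original notes. Instead of deploying the blueprint, it assigns the built-in PCI DSS policy initiative directly with Azure Policy (the policy definitions are what the blueprint deploys; the blueprint is only a wrapper around them) and then lists the resources that are non-compliant. It assumes Az.Resources and Az.PolicyInsights, a signed-in session with rights to assign policy at subscription scope, and that the built-in initiative's display name starts with "PCI"; that match and the location used for the managed identity are assumptions, not values from the page.

```powershell
# Added example (not from the original notes). Assumes Az.Resources,
# Az.PolicyInsights and a signed-in session that can assign policy at
# subscription scope. The 'PCI*' display-name match is an assumption;
# confirm the exact initiative with: Get-AzPolicySetDefinition -Builtin
$subId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subId"

# Find the built-in PCI DSS initiative by display name. Older Az.Resources
# versions expose DisplayName under .Properties; newer ones expose it at
# the top level, so check both.
$initiative = Get-AzPolicySetDefinition -Builtin | Where-Object {
    ($_.Properties.DisplayName -like 'PCI*') -or ($_.DisplayName -like 'PCI*')
} | Select-Object -First 1
if (-not $initiative) { throw 'No built-in PCI DSS initiative found' }

# Assign at subscription scope. Controls with DeployIfNotExists/Modify
# effects need a managed identity to remediate, hence the identity and location.
$assignment = New-AzPolicyAssignment -Name 'pci-dss' -DisplayName 'PCI DSS controls' `
    -Scope $scope -PolicySetDefinition $initiative -IdentityType SystemAssigned -Location 'eastus'

# Evaluation normally runs on a schedule; force one now so the report is fresh.
Start-AzPolicyComplianceScan -PassThru | Out-Null

# One row per resource / policy definition pair that is non-compliant:
# this is the remediation list.
Get-AzPolicyState -PolicyAssignmentName $assignment.Name -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, PolicyDefinitionReferenceId |
    Sort-Object ResourceId | Format-Table -AutoSize

# Roll-up counts for the assignment, suitable for a periodic check.
(Get-AzPolicyStateSummary -PolicyAssignmentName $assignment.Name).Results
```

A non-compliant row here does not by itself mean a PCI DSS finding; it means an Azure resource deviates from the control the initiative maps to that requirement. The mapping is the PCI DSS Shared Responsibility Matrix mentioned above, and the customer-side obligations in it still have to be met outside Azure Policy.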

Because standards evolve, the Tailwind Traders team should check the audit report periodically to pick up any recent changes to the scope or status of Azure's attestation.


5.4.6 What is Azure Government?

Azure Government is a separate instance of the Microsoft Azure service. It addresses the security and compliance needs of US federal agencies, state and local governments, and their solution providers. Azure Government offers physical isolation from non-US government deployments and provides screened US personnel.

Azure Government services handle data that is subject to certain government regulations and requirements:

  • Federal Risk and Authorization Management Program (FedRAMP)

  • National Institute of Standards and Technology (NIST) SP 800-171 Defense Industrial Base (DIB)

  • International Traffic in Arms Regulations (ITAR)

  • Internal Revenue Service (IRS) 1075

  • Department of Defense (DoD) Impact Level 4 (IL4)

  • Criminal Justice Information Service (CJIS)

To provide the highest level of security and compliance, Azure Government uses physically isolated datacenters and networks located only in the US. Azure Government customers, such as the US federal, state, and local government or their partners, are subject to validation of eligibility.

Azure Government provides the broadest compliance coverage and holds a DoD Impact Level 5 (IL5) provisional authorization. Azure Government is available in eight geographies and offers the most compliance certifications of any cloud provider.


5.4.7 What is Azure China 21Vianet?

Azure China 21Vianet is operated by 21Vianet. It's a physically separated instance of cloud services located in China. Azure China 21Vianet is independently operated and transacted by Shanghai Blue Cloud Technology Co., Ltd. ("21Vianet"), a wholly owned subsidiary of Beijing 21Vianet Broadband Data Center Co., Ltd.

According to the China Telecommunication Regulation, providers of cloud services, infrastructure as a service (IaaS) and platform as a service (PaaS), must have value-added telecom permits. Only locally registered companies with less than 50 percent foreign investment qualify for these permits. To comply with this regulation, the Azure service in China is operated by 21Vianet, based on the technologies licensed from Microsoft.

As the first foreign public cloud service provider offered in China in compliance with government regulations, Azure China 21Vianet provides world-class security as discussed on the Trust Center, as required by Chinese regulations for all systems and applications built on its architecture.

Azure products and services available in China

The Azure services are based on the same Azure, Office 365, and Power BI technologies that make up the Microsoft global cloud service, with comparable service levels. Azure agreements and contracts in China, where applicable, are signed between customers and 21Vianet.

Azure includes the core components of IaaS, PaaS, and software as a service (SaaS). These components include network, storage, data management, identity management, and many other services.

Azure China 21Vianet supports most of the same services that global Azure has, such as geosynchronous data replication and autoscaling. Even if you already use global Azure services, to operate in China you might need to rehost or refactor some or all your applications or services.


5.4.8 Knowledge check

1. Where can the team access details about the personal data Microsoft processes and how the company processes it, including for Cortana?

o Microsoft Privacy Statement (correct)

  The Microsoft Privacy Statement provides information that's relevant to specific services, including Cortana.

o The Azure compliance documentation

o Microsoft compliance offerings

2. Where can the legal team access information around how the Microsoft cloud helps them secure sensitive data and comply with applicable laws and regulations?

o Microsoft Privacy Statement

o Trust Center (correct)

  The Trust Center is a great resource for people in your organization who might play a role in security, privacy, and compliance.

o Online Services Terms

3. Where can the IT department find reference blueprints that it can apply directly to its Azure subscriptions?

o Online Services Terms

o Azure compliance documentation (correct)

  The compliance documentation provides reference blueprints, or policy definitions, for common standards that you can apply to your Azure subscription.

o Microsoft Privacy Statement



5.4.9 Summary

In this module, you learned about Microsoft's approach to privacy, security, and compliance. You explored resources specific to online services, including Azure, and how governments can use Azure to meet their specific security and compliance needs.

The security team at Tailwind Traders now has a better understanding of what resources are available to help it protect its data in the cloud and stay compliant:

  • The Microsoft Privacy Statement provides trust in how Microsoft collects, protects, and uses customer data.

  • The Trust Center provides you with documentation about compliance standards and how Azure can support your business.

  • The Azure compliance documentation includes detailed information about legal and regulatory standards and compliance on Azure.

Keep in mind that compliance status for Azure products and services doesn't automatically translate to compliance for the service or application you build or host on Azure. You're responsible for ensuring that you achieve compliance with the legal and regulatory standards that you must follow.

Most services are the same on both Azure Government and global Azure. But there are some differences that you should be aware of. To learn more, compare Azure Government and global Azure.


Source

Microsoft Learning, Feb 2021. For latest update please visit the original site.