Azure Security
Azure Security Center
A monitoring service that provides visibility into your security posture across all of your services, both on Azure and on-premises.
Automatically apply required security settings to new resources as they come online.
Provide security recommendations that are based on your current configurations, resources, and networks.
Continuously monitor your resources and perform automatic security assessments to identify potential vulnerabilities before those vulnerabilities can be exploited.
Use machine learning to detect and block malware from being installed on your virtual machines (VMs) and other resources. You can also use adaptive application controls to define rules that list allowed applications to ensure that only applications you allow can run.
Detect and analyze potential inbound attacks and investigate threats and any post-breach activity that might have occurred.
Provide just-in-time access control for network ports. Doing so reduces your attack surface by ensuring that the network only allows traffic that you require at the time that you need it to.
Azure Sentinel
Collect and act on security data from many different sources
Detect previously undetected threats - Minimize false positives by using Microsoft's comprehensive analytics and threat intelligence.
Investigate threats with artificial intelligence - Examine suspicious activities at scale, tapping into years of cybersecurity experience from Microsoft.
Respond to incidents rapidly - Use built-in orchestration and automation of common tasks.
Azure Key Vault
Manage secrets - You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
Manage encryption keys - You can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys that are used to encrypt your data.
Manage SSL/TLS certificates - Key Vault enables you to provision, manage, and deploy your public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for both your Azure resources and your internal resources.
Store secrets backed by hardware security modules (HSMs) - These secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.
Cloud Services
Serverless
IaaS
Cloud-based VMs, etc.
PaaS
Operating system
SQL DBMS as a service, etc.
SaaS
Email as a service, etc.
BaaS - Backup as a Service
DaaS - Database as a Service
IDaaS - Identity and Access as a Service
....
Cloud types
Private
Single tenant/client
AKA on-premises cloud
Access over private network (Verify it)
Public
Multi-tenant/client cloud
Hybrid
Mix of public and private
Cloud distributions
Regions
Collection of data centers
Each region is paired with another region in the same geography; only one region of a pair is updated at a time
Availability zone
It is within a region
Not all regions have availability zones
Protects against data center failure
Availability set
Multiple VMs spread across separate hardware to handle any hardware issue
Azure resource
Azure compute
Virtual machine
Azure container instance (ACI)
AKS (Azure Kubernetes Service)
Windows Virtual Desktop
Azure Function -> Similar to AWS Lambda (Serverless)
Azure networking
Virtual network
Isolate and segment virtual resources
Contained to a single region
If you need to connect different regions, use VNET peering or a VPN gateway
VPN Gateway
Can be used to connect on-premise with cloud
Can be used to connect two regions
Number of connections allowed depends on the SKU you choose
Virtual network peering
To connect virtual networks (VNETs) in the same region
ExpressRoute
Provides private connectivity to the cloud
Azure storage resources
Blob
Stores unstructured data, like audio/video/documents
Disk
Provides persistent storage
Types
Operating system disk
Data disk
File
To share files. Like an S3 bucket in AWS??
Uses the SMB (Server Message Block) protocol
Shares can be mounted to a system (VM??)
Table??
Queue??
Azure Database
Cosmos DB
Globally distributed
Automatically replicate data closer to the user
Azure SQL
DaaS
Highly available
Automatic backup
Azure MySQL
Azure PostgreSQL
SQL managed instance
Fully managed (PaaS)
Evergreen deployment - always on the latest version
Data access tiers
Hot tier
Highest cost
Least latency
Cold tier
Lowest cost
High access latency
Archive tier
Data must not be accessed within 30 days
Access can take hours or even days
Subscription model
Types
Pay as you use
Free account
12 months, $260 credits per month, over 25 free services
RBAC is used for managing access as per subscription policy
Resource group
Bundle of resources
Resources placed in a resource group should have the same lifetime as the resource group
If a resource group is deleted, all associated resources are deleted by the system by default
Resource group access tools
PowerShell
Azure Portal
Azure CLI
REST client
Azure Marketplace
A place where partners, solution providers and independent software vendors can offer customized solutions
Big data analytics
HDInsight
Azure Databricks
Machine learning/Cognitive services
Vision
Speech
Language
Decision
Search
Azure Bot services
Understand speech and natural language to answer questions
Azure solution architect
Subject matter expertise in designing cloud and hybrid solutions
networking
compute
storage
security
migration
Business continuity
Tenant handling
Tenant Root group ---> Management groups ----> Subscription groups -----> Resource groups -------> Resource
Example
Tenant Root group ---> (Tailwinds--> Sales, corporate, IT-->Production) ----> Subscription groups -----> Resource groups -------> Resource
Types of Tenants
Security
Privacy
Compliance
Transparency
Tips for management group
Reduce the number of levels
Each level should have unique names
Tips for resource group
Group resources which have the same life cycle
Group by type, app, department, etc.
Apply RBAC and policies to the group
Use a resource lock to prevent individual resources from deletion or change
Tag resources
Tips for subscription
Consider a dedicated shared-services subscription for common services that everyone shares
Subscriptions should be separate for the various environments - Dev, QA, Production
Tips for resource policy
Apply tags to resources first
Create a policy to validate the naming convention for management/resource groups
Use an initiative to combine policies
Azure Blueprint -> It consists of
ARM (Azure Resource Manager) templates
Provides infrastructure as code
It is a JSON file
Resource groups
RBAC
Policy definitions
Azure Network Security
Defense in Depth
Contains seven layers
Network Security Group
It allows or denies network traffic to and from resources in an Azure VNet subnet
Rules are evaluated in priority order (lowest number first); the first matching rule decides and no further rules are checked
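As an added example (not from these notes and not Microsoft's code), the following Python model shows how the priority-order evaluation works: rules are sorted by priority, the first match wins, and the three built-in default inbound rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500, which are real) catch anything the custom rules did not. The custom rules, source addresses and the service-tag prefixes are constructed for the demonstration; real service tags are maintained by Azure. The second rule set shows the common mistake the priority order makes possible: an "allow admins" rule numbered after a broader deny is never reached.

```python
"""Model of NSG inbound rule evaluation (added example, not Microsoft code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules use 100-4096; lower number is evaluated first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR prefix, "*" or one of the service tags modelled below
    dest_port: str  # single port "443", range "1000-2000" or "*"


# Default inbound rules Azure attaches to every NSG (real names and priorities).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Constructed, simplified service-tag mapping (assumption: a /16 VNet, the well-known
# load-balancer probe address). Real tags are resolved by the platform.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

# Constructed custom rule set: web open to the internet, RDP only from an admin range.
CUSTOM_RULES = [
    Rule("Allow-HTTPS-Internet", 100, "Allow", "Tcp", "Internet", "443"),
    Rule("Allow-RDP-Admin", 150, "Allow", "Tcp", "203.0.113.0/24", "3389"),
    Rule("Deny-RDP-Internet", 200, "Deny", "Tcp", "Internet", "3389"),
]

# Same intent, but the admin allow is numbered after the deny, so it is shadowed.
SHADOWED_RULES = [
    Rule("Allow-HTTPS-Internet", 100, "Allow", "Tcp", "Internet", "443"),
    Rule("Deny-RDP-Internet", 200, "Deny", "Tcp", "Internet", "3389"),
    Rule("Allow-RDP-Admin", 300, "Allow", "Tcp", "203.0.113.0/24", "3389"),
]


def _src_matches(rule_src: str, src_ip: str) -> bool:
    ip = ip_address(src_ip)
    if rule_src == "*":
        return True
    if rule_src == "Internet":  # simplified: anything outside the VNet address space
        return not any(ip in ip_network(p) for p in SERVICE_TAGS["VirtualNetwork"])
    prefixes = SERVICE_TAGS.get(rule_src, [rule_src])  # tag or a literal CIDR
    return any(ip in ip_network(p) for p in prefixes)


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(x) for x in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port


def evaluate_inbound(custom_rules, src_ip: str, dest_port: int, protocol: str):
    """Return (access, rule_name) of the first matching rule, lowest priority first."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not _src_matches(rule.source, src_ip):
            continue
        if not _port_matches(rule.dest_port, dest_port):
            continue
        return rule.access, rule.name
    raise AssertionError("DenyAllInBound always matches, so this is unreachable")


if __name__ == "__main__":
    probes = [("198.51.100.7", 443), ("203.0.113.5", 3389), ("198.51.100.7", 3389),
              ("198.51.100.7", 22), ("10.0.1.4", 22)]
    for ip, port in probes:
        print(f"{ip}:{port} ->", evaluate_inbound(CUSTOM_RULES, ip, port, "Tcp"))
    # With the shadowed set the admin address is denied RDP by the earlier broad rule.
    print("shadowed admin RDP ->", evaluate_inbound(SHADOWED_RULES, "203.0.113.5", 3389, "Tcp"))
```

Running it shows that internal SSH on port 22 is admitted by the default AllowVnetInBound rule even though no custom rule mentions it, and that in SHADOWED_RULES the admin RDP allow never fires; when auditing an NSG, read the rules in priority order and check what each default rule will still admit after the custom ones.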
Azure Firewall
For example, allow traffic only to or from a specific FQDN
Azure DDoS protection
Architectural decision
Location - closer to user
Replication
Cost
Compliance
Administrative overhead
Security
Refer to https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/decision-guides/
Azure Identity Service
RBAC
Resource lock
Cannot-delete lock (CanNotDelete) - resources can be read and modified but not deleted
Read-only lock (ReadOnly) - resources can be read but not modified or deleted
Azure cost management
Based on
Resource type
Services
Location
Cost reduction strategy
Reserved instances
Bring your own Windows license
Spot pricing
Cost estimation
Online pricing calculator
Total Cost of Ownership
Azure SLA
Connectivity guarantees
Frameworks
WAF (Well Architected Framework)
C- Cost Efficiency
O- Operational Excellence
CICD
Automation
....
R- Reliability
P- Performance
S- Security
CAF (Cloud Architecture Framework)
Define Strategy
Planning
Ready
Link - Azure Well-Architected Review - Assessments | Microsoft Docs
Microsoft Azure Well-Architected Framework
Migration
Lift and shift approach
Database
Structured data
SQL
Semi-structured data -> It can be stored in blob or NoSQL storage
JSON
YAML
Unstructured data -> It can be stored in blob or NoSQL storage
Video
Audio
Image
Use caching, network acceleration, and sharding for performance
BLOB -> Binary Large Object
Azure SQL storage
SQL virtual machine
Single instance
Instance pool
Single database
Elastic Pool
Azure Messaging
Azure Queue storage
Service bus publish-subscribe topics
Like Azure Queue storage, but between multiple producers and multiple consumers