Azure Functions ("Functions") for Event-Driven Workloads.
Purpose: Running small pieces of code (functions) in response to events like changes in data, timers, or HTTP requests without managing infrastructure.
Steps: (6)
Create Function App: In Azure Portal or using Azure CLI, create a Function App, choosing the hosting plan (Consumption, Premium, or Dedicated), runtime stack, and region.
Write Function Code: Develop your function in the language of your choice (e.g., C#, JavaScript, Python). Functions can be written in the portal editor for quick experiments, or locally with Azure Functions Core Tools, Visual Studio, or VS Code and deployed through an Azure DevOps or GitHub Actions pipeline.
Configure Triggers: Set up triggers for your function like HTTP, Blob storage changes, queues, timers, etc., based on the event you need to respond to. HTTP triggers carry an authorization level (anonymous, function, or admin): leave an endpoint anonymous only when the function authenticates the caller itself, for example by verifying a provider's webhook signature.
Integration: Connect your functions to other Azure services or external APIs if necessary for data processing or integration. Use the Function App's managed identity for Azure services, and keep any remaining secrets in Key Vault references rather than plain app settings.
Test and Deploy: Test your functions locally (Core Tools emulate the host) or in Azure, then deploy. Use deployment slots to swap a staging slot into production for zero-downtime releases where the hosting plan supports them.
Monitor and Log: Utilize Application Insights for monitoring performance, usage, and errors. Set up alerts for critical conditions.
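The HTTP-trigger authorization point above, as an added example that is not part of the original page: an HTTP-triggered function (Python v2 programming model) that accepts a webhook from a sender which cannot carry a function key, so the trigger is anonymous and the function verifies an HMAC-SHA256 signature itself, with a bounded replay window and a constant-time comparison. The header names, the "<timestamp>.<body>" signing scheme and the WEBHOOK_SECRET app setting are assumptions chosen for the example; the verification logic is kept separate from the host binding so it runs and can be tested without the Functions SDK installed.

```python
"""Added example: HMAC-verified HTTP-triggered Azure Function (Python v2 model).
Not from the original page. Header names, the "<ts>.<body>" signing scheme and
the WEBHOOK_SECRET setting name are assumptions chosen for this example."""
import hashlib
import hmac
import os
import time
from typing import Mapping, Optional, Tuple

SIGNATURE_HEADER = "x-signature-256"  # assumed: "sha256=<hex>" over "<ts>.<body>"
TIMESTAMP_HEADER = "x-timestamp"      # assumed: unix seconds, set by the sender
MAX_SKEW_SECONDS = 300                # replays older than five minutes are rejected


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """Signature the sender is expected to attach: HMAC-SHA256 over "<ts>.<body>"."""
    mac = hmac.new(secret, timestamp.encode("ascii") + b"." + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify_webhook(headers: Mapping[str, str], body: bytes, secret: bytes,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Header lookup is case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    timestamp = lowered.get(TIMESTAMP_HEADER)
    presented = lowered.get(SIGNATURE_HEADER)
    if timestamp is None or presented is None:
        return False, "missing signature headers"
    try:
        ts = int(timestamp)
    except ValueError:
        return False, "malformed timestamp"
    current = time.time() if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"  # outside the replay window
    expected = compute_signature(secret, timestamp, body)
    # constant-time comparison: never compare MACs with ==
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    return True, "ok"


# Host binding, registered only when the Functions SDK is present so that the
# verification logic above can be exercised without the Functions host.
try:
    import azure.functions as func
except ImportError:
    func = None

if func is not None:
    app = func.FunctionApp()

    # ANONYMOUS because third-party senders cannot carry a function key; callers
    # you control should use AuthLevel.FUNCTION instead.
    @app.route(route="webhook", methods=["POST"], auth_level=func.AuthLevel.ANONYMOUS)
    def webhook(req: func.HttpRequest) -> func.HttpResponse:
        # WEBHOOK_SECRET is an app setting, ideally a Key Vault reference (assumed name)
        secret = os.environ["WEBHOOK_SECRET"].encode()
        ok, reason = verify_webhook(req.headers, req.get_body(), secret)
        if not ok:
            return func.HttpResponse(reason, status_code=401)
        return func.HttpResponse("accepted", status_code=202)
```

Binding the timestamp into the signed data is what makes the skew check meaningful: without it an attacker could replay a captured body with a fresh timestamp header and the MAC would still verify.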
References:
MFA & Security Defaults via Azure AD (now Microsoft Entra ID) Conditional Access.
BLUF: Deploying Multi-Factor Authentication (MFA) in Azure is done in Azure AD (renamed Microsoft Entra ID; the portal paths below use the older names), either through Conditional Access policies (granular, licensed) or through security defaults (tenant-wide, free). The two are mutually exclusive: security defaults must be off before Conditional Access policies can be created. Here's how to do it:
STEPS (Conditional Access): (5) -- (1 of 2)
Step 1: Ensure Azure AD Setup.
Azure AD Subscription: Confirm the tenant's licensing supports the MFA method you want. Azure AD Free includes security defaults and basic per-user MFA; Conditional Access needs Azure AD Premium P1, and risk-based conditions and the Identity Protection registration policy need P2.
Step 2: Decide on MFA Method.
Per-User MFA: The legacy option; still available, but Microsoft steers tenants toward Conditional Access, and it is the only mode that uses app passwords.
Conditional Access Policies: Recommended for fine-grained control (who, which apps, from where, on what device); requires Azure AD Premium P1 (risk-based conditions need P2).
Security Defaults: For organizations that want a baseline with no customization (Azure AD Free and above). Enforces MFA registration and administrator MFA, blocks legacy authentication, and has no per-user exclusions.
Step 3: For Conditional Access Policies:
Configure Conditional Access
Navigate to Azure Portal: Go to portal.azure.com and sign in with an account that has at least Conditional Access Administrator permissions.
Access Conditional Access: -- Go to Azure Active Directory > Security > Conditional Access.
Create a New Policy:
Click on New policy;
Name: Give your policy a descriptive name;
Assignments:
Users and groups: Select which users or groups this policy applies to. Exclude at least one emergency-access (break-glass) account, or a mistake in this policy can lock every administrator out of the tenant.
Cloud apps or actions: Choose All cloud apps or specific applications.
Conditions: Optionally configured based on sign-in risk, device platforms, locations, etc.
Access Controls:
Grant: Choose Grant access, check Require multi-factor authentication, and click Select.
Enable Policy:
Set Enable policy to Report-only first, then to On once the sign-in logs show it matches only the sessions you expect, and click Create.
Step 4: Configure MFA Settings.
Authentication Methods: Go to Azure Active Directory > Security > Authentication methods to enable and scope methods. Prefer Microsoft Authenticator (push with number matching) or passkeys/FIDO2 over SMS and voice call, which are weaker against phishing and SIM swapping.
Step 5: User Registration.
MFA Registration Policy (requires Azure AD Premium P2):
Go to Azure Active Directory > Security > Identity Protection > MFA registration policy.
Enable this policy to require users to register for MFA methods. Users will be prompted to register at their next sign-in. Without P2, users are instead prompted to register the first time a Conditional Access policy demands MFA from them.
STEPS (For Security Defaults): (3) -- (2 of 2)
Enable Security Defaults
Navigate to Azure Portal: Log in with at least a Security Administrator account.
Access Azure AD Properties:
Go to Azure Active Directory > Properties.
Click on Manage security defaults.
Enable Security Defaults:
Set Security defaults to Enabled. This requires every user to register for MFA within 14 days, requires MFA for administrators and whenever the service deems it necessary (for example from a new device), and blocks legacy authentication, tenant-wide and with no exclusions. If you need exclusions or any other conditions, use Conditional Access instead, and disable security defaults first, since the two cannot coexist.
Additional Considerations:
User Communication: Ensure users are informed about the MFA requirement and trained on how to register and use it.
Testing: Test your policies with a small group or in a test tenant before applying to the whole organization to avoid lockouts.
Monitoring: Use Azure AD sign-in logs to monitor MFA usage and troubleshoot issues.
Legacy Authentication: Protocols such as basic-auth IMAP, POP3 and SMTP AUTH cannot perform MFA, so make sure the MFA policy covers every client app type and add a Conditional Access policy that blocks the Exchange ActiveSync and Other clients app types outright (check the sign-in logs' Client app column first to find what still depends on them). Security defaults block legacy authentication automatically. App passwords exist only for the legacy per-user MFA mode and are a workaround, not a fix.
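The Conditional Access steps above and the legacy-authentication caveat, as an added example that is not from the original page: the two policies expressed in the Microsoft Graph conditionalAccessPolicy schema (the same objects the portal creates), with a pre-flight lint for the mistakes that cause lockouts. The policy names and the break-glass object ID are placeholders; pushing the JSON to the Graph endpoint is assumed to be done with an account holding Policy.ReadWrite.ConditionalAccess.

```python
"""Added example: Conditional Access policies in the Microsoft Graph
conditionalAccessPolicy schema, plus a pre-flight lint. Not from the original
page. Names and the break-glass object ID are placeholders. POST the rendered
JSON to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies."""
import json
from typing import Dict, List

BREAK_GLASS_USERS = ["00000000-0000-0000-0000-000000000001"]  # placeholder object ID

REPORT_ONLY = "enabledForReportingButNotEnforced"  # observe in sign-in logs first


def require_mfa_policy(name: str, exclude_users: List[str], report_only: bool = True) -> Dict:
    """Require MFA for all users on all cloud apps, excluding emergency-access accounts."""
    return {
        "displayName": name,
        "state": REPORT_ONLY if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],  # includes legacy clients, which then fail MFA
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def block_legacy_auth_policy(name: str, exclude_users: List[str], report_only: bool = True) -> Dict:
    """Block the client app types that cannot perform MFA (basic-auth IMAP/POP/SMTP, EAS)."""
    return {
        "displayName": name,
        "state": REPORT_ONLY if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_policy(policy: Dict) -> List[str]:
    """Findings that should stop a policy from being switched to 'enabled'."""
    findings = []
    users = policy["conditions"]["users"]
    client_apps = policy["conditions"]["clientAppTypes"]
    controls = policy["grantControls"]["builtInControls"]
    if "All" in users.get("includeUsers", []) and not users.get("excludeUsers"):
        findings.append("targets all users with no emergency-access exclusion")
    if "block" in controls and client_apps == ["all"]:
        findings.append("blocks every client app type: this locks out the whole tenant")
    if "mfa" in controls and "all" not in client_apps:
        findings.append("MFA requirement leaves some client app types uncovered")
    return findings


def render(policy: Dict) -> str:
    """Request body for the Graph POST; raises if the lint has findings."""
    problems = lint_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for p in (require_mfa_policy("CA001 Require MFA for all users", BREAK_GLASS_USERS),
              block_legacy_auth_policy("CA002 Block legacy authentication", BREAK_GLASS_USERS)):
        print(render(p))
```

Both policies are emitted in report-only state; switching `"state"` to `"enabled"` is the last step, after the sign-in logs confirm only the expected sessions are affected, which mirrors the Report-only-then-On sequence in the portal steps.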
Blob Storage for Data Archiving.
Purpose: Storing large amounts of unstructured data like documents, images, videos, or backups that need to be accessed via HTTP or HTTPS.
Steps: (6)
Create a Storage Account: In the Azure portal, create a new storage account specifying the performance tier (Standard or Premium), redundancy options (LRS, ZRS, GRS, etc.), and default access tier (Hot, Cool, Archive). On the Advanced tab set the minimum TLS version to 1.2, keep "Secure transfer required" on, and disable "Allow blob anonymous access" unless a container genuinely must be public.
Configure Blob Containers: Within the storage account, create blob containers to organize data. Leave the anonymous access level at Private; the Blob and Container levels publish contents to anyone holding the URL. For archives that must not be altered, consider an immutability policy (time-based retention or legal hold) on the container.
Upload Data: Use Azure Storage Explorer, Azure CLI, or SDKs to upload your data to the containers. You can automate this with Azure Data Factory for large-scale data ingestion.
Manage Access: Grant Azure RBAC data-plane roles (Storage Blob Data Reader/Contributor) to identities, preferably managed identities, and disable shared-key access where nothing needs the account keys. Where a SAS is unavoidable, prefer a user-delegation SAS (signed with an Entra identity and revocable by revoking the delegation key) over an account-key SAS, with the narrowest permissions, a short expiry, HTTPS only and a source IP range where possible.
Lifecycle Management: Configure lifecycle management policies to automatically move data between different access tiers or delete old data to manage costs.
Monitoring: Use Azure Monitor to track blob storage metrics like capacity, transactions, and availability.
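An added example, not from the original page, covering the account-settings, access and lifecycle steps above: an audit of the storage-account properties that expose archived blobs, plus a builder for a lifecycle rule in the management-policy format. Input is the ARM `properties` object of a Microsoft.Storage/storageAccounts resource (what `az resource show` or Azure Resource Graph return); the two sample accounts are constructed for the example and their names are placeholders.

```python
"""Added example (not from the original page): audit storage-account settings
that expose archived blobs, and build a lifecycle rule for archive tiering.
Input is the ARM `properties` object of a Microsoft.Storage/storageAccounts
resource; SAMPLE_ACCOUNTS below is constructed for the example."""
import json
from typing import Dict, List

TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}


def audit_storage_account(name: str, props: Dict) -> List[str]:
    """Findings for settings that expose data or weaken transport security.
    A missing property is treated as the unsafe value so gaps are not hidden."""
    findings = []
    if props.get("allowBlobPublicAccess", True):
        findings.append(f"{name}: anonymous blob access allowed at account level")
    if TLS_ORDER.get(props.get("minimumTlsVersion", "TLS1_0"), 0) < TLS_ORDER["TLS1_2"]:
        findings.append(f"{name}: minimum TLS version below 1.2")
    if not props.get("supportsHttpsTrafficOnly", False):
        findings.append(f"{name}: plain HTTP transfers allowed")
    if props.get("allowSharedKeyAccess", True):
        findings.append(f"{name}: shared-key auth enabled; prefer RBAC and user-delegation SAS")
    acls = props.get("networkAcls") or {}
    if props.get("publicNetworkAccess", "Enabled") == "Enabled" and acls.get("defaultAction") != "Deny":
        findings.append(f"{name}: reachable from any network; add firewall rules or a private endpoint")
    return findings


def audit_all(accounts: Dict[str, Dict]) -> Dict[str, List[str]]:
    return {name: audit_storage_account(name, props) for name, props in accounts.items()}


def lifecycle_rule(name: str, prefix: str, cool_days: int, archive_days: int, delete_days: int) -> Dict:
    """Management-policy rule: block blobs under `prefix` go Hot -> Cool -> Archive -> deleted."""
    if not cool_days < archive_days < delete_days:
        raise ValueError("tier thresholds must increase: cool < archive < delete")
    return {
        "enabled": True,
        "name": name,
        "type": "Lifecycle",
        "definition": {
            "filters": {"blobTypes": ["blockBlob"], "prefixMatch": [prefix]},
            "actions": {"baseBlob": {
                "tierToCool": {"daysAfterModificationGreaterThan": cool_days},
                "tierToArchive": {"daysAfterModificationGreaterThan": archive_days},
                "delete": {"daysAfterModificationGreaterThan": delete_days},
            }},
        },
    }


def management_policy_json(rules: List[Dict]) -> str:
    """Body for: az storage account management-policy create ... --policy @policy.json"""
    return json.dumps({"rules": rules}, indent=2)


# Constructed sample: one hardened archive account, one left on the old defaults.
SAMPLE_ACCOUNTS = {
    "archivesa": {"allowBlobPublicAccess": False, "minimumTlsVersion": "TLS1_2",
                  "supportsHttpsTrafficOnly": True, "allowSharedKeyAccess": False,
                  "publicNetworkAccess": "Enabled", "networkAcls": {"defaultAction": "Deny"}},
    "legacysa": {"allowBlobPublicAccess": True, "minimumTlsVersion": "TLS1_0",
                 "supportsHttpsTrafficOnly": True, "allowSharedKeyAccess": True,
                 "publicNetworkAccess": "Enabled", "networkAcls": {"defaultAction": "Allow"}},
}

if __name__ == "__main__":
    for account, findings in audit_all(SAMPLE_ACCOUNTS).items():
        print(account, findings or "OK")
    print(management_policy_json([lifecycle_rule("archive-tiering", "archive/", 30, 90, 365)]))
```

The audit deliberately reports a missing property as a finding: a resource export that lacks `allowSharedKeyAccess` is usually an old account created before the setting existed, which is exactly the one to look at.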
References:
Deploy VMs 101.
BLUF: This process ensures that your VM is not only deployed but also configured to meet your operational needs in terms of performance, security, and manageability.
Purpose:
Application Hosting: Deploying applications that require specific OS configurations or software not supported by Azure App Services.
Development and Testing: Providing isolated environments for software development, testing, or staging.
Legacy System Migration: Migrating on-premises systems to the cloud for scalability, reliability, or compliance reasons.
High Performance Computing: For workloads requiring intensive CPU, memory, or specialized hardware like GPUs.
Steps to Deploy a VM:
Plan Your VM Requirements:
Operating System: Decide if you need Windows or Linux, and whether to use an Azure Marketplace image or bring your own image.
Size: Choose the VM size based on CPU, memory, storage, and network performance requirements.
Networking: Decide if you need public IP, what network security rules to apply, and if the VM should be in an existing or new Virtual Network (VNet).
Create a Resource Group:
A resource group holds related resources so they can be managed, secured and deleted together. Navigate to the Azure portal, select "Resource groups," and create a new one or use an existing group.
Select VM Image:
In the Azure Marketplace or from your custom images, select the OS image you'll use for your VM.
Configure VM Basics:
Name: Give your VM a unique name.
Region: Choose the Azure region closest to your users or where your data needs to reside for compliance.
Authentication: Use an SSH public key for Linux (password logins invite brute forcing); Windows takes a username and password, so choose a long unique one and do not expose RDP to the Internet.
Size Selection:
Azure offers various VM sizes. Select one that matches your workload requirements from the list provided in the portal.
Configure Additional Settings:
Disks: Choose between standard HDDs or SSDs, configure OS disk type, and add data disks if necessary.
Networking: Configure or select VNet, subnet, public IP, and Network Security Group (NSG). Keep the inbound management ports (RDP 3389 for Windows, SSH 22 for Linux) closed to the Internet: reach the VM through Azure Bastion, a VPN, or just-in-time VM access, or at minimum restrict the rule's source to your own IP ranges. Expose only the application ports the workload needs.
Management: Enable boot diagnostics, OS guest diagnostics, auto-shutdown if needed for cost management, and backup options.
Review + Create:
Review all settings, ensure they meet your requirements, and then click "Create".
Deployment:
Azure will validate your configuration and deploy the VM. This process might take a few minutes.
Post-Deployment Tasks:
Connect to the VM: Use RDP (for Windows) or SSH (for Linux), over Bastion or your private network path, to log into your VM and perform initial configuration like installing applications or services.
Setup Monitoring: Use Azure Monitor to track VM health, performance, and set up alerts.
Security: Apply updates (Azure Update Manager can schedule them), configure the guest firewall, enable Microsoft Defender for Cloud's Defender for Servers plan for endpoint protection and vulnerability assessment, and give the VM a managed identity instead of storing credentials on it.
Backup and Disaster Recovery:
Configure Azure Backup for VM snapshots or use Azure Site Recovery for disaster recovery planning.
References:
Azure Documentation: Create a Windows virtual machine in the Azure portal
Azure Documentation: Create a Linux virtual machine in the Azure portal
Deploy Virtual Machines (VMs) for Application Hosting.
Purpose: Deploy applications or services requiring specific OS configurations or software unavailable through Azure App Services.
Steps: (6)
Select VM Size and OS: Choose the appropriate VM size based on your application needs (CPU, memory, storage, network performance) and select an operating system image from Azure Marketplace or your custom image.
Configure Network Settings: Set up a Virtual Network (VNet) if not already in place, configure subnets, and secure with Network Security Groups (NSGs). Assign a public IP only if direct external access is required; otherwise front the VM with a load balancer or application gateway and manage it over Bastion or a VPN.
Deploy the VM: Use Azure Portal, Azure CLI, Bicep/ARM templates or Terraform to deploy the VM. Define the inbound and outbound NSG rules in the same template so they are reviewed with the rest of the deployment.
Install and Configure Software: Connect over SSH or RDP to install your application or service. Configure any necessary software, services, and security patches; bake repeatable configuration into a custom image or a VM extension rather than doing it by hand.
Set Up Monitoring: Implement Azure Monitor to track VM performance, set up alerts for when thresholds are breached, and use Log Analytics for deeper insights.
Backup and Disaster Recovery: Configure Azure Backup for regular backups and consider Azure Site Recovery for disaster recovery scenarios.
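An added example, not from the original page, for the NSG inbound-rule steps in both VM sections above (it sits after the second because both need it): an audit that evaluates inbound rules the way the NSG does, ascending priority with the first match deciding and an implicit DenyAllInbound at the end, and reports which management ports are reachable from the Internet. Rule fields follow the JSON that `az network nsg rule list -o json` returns; the sample rules are constructed, and only unrestricted sources are treated as "Internet".

```python
"""Added example (not from the original page): find NSG inbound rules that
expose management ports to the Internet. Field names follow the JSON from
`az network nsg rule list -o json`; SAMPLE_RULES is constructed."""
from typing import Dict, Iterable, List, Set

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/HTTPS"}
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}


def _ports(rule: Dict) -> Set[int]:
    """Expand destinationPortRange / destinationPortRanges ('22', '3000-4000', '*')."""
    ranges: List[str] = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    ports: Set[int] = set()
    for r in ranges:
        if r == "*":
            ports.update(MANAGEMENT_PORTS)  # "any port" covers every management port
            continue
        lo, _, hi = r.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _sources(rule: Dict) -> Set[str]:
    srcs = set(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        srcs.add(rule["sourceAddressPrefix"])
    return {s.lower() for s in srcs}


def exposed_management_ports(rules: Iterable[Dict]) -> Dict[int, str]:
    """Map port -> name of the rule that lets Internet traffic reach it.

    Mirrors NSG evaluation: inbound rules in ascending priority, the first rule
    matching the port and an Internet-wide source decides, and a port no rule
    matches falls through to the built-in DenyAllInbound.
    """
    inbound = sorted((r for r in rules if r.get("direction") == "Inbound"),
                     key=lambda r: r["priority"])
    exposed: Dict[int, str] = {}
    for port in MANAGEMENT_PORTS:
        for rule in inbound:
            if port not in _ports(rule) or not (_sources(rule) & INTERNET_SOURCES):
                continue
            if rule.get("protocol", "*") not in ("*", "Tcp", "TCP"):
                continue  # a UDP-only rule cannot carry SSH/RDP/WinRM
            if rule["access"] == "Allow":
                exposed[port] = rule["name"]
            break  # first match decides, whether Allow or Deny
    return exposed


# Constructed sample: a scoped SSH rule made pointless by a later catch-all.
SAMPLE_RULES = [
    {"name": "AllowSSHFromOffice", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "AllowRDPAny", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "DenyWinRM", "priority": 120, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["5985-5986"]},
    {"name": "AllowAllHigh", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "*"},
    {"name": "AllowSSHOut", "priority": 100, "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
]

if __name__ == "__main__":
    for port, rule in sorted(exposed_management_ports(SAMPLE_RULES).items()):
        print(f"{MANAGEMENT_PORTS[port]} ({port}) reachable from the Internet via rule {rule}")
```

Feed it the output of `az network nsg rule list --nsg-name <nsg> --resource-group <rg> -o json` (names are placeholders) after the Networking step, and treat any result as a finding to fix before the VM gets a public IP. The sample shows the usual failure: the carefully scoped SSH rule at priority 100 does nothing for the Internet because the catch-all at 200 still admits port 22 from anywhere.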
References: