It's the delivery of computing services over the internet, which is otherwise known as the cloud. These services include servers, storage, databases, networking, software, analytics, and intelligence. Cloud computing offers faster innovation, flexible resources, and economies of scale.
Why is cloud computing typically cheaper to use?
Using a pay as you go pricing model you typically only pay for the services you actually use.
helping you:
Mainly cloud computing is a way to rent more storage and computing power from a data centre. The provider takes care of the infrastructure for you.
Cloud computing advantages?
Reliability - Cloud applications can provide a continuous user experience with practically no downtime.
Scalability - Applications in the cloud can scale in two different ways:
Elasticity - Cloud applications can be configured to take advantage of autoscaling to always have the resources they need.
Agility - Cloud-based resources can be deployed & configured quickly as your requirements change.
Geo-Distribution - Applications and Data can be deployed to regional datacentres globally to customers in all regions can get the best performance.
Disaster Recovery - Cloud based backup services, data replication and geo distribution ensure confidence that your data is safe even if a disaster should occur.
Cloud service models
IaaS - Infrastructure as a Service. The cloud provider keeps hardware up to date, but OS maintenance and network configuration is handled by the cloud tenant.
PaaS - Platform as a Service. A managed hosting environment. Cloud provider manages VMs and networking resources. Cloud tenant deploys their applications into the managed hosting environment. Azure App Services provides PaaS.
SaaS - Software as a Service. The cloud provider manages all aspects of application environment eg. VMs, Data Storage, Networking and applications. Cloud tenant only needs to provide their data to the app managed by the cloud provider. Office 365 is an example of this you create content Office 365 in the cloud takes care of the rest.
The services that might run in each cloud model:
Varying levels of responsibility between cloud provider and cloud tenant:
What is serverless computing?
Overlapping with PaaS, serverless computing enables developers to build applications faster by eliminating the need for them to manage infrastructure. With serverless applications, the cloud service provider automatically provisions, scales, and manages the infrastructure required to run the code. Serverless architectures are highly scalable and event-driven. They use resources only when a specific function or trigger occurs.
In understanding the definition of serverless computing, it's important to note that servers are still running the code. The serverless name comes from the fact that the tasks associated with infrastructure provisioning and management are invisible to the developer. This approach enables developers to increase their focus on the business logic and deliver more value to the core of the business. Serverless computing helps teams increase their productivity and bring products to market faster. It allows organizations to better optimize resources and stay focused on innovation.
Public, Private & Hybrid Clouds
These are the 3 deployment models for cloud computing.
Public Cloud - Services are offered over the internet to anyone who wants to purchase them. Cloud resources like servers and storage are owned by a 3rd party cloud provider and delivered over the internet.
Private Cloud - Computing resources are used exclusively by users from one business or organisation. A private cloud can be physically located at your own datacentre or by a third party provider.
Hybrid Cloud - Combines a public and private cloud by allowing data and applications to be shared between them.
Part 2: What is Azure?
Azure provides a wealth of cloud-based services like remote storage, database hosting, and centralised account management. Additionally it offers AI services and Internet of Things and security services.
What does Azure offer?
Azure offers the following benefits:
Be ready for the future - Cloud innovation supports your development today and your future product plans .
Build on your terms - With open source commitment and all language support, build how you want - deploy where you want.
Operate Hybrid Seamlessly - Integrate and manage your environments with services & tools designed for a hybrid solution
Trust your cloud - Security from the ground up backed by a team of experts.
What can I do with Azure?
Azure offers more than 100 services. Most teams start by moving their existing apps to VMs that run in Azure. However cloud is a lot more than that.
What is the Azure portal?
It is a web based unified console that provides an alternative to command line tools. You can use it to:
Build, manage and monitor simple web apps to complex cloud deployments
Create custom dashboards
Configure accessibility options
The Azure portal is designed for resiliency and continuous availability. It maintains a presence in every Azure datacentre.
What is Azure Marketplace?
Marketplace where independent software vendors can sell azure optimised solutions. Azure Marketplace customers can find, try, purchase, and provision applications and services from hundreds of leading service providers. All solutions and services are certified to run on Azure.
Tour of Azure Services
There are 8 main categories:
Compute Services - Cover VMs, Containers & Serverless computing.
Cloud Storage - Disks attached to VMs, fileshares and Databases
Networking - Let you set up private network connection to your on prem environments
App Hosting - Lets you run your entire application on a managed platform
AI - Including machine learning and prebuilt cognitive services. Good for data analysis and trends.
IOT - Allows you to integrate sensors and devices and managed them.
Integration - Allows for workflow to orchestrate business processes.
Security - Integrated into every aspect of Azure.
Part 3: Cloud Computing and Cloud Models
Cloud Computing Advantages (in depth):
Cloud computing is a consumption based model:
No upfront costs
No need to purchase or manage costly infrastructure that you may not use to its fullest
Ability to pay for additional resources only when needed
Ability to stop paying for resources that are no longer needed
IaaS, PaaS, SaaS in depth
Infrastructure as a Service (IaaS) Advantages:
No capital expenditure (buying servers etc)
Agility. Apps can be made accessible quickly and deprovisioned whenever needed
Consumption based model. Pay for what you use under an Operational Expenditure model
Flexibility IaaS is most flexible as you control , configure and manage hardware running your app.
Platform as a Service (PaaS) advantages:
No CapEx
Agility. PaaS is more agile than IaaS as you don't need to configure servers for running apps.
No deep technical skills required
Productivity. Focus on development rather than platform management
PaaS disadvantages:
Software as a Service (SaaS) advantages:
No CapEx
Agility. Users can provide staff with access to latest software quickly and easily
Pay as you go (subscription model)
No technical skills required
Users can access the same application data anywhere
SaaS Disadvantages:
Part 4: Core Azure Architectural Components
Azure Resource Organising Structure:
From the bottom up:
Resources: These are instances of services that you create like VMs, Storage or SQL databases.
Resource Groups: Resources are combined into resource groups which act as a logical container into which Azure resources like web apps, databases and storage accounts are deployed and managed.
Subscriptions: A subscription groups together user accounts and the resources created by them.
Management groups: These groups help you manage access, policy and compliance for multiple subscriptions.
Info on management groups:
10,000 management groups can be supported in a single directory.
A management group tree can support up to six levels of depth. This limit doesn't include the root level or the subscription level.
Each management group and subscription can support only one parent.
Each management group can have many children.
All subscriptions and management groups are within a single hierarchy in each directory.
Azure resource manager
Azure resource manager is the deployment and management service for azure. It provides a management layer that enables you to create, update and delete resources in your Azure account.
When a user sends a request from any of the Azure tools, APIs, or SDKs, Resource Manager receives the request. It authenticates and authorizes the request. Resource Manager sends the request to the Azure service, which takes the requested action. Because all requests are handled through the same API, you see consistent results and capabilities in all the different tools.
The role Azure resource manager plays in handling Azure requests:
All capabilities that are available in the Azure portal are also available through PowerShell, the Azure CLI, REST APIs, and client SDKs.
Regions
Azure Regions
A region is a geographical area on the planet that contains at least one but potentially multiple datacentres that are nearby and networked together with a low-latency network.
When you deploy a resource in Azure you'll often need to choose the region where you want your resource deployed.
Examples of regions are: West US, Canada Central, West Europe, Australia East
Why are regions important?
Azure has more global regions than any other cloud provider. These regions give you the flexibility to bring applications closer to your users no matter where they are. Global regions provide better scalability and redundancy. They also preserve data residency for your services.
Availability Zones
These help to make your app highly available. Availability Zones are physically separate datacentres within an Azure region. Each availability zone is made up of one or more datacentres equipped with independent power, cooling, and networking. An availability zone is set up to be an isolation boundary. If one zone goes down, the other continues working.
Availability zones are primarily for VMs, managed disks, load balancers, and SQL databases.
Region Pairs
Each Azure region is paired with another region for redundancy. This way natural disasters are less likely to affect availability. West US is paired with East US. South East Asia is paired with East Asia. If one goes down the other should still be available.
Planned Azure updates are rolled out to paired regions one region at a time to minimize downtime and risk of application outage.
Part 5: Azure Databases
Azure Cosmos DB
Azure Cosmos DB is a globally distributed, multi model database service. Azure Cosmos DB supports schema-less data, which lets you build highly responsive and "Always On" applications to support constantly changing data.
It is very flexible. Your choices include SQL, MongoDB, Cassandra, Tables, and Gremlin. This level of flexibility means that as you migrate your company's databases to Azure Cosmos DB, your developers can stick with the API that they're the most comfortable with.
Azure SQL Database
Azure SQL Database is a relational database based on the latest stable version of the Microsoft SQL Server database engine. You can use it to build data-driven applications and websites in the programming language of your choice, without needing to manage infrastructure.
Azure SQL Database is a platform as a service (PaaS) database engine. It handles most of the database management functions, such as upgrading, patching, backups, and monitoring, without user involvement. Microsoft handles all updates to the SQL and operating system code. You don't have to manage the underlying infrastructure.
You can migrate your existing SQL Server databases with minimal downtime by using the Azure Database Migration Service.
Azure SQL Managed Instance
Azure SQL Managed Instance is a scalable cloud data service that provides the broadest SQL Server database engine compatibility with all the benefits of a fully managed platform as a service.
Azure SQL Database and Azure SQL Managed Instance offer many of the same features; however, Azure SQL Managed Instance provides several options that might not be available to Azure SQL Database.
You can migrate your existing SQL Server databases with minimal downtime by using the Azure Database Migration Service
Azure Database for MySQL
Azure Database for MySQL is a relational database service in the cloud, and it's based on the MySQL Community Edition database engine.
Azure Database for MySQL offers several service tiers, and each tier provides different performance and capabilities to support lightweight to heavyweight database workloads. You can build your first app on a small database for a few dollars a month, and then adjust the scale to meet the needs of your solution.
Azure Database for PostgreSQL
Azure Database for PostgreSQL is a relational database service in the cloud. The server software is based on the community version of the open-source PostgreSQL database engine.
Azure Database for PostgreSQL is available in two deployment options: Single Server and Hyperscale (Citus).
The Hyperscale (Citus) option horizontally scales queries across multiple machines by using sharding. Its query engine parallelizes incoming SQL queries across these servers for faster responses on large datasets. It serves applications that require greater scale and performance, generally workloads that are approaching, or already exceed, 100 GB of data.
Azure Synapse Analytics
Azure Synapse Analytics is a limitless analytics service that brings together enterprise data warehousing and big data analytics. You can query data on your terms by using either serverless or provisioned resources at scale
Azure HDInsight
Azure HDInsight is a fully managed open source analytics service for enterprises. It's a cloud service that makes it easier, faster, and more cost-effective to process massive amounts of data. You can run popular open-source frameworks and create cluster types such as Apache Spark , Apache Hadoop , Apache Kafka , Apache HBase , Apache Storm , and Machine Learning Services .
Azure Databricks
Azure Databricks helps you unlock insights from all your data and build artificial intelligence solutions. You can set up your Apache Spark environment in minutes, and then autoscale and collaborate on shared projects in an interactive workspace.
Azure Data Lake Analytics
Azure Data Lake Analytics is an on-demand analytics job service that simplifies big data.
your data and extract valuable insights. The analytics service can handle jobs of any scale instantly by setting the dial for how much power you need. You only pay for your job when it's running, making it more cost-effective.
Part 6: Azure Compute Services
Azure Virtual Machines
With Azure Virtual Machines, you can create and use VMs in the cloud. VMs provide infrastructure as a service (IaaS) in the form of a virtualized server.
VMs are an ideal choice when you need:
Total control over the operating system (OS).
The ability to run custom software.
To use custom hosting configurations.
You can run single VMs for testing, development, or minor tasks. Or you can group VMs together to provide high availability, scalability, and redundancy.
Virtual machine scale sets let you create and manage a group of identical, load-balanced VMs. Imagine you're running a website that enables scientists to upload astronomy images that need to be processed. If you duplicated the VM, you'd normally need to configure an additional service to route requests between multiple instances of the website. Virtual machine scale sets could do that work for you.
Scale sets allow you to centrally manage, configure, and update a large number of VMs in minutes to provide highly available applications.
Azure Container Instances & Azure Kubernetes Service
While virtual machines are an excellent way to reduce costs versus the investments that are necessary for physical hardware, they're still limited to a single operating system per virtual machine. If you want to run multiple instances of an application on a single host machine, containers are an excellent choice.
Containers are managed through a container orchestrator, which can start, stop, and scale out application instances as needed. There are two ways to manage both Docker and Microsoft-based containers in Azure: Azure Container Instances and Azure Kubernetes Service (AKS).
Azure Container Instances offers the fastest and simplest way to run a container in Azure without having to manage any virtual machines or adopt any additional services. It's a platform as a service (PaaS) offering that allows you to upload your containers, which it runs for you.
AKS The task of automating, managing, and interacting with a large number of containers is known as orchestration. Azure Kubernetes Service is a complete orchestration service for containers with distributed architectures and large volumes of containers.
Azure App Service
App Service enables you to build and host web apps, background jobs, mobile back-ends, and RESTful APIs in the programming language of your choice without managing infrastructure. It offers automatic scaling and high availability. App Service supports Windows and Linux and enables automated deployments from GitHub, Azure DevOps, or any Git repo to support a continuous deployment model.
Azure Functions
Azure Functions is serverless computing for when some of your application logic is event driven. In other words, for a large amount of time, your application is waiting for a particular input before it performs any processing.
Serverless computing includes the abstraction of servers, an event-driven scale, and micro-billing:
Abstraction of servers: Serverless computing abstracts the servers you run on. You never explicitly reserve server instances. The platform manages that for you. Each function execution can run on a different compute instance. With serverless architecture, you deploy your code, which then runs with high availability.
Event-driven scale: Serverless computing is an excellent fit for workloads that respond to incoming events. Events include triggers by:
Timers, for example, if a function needs to run every day at 10:00 AM UTC.
HTTP, for example, API and webhook scenarios.
Queues, for example, with order processing.
And much more.
Instead of writing an entire application, the developer authors a function, which contains both code and metadata about its triggers and bindings. The platform automatically schedules the function to run and scales the number of compute instances based on the rate of incoming events. Triggers define how a function is invoked. Bindings provide a declarative way to connect to services from within the code.
eg. You could use a function to run a stock update every time an item is bought.
Azure Logic Apps
Logic apps are similar to functions. Both enable you to trigger logic based on an event. Where functions execute code, logic apps execute workflows that are designed to automate business scenarios and are built from predefined logic blocks. Low/No code solution that can integrate with lots of APIs.
Windows Virtual Desktop
Windows Virtual Desktop on Azure is a desktop and application virtualization service that runs on the cloud. It enables your users to use a cloud-hosted version of Windows from any location. Windows Virtual Desktop works across devices like Windows, Mac, iOS, Android, and Linux.
Part 7: Azure Storage Services
The first step is creating an Azure Storage Account which provides you with a variety of options for storing your data.
Disk Storage
Disk Storage provides disks for Azure VMs. Applications and other services can access and use these disks as needed. Disk Storage allows data to be persistently stored and accessed from an attached virtual hard disk.
Disks come in many different sizes and performance levels, from solid-state drives (SSDs) to traditional spinning hard disk drives (HDDs), with varying performance tiers.
You can use standard SSD and HDD disks for less critical workloads, premium SSD disks for mission-critical production applications, and ultra disks for data-intensive workloads such as SAP HANA, top tier databases, and transaction-heavy workloads.
Azure Blob Storage
Azure Blob Storage is an object storage solution for the cloud. It can store massive amounts of data, such as text or binary data. Azure Blob Storage is unstructured, meaning that there are no restrictions on the kinds of data it can hold. Blob Storage can manage thousands of simultaneous uploads, massive amounts of video data, constantly growing log files, and can be reached from anywhere with an internet connection.
Blob Storage is ideal for:
Serving images or documents directly to a browser.
Storing files for distributed access.
Streaming video and audio.
Storing data for backup and restore, disaster recovery, and archiving.
Storing data for analysis by an on-premises or Azure-hosted service.
Storing up to 8 TB of data for virtual machines.
You store blobs in containers, which helps you organize your blobs depending on your business needs.
Azure Storage offers different access tiers for your blob storage, helping you store object data in the most cost-effective manner. The available access tiers include:
Hot access tier: Optimized for storing data that is accessed frequently (for example, images for your website).
Cool access tier: Optimized for data that is infrequently accessed and stored for at least 30 days (for example, invoices for your customers).
Archive access tier: Appropriate for data that is rarely accessed and stored for at least 180 days, with flexible latency requirements (for example, long-term backups).
Azure Files Fundamentals
Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block and Network File System (preview) protocols.
Use Case:
Store configuration files on a file share and access them from multiple VMs. Tools and utilities used by multiple developers in a group can be stored on a file share, ensuring that everybody can find them, and that they use the same version.
Write data to a file share, and process or analyse the data later. For example, you might want to do this with diagnostic logs, metrics, and crash dumps.
One thing that distinguishes Azure Files from files on a corporate file share is that you can access the files from anywhere in the world, by using a URL that points to the file. You can also use Shared Access Signature (SAS) tokens to allow access to a private asset for a specific amount of time.
Part 8: Azure Networking ServicesAzure virtual networks - An emulation of physical networking infrastructure.
Isolation & Segmentation - Virtual Network is designed for isolation, segmentation, communication, filtering, routing between resources. (internet and on prem).
VNets are scoped to a single region.
Can be segmented into subnets for effective address allocation and network filtering.
Virtual networks - can connect not only VMs but other Azure resources, such as the App Service Environment for Power Apps, Azure Kubernetes Service, and Azure virtual machine scale sets.
Service endpoints - You can use service endpoints to connect to other Azure resource types, such as Azure SQL databases and storage accounts. This approach enables you to link multiple Azure resources to virtual networks to improve security and provide optimal routing between resources.
Azure virtual networks enable you to link resources together in your on-premises environment and within your Azure subscription. In effect, you can create a network that spans both your local and cloud environments. There are three mechanisms for you to achieve this connectivity:
Point-to-site virtual private networks - This approach is like a virtual private network (VPN) connection that a computer outside your organization makes back into your corporate network, except that it's working in the opposite direction. In this case, the client computer initiates an encrypted VPN connection to Azure to connect that computer to the Azure virtual network.
Site-to-site virtual private networks - A site-to-site VPN links your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. In effect, the devices in Azure can appear as being on the local network. The connection is encrypted and works over the internet.
Azure Express Route - For environments where you need greater bandwidth and even higher levels of security, Azure ExpressRoute is the best approach. ExpressRoute provides dedicated private connectivity to Azure that doesn't travel over the internet.
Azure VPN Gateway - Connects on premises with the Virtual Network and can connect Vnets with each other (however you might use Vnet peering for the second part instead)
Azure Load Balancer - Even traffic distribution for non-HTTP (non-web) traffic
Azure Application Gateway - A load balancer specifically for web traffic. Even traffic distribution for HTTP traffic.
Azure content delivery network (CDN) - Global content caching and distributions to offload web applications and reduce latency. You can store static content (web pages, images)
all over the world so that someone connecting in Europe doesn't have to make a request all the way to west us. There are 120+ CDN locations to store content.
Part 9: Other Services
AI
Azure machine learning - A platform for making predictions. It consists of tools and services that allow you to connect to data to train and test models to find one that will most accurately predict a future result. After you've run experiments to test the model, you can deploy and use it in real time via a web API endpoint.
Choose Azure Machine Learning when your data scientists need complete control over the design and training of an algorithm using your own data.
Azure Cognitive Services - provides prebuilt machine learning models that enable applications to see, hear, speak, understand, and even begin to reason. Use Azure Cognitive Services to solve general problems, such as analyzing text for emotional sentiment or analyzing images to recognize objects or faces. You don't need special machine learning or data science knowledge to use these services.
While Azure Machine Learning requires you to bring your own data and train models over that data, Azure Cognitive Services, for the most part, provides pretrained models so that you can bring in your live data to get predictions on.
ACS provides services in the following categories: Language, Speech, Vision, Decision/
Azure Bot Service & Bot Framework - Platforms for creating virtual agents that understand and reply to questions like humans. Bots can be used to shift simple, repetitive tasks, such as taking a dinner reservation or gathering profile information, on to automated systems that might no longer require direct human intervention.
Azure DevOps Services
Azure DevOps refers to a series of Azure Devops services listed below:
Azure Repos is a centralized source-code repository where software development, DevOps engineering, and documentation professionals can publish their code for review and collaboration.
Azure Boards is an agile project management suite that includes Kanban boards, reporting, and tracking ideas and work from high-level epics to work items and issues.
Azure Pipelines is a CI/CD pipeline automation tool.
Azure Artifacts' is a repository for hosting artifacts, such as compiled source code, which can be fed into testing or deployment pipeline steps.
Azure Test Plans is an automated test tool that can be used in a CI/CD pipeline to ensure quality before a software release.
Azure DevOps
has a much more granular set of permissions than GitHub that allow organizations to refine who is able to perform most operations across the entire toolset.
reporting is the area where Azure DevOps excels. Azure DevOps is highly customizable, which allows an administrator to add custom fields to capture metadata and other information alongside each work item.
Azure DevTest Labs - Creates testing environments on the cloud in VMs that accurately and consistenly match the production environment. This means no time is wasted on configuring testing environments and more time can be spent testing. Additionally it will automatically destroy VMs when they're no longer in use.
Monitoring Fundamentals
Azure Advisor - evaluates your Azure resources and makes recommendations to help improve reliability, security, and performance, achieve operational excellence, and reduce costs.
The recommendations are divided into five categories:
Reliability: Used to ensure and improve the continuity of your business-critical applications.
Security: Used to detect threats and vulnerabilities that might lead to security breaches.
Performance: Used to improve the speed of your applications.
Cost: Used to optimize and reduce your overall Azure spending.
Operational Excellence: Used to help you achieve process and workflow efficiency, resource manageability, and deployment best practices.
Azure Monitor - a platform for collecting, analysing, visualizing, and potentially taking action based on the metric and logging data from your entire Azure and on-premises environment.
Azure Service Health - provides a personalized view of the health of the Azure services, regions, and resources you rely on. Azure Service Health displays both major and smaller, localized issues that affect you. You can set up alerts that help you triage outages and planned maintenance. After an outage, Service Health provides official incident reports.
Managing and Configuring Azure Environments
At a high level, there are two broad categories of management tools: visual tools and code-based tools.
Visual tools provide full, visually friendly access to all the functionality of Azure. However, visual tools might be less useful when you're trying to set up a large deployment of resources with interdependencies and configuration options.
When you're attempting to quickly set up and configure Azure resources, a code-based tool is usually the better choice. This approach is known as "infrastructure as code"
There are two approaches to infrastructure as code: imperative code and declarative code. Imperative code details each individual step that should be performed to achieve a desired outcome. By contrast, declarative code details only a desired outcome, and it allows an interpreter to decide how to best achieve that outcome.
declarative code can provide a more robust approach to deploying dozens or hundreds of resources simultaneously and reliably.
Tool options:
Azure Portal - web based UI visual tool that gives you access to all cloud resources for config management. As your Azure usage grows you are likely to choose a more repeatable code-centric approach.
Azure Mobile App - Access your Azure resources on the go, monitor, check for alerts and run Azure CLI to manage resources.
Azure PowerShell - Azure PowerShell is a shell with which developers and DevOps and IT professionals can execute commands called cmdlets (pronounced command-lets). These commands call the Azure Rest API to perform every possible management task in Azure. Azure PowerShell is available for Windows, Linux, and Mac.
Azure CLI - The Azure CLI command-line interface is an executable program with which a developer, DevOps professional, or IT professional can execute commands in Bash. The commands call the Azure Rest API to perform every possible management task in Azure.
Arm Templates - By using Azure Resource Manager templates (ARM templates), you can describe the resources you want to use in a declarative JSON format. The benefit is that the entire ARM template is verified before any code is executed to ensure that the resources will be created and connected correctly. This can be used instead of imperative code
Serverless Technology
Serverless computing is a term used to describe an execution environment that's set up and managed for you. You merely specify what you want to happen by writing code or connecting and configuring components in a visual editor, and then specify the actions that trigger your functionality, such as a timer or an HTTP request. Best of all, you never have to worry about an outage, your code can scale instantly to meet demand, and you pay based only on the actual usage of your code.
Serverless computing is ordinarily used to handle back-end scenarios. In other words, serverless computing is responsible for sending message from one system to another, or processing messages that were sent from other systems. It's not used for user-facing systems but, rather, it works in the background.
Azure IOT Services
Azure IOT Hub : is a managed service that's hosted in the cloud and that acts as a central message hub for bi-directional communication between your IoT application and the devices it manages. You can use Azure IoT Hub to build IoT solutions with reliable and secure communications between millions of IoT devices,
Azure IOT Central : builds on top of IoT Hub by adding a dashboard that allows you to connect, monitor, and manage your IoT devices. The visual user interface (UI) makes it easy to quickly connect new devices and watch as they begin sending telemetry or error messages.
Azure Sphere: creates an end-to-end, highly secure IoT solution for customers that encompasses everything from the hardware and operating system on the device to the secure method of sending messages from the device to the message hub. Azure Sphere has built-in communication and security features for internet-connected devices.
Part 10: Azure Security
Azure Security Centre - a monitoring service that provides visibility of your security posture across all of your services, both on Azure and on-premises. The term security posture refers to cybersecurity policies and controls, as well as how well you can predict, prevent, and respond to security threats.
Automatically apply required security settings to new resources as they come online.
Provide security recommendations that are based on your current configurations, resources, and networks.
Continuously monitor your resources and perform automatic security assessments to identify potential vulnerabilities before those vulnerabilities can be exploited.
Secure Score - Secure score is based on security controls, or groups of related security recommendations. Your score is based on the percentage of security controls that you satisfy.
Azure Sentinel - Microsoft's cloud-based Security information and event management (SIEM) system. It uses intelligent security analytics and threat analysis.
Azure Sentinel enables you to:
Collect cloud data at scale Collect data across all users, devices, applications, and infrastructure, both on-premises and from multiple clouds.
Detect previously undetected threats Minimize false positives by using Microsoft's comprehensive analytics and threat intelligence.
Investigate threats with artificial intelligence Examine suspicious activities at scale, tapping into years of cybersecurity experience from Microsoft.
Respond to incidents rapidly Utilize built-in orchestration and automation of common tasks.
Azure Key Vault - is a centralized cloud service for storing an application's secrets in a single, central location. It provides secure access to sensitive information by providing access control and logging capabilities.
Manage secrets You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
Manage encryption keys You can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys that are used to encrypt your data.
Manage SSL/TLS certificates Key Vault enables you to provision, manage, and deploy your public and private Secure Sockets Layer / Transport Layer Security (SSL/TLS) certificates for both your Azure resources and your internal resources.
Store secrets backed by hardware security modules (HSMs) These secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.
Azure Dedicated Host - Some companies must follow regulations requiring dedicated hardware for their applications. While regular VMs are isolated they are on shared servers. Azure Dedicated Host provides isolated servers on which to deploy your workload
Secure Network Connectivity on Azure
Defence in depth - You can visualize defense in depth as a set of layers, with the data to be secured at the center.
Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure.
The physical security layer is the first line of defense to protect computing hardware in the datacenter (physical security, check points, cameras etc.).
The identity and access layer controls access to infrastructure and change control.
The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
The network layer limits communication between resources through segmentation and access controls.
The compute layer secures access to virtual machines.
The application layer helps ensure that applications are secure and free of security vulnerabilities.
The data layer controls access to business and customer data that you need to protect.
Azure Firewall - is a managed, cloud-based network security service that helps protect resources in your Azure virtual networks. Azure Firewall provides a central location to create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.
Azure DDoS Protection - DDoS attacks aim to overwhelm and exhaust resources, they can target any resource that's publicly reachable through the internet, including websites. The DDoS Protection service helps protect your Azure applications by analysing and discarding DDoS traffic at the Azure network edge, before it can affect your service's availability.
Network Security Groups - enables you to filter network traffic to and from Azure resources within an Azure virtual network. You can think of NSGs like an internal firewall. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.
When creating a complete security solution. Consider all layers of defence in depth.
Securing Perimeter Layer:
Use Azure DDoS Protection to filter large-scale attacks before they can cause a denial of service for users.
Use perimeter firewalls with Azure Firewall to identify and alert on malicious attacks against your network.
Secure Network Layer: At this layer, the focus is on limiting network connectivity across all of your resources to allow only what's required.
Limit communication between resources by segmenting your network and configuring access controls.
Deny by default. (denies all incoming and outgoing traffic that is not expressly permitted)
Restrict inbound internet access and limit outbound where appropriate.
Implement secure connectivity to on-premises networks.
Azure Identity Services
Identity has become the new primary security boundary. Accurately proving that someone is a valid user of your system, with an appropriate level of access, is critical to maintaining control of your data. This identity layer is now more often the target of attack than the network is.
Two fundamental concepts that you need to understand when talking about identity and access are authentication (AuthN) and authorization (AuthZ).
Authentication is the process of establishing the identity of a person or service that wants to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control. It establishes whether the user is who they say they are.
Authentication establishes the user's identity, but authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they're allowed to access and what they can do with it.
Azure Active Directory - Azure Active Directory (Azure AD) is different to Active Directory
Microsoft introduced Active Directory in Windows 2000 to give organizations the ability to manage multiple on-premises infrastructure components and systems by using a single identity per user. For on-premises environments, Active Directory running on Windows Server provides an identity and access management service that's managed by your own organization.
Azure AD is Microsoft's cloud-based identity and access management service. With Azure AD, you control the identity accounts, but Microsoft ensures that the service is available globally.
Azure AD provides:
Authentication This includes verifying identity to access applications and resources. It also includes providing functionality such as self-service password reset, multifactor authentication, a custom list of banned passwords, and smart lockout services.
Single sign-on SSO enables you to remember only one username and one password to access multiple applications. A single identity is tied to a user, which simplifies the security model.
Application management You can manage your cloud and on-premises apps by using Azure AD. Features like Application Proxy, SaaS apps, the My Apps portal (also called the access panel), and single-sign on provide a better user experience.
Device management Along with accounts for individual people, Azure AD supports the registration of devices. Registration enables devices to be managed through tools like Microsoft Intune. It also allows for device-based conditional access policies to restrict access attempts to only those coming from known devices, regardless of the requesting user account.
Conditional Access - based on conditions like where the user is. If they are logging in from an unusual location it will require more strict authentication. Another condition could be device, if it is not an approved device then access is not granted or further authentication is required.
Part 11: Build a cloud governance strategy on Azure
The term governance describes the general process of establishing rules and policies and ensuring that those rules and policies are enforced.
Governance is most beneficial when you have:
Multiple engineering teams working in Azure.
Multiple subscriptions to manage.
Regulatory requirements that must be enforced.
Standards that must be followed for all cloud resources.
Cloud Adoption Framework for Azure - provides you with proven guidance to help with your cloud adoption journey. The Cloud Adoption Framework helps you create and implement the business and technology strategies needed to succeed in the cloud.
Teams often start their Azure governance strategy at the subscription level. There are three main aspects to consider when you create and manage subscriptions: billing, access control, and subscription limits.
Billing - You can create one billing report per subscription. If you have multiple departments and need to do a "chargeback" of cloud costs, one possible solution is to organize subscriptions by department or by project.
Access Control - A subscription is a deployment boundary for Azure resources. Every subscription is associated with an Azure Active Directory tenant. When you design your subscription architecture, consider the deployment boundary factor. For example, do you need separate subscriptions for development and for production environments? With separate subscriptions, you can control access to each one separately and isolate their resources from one another.
Subscription Limits - Subscriptions also have some resource limitations. For example, the maximum number of network Azure ExpressRoute circuits per subscription is 10. Those limits should be considered during your design phase.
Azure Role Based Access Control (RBAC) - Give users roles and limit resource access for individual roles only to what is needed. You manage access permissions on the Access control (IAM) pane in the Azure portal. This pane shows who has access to what scope and what roles apply. You can also grant or remove access from this pane.
Resource Lock - Even with Azure role-based access control (Azure RBAC) policies in place, there's still a risk that people with the right level of access could delete critical cloud resources. Think of a resource lock as a warning system that reminds you that a resource should not be deleted or changed.
You can apply locks to a subscription, a resource group, or an individual resource. You can set the lock level to CanNotDelete or ReadOnly.
CanNotDelete means authorized people can still read and modify a resource, but they can't delete the resource without first removing the lock.
ReadOnly means authorized people can read a resource, but they can't delete or change the resource. Applying this lock is like restricting all authorized users to the permissions granted by the Reader role in Azure RBAC.
Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. These policies enforce different rules and effects over your resource configurations so that those configurations stay compliant with corporate standards.
Azure Policy enables you to define both individual policies and groups of related policies, known as initiatives. Azure Policy evaluates your resources and highlights resources that aren't compliant with the policies you've created. Azure Policy can also prevent noncompliant resources from being created.
An Azure Policy initiative is a way of grouping related policies into one set. The initiative definition contains all of the policy definitions to help track your compliance state for a larger goal.
Resource Tags - You can add tags to resources in order to efficiently identify which resources have similar attributes. Eg a tag for each regulation it is compliant with or tag test deployments so they can be tracked for deletion later.
Azure Blueprints enables you to define a repeatable set of governance tools and standard Azure resources that your organization requires.
Part 12: Compliance, Cost Management and SLAs
Trust Center showcases Microsoft's principles for maintaining data integrity in the cloud and how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services.
Azure compliance documentation provides you with detailed documentation about legal and regulatory standards and compliance on Azure.
Plan Manage Azure Costs
Total Cost of Ownership (TCO) Calculator - Azure compliance documentation provides you with detailed documentation about legal and regulatory standards and compliance on Azure.
Factors that affect cost - The way you use resources, your subscription type, and pricing from third-party vendors are common factors.
Usage Meters - When you provision a resource, Azure creates meters to track usage of that resource. Azure uses these meters to generate a usage record that's later used to help calculate your bill.
Azure Pricing Calculator - Tool to estimate how much resources will cost, including the following factors: Usage, Region, Tier (free or basic), Billing Options, Support Options, Programs and Offers,
Service Level Agreements SLA
A service level agreement is a formal agreement between a service company and the customer. For Azure, this agreement defines the performance standards that Microsoft commits to for you, the customer.
To compute the composite SLA for a set of services, you multiply the SLA of each individual service. Eg: 99.9% × 99.9% × 99.99% × 99.99% = 99.78%
A service credit is the percentage of the fees you paid that are credited back to you according to the claim approval process.
An SLA describes how Microsoft responds when an Azure service fails to perform to its specification. For example, you might receive a discount on your Azure bill as compensation when a service fails to perform according to its SLA.