PaaS - focus on applications built on top of infra (send SMS, container service, etc.) to create business functions
SaaS - focus on business functions, like CRM

Microsoft global network connectivity via:
- PoP (point of presence) via ISP/internet, or site-to-site VPN over the internet
- private connection over fiber / ExpressRoute / meet-me

Governance:
- what - policy
- who - RBAC
- how much - budgets

IdP (identity provider) - Azure AD
Azure Arc - applying Azure tools to on-prem
pick burstable VMs for testing - B series
stop (deallocated) - does not charge
agility - the ability of an organization to quickly and easily adapt its IT infrastructure to changing business needs
Azure Blueprints - automate the environment creation
site-to-site VPN - created between the on-premises VPN device and the Azure VPN gateway, over the internet
DDoS - protected in the perimeter layer
Azure Logic Apps - execute workflows (serverless technology); workflows are designed in a web-based designer and can execute logic triggered by Azure services without writing any code.
cloud shell - launched via the portal
Azure Batch - allows scaling to thousands of VMs
VM scale set - to launch a matching, load-balanced set of VMs
management groups - to organize the subscriptions into a hierarchy
EKS, AKS, App Service - PaaS
under PaaS the runtime and OS are owned by Azure; under IaaS the customer has to manage config, patching, backup and anti-virus in the VMs, all of which are handled by Azure under PaaS
zonal - limited to 1 AZ, like a VM
zone redundant - spans across multiple AZs, like a public IP
creating a resource group helps to remove the demo resources at once; RBAC, policy and budgets can be applied to RGs
ARM - all the interfaces interact with ARM when accessing resources
Bicep - a simple declarative IaC language that converts to ARM JSON
Arc - extends the Azure control plane functions like ARM to environments outside Azure
general purpose VM - cores-to-memory ratio 1:4; compute optimized - 1:2; memory optimized - 1:8
SKU - units
VMSS - VM scale set - like an ASG
AKS creates a VMSS for deploying containers
App Service - serverless compute for web app deployment - PaaS
2 types of serverless: Functions, Logic Apps (for workflow execution, visual designer)
ACI - Azure Container Instances
-----------------------------
Networking:
- subnet size is based on the available IPs / CIDR block
- VMs are attached to the subnet via the network interface card (NIC)
- Azure reserves 5 IPs from every subnet IP block
- CIDR table: https://www.ripe.net/about-us/press-centre/understanding-ip-addressing
- /24 means 24 of the 32 bits are used and only 8 bits are available, so the subnet mask is 255.255.255.0 and the available IPs are 2 to the power 8, i.e. 0 to 255
- /24 means 3 segments used and 8 bits available (256 IPs)
- /32 means only 255.255.255.255 is available (a single address)
- /0 means 2 to the power 32 IPs are available
- any IP in Azure is a private IP and not publicly routable; when connecting to the internet, get a public IP and connect via the LB to the subnet resources
- to connect two VNets the best option is peering
- to connect to on-premises use a site-to-site VPN over the internet (VPN device at on-prem and VPN gateway at the Azure VNet)
  - policy-based connectivity for legacy data centers; the latest connectivity method is route-based
- dedicated link - connects the on-prem data center with the Azure VNet via ExpressRoute over the Microsoft network, connecting to the VNet via the ExpressRoute gateway
  - private peering - shares IP space over the private ExpressRoute and makes the services in the VNet available to on-prem
  - Microsoft peering - enables the services that are not available in a VNet over ExpressRoute
- service endpoints - enable VNets to access Azure services like storage accounts outside the VNet via a firewall
- private endpoints - enable VNets to access Azure services like storage accounts outside the VNet via a private IP; a private endpoint is a private IP address within a subnet
- public endpoint - internet-facing access to resources
- private endpoint - internal access to resources without going via public endpoints
------------------
Storage:
- Blobs:
  - block (common) - mainly for read-only; created inside containers; Azure Data Lake Gen2
  - page - for random read/write; stored in disks; storage used for VMs; premium SSD - used for production; ultra disk - lets you manually configure IOPS and throughput
- Files - SMB/NFS shares, for file shares; Azure File Sync allows syncing with on-prem file shares
- Queues - FIFO
- Tables - key/value pair based data
------------
Databases:
- Azure SQL DB - PaaS service
- Azure SQL MI - managed instance; runs in your VNet and is a dedicated instance; for migrating on-prem workloads that use some advanced features
- sharding - distributing data among multiple servers
- Postgres Citus - supports sharding, hyperscale
- Cosmos DB: NoSQL DB
  - multi-model - SQL, document (MongoDB compatible), column (Cassandra), Table (key/value), Graph
  - multi-consistency
- blob access tiers - hot, cool, archive (not online)
------
Azure Cloud Shell = PowerShell = Azure CLI
Azure CLI - from cmd type az login, then use az commands to perform Azure functions
------
Data movement & migration options:
- Online:
  - Storage Explorer - to upload files and folders (blobs, files, tables and queue data), interactive
  - AzCopy (for automation, copy/sync)
  - Azure Migrate - for migration of VMs, DBs
  - Azure File Sync - SMB based
- Offline:
  - Azure Data Box - importing, exporting, 80TB
  - Azure Data Box Disks - importing into Azure, no outbound
  - Data Box Heavy - 770TB

Azure Well-Architected Framework - COPRS:
- cost optimization
- operational excellence
- performance efficiency
- reliability
- security
-----
Azure private marketplace

Azure IoT Hub: PaaS
- MCU devices - microcontroller units
- device -> cloud: metrics
- request/response: device -> cloud upload, cloud -> device
- IoT provides the flows and SDK required to write the apps
Azure IoT Central - uses IoT Hub; SaaS solution; dashboards/apps; device templates, simulated devices; common industry scenarios; fully customizable; add rules: signal -> condition -> action
Azure Sphere - end-to-end solution including MCUs
---------------
Big Data:
- Data Factory
- Data Lake
- HDInsight - Hadoop, Storm, Spark (memory based), Kafka, Hive, HBase; open source frameworks
- Databricks - based on Spark, Delta Lake
- Azure Synapse Analytics - end to end, including data lake, DWH solution, own workspace, on-demand DW workloads; includes Data Factory, HDInsight and Databricks
---------
Azure ML / Azure Machine Learning:
- get data
- train, evaluate models
- pipeline experiments
- deploy algorithms -> expose as an API endpoint
Azure Cognitive Services - prebuilt models
Azure Bot Service - chat, virtual agent
---
serverless is event driven:
- App Service - for serverless web servers
- Azure Functions - running some code
- Logic Apps (consumption based) - workflows for tasks (template and designer based), connectors; low-code/no-code based
------------
Azure DevOps:
- Repos - Git, TFVC
- Boards
- Pipelines - CI/CD
- Artifacts - compiled images
GitHub:
- Repos - Git
- Actions - CI/CD ++, workflows for different integrations
- environments
- projects
Azure DevTest Labs - ARM templates
-------------------
** best practice to provision resources - ARM templates
ARM templates - not user friendly
Bicep - user friendly, converts to an ARM template
------------------
Security:
- Microsoft Defender for Cloud (Azure Security Center) - vulnerability assessment tool
- Key Vault - secrets, keys, certificates
  - access policy - no granularity
  - RBAC - granularity (preferred): read/write access controlled for each item for each user
- Managed Identity - tied to a particular resource
- Microsoft Sentinel - SIEM system (security information and event management): detecting security breaches and looking into the problem
  - SOAR system - security orchestration, automation and response: automatically fix the security breach
  - operates on top of a Log Analytics workspace; uses security logs and signals
- Dedicated Hosts, Isolated VM Sizes
- Defence in Depth - many layers of protection
- Zero Trust:
  - verify explicitly
  - least privilege (just enough permissions)
  - assume breach
  - things to check - identity, endpoint, network, infra - to understand the context of the request -> control the risk via conditional access
- Network security groups - applied to a subnet or NIC - layer 4
- Azure Firewall - supports layer 4 and layer 7; deployed within AzureFirewallSubnet; network rules and application rules; fully managed and auto-scaled; TLS encryption
- DDoS attack types (attacking the availability):
  - volumetric - flooding the server
  - protocol - sending malformed packets over TCP or UDP, exhausting the resources on the firewall and load balancer
  - application - exploiting application weaknesses like HTTP flooding, slow POST, slow read etc.
- preventing DDoS:
  - basic DDoS protection - available by default in Azure - not enough protection
  - standard DDoS protection - can be enabled for a VNet - ML tuning - reporting - metrics - can direct to Azure Monitor - rapid response (human assist) - credit
-----------------------------
Identity:
- Governance - authentication and authorization: authN via password, biometric, token; authZ via RBAC
- Azure AD:
  - IdP, multi-tenant
  - supported protocols - OIDC, SAML, WS, OAuth 2.0
  - flat structure of users
  - conditional access
  - MFA
  - SSO
- regular Active Directory - supports Kerberos, NTLM, LDAP; can create user hierarchies, group policy and different levels
- Azure AD Connect - to sync on-prem AD with AAD
- RBAC - role - a set of actions that can be performed on resources; roles are inherited down the hierarchy
- resource locks - read-only / cannot delete; applied at the ARM level (management plane) and not applied at the data plane
- Azure Policy effects - audit, deny, append, if not exists
- policy - ability to create guardrails; can be defined at management group, RG or resources and is inherited
Governance hierarchy:
- Azure AD - root
- Management groups (depts, divisions etc.)
- Subscriptions
- Resource groups
- Resources
things applied to the above structure:
- policy
- RBAC
- budget
Blueprints - subscription templates for creating governed subscriptions; includes RG, ARM templates, policy, RBAC; lock assignment
sovereign regions - China, Germany, US government Azure clouds
compliance, GDPR, ... - Trust Center
-------------------------------
Cost management:
factors affecting the cost:
- resource type
- SKU - stock keeping unit - different versions of the product, like D1, A1 for VMs
- tier
- location
metered based on:
- existence - running, number of instances, like in an Azure scale set
- work - serverless
- storage - used, provisioned
- interactions
- licences
factors for reducing the cost:
- use autoscale for instances, or serverless
- move to PaaS from IaaS
- select the correct SKU
- deallocate when not running; shut down - auto at night
- delete unused resources
- use lifecycle management to move the resources to the relevant tiers
- use tagging for identifying the resources; helps in removing unwanted ones
- use Azure Advisor
- use reserved instances for long-term usage
- if on-prem Windows licences are available, select Azure Hybrid Benefit for Windows VMs
- spot VMs - super cheap - for workloads that can be stopped and resumed
total cost of ownership (TCO) calculator - for migrating workloads to the cloud; includes electricity bills etc. as well; give it the on-prem resources and it generates the cloud migration cost
Azure Status - service impact dashboard
composite SLA - to improve the SLA, set up resources in an OR arrangement (either one serving is enough)
service lifecycle - private preview, public preview, generally available (SLA support)
--------------
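Working the composite SLA note above through in code, as an added example that is not part of the original notes: AND (all components needed) multiplies availabilities, OR (any one copy suffices) multiplies unavailabilities. The 99.9 % / 99.95 % figures are constructed sample values, not published Azure SLAs.

```python
"""Composite SLA arithmetic (added example; SLA figures are constructed samples)."""
from math import prod

MINUTES_PER_MONTH = 30 * 24 * 60  # 43,200 min, a common SLA accounting month


def in_series(slas):
    """All components must be up (AND): availabilities multiply,
    so a chain is always weaker than its weakest component."""
    return prod(slas)


def redundant(slas):
    """Any one copy suffices (OR): the service is down only when every
    copy is down at the same time, so unavailabilities multiply."""
    return 1.0 - prod(1.0 - s for s in slas)


def monthly_downtime_minutes(sla):
    """Allowed downtime per month implied by an availability figure."""
    return (1.0 - sla) * MINUTES_PER_MONTH


# Constructed sample stack: a web tier that depends on a database.
WEB_SLA = 0.999    # 99.9 %
DB_SLA = 0.9995    # 99.95 %


def single_region():
    """Web AND database both required -> 0.999 * 0.9995 = 0.9985005."""
    return in_series([WEB_SLA, DB_SLA])


def two_regions():
    """Same stack deployed twice; either region can serve (OR)."""
    return redundant([single_region(), single_region()])


if __name__ == "__main__":
    for name, fn in (("single region", single_region), ("two regions", two_regions)):
        sla = fn()
        print(f"{name}: {sla:.6%}, about {monthly_downtime_minutes(sla):.1f} min/month downtime")
```

Adding a dependency in series always lowers the composite figure below the lowest individual SLA; only the OR arrangement raises it.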
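The subnet sizing rule from the networking notes (2^(32 - prefix) addresses, minus the 5 that Azure reserves in every subnet) worked in code, as an added example that is not from the original notes. The VNet ranges are constructed samples; it also goes one step beyond the notes by carving a VNet range into equal subnets, and enforces Azure's /29 minimum subnet size.

```python
"""Azure subnet sizing (added example; address ranges are constructed samples)."""
import ipaddress

# Azure reserves the network address, the default gateway, two addresses
# for Azure DNS and the broadcast address in every subnet.
AZURE_RESERVED = 5
AZURE_MIN_PREFIX = 29  # smallest subnet Azure allows: /29 = 8 addresses, 3 usable


def subnet_capacity(cidr):
    """Return (total addresses, Azure-usable addresses) for one subnet block."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 10.0.0.1/24
    if net.prefixlen > AZURE_MIN_PREFIX:
        raise ValueError(f"{cidr}: Azure subnets must be /{AZURE_MIN_PREFIX} or larger")
    total = net.num_addresses  # == 2 ** (32 - prefix)
    return total, total - AZURE_RESERVED


def smallest_prefix_for(hosts):
    """Longest prefix (smallest subnet) whose usable count still covers `hosts` NICs."""
    for prefix in range(AZURE_MIN_PREFIX, -1, -1):
        if 2 ** (32 - prefix) - AZURE_RESERVED >= hosts:
            return prefix
    raise ValueError("too many hosts for a single IPv4 subnet")


def carve(vnet_cidr, prefix):
    """Split a VNet address space into equal subnets of the given prefix length."""
    return [str(s) for s in ipaddress.ip_network(vnet_cidr).subnets(new_prefix=prefix)]


if __name__ == "__main__":
    for cidr in ("10.0.0.0/24", "10.0.1.0/29"):  # constructed sample subnets
        total, usable = subnet_capacity(cidr)
        mask = ipaddress.ip_network(cidr).netmask
        print(f"{cidr}: mask {mask}, {total} addresses, {usable} usable in Azure")
    print("a scale set of 60 NICs needs at least a /", smallest_prefix_for(60))
    print(carve("10.0.0.0/22", 24))  # four /24 subnets out of a /22 VNet
```

A /24 therefore yields 251 usable addresses rather than 254 as on a classic LAN, which matters when sizing subnets for scale sets that grow to their maximum instance count.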