Azure Fundamentals. Summary of the 12 Modules of the "Azure Fundamentals" Learning Path on "Microsoft Learn"

Azure fundamentals

1. Cloud Concepts - Principles of cloud computing

Microsoft Learn. Azure Fundamentals. AZ900

Introduction

Learning objectives

In this module, you will:

  • Explore common cloud computing services
  • Explore the benefits of cloud computing
  • Decide which cloud deployment model is best for you

What is cloud computing?

Every business has different needs and requirements. Cloud computing is flexible and cost-efficient, which can be beneficial to every business, whether it's a small start-up or a large enterprise.

Benefits of cloud computing

Cloud computing makes running a business easier. It’s cost-effective, scalable, elastic, current, reliable, and secure. This means you’re able to spend more time on what matters and less time managing the underlying details.

Compliance terms and requirements

When selecting a cloud provider to host your solutions, you should understand how that provider can help you comply with regulations and standards. Some questions to ask about a potential provider include:

  • How compliant is the cloud provider when it comes to handling sensitive data?
  • How compliant are the services offered by the cloud provider?
  • How can I deploy my own cloud-based solutions to scenarios that have accreditation or compliance requirements?
  • What terms are part of the privacy statement for the provider?

Economies of scale

Economies of scale is the ability to do things more efficiently or at a lower-cost per unit when operating at a larger scale. This cost advantage is an important benefit in cloud computing.

Capital expenditure (CapEx) versus operational expenditure (OpEx)

  • Capital Expenditure (CapEx): CapEx is the spending of money on physical infrastructure up front, and then deducting that expense from your tax bill over time. CapEx is an upfront cost, which has a value that reduces over time. (Server, Storage, Network, Backup and archive, Organization continuity and disaster recovery, Datacenter infrastructure, Technical personnel) Benefits: Plan your expenses at the start of a project or budget period. Your costs are fixed, meaning you know exactly how much is being spent. This is appealing when you need to predict the expenses before a project starts due to a limited budget.

  • Operational Expenditure (OpEx): OpEx is spending money on services or products now and being billed for them now. You can deduct this expense from your tax bill in the same year. There's no upfront cost. You pay for a service or product as you use it. (Leasing a cloud-based server, Leasing software and customized features, Scaling charges based on usage/demand instead of fixed hardware or capacity, Billing at the user or organization level) Benefits: Demand and growth can be unpredictable and can outpace expectation. Companies wanting to try a new product or service don't need to invest in equipment. Instead, they pay as much or as little for the infrastructure as required.

Capex vs Opex

Cloud deployment models

Public versus Private versus Hybrid Explanation Video

Public

Advantages

  • High scalability/agility – you don’t have to buy a new server in order to scale
  • Pay-as-you-go pricing – you pay only for what you use, no CapEx costs
  • You’re not responsible for maintenance or updates of the hardware
  • Minimal technical knowledge to set up and use - you can leverage the skills and expertise of the cloud provider to ensure workloads are secure, safe, and highly available

Disadvantages

  • There may be specific security requirements that cannot be met by using public cloud
  • There may be government policies, industry standards, or legal requirements which public clouds cannot meet
  • You don't own the hardware or services and cannot manage them as you may want to
  • Unique business requirements, such as having to maintain a legacy application might be hard to meet

Private

Advantages

  • You have complete control over the resources and can ensure the configuration can support any scenario or legacy application
  • You have complete control (and responsibility) over security
  • Private clouds can meet strict security, compliance, or legal requirements in ways a public cloud might not be able to

Disadvantages

  • You have upfront CapEx costs and must purchase the hardware for startup and maintenance
  • Owning the equipment limits the agility - to scale you must buy, install, and set up new hardware
  • Private clouds require IT skills and expertise that's hard to come by

Hybrid

Advantages

Some advantages of a hybrid cloud versus a private cloud are:

  • You can keep any systems running and accessible that use out-of-date hardware or an out-of-date operating system
  • You have flexibility with what you run locally versus in the cloud
  • You can take advantage of economies of scale from public cloud providers for services and resources where it's cheaper, and then supplement with your own equipment when it's not
  • You can use your own equipment to meet security, compliance, or legacy scenarios where you need to completely control the environment

Disadvantages

  • It can be more expensive than selecting one deployment model since it involves some CapEx cost up front
  • It can be more complicated to set up and manage

Cloud computing is flexible and gives you the ability to choose how you want to deploy it. The cloud deployment model you choose depends on your budget, and on your security, scalability, and maintenance needs.

Types of cloud services

  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)

IaaS versus SaaS versus PaaS Explanation Video

Management responsibilities

IaaS, PaaS, and SaaS each contain different levels of managed services. You may easily use a combination of these types of infrastructure. You could use Office 365 on your company’s computers (SaaS), and in Azure, you could host your VMs (IaaS) and use Azure SQL Database (PaaS) to store your data. With the cloud’s flexibility, you can use any combination that provides you with the maximum result.

Summary

In this module, you've learned about cloud computing, what it is and what its key characteristics are. Here are some of the things you covered.

  • Different types of cloud models that are available and the considerations of using those different models.
  • Some of the key terms and concepts such as high availability, agility, elasticity, fault tolerance, and CapEx vs. OpEx.
  • The different cloud services available, the benefits of using the different types, and the management responsibilities under each service type. Cloud models such as public, private and hybrid, and what the key characteristics of each model are.
  • The different types of cloud service available: IaaS, PaaS, and SaaS; what the key characteristics of each service are and when you would choose one over the other.

Services you'll find on Azure:

  • Compute services such as VMs and containers that can run your applications
  • Database services that provide both relational and NoSQL choices
  • Identity services that help you authenticate and protect your users
  • Networking services that connect your datacenter to the cloud, provide high availability or host your DNS domain
  • Storage solutions that can accommodate massive amounts of both structured and unstructured data
  • AI and machine-learning services that can naturally communicate with your users through vision, hearing, and speech

Azure fundamentals

2. Core Cloud Services - Introduction to Azure

Microsoft Learn. Azure Fundamentals. AZ900

What is Azure?

Azure is Microsoft's cloud computing platform. Azure is a continually expanding set of cloud services that help your organization meet your current and future business challenges. Azure gives you the freedom to build, manage, and deploy applications on a massive global network using your favorite tools and frameworks.

How does Azure work?

What is cloud computing?

Cloud computing is the delivery of computing services over the Internet using a pay-as-you-go pricing model.

Why should I move to the cloud?

The cloud helps you move faster and innovate in ways that were once nearly impossible.

In our ever-changing digital world, two trends emerge:

  • Teams are delivering new features to their users at record speeds.
  • End users expect an increasingly rich and immersive experience with their devices and with software.

To power your services and deliver innovative and novel user experiences more quickly, the cloud provides on-demand access to:

  • A nearly limitless pool of raw compute, storage, and networking components.
  • Speech recognition and other cognitive services that help make your application stand out from the crowd.
  • Analytics services that enable you to make sense of telemetry data coming back from your software and devices.

Tour of Azure services

Azure: The big picture

Azure services

  • Compute
  • Networking
  • Storage
  • Mobile
  • Databases
  • Web
  • IoT
  • Big Data
  • Artificial Intelligence
  • DevOps

Knowledge Check

  1. What is Azure? Microsoft's cloud computing platform, which provides compute power, storage, and services over the Internet using a pay-as-you-go pricing model.
  2. Which of the following is an example of an Azure compute service? Azure Virtual Machine
  3. When should you scale out your deployment? When you need additional virtual machines to speed up your application.

Azure fundamentals

3. Core Cloud Services - Azure architecture and service guarantees

Microsoft Learn. Azure Fundamentals. AZ900

Datacenters and Regions in Azure

What is a region?

A region is a geographical area on the planet containing at least one, but potentially multiple datacenters that are nearby and networked together with a low-latency network. Azure intelligently assigns and controls the resources within each region to ensure workloads are appropriately balanced.

Regions as of December 2018

Special Azure regions

Azure also has special regions that you might want to use when building out your applications for compliance or legal purposes. These include:

  • US DoD Central, US Gov Virginia, US Gov Iowa and more
  • China East, China North and more: Available through a partnership between Microsoft and 21Vianet, whereby Microsoft does not directly maintain the datacenters.
  • Germany Central and Germany Northeast: Available through a data trustee model whereby customer data remains in Germany under control of T-Systems

Geographies

A geography is a discrete market, typically containing two or more regions, that preserves data residency and compliance boundaries.

Benefits

  • Geographies allow customers with specific data residency and compliance needs to keep their data and applications close.
  • Geographies ensure that data residency, sovereignty, compliance, and resiliency requirements are honored within geographical boundaries.
  • Geographies are fault-tolerant to withstand complete region failure through their connection to dedicated high-capacity networking infrastructure.

Geographies are broken up into the following areas:

  • Americas
  • Europe
  • Asia Pacific
  • Middle East and Africa

Availability Zones

Availability Zones are physically separate datacenters within an Azure region. Each is made up of one or more datacenters equipped with independent power, cooling, and networking.

Azure Region

You can use Availability Zones to run mission-critical applications and build high availability into your application architecture by co-locating your compute, storage, networking, and data resources within a zone and replicating in other zones.

Azure services that support Availability Zones fall into two categories:

  • Zonal services: you pin the resource to a specific zone (for example, virtual machines, managed disks, IP addresses)
  • Zone-redundant services: platform replicates automatically across zones (for example, zone-redundant storage, SQL Database)

Region Pairs

Each Azure region is always paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away. This approach allows for the replication of resources (such as virtual machine storage) across a geography that helps reduce the likelihood of interruptions due to events such as natural disasters, civil unrest, power outages, or physical network outages affecting both regions at once.

Examples of region pairs in Azure are West US paired with East US, and SouthEast Asia paired with East Asia.

Geography

Additional advantages of region pairs include:

  • If there's an extensive Azure outage, one region out of every pair is prioritized to help reduce the time it takes to restore them for applications.
  • Planned Azure updates are rolled out to paired regions one region at a time to minimize downtime and risk of application outage.
  • Data continues to reside within the same geography as its pair (except for Brazil South) for tax and law enforcement jurisdiction purposes.

Service Level Agreements for Azure

SLAs for Azure products and services

There are three key characteristics of SLAs for Azure products and services:

  1. Performance Targets
  2. Uptime and Connectivity Guarantees
  3. Service credits

Service Credits

SLAs also describe how Microsoft will respond if an Azure product or service fails to perform to its governing SLA's specification. For example, customers may have a discount applied to their Azure bill, as compensation for an under-performing Azure product or service.

Example for a VM

MONTHLY UPTIME PERCENTAGE    SERVICE CREDIT PERCENTAGE
< 99.9                       10
< 99                         25
< 95                         100

Composing SLAs across services

When combining SLAs across different service offerings, the resultant SLA is called a composite SLA.

Calculating downtime

Consider an App Service web app that writes to Azure SQL Database. These Azure services currently have the following SLAs: App Service 99.95 percent and SQL Database 99.99 percent.

Web App and Database

Because the app depends on both services, and either one being unavailable makes the app unavailable, the two availabilities are multiplied:

99.95 percent × 99.99 percent = 99.94 percent

Conversely, you can improve the composite SLA by creating independent fallback paths. For example, if SQL Database is unavailable, you can put transactions into a queue for processing at a later time.

Combined Scenario

If the expected fraction of time for a simultaneous failure of the database and the queue is 0.0001 × 0.001, the composite SLA for this combined path (database or queue) would be:

1.0 − (0.0001 × 0.001) = 0.9999999 = 99.99999 percent

Therefore, if we add the queue to our web app, the total composite SLA is:

99.95 percent × 99.99999 percent = ~99.95 percent

Notice we've improved our SLA behavior. However, there are trade-offs to using this approach: the application logic is more complicated, you are paying more to add the queue support, and there may be data-consistency issues you'll have to deal with due to retry behavior.
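A worked version of the composite SLA arithmetic above, added here as an example and not part of the original notes. It generalizes the two rules the notes apply (dependencies in series multiply availabilities; independent fallback paths multiply failure fractions) to any number of services, converts the result into allowed downtime per month, and encodes the VM service-credit table from earlier in the module. The 99.9 percent queue SLA is an assumption inferred from the 0.001 failure fraction the notes use.

```python
"""Composite SLA arithmetic for the web app / SQL Database / queue scenario.

Added example; not part of the original notes. Availability figures are
fractions (0.9995 == 99.95 percent). The 99.9 percent queue SLA is an
assumption inferred from the 0.001 failure fraction the notes multiply with.
"""
from __future__ import annotations

# 30-day month, the period against which monthly uptime is usually measured.
MINUTES_PER_MONTH = 30 * 24 * 60


def _check(a: float) -> None:
    if not 0.0 <= a <= 1.0:
        raise ValueError(f"availability must be a fraction in [0, 1], got {a}")


def serial_sla(*availabilities: float) -> float:
    """Services the request path depends on in series: every one must be up.

    Availabilities multiply, so the composite is never better than the
    weakest dependency (the 99.95 x 99.99 = 99.94 case in the notes).
    """
    result = 1.0
    for a in availabilities:
        _check(a)
        result *= a
    return result


def fallback_sla(*availabilities: float) -> float:
    """Independent fallback paths: the path is down only if all fail at once.

    Failure fractions (1 - availability) multiply, and the composite is
    1 minus that product (the 1 - 0.0001 x 0.001 case in the notes).
    """
    failure = 1.0
    for a in availabilities:
        _check(a)
        failure *= 1.0 - a
    return 1.0 - failure


def monthly_downtime_minutes(availability: float) -> float:
    """Translate an availability fraction into allowed downtime per 30-day month."""
    _check(availability)
    return (1.0 - availability) * MINUTES_PER_MONTH


def vm_service_credit_percent(monthly_uptime_percent: float) -> int:
    """Service credit tiers from the VM SLA table in the notes."""
    if monthly_uptime_percent < 95.0:
        return 100
    if monthly_uptime_percent < 99.0:
        return 25
    if monthly_uptime_percent < 99.9:
        return 10
    return 0


def as_percent(fraction: float, digits: int = 5) -> str:
    return f"{fraction * 100:.{digits}f} percent"


if __name__ == "__main__":
    web, db, queue = 0.9995, 0.9999, 0.999  # queue value is an assumption

    plain = serial_sla(web, db)
    print("web app -> SQL Database only:", as_percent(plain),
          f"(~{monthly_downtime_minutes(plain):.1f} min/month downtime)")

    db_or_queue = fallback_sla(db, queue)
    print("SQL Database or queue path:  ", as_percent(db_or_queue, 7))

    with_queue = serial_sla(web, db_or_queue)
    print("web app -> (SQL or queue):   ", as_percent(with_queue),
          f"(~{monthly_downtime_minutes(with_queue):.1f} min/month downtime)")

    # The credit table: how much of the bill comes back when a VM misses its SLA.
    for uptime in (99.95, 99.5, 98.0, 90.0):
        print(f"VM monthly uptime {uptime:6.2f} percent -> "
              f"{vm_service_credit_percent(uptime)} percent service credit")
```

Running it shows why the queue barely moves the headline figure: the web app at 99.95 percent remains the weakest link, so the fallback path only removes the database's share of the downtime budget.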

Improve your app reliability

Understand your app requirements

Resiliency

Resiliency is the ability of a system to recover from failures and continue to function. It's not about avoiding failures, but responding to failures in a way that avoids downtime or data loss. The goal of resiliency is to return the application to a fully functioning state following a failure. High availability and disaster recovery are two crucial components of resiliency.

When designing your architecture you need to design for resiliency, and you should perform a Failure Mode Analysis (FMA). The goal of an FMA is to identify possible points of failure and to define how the application will respond to those failures.

Cost and complexity vs. high availability

Availability refers to the time that a system is functional and working. Devising preventative measures can be difficult and expensive, and often results in complex solutions. As your solution grows in complexity, you will have more services depending on each other. Therefore, you might overlook possible failure points in your solution if you have several interdependent services.

Considerations for defining application SLAs

  • If your application SLA defines four 9's (99.99%) performance targets, recovering from failures by manual intervention may not be enough to fulfill your SLA. Your Azure solution must be self-diagnosing and self-healing instead.
  • It is difficult to respond to failures quickly enough to meet SLA performance targets above four 9's.
  • Carefully consider the time window against which your application SLA performance targets are measured. The smaller the time window, the tighter the tolerances. If you define your application SLA as hourly or daily uptime, you need to understand these tighter tolerances might not allow for achievable performance targets.

Summary

Microsoft provides more global presence than any other cloud provider with over 54 regions distributed worldwide. This infrastructure gives you the scale needed to bring your applications closer to users around the world. Azure also has dedicated regions to support government use and applications that need to be deployed in China so you can ensure data security and residency and meet compliance and resilience requirements for your customers no matter what type of business requirements you have.

Check your knowledge

  1. True or False. You can select the specific datacenter you want to deploy your app into.
  • (X)True
  • ( )False Correct. Azure organizes infrastructure around regions which include multiple datacenters. You can't select a specific datacenter, but you can pick the region you want resources deployed into.
  2. True or False. Every region has an availability zone.
  • ( )True
  • (X)False Correct. Regions that support Availability Zones include Central US, North Europe, and SouthEast Asia.
  3. Application availability refers to what?
  • ( )The service level agreement of the associated resource.
  • ( )Whether the application supports an availability zone.
  • (X)The overall time that a system is functional and working. Correct. The time that a system is working is referred to as the application availability.

Azure fundamentals

4. Create an Azure account

Microsoft Learn. Azure Fundamentals. AZ900

Create an Azure account

Introduction

Learning objectives

In this module, you will:

  • Learn about the different types of Azure accounts and subscriptions
  • Understand how billing works in Azure
  • Create a free Azure account
  • Learn how to get help when you need it

Azure accounts and subscriptions

What is an Azure account?

An Azure account is tied to a specific identity and holds information like:

  • Name, email, and contact preferences
  • Billing information such as a credit card

What is an Azure subscription?

An Azure subscription is a logical container used to provision resources in Microsoft Azure.

Subscription types

Azure offers free and paid subscription options to suit different needs and requirements. The most commonly used subscriptions are:

  • Free
  • Pay-As-You-Go
  • Enterprise Agreement
  • Student

Using multiple Azure subscriptions

You can create multiple subscriptions under a single Azure account. This is particularly useful for businesses because access control and billing occur at the subscription level, not the account level.

Azure Subscriptions

Access management

You can create separate subscriptions on your Azure account to reflect different organizational structures. For example, you could limit engineering to lower-cost resources, while allowing the IT department a full range. This design allows you to manage and control access to the resources that users provision within each subscription.

Billing

One bill is generated for every Azure subscription on a monthly basis. The payment is charged automatically to the associated account credit or debit card within 10 days after the billing period ends. On your credit card statement, the line item would say MSFT Azure.

Azure Billing

Authenticate access with Azure Active Directory

Authentication for your account is performed using Azure Active Directory (Azure AD). Azure AD is a modern identity provider that supports multiple authentication protocols to secure applications and services in the cloud.

Azure AD is not the same as Windows Active Directory. Windows Active Directory is focused on securing Windows desktops and servers. In contrast, Azure AD is all about web-based authentication standards such as OpenID and OAuth.

Azure AD is partitioned into separate tenants. A tenant is a dedicated, isolated instance of the Azure Active Directory service, owned and managed by an organization. When you sign up for a Microsoft cloud service subscription such as Microsoft Azure, Microsoft Intune, or Office 365, a dedicated instance of Azure AD is automatically created for your organization.

When it comes to Azure AD tenants, there is no concrete definition of "organization" — tenants can be owned by individuals, teams, companies, or any other group of people. Tenants are commonly associated with companies. If you sign up for Azure with an email address that's not associated with an existing tenant, the sign-up process will walk you through creating a tenant, owned entirely by you.

The email address you use to sign in to Azure can be associated with more than one tenant. You might see this if you have an Azure account and you use Microsoft Learn's Azure Sandbox to complete exercises. In the Azure portal, you can only view resources belonging to one tenant at a time. To switch the tenant you're viewing resources for, select the Book and filter icon at the top of the portal and choose a different tenant in the Switch directory section.

Azure AD tenants and subscriptions have a many-to-one trust relationship: A tenant can be associated with multiple Azure subscriptions, but every subscription is associated with only one tenant. This structure allows organizations to manage multiple subscriptions and set security rules across all the resources contained within them.

Azure AD

Azure support options

Every Azure subscription includes free access to the following essential support services:

  • Billing and subscription support
  • Azure products and services documentation
  • Online self-help documentation
  • Whitepapers
  • Community support forums

Paid Azure support plans

Microsoft offers four paid Azure support plans for customers who require technical and operational support: Developer, Standard, Professional Direct, and Premier.

Summary

  • You have learned about Azure accounts, subscriptions, and tenants.
  • You have seen how billing and support are managed in Azure.
  • You have created a free account for Microsoft Azure and learned how to sign in using that account.

Learn more

Check your knowledge

  1. Which of the following defines an Azure subscription correctly?
  • Using Azure does not require a subscription
  • All Azure subscriptions are always free
  • An account cannot have more than one subscription
  • An Azure subscription is a logical unit of Azure services that is linked to an Azure account. Using Azure requires an Azure subscription. Azure offers free and paid subscription options to suit different customer needs and requirements, and an account can have one or more subscriptions, with different billing models and access-management policies applied to each. A subscription provides authenticated and authorized access to Azure products and services, and allows you to provision resources.
  2. True or False. Azure has free services you can use once you have an Azure subscription.
  • False
  • True - there are several free services available. This is true. Azure has several free services you can use, including Azure App Services, Functions, and Azure Kubernetes containers.
  3. Billing in Azure is ______________
  • Annually for each Azure account based on usage.
  • Monthly for each Azure subscription based on usage. Billing is performed monthly for each subscription in the account, based on the resource usage.
  • Monthly for each Azure account based on usage.
  • Daily for each Azure subscription based on usage.

Azure fundamentals

5. Core Cloud Services - Manage services with the Azure portal

Microsoft Learn. Azure Fundamentals. AZ900

Introduction

The Azure Portal lets you create and manage all your Azure resources. Here you will learn how to sign in to the portal and navigate the portal interface. You will also learn how to customize the dashboard, so it is convenient to locate and monitor your most essential services.

Learning objectives

  • Learn about Azure management options
  • Navigate the Azure portal
  • Customize the dashboard

Azure management options

Tools that are commonly used for day-to-day management and interaction include:

  • Azure portal for interacting with Azure via a Graphical User Interface (GUI). The portal is a website that you can access with a web browser by going to the URL https://portal.azure.com. From here, you can interact manually with all the Azure services.

  • Azure PowerShell and Azure Command-Line Interface (CLI) for command-line and automation-based interactions with Azure. Azure PowerShell is a module that you can install for Windows PowerShell or PowerShell Core, the cross-platform version of PowerShell that runs on Windows, Linux, or macOS. Azure PowerShell enables you to connect to your Azure subscription and manage resources. Azure CLI is a cross-platform command-line program that connects to Azure and executes administrative commands on Azure resources.

  • Azure Cloud Shell for a web-based command-line interface. Linux users can opt for a Bash experience, while Windows users can opt for PowerShell. An Azure storage account is required to use the Cloud Shell. You can access Azure Cloud Shell by going to https://shell.azure.com/.

Navigate the portal

Azure portal layout

The Azure portal is the primary graphical user interface (GUI) for controlling Microsoft Azure.

Azure Portal

Resource panel. In the left-hand sidebar of the portal is the resource pane, which lists the main resource types. You can customize this with the specific resource types you tend to create or administer most often. You can also collapse this pane with the << caret.

What is a blade?

The Azure portal uses a blades model for navigation. A blade is a slide-out panel containing the UI for a single level in a navigation sequence. For example, each of these elements in this sequence would be represented by a blade: Virtual machines > Compute > Ubuntu Server.

What is the Azure Marketplace?

This blade is often where you will start when creating new resources in Azure. The Marketplace allows customers to find, try, purchase, and provision applications and services from hundreds of leading service providers, all certified to run on Azure.

Configuring settings in the Azure portal

The Azure portal displays several configuration options, mostly in the status bar at the top-right of the screen.

Notifications

Clicking the bell icon displays the Notifications pane. This pane lists the last actions that have been carried out, along with their status.

Cloud Shell

If you click the Cloud Shell icon (>_), you will create a new Azure Cloud Shell session.

Settings

Click the gear icon to change the Azure portal settings. These settings include:

  • Sign out time
  • Color and contrast themes
  • Toast notifications (to a mobile device)
  • Language and regional format

Portal Settings

Feedback blade

The smiley face icon opens the Send us feedback about Azure blade. You can decide whether Microsoft can respond to your feedback by email.

Help blade

Click the question mark icon to show the Help blade. Here you choose from several options, including:

  • Help + Support
  • What's new
  • Azure roadmap
  • Launch guided tour
  • Keyboard shortcuts
  • Show diagnostics
  • Privacy + terms

Help + Support options

This opens the main support area for the Azure portal and includes documentation options for a variety of common questions. One of the less obvious areas here is the New support request link on this page, which is how you open a support ticket with the Azure team. The availability of support for other issues depends on the support plan you have. You can then check the status and details of your support request through All support requests on the Help + support blade.

Directory and subscription

Click the Book and Filter icon to show the Directory + subscription blade. Azure allows you to have more than one subscription associated with one directory. On the Directory + subscription blade, you can change between subscriptions or switch to another directory.

Directory and Subscription

Profile settings

If you click on your name in the top right-hand corner, a menu opens with a few options:

  • Sign in with another account, or sign out entirely
  • View your account profile, where you can change your password
  • Check your permissions
  • View your bill (click the "..." button on the right-hand side)
  • Update your contact information (click the "..." button on the right-hand side)

If you click "..." and then View my bill, Azure takes you to the Cost Management + Billing - Invoices page, which helps you analyze where Azure is generating costs.

Azure Advisor

Azure Advisor provides recommendations on high availability, security, performance, and cost. You can view them in the portal or download them in PDF or CSV format.

With Azure Advisor, you can:

  • Get proactive, actionable, and personalized best practices recommendations.
  • Improve the performance, security, and high availability of your resources as you identify opportunities to reduce your overall Azure costs.
  • Get recommendations with proposed actions inline.

Access Azure Advisor by selecting Advisor from the navigation menu, or search for it in the All Services menu.

Azure Advisor

Azure Portal dashboards

What is a dashboard?

A dashboard is a customizable collection of UI tiles displayed in the Azure portal. You add, remove, and position tiles to create the exact view you want, and then save that view as a dashboard. Multiple dashboards are supported, and you can switch between them as needed. You can even share your dashboards with other team members. Dashboards are stored as JavaScript Object Notation (JSON) files. This means they can be uploaded and downloaded to other computers, or shared with members of the Azure directory.

Access public and private preview features

Microsoft offers previews of Azure features for evaluation purposes. With Azure Preview Features, you can test beta and other pre-release features, products, services, software, and regions.

Some of the common areas you will see previews for include:

  • New storage types
  • New Azure services, such as Machine Learning enhancements
  • New or enhanced integration with other platforms
  • New APIs for services

Feature preview categories

  • Private Preview. Available to specific Azure customers for evaluation purposes.
  • Public Preview. Available to all Azure customers for evaluation purposes.

Accessing preview features

You can activate specific preview features through the preview features page.

Azure portal preview features

Another preview area you can try is the next version of the Azure portal. Use the URL https://preview.portal.azure.com (notice the preview prefix).

Get notified about GA releases

The Azure portal "What's New" link on the ? help menu provides a list of recent updates you can periodically check to see what's changed in Azure. Alternatively, you can use the Azure Updates page.

Summary

We have covered a lot of ground in this module.

  • You have learned how to sign into Azure using an Azure account.
  • You reviewed the features of the Azure portal and its customization options.
  • You created, customized, and shared a dashboard.

Check your knowledge

  1. An Azure dashboard is stored as which type of file?
  • XML
  • JSON. Azure dashboards are stored as JSON files, which allows them to be uploaded and downloaded to share with other members of the Azure directory.
  • PNG
  2. Azure Advisor provides advice on: (Select one)
  • Creating an Azure account
  • Best practices and security for your services. Azure Advisor is a free service built into Azure that provides recommendations on high availability, security, performance, and cost.
  • Using the Azure portal effectively
  3. True or false: Azure Cloud Shell is an interactive, browser-accessible shell for managing Azure resources?
  • True. Azure Cloud Shell is an interactive shell for managing Azure resources. You can control and administer all of your Azure resources in the current subscription through a command-line interface built right into the portal.
  • False

Azure fundamentals

6. Core Cloud Services - Azure compute options

Microsoft Learn. Azure Fundamentals. AZ900

Introduction

In this module, you will:

  • Identify compute options in Azure
  • Select compute options that are appropriate for your business

Essential Azure compute concepts

What is Azure compute?

Azure compute is an on-demand computing service for running cloud-based applications. There are four common techniques for performing compute in Azure:

  • Virtual machines
  • Containers
  • Azure App Service
  • Serverless computing

What are virtual machines?

Virtual machines, or VMs, are software emulations of physical computers. They include a virtual processor, memory, storage, and networking resources.

What are containers?

Containers are a virtualization environment for running applications. Unlike virtual machines, they do not include an operating system. Instead, they include the libraries and components needed to run the application and reference the operating system of the host environment that runs the container. For example, if five containers are running on a server with a specific Linux kernel, all five containers are running on that same kernel.

What is Azure App Service?

Azure App Service is a platform-as-a-service (PaaS) offering in Azure that is designed to host enterprise-grade web-oriented applications. You can meet rigorous performance, scalability, security, and compliance requirements while using a fully managed platform to perform infrastructure maintenance.

What is Serverless Computing?

Serverless computing is a cloud-hosted execution environment that runs your code but completely abstracts the underlying hosting environment. You create an instance of the service, and you add your code; no infrastructure configuration or maintenance is required, or even allowed.

Explore Azure Virtual Machines

VMs are an ideal choice when you need:

  • Total control over the operating system (OS)
  • The ability to run custom software, or
  • To use custom hosting configurations

Moving to the cloud with VMs

VMs are also an excellent choice when moving from a physical server to the cloud ("lift and shift").

Scaling VMs in Azure

Azure has several features so that no matter what your uptime requirements are, Azure can meet them. These features include:

  • Availability sets
  • Virtual Machine Scale Sets
  • Azure Batch

What are availability sets?

An availability set is a logical grouping of two or more VMs that help keep your application available during planned or unplanned maintenance.

A planned maintenance event is when the underlying Azure fabric that hosts VMs is updated by Microsoft. A planned maintenance event is done to patch security vulnerabilities, improve performance, and add or update features. Unplanned maintenance events involve a hardware failure in the data center, such as a power outage or disk failure. VMs that are part of an availability set automatically switch to a working physical server so the VM continues to run.

With an availability set, you get:

  • Up to three fault domains that each have a server rack with dedicated power and network resources
  • Five logical update domains

There's no cost for an availability set. You only pay for the VMs within the availability set. We highly recommend that you place each workload in an availability set to avoid a single point of failure in your VM architecture.
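To make the fault-domain and update-domain arithmetic above concrete, here is an added example (not code from the Microsoft Learn module) that models how the VMs of one availability set are spread over up to three fault domains and five update domains, and which VMs keep serving when a rack fails or an update domain reboots. The round-robin assignment (the n-th VM goes to fault domain n mod 3 and update domain n mod 5) is an assumption of the model, chosen because it is the simplest scheme that puts consecutive VMs on different racks and in different reboot groups.

```python
"""Model of VM placement inside an availability set (constructed example)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Placement:
    vm: str
    fault_domain: int    # VMs in one fault domain share a rack, its power and its network
    update_domain: int   # VMs in one update domain are rebooted together during maintenance


def place_vms(vm_names, fault_domains=3, update_domains=5):
    """Assign VMs round-robin to fault and update domains.

    Assumption: VM n lands in fault domain n mod FD and update domain n mod UD.
    The page states an availability set gives up to three fault domains and five
    logical update domains, which are the defaults used here.
    """
    if not 1 <= fault_domains <= 3:
        raise ValueError("an availability set supports at most three fault domains")
    if update_domains < 1:
        raise ValueError("at least one update domain is required")
    return [Placement(name, i % fault_domains, i % update_domains)
            for i, name in enumerate(vm_names)]


def surviving(placements, failed_fault_domain=None, rebooting_update_domain=None):
    """Names of the VMs still serving during a rack failure and/or a maintenance reboot."""
    return [p.vm for p in placements
            if p.fault_domain != failed_fault_domain
            and p.update_domain != rebooting_update_domain]


def has_single_point_of_failure(placements):
    """True when one rack failure or one update-domain reboot would take every VM down."""
    fault_domains = {p.fault_domain for p in placements}
    update_domains = {p.update_domain for p in placements}
    return len(placements) < 2 or len(fault_domains) == 1 or len(update_domains) == 1


if __name__ == "__main__":
    web_tier = place_vms([f"web{i}" for i in range(6)])
    for p in web_tier:
        print(f"{p.vm}: FD{p.fault_domain} UD{p.update_domain}")
    print("rack 0 fails   ->", surviving(web_tier, failed_fault_domain=0))
    print("UD0 reboots    ->", surviving(web_tier, rebooting_update_domain=0))
    print("single VM SPOF ->", has_single_point_of_failure(place_vms(["lonely"])))
```

Running it shows that with six VMs a single rack failure or a single update-domain reboot never removes more than two of them, and that a one-VM "set" is still a single point of failure, which is the reason the text recommends two or more VMs per workload.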

What are virtual machine scale sets?

Azure Virtual Machine Scale Sets let you create and manage a group of identical, load balanced VMs. Scale sets allow you to centrally manage, configure, and update a large number of VMs in minutes to provide highly available applications.

What is Azure Batch?

Azure Batch enables large-scale job scheduling and compute management with the ability to scale to tens, hundreds, or thousands of VMs.

When you're ready to run a job, Batch:

  • Starts a pool of compute VMs for you
  • Installs applications and staging data
  • Runs jobs with as many tasks as you have
  • Identifies failures
  • Requeues work
  • Scales down the pool as work completes

Explore Containers in Azure

If you wish to run multiple instances of an application on a single virtual machine, containers are an excellent choice. The container orchestrator can start, stop, and scale out application instances as needed. Another benefit of containers is you can run multiple isolated applications on a single VM host. Since containers are secured and isolated, you don't need separate VMs for each app.

Containers in Azure

Azure supports Docker containers, and there are several ways to manage containers in Azure.

  • Azure Container Instances (ACI). It is a PaaS offering that allows you to upload your containers and execute them directly.
  • Azure Kubernetes Service (AKS). The task of automating, managing, and interacting with a large number of containers is known as orchestration. Azure Kubernetes Service (AKS) is a complete orchestration service for containers with distributed architectures and multiple containers.

What is Kubernetes?

Using containers in your solutions

Containers are often used to create solutions using a microservice architecture. This is where you break solutions into smaller, independent pieces. For example, you may split a website into a container hosting your front end, another hosting your back end, and a third for storage. This allows you to separate portions of your app into logical sections that can be maintained, scaled, or updated independently.

What is a microservice?

Imagine your website backend has reached capacity but the front end and storage aren't being stressed. You could scale the back end separately to improve performance, or you could decide to use a different storage service. Or you could even replace the storage container without affecting the rest of the application.

Azure App Service

Azure App Service enables you to build and host web apps, background jobs, mobile backends, and RESTful APIs in the programming language of your choice without managing infrastructure. It offers auto-scaling and high availability, supports both Windows and Linux, and enables automated deployments from GitHub, Azure DevOps, or any Git repo to support a continuous deployment model.

App Service costs

You pay for the Azure compute resources your app uses while it processes requests, based on the App Service Plan you choose. The App Service plan determines how much hardware is devoted to your host.

Types of web apps

With Azure App Service, you can host most common web app styles including:

  • Web Apps
  • API Apps
  • WebJobs
  • Mobile Apps

Web Apps

App Service includes full support for hosting web apps using ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python. You can choose either Windows or Linux as the host operating system.

API Apps

Much like hosting a website, you can build REST-based Web APIs using your choice of language and framework. You get full Swagger support, and the ability to package and publish your API in the Azure Marketplace. The produced apps can be consumed from any HTTP(S)-based client.

Web Jobs

WebJobs allows you to run a program (.exe, Java, PHP, Python or Node.js) or script (.cmd, .bat, PowerShell, or Bash) in the same context as a web app, API app, or mobile app. They can be scheduled, or run by a trigger. This is often used to run background tasks as part of your application logic.

Mobile Apps

Use the Mobile Apps feature of Azure App Service to quickly build a back-end for iOS and Android apps. With just a few clicks in the Azure portal you can:

  • Store mobile app data in a cloud-based SQL database
  • Authenticate customers against common social providers such as MSA, Google, Twitter and Facebook
  • Send push notifications
  • Execute custom back-end logic in C# or Node.js

On the mobile app side, there is SDK support for native iOS & Android, Xamarin, and React native apps.

Explore Serverless computing in Azure

With serverless computing, Azure takes care of managing the server infrastructure and allocation/deallocation of resources based on demand.

This could be a REST endpoint, a periodic timer, or even a message received from another Azure service. The serverless app runs only when it's triggered by an event.

Azure has two implementations of serverless compute:

  • Azure Functions which can execute code in almost any modern language.
  • Azure Logic Apps which are designed in a web-based designer and can execute logic triggered by Azure services without writing any code.

Azure Functions

They're commonly used when you need to perform work in response to an event, often via a REST request, timer, or message from another Azure service, and when that work can be completed quickly, within seconds or less. Azure Functions scale automatically based on demand, so they're a solid choice when demand is variable. Azure Functions can be either stateless (the default, where they behave as if they're restarted every time they respond to an event) or stateful (called "Durable Functions", where a context is passed through the function to track prior activity).

Azure Logic Apps

Logic Apps execute workflows built from predefined logic blocks. They are specifically designed to automate your business processes. You create Logic App workflows using a visual designer on the Azure Portal or in Visual Studio. The workflows are persisted as a JSON file with a known workflow schema. Azure provides over 200 different connectors and processing blocks to interact with different services - including most popular enterprise apps. You can also build custom connectors and workflow steps if the service you need to interact with isn't covered.

Functions vs. Logic Apps

Functions and Logic Apps can both create complex orchestrations. An orchestration is a collection of functions or steps, that are executed to accomplish a complex task. With Azure Functions, you write code to complete each step, with Logic Apps, you use a GUI to define the actions and how they relate to one another.

|                   | Functions                                                              | Logic Apps                                                                                             |
|-------------------|------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|
| State             | Normally stateless, but Durable Functions provide state                | Stateful                                                                                               |
| Development       | Code-first (imperative)                                                | Designer-first (declarative)                                                                           |
| Connectivity      | About a dozen built-in binding types; write code for custom bindings   | Large collection of connectors, Enterprise Integration Pack for B2B scenarios, build custom connectors |
| Actions           | Each activity is an Azure function; write code for activity functions  | Large collection of ready-made actions                                                                 |
| Monitoring        | Azure Application Insights                                             | Azure portal, Log Analytics                                                                            |
| Management        | REST API, Visual Studio                                                | Azure portal, REST API, PowerShell, Visual Studio                                                      |
| Execution context | Can run locally or in the cloud                                        | Runs only in the cloud                                                                                 |

Summary

Check your knowledge

  1. Suppose you have an existing application running locally on your own server. You need additional capacity but prefer to move to Azure instead of buying upgraded on-premises hardware. Which compute option would likely give you the quickest route to getting your application running in Azure?
  • Serverless computing
  • Containers
  • Virtual machines. You have full control over the VM setup, so you can configure it to match your on-premises server. This will allow your existing application to run on the Azure VM with little or no change.
  2. Imagine that you work on a photo-sharing application that runs on millions of mobile devices. Demand is unpredictable because you see a spike in usage whenever a locally or nationally significant event occurs. Which Azure compute resource is the best match for this workload?
  • Serverless computing. The photo-sharing app is event driven and needs to handle unpredictable demand. Serverless computing is a good fit for this because it is event based and can scale instantly to process spikes in traffic. It should also be a cost-effective choice because you will pay for compute time only when processing user data.
  • Containers
  • Virtual machines
  3. The compute options give you different levels of control over the configuration of the environment in which your application runs. Which of the following lists the compute options in order from "most control" to "least control"?
  • Serverless computing, containers, virtual machines
  • Containers, serverless computing, virtual machines
  • Virtual machines, containers, serverless computing. Virtual machines give you full control over the environment. Containers give you limited control. Serverless computing does not allow you to do any infrastructure configuration.

Azure fundamentals

7. Core Cloud Services - Azure data storage options

Microsoft Learn. Azure Fundamentals. AZ900

Introduction

In this module, you will:

  • Survey the data storage options in Azure
  • Discover how Azure data storage can meet your business demands
  • Compare Azure data storage with on-premises storage

Benefits of using Azure to store data

The Azure data storage options are cloud-based, secure, and scalable. Their features address the key challenges of cloud storage and provide you with a reliable and durable storage solution.

Why store your data in the cloud?

Here are some of the important benefits of Azure data storage:

  • Automated backup and recovery: mitigates the risk of losing your data if there is any unforeseen failure or interruption.
  • Replication across the globe: copies your data to protect it against any planned or unplanned events, such as scheduled maintenance or hardware failures. You can choose to replicate your data at multiple locations across the globe.
  • Support for data analytics: supports performing analytics on your data consumption.
  • Encryption capabilities: data is encrypted to make it highly secure; you also have tight control over who can access the data.
  • Multiple data types: Azure can store almost any type of data you need. It can handle video files, text files, and even large binary files like virtual hard disks. It also has many options for your relational and NoSQL data.
  • Data storage in virtual disks: Azure also has the capability of storing up to 8 TB of data in its virtual disks. This is a significant capability when you're storing heavy data such as videos and simulations.
  • Storage tiers: storage tiers to prioritize access to data based on frequently used versus rarely used information.

Types of data

There are three primary types of data that Azure Storage is designed to hold.

  1. Structured data. Structured data is data that adheres to a schema, so all of the data has the same fields or properties. Structured data can be stored in a database table with rows and columns. Structured data relies on keys to indicate how one row in a table relates to data in another row of another table. Structured data is also referred to as relational data, as the data's schema defines the table of data, the fields in the table, and the clear relationship between the two. Structured data is straightforward in that it's easy to enter, query, and analyze. All of the data follows the same format. Examples of structured data include sensor data or financial data.

  2. Semi-structured data. Semi-structured data doesn't fit neatly into tables, rows, and columns. Instead, semi-structured data uses tags or keys that organize and provide a hierarchy for the data. Semi-structured data is also referred to as non-relational or NoSQL data.

  3. Unstructured data. Unstructured data encompasses data that has no designated structure to it. This also means that there are no restrictions on the kinds of data it can hold. For example, a blob can hold a PDF document, a JPG image, a JSON file, video content, etc. As such, unstructured data is becoming more prominent as businesses try to tap into new data sources.

How Azure data storage can meet your business storage needs

Azure provides several storage options that accommodate specific types of data storage needs.

Azure SQL Database

Azure SQL Database is a relational database as a service (DaaS) based on the latest stable version of the Microsoft SQL Server database engine. You can migrate your existing SQL Server databases with minimal downtime using the Azure Database Migration Service. The service uses the Microsoft Data Migration Assistant to generate assessment reports that provide recommendations to help guide you through required changes prior to performing a migration.

Azure Cosmos DB

Azure Cosmos DB is a globally distributed database service. It supports schema-less data that lets you build highly responsive and Always On applications to support constantly changing data.

Azure Blob storage

Azure Blob Storage is unstructured, meaning that there are no restrictions on the kinds of data it can hold. Blobs are highly scalable and apps work with blobs in much the same way as they would work with files on a disk, such as reading and writing data. Blob Storage can manage thousands of simultaneous uploads, massive amounts of video data, constantly growing log files, and can be reached from anywhere with an internet connection. Azure Blob storage lets you stream large video or audio files directly to the user's browser from anywhere in the world. Blob storage is also used to store data for backup, disaster recovery, and archiving. It has the ability to store up to 8 TB of data for virtual machines. The following illustration shows an example usage of Azure blob storage.

Azure Data Lake Storage Gen2

The Data Lake feature allows you to perform analytics on your data usage and prepare reports. Data Lake is a large repository that stores both structured and unstructured data. Azure Data Lake Storage Gen2 combines the scalability and cost benefits of object storage with the reliability and performance of the Big Data file system capabilities.

Azure Files

Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol. Azure file shares can be mounted concurrently by cloud or on-premises deployments of Windows, Linux, and macOS. Applications running in Azure virtual machines or cloud services can mount a file storage share to access file data, just as a desktop application would mount a typical SMB share.

Azure Queue

Azure Queue storage is a service for storing large numbers of messages that can be accessed from anywhere in the world. Queue storage provides asynchronous message queueing for communication between application components, whether they are running in the cloud, on the desktop, on-premises, or on mobile devices. Typically, there are one or more sender components and one or more receiver components. Sender components add messages to the queue, while receiver components retrieve messages from the front of the queue for processing. The following illustration shows multiple sender applications adding messages to the Azure Queue and one receiver application retrieving the messages.

Use queue storage to:

  • Create a backlog of work and to pass messages between different Azure web servers.
  • Distribute load among different web servers/infrastructure and to manage bursts of traffic.
  • Build resilience against component failure when multiple users access your data at the same time.

Disk Storage

Disk storage provides disks for virtual machines, applications, and other services to access and use as they need, similar to how they would in on-premises scenarios. Disk storage allows data to be persistently stored and accessed from an attached virtual hard disk. The disks can be managed by Azure, or unmanaged and therefore managed and configured by the user.

Storage tiers

Azure offers three storage tiers for blob object storage:

  1. Hot storage tier: optimized for storing data that is accessed frequently.
  2. Cool storage tier: optimized for data that is infrequently accessed and stored for at least 30 days.
  3. Archive storage tier: for data that is rarely accessed and stored for at least 180 days with flexible latency requirements.

Encryption and replication

Azure provides security and high availability to your data through encryption and replication features.

Encryption for storage services

The following encryption types are available for your resources:

  1. Azure Storage Service Encryption (SSE) for data at rest helps you secure your data to meet the organization's security and regulatory compliance. It encrypts the data before storing it and decrypts the data before retrieving it. The encryption and decryption are transparent to the user.
  2. Client-side encryption is where the data is already encrypted by the client libraries. Azure stores the data in the encrypted state at rest, which is then decrypted during retrieval.

Replication for storage availability

A replication type is set up when you create a storage account. The replication feature ensures that your data is durable and always available. Azure provides regional and geographic replications to protect your data against natural disasters and other local disasters like fire or flooding.

Comparison between Azure data storage and on-premises storage

The term "on-premises" refers to the storage and maintenance of data on local hardware and servers. There are several factors to consider when comparing on-premises to Azure data storage.

  • Cost effectiveness. An on-premises storage solution requires dedicated hardware that needs to be purchased, installed, configured, and maintained. Azure data storage provides a pay-as-you-go pricing model, which is often appealing to businesses as an operating expense instead of an upfront capital cost. It's also scalable.

  • Reliability On-premises storage requires data backup, load balancing, and disaster recovery strategies. Azure data storage provides data backup, load balancing, disaster recovery, and data replication as services to ensure data safety and high availability.

  • Storage types Sometimes multiple different storage types are required for a solution, such as file and database storage. An on-premises approach often requires numerous servers and administrative tools for each storage type. Azure data storage provides a variety of different storage options including distributed access and tiered storage.

  • Agility Requirements and technologies change. For an on-premises deployment this may mean provisioning and deploying new servers and infrastructure pieces, which is a time consuming and expensive activity. Azure data storage gives you the flexibility to create new services in minutes. This flexibility allows you to change storage back-ends quickly without needing a significant hardware investment.

Differences between on-premises storage and Azure data storage.

Knowledge Check

  1. Suppose you work at a startup with limited funding. Why might you prefer Azure data storage over an on-premises solution?
  • To ensure you run on a specific brand of hardware which will let you form a marketing partnership with that hardware vendor.
  • The Azure pay-as-you-go billing model lets you avoid buying expensive hardware. There are no large, up-front capital expenditures (CapEx) with Azure. You pay monthly for only the services you use (OpEx).
  • To get exact control over the location of your data store.
  2. Which of the following situations would yield the most benefits from relocating an on-premises data store to Azure?
  • Unpredictable storage demand that increases and decreases multiple times throughout the year. Azure data storage is flexible. You can quickly and easily add or remove capacity. You can increase performance to handle spikes in load or decrease performance to reduce costs. In all cases, you pay for only what you use.
  • Long-term, steady growth in storage demand.
  • Consistent, unchanging storage demand.

Summary

  • Storage of both structured and unstructured data
  • High security that supports global compliance standards
  • Load balancing, high availability, and redundancy capabilities
  • The ability to store large volumes of data directly to the browser using features such as Azure Blob storage

Azure fundamentals

8. Core Cloud Services - Azure networking options

Microsoft Learn. Azure Fundamentals. AZ900

Introduction

In this module, you will learn:

  • How an Azure virtual network provides secure network communication among resources such as virtual machines and other networks
  • What high availability and resiliency mean and how Azure Load Balancer can increase resiliency within a single geographic region
  • What latency is and how Traffic Manager helps reduce network latency and provides resiliency across geographic locations

Deploy your site to Azure

Your e-commerce site at a glance

There are several strategies and patterns employed by software architects and designers to make these complex systems easier to design, build, manage, and maintain. Let's look at a few of them, starting with loosely coupled architectures.

Benefits of Loosely Coupled Architectures

Using an N-tier architecture

An architectural pattern that can be used to build loosely coupled systems is N-tier.

An N-tier architecture divides an application into two or more logical tiers. Architecturally, a higher tier can access services from a lower tier, but a lower tier should never access a higher tier.

Tiers help separate concerns and are ideally designed to be reusable. Using a tiered architecture also simplifies maintenance. Tiers can be updated or replaced independently, and new tiers can be inserted if needed.

Three-tier refers to an n-tier application that has three tiers. Your e-commerce web application follows this three-tier architecture:

  • The web tier provides the web interface to your users through a browser.
  • The application tier runs business logic.
  • The data tier includes databases and other storage that hold product information and customer orders.

Your e-commerce site running on Azure

Let's say you choose to run your e-commerce site on virtual machines. Here's what that might look like in your test environment running on Azure. The following illustration shows a three-tier architecture running on virtual machines with security features enabled to restrict inbound requests.

Let's break this down.

What's an Azure region?

A region is one or more Azure data centers within a specific geographic location. In this instance, you see that the application is running in the East US region.

What's a virtual network?

A virtual network is a logically isolated network on Azure. A virtual network allows Azure resources to securely communicate with each other, the internet, and on-premises networks. A virtual network is scoped to a single region; however, multiple virtual networks from different regions can be connected together using virtual network peering. Virtual networks can be segmented into one or more subnets. Subnets help you organize and secure your resources in discrete sections.

The web, application, and data tiers each have a single VM. All three VMs are in the same virtual network but are in separate subnets. Users interact with the web tier directly, so that VM has a public IP address along with a private IP address. Users don't interact with the application or data tiers, so these VMs each have a private IP address only.

You can also keep your service or data tiers in your on-premises network, placing your web tier into the cloud, but keeping tight control over other aspects of your application. A VPN gateway (or virtual network gateway) enables this scenario. It can provide a secure connection between an Azure Virtual Network and an on-premises location over the internet.

Azure manages the physical hardware for you. You configure virtual networks and gateways through software, which enables you to treat a virtual network just like your own network. You choose which networks your virtual network can reach, whether that's the public internet or other networks in the private IP address space.

What's a network security group?

A network security group, or NSG, allows or denies inbound network traffic to your Azure resources. Think of a network security group as a cloud-level firewall for your network.

Port 22 enables you to connect directly to Linux systems over SSH. In practice, you might configure VPN access to your virtual network to increase security.
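The following added example (constructed for this summary, not code from the Microsoft Learn module or from Azure) models how an NSG decides on an inbound packet: rules are walked in ascending priority number and the first match wins, with the three default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound) sitting at the bottom. It applies that evaluation to the three-tier layout from the section above: HTTP to the web tier from the internet, SSH to the web tier only from a VPN client range, and the application port reachable only from the web subnet. The address plan (10.0.0.0/16, one subnet per tier, a 10.0.100.0/24 VPN client pool) and the public test address 203.0.113.5 are constructed; service-tag matching is simplified so that "Internet" means any non-RFC1918 address.

```python
"""Model of inbound NSG rule evaluation for a three-tier virtual network (constructed example)."""

import ipaddress
from dataclasses import dataclass

# Constructed address plan: one VNet, one subnet per tier, plus a VPN client pool.
VNET = ipaddress.ip_network("10.0.0.0/16")
WEB_SUBNET = "10.0.1.0/24"
DATA_SUBNET = "10.0.3.0/24"
VPN_CLIENTS = "10.0.100.0/24"   # assumption: addresses handed to clients of the VPN gateway

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LB_PROBE_SOURCE = ipaddress.ip_address("168.63.129.16")  # Azure's documented health-probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number is evaluated first; the first matching rule decides
    source: str      # CIDR, "*" or a service tag: Internet / VirtualNetwork / AzureLoadBalancer
    dest_port: str   # "80", "22", ... or "*"
    access: str      # "Allow" or "Deny"


# The default inbound rules every NSG carries. They cannot be removed, only
# overridden by custom rules with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
]


def source_matches(rule_source: str, src_ip: str) -> bool:
    """Simplified service-tag matching: Internet means any address outside RFC1918 space."""
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET
    if rule_source == "AzureLoadBalancer":
        return ip == LB_PROBE_SOURCE
    if rule_source == "Internet":
        return not any(ip in net for net in RFC1918)
    return ip in ipaddress.ip_network(rule_source)


def evaluate(rules, src_ip: str, dest_port: int):
    """Return (access, rule_name) of the first rule that matches, in priority order."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if source_matches(rule.source, src_ip) and rule.dest_port in ("*", str(dest_port)):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every packet")


# Web tier: HTTP from anywhere, SSH only from VPN clients (the internet never reaches port 22).
WEB_NSG = [
    Rule("AllowHttpFromInternet", 100, "Internet", "80", "Allow"),
    Rule("AllowSshFromVpn", 110, VPN_CLIENTS, "22", "Allow"),
]

# Application tier: only the web subnet may call the app port. The explicit Deny is
# required because the default AllowVnetInBound rule would otherwise let the data
# tier (a lower tier) reach the app tier, breaking the tiering rule from the text.
APP_NSG = [
    Rule("AllowAppPortFromWebTier", 100, WEB_SUBNET, "8080", "Allow"),
    Rule("DenyAppPortFromOthers", 200, "*", "8080", "Deny"),
]


if __name__ == "__main__":
    checks = [
        (WEB_NSG, "203.0.113.5", 80),   # internet user -> web tier HTTP
        (WEB_NSG, "203.0.113.5", 22),   # internet -> SSH, expected Deny
        (WEB_NSG, "10.0.100.7", 22),    # VPN client -> SSH
        (APP_NSG, "10.0.1.4", 8080),    # web VM -> app port
        (APP_NSG, "10.0.3.4", 8080),    # data VM -> app port, expected Deny
        (APP_NSG, "10.0.3.4", 443),     # data VM -> other port: default VNet allow applies
    ]
    for nsg, src, port in checks:
        print(f"{src:>14} -> :{port:<5} {evaluate(nsg, src, port)}")
```

The last check in the demo is the caveat to remember when you build the tiering described in the text: anything you do not explicitly deny below priority 65000 is allowed between subnets of the same virtual network, so "a lower tier should never access a higher tier" has to be written down as a Deny rule rather than assumed.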

Summary

Your three-tier application is now running on Azure in the East US region. A region is an Azure data center within a specific geographic location.

Each tier can access services only from a lower tier. The VM running in the web tier has a public IP address because it receives traffic from the internet. The VMs in the lower tiers, the application and data tiers, each have private IP addresses because they don't communicate directly over the internet.

Virtual networks enable you to group and isolate related systems. You define network security groups to control what traffic can flow through a virtual network.

Check your knowledge

  1. What is an Azure region?
  • One or more Azure data centers within a specific geographical location. Azure regions help you deliver your apps and services closest to your users. West US and North Europe are examples.
  • A way of breaking networks into smaller networks.
  • Firewall rules which define the flow of traffic in and out of Azure.
  2. Which of the following is true about virtual networks?
  • You configure virtual networks through software. Software enables you to treat a virtual network just like your own network. Azure maintains the physical hardware for you.
  • A virtual network accepts network traffic on all ports. You configure the firewall through virtual machines.
  • Virtual networks are always reachable from the internet.

Scale with Azure Load Balancer

What are availability and high availability?

Availability refers to how long your service is up and running without interruption. High availability, or highly available, refers to a service that's up and running for a long period of time. Five nines availability means that the service is guaranteed to be running 99.999 percent of the time.

What is resiliency?

Resiliency refers to a system's ability to stay operational during abnormal conditions.

These conditions include:

  • Natural disasters
  • System maintenance, both planned and unplanned, including software updates and security patches
  • Spikes in traffic to your site
  • Threats made by malicious parties, such as distributed denial of service, or DDoS, attacks

What is a load balancer?

A load balancer distributes traffic evenly among each system in a pool. A load balancer can help you achieve both high availability and resiliency. The load balancer becomes the entry point to the user. The user doesn't know (or need to know) which system the load balancer chooses to receive the request.

Load Balancer

The load balancer receives the user's request and directs the request to one of the VMs in the web tier. If a VM is unavailable or stops responding, the load balancer stops sending traffic to it. The load balancer then directs traffic to one of the responsive servers. The app and data tiers can also have a load balancer. It all depends on what your service requires.

What is Azure Load Balancer?

Load Balancer supports inbound and outbound scenarios, provides low latency and high throughput, and scales up to millions of flows for all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) applications. You can use Load Balancer with incoming internet traffic, internal traffic across Azure services, port forwarding for specific traffic, or outbound connectivity for VMs in your virtual network.

When you manually configure typical load balancer software on a virtual machine, there's a downside: you now have an additional system that you need to maintain. If your load balancer goes down or needs routine maintenance, you're back to your original problem.

If instead, however, you use Azure Load Balancer, there's no infrastructure or software for you to maintain. You define the forwarding rules based on the source IP and port to a set of destination IP/ports.

An illustration showing the web tier of a three-tier architecture. The web tier has multiple virtual machines to service user requests. There is a load balancer that distributes user requests among the virtual machines.

Azure Application Gateway

If all your traffic is HTTP, a potentially better option is to use Azure Application Gateway. Application Gateway is a load balancer designed for web applications. It uses Azure Load Balancer at the transport level (TCP) and applies sophisticated URL-based routing rules to support several advanced scenarios.

Conceptual image showing the Application Gateway product routing HTTP traffic between server groups based on the URL

This type of routing is known as application layer (OSI layer 7) load balancing since it understands the structure of the HTTP message.

Here are some of the benefits of using Azure Application Gateway over a simple load balancer:

  • Cookie affinity. Useful when you want to keep a user session on the same backend server.
  • SSL termination. Application Gateway can manage your SSL certificates and pass unencrypted traffic to the backend servers to avoid encryption/decryption overhead. It also supports full end-to-end encryption for applications that require that.
  • Web application firewall. Application gateway supports a sophisticated firewall (WAF) with detailed monitoring and logging to detect malicious attacks against your network infrastructure.
  • URL rule-based routes. Application Gateway allows you to route traffic based on URL patterns, source IP address and port to destination IP address and port. This is helpful when setting up a content delivery network.
  • Rewrite HTTP headers. You can add or remove information from the inbound and outbound HTTP headers of each request to enable important security scenarios, or scrub sensitive information such as server names.

What is a Content Delivery Network?

A content delivery network (CDN) is a distributed network of servers that can efficiently deliver web content to users. It is a way to get content to users in their local region to minimize latency. CDN can be hosted in Azure or any other location. You can cache content at strategically placed physical nodes across the world and provide better performance to end users. Typical usage scenarios include web applications containing multimedia content, a product launch event in a particular region, or any event where you expect a high-bandwidth requirement in a region.

What about DNS?

DNS, or Domain Name System, is a way to map user-friendly names to their IP addresses. You can think of DNS as the phonebook of the internet. You can bring your own DNS server or use Azure DNS, a hosting service for DNS domains that runs on Azure infrastructure.

The following illustration shows Azure DNS positioned in front of the load balancer. When the user navigates to contoso.com, Azure DNS resolves the name to the load balancer's public IP address, and the client's traffic then reaches the load balancer.

Summary

  • With load balancing in place, your e-commerce site is now more highly available and resilient. When you perform maintenance or receive an uptick in traffic, your load balancer can distribute traffic to another available system.
  • Although you can configure your own load balancer on a VM, Azure Load Balancer reduces upkeep because there's no infrastructure or software to maintain.
  • DNS maps user-friendly names to their IP addresses, much like how a phonebook maps names of people or businesses to phone numbers. You can bring your own DNS server, or use Azure DNS.

Check your knowledge

  1. Which is true about Azure Load Balancer?
  • You must use Azure Load Balancer if you want to distribute traffic among your virtual machines running in Azure.
  • Azure Load Balancer works with internet-facing traffic only.
  • Azure Load Balancer distributes traffic among similar systems, making your services more highly available. If one system is unavailable, Azure Load Balancer stops sending traffic to it. It then directs traffic to one of the responsive servers.

Reduce latency with Azure Traffic Manager

What is network latency?

Latency refers to the time it takes for data to travel over the network. Latency is typically measured in milliseconds. Compare latency to bandwidth. Bandwidth refers to the amount of data that can fit on the connection. Latency refers to the time it takes for that data to reach its destination.

Scale out to different regions

One way to reduce latency is to provide exact copies of your service in more than one region. The following illustration shows an example of global deployment.

Global Deployment

Notice the DNS name for each. How can you connect users to the service that's closest geographically, but under the contoso.com domain?

Use Traffic Manager to route users to the closest endpoint

One answer is Azure Traffic Manager. Traffic Manager works at the DNS level: it uses the location of the DNS resolver that makes the query (normally the one closest to the user) to decide which of your globally distributed endpoints the user is directed to.

The following illustration shows the role of Traffic Manager.

Traffic Manager

Traffic Manager doesn't see the traffic that's passed between the client and server. Rather, it directs the client web browser to a preferred endpoint. Traffic Manager can route traffic in a few different ways, such as to the endpoint with the lowest latency. You can connect Traffic Manager to your own on-premises networks, enabling you to maintain your existing data center investments. Or you can move your application entirely to the cloud.

Compare Load Balancer to Traffic Manager

Azure Load Balancer distributes traffic within the same region to make your services more highly available and resilient. Traffic Manager works at the DNS level, and directs the client to a preferred endpoint. This endpoint can be to the region that's closest to your user.

Load Balancer and Traffic Manager both help make your services more resilient, but in slightly different ways. When Load Balancer detects an unresponsive VM, it directs traffic to other VMs in the pool. Traffic Manager monitors the health of your endpoints; when it finds an unresponsive endpoint, it directs clients to the next closest endpoint that is responsive.
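The following is an added example, not code from the Microsoft Learn module or from Azure itself: a small model of the two layers compared above, the in-region load balancer (the pool with health probes from "What is a load balancer?") and the DNS-level Traffic Manager. The VM names, the probe-failure threshold, the DNS names and the latency figures are all assumptions made up for the example.

```python
# Added example (not from the module): an in-region load balancer next to a
# DNS-level traffic manager. Names, thresholds and latencies are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

PROBE_FAILURE_THRESHOLD = 2  # assumed: consecutive failed probes before a VM is pulled


@dataclass
class Backend:
    name: str
    consecutive_failures: int = 0

    @property
    def healthy(self) -> bool:
        return self.consecutive_failures < PROBE_FAILURE_THRESHOLD


class RegionalLoadBalancer:
    """Azure Load Balancer style distribution inside one region: the client
    connects to the load balancer's address and never learns which VM served it."""

    def __init__(self, region: str, pool: List[Backend]) -> None:
        self.region = region
        self.pool = pool
        self._next = 0

    def probe(self, results: Dict[str, bool]) -> None:
        """Apply one round of health-probe results (True = the VM answered)."""
        for vm in self.pool:
            if results.get(vm.name, False):
                vm.consecutive_failures = 0
            else:
                vm.consecutive_failures += 1

    def pick(self) -> Optional[str]:
        """Round-robin over healthy VMs only; None means the whole pool is down."""
        healthy = [vm for vm in self.pool if vm.healthy]
        if not healthy:
            return None
        vm = healthy[self._next % len(healthy)]
        self._next += 1
        return vm.name


class TrafficManagerProfile:
    """DNS-level routing: the answer is a name to connect to, not a forwarded request."""

    def __init__(self, endpoints: Dict[str, str], latency_ms: Dict[str, Dict[str, float]]) -> None:
        self.endpoints = endpoints          # region -> DNS name of that region's load balancer
        self.latency_ms = latency_ms        # resolver location -> region -> measured latency
        self.endpoint_healthy = {region: True for region in endpoints}

    def resolve(self, resolver_location: str) -> Optional[str]:
        """Performance routing: the lowest-latency healthy region for this resolver."""
        candidates = [
            (ms, region)
            for region, ms in self.latency_ms[resolver_location].items()
            if self.endpoint_healthy.get(region, False)
        ]
        if not candidates:
            return None
        _, best = min(candidates)
        return self.endpoints[best]


if __name__ == "__main__":
    lb = RegionalLoadBalancer("westus", [Backend("web1"), Backend("web2"), Backend("web3")])
    lb.probe({"web1": True, "web2": False, "web3": True})
    lb.probe({"web1": True, "web2": False, "web3": True})   # second miss: web2 is pulled
    print([lb.pick() for _ in range(4)])                      # web2 never appears

    tm = TrafficManagerProfile(
        {"westus": "contoso-westus.example.net", "northeurope": "contoso-neu.example.net"},
        {"paris": {"westus": 140.0, "northeurope": 25.0},
         "seattle": {"westus": 12.0, "northeurope": 150.0}},
    )
    print(tm.resolve("paris"))
    tm.endpoint_healthy["northeurope"] = False
    print(tm.resolve("paris"))                                # fails over to West US
```

The split mirrors the text: the load balancer sits in the data path and needs probe results to drop a VM, while the Traffic Manager profile only ever returns a DNS answer and relies on its own endpoint health checks to fail a whole region over.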

Summary

Geographic distance is one of the biggest factors that contributes to latency. With Traffic Manager in place, you can host exact copies of your service in multiple geographic regions. That way, users in the United States, Europe, and Asia will all have a good experience using your e-commerce site.

Check your knowledge

  1. What is network latency?
  • The amount of data that can fit on the connection.
  • The distance data must travel to reach its destination.
  • The time it takes for data to travel over the network. Latency measures the time it takes for data to reach its destination. Latency is typically measured in milliseconds.
  2. How does Azure Traffic Manager reduce latency?
  • It chooses only the fastest networks between endpoints.
  • It chooses the endpoint that's closest to the user's DNS server. Choosing the server that's closest to the user is a good way to reduce latency.
  • It caches content, similar to how content delivery networks work.

Azure fundamentals

9. Security, responsibility and trust in Azure

Microsoft Learn. Azure Fundamentals. AZ900

Introduction

In this module, you will learn how:

  • Security responsibility is shared with Azure
  • Identity management provides protection, even outside your network
  • Encryption capabilities built into Azure can protect your data
  • To protect your network and virtual networks

Cloud security is a shared responsibility

For every application and solution, it's important to understand what's your responsibility and what's Azure's responsibility.

Understand security threats

Azure security: you versus the cloud

Share security responsibility with Azure

  • With IaaS, you are leveraging the lowest-level service and asking Azure to create virtual machines (VMs) and virtual networks. At this level, it's still your responsibility to patch and secure your operating systems and software, as well as configure your network to be secure.
  • Moving to platform as a service (PaaS) outsources a lot of security concerns. At this level, Azure is taking care of the operating system and of most foundational software like database management systems. Everything is updated with the latest security patches and can be integrated with Azure Active Directory for access controls. PaaS also comes with a lot of operational advantages. Rather than building whole infrastructures and subnets for your environments by hand, you can "point and click" within the Azure portal or run automated scripts to bring complex, secured systems up and down, and scale them as needed.
  • With software as a service (SaaS), you outsource almost everything. SaaS is software that runs with an internet infrastructure. The code is controlled by the vendor but configured to be used by the customer.

Shared Responsibilities

A layered approach to security

Defense in depth is a strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to information. Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure. Defense in depth can be visualized as a set of concentric rings, with the data to be secured at the center. Each ring adds an additional layer of security around the data. This approach removes reliance on any single layer of protection and acts to slow down an attack and provide alert telemetry that can be acted upon, either automatically or manually.

Defense in Depth

Data

In almost all cases, attackers are after data:

  • Stored in a database
  • Stored on disk inside virtual machines
  • Stored on a SaaS application such as Office 365
  • Stored in cloud storage

Application

  • Ensure applications are secure and free of vulnerabilities.
  • Store sensitive application secrets in a secure storage medium.
  • Make security a design requirement for all application development.

Integrating security into the application development life cycle will help reduce the number of vulnerabilities introduced in code.

Compute

  • Secure access to virtual machines.
  • Implement endpoint protection and keep systems patched and current.

Malware, unpatched systems, and improperly secured systems open your environment to attacks.

Networking

  • Limit communication between resources.
  • Deny by default.
  • Restrict inbound internet access and limit outbound, where appropriate.
  • Implement secure connectivity to on-premises networks.

At this layer, the focus is on limiting the network connectivity across all your resources to allow only what is required. By limiting this communication, you reduce the risk of lateral movement throughout your network.

Perimeter

  • Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.
  • Use perimeter firewalls to identify and alert on malicious attacks against your network.

At the network perimeter, it's about protecting from network-based attacks against your resources.

Identity and access

  • Control access to infrastructure and change control.
  • Use single sign-on and multi-factor authentication.
  • Audit events and changes.

The identity and access layer is all about ensuring identities are secure, access granted is only what is needed, and changes are logged.

Physical security

  • Physical building security and controlling access to computing hardware within the data center is the first line of defense.

With physical security, the intent is to provide physical safeguards against access to assets.

Summary

Security is still a shared responsibility. How much of that responsibility falls on us depends on which model we use with Azure. We use the defense in depth rings as a guideline for considering what protections are adequate for our data and environments.

Get tips from Azure Security Center

Security Center is a monitoring service that provides threat protection across all of your services both in Azure, and on-premises. Security Center can:

  • Provide security recommendations based on your configurations, resources, and networks.
  • Monitor security settings across on-premises and cloud workloads, and automatically apply required security to new services as they come online.
  • Continuously monitor all your services, and perform automatic security assessments to identify potential vulnerabilities before they can be exploited.
  • Use machine learning to detect and block malware from being installed on your virtual machines and services. You can also define a list of allowed applications to ensure that only the apps you validate are allowed to execute.
  • Analyze and identify potential inbound attacks, and help to investigate threats and any post-breach activity that might have occurred.
  • Provide just-in-time access control for ports, reducing your attack surface by ensuring the network only allows traffic that you require.

Azure Security Center is part of the Center for Internet Security (CIS) recommendations.

Available tiers

Azure Security Center is available in two tiers:

  1. Free. Available as part of your Azure subscription, this tier is limited to assessments and recommendations of Azure resources only.
  2. Standard. This tier provides a full suite of security-related services including continuous monitoring, threat detection, just-in-time access control for ports, and more.

Usage scenarios

You can integrate Security Center into your workflows and use it in many ways. Here are two examples.

  1. Use Security Center for incident response. You can use Azure Security Center in different stages of an incident response: detect, assess, diagnose.
  • Detect. Review the first indication of an event investigation. For example, you can use the Security Center dashboard to review the initial verification that a high-priority security alert was raised.
  • Assess. Perform the initial assessment to obtain more information about the suspicious activity. For example, obtain more information about the security alert.
  • Diagnose. Conduct a technical investigation and identify containment, mitigation, and workaround strategies. For example, follow the remediation steps described by Security Center in that particular security alert.
  2. Use Security Center recommendations to enhance security. You can reduce the chances of a significant security event by configuring a security policy, and then implementing the recommendations provided by Azure Security Center.
  • A security policy defines the set of controls that are recommended for resources within that specified subscription or resource group. In Security Center, you define policies according to your company's security requirements.
  • Security Center analyzes the security state of your Azure resources. When Security Center identifies potential security vulnerabilities, it creates recommendations based on the controls set in the security policy. The recommendations guide you through the process of configuring the needed security controls. For example, if you have workloads that do not require the Azure SQL Database Transparent Data Encryption (TDE) policy, turn off the policy at the subscription level and enable it only in the resources groups where SQL TDE is required.

To upgrade a subscription to the Standard tier, you must be assigned the role of Subscription Owner, Subscription Contributor, or Security Admin.

Identity and access

Authentication and authorization

  • Authentication is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials, and provides the basis for creating a security principal for identity and access control use. It establishes if they are who they say they are.

  • Authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they're allowed to access and what they can do with it.

Authentication is sometimes shortened to AuthN, and authorization is sometimes shortened to AuthZ.

What is Azure Active Directory?

Azure AD is a cloud-based identity service. It has built-in support for synchronizing with your existing on-premises Active Directory, or it can be used stand-alone.

Azure AD provides services such as:

  • Authentication. This includes verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services.
  • Single-Sign-On (SSO). SSO enables users to remember only one ID and one password to access multiple applications. A single identity is tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that identity, greatly reducing the effort needed to change or disable accounts.
  • Application management. You can manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the My apps portal (also referred to as Access panel), and SaaS apps.
  • Business-to-business (B2B) identity services. Manage your guest users and external partners while maintaining control over your own corporate data.
  • Business-to-customer (B2C) identity services. Customize and control how users sign up, sign in, and manage their profiles when using your apps with services.
  • Device Management. Manage how your cloud or on-premises devices access your corporate data.

Single sign-on

With single sign-on (SSO), users need to remember only one ID and one password. Access across applications is granted to a single identity tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to the single identity, greatly reducing the effort needed to change or disable accounts.

SSO with Azure Active Directory

By leveraging Azure AD for SSO you'll also have the ability to combine multiple data sources into an intelligent security graph. This security graph enables the ability to provide threat analysis and real-time identity protection to all accounts in Azure AD, including accounts that are synchronized from your on-premises AD. By using a centralized identity provider, you'll have centralized the security controls, reporting, alerting, and administration of your identity infrastructure.

Multi-factor authentication

Multi-factor authentication (MFA) provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:

  • Something you know
  • Something you possess
  • Something you are

Something you know would be a password or the answer to a security question. Something you possess could be a mobile app that receives a notification or a token-generating device. Something you are is typically some sort of biometric property, such as a fingerprint or face scan used on many mobile devices.

Using MFA increases security of your identity by limiting the impact of credential exposure.

Azure AD has MFA capabilities built in and will integrate with other third-party MFA providers. It's provided free of charge to any user who has the Global Administrator role in Azure AD, because these are highly sensitive accounts. All other accounts can have MFA enabled by purchasing licenses with this capability — as well as assigning a license to the account.

Providing identities to services

Often, and against best practices, credential information is embedded in configuration files. Azure AD addresses this problem through two methods: service principals and managed identities for Azure services.

Service Principal

An identity is just a thing that can be authenticated. Obviously, this includes users with a user name and password, but it can also include applications or other servers, which might authenticate with secret keys or certificates. As a bonus definition, an account is data associated with an identity.

A principal is an identity acting with certain roles or claims. Usually, it is not useful to consider identity and principal separately, but think of using sudo on a Bash prompt in Linux or on Windows using "run as Administrator." In both those cases, you are still logged in as the same identity as before, but you've changed the role under which you are executing. Groups are often also considered principals because they can have rights assigned.

A service principal is an identity that is used by a service or application. And like other identities, it can be assigned roles.

Managed identities for Azure services

A managed identity can be instantly created for any Azure service that supports it—and the list is constantly growing. When you create a managed identity for a service, you are creating an account on the Azure AD tenant. The Azure infrastructure will automatically take care of authenticating the service and managing the account. You can then use that account like any other Azure AD account, including securely letting the authenticated service access other Azure resources.

Role-based access control

Roles are sets of permissions, like "Read-only" or "Contributor", that users can be granted to access an Azure service instance.

Identities are mapped to roles directly or through group membership. Separating security principals, access permissions, and resources provides simple access management and fine-grained control. Administrators are able to ensure the minimum necessary permissions are granted.

Roles can be granted at the individual service instance level, but they also flow down the Azure Resource Manager hierarchy.

Roles assigned at a higher scope, like an entire subscription, are inherited by child scopes, like service instances. RBAC
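The inheritance rule just described, as an added example that is not code from the Microsoft Learn module or from Azure: a principal holds a role at a resource if it, or a group it belongs to, was assigned that role at the resource's own scope or at any ancestor scope in the Resource Manager hierarchy, and nothing is granted by default. Scope strings follow the Azure resource-id layout; the subscription id, resource names, principals and assignments are all made up.

```python
# Added example (not from the module): Azure RBAC scope inheritance over
# made-up resource ids and principals.
from typing import Dict, List, NamedTuple, Set


class Assignment(NamedTuple):
    principal: str   # user, group or service principal
    role: str        # e.g. "Reader", "Contributor"
    scope: str       # resource id the role was granted at


def is_same_or_ancestor(scope: str, resource_id: str) -> bool:
    """'/subscriptions/s1' covers '/subscriptions/s1/resourceGroups/rg' and itself.
    The trailing '/' guard stops '/subscriptions/s1' from covering '/subscriptions/s10'."""
    scope = scope.rstrip("/").lower()
    resource_id = resource_id.rstrip("/").lower()
    return resource_id == scope or resource_id.startswith(scope + "/")


def effective_roles(principal: str, resource_id: str,
                    assignments: List[Assignment], groups: Dict[str, Set[str]]) -> Set[str]:
    """Roles the principal holds at resource_id, directly or through group membership.
    Assignments made below resource_id do not count: inheritance only flows down."""
    principals = {principal} | groups.get(principal, set())
    return {
        a.role for a in assignments
        if a.principal in principals and is_same_or_ancestor(a.scope, resource_id)
    }


def is_allowed(principal: str, resource_id: str, role: str,
               assignments: List[Assignment], groups: Dict[str, Set[str]]) -> bool:
    return role in effective_roles(principal, resource_id, assignments, groups)


# Constructed hierarchy: subscription -> resource group -> virtual machine.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-web"
OTHER_RG = SUB + "/resourceGroups/rg-data"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web1"

GROUPS = {"alice": {"ops-team"}, "bob": set()}
ASSIGNMENTS = [
    Assignment("ops-team", "Reader", SUB),          # inherited by every RG and resource below
    Assignment("bob", "Contributor", RG),           # rg-web and its children only
    Assignment("svc-backup", "Contributor", VM),    # a single resource: the least-privilege shape
]


if __name__ == "__main__":
    print(effective_roles("alice", VM, ASSIGNMENTS, GROUPS))            # {'Reader'} via ops-team
    print(is_allowed("bob", OTHER_RG, "Contributor", ASSIGNMENTS, GROUPS))  # False
    print(is_allowed("bob", SUB, "Contributor", ASSIGNMENTS, GROUPS))       # False: no upward flow
```

The practical check this supports is the one the text asks for: before granting at subscription scope, enumerate what that assignment will reach, because every resource group and resource created later inherits it too.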

Privileged Identity Management

In addition to managing Azure resource access with role-based access control (RBAC), a comprehensive approach to infrastructure protection should consider including the ongoing auditing of role members as their organization changes and evolves. Azure AD Privileged Identity Management (PIM) is an additional, paid-for offering that provides oversight of role assignments, self-service, and just-in-time role activation and Azure AD and Azure resource access reviews.

PIM Dashboard

Encryption

What is encryption?

Encryption is the process of making data unreadable and unusable to unauthorized viewers. To use or read the encrypted data, it must be decrypted, which requires the use of a secret key. There are two top-level types of encryption: symmetric and asymmetric.

Symmetric encryption uses the same key to encrypt and decrypt the data. Consider a desktop password manager application. You enter your passwords and they are encrypted with your own personal key (your key is often derived from your master password). When the data needs to be retrieved, the same key is used, and the data is decrypted.

Asymmetric encryption uses a public key and private key pair. Either key can encrypt but a single key can't decrypt its own encrypted data. To decrypt, you need the paired key. Asymmetric encryption is used for things like Transport Layer Security (TLS) (used in HTTPS) and data signing.
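The two key relationships above, as an added example that is not code from the Microsoft Learn module: the symmetric side derives its key from a master password with PBKDF2, as the password-manager illustration describes, and uses that one key in both directions; the asymmetric side uses a public/private pair where the key that encrypted cannot undo its own work, and the private key also signs. Both ciphers are teaching models, a hash-based keystream XOR and textbook RSA with tiny fixed primes, chosen so the arithmetic is visible and the block runs with the standard library alone; they are not ciphers to deploy (use AES-GCM and RSA-OAEP or an ECDSA/EdDSA signature from a vetted library). The salt, nonce and sample data are constructed.

```python
# Added example (not from the module): the symmetric and asymmetric key
# relationships with deliberately tiny teaching ciphers. Not for real use.
import hashlib
import os


# ---------- symmetric: one key, derived from the master password ----------

def derive_key(master_password: str, salt: bytes) -> bytes:
    """32-byte key from a master password via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-in-counter-mode keystream: a teaching stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


symmetric_decrypt = symmetric_encrypt   # the same key and XOR undo it: that is "symmetric"


# ---------- asymmetric: a paired public and private key ----------

def make_textbook_rsa_keypair():
    """Fixed tiny primes so every number is inspectable; real keys are 2048+ bits."""
    p, q = 61, 53
    n = p * q                    # 3233
    phi = (p - 1) * (q - 1)      # 3120
    e = 17
    d = pow(e, -1, phi)          # 2753: e * d == 1 (mod phi)
    return (e, n), (d, n)        # (public, private)


def rsa_apply(key, value: int) -> int:
    exponent, n = key
    return pow(value, exponent, n)


def asymmetric_encrypt(public_key, plaintext: bytes) -> list:
    return [rsa_apply(public_key, b) for b in plaintext]    # each byte < n, one block per byte


def asymmetric_decrypt(private_key, blocks) -> list:
    """Returns ints, not bytes: applying the wrong key yields values outside 0..255."""
    return [rsa_apply(private_key, c) for c in blocks]


def sign(private_key, message: bytes) -> int:
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % private_key[1]
    return rsa_apply(private_key, digest)


def verify(public_key, message: bytes, signature: int) -> bool:
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % public_key[1]
    return rsa_apply(public_key, signature) == digest


if __name__ == "__main__":
    salt, nonce = os.urandom(16), os.urandom(12)
    key = derive_key("correct horse battery staple", salt)
    ct = symmetric_encrypt(key, nonce, b"card=4111 1111 1111 1111")
    print(symmetric_decrypt(key, nonce, ct))                      # same key recovers it
    pub, priv = make_textbook_rsa_keypair()
    blocks = asymmetric_encrypt(pub, b"hi")
    print(bytes(asymmetric_decrypt(priv, blocks)))                # the paired key recovers it
    print(asymmetric_decrypt(pub, blocks))                        # the public key does not
    print(verify(pub, b"invoice 42", sign(priv, b"invoice 42")))  # True
```

Two points worth taking from the toy: the nonce must never repeat under the same symmetric key (a repeated keystream leaks the XOR of two plaintexts), and signing operates on a hash of the message rather than the message, which is also why the page's later material on Key Vault matters: the private key, not the algorithm, is the secret.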

Encryption is typically approached in two ways:

  1. Encryption at rest
  2. Encryption in transit

Encryption at rest

Data at rest is the data that has been stored on a physical medium. The actual data that is encrypted could vary in its content, usage, and importance to the organization. This could be financial information critical to the business, intellectual property that has been developed by the business, personal data about customers or employees that the business stores, and even the keys and secrets used for the encryption of the data itself. Here's a diagram that shows what encrypted customer data might look like as it sits in a database.

Encryption at Rest

Encryption in transit

Data in transit is the data actively moving from one location to another, such as across the internet or through a private network. Secure transfer can be handled by several different layers. It could be done by encrypting the data at the application layer prior to sending it over a network. HTTPS is an example of application-layer encryption in transit. You can also set up a secure channel, like a virtual private network (VPN), at the network layer, to transmit data between two systems.

Here, customer data is encrypted as it's sent over the network. Only the receiver has the secret key that can decrypt the data to a usable form.

Encryption in Transit

Encryption on Azure

Encrypt raw storage

Azure Storage Service Encryption. With this feature, the Azure storage platform automatically encrypts your data before persisting it to Azure Managed Disks, Azure Blob storage, Azure Files, or Azure Queue storage, and decrypts the data before retrieval. The handling of encryption, encryption at rest, decryption, and key management in Storage Service Encryption is transparent to applications using the services.

Encrypt virtual machine disks

How do you protect the virtual hard disks (VHDs) of virtual machines? If malicious attackers gained access to your Azure subscription and got the VHDs of your virtual machines, how would you ensure they would be unable to access the stored data?

Azure Disk Encryption is a capability that helps you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption leverages the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets (and you can use managed service identities for accessing Key Vault).

Encrypt databases

Transparent data encryption (TDE) helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application. By default, TDE is enabled for all newly deployed Azure SQL Database instances. TDE encrypts the storage of an entire database by using a symmetric key called the database encryption key. By default, Azure provides a unique encryption key per logical SQL Server instance and handles all the details. Bring your own key (BYOK) is also supported with keys stored in Azure Key Vault.

Encrypt Secrets

In Azure, we can use Azure Key Vault to protect our secrets.

Azure Key Vault is a centralized cloud service for storing your application secrets. Key Vault helps you control your applications' secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities. It is useful for a variety of scenarios:

  • Secrets management. You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets.
  • Key management. You also can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys used to encrypt your data.
  • Certificate management. Key Vault lets you provision, manage, and deploy your public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for your Azure, and internally connected, resources more easily.
  • Store secrets backed by hardware security modules (HSMs). The secrets and keys can be protected either by software, or by FIPS 140-2 Level 2 validated HSMs.

The benefits of using Key Vault include:

  • Centralized application secrets. Centralizing storage for application secrets allows you to control their distribution, and reduces the chances that secrets may be accidentally leaked.
  • Securely stored secrets and keys. Azure uses industry-standard algorithms, key lengths, and HSMs, and access requires proper authentication and authorization.
  • Monitor access and use. Using Key Vault, you can monitor and control access to company secrets.
  • Simplified administration of application secrets. Key Vault makes it easier to enroll and renew certificates from public Certificate Authorities (CAs). You can also scale up and replicate content within regions, and use standard certificate management tools.
  • Integrate with other Azure services. You can integrate Key Vault with storage accounts, container registries, event hubs and many more Azure services.

Summary

As you may know, encryption is often the last layer of defense from attackers and is an important piece of a layered approach to securing your systems. Azure provides built-in capabilities and services to encrypt and protect data from unintended exposure. Protection of customer data stored within Azure services is of paramount importance to Microsoft and should be included in any design. Foundational services such as Azure Storage, Azure Virtual Machines, Azure SQL Database, and Azure Key Vault can help secure your environment through encryption.

Protect your network

A layered approach to network security

A layered approach provides multiple levels of protection, so that if an attacker gets through one layer, there are further protections in place to limit further attack.

Internet protection

We suggest first assessing the resources that are internet-facing, and to only allow inbound and outbound communication where necessary. Make sure you identify all resources that are allowing inbound network traffic of any type, and then ensure they are restricted to only the ports and protocols required.

Azure Security Center is a great place to look for this information, because it will identify internet-facing resources that don't have network security groups associated with them, as well as resources that are not secured behind a firewall.

What is a Firewall?

A firewall is a service that allows or denies access to a server based on the originating IP address of each request. You create firewall rules that specify ranges of IP addresses; only clients from these permitted ranges are allowed to reach the server. Firewall rules, generally speaking, also include specific network protocol and port information.
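Here is an added example, not code from the Microsoft Learn module or from Azure, of how rule-based filtering of this kind decides a flow. It models the network security group behaviour from the virtual-network section (rules evaluated in priority order, lower number first) and the "deny by default" the Networking layer calls for: a flow that matches no rule is denied. It also includes the check the text says Security Center performs, finding allow rules that expose a management port to any source. The rule names, addresses (from documentation ranges), ports and priorities are constructed.

```python
# Added example (not from the module): priority-ordered allow/deny rules with
# deny-by-default, plus an audit for internet-exposed management ports.
import ipaddress
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    name: str
    priority: int      # lower number is evaluated first, as in an NSG
    action: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR prefix or "*" (any source, including the internet)
    dest_port: str     # "22", "80-443" or "*"


class Flow(NamedTuple):
    src_ip: str
    protocol: str
    dest_port: int


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def _source_matches(spec: str, ip: str) -> bool:
    if spec == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """Evaluate in priority order; the first matching rule decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.protocol in ("*", flow.protocol)
                and _source_matches(rule.source, flow.src_ip)
                and _port_matches(rule.dest_port, flow.dest_port)):
            return rule
    return None


def is_allowed(rules: List[Rule], flow: Flow) -> bool:
    """No matching rule means denied: deny by default."""
    rule = first_match(rules, flow)
    return rule is not None and rule.action == "Allow"


MANAGEMENT_PORTS = (22, 3389)   # SSH and RDP


def internet_exposed_management(rules: List[Rule]) -> List[str]:
    """Allow rules that let any source reach SSH or RDP: the finding to fix first."""
    return [
        r.name for r in rules
        if r.action == "Allow" and r.source in ("*", "0.0.0.0/0")
        and any(_port_matches(r.dest_port, p) for p in MANAGEMENT_PORTS)
    ]


# Constructed rule set for a web tier.
WEB_TIER_RULES = [
    Rule("DenyAbusiveRange", 90, "Deny", "*", "198.51.100.0/24", "*"),   # wins over the allow below
    Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "*", "443"),
    Rule("AllowSshFromBastion", 110, "Allow", "Tcp", "10.0.1.0/24", "22"),
    Rule("DenyAllInbound", 65500, "Deny", "*", "*", "*"),                 # NSGs end with a rule like this
]

# The same tier with the mistake the text warns about: a management port open to the world.
WEAK_RULES = WEB_TIER_RULES + [Rule("AllowRdpFromAnywhere", 105, "Allow", "Tcp", "*", "3389")]


if __name__ == "__main__":
    print(is_allowed(WEB_TIER_RULES, Flow("203.0.113.9", "Tcp", 443)))    # True
    print(is_allowed(WEB_TIER_RULES, Flow("203.0.113.9", "Tcp", 22)))     # False: SSH only from bastion
    print(first_match(WEB_TIER_RULES, Flow("198.51.100.7", "Tcp", 443)).name)  # DenyAbusiveRange
    print(internet_exposed_management(WEAK_RULES))                        # ['AllowRdpFromAnywhere']
```

Two things the model makes visible: a deny at a lower priority number beats a broader allow behind it, so ordering is part of the policy, and removing the explicit final deny changes nothing here because an unmatched flow is already denied; the explicit rule only makes the intent auditable.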

To provide inbound protection at the perimeter, you have several choices.

  • Azure Firewall is a managed, cloud-based, network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. Azure Firewall provides inbound protection for non-HTTP/S protocols. Examples of non-HTTP/S protocols include: Remote Desktop Protocol (RDP), Secure Shell (SSH), and File Transfer Protocol (FTP). It also provides outbound, network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.

  • Azure Application Gateway is a load balancer that includes a Web Application Firewall (WAF) that provides protection from common, known vulnerabilities in websites. It is specifically designed to protect HTTP traffic.

  • Network virtual appliances (NVAs) are ideal options for non-HTTP services or advanced configurations, and are similar to hardware firewall appliances.

Stopping Distributed Denial of Service (DDoS) attacks

These types of attacks attempt to overwhelm a network resource by sending so many requests that the resource becomes slow or unresponsive.

When you combine Azure DDoS Protection with application design best practices, you help provide defense against DDoS attacks. The Azure DDoS Protection service protects your Azure applications by scrubbing traffic at the Azure network edge before it can impact your service's availability. Within a few minutes of attack detection, you are notified using Azure Monitor metrics.

This diagram shows network traffic flowing into Azure from both customers and an attacker. Azure DDoS protection identifies the attacker's attempt to overwhelm the network and blocks further traffic from reaching Azure services. Legitimate traffic from customers still flows into Azure without any interruption of service.

(Image: Azure DDoS)

Azure DDoS Protection provides the following service tiers:

  • Basic. Automatically enabled as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft’s online services use. Azure’s global network is used to distribute and mitigate attack traffic across regions.

  • Standard. Additional mitigation capabilities tuned specifically to Microsoft Azure Virtual Network resources. DDoS Protection Standard is simple to enable and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are applied to public IP addresses which are associated with resources deployed in virtual networks, such as Azure Load Balancer and Application Gateway. DDoS Protection Standard can mitigate the following types of attacks:

  • Volumetric attacks. The attacker's goal is to flood the network layer with a substantial amount of seemingly legitimate traffic.

  • Protocol attacks. These attacks render a target inaccessible, by exploiting a weakness in the layer 3 and layer 4 protocol stack.

  • Resource (application) layer attacks. These attacks target web application packets to disrupt the transmission of data between hosts.

Controlling the traffic inside your virtual network

Virtual network security

For communication between virtual machines, Network Security Groups (NSGs) are a critical piece to restrict unnecessary communication. Network Security Groups allow you to filter network traffic to and from Azure resources in an Azure virtual network. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol. They provide a list of allowed and denied communication to and from network interfaces and subnets, and are fully customizable.
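
As an added example (Python written for these notes, not code from the Learn module), here is a small offline model of how an NSG decides whether a packet is allowed, which is also how the firewall rules described under "What is a Firewall?" behave: rules are tried in ascending priority order, the first rule whose protocol, source and destination port all match wins, and Azure's own default rules (AllowVnetInBound at priority 65000, DenyAllInBound at 65500) sit beneath everything you add. The VNet address space, rule names and addresses are constructed, the Internet service tag is modelled as "anything outside the VNet", only inbound rules are modelled, and the AllowAzureLoadBalancerInBound default is left out. The last function, which reports the ports an arbitrary internet host can reach, is the kind of review the "Internet protection" guidance above asks for; it catches an allow-from-anywhere RDP rule that a later, lower-priority deny rule does not save.

```python
"""Offline model of Azure NSG inbound rule evaluation (constructed example)."""
from dataclasses import dataclass
import ipaddress

# Address space of the virtual network in this example (an assumption).
VNET_PREFIX = ipaddress.ip_network("10.0.0.0/16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules 100-4096; Azure's defaults use 65000+
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, "*", or a service tag ("VirtualNetwork", "Internet")
    dest_port: str     # "22", "1000-2000" or "*"


# Azure's built-in inbound defaults, which sit below every custom rule.
# (AllowAzureLoadBalancerInBound at 65001 is left out of this model.)
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]


def _source_matches(rule_source: str, src_ip: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return addr in VNET_PREFIX
    if rule_source == "Internet":          # modelled as "anything outside the VNet"
        return addr not in VNET_PREFIX
    return addr in ipaddress.ip_network(rule_source, strict=False)


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    low, _, high = rule_port.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(rules, src_ip: str, dst_port: int, protocol: str = "Tcp"):
    """First matching inbound rule by ascending priority decides, as in Azure."""
    candidates = [r for r in list(rules) + DEFAULT_INBOUND if r.direction == "Inbound"]
    for rule in sorted(candidates, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not _source_matches(rule.source, src_ip):
            continue
        if not _port_matches(rule.dest_port, dst_port):
            continue
        return rule.access, rule.name
    return "Deny", "implicit"   # unreachable while DenyAllInBound is present


COMMON_PORTS = [22, 80, 443, 445, 1433, 3389]


def internet_exposed_ports(rules, probe_ip: str = "198.51.100.7"):
    """Ports an arbitrary internet host (a documentation address) can reach."""
    return [p for p in COMMON_PORTS if evaluate(rules, probe_ip, p)[0] == "Allow"]


# Constructed NSG for a jump host; one deliberate mistake is included.
RULES = [
    Rule("AllowSshFromOffice", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
    Rule("AllowHttpsFromInternet", 110, "Inbound", "Allow", "Tcp", "Internet", "443"),
    Rule("AllowRdpAnywhere", 300, "Inbound", "Allow", "Tcp", "*", "3389"),          # the mistake
    Rule("DenyRdpFromInternet", 400, "Inbound", "Deny", "Tcp", "Internet", "3389"),  # too late: 300 wins
]

if __name__ == "__main__":
    print(evaluate(RULES, "203.0.113.5", 22))        # ('Allow', 'AllowSshFromOffice')
    print(evaluate(RULES, "198.51.100.7", 22))       # ('Deny', 'DenyAllInBound')
    print(evaluate(RULES, "10.0.1.4", 445))          # ('Allow', 'AllowVnetInBound')
    print(internet_exposed_ports(RULES))             # [443, 3389]
```

The point the model makes is that a deny rule only protects you if its priority number is lower than the allow rule it is meant to override; Azure Security Center's "internet-facing resources" view flags the same class of mistake, but a check like this can run against exported NSG JSON before deployment.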

Network integration

Virtual private network (VPN) connections are a common way of establishing secure communication channels between networks.

To provide a dedicated, private connection between your network and Azure, you can use Azure ExpressRoute. ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Office 365, and Dynamics 365. You don't need to allow access to these services for your end users over the public internet, and you can send this traffic through appliances for further traffic inspection.

Summary

A layered approach to network security helps reduce your risk of exposure through network-based attacks. Azure provides several services and capabilities to secure your internet-facing resources, internal resources, and communication between on-premises networks. You can also combine multiple Azure networking and security services to manage your network security and provide increased layered protection. For example, you can use Azure Firewall to protect inbound and outbound traffic to the Internet, and Network Security Groups to limit traffic to resources inside your virtual networks.

Protect your shared documents

Microsoft Azure Information Protection (MSIP or sometimes referred to as AIP) is a cloud-based solution that helps organizations classify and optionally protect documents and emails by applying labels. Labels can be applied automatically based on rules and conditions, manually, or a combination of both where users are guided by recommendations.

The following screen capture is an example of MSIP in action on a user's computer. In this example, the administrator has configured a label with rules that detect sensitive data. When a user saves a Microsoft Word document containing a credit card number, a custom tooltip is displayed. The tooltip recommends labeling the file as Confidential - All Employees, which is a label that the administrator has configured. This label classifies the document and protects it.

(Image: Protect Document)

After your content is classified, you can track and control how the content is used. For example, you can:

  • Analyze data flows to gain insight into your business
  • Detect risky behaviors and take corrective measures
  • Track access to documents
  • Prevent data leakage or misuse of confidential information

Azure Advanced Threat Protection

Azure Advanced Threat Protection (Azure ATP) is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Azure ATP is capable of detecting known malicious attacks and techniques, security issues, and risks against your network.

Azure ATP components

Azure ATP consists of several components.

Azure ATP portal

Azure ATP has its own portal, through which you can monitor and respond to suspicious activity. The Azure ATP portal allows you to create your Azure ATP instance, and view the data received from Azure ATP sensors. You can also use the portal to monitor, manage, and investigate threats in your network environment. You can sign in to the Azure ATP portal at https://portal.atp.azure.com. You must sign in with a user account that is assigned to an Azure AD security group that has access to the Azure ATP portal.

Azure ATP sensor

Azure ATP sensors are installed directly on your domain controllers. The sensor monitors domain controller traffic without requiring a dedicated server or configuring port mirroring.

Azure ATP cloud service

Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the United States, Europe, and Asia. Azure ATP cloud service is connected to Microsoft's intelligent security graph.

(Image: ATP Timeline)

Purchasing Azure Advanced Threat Protection

Azure ATP is available as part of the Enterprise Mobility + Security E5 suite (EMS E5) and as a standalone license. You can acquire a license directly from the Enterprise Mobility + Security Pricing Options page or through the Cloud Solution Provider (CSP) licensing model. It is not available to purchase via the Azure portal.

Summary

Defense in depth is the overriding theme - think about security as a multi-layer, multi-vector concern. Threats come from places we don't expect, and they can come with strength that will surprise us. Azure has out-of-the-box help for a great deal of the security issues we face. One of the first steps we should take is assessing how much help from Azure we can use based on whether we're leveraging IaaS, PaaS, or SaaS.

Azure Security Center centralizes much of the help Azure has to offer. It provides a single dashboard, with a view into many of your services, and helps make sure you are following best practices. Continuously updated machine learning algorithms help identify whether the latest threats are aimed at your resources. And it helps your organization mitigate threats.

Check your knowledge

  1. Cloud security is a shared responsibility between you and your cloud provider. Which category of cloud services requires the greatest security effort on your part?
  • Infrastructure as a service (IaaS)
  • Platform as a service (PaaS)
  • Software as a service (SaaS)
  2. Which of these helps you most easily disable an account when an employee leaves your company?
  • Enforce multi-factor authentication (MFA)
  • Monitor sign-on attempts
  • Use single sign-on (SSO)
  3. Which of these is the strongest way to protect sensitive customer data?
  • Encrypt data as it sits in your database
  • Encrypt data as it travels over the network
  • Encrypt data both as it sits in your database and as it travels over the network
  4. There has been an attack on your public-facing website, and the application's resources have been overwhelmed and exhausted, and are now unavailable to users. What service should you use to prevent this type of attack?
  • DDoS protection
  • Azure Firewall
  • Network Security Group
  • Application Gateway
  5. You want to store certificates in Azure to centrally manage them for your services. Which Azure service should you use?
  • MSIP
  • Azure AD
  • Azure Key Vault
  • Azure ATP

Azure fundamentals

10. Apply and monitor infrastructure standards with Azure Policy

Microsoft Learn. Azure Fundamentals. AZ900

Introduction

Good IT governance involves planning your initiatives and setting priorities on a strategic level to help manage and prevent issues.

In this module, you will:

  • Apply policies to control and audit resource creation
  • Learn how role-based security can fine-tune access to your resources
  • Understand Microsoft's policies and privacy guarantees
  • Learn how to monitor your resources

Define IT compliance with Azure Policy

Azure Policy is a service in Azure that you use to define, assign, and manage standards for resources in your environment. It can prevent the creation of disallowed resources, ensure new resources have specific settings applied, and run evaluations of your existing resources to scan for non-compliance.

Creating a policy

The process of creating and implementing an Azure Policy begins with creating a policy definition. To apply a policy, you will:

  1. Create a policy definition
  2. Assign a definition to a scope of resources
  3. View policy evaluation results

What is a policy definition?

A policy definition expresses what to evaluate and what action to take. For example, you could ensure all public websites are secured with HTTPS, prevent a particular storage type from being created, or force a specific version of SQL Server to be used.

Assign a definition to a scope of resources

Once you've defined one or more policy definitions, you'll need to assign them. A policy assignment is a policy definition that has been assigned to take place within a specific scope.

Policy effects

Requests to create or update a resource through Azure Resource Manager are evaluated by Azure Policy first. Policy creates a list of all assignments that apply to the resource and then evaluates the resource against each definition. Policy processes several of the effects before handing the request to the appropriate Resource Provider to avoid any unnecessary processing if the resource violates policy.

View policy evaluation results

Azure Policy can allow a resource to be created even if it doesn't pass validation. In these cases, you can have it trigger an audit event which can be viewed in the Azure Policy portal, or through command-line tools.

Organize policy with initiatives

An initiative definition is a set or group of policy definitions to help track your compliance state for a larger goal. Even if you have a single policy, we recommend using initiatives if you anticipate increasing the number of policies over time. Once defined, initiatives can be assigned just as policies can, and they apply all the associated policy definitions.

Defining initiatives

Initiative definitions simplify the process of managing and assigning policy definitions by grouping a set of policies into a single item. You can define initiatives using the Azure portal, or command-line tools. In the portal, you use the "Authoring" section.

(Image: Policy Definitions)

Assigning initiatives

Like a policy assignment, an initiative assignment is an initiative definition assigned to a specific scope. Initiative assignments reduce the need to make several initiative definitions for each scope. This scope could also range from a management group to a resource group.

Enterprise governance management

Access management occurs at the Azure subscription level. This allows an organization to configure each division of the company in a specific fashion based on their responsibilities and requirements.

Azure Management Groups are containers for managing access, policies, and compliance across multiple Azure subscriptions. Management groups allow you to order your Azure resources hierarchically into collections, which provide a further level of classification that is above the level of subscriptions. All subscriptions within a management group automatically inherit the conditions applied to the management group.

The following diagram shows an example of creating a hierarchy for governance using management groups.

(Image: Management Group Examples)

Create a hierarchy so you can apply a policy, for example, limit VM locations to US West Region on the group "Infrastructure Team management group". This policy will inherit onto both EA subscriptions under that management group and will apply to all VMs under those subscriptions. This security policy cannot be altered by the resource or subscription owner allowing for improved governance.

Another scenario where you would use management groups is to provide user access to multiple subscriptions. By moving many subscriptions under that management group, you can create one role-based access control (RBAC) assignment on the management group, which will inherit that access to all the subscriptions.

You can manage your Azure subscriptions more effectively by using Azure Policy and Azure role-based access control (RBAC). These provide distinct governance conditions that you can apply to each management group. The resources and subscriptions you assign to a management group automatically inherit the conditions that you apply to that management group.

Define standard resources with Azure Blueprints

To help you with auditing, traceability, and compliance with your deployments, use Azure Blueprint artifacts and tools. Azure Blueprint allows you to define a repeatable set of Azure resources that implement and adhere to your organization's standards, patterns, and requirements.

Azure Blueprint is a declarative way to orchestrate the deployment of various resource templates and other artifacts, such as:

  • Role assignments
  • Policy assignments
  • Azure Resource Manager templates
  • Resource groups

The process of implementing Azure Blueprint consists of the following high-level steps:

  1. Create an Azure Blueprint
  2. Assign the blueprint
  3. Track the blueprint assignments

With Azure Blueprint, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved deployment tracking and auditing.

Azure Blueprints are different from Azure Resource Manager Templates. When Azure Resource Manager Templates deploy resources, they have no active relationship with the deployed resources (they exist in a local environment or source control). By contrast, with Azure Blueprint, each deployment is tied to an Azure Blueprint package. This means that the relationship with resources will be maintained, even after deployment. Managing relationships, in this way, improves auditing and tracking capabilities. Azure Blueprints are also useful in Azure DevOps scenarios, where blueprints are associated with specific build artifacts and release pipelines and can be tracked more rigorously.

Explore your service compliance with Compliance Manager

Microsoft takes compliance and privacy management seriously and provides full transparency with four sources:

  1. Microsoft Privacy Statement
  2. Microsoft Trust Center
  3. Service Trust Portal
  4. Compliance Manager

Microsoft Privacy Statement

The Microsoft privacy statement explains what personal data Microsoft processes, how Microsoft processes it, and for what purposes.

What is the Microsoft Trust Center?

Trust Center is a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services.

What is the Service Trust Portal?

The Service Trust Portal (STP) hosts the Compliance Manager service, and is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft’s cloud services. STP users can download audit reports produced by external auditors and gain insight from Microsoft-authored reports that provide details on how Microsoft builds and operates its cloud services.

Service Trust Portal is a companion feature to the Trust Center, and allows you to:

  • Access audit reports across Microsoft cloud services on a single page.
  • Access compliance guides to help you understand how can you use Microsoft cloud service features to manage compliance with various regulations.
  • Access trust documents to help you understand how Microsoft cloud services help protect your data.

Compliance Manager

Compliance Manager is a workflow-based risk assessment dashboard within the Trust Portal that enables you to track, assign, and verify your organization's regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure.

Monitor your service health

Azure provides two primary services to monitor the health of your apps and resources.

  1. Azure Monitor
  2. Azure Service Health

Azure Monitor

Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.

Data sources

Azure Monitor can collect data from a variety of sources. You can think of monitoring data for your applications in tiers ranging from your application, any operating system and services it relies on, down to the platform itself.

Diagnostic Settings

Activity Logs record when resources are created or modified and Metrics tell you how the resource is performing and the resources that it's consuming.

You can extend the data you're collecting into the actual operation of the resources by enabling diagnostics and adding an agent to compute resources. Under the resource settings you can enable Diagnostics for:

  • Enable guest-level monitoring
  • Performance counters: collect performance data
  • Event Logs: enable various event logs
  • Crash Dumps: enable or disable
  • Sinks: send your diagnostic data to other services for more analysis
  • Agent: configure agent settings

Getting more data from your apps

Azure Monitor includes several features and tools that provide valuable insights into your applications, and the other resources they may depend on.

  • Application Insights
  • Azure Monitor for containers
  • Azure Monitor for VMs

Responding to alert conditions

In addition to allowing you to analyze your monitoring data interactively, an effective monitoring solution must respond proactively to any critical conditions that are identified within the data it collects. This might involve, for example, sending a text or email to an administrator who is responsible for investigating an issue, or launching an automated process that attempts to correct an error condition.

  • Alerts. Azure Monitor proactively notifies you of critical conditions using alerts, and can potentially attempt to take corrective actions.
  • Autoscale. Azure Monitor uses Autoscale to ensure that you have the right amount of resources running to manage the load on your application effectively.

Visualize monitoring data

Azure Monitor has its own features for visualizing monitoring data, and it leverages other Azure services for publishing data for different audiences. Other tools you may use for visualizing data, for particular audiences and scenarios, include:

  • Dashboards
  • Views
  • Power BI

Integrate with other services

You'll often need to integrate Azure Monitor with other systems, and build customized solutions that use your monitoring data. Other Azure services can work with Azure Monitor to provide this integration.

Azure Service Health

Azure Service Health is a suite of experiences that provide personalized guidance and support when issues with Azure services affect you. It can notify you, help you understand the impact of issues, and keep you updated as the issue is resolved. Azure Service Health can also help you prepare for planned maintenance and changes that could affect the availability of your resources.

Azure Service Health is composed of the following views.

  • Azure Status: provides a global view of the health state of Azure services.

  • Service Health: provides you with a customizable dashboard that tracks the state of your Azure services in the regions where you use them.

  • Resource Health: Helps you diagnose and obtain support when an Azure service issue affects your resources.

Summary

Check your knowledge

  1. True or false: You can download published audit reports and other compliance-related information related to Microsoft’s cloud service from the Service Trust Portal
  • True
  • False
  2. Which Azure service allows you to configure fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs?
  • Locks
  • Policy
  • Initiatives
  • Role-based Access Control
  Role-based access control is the correct answer. Role-based access control (RBAC) provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs. RBAC is provided at no additional cost to all Azure subscribers.
  3. Which Azure service allows you to create, assign, and manage policies to enforce different rules and effects over your resources and stay compliant with your corporate standards and service-level agreements (SLAs)?
  • Azure Policy
  • Azure Blueprints
  • Azure Security Center
  • Role-based Access Control
  Azure Policy is the correct answer. Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service-level agreements (SLAs).
  4. Which of the following services provides up-to-date status information about the health of Azure services?
  • Compliance Manager
  • Azure Monitor
  • Service Trust Portal
  • Azure Service Health
  Azure Service Health is the correct answer, because it provides you with a global view of the health of Azure services. With Azure Status, a component of Azure Service Health, you can get up-to-the-minute information on service availability.
  5. Where can you obtain details about the personal data Microsoft processes, how Microsoft processes it, and for what purposes?
  • Microsoft Privacy Statement
  • Compliance Manager
  • Azure Service Health
  • Trust Center

Azure fundamentals

11. Control and organize Azure resources with Azure Resource Manager

Microsoft Learn. Azure Fundamentals. AZ900

Introduction

Azure Resource Manager has a number of features that you can use to organize resources, enforce standards, and protect critical Azure resources from accidental deletion

In this module, you will:

  • Use resource groups to organize Azure resources
  • Use tags to organize resources
  • Apply policies to enforce standards in your Azure environments
  • Use resource locks to protect critical Azure resources from accidental deletion

Principles of Resource Groups

What are resource groups?

A resource group is a logical container for resources deployed on Azure. These resources are anything you create in an Azure subscription like virtual machines, Application Gateways, and CosmosDB instances. All resources must be in a resource group and a resource can only be a member of a single resource group. Many resources can be moved between resource groups with some services having specific limitations or requirements to move. Resource groups can't be nested. Before any resource can be provisioned, you need a resource group for it to be placed in.

Logical grouping

Resource groups exist to help manage and organize your Azure resources. By placing resources of similar usage, type, or location, you can provide some order and organization to resources you create in Azure. Logical grouping is the aspect that we're most interested in here, since there's a lot of disorder among our resources.

Life cycle

If you delete a resource group, all resources contained within are also deleted. Organizing resources by life cycle can be useful in non-production environments, where you might try an experiment, but then dispose of it when done.

Authorization

Resource groups are also a scope for applying role-based access control (RBAC) permissions. By applying RBAC permissions to a resource group, you can ease administration and limit access to allow only what is needed.

Create a Resource Group

Resource groups can be created by using the following methods:

  • Azure portal
  • Azure PowerShell
  • Azure CLI
  • Templates
  • Azure SDKs (like .NET, Java)

Use resource groups for organization

There are some guidelines and best practices that can help with the organization.

Consistent naming convention

You can start with using an understandable naming convention. Naming conventions can vary widely between and even within companies, but some planning can help.

Organizing principles

We might put all resources that are core infrastructure into this resource group. But we could also organize them strictly by resource type. For example, put all VNets in one resource group, all virtual machines in another resource group, and all Azure Cosmos DB instances in yet another resource group.

We could organize them by environment (prod, qa, dev). In this case, all production resources are in one resource group, all test resources are in another resource group, and so on.

We could organize them by department (marketing, finance, human resources). Marketing resources go in one resource group, finance in another resource group, and HR in a third resource group.

We could even use a combination of these strategies and organize by environment and department. Put production finance resources in one resource group, dev finance resources in another, and the same for the marketing resources.

Organizing for authorization

Since resource groups are a scope of RBAC, you can organize resources by who needs to administer them. If your database administration team is responsible for managing all of your Azure SQL Database instances, putting them in the same resource group would simplify administration. You could give them the proper permissions at the resource group level to administer the databases within the resource group. Similarly, the database administration team could be denied access to the resource group with virtual networks, so they don't inadvertently make changes to resources outside the scope of their responsibility.

Organizing for life cycle

We mentioned earlier that resource groups serve as the life cycle for the resources within it. If you delete a resource group, you delete all the resources in it. Use this to your advantage, especially in areas where resources are more disposable, like non-production environments. If you deploy 10 servers for a project that you know will only last a couple of months, you might put them all in a single resource group. One resource group is easier to clean up than 10 or more resource groups.

Organizing for billing

Lastly, placing resources in the same resource group is a way to group them for usage in billing reports. If you're trying to understand how your costs are distributed in your Azure environment, grouping them by resource group is one way to filter and sort the data to better understand where costs are allocated.

Use tagging to organize resources

Tags can be helpful as you look to improve organization of your Azure resources.

What are tags?

Tags are name/value pairs of text data that you can apply to resources and resource groups. Tags allow you to associate custom details about your resource, in addition to the standard Azure properties a resource has:

  • department (like finance, marketing, and more)
  • environment (prod, test, dev),
  • cost center
  • life cycle and automation (like shutdown and startup of virtual machines).

A resource can have up to 15 tags (the limit when this module was written; Azure has since raised it to 50 name/value pairs per resource). The tag name is limited to 512 characters for all types of resources except storage accounts, which have a limit of 128 characters. The tag value is limited to 256 characters for all types of resources. Tags aren't inherited from parent resources. Not all resource types support tags, and tags can't be applied to classic resources.

Tags can be added and manipulated through the Azure portal, Azure CLI, Azure PowerShell, Resource Manager templates, and through the REST API.

You can use Azure Policy to automatically add or enforce tags for resources your organization creates based on policy conditions that you define.

Apply tags to resources

See example on course. https://docs.microsoft.com/en-us/learn/modules/control-and-organize-with-azure-resource-manager/3-use-tagging-to-organize-resources

Use tags for organization

You can use tags to group your billing data.

You can retrieve all the resources in your subscription with a specific tag name or value. Tags enable you to retrieve related resources from different resource groups. This approach is helpful when you need to organize resources for billing or management.

Tagging resources can also help in monitoring to track down impacted resources. Monitoring systems could include tag data with alerts, giving you the ability to know exactly who is impacted.

It's also common for tags to be used in automation.
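An added Python example (not part of the Microsoft Learn module) that puts the tag rules above into code: it checks a tag set against the limits quoted in the notes (15 tags, 512-character names or 128 for storage accounts, 256-character values), finds resources by tag across resource groups, and groups monthly cost by a tag the way a billing report would. The resource inventory and its costs are constructed sample data, not output from a real subscription.

```python
from collections import defaultdict

# Limits quoted in the notes above.
MAX_TAGS = 15
MAX_VALUE_LEN = 256
MAX_NAME_LEN = {"default": 512, "Microsoft.Storage/storageAccounts": 128}


def validate_tags(resource_type, tags):
    """Return a list of problems with a tag set; an empty list means it is valid."""
    problems = []
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceeds the limit of {MAX_TAGS}")
    name_limit = MAX_NAME_LEN.get(resource_type, MAX_NAME_LEN["default"])
    for name, value in tags.items():
        if len(name) > name_limit:
            problems.append(f"tag name '{name[:16]}...' exceeds {name_limit} characters")
        if len(value) > MAX_VALUE_LEN:
            problems.append(f"value of tag '{name}' exceeds {MAX_VALUE_LEN} characters")
    return problems


# Constructed sample inventory. Tags are not inherited from the resource group,
# so every resource carries its own, and one is missing the costcenter tag.
RESOURCES = [
    {"name": "vm-web-01", "rg": "rg-prod", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"environment": "prod", "costcenter": "CC100"}, "monthly_cost": 120.0},
    {"name": "vm-web-02", "rg": "rg-prod", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"environment": "prod", "costcenter": "CC100"}, "monthly_cost": 80.0},
    {"name": "stdevlogs", "rg": "rg-dev", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"environment": "dev", "costcenter": "CC200"}, "monthly_cost": 15.0},
    {"name": "vm-test-01", "rg": "rg-dev", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"environment": "test"}, "monthly_cost": 40.0},
]


def find_by_tag(resources, name, value=None):
    """Resources carrying tag `name` (and `value`, if given), across all resource groups."""
    return [r for r in resources
            if name in r["tags"] and (value is None or r["tags"][name] == value)]


def cost_by_tag(resources, name, untagged="(untagged)"):
    """Sum monthly cost per tag value; resources lacking the tag go to an explicit
    bucket so that untagged spend stays visible instead of being silently dropped."""
    totals = defaultdict(float)
    for r in resources:
        totals[r["tags"].get(name, untagged)] += r["monthly_cost"]
    return dict(totals)


def audit_inventory(resources, required=("environment", "costcenter")):
    """Report resources that break the limits or lack a required tag."""
    findings = {}
    for r in resources:
        issues = validate_tags(r["type"], r["tags"])
        issues += [f"missing required tag '{t}'" for t in required if t not in r["tags"]]
        if issues:
            findings[r["name"]] = issues
    return findings


if __name__ == "__main__":
    print(cost_by_tag(RESOURCES, "costcenter"))
    print(audit_inventory(RESOURCES))
```

The untagged bucket in `cost_by_tag` is the useful part for billing: a resource with no cost center still costs money, and the report should show that rather than hide it. `audit_inventory` is the kind of check that Azure Policy can enforce automatically at creation time instead of after the fact.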

Use policies to enforce standards

Resource grouping and tagging have made a difference in the existing resources, but how do you ensure that new resources follow the rules? Let's take a look at how policies can help you enforce standards in your Azure environment.

What is Azure Policy?

Azure Policy is a service you can use to create, assign, and manage policies. These policies apply and enforce rules that your resources need to follow. These policies can enforce these rules when resources are created, and can be evaluated against existing resources to give visibility into compliance.

Policies can enforce things such as only allowing specific types of resources to be created, or only allowing resources in specific Azure regions. You can enforce naming conventions across your Azure environment. You can also enforce that specific tags are applied to resources.

Create a policy

Policies can be created and assigned through the Azure portal, Azure PowerShell, or Azure CLI.

Create the policy definition

See example on course https://docs.microsoft.com/en-us/learn/modules/control-and-organize-with-azure-resource-manager/4-use-policies-to-enforce-standards

Create a policy assignment

To enable the policy, we need to create an assignment, so that it applies to anything inside a resource group.

Test out the policy

Please note that the policy assignment may take up to 30 minutes to take effect.

Use policies to enforce standards

We could use policy to restrict which Azure regions we can deploy resources to. We could use policy to restrict which types of virtual machine sizes can be deployed. We could also use policy to enforce naming conventions.
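An added Python example (not from the Microsoft Learn module) showing how a policy definition is structured and evaluated. The `policyRule` objects follow the Azure Policy if/then rule schema (`field`, `equals`, `in`/`notIn`, `exists`, `like`, `allOf`/`anyOf`/`not`); the `name` wrapper, the small evaluator and the resource payloads are constructed for this illustration and are not the Azure Policy engine itself. The three rules are the ones named above: a required tag, allowed locations, and a VM naming convention.

```python
from fnmatch import fnmatchcase

# Constructed policy definitions. The policyRule objects follow the Azure Policy
# if/then rule schema; "name" is only used for the report below.
POLICIES = [
    {"name": "require-department-tag",
     "policyRule": {"if": {"field": "tags['department']", "exists": "false"},
                    "then": {"effect": "deny"}}},
    {"name": "allowed-locations",
     "policyRule": {"if": {"field": "location", "notIn": ["westeurope", "northeurope"]},
                    "then": {"effect": "deny"}}},
    {"name": "vm-naming-convention",
     "policyRule": {"if": {"allOf": [
                        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                        {"not": {"field": "name", "like": "vm-*"}}]},
                    "then": {"effect": "deny"}}},
]


def get_field(resource, field):
    """Resolve a policy field against a resource payload: top-level properties
    such as type/location/name, plus the tags['key'] alias form."""
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    return resource.get(field)


def evaluate_condition(resource, cond):
    """Recursively evaluate one condition from the policy rule."""
    if "allOf" in cond:
        return all(evaluate_condition(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(resource, cond["not"])
    value = get_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    if "like" in cond:
        return value is not None and fnmatchcase(value, cond["like"])
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_policy(resource, policy):
    """Return the effect ('deny', 'audit', ...) when the rule matches, else None.
    Note the inversion: the 'if' block describes the NON-compliant state."""
    rule = policy["policyRule"]
    if evaluate_condition(resource, rule["if"]):
        return rule["then"]["effect"].lower()
    return None


def compliance_report(resources, policies):
    """Map each resource name to the policies that would deny it."""
    return {r["name"]: [p["name"] for p in policies if evaluate_policy(r, p) == "deny"]
            for r in resources}


# Constructed resource payloads, as a create request or a compliance scan would see them.
RESOURCES = [
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines",
     "location": "westeurope", "tags": {"department": "finance"}},
    {"name": "vm-web-02", "type": "Microsoft.Compute/virtualMachines",
     "location": "westeurope", "tags": {}},
    {"name": "starchive", "type": "Microsoft.Storage/storageAccounts",
     "location": "eastus", "tags": {"department": "marketing"}},
    {"name": "webserver3", "type": "Microsoft.Compute/virtualMachines",
     "location": "northeurope", "tags": {"department": "it"}},
]

if __name__ == "__main__":
    for name, denied in compliance_report(RESOURCES, POLICIES).items():
        print(name, "compliant" if not denied else f"denied by {denied}")
```

The point to internalize is the inversion in `evaluate_policy`: the `if` block matches the state you do not want, and the `then` effect is what happens to it. With a `deny` effect the same rule blocks a new resource at creation time; evaluated against existing resources it produces the compliance view the notes describe. In a real subscription the rule JSON is what you pass to `az policy definition create --rules`, and `az policy assignment create` scopes it to a subscription or resource group.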

Secure resources with role-based access control

RBAC provides fine-grained access management for Azure resources, enabling you to grant users the specific rights they need to perform their jobs. RBAC is considered a core service and is included with all subscription levels at no cost.

Using RBAC, you can:

  • Allow one user to manage VMs in a subscription, and another user to manage virtual networks.
  • Allow a database administrator (DBA) group to manage SQL databases in a subscription.
  • Allow a user to manage all resources in a resource group, such as VMs, websites, and virtual subnets.
  • Allow an application to access all resources in a resource group.

To view access permissions, use the Access Control (IAM) blade in the Azure portal. On this blade, you can see who has access to an area and their role. Using this same blade, you can also grant or remove access.

How RBAC defines access

RBAC uses an allow model for access. When you are assigned to a role, RBAC allows you to perform specific actions, such as read, write, or delete. Therefore, if one role assignment grants you read permissions to a resource group, and a different role assignment grants you write permissions to the same resource group, you will have write permissions on that resource group.

Best Practices for RBAC

Here are some best practices you should use when setting up resources.

  • Segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, allow only specific actions at a particular scope.

  • When planning your access control strategy, grant users the lowest privilege level that they need to do their work.

  • Use Resource Locks to ensure critical resources aren't modified or deleted

Use resource locks to protect resources

What are resource locks?

Resource locks are a setting that can be applied to any resource to block modification or deletion. Resource locks can be set to either Delete or Read-only. Delete allows all operations against the resource but blocks the ability to delete it. Read-only allows only read activities against the resource, blocking any modification or deletion. Resource locks can be applied to subscriptions, resource groups, and individual resources, and are inherited when applied at higher levels.

Applying Read-only can lead to unexpected results because some operations that seem like read operations actually require additional actions. For example, placing a Read-only lock on a storage account prevents all users from listing the keys. The list keys operation is handled through a POST request because the returned keys are available for write operations.

When a resource lock is applied, you must first remove the lock in order to perform that activity. By putting an additional step in place before allowing the action to be taken on the resource, it helps protect resources from inadvertent actions, and helps protect your administrators from doing something they may not have intended to do. Resource locks apply regardless of RBAC permissions. Even if you are an owner of the resource, you must still remove the lock before you'll actually be able to perform the blocked activity.
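An added Python example (not from the Microsoft Learn module) that models the two access rules stated in this and the preceding section: RBAC is an allow model in which assignments only add permissions, and a resource lock blocks an action regardless of RBAC, even for an owner. The role definitions are simplified versions of the built-in Actions/NotActions shape (the real Contributor role excludes more than shown), the subscription id is a placeholder, and the assignments and locks are constructed; the lock level names `CanNotDelete` and `ReadOnly` are the ones the Azure CLI uses for the Delete and Read-only locks described above.

```python
from fnmatch import fnmatchcase

# Constructed, simplified role definitions in the Actions/NotActions shape that
# Azure built-in roles use (the real Contributor role excludes more than shown).
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Virtual Machine Contributor": {
        "Actions": ["Microsoft.Compute/virtualMachines/*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id

# Constructed role assignments: alice reads everything, manages VMs in rg-prod only.
ASSIGNMENTS = [
    {"principal": "alice", "role": "Reader", "scope": SUB},
    {"principal": "alice", "role": "Virtual Machine Contributor",
     "scope": f"{SUB}/resourceGroups/rg-prod"},
    {"principal": "bob", "role": "Contributor", "scope": f"{SUB}/resourceGroups/rg-prod"},
]

# Constructed locks; CanNotDelete / ReadOnly are the level names used by the CLI.
LOCKS = [
    {"scope": f"{SUB}/resourceGroups/rg-prod", "level": "CanNotDelete"},
    {"scope": f"{SUB}/resourceGroups/rg-net", "level": "ReadOnly"},
]


def in_scope(scope, target):
    """True when `target` is `scope` itself or lies underneath it (case-insensitive)."""
    s, t = scope.lower(), target.lower()
    return t == s or t.startswith(s + "/")


def matches(action, pattern):
    """Azure action strings are matched case-insensitively with '*' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def rbac_allows(principal, action, target):
    """Allow model: one in-scope assignment that grants the action (and does not
    list it under NotActions) is sufficient; assignments only add, never subtract."""
    for a in ASSIGNMENTS:
        if a["principal"] != principal or not in_scope(a["scope"], target):
            continue
        role = ROLES[a["role"]]
        granted = any(matches(action, p) for p in role["Actions"])
        excluded = any(matches(action, p) for p in role["NotActions"])
        if granted and not excluded:
            return True
    return False


def lock_blocks(action, target):
    """Return the lock level that blocks `action`, or None. Locks are inherited from
    parent scopes; ReadOnly blocks everything except reads, CanNotDelete blocks deletes."""
    op = action.lower().rsplit("/", 1)[-1]
    for lock in LOCKS:
        if not in_scope(lock["scope"], target):
            continue
        if lock["level"] == "ReadOnly" and op != "read":
            return "ReadOnly"
        if lock["level"] == "CanNotDelete" and op == "delete":
            return "CanNotDelete"
    return None


def authorize(principal, action, target):
    """(allowed, reason). RBAC is evaluated first; a lock then overrides even a
    Contributor or Owner, who must remove the lock before the operation can proceed."""
    if not rbac_allows(principal, action, target):
        return False, "no role assignment grants this action at this scope"
    level = lock_blocks(action, target)
    if level:
        return False, f"blocked by {level} lock; remove the lock first"
    return True, "allowed"
```

Two behaviours worth checking against the notes: alice's Reader assignment at subscription scope plus her Virtual Machine Contributor assignment on rg-prod gives her write on VMs in rg-prod (the allow model unions grants) but not in other resource groups; and bob, a Contributor on rg-prod, still cannot delete a VM there while the CanNotDelete lock stands. The `listKeys/action` operation on a storage account also ends in `action`, not `read`, which is why a ReadOnly lock blocks key listing as the notes describe.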

Create a resource lock

See example on course https://docs.microsoft.com/en-us/learn/modules/control-and-organize-with-azure-resource-manager/6-use-resource-locks-to-protect-resources

Using resource locks in practice

Use resource locks to protect those key pieces of Azure that could have a large impact if they were removed or modified.

Check your knowledge

  1. Tags can be applied to any type of resource on Azure.
  • True
  • False
  2. Tags applied at a resource group level are propagated to resources within the resource group.
  • True
  • False
  3. Which of the following is not a feature of resource groups?
  • Resources can be in only one resource group.
  • Resources can be moved from one resource group to another resource group.
  • Resource groups can be nested.
  • Role based access control can be applied to the resource group.
  4. Which of the following might be a good usage of tags?
  • Using tags to associate a cost center with resources for internal chargeback
  • Using tags in conjunction with Azure Automation to schedule maintenance windows
  • Using tags to store environment and department association
  • All of the above are good ways to use tags
  5. Which of the following would be the most efficient way to ensure a naming convention was followed across your subscription?
  • Send out an email with the details of your naming conventions and hope it is followed
  • Create a policy with your naming requirements and assign it to the scope of your subscription
  • Give all other users except for yourself read-only access to the subscription. Have all requests to create resources sent to you so you can review the names being assigned to resources, and then create them.
  6. Which of the following would be good to put a resource lock on?
  • An ExpressRoute circuit with connectivity back to your on-premises network
  • A non-production virtual machine used to test occasional application builds
  • A storage account used to temporarily store images processed in a development environment

Summary

  • We've taken a look at several features you can use to put organization and control around your Azure resources.
  • We talked about how resource groups worked, and some ways you can use them to organize your resources.
  • We looked at how tags allow you to add custom contextual information to your resources, for use in areas such as billing and filtering.
  • We saw how we could use policies to enforce standards across our Azure resources.
  • We used resource locks to prevent accidental deletion of critical resources.
  • By using these tools throughout your Azure environment, you'll have greater organization across your Azure resources.

Azure fundamentals

12. Predict costs and optimize spending for Azure

Microsoft Learn. Azure Fundamentals. AZ900

Introduction

When planning a solution in the cloud, there's always the challenge of balancing cost against performance.

In this module, you will:

  • Learn the different options you have to purchase Azure services
  • Estimate costs with the Azure pricing calculator
  • Predict and optimize costs with Azure Cost Management and Azure Advisor
  • Apply best practices for saving on infrastructure costs
  • Apply best practices for saving on licensing costs

Purchasing Azure products and services

The purchasing options available for Azure products and services depend on which of three main customer types you belong to:

  • Enterprise - Enterprise customers sign an Enterprise Agreement with Azure that commits them to spend a negotiated amount on Azure services, which they typically pay annually. Enterprise customers also have access to customized Azure pricing.

  • Web direct - Direct Web customers pay general public prices for Azure resources, and their monthly billing and payments occur through the Azure website.

  • Cloud Solution Provider - Cloud Solution Provider (CSP) typically are Microsoft partner companies that a customer hires to build solutions on top of Azure. Payment and billing for Azure usage occur through the customer's CSP.

Usage meters

When you provision an Azure resource, Azure creates one or more meter instances for that resource. The meters track the resources' usage, and generate a usage record that is used to calculate your bill.

The meters and pricing vary per product and often have different pricing tiers based on the size or capacity of the resource. Check the documentation for specific details on what each service area costs.

The key takeaway is that resources are always charged based on usage.

De-allocating a VM is not the same as deleting a VM. De-allocation means the VM is not assigned to a CPU or network in a datacenter. However, your persistent disks remain, and the resource is present in your subscription. It's similar to turning off your physical computer.

Factors affecting costs

There are several elements that will affect your monthly costs when using Azure services. Let's look at a few of the primary factors including resource type, services, the user's location, and the billing zone.

Resource type

Costs are resource-specific, so the usage that a meter tracks and the number of meters associated with a resource depend on the resource type.

The usage that a meter tracks correlates to a number of billable units. Those are charged to your account for each billing period, and the rate per billable unit depends on the resource type you are using.

Services

Azure usage rates and billing periods can differ between Enterprise, Web Direct, and Cloud Solution Provider (CSP) customers. Some subscription types also include usage allowances, which affect costs.

The Azure team develops and offers first-party products and services, while products and services from third-party vendors are available in the Azure Marketplace. Different billing structures apply to each of these categories.

Location

Usage costs vary between locations that offer particular Azure products, services, and resources based on popularity, demand, and local infrastructure costs.

Azure billing zones

Bandwidth refers to data moving in and out of Azure datacenters. Most of the time inbound data transfers (data going into Azure datacenters) are free. For outbound data transfers (data going out of Azure datacenters), the data transfer pricing is based on billing zones.

A Zone is a geographical grouping of Azure Regions for billing purposes. The following zones exist and include the countries and regions listed.

| Zone | Areas |
| --- | --- |
| Zone 1 | United States, Europe, Canada, UK, France |
| Zone 2 | Asia Pacific, Japan, Australia, India, Korea |
| Zone 3 | Brazil |
| DE Zone 1 | Germany |

In most zones, the first outbound 5 GB per month is free. After that, you are billed a fixed price per GB.

Billing zones aren't the same as an Availability Zone. In Azure, the term zone is for billing purposes only, and the full term Availability Zone refers to the failure protection that Azure provides for datacenters.

Estimate costs with the Azure pricing calculator

Introducing the Azure pricing calculator

The Azure pricing calculator is a free web-based tool that allows you to input Azure services and modify properties and options of the services. It outputs the costs per service and total cost for the full estimate.

The options that you can configure in the pricing calculator vary between products, but basic configuration options include:

| Option | Description |
| --- | --- |
| Region | Lists the regions from which you can provision a product. |
| Tier | Sets the type of tier you wish to allocate to a selected resource, such as Free Tier, Basic Tier, etc. |
| Billing Options | Highlights the billing options available to different types of customer and subscriptions for a chosen product. |
| Support Options | Allows you to pick from included or paid support pricing options. |
| Programs and Offers | Allows you to choose from available price offerings according to your customer or subscription type. |
| Azure Dev/Test Pricing | Lists the available development and test prices for a product. Dev/Test pricing applies only when you run resources within an Azure subscription that is based on a Dev/Test offer. |

Try out the Azure pricing calculator

https://azure.microsoft.com/pricing/calculator/

  1. Products. This tab is where you'll do most of your activity. This tab has all the Azure services listed and is where you'll add or remove services to put together your estimate.
  2. Estimates. This tab has all of your previously saved estimates. We'll go through this process in a moment.
  3. FAQ. Just as it says, this tab has answers to some frequently asked questions.

Estimate a solution

Looking through your estimate, you should see a summary cost for each service you've added and a full total for the entire estimate. You can try playing with some of the options - particularly the location you place these resources in - to see the estimate go up and down.

If you have resources that are not location-sensitive, you can save a lot of money by locating them in less expensive regions. Checking the pricing calculator can help you determine the most cost-effective place to put these services.

Share and save your estimate

We can save this estimate, so we can come back to it later and adjust it if necessary. We can also export it to Excel for further analysis or share the estimate via a URL. We can either share the Excel spreadsheet, or we can click on the Share button in the calculator. If you are logged in with your Azure account, you can save the estimate, so you can come back to it later.

Check your knowledge

  1. Which tab of the Azure pricing calculator will you use to put together your estimate?
  • Estimate
  • Products (correct). This tab has all the Azure services listed and is where you'll add or remove services to get your estimate.
  2. True or false: You can share your estimate through an Excel spreadsheet or through a URL.
  • True (correct). Clicking Export at the bottom of the estimate will export an Excel spreadsheet that you can share, or you can click Share to get a URL link that you can share with your team.
  • False

Predict and optimize with Cost Management and Azure Advisor

What is Azure Advisor?

Azure Advisor is a free service built into Azure that provides recommendations on high availability, security, performance, and cost. Advisor analyzes your deployed services and looks for ways to improve your environment across those four areas.

Advisor makes cost recommendations in the following areas:

  1. Reduce costs by eliminating unprovisioned Azure ExpressRoute circuits. This identifies ExpressRoute circuits that have been in the provider status of Not Provisioned for more than one month and recommends deleting the circuit if you aren't planning to provision the circuit with your connectivity provider.

  2. Buy reserved instances to save money over pay-as-you-go. This will review your virtual machine usage over the last 30 days and determine if you could save money in the future by purchasing reserved instances. Advisor will show you the regions and sizes where you potentially have the most savings and will show you the estimated savings you might achieve from purchasing reserved instances.

  3. Right-size or shutdown underutilized virtual machines. This monitors your virtual machine usage for 14 days and then identifies underutilized virtual machines. Virtual machines whose average CPU utilization is 5 percent or less and network usage is 7 MB or less for four or more days are considered underutilized virtual machines. The average CPU utilization threshold is adjustable up to 20 percent.
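An added Python example (not from the Microsoft Learn module, and not Advisor's code) that applies the right-sizing rule in item 3 to constructed per-day metrics: a VM is flagged when four or more days within the 14-day window show average CPU at or below the threshold (5 percent by default, adjustable up to 20) and network usage at or below 7 MB. The fleet samples are made up to show the edge cases: a weekday-only workload that is flagged because its four weekend days are quiet, a VM that is only flagged once the threshold is raised, and a VM whose idle period falls outside the window.

```python
# Thresholds quoted in the notes above.
DEFAULT_CPU_THRESHOLD = 5.0   # percent; adjustable up to 20
MAX_CPU_THRESHOLD = 20.0
NETWORK_THRESHOLD_MB = 7.0
MIN_QUIET_DAYS = 4
WINDOW_DAYS = 14


def is_underutilized(daily_metrics, cpu_threshold=DEFAULT_CPU_THRESHOLD):
    """daily_metrics: list of (avg_cpu_percent, network_mb) tuples, oldest first.
    A VM is flagged when at least four days inside the last 14 are 'quiet':
    CPU at or below the threshold and network at or below 7 MB."""
    if not 0 < cpu_threshold <= MAX_CPU_THRESHOLD:
        raise ValueError(f"CPU threshold must be in (0, {MAX_CPU_THRESHOLD}]")
    window = daily_metrics[-WINDOW_DAYS:]      # older samples do not count
    quiet_days = sum(1 for cpu, net in window
                     if cpu <= cpu_threshold and net <= NETWORK_THRESHOLD_MB)
    return quiet_days >= MIN_QUIET_DAYS


def recommendations(fleet, cpu_threshold=DEFAULT_CPU_THRESHOLD):
    """Names of VMs that the rule would recommend right-sizing or shutting down."""
    return sorted(name for name, metrics in fleet.items()
                  if is_underutilized(metrics, cpu_threshold))


BUSY, QUIET = (30.0, 200.0), (1.0, 0.5)

# Constructed daily samples (avg CPU %, network MB per day), oldest first.
FLEET = {
    "vm-batch": [(40.0, 500.0)] * 14,              # busy every day
    "vm-idle": [(2.0, 1.0)] * 14,                  # idle every day
    "vm-weekday": ([BUSY] * 5 + [QUIET] * 2) * 2,  # 10 busy weekdays, 4 quiet weekend days
    "vm-light": [(12.0, 3.0)] * 14,                # flagged only with a raised threshold
    "vm-proxy": [(3.0, 900.0)] * 14,               # low CPU but chatty network: not quiet
    "vm-recovered": [QUIET] * 7 + [BUSY] * 14,     # idle 3 weeks ago, busy for the whole window
}

if __name__ == "__main__":
    print("default threshold:", recommendations(FLEET))
    print("threshold 15%:    ", recommendations(FLEET, 15.0))
```

The weekday-only VM is the interesting case: its average CPU over the window is well above 5 percent, but the rule counts quiet days rather than averaging the window, so it is still flagged and is exactly the kind of workload that the deallocate-in-off-hours advice later in this module targets.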


Azure Cost Management

Azure Cost Management is another free, built-in Azure tool that can be used to gain greater insights into where your cloud money is going. You can see historical breakdowns of what services you are spending your money on and how it is tracking against budgets that you have set. You can set budgets, schedule reports, and analyze your cost areas.


Cloudyn

Cloudyn, a Microsoft subsidiary, allows you to track cloud usage and expenditures for your Azure resources and other cloud providers including Amazon Web Services and Google. Easy-to-understand dashboard reports help with cost allocation and chargebacks. Usage for Azure is free, and there are paid options for premium support and to view data from other clouds.

Check your knowledge

  1. Azure Advisor provides recommendations for _________.
  • Costs only
  • High availability, security, performance, and cost (correct). Azure Advisor provides recommendations on high availability, security, performance, and cost.
  • High availability, performance, and cost
  2. Azure Cost Management allows you to _________.
  • See historical breakdowns of what services you are spending your money on (correct). Cost Management analyzes where you are historically spending your money and can track it against budgets you have set.
  • See estimates of what your services might cost if you make a change.

Estimate the Total Cost of Ownership with the Azure TCO calculator

The pricing calculator and cost management advisor can help you predict and analyze your spend for new or existing services. If you are starting to migrate to the cloud, a useful tool you can use to predict your cost savings is the Total Cost of Ownership (TCO) calculator.

To use the TCO calculator, you need to complete four steps.

Step 1:

Open the TCO calculator. https://azure.microsoft.com/pricing/tco/

Step 2:

Define your workloads. Start by entering details about your on-premises infrastructure into the TCO calculator according to four groups: servers, databases, storage, and networking.

Step 3:

Adjust assumptions. Adjust the values of assumptions that the TCO calculator makes, which might vary between customers. The assumptions you can customize include: Storage, IT labor, Hardware, Software, Electricity, Virtualization, Datacenter Networking, Database.

Step 4:

View the report. The TCO calculator generates a detailed report based on the details you enter and the adjustments you make.

Save on infrastructure costs

Our next challenge is to look at how to reduce those infrastructure costs.

Use Azure credits

Visual Studio subscribers can activate a monthly credit benefit that allows you to experiment with, develop, and test new solutions on Azure. Use Azure credits to try out new services such as App Service, Windows 10 VMs, Azure SQL Server databases, Containers, Cognitive Services, Functions, Data Lake, and more without incurring any monetary costs.

The monthly Azure credit for Visual Studio subscribers is for development and testing only and does not carry a financially-backed SLA. Azure will suspend any instance (VM or cloud service) that runs continuously for more than 120 hours or if it's determined that the instance is being used for production. This benefit is made available to Visual Studio subscribers on a best efforts basis; there is no guarantee of capacity availability.

Use spending limits

By default, Azure subscriptions that have associated monthly credits (which includes trial accounts) have a spending limit to ensure you aren't charged once you have used up your credits.

Azure spending limits are not the same as Subscription, Service, or Resource Group limits and quotas.

You are notified by email when you hit the spending limit for your subscription. In addition, the Azure portal includes notifications about your credit spend. You can adjust the spending limit as desired or even turn it off.

The spending limit feature is specific to subscriptions that include a monthly Azure credit allotment. It is not available on pay-only subscriptions.

Use reserved instances

If you have VM workloads that are static and predictable, particularly ones that run 24x7x365, using reserved instances is a fantastic way to potentially save up to 70-80%, depending on the VM size. The following illustration shows that using Azure reserved instances saves you up to 72% and using reserved instances plus Azure Hybrid Benefit saves up to 80% in costs.

Choose low-cost locations and regions

The cost of Azure products, services, and resources can vary across locations and regions, and if possible, you should use them in those locations and regions where they cost less.

Some resources are metered and billed according to how much outgoing network bandwidth they consume (egress). You should provision connected resources that are bandwidth metered in the same region to reduce egress traffic between them.

Research available cost-saving offers

Keep up-to-date with the latest Azure customer and subscription offers, and switch to offers that provide the most significant cost-saving benefit.

Right-size underutilized virtual machines

Recall from our previous discussion that Azure Cost Management and Azure Advisor might recommend right-sizing or shutting down VMs. Right-sizing a virtual machine is the process of resizing it to a proper size. Over-sized virtual machines are a common unnecessary expense on Azure and one that can be easily fixed. You can change the size of a VM through the Azure portal, Azure PowerShell, or the Azure CLI.

Resizing a VM requires it to be stopped, resized, and then restarted. This may take a few minutes depending on how significant the size change is. Plan for an outage, or shift your traffic to another instance while you perform this task.

Deallocate virtual machines in off hours

If you have virtual machine workloads that are only used during certain periods, but you're running them every hour of every day, you're wasting money. These VMs are great candidates to shut down when not in use and start back up on a schedule, saving you compute costs while the VM is deallocated. Azure now has an automation solution fully available for you to leverage in your environment.

You can also use the auto-shutdown feature on a virtual machine to schedule automated shutdowns.

Delete unused virtual machines

This advice may sound obvious, but if you aren't using a service, you should shut it down. It's not uncommon to find non-production or proof-of-concept systems left around following a project that is no longer needed.

Migrate to PaaS or SaaS services

Lastly, as you move workloads to the cloud, a natural evolution is to start with infrastructure-as-a-service (IaaS) services and then move them to platform-as-a-service (PaaS) as appropriate, in an iterative process.

PaaS services typically provide substantial savings in both resource and operational costs. The challenge is that depending on the type of service, varying levels of effort will be required to move to these services from both a time and resource perspective. You might be able to move a SQL Server database to Azure SQL Database easily, but it might take substantially more effort to transfer your multi-tier application to a container or serverless-based architecture. It's a good practice to continuously evaluate the architecture of your applications to determine if there are efficiencies to be gained through PaaS services.

The Azure Architecture Center is a great place to get ideas for transforming your application, as well as best practices across a wide array of architectures and Azure services.

Check your knowledge

  1. Which one of these is not a cost-saving solution?
  • Deallocate virtual machines during off hours.
  • Use Azure Reserved Virtual Machine Instances.
  • Load balance your virtual machines for incoming messages (correct). Load balancing is used for performance optimization, not cost savings.
  • Right-size underutilized virtual machines.
  2. True or false: PaaS is generally less expensive than IaaS.
  • True (correct). IaaS requires Azure to dedicate resources, while PaaS gives Azure more flexibility in how services are delivered. This means Azure can fill and operate hardware efficiently and therefore offer PaaS services at a savings over IaaS.
  • False

Save on licensing costs

Licensing is another area that can dramatically impact your cloud spending. Let's look at some ways you can reduce your licensing costs.

Linux vs. Windows

Many of the Azure services you deploy have the choice of running on Windows or Linux. In some cases, the cost of the product can be different based on the OS you choose. Where you have a choice, and your application doesn't depend on the underlying OS, it's useful to compare pricing to determine whether you can save money.

Azure Hybrid Benefit for Windows Server

Many customers have invested in Windows Server licenses and would like to repurpose this investment on Azure. The Azure Hybrid Benefit gives customers the right to use these licenses for virtual machines on Azure. That means you won't be charged for the Windows Server license and will instead be billed at the Linux rate.

To be eligible for this benefit, your Windows licenses must be covered by Software Assurance. The following guidelines will also apply:

  • Each two-processor license or each set of 16-core licenses is entitled to two instances of up to 8 cores or one instance of up to 16 cores.
  • Standard Edition licenses can only be used once either on-premises or in Azure. That means you can't use the same license for an Azure VM and a local computer.
  • Datacenter Edition benefits allow for simultaneous usage both on-premises and in Azure so that the license will cover two running Windows machines.

Azure Hybrid Benefit for SQL Server

The Azure Hybrid Benefit for SQL Server helps you maximize the value from your current licensing investments and accelerate your migration to the cloud. Azure Hybrid Benefit for SQL Server is an Azure-based benefit that enables you to use your SQL Server licenses with active Software Assurance to pay a reduced rate.

Azure SQL Database vCore-based options

For Azure SQL Database, the Azure Hybrid Benefit works as follows:

  • If you have Standard Edition per core licenses with active Software Assurance, you can get one vCore in the General Purpose service tier for every one license core you own on-premises.
  • If you have Enterprise Edition per core licenses with active Software Assurance, you can get one vCore in the Business Critical service tier for every one license core you own on-premises. Note that the Azure Hybrid Benefit for SQL Server for the Business Critical service tier is available only to customers who have Enterprise Edition licenses.
  • If you have highly virtualized Enterprise Edition per core licenses with active Software Assurance, you can get four vCores in the General Purpose service tier for every one license core you own on-premises. This is a unique virtualization benefit available only on Azure SQL Database.


For SQL Server in Azure Virtual Machines, the Azure Hybrid Benefit works as follows:

  • If you have Enterprise Edition per core licenses with active Software Assurance, you can get one core of SQL Server Enterprise Edition in Azure Virtual Machines for every one license core you own on-premises.
  • If you have Standard Edition per core licenses with active Software Assurance, you can get one core of SQL Server Standard Edition in Azure Virtual Machines for every one license core you own on-premises.

Use Dev/Test subscription offers

The Enterprise Dev/Test and Pay-As-You-Go Dev/Test offers are a benefit you can take advantage of to save costs on your non-production environments. This benefit gives you several discounts, most notably for Windows workloads, eliminating license charges and only billing you at the Linux rate for virtual machines. This also applies to SQL Server and any other Microsoft software that is covered under a Visual Studio subscription (formerly known as MSDN).

There are a few requirements for this benefit, one being that it's only for non-production workloads, and another being that any users of these environments (excluding testers) must be covered under a Visual Studio subscription. In short, for non-production workloads, this allows you to save money on your Windows, SQL Server, and other Microsoft virtual machine workloads.

Bring your own SQL Server license

If you are a customer on an Enterprise Agreement and already have an investment in SQL Server licenses, and they have freed up as part of moving resources to Azure, you can provision bring your own license (BYOL) images off the Azure Marketplace, giving you the ability to take advantage of these unused licenses and reduce your Azure VM cost.

An Enterprise Agreement subscription is required to use these certified BYOL images.

Use SQL Server Developer Edition

A lot of people are unaware that SQL Server Developer Edition is a free product for nonproduction use. Developer Edition has all the same features that Enterprise Edition has, but for nonproduction workloads, you can save dramatically on your licensing costs.

Use constrained instance sizes for database workloads

Many customers have high requirements for memory, storage, or I/O bandwidth but low CPU core counts. Based on this popular request, Microsoft has made available the most popular VM sizes (DS, ES, GS, and MS) in new sizes that constrain the vCPU count to one half or one-quarter of the original VM size, while maintaining the same memory, storage, and I/O bandwidth.

Because database products like SQL Server and Oracle are licensed per CPU, this allows customers to reduce licensing cost by up to 75 percent but still maintain the high performance their database requires.

Check your knowledge

  1. True or false: If you already have Windows Server licenses, you have to pay for them again on Azure.
  • True
  • False (correct). Under certain circumstances, you can utilize the hybrid benefit for Windows Server and pay only the Linux rate.
  2. True or false: Azure has money-saving options for test and development servers.
  • True (correct). The Azure Enterprise Dev/Test and Azure Pay-As-You-Go Dev/Test benefits give you several discounts, most notably for Windows workloads, eliminating license charges and billing you only at the Linux rate for virtual machines. This also applies to SQL Server and any other Microsoft software that is covered under a Visual Studio subscription.
  • False

Summary

  • Azure Advisor provides recommendations in many areas, including cost.
  • Azure Cost Management gives you reporting and billing information, so you can gain insights into where you're spending your money.
  • Cloudyn takes this even further and gives you detailed information that you can use for chargebacks and to identify areas of inefficiency.

Check your knowledge

  1. Which of the following are used to determine Azure costs for each billing period?
  • The Azure website
  • Number of created virtual machines
  • The Azure pricing calculator
  • Usage meters. Correct: Azure is billed according to your consumption, based on monthly usage meters.
  2. Which of the following is a factor affecting costs?
  • Global infrastructure
  • Location. Correct: the location where you place your resources varies the price of the resource.
  • Availability zone
  3. Complete the following sentence. As an Azure customer, Azure Reservations offer discounted prices if you _________
  • Pay in advance. Correct: Azure Reservations offer discounted prices on certain Azure products and resources. To get a discount, you reserve products and resources by paying in advance. You can prepay for one or three years' use of certain Azure resources.
  • Provision many resources
  • Have a free account
  • Set Spending Limits

Azure fundamentals AZ900

Practice Exams Summary

  1. An organization that defines standards used by the United States government: NIST

  2. A tool that provides guidance and recommendations on high availability, security, performance, and cost: Azure Advisor

  3. Provides serverless computing functionality: Function Apps

  4. Your company implements ___ to automatically add a watermark to Microsoft Word documents that contain credit card information: Azure Information Protection

  5. What can Azure Information Protection encrypt? Documents and email messages

  6. To what should an application connect to retrieve security tokens? Azure Active Directory (Azure AD)

  7. Support plan that can offer an Architecture Review: Premier Support plan

  8. Service to limit the amount of inbound traffic to all the Azure virtual networks: Azure Firewall

  9. Azure Key Vault is used to store secrets for Azure Active Directory (Azure AD) ___ accounts: administrative and user

  10. If a resource group named RG1 has a delete lock, the delete lock must be removed before an administrator

  11. A platform as a service (PaaS) solution that hosts web apps in Azure provides professional development services to continuously add features to custom applications.

  12. If the resource becomes unavailable for an extended period due to a service outage: automatically credit your account. Microsoft will send you a coupon code that you can redeem for Azure credits.

  13. Azure Germany can be used by: any user or enterprise that requires its data to reside in Germany

  14. You create a new subscription. The virtual machines can be moved to the new subscription.

  15. When you need to delegate permissions to several Azure virtual machines simultaneously, you must deploy the Azure virtual machines to the same resource group

  16. A support plan solution that gives you best practice information, health status and notifications, and 24/7 access to billing information at the lowest possible cost is a Basic support plan.

  17. Service to correlate events from multiple resources into a centralized repository: Azure Log Analytics

  18. Azure Resource Manager provides a common platform for deploying objects to a cloud infrastructure and for implementing consistency across the Azure environment.

  19. You assign an Azure policy specifying that virtual networks are not an allowed resource type in RG1. VNET1 is deleted automatically.

  20. You need to prevent the creation of virtual machines only in RG1: a lock

  21. All the Azure resources deployed to a single resource group can be on different Azure regions.

  22. You need a solution that:
  • Secures websites from attacks
  • Generates reports that contain details of attempted attacks
  What should you include in the solution? DDoS protection

  1. Evaluate whether your company's Azure environment meets regulatory requirements: the Security Center blade in the Azure portal

  2. When planning to migrate a public website to Azure, you must plan to pay monthly usage costs.

  3. Provides organizations with the ability to manage the compliance of Azure resources across multiple subscriptions: Azure Policy

  4. Analyzes where you have historically been spending your money and can track it against budgets you have set: Cost Management

  5. What is required to use Azure Cost Management? Enterprise Agreement (EA)

  6. You need to recommend an Azure solution to limit the types of connections from the web servers to the database servers: NSG

  7. Artificial Intelligence (AI) solution in Azure used to build, test, and deploy predictive analytics solutions: Azure Machine Learning Studio

  8. Enables organizations to configure automated responses to detected suspicious actions related to user identities: Azure Active Directory Identity Protection

  9. Enables you to control the distribution of traffic across your application endpoints: Azure Traffic Manager

  10. Prevent the creation of virtual machines only in RG1: use a lock

  11. If you assign a tag to a resource group, are all the Azure resources in the resource group assigned the same tag? No. Tags are not inherited.

  12. Azure provides flexibility between capital expenditure (CapEx) and operational expenditure (OpEx).

  13. An integrated solution for the deployment of code: Azure DevOps

  14. In which Azure support plans can you open a new support request? Premier, Professional Direct, Standard, and Developer only

  15. Which Azure service should you use from the Azure portal to view service failure notifications? Azure Monitor

  16. You can view which user turned off a specific virtual machine during the last 14 days: Azure Activity Log

  17. You plan to deploy 20 virtual machines to an Azure environment. To ensure that a virtual machine named VM1 cannot connect to the other virtual machines, VM1 must be deployed to a separate resource group.

  18. You plan to map a network drive from several computers that run Windows 10 to Azure Storage. You need to create a storage solution in Azure for the planned mapped drive. What should you create? A Files service in a storage account

  19. You need to recommend an Azure solution to limit the types of connections from the web servers to the database servers. What should you include in the recommendation? Network security groups (NSGs)

  20. An organization that defines international standards across all industries: ISO

  21. A single Microsoft account can be used to manage multiple Azure subscriptions: Yes

  22. A European policy that regulates data privacy and data protection: GDPR

  23. A dedicated public cloud for federal and state agencies in the United States: Azure Government

  24. Detects and diagnoses anomalies in web apps: Azure Application Insights

  25. An Azure service in public preview is released to all Azure customers: Yes

  26. You plan to deploy several Azure virtual machines. You need to ensure that the services running on the virtual machines are available if a single data center fails. Solution: you deploy the virtual machines to two or more availability zones. Does this meet the goal? Yes

  27. A big data analysis service for machine learning: Azure Databricks

  28. Processes data from millions of sensors: Azure IoT Hub

  29. Azure Multi-Factor Authentication (MFA) can be required for administrative and nonadministrative user accounts: Yes

  30. Your company plans to migrate all on-premises data to Azure. You need to identify whether Azure complies with the company's regional requirements. What should you use? The Trust Center

  31. Provides a digital online assistant that provides speech support: Azure AI bot

  32. Uses past training to provide predictions that have high probability: Azure Machine Learning

  33. A simplified tool to build intelligent Artificial Intelligence (AI) applications: Azure Cognitive Services

  34. You plan to store 20 TB of data in Azure. The data will be infrequently and visualized by using Microsoft Power BI. You need to recommend a storage solution for the data. Which two solutions should you recommend? A. Azure Data Lake; C. Azure SQL Data Warehouse (A and C)

  You need a store that:
    • Can add data concurrently from multiple regions
    • Can store JSON
  Answer: Azure Cosmos DB

  35. One of the benefits of Azure SQL Data Warehouse is that high availability is built into the platform.

  36. 20 VMs. To ensure that a virtual machine named VM1 cannot connect to the other virtual machines, VM1 must be deployed to a separate virtual network.

  37. Azure Key Vault is used to store secrets for Azure Active Directory (Azure AD) user accounts.

  38. Most of the time inbound data transfers (data going into Azure datacenters) are free. For outbound data transfers (data going out of Azure datacenters),
