Important: This article is a 20-minute long read, but what should make it worth your while is the fact that it introduces a lot of important Azure / Cloud concepts for starters. So I hope you enjoy it, let’s begin!
Let’s start with the reason why any cloud is a cheaper option than others: Economies of Scale. Economy of scale is the ability to reduce costs and gain efficiency when operating at a larger scale in comparison to operating at a smaller scale. Cloud services offer high availability, fault tolerance, agility, scalability, elasticity, global reach, disaster recovery, security and lots more.
It involves moving away from CapEx (Capital expenditure — server / storage / network upfront costs) into OpEx ( Operational Expenditure — deductible expense on cloud services used). The following diagram shows how with CapEx you are always playing catch up and are either under-provisioned or over-provisioned most of the time, whereas with OpEx model you depend on a cloud service to auto-scale (up or down) and then pay the appropriate costs for rendered services later (no upfront costs).
You need an Azure subscription to start using Azure. An Azure subscription is a logical unit of Azure services that links to an Azure account, which is an identity in Azure Active Directory (Azure AD — will be discussed later) or in a directory that an Azure AD trusts. An account can have one subscription or multiple subscriptions that have different billing models and to which you apply different access-management policies. You usually create subscriptions for different environments, departments / organizational structure, billing models and because of the inherent limits of a single subscription.
A region is a geographical area on the planet containing at least one, but potentially multiple datacenters that are nearby and networked together with a low-latency network. A region is where you deploy your workload. Azure has more global regions than any other cloud provider.
Azure Global regions as of Feb 2020
Each Azure region is always paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away. If a region in a pair was affected by a natural disaster, for instance, services would automatically fail over to the other region in its region pair. Planned Azure updates are rolled out to paired regions one region at a time to minimize downtime and risk of application outage.
Azure has specialized regions that you might want to use when building out your applications for compliance or legal purposes. These include:
- US DoD Central, US Gov Virginia, US Gov Iowa and more: These are physical and logical network-isolated instances of Azure for US government agencies and partners. These datacenters are operated by screened US persons and include additional compliance certifications.
- China East, China North and more: These regions are available through a unique partnership between Microsoft and 21Vianet, whereby Microsoft does not directly maintain the datacenters.
Regions are what you use to identify the location for your resources, but there are two other terms you should also be aware of: geographies and availability zones.
Geography
An Azure geography is a discrete market typically containing two or more regions that preserve data residency and compliance boundaries. Geographies are broken up into the following areas:
- Americas
- Europe
- Asia Pacific
- Middle East and Africa
Availability Zones are physically separate data centers within an Azure region. Each Availability Zone is made up of one or more data centers equipped with independent power, cooling, and networking. You can use Availability Zones to run mission-critical applications and build high-availability into your application architecture by co-locating your compute, storage, networking, and data resources within a zone and replicating in other zones.
Azure services that support Availability Zones fall into two categories:
- Zonal services — you pin the resource to a specific zone (for example, virtual machines, managed disks, IP addresses)
- Zone-redundant services — platform replicates automatically across zones (for example, zone-redundant storage, SQL Database).
Not every region has support for Availability Zones.
Note: Some services or virtual machine features are only available in certain regions, such as specific virtual machine sizes or storage types. There are also some global Azure services that do not require you to select a particular region, such as Microsoft Azure Active Directory, Microsoft Azure Traffic Manager, and Azure DNS.
Tools that are commonly used for day-to-day management and interaction include:
- Azure portal for interacting with Azure via a Graphical User Interface (GUI).
- Azure PowerShell and Azure Command-Line Interface (CLI) for command line and automation-based interactions with Azure. For example, in Azure PowerShell you can use the Connect-AzAccount command to sign in to your account and then use various commands to manage resources, such as the New-AzVM command to create a new VM.
In Azure CLI, you can sign in to Azure using the command az login, create a resource group, then use a command such as:
- Azure Cloud Shell for a web-based command-line interface. You can switch between the two shells, and both support the Azure CLI and Azure PowerShell module. You can create, build, and deploy apps right from this browser-based environment. It’s all persistent as well — you’re prompted to create an Azure Storage Account when you access the Azure Cloud Shell. This storage area is used as your $HOME folder and any scripts or data you place here are kept across sessions. Each subscription has a unique storage account associated with it, so you can keep the data and tools you need specific to each account you manage.
- Azure mobile app for monitoring and managing your resources from your mobile device
- REST API
- Azure SDK
Azure Advisor is a free service built into Azure that provides recommendations on high availability, security, performance, operational excellence, and cost. Advisor analyzes your deployed services and looks for ways to improve your environment across those areas. You can view recommendations in the portal or download them in PDF or CSV format.
SLAs for Azure products and services
There are three key characteristics of SLAs (Service Level Agreement) for Azure products and services:
- Performance Targets — specific to each Azure product or service.
- Uptime and Connectivity Guarantees — A typical SLA specifies performance-target commitments that range from 99.9 percent (“three nines”) to 99.999 percent (“five nines”), for each corresponding Azure product or service.
- Service credits — SLAs also describe how Microsoft will respond if an Azure product or service fails to perform to its governing SLA’s specification. For example, customers may have a discount applied to their Azure bill as compensation for an under-performing Azure product or service: if the monthly uptime for Azure VMs goes down below 95%, the customer is entitled to a 100% discount.
When combining SLAs across different service offerings, the resultant SLA is called a Composite SLA. Consider an App Service web app that writes to Azure SQL Database. These Azure services currently have the following SLAs: App Service 99.95 percent and Azure SQL Database 99.99 percent.
The composite SLA value for this application is:
99.95 percent × 99.99 percent = 99.94 percent
This means the combined probability of failure is higher than the individual SLA values. You can improve the composite SLA by creating independent fallback paths. For example, if the SQL Database is unavailable, you can put transactions into a queue for processing at a later time.
If the expected percentage of time for a simultaneous failure of the Database and the Queue is 0.0001 × 0.001, the composite SLA for this combined path of a database or queue would be:
1.0 − (0.0001 × 0.001) = 99.99999 percent
Therefore, if we add the queue to our web app, the total composite SLA is:
99.95 percent × 99.99999 percent = ~99.95 percent
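The composite SLA arithmetic above, carried through as a small Python calculator (an added example, not code from the original article). It generalizes the two rules the article uses to any number of components: services in series multiply their availabilities, while independent fallback paths multiply their failure probabilities. The 99.9 percent queue SLA is an assumption implied by the article's 0.001 failure term, and the 30-day month used for the downtime budget is constructed.

```python
from math import prod

MINUTES_PER_MONTH = 30 * 24 * 60  # constructed: 30-day month as the downtime budget period

def series_sla(*slas):
    """Composite SLA of components that must ALL be available (web app -> database).
    Availabilities multiply, so the result is below the weakest single SLA."""
    return prod(slas)

def fallback_sla(*slas):
    """Composite SLA of independent fallback paths (database OR queue).
    The path is down only when every member fails at once, so the failure
    probabilities multiply and availability is 1 minus that product."""
    return 1.0 - prod(1.0 - s for s in slas)

def downtime_minutes(sla, period=MINUTES_PER_MONTH):
    """Unavailability an SLA permits over the period, in minutes."""
    return (1.0 - sla) * period

APP_SERVICE = 0.9995    # 99.95 percent, the article's App Service figure
SQL_DATABASE = 0.9999   # 99.99 percent, the article's SQL Database figure
QUEUE = 0.999           # 99.9 percent, assumed: implied by the article's 0.001 failure term

def web_app_without_fallback():
    """Web app -> SQL Database only: 99.95 x 99.99 = 99.94 percent."""
    return series_sla(APP_SERVICE, SQL_DATABASE)

def web_app_with_fallback():
    """Web app -> (SQL Database OR queue): 99.95 x 99.99999 = ~99.95 percent."""
    return series_sla(APP_SERVICE, fallback_sla(SQL_DATABASE, QUEUE))

if __name__ == "__main__":
    for label, sla in [("database only", web_app_without_fallback()),
                       ("database or queue", web_app_with_fallback())]:
        print(f"{label}: {sla * 100:.5f} percent, "
              f"{downtime_minutes(sla):.1f} minutes of downtime per month")
```

The downtime figure is the practical reading of an SLA: 99.95 percent still allows about 21.6 minutes of unavailability in a 30-day month, which is what the queue fallback buys back from the database dependency.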
Important: You can use SLAs to evaluate how well your Azure solutions meet business requirements and the needs of your clients and users. By creating your own SLAs, you can set performance targets to suit your specific Azure application. This approach is known as an Application SLA. When designing your architecture you need to design for resiliency, and you should perform a Failure Mode Analysis (FMA). The goal of an FMA is to identify possible points of failure and to define how the application will respond to those failures.
Services
Not all Azure Services are depicted here
As computing environments move from customer-controlled datacenters to the cloud, the responsibility of security also shifts. Security of the operational environment is now a concern shared by both cloud providers and customers.
The shared responsibility is broken down across multiple aspects, shown on the left, that are shared between the cloud provider (Microsoft) and the customer as shown below. Here IaaS stands for Infrastructure as a Service (Azure VM), PaaS stands for Platform as a Service (App Service) and SaaS stands for Software as a Service (MS 365). Thus, the more SaaS offerings you use, the less responsibility you have for the overall security posture of your system. This shows, however, that even with the adoption of cloud you continue to be responsible for the security of your data, endpoints, access and account management.
Another concept to be aware of in security is Defense in depth, which basically means that you employ security entities at each layer, from physical to logical. Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure.
To provide inbound protection at the perimeter, you have several choices.
- Azure Firewall is a managed, cloud-based, network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. Azure Firewall provides inbound protection for non-HTTP/S protocols. Examples of non-HTTP/S protocols include: Remote Desktop Protocol (RDP), Secure Shell (SSH), and File Transfer Protocol (FTP). It also provides outbound, network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.
- Azure Application Gateway is a load balancer that includes a Web Application Firewall (WAF) that provides protection from common, known vulnerabilities in websites. It is designed to protect HTTP traffic.
- Network virtual appliances (NVAs) are ideal options for non-HTTP services or advanced configurations, and are similar to hardware firewall appliances.
A great place to start when examining the security of your Azure-based solutions is Azure Security Center. Security Center is a monitoring service that provides threat protection across all of your services both in Azure, and on-premises.
Azure provides services to manage both authentication and authorization through Azure Active Directory (Azure AD). Azure AD is a cloud-based identity service. It has built-in support for synchronizing with your existing on-premises Active Directory or can be used stand-alone. This means that all your applications, whether on-premises, in the cloud (including Office 365), or even mobile can share the same credentials. It also provides SSO (Single Sign-On), B2B and B2C identity services.
Important: For authentication and authorization, there are certain key terms you need to be aware of: Identity, Principal and Service principal. An identity is just a thing that can be authenticated, which can be a user or even an application or a service. A principal is an identity acting with certain roles or claims. A service principal is an identity that is used by a service or application and like other identities, it can be assigned roles.
Roles are sets of permissions, like “Read-only” or “Contributor”, that users can be granted to access an Azure service instance. Identities are mapped to roles directly or through group membership. Roles can be granted at the individual service instance level, but they also flow down the Azure Resource Manager hierarchy. Roles assigned at a higher scope, like an entire subscription, are inherited by child scopes, like service instances. This process of performing access control based on roles is called Role-Based Access Control (RBAC).
Azure Storage Service Encryption and Azure Disk Encryption are used for encryption of data at rest for physical and virtual hard disks respectively. Transparent data encryption (TDE) helps protect Azure SQL Database and Azure Synapse Analytics against the threat of malicious activity. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.
Azure Key Vault is used to protect secrets, passwords, certificates and perform key management. Because Azure AD identities can be granted access to use Azure Key Vault secrets, applications with managed service identities enabled can automatically and seamlessly acquire the secrets they need.
Governance and Compliance
Azure Policy is the primary service used for IT compliance. It is used to create, assign, and manage policies that enforce different rules and effects over your resources so that those resources stay compliant with your corporate standards and service level agreements. For example, you might have a policy that allows virtual machines of only a certain size in your environment.
Requests to create or update a resource through Azure Resource Manager are evaluated by Azure Policy first. Azure Policy can audit all the existing resources in our organization to ensure our policy is enforced. It can audit non-compliant resources, alter the resource properties, or stop the resource from being created.
RBAC vs. Azure Policy: As mentioned earlier, RBAC focuses on user actions at different scopes. You might be added to the contributor role for a resource group, allowing you to make changes to anything in that resource group. Azure Policy focuses on resource properties during deployment and for already-existing resources. Azure Policy controls properties such as the types or locations of resources. Unlike RBAC, Azure Policy is a default-allow-and-explicit-deny system.
Example and common policy definitions:
Policy assignment — To apply a policy, we can use the Azure portal, Azure CLI or Azure PowerShell by first adding the Microsoft.PolicyInsights extension and then assigning the policy defined to a particular scope. This scope could range from a full subscription down to a resource group.
Policy assignments are inherited by all child resources. This inheritance means that if a policy is applied to a resource group, it is applied to all the resources within that resource group. However, you can exclude a subscope from the policy assignment. For example, we could enforce a policy for an entire subscription and then exclude a few select resource groups.
Each policy definition in Azure Policy has a single effect. That effect determines what happens when the associated policy rule is matched.
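To make the three mechanics above concrete (an assignment at subscription scope that is inherited by child scopes unless excluded, a rule built from allOf / not / in / equals conditions, and the single effect that decides between blocking and merely flagging a request), here is a toy evaluator written for this article; it is not Azure Policy's code. The policy definition follows the real rule syntax, including the Microsoft.Compute/virtualMachines/sku.name alias, but parameter handling is simplified (values are passed on the assignment as plain lists), the subscription id is a placeholder, and all resource requests are constructed.

```python
import json

# Constructed policy definition, shaped like a real Azure Policy rule but
# simplified: parameter values are supplied on the assignment as plain lists.
ALLOWED_VM_SIZES = {
    "displayName": "Allowed virtual machine sizes (constructed example)",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                     "in": "[parameters('allowedSizes')]"}},
        ]},
        "then": {"effect": "deny"},   # one effect per definition
    },
}

SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id

# Assignment at subscription scope with one resource group excluded, the
# article's "enforce for a whole subscription, exclude a few select groups" case.
ASSIGNMENTS = [{
    "definition": ALLOWED_VM_SIZES,
    "parameters": {"allowedSizes": ["Standard_B2s", "Standard_D2s_v3"]},
    "scope": SUBSCRIPTION,
    "notScopes": [SUBSCRIPTION + "/resourceGroups/rg-sandbox"],
}]

def resolve(value, params):
    """Expand the [parameters('name')] reference syntax used in policy rules."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value

def matches(cond, resource, params):
    """Recursively evaluate a policy condition against a resource's properties."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = resource.get(cond["field"])
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    raise ValueError(f"unsupported condition: {cond}")

def under(child, parent):
    """True when child is the parent scope itself or nested below it."""
    return child == parent or child.startswith(parent + "/")

def applies(resource_scope, assignment):
    """Assignments are inherited by child scopes unless the scope is excluded."""
    if not under(resource_scope, assignment["scope"]):
        return False
    return not any(under(resource_scope, ex) for ex in assignment.get("notScopes", []))

def evaluate(resource, assignments=ASSIGNMENTS):
    """Outcome of a create/update request: 'allowed', 'denied' or 'non-compliant'.
    Azure Policy is default-allow: a request is only stopped by an explicit deny."""
    outcome = "allowed"
    for a in assignments:
        if not applies(resource["scope"], a):
            continue
        rule = a["definition"]["policyRule"]
        if matches(rule["if"], resource, a.get("parameters", {})):
            effect = rule["then"]["effect"].lower()
            if effect == "deny":
                return "denied"            # request is blocked outright
            if effect == "audit":
                outcome = "non-compliant"  # created, but flagged in the compliance view
    return outcome

def with_effect(definition, effect):
    """Copy of a definition with its single effect swapped (e.g. deny -> audit)."""
    copy = json.loads(json.dumps(definition))
    copy["policyRule"]["then"]["effect"] = effect
    return copy

def vm_request(resource_group, size):
    """Constructed create request for a VM in a resource group of the subscription."""
    return {"type": "Microsoft.Compute/virtualMachines",
            "Microsoft.Compute/virtualMachines/sku.name": size,
            "scope": f"{SUBSCRIPTION}/resourceGroups/{resource_group}"}
```

Swapping the effect with with_effect(ALLOWED_VM_SIZES, "audit") shows the difference the article describes: the oversized VM is then created and reported as non-compliant instead of being rejected, and a request in the excluded rg-sandbox group is never evaluated at all.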
Initiatives — Managing a few policy definitions is easy, but once you have more than a few, you will want to organize them. That’s where initiatives come in. An initiative definition is a set or group of policy definitions to help track your compliance state for a larger goal. Similar to a policy assignment, an initiative assignment is an initiative definition assigned to a specific scope.
Azure Management Groups — They are logical containers for managing access, policies, and compliance across multiple Azure subscriptions. Management groups allow you to order your Azure resources hierarchically into collections, which provide a further level of classification that is above the level of subscriptions. All subscriptions within a management group automatically inherit the conditions applied to the management group. For the first management group, a root management group is created in the Azure Active Directory (Azure AD) organization.
Any Azure AD user in the organization can create a management group. The creator is given an Owner role assignment. A single Azure AD organization can support 10,000 management groups.
Azure Blueprints — It enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements. Azure Blueprints is a declarative way to orchestrate the deployment of various resource templates and other artifacts, such as:
- Role assignments
- Policy assignments
- Azure Resource Manager templates
- Resource groups
With Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing of deployments.
Compute
Compute services are often one of the primary reasons why companies move to the Azure platform.
Scaling VMs in Azure — Azure provides multiple features to meet your scaling needs.
- Availability sets — An availability set is a logical grouping of two or more VMs that helps keep your application available during planned (security updates, platform upgrades etc.) or unplanned (power outage, disk failure etc.) maintenance. Availability sets provide up to three fault domains (a fault domain represents a group of virtual machines that share a common power source and network switch), each of which has a server rack with dedicated power and network resources, and five logical update domains (an update domain is a group of VMs and underlying hardware that can be updated and rebooted at the same time), which can be increased to a maximum of 20. The diagram on the right shows an example where you have six VMs in two availability sets distributed across the two fault domains and five update domains.
- Virtual machine scale sets — They let you create and manage a group of identical, load balanced VMs. Scale sets allow you to centrally manage, configure, and update a large number of VMs in minutes to provide highly available applications. The number of VM instances can automatically increase or decrease in response to demand or a defined schedule.
- Azure Batch — It enables large-scale job scheduling and compute management with the ability to scale to tens, hundreds, or thousands of VMs.
Migrating apps to containers
You can move existing applications to containers and run them within AKS. You can control access via integration with Azure Active Directory (Azure AD) and access Service Level Agreement (SLA)–backed Azure services, such as Azure Database for MySQL for any data needs, via Open Service Broker for Azure (OSBA).
The preceding figure depicts this process as follows:
- You convert an existing application to one or more containers and then publish one or more container images to the Azure Container Registry.
- By using the Azure portal or the command line, you deploy the containers to an AKS cluster.
- Azure AD controls access to AKS resources.
- You access SLA-backed Azure services, such as Azure Database for MySQL, via OSBA.
- Optionally, AKS is deployed with a virtual network.
Networking functionality in Azure includes a range of options to connect the outside world to services and features in the global Microsoft Azure datacenters.
Load Balancer vs. Traffic Manager
Azure Load Balancer distributes traffic within the same region to make your services more highly available and resilient. Traffic Manager works at the DNS level, and directs the client to a preferred endpoint. This endpoint can be in the region that’s closest to your user.
Load Balancer and Traffic Manager both help make your services more resilient, but in slightly different ways. When Load Balancer detects an unresponsive VM, it directs traffic to other VMs in the pool. Traffic Manager monitors the health of your endpoints. When Traffic Manager finds an unresponsive endpoint, it directs traffic to the next closest endpoint that is responsive.
Storage
These services all share several common characteristics:
- Durable and highly available with redundancy and replication.
- Secure through automatic encryption and role-based access control.
- Scalable with virtually unlimited storage.
- Managed, handling maintenance and any critical problems for you.
- Accessible from anywhere in the world over HTTP or HTTPS.
Database
Azure provides multiple database services to store a wide variety of data types and volumes.
Web
Azure includes first-class support to build and host web apps and HTTP-based web services.
IoT
There are a number of services that can assist and drive end-to-end solutions for IoT on Azure.
Big Data
Microsoft Azure supports a broad range of technologies and services to provide big data and analytic solutions.
AI
Cognitive Services are pre-built APIs you can leverage in your applications to solve complex problems like speech recognition etc.
There is also the option to build your own models using the following products.
DevOps
Azure DevOps Services allows you to create build and release pipelines that provide continuous integration, delivery, and deployment for your applications.
Monitoring
Azure Monitor — It is a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. Azure Monitor can collect data from a variety of sources such as:
It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on. It includes various features such as:
- Autoscale — ensures that you have the right amount of resources running to manage the load on your application effectively. Autoscale enables you to create rules that use metrics, collected by Azure Monitor, to determine when to automatically add/remove resources to handle increases / decreases in load.
- Alerts — proactively notifies you of critical conditions using alerts, and can potentially attempt to take corrective actions. Alert rules based on metrics can provide alerts in almost real-time, based on numeric values.
- Application Insights — monitors the availability, performance, and usage of your web applications, whether they’re hosted in the cloud or on-premises. It leverages the powerful data analysis platform in Log Analytics to provide you with deeper insights into your application’s operations.
- Azure Monitor for containers — monitors the performance of container workloads, which are deployed to managed Kubernetes clusters, hosted on Azure Kubernetes Service (AKS).
- Azure Monitor for VMs — monitors your Azure VMs at scale, by analyzing the performance and health of your Windows and Linux VMs (including their different processes and interconnected dependencies on other resources, and external processes), be it in the cloud or on-premises.
Azure Service Health — provides personalized guidance and support when issues with Azure services affect you. Azure Service Health is composed of Azure Status (global view of the health state of Azure services), Service Health (customizable dashboard that tracks the state of your Azure services in the regions where you use them) and Resource Health (diagnose and obtain support when an Azure service issue affects your resources).
Billing
Depending on your needs, you can set up multiple invoices within the same billing account. To do this, create additional billing profiles. Each billing profile has its own monthly invoice and payment method.
The following diagram shows an overview of how billing is structured. If you’ve previously signed up for Azure or if your organization has an Enterprise Agreement, your billing might be set up differently.
Azure support plans
All Azure customers can access billing, quota, and subscription-management support. The availability of support for other issues depends on the support plan you have.
Azure community support
You gotta know!
- Resource locks are a setting that can be applied to any resource to block modification or deletion. Resource locks can be set to either Delete or Read-only. Delete will allow all operations against the resource but block the ability to delete it. Read-only will only allow read activities to be performed against it, blocking any modification or deletion of the resource.
- The cost of Azure products, services, and resources can vary across locations and regions, and if possible, you should use them in those locations and regions where they cost less.
- When you provision an Azure resource, Azure creates one or more meter instances for that resource. The meters track the resources’ usage, and generate a usage record that is used to calculate your bill.
- PaaS services typically provide substantial savings in both resource and operational costs compared with IaaS. The challenge is that, depending on the type of service, varying levels of effort will be required to move to these services, from both a time and resource perspective.
- Trust Center is a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services.
- The Service Trust Portal (STP) hosts the Compliance Manager service, and is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft’s cloud services.
- Microsoft privacy statement explains what personal data Microsoft processes, how Microsoft processes it, and for what purposes.
- Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps organizations classify and optionally protect documents and emails by applying labels. Labels can be applied automatically based on rules and conditions. Labels can also be applied manually. You can also guide users to choose recommended labels with a combination of automatic and manual steps.
- Azure Advanced Threat Protection (Azure ATP) is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Azure ATP is capable of detecting known malicious attacks and techniques, security issues, and risks against your network.
- Compliance Manager is a workflow-based risk assessment dashboard within the Service Trust Portal that enables you to track, assign, and verify your organization’s regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure.
- Azure Hybrid Benefit and BYOL (Bring your own license) allows you to use your existing Windows Server or SQL Server licenses on Azure.
- The Enterprise Dev/Test and Pay-As-You-Go (PAYG) Dev/Test offers are a benefit you can take advantage of to save costs on your non-production environments. This benefit gives you several discounts, most notably for Windows workloads, eliminating license charges and only billing you at the Linux rate for virtual machines.
- With Azure Preview Features, you can test beta and other pre-release features, products, services, software, and regions. There are two types of previews available: private preview which is available to specific Azure customers for evaluation purposes and is typically by invitation only, and public preview which is available to all Azure customers for evaluation purposes.
- Azure allows you to have more than one subscription associated with one directory. On the Directory + subscription pane, you can change between subscriptions. Here, you can change your subscription or change to another directory.
- For outbound data transfers (data going out of Azure datacenters), the data transfer pricing is based on Billing Zones (not the same as Availability zones). In most zones, the first outbound 5 gigabytes (GB) per month are free. After that amount, you are billed a fixed price per GB.