Azure AZ-900
There are three main customer types on which the available purchasing options for Azure products and services is contingent, including:
• Enterprise. Enterprise customers sign an Enterprise Agreement with Azure that commits them to spending a negotiated amount on Azure services, which they typically pay annually. Enterprise customers also have access to customized Azure pricing. • Web direct. Web direct customers pay public prices for Azure resources, and their monthly billing and payments occur through the Azure website. • Cloud Solution Provider. Cloud Solution Provider (CSP) typically are Microsoft partner companies that a customer hires to build solutions on top of Azure. Payment and billing for Azure usage occurs through the customer's CSP.
You might want to create additional subscriptions for resource or billing management purposes. For example, you might choose to create additional subscriptions to separate:
• Environments: When managing your resources, you can choose to create subscriptions to set up separate environments for development and testing, security, or to isolate data for compliance reasons. This is particularly useful because resource access control occurs at the subscription level. • Organizational structures: You can create subscriptions to reflect different organizational structures. For example, you could limit a team to lower-cost resources, while allowing the IT department a full range. This design allows you to manage and control access to the resources that users provision within each subscription. • Billing: You might want to also create additional subscriptions for billing purposes. Because costs are first aggregated at the subscription level, you might want to create subscriptions to manage and track costs based on your needs. For instance, you might want to create a subscription for your production workloads and another subscription for your development and testing workloads. You might also need additional subscriptions due to: • Subscription limits: Subscriptions are bound to some hard limitations. For example, the maximum number of Express Route circuits per subscription is 10. Those limits should be considered as you create subscriptions on your account. If there is a need to go over those limits in particular scenarios, then you might need additional subscriptions.
Azure Security Center is available in two tiers:
• Free. Available as part of your Azure subscription, this tier is limited to assessments and recommendations of Azure resources only. • Standard. This tier provides a full suite of security-related services including continuous monitoring, threat detection, just-in-time access control for ports, and more.
With Azure Advisor, you can:
• Get proactive, actionable, and personalized best practices recommendations. • Improve the performance, security, and high availability of your resources as you identify opportunities to reduce your overall Azure costs. • Get recommendations with proposed actions inline.
Azure AD is intended for:
• IT administrators. Administrators can use Azure AD to control access to apps and their resources, based on your business requirements. • App developers. Developers can use Azure AD to provide a standards-based approach for adding functionality to applications that you build, such as adding Single-Sign-On functionality to an app, or allowing an app to work with a user's pre-existing credentials and other functionality. • Microsoft 365, Microsoft Office 365, Azure, or Microsoft Dynamics CRM Online subscribers. These subscribers are already using Azure AD. Each Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is automatically an Azure AD tenant. You can immediately start to manage access to your integrated cloud apps using Azure AD.
The Trust Center site provides:
• In-depth information about security, privacy, compliance offerings, policies, features, and practices across Microsoft cloud products. • Recommended resources in the form of a curated list of the most applicable and widely used resources for each topic. • Information specific to key organizational roles, including business managers, tenant admins or data security teams, risk assessment and privacy officers, and legal compliance teams. • Cross-company document search, which is coming soon and will enable existing cloud service customers to search the Service Trust Portal. • Direct guidance and support for when you can't find what you're looking for.
You can manage and apply the following resources at resource group level:
• Metering and billing • Policies • Monitoring and alerts • Quotas • Access control
Key features of Azure App Service
• Multiple languages and frameworks. App Service has first-class support for ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python. You can also run PowerShell and other scripts or executables as background services. • DevOps optimization. Set up continuous integration and deployment with Azure DevOps, GitHub, BitBucket, Docker Hub, or Azure Container Registry. Promote updates through test and staging environments. Manage your apps in App Service by using Azure PowerShell or the cross-platform command-line interface (CLI). • Global scale with high availability. Scale up or out manually or automatically. Host your apps anywhere in Microsoft's global datacenter infrastructure, and the App Service SLA promises high availability. • Connections to SaaS platforms and on-premises data. Choose from more than 50 connectors for enterprise systems (such as SAP), SaaS services (such as Salesforce), and internet services (such as Facebook). Access on-premises data using Hybrid Connections and Azure Virtual Networks. • Security and compliance. App Service is ISO, SOC, and PCI compliant. Authenticate users with Azure Active Directory or with social login (Google, Facebook, Twitter, and Microsoft). Create IP address restrictions and manage service identities. • Application templates. Choose from an extensive list of application templates in the Azure Marketplace, such as WordPress, Joomla, and Drupal. • Visual Studio integration. Dedicated tools in Visual Studio streamline the work of creating, deploying, and debugging. • API and mobile features. App Service provides turn-key CORS support for RESTful API scenarios, and simplifies mobile app scenarios by enabling authentication, offline data sync, push notifications, and more. • Serverless code. Run a code snippet or script on-demand without having to explicitly provision or manage infrastructure, and pay only for the compute time your code actually uses.
There are some limitations with using tags, such as:
• Not all resource types support tags. • Each resource or resource group can have a maximum of 50 tag name/value pairs. Currently, storage accounts only support 15 tags, but that limit will be raised to 50 in a future release. If you need to apply more tags than the maximum allowed number, use a JSON string for the tag value. The JSON string can contain many values that are applied to a single tag name. A resource group can contain many resources that each have 50 tag name/value pairs. • The tag name is limited to 512 characters, and the tag value is limited to 256 characters. For storage accounts, the tag name is limited to 128 characters, and the tag value is limited to 256 characters. • Virtual Machines and Virtual Machine Scale Sets are limited to a total of 2048 characters for all tag names and values. • Tags applied to the resource group are not inherited by the resources in that resource group.
Things to know about regional pairs:
• Physical isolation. When possible, Azure prefers at least 300 miles of separation between datacenters in a regional pair, although this isn't practical or possible in all geographies. Physical datacenter separation reduces the likelihood of natural disasters, civil unrest, power outages, or physical network outages affecting both regions at once. • Platform-provided replication. Some services such as Geo-Redundant Storage provide automatic replication to the paired region. •Region recovery order. In the event of a broad outage, recovery of one region is prioritized out of every pair. Applications that are deployed across paired regions are guaranteed to have one of the regions recovered with priority. •Sequential updates. Planned Azure system updates are rolled out to paired regions sequentially (not at the same time) to minimize downtime, the effect of bugs, and logical failures in the rare event of a bad update.
The options that you can configure in the Pricing Calculator vary between products, but basic configuration options include:
• Region. Lists the regions from which you can provision a product. Southeast Asia, central Canada, the western United States, and Northern Europe are among the possible regions available for some resources. • Tier. Sets the type of tier you wish to allocate to a selected resource, such as Free Tier, Basic Tier, etc. • Billing Options. Highlights the billing options available to different types of customer and subscriptions for a chosen product. • Support Options: Allows you to pick from included or paid support pricing options for a selected product. • Programs and Offers. Allows you to choose from available price offerings according to your customer or subscription type. • Azure Dev/Test Pricing. Lists the available development and test prices for a product. Dev/Test pricing applies only when you run resources within an Azure subscription that is based on a Dev/Test offer.
Key Vault Usage scenarios
• Secrets management. You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets. • Key management. You also can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys used to encrypt your data. • Certificate management. Key Vault lets you provision, manage, and deploy your public and private Secure Sockets Layer/ Transport Layer Security (SSL/ TLS) certificates for your Azure, and internally connected, resources more easily. • Store secrets backed by hardware security modules (HSMs). The secrets and keys can be protected either by software, or by FIPS 140-2 Level 2 validated HSMs.
Semi-structured data
• Semi-structured data is less organized than structured data. • Semi-structured data is not stored in a relational format, meaning the fields do not neatly fit into tables, rows, and columns. • Semi-structured data contains tags that make the organization and hierarchy of the data apparent. • Semi-structured data is also known as non-relational or NoSQL data. • Examples of semi-structured data include books, blogs, and HTML documents.
Blob storage is ideal for:
• Serving images or documents directly to a browser. • Storing files for distributed access. • Streaming video and audio. • Storing data for backup and restore, disaster recovery, and archiving • Storing data for analysis by an on-premises or Azure-hosted service.
Unstructured data
• Unstructured data has no designated structure. • Unstructured data can hold any kind of data. • Unstructured data is becoming more prominent as businesses try to tap into new data sources. • Examples of unstructured data include a PDF document, a JPG image, a JSON file, and video content.
DDoS standard protection can mitigate the following types of attacks:
• Volumetric attacks. The attack's goal is to flood the network layer with a substantial amount of seemingly legitimate traffic. • Protocol attacks. These attacks render a target inaccessible, by exploiting a weakness in the layer 3 and layer 4 protocol stack. • Resource (application) layer attacks. These attacks target web application packets to disrupt the transmission of data between hosts.
Structured data
•Structured data is data that adheres to a schema, so all the data has the same fields or properties. • Structured data can be stored in a database table with rows and columns. • Structured data relies on keys to indicate how one row in a table relates to data in another row of another table. • Structured data is also known as relational data. The data's schema defines the table of data, the fields in the table, and the clear relationship between the two. • Structured data is easy to enter, query, and analyze because all the data follows the same format. • Examples of structured data include sensor data or financial data.
DevOps
(Development and Operations) brings together people, processes, and technology, automating software delivery to provide continuous value to your users. Azure DevOps Services allows you to create, build, and release pipelines that provide continuous integration, delivery, and deployment for your applications. You can integrate repositories and application tests, perform application monitoring, and work with build artifacts.
Service-Level Agreements
(SLAs) capture the specific terms that define the performance standards that apply to Azure. Defines performance targets for an Azure product or service. For example, performance targets for some Azure services are expressed in terms of uptime or connectivity rates. A typical SLA specifics performance-target commitments that range from 99.9 percent ("three nines") to 99.99 percent ("four nines"). This means the combined value is lower than the individual SLA values, meaning higher probability of failure. This isn't surprising, because an application that relies on multiple services has more potential failure points.
Resource groups
A resource group is a logical container into which Azure resources like web apps, databases, and storage accounts are deployed and managed.
Subscriptions
A subscription groups together user accounts and the resources that have been created by those user accounts. For each subscription, there are limits or quotas on the amount of resources you can create and use. Organizations can use subscriptions to manage costs and the resources that are created by users, teams, or projects.
Multi-Tier Cloud Security (MTCS) Singapore
After rigorous assessments conducted by the MTCS Certification Body, Microsoft cloud services received MTCS 584:2013 Certification across all three service classifications—Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and SaaS. Microsoft was the first global cloud solution provider (CSP) to receive this certification across all three classifications.
Public preview
An Azure feature is available to all Azure customers for evaluation purposes.
Private preview
An Azure feature is available to certain Azure customers for evaluation purposes.
Azure Monitor features can be organized into four categories, these categories are:
Analyze, Respond, Visualize and Integrate.
Criminal Justice Information Service (CJIS)
Any US state or local agency that wants to access the FBI's Criminal Justice Information Services (CJIS) database is required to adhere to the CJIS Security Policy. Azure is the only major cloud provider that contractually commits to conformance with the CJIS Security Policy, which commits Microsoft to adhering to the same requirements that law enforcement and public safety entities must meet.
Azure Advanced Threat Protection (ATP) cloud service
Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the United States, Europe, and Asia. Azure ATP cloud service is connected to Microsoft's intelligent security graph.
Azure Advanced Threat Protection (ATP) portal
Azure ATP has its own portal, through which you can monitor and respond to suspicious activity. The Azure ATP portal allows you to create your Azure ATP instance, and view the data received from Azure ATP sensors. You can also use the portal to monitor, manage, and investigate threats in your network environment.
Azure Advanced Threat Protection (ATP) sensor
Azure ATP sensors are installed directly on your domain controllers. The sensor monitors domain controller traffic without requiring a dedicated server or configuring port mirroring.
Azure Advanced Threat Protection components
Azure Advanced Threat Protection (ATP) portal Azure Advanced Threat Protection (ATP) sensor Azure Advanced Threat Protection (ATP) cloud service
Azure Distributed Denial of Service (DDoS) protection service tiers
Azure DDoS Protection provides the following service tiers: • Basic. The Basic service tier is automatically enabled as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft's online services use. Azure's global network is used to distribute and mitigate attack traffic across regions. • Standard. The Standard service tier provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources. DDoS Protection Standard is simple to enable and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are applied to public IP addresses which are associated with resources deployed in virtual networks, such as Azure Load Balancer and Application Gateway.
Access control boundary
Azure will apply access-management policies at the subscription level, and you can create separate subscriptions to reflect different organizational structures. An example is that within a business, you have different departments to which you apply distinct Azure subscription policies. This allows you to manage and control access to the resources that users provision with specific subscriptions.
Cloud Security Alliance (CSA) STAR Certification
Azure, Intune, and Microsoft Power BI have obtained STAR Certification, which involves a rigorous independent third-party assessment of a cloud provider's security posture. The STAR certification is based on achieving ISO/IEC 27001 certification and meeting criteria specified in the CCM. It demonstrates that a cloud service provider conforms to the applicable requirements of ISO/IEC 27001, has addressed issues critical to cloud security as outlined in the CCM, and has been assessed against the STAR Capability Maturity Model for the management of activities in CCM control areas.
Billing Structure
Billing account > Billing Profile > Invoice Section > Azure Subscription
There are mainly three aspects to consider in relation to creating and managing subscriptions:
Billing, Access Control, and Subscription limits. • Billing: Reports can be generated by subscriptions, if you have multiple internal departments and need to do "chargeback", a possible scenario is to create subscriptions by department or project. • Access Control: A subscription is a deployment boundary for Azure resources and every subscription is associated with an Azure AD tenant that provides administrators the ability to set up role-based access control (RBAC). When designing a subscription model, one should consider the deployment boundary factor, some customers have separate subscriptions for Development and Production, each one is isolated from each other from a resource perspective and managed using RBAC. • Subscription Limits: Subscriptions are also bound to some hard limitations. For example, the maximum number of Express Route circuits per subscription is 10. Those limits should be considered during the design phase, if there is a need to go over those limits in particular scenarios, then additional subscriptions may be needed. If you hit a hard limit, there is no flexibility.
Security
Cloud providers offer a broad set of policies, technologies, controls, and expert technology skills that can provide better security than most organizations can otherwise achieve. The result is strengthened security, which helps to protect data, apps, and infrastructure from potential threats.
Technical skill requirements and considerations
Cloud services can provide and manage hardware and software for workloads. Getting a workload up and running with cloud services demands less technical resources than having IT teams build and maintain a physical infrastructure for handling the same workload. A user can be an expert in the application they want to run without requiring skills to build and maintain the underlying hardware and software infrastructure.
Cloud computing services
Compute power - such as Linux servers or web applications. Storage - such as files and databases. Networking - such as secure connections between the cloud provider and your company. Analytics - such as visualizing telemetry and performance data.
microservice architecture
Containers are often used to create solutions using a microservice architecture. This architecture is where you break solutions into smaller, independent pieces. For example, you may split a website into a container hosting your front end, another hosting your back end, and a third for storage. This split allows you to separate portions of your app into logical sections that can be maintained, scaled, or updated independently.
Search
Enable apps and services to harness the power of a web-scale, ad-free search engine. Use search services to find information across billions of web pages, images, videos, and news search results.
Availability
Ensure services are available to authorized users. Denial of service attacks are a prevalent cause of loss of availability to users.
Fault domains (Availability Sets)
Fault domains provide for the physical separation of your workload across different hardware in the datacenter. This includes power, cooling, and network hardware that supports the physical servers located in server racks. In the event the hardware that supports a server rack becomes unavailable, only that rack of servers would be affected by the outage.
What happens at the end of the 12 months of free products?
For 12 months after you upgrade your account, certain amounts of popular products for compute, networking, storage, and databases are free. After 12 months, any of these products you may be using will continue to run, and you'll be billed at the standard pay-as-you-go rates.
Usage meters
For example, a single virtual machine that you provision in Azure might have the following meters tracking its usage: • Compute Hours • IP Address Hours • Data Transfer In • Data Transfer Out • Standard Managed Disk • Standard Managed Disk Operations • Standard IO-Disk • Standard IO-Block Blob Read • Standard IO-Block Blob Write • Standard IO-Block Blob Delete
Customer latency capabilities
If customers are experiencing slowness with a particular cloud service, they are said to be experiencing some latency. Even though modern fiber optics are fast, it can still take time for services to react to customer actions if the service is not local to the customer. Cloud services have the ability to deploy resources in datacenters around the globe, which addresses any customer latency issues.
What is a microservice?
Imagine your website backend has reached capacity but the front end and storage aren't being stressed. You could scale the back end separately to improve performance, or you could decide to use a different storage service. Or you could even replace the storage container without affecting the rest of the application.
Data
In almost all cases, attackers are after data: • Stored in a database • Stored on disk inside virtual machines • Stored on a SaaS application such as Microsoft 365 • Stored in cloud storage It's the responsibility of those storing and controlling access to data to ensure that it's properly secured. Often, there are regulatory requirements that dictate the controls and processes that must be in place to ensure the confidentiality, integrity, and availability of the data.
IaaS
Infrastructure as a Service. requires the most user management of all the cloud services. The user is responsible for managing the operating systems, data, and applications.
International Organization of Standards/International Electrotechnical Commission (ISO/IEC) 27018
Microsoft is the first cloud provider to have adopted the ISO/IEC 27018 code of practice, covering the processing of personal information by cloud service providers.
European Union (EU) Model Clauses
Microsoft offers customers EU Standard Contractual Clauses that provide contractual guarantees around transfers of personal data outside of the EU. Microsoft is the first company to receive joint approval from the EU's Article 29 Working Party that the contractual privacy protections Azure delivers to its enterprise cloud customers meet current EU standards for international transfers of data, which ensures that Azure customers can use Microsoft services to move data freely through Microsoft's cloud, from Europe to the rest of the world.
Service Organization Controls (SOC) 1, 2, and 3
Microsoft-covered cloud services are audited at least annually against the SOC report framework by independent third-party auditors. The Microsoft cloud services audit covers controls for data security, availability, processing integrity, and confidentiality as applicable to in-scope trust principles for each service.
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
NIST CSF is a voluntary Framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risks. Microsoft cloud services have undergone independent, third-party Federal Risk and Authorization Management Program (FedRAMP) Moderate and High Baseline audits and are certified according to the FedRAMP standards. Additionally, through a validated assessment performed by the Health Information Trust Alliance (HITRUST), a leading security and privacy standards development and accreditation organization, Microsoft 365 is certified to the objectives specified in the NIST CSF.
Increased productivity
On-site datacenters typically require a lot of hardware setup (otherwise known as racking and stacking), software patching, and other time-consuming IT management chores. Cloud computing eliminates the need for many of these tasks. This allows IT teams to spend time focusing on achieving more important business goals.
Public cloud models have the following characteristics
Ownership - Ownership refers to the resources that an organization or end user uses. Examples include storage and processing power. Resources do not belong to the organization that is utilizing them, but rather they are owned and operated by a third party, such as the cloud service provider. Multiple end users - Public cloud modes may make their resources available to multiple organizations. Public access - Public access allows the public to access the desired cloud services. Availability - Public cloud is the most common cloud-type deployment model. Connectivity - Users and organizations are typically connected to the public cloud over the internet using a web browser. Skills - Public clouds do not require deep technical knowledge to set up and use its resources.
Private cloud models have the following characteristics
Ownership. The owner and user of the cloud services are the same. Hardware. The owner is entirely responsible for the purchase, maintenance, and management of the cloud hardware. Users. A private cloud operates only within one organization and cloud computing resources are used exclusively by a single business or organization. Connectivity. A connection to a private cloud is typically made over a private network that is highly secure. Public access. Does not provide access to the public. Skills. Requires deep technical knowledge to set up, manage, and maintain.
PaaS
Platform as a Service. requires less user management. The cloud provider manages the operating systems, and the user is responsible for the applications and data they run and store.
General Availability (GA)
Releasing a feature to all Azure customers
Authorization for Resource groups
Resource groups are also a scope for applying role-based access control (RBAC) permissions. By applying RBAC permissions to a resource group, you can ease administration and limit access to allow only what is needed.
Hybrid cloud models have the following characteristics
Resource location. Specific resources run or are used in a public cloud, and others run or are used in a private cloud. Cost and efficiency. Hybrid cloud models allow an organization to leverage some of the benefits of cost, efficiency, and scale that are available with a public cloud model. Control. Organizations retain management control in private clouds. Skills. Technical skills are still required to maintain the private cloud and ensure both cloud models can operate together.
Resources
Resources are instances of services that you create, like virtual machines, storage, or SQL databases.
SaaS
Software as a Service. requires the least amount of management. The cloud provider is responsible for managing everything, and the end user just uses the software.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that regulates patient Protected Health Information (PHI). Azure offers customers a HIPAA Business Associate Agreement (BAA), stipulating adherence to certain security and privacy provisions in HIPAA and the HITECH Act - To assist customers in their individual compliance efforts, Microsoft offers a BAA to Azure customers as a contract addendum.
Confidentiality
The Principle of least privilege restricts access to information only to individuals explicitly granted access. This information includes protection of user passwords, remote access certificates, and email content.
United Kingdom (UK) Government G-Cloud
The UK Government G-Cloud is a cloud computing certification for services used by government entities in the United Kingdom. Azure has received official accreditation from the UK Government.
Predictive cost considerations
The ability for users to predict the costs they will incur for a particular cloud service. Costs for individual services are made available, and tools are provided to allow you to predict the costs a service will incur. You can also perform analysis based on planned growth.
Elasticity
The ability to automatically or dynamically increase or decrease resources as needed. Elastic resources match the current needs, and resources are added or removed automatically to meet future needs when it's needed (and from the most advantageous geographic location). A distinction between scalability and elasticity is that elasticity is done automatically.
Scalability
The ability to increase or decrease resources for any given workload. You can add additional resources to service a workload (known as scaling out), or add additional capabilities to manage an increase in demand to the existing resource (known as scaling up). Scalability doesn't have to be done automatically.
High availability
The ability to keep services up and running for long periods of time, with very little downtime, depending on the service in question.
Global reach
The ability to reach audiences around the globe. Cloud services can have a presence in various regions across the globe, which you and your customer can access, giving you a presence in those regions even though you may not have any infrastructure in that region.
Agility
The ability to react quickly. Cloud services can allocate and deallocate resources quickly. They are provided on-demand via self-service, so vast amounts of computing resources can be provisioned in minutes. There is no manual intervention in provisioning or deprovisioning services.
Disaster recovery
The ability to recover from an event which has taken down a cloud service. Cloud services disaster recovery can happen very quickly, with automation and services being readily available to use.
Fault tolerance
The ability to remain up and running even in the event of a component (or service) no longer functioning. Typically, redundancy is built into cloud services architecture, so if one component fails, a backup component takes its place. This type of service is said to be tolerant of faults.
CIA
The common principles used to define a security posture are confidentiality, integrity, and availability, known collectively as CIA.
Integrity
The prevention of unauthorized changes to information at rest or in transit. A common approach used in data transmission is for the sender to create a unique fingerprint of the data using a one-way hashing algorithm. The hash is sent to the receiver along with the data. The data's hash is recalculated and compared to the original by the receiver to ensure the data wasn't lost or modified in transit.
Management groups
These are containers that help you manage access, policy, and compliance for multiple subscriptions. All subscriptions in a management group automatically inherit the conditions applied to the management group. • 10,000 management groups can be supported in a single directory. • A management group tree can support up to six levels of depth. • This limit doesn't include the Root level or the subscription level. • Each management group and subscription can only support one parent. • Each management group can have many children.
Operational Expenditure (OpEx)
This is spending money on services or products now and being billed for them now. You can deduct this expense in the same year you spend it. There is no up front cost, as you pay for a service or product as you use it.
Capital Expenditure (CapEx)
This is the up front spending of money on physical infrastructure, and then deducting that up front expense over time. The up front cost from CapEx has a value that reduces over time.
Billing boundary
This subscription type determines how an Azure account is billed for using Azure. You can create multiple subscriptions for different types of billing requirements, and Azure will generate separate billing reports and invoices for each subscription so that you can organize and manage costs.
Visualize
Visualizations, such as charts and tables, are effective tools for summarizing monitoring data and for presenting data to different audiences. Azure Monitor has its own features for visualizing monitoring data, and it leverages other Azure services for publishing data for different audiences. Other tools you may use for visualizing data, for specific audiences and scenarios, include: • Dashboards • Views • Power BI
What happens once you use my free credit or I'm at the end of 30 days?
We'll notify you so you can decide if you want to upgrade to pay-as-you-go pricing and remove the spending limit. If you do, you'll have access to all the free products. If you don't, your account and products will be disabled, and you'll need to upgrade to resume usage.
Update domains (Availability Sets)
When a maintenance event occurs (such as a performance update or critical security patch applied to the host), the update is sequenced through update domains. Sequencing updates using update domains ensures that the entire datacenter isn't unavailable during platform updates and patching. Update domains are a logical section of the datacenter, and they are implemented with software and logic.
Failure Mode Analysis (FMA)
When designing your architecture you need to design for resiliency, and you should perform a _____________________ - The goal of an FMA is to identify possible points of failure and to define how the application will respond to those failures.
Tags
You apply tags to your Azure resources giving metadata to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name Environment and the value Production to all the resources in production, or tag by company departments. For example, the name of Department with a value of IT.
Data categories in Azure
You can generally think of data as structured, semi-structured, and unstructured.
Lock
You may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly:
Integrate
You'll often need to integrate Azure Monitor with other systems, and build customized solutions that use your monitoring data. Other Azure services can work with Azure Monitor to provide this integration.
De-allocating
a VM is not the same as deleting a VM. De-allocation means the VM is not assigned to a CPU or network in a datacenter. However, your persistent disks remain, and the resource is present in your subscription. It's similar to turning off your physical computer.
Network Security Groups (NSG)
allow you to filter network traffic to and from Azure resources in an Azure virtual network. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol. • Limit communication between resources through segmenting your network and configuring access controls. • Deny by default. • Restrict inbound internet access and limit outbound where appropriate. • Implement secure connectivity to on-premises networks.
The Microsoft Azure mobile app
allows you to access, manage, and monitor all your Azure accounts and resources from your iOS or Android phone or tablet. Once installed, you can: • Check the status and important metrics of your services • Stay informed with notifications and alerts about important health issues • Quickly diagnose and fix issues anytime, anywhere• Review the latest Azure alerts • Start, stop, and restart virtual machines or web apps • Connect to your virtual machines• Manage permissions with role-based access control (RBAC) • Use the Azure Cloud Shell to run saved scripts or perform unplanned administrative tasks
Event Grid
allows you to easily build applications with event-based architectures. It's a fully managed, intelligent event routing service that uses a publish-subscribe model for uniform event consumption. Event Grid has built-in support for events coming from Azure services, such as storage blobs and resource groups.
Service Trust Portal (STP)
also includes information about how Microsoft online services can help your organization maintain and track compliance with standards, laws, and regulations, such as: • ISO • SOC • NIST • FedRAMP
Azure Application Gateway
also provides a firewall, called the Web Application Firewall (WAF). WAF provides centralized, inbound protection for your web applications against common exploits and vulnerabilities.
Cognitive services
are a collection of domain-specific pre-trained AI models that can be customized with your data. They are categorized broadly into vision, speech, language, and search. For more information about each service, see the links in the resources section.
Containers
are a virtualization environment. • Containers reference the operating system of the host environment that runs the container. • Unlike virtual machines you do not manage the operating system. • Containers are lightweight and are designed to be created, scaled out, and stopped dynamically. • Containers allows you to respond to changes on demand and quickly restart in case of a crash or hardware interruption. • Azure supports Docker containers.
Virtual machine scale sets
are an Azure compute resource that you can use to deploy and manage a set of identical VMs.
Azure Functions
are ideal when you're concerned only about the code running your service and not the underlying platform or infrastructure. They're commonly used when you need to perform work in response to an event (often via a REST request), timer, or message from another Azure service, and when that work can be completed quickly, within seconds or less.
Representational State Transfer (REST) APIs
are service endpoints that support sets of HTTP operations (methods), which provide create, retrieve, update, or delete access to the service's resources. A REST API defines a set of functions which developers can perform requests and receive responses via HTTP protocol such as GET and POST.
Virtual machines (VMs)
are software emulations of physical computers.
Distributed Denial of Service (DDoS)
attacks attempt to overwhelm and exhaust an application's resources, making the application slow or unresponsive to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet. Thus, any resource exposed to the internet, such as a website, is potentially at risk from a DDoS attack.
Access Control (IAM)
blade in the Azure portal to view access permissions. This blade, shows who has access to an area and their role. Using this same blade, you can also grant or remove access.
Speech services
can convert spoken language into text, or produce natural-sounding speech from text using standard (or customizable) voice fonts.
Azure Load Balancer
can provide scale for your applications and create high availability for your services. Load Balancer supports inbound and outbound scenarios, provides low latency and high throughput, and scales up to millions of flows for all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) applications. You can use Load Balancer with incoming internet traffic, internal traffic across Azure services, port forwarding for specific traffic, or outbound connectivity for VMs in your virtual network.
Language services
can understand the meaning of unstructured text or recognize the speaker's intent.
Azure Security Center
centralizes much of the help Azure has to offer. It provides a single dashboard, with a view into many of your services, and helps make sure you are following best practices. Continuously updated machine learning algorithms help identify whether the latest threats are aimed at your resources. And, it helps your organization mitigate threats.
Hybrid Cloud
combines both public and private clouds, allowing you to run your applications in the most appropriate location
Cloud provider
company providing the services
Identity and access
controls access to infrastructure and change control. • Control access to infrastructure and change control. • Use single sign-on and multi-factor authentication. • Audit events and changes. The identity and access layer is all about ensuring identities are secure, access granted is only what is needed, and changes are logged.
Knowledge services
create rich knowledge resources that integrate into apps and services.
A security policy
defines the set of controls that are recommended for resources within that specified subscription or resource group. In Security Center, you define policies according to your company's security requirements.
Azure Blueprints
enable cloud architects to define a repeatable set of Azure resources that implement and adhere to an organization's standards, patterns, and requirements. Azure Blueprint enables development teams to rapidly build and deploy new environments with the knowledge that they're building within organizational compliance with a set of built-in components that speed up development and delivery.
Application security groups (ASG)
enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. This feature allows you to reuse your security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic.
Azure Virtual Network
enables many types of Azure resources such as Azure VMs to securely communicate with each other, the internet, and on-premises networks. A virtual network is scoped to a single region; however, multiple virtual networks from different regions can be connected using virtual network peering. With Azure Virtual Network you can provide isolation, segmentation, communication with on-premises and cloud resources, routing and filtering of network traffic.
Azure Files
enables you to set up highly available network file shares that can be accessed by using the standard Server Message Block (SMB) protocol. That means that multiple VMs can share the same files with both read and write access. You can also read the files using the REST interface or the storage client libraries.
Microsoft privacy statement
explains what personal data Microsoft processes, how Microsoft processes it, and for what purposes.
Policy Definition
expresses what to evaluate and what action to take. For example, you could prevent VMs from being deployed if they are exposed to a public IP address. You also could prevent a hard disk from being used when deploying VMs to control costs.
Azure Advisor
feature identifies unused or under-utilized resources, and you can implement its recommendations by removing unused resources and configuring your resources to match your actual demand.
Spending Limits
feature to help prevent you from exhausting the credit on your account within each billing period. If you have a credit-based subscription and you reach your configured spending limit, Azure suspends your subscription until a new billing period begins.
resource locks
help you prevent accidental deletion or modification of your Azure resources. You can manage these locks from within the Azure portal. To view, add, or delete locks, go to the SETTINGS section of any resource's settings blade.
Service Trust Portal (STP)
hosts the Compliance Manager service, and is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft's cloud services. Service Trust Portal users can download audit reports produced by external auditors and gain insight from Microsoft-authored reports that provide details on how Microsoft builds and operates its cloud services.
Azure Monitor
includes several features and tools that provide valuable insights into your applications, and the other resources they may depend on. Monitoring solutions and features, such as Application Insights and Container Insights, provide you with a deeper look into different aspects of your application and Azure services.
Azure Blob storage (containers)
is Microsoft's object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data, such as text or binary data.
Azure Active Directory
is a Microsoft cloud-based identity and access management service. Azure AD helps employees of an organization sign in and access resources: • External resources might include Microsoft 365, the Azure portal, and thousands of other software as a service (SaaS) applications. • Internal resources might include apps on your corporate network and intranet, along with any cloud apps developed by your own organization.
Azure Cloud Shell
is a browser-based scripting environment in your portal. It provides the flexibility of choosing the shell experience that best suits the way you work. Linux users can opt for a Bash experience, while Windows users can opt for PowerShell. A storage account is required to use the Cloud Shell and you will be prompted to create one when accessing the Azure Cloud Shell.
Azure Key Vault
is a centralized cloud service for storing your applications' secrets. Key Vault helps you control your applications' secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities.
Logic Apps
is a cloud service that helps you automate and orchestrate tasks, business processes, and workflows when you need to integrate apps, data, systems, and services across enterprises or organizations. Logic Apps simplifies how you design and build scalable solutions—whether in the cloud, on premises, or both—for app integration, data integration, system integration, enterprise application integration (EAI), and business-to-business (B2B) integration.
Azure Advanced Threat Protection (ATP)
is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Azure ATP is capable of detecting known malicious attacks and techniques, security issues, and risks against your network.
Azure Information Protection (AIP)
is a cloud-based solution that helps organizations classify and (optionally) protect its documents and emails by applying labels. Labels can be applied automatically (by administrators who define rules and conditions), manually (by users), or with a combination of both (where users are guided by recommendations).
Serverless computing
is a cloud-hosted execution environment that runs your code but abstracts the underlying hosting environment. You create an instance of the service and you add your code. No infrastructure configuration or maintenance is required, or even allowed.
Azure Kubernetes Service (AKS)
is a complete orchestration service for containers with distributed architectures and large volumes of containers. Orchestration is the task of automating and managing a large number of containers and how they interact.
Azure CLI
is a cross-platform command-line program that connects to Azure and executes administrative commands on Azure resources. Cross platform means that it can be run on Windows, Linux, or macOS. For example, to create a Virtual Machine, you would open a command prompt window, sign in to Azure using the command az login, create a resource group
A Content Delivery Network (CDN)
is a distributed network of servers that can efficiently deliver web content to users. It is a way to get content to users in their local region to minimize latency. CDN can be hosted in Azure or any other location. You can cache content at strategically placed physical nodes across the world and provide better performance to end users. Typical usage scenarios include web applications containing multimedia content, a product launch event in a region, or any event where you expect a high bandwidth requirement in a region.
Azure Advisor
is a free service built into Azure that provides recommendations on high availability, security, performance, and cost. Advisor analyzes your deployed services and looks for ways to improve your environment across those four areas.
IoT Central
is a fully managed global IoT software as a service (SaaS) solution that makes it easy to connect, monitor, and manage your IoT assets at scale. No cloud expertise is required to use IoT Central. As a result, you can bring your connected products to market faster while staying focused on your customers.
The Azure Database Migration Service
is a fully managed service designed to enable seamless migrations from multiple database sources to Azure data platforms with minimal downtime (online migrations). The service uses the Microsoft Data Migration Assistant to generate assessment reports that provide recommendations to help guide you through required changes prior to performing a migration. Once you assess and perform any remediation required, you're ready to begin the migration process. The Azure Database Migration Service performs all of the required steps.
Azure HDInsight
is a fully managed, open-source analytics service for enterprises. It is a cloud service that makes it easier, faster, and more cost-effective to process massive amounts of data. HDInsight allows you to run popular opensource frameworks and create cluster types such as Apache Spark ,Apache Hadoop ,Apache Kafka , Apache HBase ,Apache Storm ,Machine Learning Services . HDInsight also supports a broad range of scenarios such as extraction, transformation, and loading (ETL); data warehousing; machine learning; and IoT.
Zone
is a geographical grouping of Azure Regions for billing purposes. the following Zones exist and include the sample regions as listed below: • Zone 1 - West US, East US, Canada West, West Europe, France Central and others • Zone 2 - Australia Central, Japan West, Central India, Korea South and others • Zone 3 - Brazil South • DE Zone 1 - Germany Central, Germany Northeast
Microsoft Azure Cosmos DB
is a globally distributed database service that enables you to elastically and independently scale throughput and storage across any number of Azure's geographic regions. It supports schema-less data that lets you build highly responsive and Always On applications to support constantly changing data. You can use Cosmos DB to store data that is updated and maintained by users around the world. It makes it easy to build scalable, highly responsive applications at global scale.
Azure Synapse Analytics (formerly Azure SQL Data Warehouse)
is a limitless analytics service that brings together enterprise data warehousing and big data analytics.
Azure IoT Hub
is a managed service hosted in the cloud that acts as a central message hub for bi-directional communication between your IoT application and the devices it manages. You can use Azure IoT Hub to build IoT solutions with reliable and secure communications between millions of IoT devices and a cloud-hosted solution backend. You can connect virtually any device to your IoT Hub.
Azure Firewall
is a managed, cloud-based, network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. You can create, enforce, and log, application and network connectivity policies across subscriptions, and virtual networks, centrally. Azure Firewall uses a static public IP address for your virtual network resources, which allows outside firewalls to identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.
Azure Resource Manager
is a management layer in which resource groups and all the resources within it are created, configured, managed, and deleted. It provides a consistent management layer which allows you automate the deployment and configuration of resources using different automation and scripting tools, such as Microsoft Azure PowerShell, Azure Command-Line Interface (Azure CLI), Azure portal, REST API, and client SDKs.
Azure PowerShell
is a module that you add to Windows PowerShell or PowerShell Core that enables you to connect to your Azure subscription and manage resources. Azure PowerShell requires Windows PowerShell to function. PowerShell provides services such as the shell window and command parsing. Azure PowerShell then adds the Azure-specific commands. (PowerShell Core is a cross-platform version of PowerShell that runs on Windows, Linux or macOS.)
Azure Security Center
is a monitoring service that provides threat protection across all of your services both in Azure, and on-premises. Security Center can: • Provide security recommendations based on your configurations, resources, and networks. • Monitor security settings across on-premises and cloud workloads, and automatically apply required security to new services as they come online. • Continuously monitor all your services and perform automatic security assessments to identify potential vulnerabilities before they can be exploited. • Use machine learning to detect and block malware from being installed on your virtual machines and services. You can also define a list of allowed applications to ensure that only the apps you validate can execute. • Analyze and identify potential inbound attacks and help to investigate threats and any post-breach activity that might have occurred. • Provide just-in-time access control for ports, reducing your attack surface by ensuring the network only allows traffic that you require.
Azure portal
is a public website that you can access with any web browser. After you sign in with your Azure account, you can create, manage, and monitor any available Azure services. You can identify a service you're looking for, get links for help on a topic, and deploy, manage, and delete resources. It also guides you through complex administrative tasks using wizards and tooltips
Azure SQL Database
is a relational database as a service (DaaS) based on the latest stable version of Microsoft SQL Server database engine. SQL Database is a high-performance, reliable, fully managed and secure database that you can use to build data-driven applications and websites in the programming language of your choice without needing to manage infrastructure.
Azure Government
is a separate instance of the Microsoft Azure service. It addresses the security and compliance needs of US federal agencies, state and local governments, and their solution providers. Azure Government offers physical isolation from non-US government deployments and provides screened US personnel.
Azure Policy
is a service in Azure that you use to create, assign, and, manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service-level agreements (SLAs).
Azure Marketplace
is a service on Azure that helps connect end users with Microsoft partners, independent software vendors (ISVs), and start-ups that are offering their solutions and services, which are optimized to run on Azure. Azure Marketplace allows customers—mostly IT professionals and cloud developers—to find, try, purchase, and provision applications and services from hundreds of leading service providers, all certified to run on Azure.
A Firewall
is a service that grants server access based on the originating IP address of each request. You create firewall rules that specify ranges of IP addresses. Only clients from these granted IP addresses will be allowed to access the server. Firewall rules also include specific network protocol and port information.
Lab Services
is a service that helps developers and testers quickly create environments in Azure, while minimizing waste and controlling cost. Users can test their latest application versions by quickly provisioning Windows and Linux environments using reusable templates and artifacts. You can easily integrate your deployment pipeline with DevTest Labs to provision on-demand environments. With DevTest Labs you can scale up your load testing by provisioning multiple test agents and create pre-provisioned environments for training and demos.
Azure Storage
is a service that you can use to store files, messages, tables, and other types of information.
Initiative Definition
is a set of policy definitions to help track your compliance state for a larger goal. Initiative assignments reduce the need to make several initiative definitions for each scope.
A VPN gateway
is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure Virtual Network and an on-premises location over the public internet. It provides a more secure connection from on premises to Azure over the internet.
Defense in depth
is a strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to data. The objective of defense in depth is to protect and prevent information from being stolen by individuals not authorized to access it.
Azure Service Health
is a suite of experiences that provide personalized guidance and support when issues with Azure services affect you. It can notify you, help you understand the impact of issues, and keep you updated as the issue is resolved. Azure Service Health can also help you prepare for planned maintenance and changes that could affect the availability of your resources.
Pricing Calculator
is a tool that helps you estimate the cost of Azure products. It displays Azure products in categories, and you choose the Azure products you need and configure them according to your specific requirements. Azure then provides a detailed estimate of the costs associated with your selections and configurations.
Total Cost of Ownership Calculator
is a tool that you use to estimate cost savings you can realize by migrating to Azure. Enter details about your on-premises infrastructure into the TCO calculator according to four groups: • Servers. Enter details of your current on-premises server infrastructure. • Databases. Enter details of your on-premises database infrastructure in the Source section. In the Destination section, select the corresponding Azure service you would like to use. • Storage. Enter the details of your on-premises storage infrastructure. • Networking. Enter the amount of network bandwidth you currently consume in your on-premises environment.
resource group
is a unit of management for your resources in Azure. You can think of your resource group as a container that allows you to aggregate and manage all the resources required for your application in a single manageable unit. This allows you to manage the application collectively over its lifecycle, rather than manage components individually. Before any resource can be provisioned, you need a resource group for it to be placed in.
Azure Application Gateway
is a web traffic load balancer that enables you to manage traffic to your web applications. It is the connection through which users connect to your application. With Application Gateway you can route traffic based on source IP address and port to a destination IP address and port. You also can help protect a web application with a web application firewall, redirection, session affinity to keep a user on the same server, and many more configuration options.
Trust Center
is a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services. The Trust Center is an important part of the Microsoft Trusted Cloud Initiative and provides support and resources for the legal and compliance community.
Compliance Manager
is a workflow-based risk assessment dashboard within the Trust Portal that enables you to track, assign, and verify your organization's regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Microsoft 365, Dynamics 365, and Azure.
Cost Management
is an Azure product that provides a set of tools for monitoring, allocating, and optimizing your Azure costs. The main features of the Azure Cost Management toolset include: • Reporting. Generate reports using historical data to forecast future usage and expenditure. • Data enrichment. Improve accountability by categorizing resources with tags that correspond to real-world business and organizational units. • Budgets. Create and manage cost and usage budgets by monitoring resource demand trends, consumption rates, and cost patterns. • Alerting. Get alerts based on your cost and usage budgets. • Recommendations. Receive recommendations to eliminate idle resources and to optimize the Azure resources you provision. • Price. Free to Azure customers.
Initiative Assignment
is an initiative definition assigned to a specific scope. Initiative assignments reduce the need to make several initiative definitions for each scope. This scope could also range from a management group to a resource group.
Azure Data Lake Analytics
is an on-demand analytics job service that simplifies big data. Instead of deploying, configuring, and tuning hardware, you write queries to transform your data and extract valuable insights. The analytics service can handle jobs of any scale instantly by setting the dial for how much power you need. You only pay for your job when it is running, making it more cost-effective.
Azure compute
is an on-demand computing service for running cloud-based applications. It provides computing resources such as disks, processors, memory, networking and operating systems. There are many compute services, two of the most common are: virtual machines and containers.
Azure China 21Vianet
is operated by 21Vianet is a physically separated instance of cloud services located in China, independently operated and transacted by Shanghai Blue Cloud Technology Co., Ltd. ("21Vianet"), a wholly owned subsidiary of Beijing 21Vianet Broadband Data Center Co., Ltd.
Private Cloud
is owned and operated by the organization that uses the resources from that cloud. They create a cloud environment in their own datacenter and provide self-service access to compute resources to users within their organization. The organization remains the owner, entirely responsible for the operation of the services they provide.
Public Cloud
is owned by the cloud services provider (also known as a hosting provider). It provides resources and services to multiple organizations and users, who connect to the cloud service via a secure network connection, typically over the internet.
Internet of Things (IoT)
is the ability for devices to garner and then relay information for data analysis.
Resiliency
is the ability of a system to recover from failures and continue to function. It's not about avoiding failures, but responding to failures in a way that avoids downtime or data loss. The goal of resiliency is to return the application to a fully functioning state following a failure. High availability and disaster recovery are two crucial components of resiliency.
economies of scale
is the ability to reduce costs and gain efficiency when operating at a larger scale in comparison to operating at a smaller scale
Cloud Computing
is the delivery of computing services—servers, storage, databases, networking, software, analytics, intelligence and more—over the internet (the cloud), enabling faster innovation, flexible resources, and economies of scale. You typically pay only for cloud services you use, helping lower your operating costs, run your infrastructure more efficiently, and scale as your business needs change.
Physical security
is the first line of defense to protect computing hardware in the datacenter. • Physical building security and controlling access to computing hardware within the data center is the first line of defense. With physical security, the intent is to provide physical safeguards against access to assets. These safeguards ensure that other layers can't be bypassed, and loss or theft is handled appropriately.
Authentication
is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control use. It establishes if they are who they say they are. (Authentication is sometimes shortened to AuthN)
Authorization
is the process of establishing what level of access an authenticated person or service has. It specifies what data they're allowed to access and what they can do with it. (Authorization is sometimes shortened to AuthZ.)
The Azure Queue service
is used to store and retrieve messages. Queue messages can be up to 64 KB in size, and a queue can contain millions of messages. Queues are generally used to store lists of messages to be processed asynchronously.
Application
layer ensures applications are secure and free of vulnerabilities. • Ensure applications are secure and free of vulnerabilities. • Store sensitive application secrets in a secure storage medium. • Make security a design requirement for all application development. Integrating security into the application development life cycle will help reduce the number of vulnerabilities introduced in code. We encourage all development teams to ensure their applications are secure by default, and that they're making security requirements non-negotiable.
Networking
layer limits communication between resources through segmentation and access controls. • Limit communication between resources. • Deny by default. • Restrict inbound internet access and limit outbound, where appropriate. • Implement secure connectivity to on-premises networks. At this layer, the focus is on limiting the network connectivity across all your resources to allow only what is required. By limiting this communication, you reduce the risk of lateral movement
Compute
layer secures access to virtual machines. • Secure access to virtual machines. • Implement endpoint protection and keep systems patched and current. Malware, unpatched systems, and improperly secured systems open your environment to attacks. The focus in this layer is on making sure your compute resources are secure, and that you have the proper controls in place to minimize security issues.
Perimeter
layer uses distributed denial-of-service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users. • Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users. • Use perimeter firewalls to identify and alert on malicious attacks against your network. At the network perimeter, it's about protecting from network-based attacks against your resources. Identifying these attacks, eliminating their impact, and alerting you when they happen are important ways to keep your network secure.
Serverless computing
lets you run application code without creating, configuring, or maintaining a server. The core idea is that your application is broken into separate functions that run when triggered by some action. This is ideal for automated tasks - for example, you can build a serverless process that automatically sends an email confirmation after a customer makes an online purchase. you only pay for the processing time used by each function as it executes. VMs and containers are charged while they're running - even if the applications on them are idle
Vision
makes it possible for apps and services to accurately identify and analyze content within images and videos.
The organizing structure for resources in Azure has four levels:
management groups, subscriptions, resource groups, and resources
Azure Monitor
maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.
ReadOnly
means authorized admins can read a resource, but they can't delete or update the resource. Applying this lock is like restricting all authorized users to the permissions granted by the Reader role.
CanNotDelete
means authorized admins can still read and modify a resource, but they can't delete the resource.
Azure Reservations
offer discounted prices on certain Azure products and resources. To get a discount, you reserve products and resources by paying in advance. You can pre-pay for one year or three years of use of Virtual Machines, SQL Database Compute Capacity, Azure Cosmos Database Throughput, and other Azure resources. Azure Reservations are only available to Enterprise or CSP customers and for Pay-As-You-Go subscriptions.
Azure Container Instances
offers the fastest and simplest way to run a container in Azure without having to manage any virtual machines or adopt any additional services. It is a PaaS offering that allows you to upload your containers, which it will run for you.
Zone-redundant services
platform replicates automatically across zones (for example, zone-redundant storage, SQL Database).
Containers
provide a consistent, isolated execution environment for applications. They're similar to VMs except they don't require a guest operating system. Instead, the application and all its dependencies is packaged into a "container" and then a standard runtime environment is used to execute the app. This allows the container to start up in just a few seconds, because there's no OS to boot and initialize. You only need the app to launch.
The Azure Machine Learning service
provides a cloud-based environment you can use to develop, train, test, deploy, manage, and track machine learning models. It fully supports open-source technologies, so you can use tens of thousands of open-source Python packages with machine learning components such as TensorFlow and scikit-learn.
Azure Multi-Factor Authentication
provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories: • Something you know could be a password or the answer to a security question. • Something you possess might be a mobile app that receives a notification, or a token-generating device. • Something you are is typically some sort of biometric property, such as a fingerprint or face scan used on many mobile devices.
DevOps Services
provides development collaboration tools including high-performance pipelines, free private Git repositories, configurable Kanban boards, and extensive automated and cloud-based load testing. DevOps Services was formerly known as Visual Studio Team Services (VSTS).
Disk storage
provides disks for virtual machines, applications, and other services to access and use as they need, similar to how they would in on-premises scenarios. Disk storage allows data to be persistently stored and accessed from an attached virtual hard disk. The disks can be managed or unmanaged by Azure, and therefore managed and configured by the user. Typical scenarios for using disk storage are if you want to lift and shift applications that read and write data to persistent disks, or if you are storing data that is not required to be accessed from outside the virtual machine to which the disk is attached.
Role-based access control
provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs. RBAC is provided at no additional cost to all Azure subscribers.
Bandwidth
refers to data moving in and out of Azure datacenters. Some inbound data transfers, such as data going into Azure datacenters, are free. For outbound data transfers, such as data going out of Azure datacenters, data transfer pricing is based on Zones.
Data residency
refers to the physical or geographic location of an organization's data or information. It defines the legal or regulatory requirements imposed on data based on the country or region in which it resides and is an important consideration when planning out your application data storage.
Azure Table storage
stores large amounts of structured data. The service is a NoSQL datastore which accepts authenticated calls from inside and outside the Azure cloud. Azure tables are ideal for storing structured, nonrelational data.
VMs aren't the only computing choice
there are two other popular options: containers and serverless computing.
Perimeter layer protections
use Azure DDoS Protections and Azure Firewall
RBAC
uses an allow model. This means that when you are assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. Therefore, if one role assignment grants you read permissions to a resource group, and a different role assignment grants you write permissions to the same resource group, you will have write permissions on that resource group.
consumption-based model
which means that end users only pay for the resources that they use. Whatever they use is what they pay for.
Azure App Service
you can quickly and easily build web and mobile apps for any platform or device. Azure App Service enables you to build and host web apps, mobile back ends, and RESTful APIs in the programming language of your choice without managing infrastructure. It offers auto-scaling and high availability, supports both Windows and Linux, and enables automated deployments from GitHub, Azure DevOps, or any Git repo.
App services
you can quickly build, deploy, and scale enterprise-grade web, mobile, and API apps running on any platform.
Zonal services
you pin the resource to a specific zone (for example, virtual machines, managed disks, IP addresses)
Azure offers free and paid subscription options to suit different needs and requirements.
• A free account. Get started with 12 months of popular free services, a credit to explore any Azure service for 30 days, and 25+ services that are always free. Your Azure services are disabled when the trial ends or when your credit expires for paid products, unless you upgrade to a paid subscription. • Pay-As-You-Go. This subscription allows you to pay for what you use by attaching a credit or debit card to your account. Organizations can apply to Microsoft for invoicing privileges. • Member offers. Your existing membership to certain Microsoft products and services affords you credits for your Azure account and reduced rates on Azure services. For example, member offers are available to Microsoft Visual Studio subscribers, Microsoft Partner Network members, Microsoft BizSpark members, and Microsoft Imagine members.
Availability Options
• A single virtual machine with premium storage has an SLA of 99.9%. You can quickly migrate existing virtual machines to Azure through "lift and shift". Lift and shift is a no-code option where each application is migrated as-is, providing the benefits of the cloud without the risks or costs of making code changes. • By placing virtual machines in an availability set, you protect against datacenter failures and increases the SLA to 99.95%. • Adding virtual machines to availability zones protects from entire datacenter failures and increases the SLA to 99.99%, which is highest level of protection that is provided. • For multi-region disaster recovery, region pairs protect and provide data residency boundaries.
Service Trust Portal is a companion feature to the Trust Center, and allows you to:
• Access audit reports across Microsoft cloud services on a single page. • Access compliance guides to help you understand how can you use Microsoft cloud service features to manage compliance with various regulations. • Access trust documents to help you understand how Microsoft cloud services help protect your data.
Respond
• Alerts. Azure Monitor proactively notifies you of critical conditions using Alerts and can potentially attempt to take corrective actions. Alert rules based on metrics can provide alerts in almost real-time, based on numeric values. Alert rules based on logs allow for complex logic across data, from multiple sources. • Autoscale. Azure Monitor uses Autoscale to ensure that you have the right amount of resources running to manage the load on your application effectively. Autoscale enables you to create rules that use metrics, collected by Azure Monitor, to determine when to automatically add resources to handle increases in load. Autoscale can also help reduce your Azure costs by removing resources that are not being used. You can specify a minimum and maximum number of instances and provide the logic that determines when Autoscale should increase or decrease resources.
Analyze
• Application Insights is a service that monitors the availability, performance, and usage of your web applications, whether they're hosted in the cloud or on-premises. It leverages the powerful data analysis platform in Log Analytics to provide you with deeper insights into your application's operations. Application Insights can diagnose errors, without waiting for a user to report them. Application Insights includes connection points to a variety of development tools and integrates with Microsoft Visual Studio to support your DevOps processes. • Azure Monitor for containers is a service that is designed to monitor the performance of container workloads, which are deployed to managed Kubernetes clusters hosted on Azure Kubernetes Service (AKS). It gives you performance visibility by collecting memory and processor metrics from controllers, nodes, and containers, which are available in Kubernetes through the metrics API. Container logs are also collected. • Azure Monitor for VMs is a service that monitors your Azure VMs at scale, by analyzing the performance and health of your Windows and Linux VMs (including their different processes and interconnected dependencies on other resources, and external processes). Azure Monitor for VMs includes support for monitoring performance and application dependencies for VMs hosted on-premises, and for VMs hosted with other cloud providers.
Azure Monitor collects data from each of the following tiers:
• Application monitoring data: Data about the performance and functionality of the code you have written, regardless of its platform. • Guest OS monitoring data: Data about the operating system on which your application is running. This could be running in Azure, another cloud, or on-premises. • Azure resource monitoring data: Data about the operation of an Azure resource. • Azure subscription monitoring data: Data about the operation and management of an Azure subscription, as well as data about the health and operation of Azure itself. • Azure tenant monitoring data: Data about the operation of tenant-level Azure services, such as Azure Active Directory.
Azure AD provides services such as:
• Authentication - This includes verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services. • Single sign-on (SSO) - Enables users to remember only one ID and one password to access multiple applications. A single identity is tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that identity, greatly reducing the effort needed to change or disable accounts. "This security graph enables the ability to provide threat analysis and real-time identity protection to all accounts in Azure AD" • Application management - You can manage your cloud and on-premises apps using Azure AD Application Proxy, single sign-on, the My apps portal (also referred to as Access panel), and SaaS apps. • Business to business - (B2B) identity services. Manage your guest users and external partners while maintaining control over your own corporate data • Business-to-customer - (B2C) identity services. Customize and control how users sign up, sign in, and manage their profiles when using your apps with services. • Device management - Manage how your cloud or on-premises devices access your corporate data.
Multi-factor authentication (MFA) comes as part of the following Azure service offerings:
• Azure Active Directory premium licenses. These licenses provide full-featured use of Azure Multi-Factor Authentication Service (cloud) or Azure Multi-Factor Authentication Server (on-premises). • Multi-factor authentication for Microsoft 365. A subset of Azure Multi-Factor Authentication capabilities is available as a part of your Microsoft 365 subscription. • Azure Active Directory global administrators. Because global administrator accounts are highly sensitive, a subset of Azure Multi-Factor Authentication capabilities are available to protect these accounts.
Azure Service Health is composed of the following:
• Azure Status provides a global view of the health state of Azure services. With Azure Status, you can get up-to-the-minute information on service availability. Everyone has access to Azure Status and can view all services that report their health state. • Service Health provides you with a customizable dashboard that tracks the state of your Azure services in the regions where you use them. In this dashboard, you can track active events such as ongoing service issues, upcoming planned maintenance, or relevant Health advisories. When events become inactive, they are placed in your Health history for up to 90 days. Finally, you can use the Service Health dashboard to create and manage service Health alerts, which notify you whenever there are service issues that affect you. • Resource Health helps you diagnose and obtain support when an Azure service issue affects your resources. It provides you details with about the current and past state of your resources. It also provides technical support to help you mitigate problems. In contrast to Azure Status, which informs you about service problems that affect a broad set of Azure customers, Resource Health gives you a personalized dashboard of your resources' health. Resource Health shows you times, in the past, when your resources were unavailable because of Azure service problems. It's then easier for you to understand if an SLA was violated.
Things to know about regions
• Azure has more global regions than any other cloud provider. • Regions provide customers the flexibility and scale needed to bring applications closer to their users. • Regions preserve data residency and offer comprehensive compliance and resiliency options for customers. • For most Azure services, when you deploy a resource in Azure, you choose the region where you want your resource to be deployed.
Resource groups can be created by using the following methods:
• Azure portal • Azure PowerShell • Azure CLI • Templates • Azure SDKs (like .NET, Java)
Azure Firewall provides many features, including:
• Built-in high availability. • Unrestricted cloud scalability. • Inbound and outbound filtering rules. • Azure Monitor logging.
The benefits of using Key Vault include:
• Centralized application secrets. Centralizing storage for application secrets allows you to control their distribution and reduces the chances that secrets may be accidentally leaked. • Securely stored secrets and keys. Azure uses industry-standard algorithms, key lengths, and HSMs, and access requires proper authentication and authorization. • Monitor access and use. Using Key Vault, you can monitor and control access to company secrets. • Simplified administration of application secrets. Key Vault makes it easier to enroll and renew certificates from public Certificate Authorities (CAs). You can also scale up and replicate content within regions and use standard certificate management tools. • Integrate with other Azure services. You can integrate Key Vault with storage accounts, container registries, event hubs and many more Azure services.
Availability Zone features
• Each availability zone is an isolation boundary containing one or more datacenters equipped with independent power, cooling, and networking. • If one availability zone goes down, the other continues working. The availability zones are typically connected to each other through very fast, private fiber-optic networks. • Availability zones allow customers to run mission-critical applications with high availability and lowlatency replication. • Availability zones are offered as a service within Azure, and to ensure resiliency, there's a minimum of three separate zones in all enabled regions.
Under the resource settings you can enable Diagnostics
• Enable guest-level monitoring • Performance counters: collect performance data• Event Logs: enable various event logs • Crash Dumps: enable or disable • Sinks: send your diagnostic data to other services for more analysis • Agent: configure agent settings