Hello guys,
As this is the era of Cloud Computing, with Microsoft Azure being the leader in providing cloud services, today I would like to introduce you to the Microsoft Azure Core Services. This is just a brief introduction to Azure Core Services to prepare you for the AZ-900 Microsoft Azure Fundamentals certification.
Azure Regions
Each region has one or more data center(s). A region is a set of data centers deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network.
There are 54 regions worldwide available in 140 countries as of writing this blog.
For more information, visit https://azure.microsoft.com/en-ca/global-infrastructure/regions/.
Azure Geographies
Azure Regions are groups of one or more data centers. Azure broadens that into geographies. Each Geography contains two or more regions. Geographies exist to preserve compliance and data residency. Examples of Geographies are Americas, Europe, Middle East & Africa, and Asia Pacific.
CDN
CDN stands for Content Delivery Network, which allows your media to be streamed or deployed. You cannot specify a Geography for CDN or for Azure Active Directory; they are global services.
Availability Zones
In short, Availability Zones are physically separate data centers within an Azure Region. Not all regions have Availability Zones. Availability Zones provide high availability and redundancy.
Region Pairs
Two regions within the same geography that are at least 300 miles apart.
Availability Sets
Availability Sets are a logical grouping of two or more VMs that keeps your workload up during planned or unplanned maintenance.
Options to manage Azure
- Cloud Shell
There are two ways to access the Cloud Shell. One way is to go to https://shell.azure.com, and the other is to click the arrow-with-underscore icon (">_") at the top after you log into portal.azure.com. You can use either Bash (Linux) or PowerShell (Windows) in Cloud Shell.
- CLI (Command Line Interface)
It is an alternative to Cloud Shell. Cloud Shell is accessed via the web interface, whereas the CLI is nothing but opening a PowerShell window on your own Windows machine and managing your Azure environment from there. Bear in mind that you need to have the Azure PowerShell module installed on your computer first. Once it is installed, instead of opening the Cloud Shell in the web interface, you open a PowerShell window on your local Windows machine, connect to your Azure subscription from there, and manage your Azure environment from that window.
You can install what's called PowerShell Core on Linux or Mac OS and you can install the Azure PowerShell module and manage it just like you would on any Windows machine.
- Azure Portal (https://portal.azure.com)
The last one is the Azure Portal, the one we normally use to manage our Azure environment, but it is mostly used for doing one or two things at a time. If you want to do things faster, for example deploying hundreds of VMs, in other words automating VM deployments, it is better to use the Cloud Shell or the CLI.
One last thing to mention: there is one other way you can manage Azure. You can integrate your own application with Azure through an API (Application Programming Interface). So, if you are a developer, you can use these APIs to control your Azure infrastructure from your own application. An API is an interface between your own application and your Azure environment; it is the integration piece that allows your application to communicate with your Azure environment.
Azure also has a Cloud Shell app for iPhone and Android, which you can install on your phone to manage your Azure environment from your smartphone as well.
JSON
JavaScript Object Notation. For any Azure resource that you want to create repeatedly, you can write a JSON script for it, which is called an automation script and is also known as an ARM (Azure Resource Manager) template. So, when you want to deploy hundreds of VMs with a similar configuration, you use ARM templates, i.e. the JSON automation script.
Computing with Cloud
It is basically an on-demand computing service built to run our web applications. So when we're deploying our websites or moving our infrastructure to the cloud, that's on-demand computing service. With Microsoft Azure, we have four big Compute service players - Virtual Machines, Containers, Azure App Services and Serverless computing.
Containers
ACI stands for Azure Container Instances. Containers are like VMs, but they take it to the next level. They are more efficient and, some would say, better. With containers, we are virtualizing the OS (software) rather than the hardware. A container bundles the application with its dependencies, like an isolated island with its own self-sustaining ecosystem. Containers are efficient and fast. Docker is a software platform that lets you build, test and deploy applications quickly with containers.
Serverless Computing
- Azure Functions (code) execute code. They are mostly stateless, but can be stateful too.
- Azure Logic Apps (workflow) execute workflows from defined logic blocks.
Compute - Scaling
- Scale-sets (VM): Manage a group of identical, load balanced VMs
- Azure Batch for HPC (High Performance Computing): Large-scale job scheduling and compute management. Large scale means a job where we will need hundreds of VMs or thousands of VMs to do some massive supercomputing.
Virtual Machine Scale Sets (VMSS)
You can create Virtual machine scale sets to deploy and manage a load balanced set of identical Windows or Linux virtual machines. You can use autoscale to automatically scale virtual machine resources in and out.
Cloud-init Script
There is a script called a cloud-init script that you can use with a Linux virtual machine to quickly set up everything needed to host a website.
Microservice
Microservices are nothing but breaking your solution (app) into smaller pieces. For example, an application has a front-end piece, a back-end piece and storage. You divide this app into three separate pieces in Azure, which allows you to upgrade, modify and maintain each piece independently. For example, if you want to upgrade only the front end of your website, that is easy once the web application has been broken down into smaller pieces.
AKS stands for Azure Kubernetes Service. AKS is the orchestration service to manage your Microservices.
Azure App Service
Types of Apps:
- Web Apps
- API Apps
- Web jobs
- Mobile Apps
Benefits of Azure App Service:
- No more worrying about infrastructure
- Language of choice
- Auto-scaling
- High Availability
- Ready-made code from GitHub, Azure DevOps, or any Git repo
Cloud Storage Benefits
- Automated Backup and Recovery
- Replication
- Analytics
- Encryption
- Data Types - all types of data can be stored in Cloud Storage, ranging from large files to binary files, Word documents, Excel files, PowerPoint presentations, relational databases, pictures and videos to any other kind of data.
- Tiers - based on how often you need to access the data.
Types of Data that Azure is designed to hold:
1. Structured Data like Relational Databases
2. Semi-Structured Data like Non-relational data i.e. NoSQL data
3. Unstructured Data like pictures or video files. It is like the data that you upload to your OneDrive or Google Drive.
Azure Structured Data
- Azure SQL Database
Azure's offering for structured data is Azure SQL Database, which is also known as DaaS (Database as a Service). DaaS is like PaaS, so you don't worry about the underlying operating system or the server. You can migrate your existing on-prem databases to the Azure cloud using Azure Database Migration Service.
Azure Semi-Structured Data
- Azure Cosmos Database (for Semi-Structured Database)
A database for building blazing fast, planet-scale applications with native support for NoSQL (i.e. non-relational data). It is globally distributed: data is replicated to wherever your users are.
Unstructured Data
- Disk Storage (i.e. Regular HDD or Premium SSD)
- File Share (called Azure Files)
- SMB
- Globally accessible
- Azure Blob
- Stores large amounts of data; ideal for backups and archiving
- 8 TB. You can store up to 8 TB of data with a VM on Azure Blob.
- No restrictions
- Highly scalable
- Many thousands of simultaneous uploads
- Azure Data Lake Storage Gen 2
- It has all features like Azure Blob
- Plus, it has the capability for Big Data Analytics
- Azure Queue
- It is used for storing messages (large number of messages)
Storage Tiers
There are three tiers in Storage.
1. Hot - accessed frequently. It is the most expensive tier.
2. Cool - accessed infrequently
- Stored for at least 30 days
- Less Expensive than Hot
3. Archive - stuff you never touch or rarely access, typically stored for at least 180 days. It is cheaper than the Hot and Cool tiers.
Data Encryption
1. Azure Storage Service Encryption (SSE)
- Data at rest
- Encrypts the data before it is stored and decrypts it on retrieval. This type of Azure Storage encryption is automatic.
2. Client-side Encryption
- The data is already encrypted when Azure stores it and decrypted when retrieved. Here, you can generate your own key for Encryption-Decryption, and store it in "Azure Key Vault".
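As an added example (not from the original post), here is a small ARM template, in the JSON automation-script form described earlier, that deploys a storage account with the settings a security reviewer checks against this section: HTTPS only, TLS 1.2 as the floor, anonymous blob access disabled, the Cool access tier for infrequently used data, and Storage Service Encryption with Microsoft-managed keys stated explicitly. The account name is a parameter you supply; the `//` comments are the comment style ARM templates accept.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string",
      "metadata": {
        "description": "Assumed name; must be globally unique, 3-24 lowercase letters and digits."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-04-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "kind": "StorageV2",
      "sku": { "name": "Standard_LRS" },
      "properties": {
        // Clients must use HTTPS; plain HTTP requests are rejected.
        "supportsHttpsTrafficOnly": true,
        "minimumTlsVersion": "TLS1_2",
        // Deny anonymous reads of blobs and containers regardless of container-level settings.
        "allowBlobPublicAccess": false,
        // Default tier for blobs: Cool for data that is accessed infrequently.
        "accessTier": "Cool",
        // SSE at rest is always on; this block records the Microsoft-managed key choice explicitly.
        "encryption": {
          "keySource": "Microsoft.Storage",
          "services": {
            "blob": { "enabled": true },
            "file": { "enabled": true }
          }
        }
      }
    }
  ]
}
```

Deploying the same template again with a changed value (say a lower `minimumTlsVersion`) is how drift shows up in review, which is why these settings belong in the template rather than in portal clicks.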
Azure Resource Manager
The Azure Portal is the user interface to Azure Resource Manager that we use to manage Azure resources. We need an Azure account to log into the Azure portal (https://portal.azure.com); we sign up for one and get access to subscriptions. A subscription can be defined as a logical unit of Azure resources. In a large organization, you set up separate subscriptions for each department, such as Accounting, Marketing and Sales, because each department uses some IT infrastructure: specific servers, file shares and so on. Each subscription is billed separately. Just as an account can have multiple subscriptions, a subscription can be managed by multiple accounts, so another admin from my organization can manage my subscriptions.
Networking in Azure:
A Virtual Network (VNet) logically isolates a network in Azure. A VNet is bound to one region; it cannot span multiple regions. We can divide the virtual network into subnets to segment our resources, such as virtual machines. For example, front-end servers go in a front-end subnet, whereas back-end servers go in a back-end subnet.
Network Security Group (NSG)
A Network Security Group is Azure's version of Network Firewall. By default, a Network Security Group will "deny all network traffic."
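Putting the JSON section, the front-end/back-end subnet example and the NSG default-deny together, here is an added ARM template (not from the original post) that creates a Network Security Group for the back-end subnet. It allows inbound HTTPS only from the front-end subnet's address range and states the deny-everything-else rule explicitly, below which the NSG's own default rules (priority 65000 and above) still exist. The names and the 10.0.1.0/24 range are assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": { "description": "A VNet and its NSGs live in a single region." }
    },
    "frontEndSubnetPrefix": {
      "type": "string",
      "defaultValue": "10.0.1.0/24",
      "metadata": { "description": "Assumed address range of the front-end subnet allowed to reach the back end." }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-11-01",
      "name": "nsg-backend",
      "location": "[parameters('location')]",
      "properties": {
        "securityRules": [
          {
            // Lowest priority number is evaluated first; custom rules use 100-4096.
            "name": "AllowHttpsFromFrontEnd",
            "properties": {
              "description": "Only the front-end tier may reach the back end, and only on 443.",
              "priority": 100,
              "direction": "Inbound",
              "access": "Allow",
              "protocol": "Tcp",
              "sourceAddressPrefix": "[parameters('frontEndSubnetPrefix')]",
              "sourcePortRange": "*",
              "destinationAddressPrefix": "*",
              "destinationPortRange": "443"
            }
          },
          {
            // Explicit catch-all so the intent is visible in the template, not only in the hidden default rules.
            "name": "DenyAllOtherInbound",
            "properties": {
              "priority": 4096,
              "direction": "Inbound",
              "access": "Deny",
              "protocol": "*",
              "sourceAddressPrefix": "*",
              "sourcePortRange": "*",
              "destinationAddressPrefix": "*",
              "destinationPortRange": "*"
            }
          }
        ]
      }
    }
  ]
}
```

Because the explicit deny at priority 4096 sits above the default AllowAzureLoadBalancerInBound rule, a back end behind an Azure Load Balancer also needs an allow rule for the AzureLoadBalancer service tag so that health probes still pass.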
Azure Load Balancer
Benefits of Azure Load Balancer:
- Scale (Horizontal)
- Resiliency
- High availability
- Maintenance without downtime
Azure Application Gateway (combination of load balancer and firewall for Web application)
Azure Application Gateway uses the Azure Load Balancer as part of its function, but it adds a few extra things that are really useful for web traffic.
So it performs load balancing, but it also has a firewall built in. We call it a WAF, or Web Application Firewall, because it is not just any old firewall: it can detect malicious attacks against your infrastructure and it has more detailed monitoring. Azure Application Gateway is more sophisticated than your normal Network Security Group.
Another big reason you might want the Application Gateway rather than a standard load balancer for your web traffic is that it has URL-based routing. It also has SSL (Secure Sockets Layer) termination, which means the connection to the website is encrypted; you know it because the address says HTTPS, which stands for secure, versus just HTTP. To make this happen for your website, you need SSL certificates, and the Application Gateway can host and handle those certificates for you, keeping everything at the front end secure. It can also rewrite HTTP headers, which are basically the information that arrives with each request to your website; you can change some of that information, removing things you don't want and adding things you do, making the traffic more secure. So the Azure Load Balancer is great for load balancing all sorts of things, including web traffic, but if you really want the killer HTTP-focused features for your web traffic, the Application Gateway will be your guy.
Azure Traffic Manager and Content Delivery Network
Azure Traffic Manager: Using DNS Servers to direct user traffic to the closest data center where your web apps are hosted.
Content Delivery Network: Distributed network of servers that can efficiently deliver web content to users using caching.
Azure AI (Artificial Intelligence)
AI: capability of a machine to imitate human behaviour.
Authentication
Authentication means proving who you are. It means "establishing your identity."
Authorization
Authorization means what you are authorized to access. It means the "level of access" that you have.
RBAC - Role Based Access Control
Roles: Roles are sets of permissions that can be granted to users to access Azure services.
Scope: Set of resources that access applies to.
Encryption
There are two types of Encryption.
1. Symmetric: Same key for encryption and decryption
2. Asymmetric: Different keys for encryption and decryption (Public Key + Private Key). For example, I am sending a message to Bob, and in this case I will encrypt the message before sending it using my private key. Bob will then receive the message and decrypt it using the public key. So, when you use a public and private key pair, if you encrypt the message using the private key, you decrypt it using its public key, and if you encrypt the message using the public key, you decrypt it using its private key. This is also referred to as TLS - Transport Layer Security.
Azure Storage Service Encryption (SSE): Encryption is enabled by default for Blob, managed disks, Queue Storage and Azure files.
Azure Disk Encryption: The OS VHD attached to a VM is not encrypted by default, but you can encrypt it. Azure Disk Encryption is the option for encrypting those VHDs.
Transparent Data Encryption: Databases in Azure are also encrypted by default using TDE (Transparent Data Encryption), which is symmetric encryption. Azure provides a unique encryption key for each logical database, or you can bring your own key, often referred to as BYOK (Bring Your Own Key). Because TDE is symmetric, the same single key is used for both encryption and decryption. So we are encrypting your data, making it safe and secure by turning it into unreadable ciphertext, and using the keys to lock it up; whoever has the key can read it. But hold on a second: what if someone were to get our keys? Are the keys safe? Azure has a solution for that, called "Azure Key Vault."
Azure Key Vault
Azure Key Vault is a centralized cloud service for all your secrets - Keys, passwords and certificates.
What's inside:
- Encryption Keys
- Secrets like Tokens, API keys
- Certificates (SSL/TLS)
Benefits:
- Centralized Management
- Monitor Access and use
- Easily enroll and renew certs
- Integrate with other Azure Services
There are two more products that Microsoft offers that will really push you over the edge in making things secure. The first one is Azure Information Protection, or AIP. It used to be called the Microsoft Azure Shared Information Protection, so like NZIP. This is all about protecting your documents (Microsoft Word, Excel, PowerPoint) and also your emails, so it is very Microsoft Office heavy. AIP is the cloud-based solution that helps us classify and protect our documents and emails.
The second one is Azure Advanced Threat Protection (Azure ATP). It identifies, detects, and helps you investigate compromised systems and identities and malicious insider actions. It has its own portal, port.atp.azure.com, which is where you go to manage all these threats and investigate the bad stuff. Then there is the ATP sensor: you install these sensors on your domain controller and they analyze everything that happens there (user logins, user permissions, and so on, which is a lot) and send it to the ATP portal, where you log in and analyze it all.
Azure Policy
Azure Policy is a service you use to define, assign, and manage standards for resources in your environment, to meet some kind of compliance or governance standard. It gives you the ability to control how your resources are deployed, which is also known as governance. For example, we have an IT Engineering team, and we want to allow them to create some resources, say virtual machines, but we put in a policy that says they cannot create a VM with more than 4 vCPUs. You can create a policy for any standard you want to support or enforce in your environment: for example, you could enforce a specific version of SQL Server, you could enforce Windows only and no Linux, you could ensure that every website is secured with HTTPS, or you could have a policy that simply tags your resources. So, if the Windows Infrastructure team builds some new VMs, your policy can tag them as "WinInfra", for example.
How to create a policy?
Steps:
1) Policy definition
This defines what we are evaluating and what action we take. For example, the Engineering team tries to build a VM with more than 4 vCPUs. The action will be one of the following:
- Deny (the policy will refuse to build the VM)
- Disabled (ignore) (the policy is disabled, so it is ignored and the Engineering team will be able to build a VM with more than 4 vCPUs)
- Append (tags) - the policy adds tags to the resources that are built
- Audit (warning event) - the policy allows the VM with more than 4 vCPUs to be built, but it generates an audit warning event, letting the Engineering team know that they are being watched even though they were allowed to build the VM
- DeployIfNotExists (template)
2) Policy Assignment
Once the policy is defined, we assign it to something to make it take effect. That is, we assign it to a specific scope. You might assign it to a specific subscription, so it applies to everything in that subscription, or you can assign it to a specific resource group.
We can also exclude some resources from the rule. For example, we have several different resource groups, and we can say that this policy applies to everything in our subscription excluding one specific resource group.
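The two steps above, as an added example that is not from the original post: a custom policy definition for the "no VM over 4 vCPUs" rule. Azure Policy evaluates resource properties rather than counting vCPUs, so the definition lists the VM sizes the Engineering team may use (an assumed list of 2- and 4-vCPU SKUs) and denies anything else; the `effect` parameter lets the same definition be assigned as Audit or Disabled, matching the effects listed earlier.

```json
{
  "properties": {
    "displayName": "Restrict VM sizes for the Engineering team",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Stands in for the '4 vCPUs' rule: only the listed SKUs may be deployed.",
    "parameters": {
      "allowedSizes": {
        "type": "Array",
        "metadata": { "description": "Permitted VM SKUs (assumed list; all have 4 vCPUs or fewer)." },
        "defaultValue": [ "Standard_B2s", "Standard_D2s_v3", "Standard_D4s_v3" ]
      },
      "effect": {
        "type": "String",
        "metadata": { "description": "Which of the effects from the post to apply." },
        "allowedValues": [ "Audit", "Deny", "Disabled" ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
          {
            "not": {
              "field": "Microsoft.Compute/virtualMachines/sku.name",
              "in": "[parameters('allowedSizes')]"
            }
          }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

For step 2, create the definition with `az policy definition create` and assign it at subscription scope with `az policy assignment create`, whose `--not-scopes` option is where the excluded resource group from the text goes.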
Azure Management Groups
Azure Management Groups are containers for managing access, policies and compliance across multiple subscriptions.
Blueprints
Blueprints are a repeatable set of Azure resources that adhere to standards, patterns and requirements. They are like ARM templates, but go a step further by also covering your RBAC (Role-Based Access Control) rules and all the permissions you have set, the policies you have implemented, and your resource groups.
Azure Cost Affecting Factors
- Resource Type
Cost depends on the type of resource you are deploying in the cloud. Is it a VM or storage?
- Storage: For Storage, you pay based on the size of storage.
- Network: For network resource, you pay based on the bandwidth that you use.
- Services
- Cost also depends on the services that you use in the Azure cloud. Are you deploying something from Azure Marketplace, for example Windows Server 2016 Standard? Then you pay for its license as well.
- Location
Cost also depends on the location where the resources are deployed. It may be higher in one location and lower in another.
- Billing Zone
Resiliency
A system's ability to stay operational during abnormal conditions is known as Resiliency.
Tags
Tags are Name/value pairs of text data that you can apply to resources and resource groups.
Azure Monitor
Azure Monitor delivers a comprehensive solution for collecting, analyzing and acting on telemetry from your cloud and on-premises environments.
What is the functionality of an Azure Update page?
It reports the upcoming releases.