Ardemius/azure-az900-certification
Microsoft Azure fundamentals AZ-900


1. Exam and preparation resources

Exam updated on 2020/11/09 with a new syllabus, now organised in six parts:
  1. Azure Fundamentals part 1: Describe core Azure concepts

  2. Azure Fundamentals part 2: Describe core Azure services

  3. Azure Fundamentals part 3: Describe core solutions and management tools on Azure

  4. Azure Fundamentals part 4: Describe general security and network security features

  5. Azure Fundamentals part 5: Describe identity, governance, privacy, and compliance features

  6. Azure Fundamentals part 6: Describe Azure cost management and service level agreements

How the certification exam works:

  • 40 to 60 questions in 1 hour

  • minimum score of 700 / 1000

📎
For more information on the AZ-900 certification, see the description written by testprep training: https://www.testpreptraining.com/blog/how-to-pass-microsoft-az-900-exam/
Skills measured by the AZ-900 certification

azure az900 AVTD part1 01

📎
Azure Virtual Training Days: Fundamentals

For information, I attended the "Azure Virtual Training Days : Notions de bases" on 18 and 19/05 (6 hours in total).
Their content is much less in-depth than the information in the Microsoft "Learn" documentation, so they are really not mandatory for the exam.

Nevertheless, several demos are presented there, and I have added the interesting information I noted to this doc with the "AVTD" prefix.

The Microsoft trainer was Mehdi SEBBANE, Azure Technical Trainer Microsoft.
12 years at Microsoft, based in Vancouver (Canada), PFE Identity and Security.

📎

A large part of my notes comes from the Microsoft Learn documentation, but not only 😉
I also used the "global" Microsoft documentation and various sites, some of which I list in the Resources section

⚠️
My feedback on the exam (certification obtained on 04/06/2021)
  • First remark: the Azure Virtual Training Days are far from sufficient to pass the exam

  • The questions asked look much more like those of the testprep training practice test than those of Thomas Mitchell's Mock Exam (which are simpler).

  • Several questions are not covered in the Microsoft Learn path, and therefore require some serious cramming with preparation mock exams.

    • Here is an example:

      Which statement accurately describes the Modern Lifecycle Policy for Azure services?
      
      A. Microsoft provides mainstream support for a service for five years.
      B. Microsoft provides a minimum of 12 months notice before ending support for a service.
      C. After a service is made generally available, Microsoft provides support for the service for a minimum of four years.
      D. When a service is retired, you can purchase extended support for the service for up to five years.
    • The right answer is "B" (more details here and ), and tell me if you can find the information where it should have been, namely here: https://docs.microsoft.com/en-us/learn/modules/choose-azure-services-sla-lifecycle/5-access-preview-services.
      Personally, I don't see it there 😅

2. Azure Fundamentals part 1: Describe core Azure concepts

2.1. Introduction to Azure fundamentals

2.1.1. What is cloud computing?

Cloud computing: The delivery of computing services over the internet, which is otherwise known as the cloud. These services include servers, storage, databases, networking, software, analytics, and intelligence.

Cloud computing is a way to rent compute power and storage from someone else’s datacenter.

Cloud computing advantages:

  • High availability: Depending on the service-level agreement (SLA) that you choose, your cloud-based applications can provide a continuous user experience with no apparent downtime even when things go wrong.

  • Scalability: Applications in the cloud can be scaled in two ways:

    • Vertically: Computing capacity can be increased by adding RAM or CPUs to a virtual machine.

    • Horizontally: Computing capacity can be increased by adding instances of a resource, such as adding more virtual machines to your configuration.

  • Elasticity: Cloud-based applications can be configured to take advantage of autoscaling, so your applications will always have the resources they need.

    • AVTD - per the Microsoft trainer: elasticity is automated scalability.

  • Agility: Cloud-based resources can be deployed and configured quickly as your application requirements change.

  • Geo-distribution: Applications and data can be deployed to regional datacenters around the globe, so your customers always have the best performance in their region.

  • Disaster recovery: By taking advantage of cloud-based backup services, data replication, and geo-distribution, you can deploy your applications with the confidence that comes from knowing that your data is safe in the event that disaster should occur.

Cloud service models: IaaS / PaaS / SaaS

azure az900 09
AVTD - The 3 types of cloud services: IaaS, PaaS, SaaS

azure az900 AVTD part1 04

azure az900 10
levels of responsibility between a cloud provider and a cloud tenant
  • What is PaaS? :

    • Cloud platform services, also known as Platform as a Service (PaaS), provide a managed platform (runtime, middleware and the underlying servers, storage and networking) on which developers build and run their own applications.
      The platform provider (or the enterprise's own platform team) operates the servers, storage and networking; the developers keep control of the applications and their data.
      PaaS provides a platform for software creation.

    • Examples of PaaS: AWS Elastic Beanstalk, Windows Azure, Heroku, Force.com, Google App Engine, OpenShift

    • See https://azure.microsoft.com/en-gb/overview/what-is-paas/ or https://www.bmc.com/blogs/saas-vs-paas-vs-iaas-whats-the-difference-and-how-to-choose/

Serverless computing: With serverless applications, the cloud service provider automatically provisions, scales, and manages the infrastructure required to run the code. Serverless architectures are highly scalable and event-driven. They use resources only when a specific function or trigger occurs.

public, private and hybrid clouds

azure az900 11

  • public cloud: Services are offered over the public internet and available to anyone who wants to purchase them. Cloud resources like servers and storage are owned and operated by a third-party cloud service provider and delivered over the internet.

    • public cloud is treated as OpEx

  • private cloud: Computing resources are used exclusively by users from one business or organization. A private cloud can be physically located at your organization’s on-site datacenter. It also can be hosted by a third-party service provider.

    • private cloud is treated as CapEx

  • hybrid cloud: This computing environment combines a public cloud and a private cloud by allowing data and applications to be shared between them.

AVTD - 3 types of cloud: public, private and hybrid

azure az900 AVTD part1 02

2.1.2. What is Azure?

azure az900 12
How does Azure work?

Azure portal: a web-based, unified console that provides an alternative to command-line tools.

azure az900 13
Azure services

Most commonly used categories:

  • Compute Services: including micro-services

  • Networking features

  • Storage

    • Azure Blob storage: Storage service for very large objects, such as video files or bitmaps

    • Azure File storage: File shares that can be accessed and managed like a file server

    • Azure Queue storage: A data store for queuing and reliably delivering messages between applications

    • Azure Table storage: A NoSQL store that hosts unstructured data independent of any schema

  • Mobile

  • Databases

  • Web

  • Internet of Things

  • Big Data

  • Artificial Intelligence

    • includes cognitive services, such as vision, speech, knowledge mapping, Bing search, Natural Language Processing.

  • DevOps

  • App hosting: to run your entire web application on a managed platform in Windows or Linux

  • Integration: logic apps and service bus

  • Security

2.2. Discuss Azure fundamental concepts

  • Cloud service providers operate on a consumption-based model, which means that end users only pay for the resources that they use.

  • Cloud services are categorized as OpEx (Operational Expenditure) and not CapEx (Capital Expenditure), OpEx being a consumption-based model.

  • CapEx: Capital Expenditure. This is the up front spending of money on physical infrastructure, and then deducting that up front expense over time. The up front cost from CapEx has a value that reduces over time.

  • OpEx: Operational Expenditure. This is spending money on services or products now and being billed for them now. You can deduct this expense in the same year you spend it. There is no up front cost, as you pay for a service or product as you use it.

    • OpEx is associated with the notion of "pay-as-you-go"

AVTD - OpEx vs CapEx

azure az900 AVTD part1 03

IaaS, PaaS, and SaaS each contain different levels of managed services. You may easily use a combination of these types of infrastructure. You could use Microsoft 365 on your company’s computers (SaaS), and in Azure you could host your VMs (IaaS) and use Azure SQL Database (PaaS) to store your data. With the cloud’s flexibility, you can use any combination that provides you with the maximum result.

2.3. Describe core Azure architectural components

The organizing structure for resources in Azure has 4 levels: management groups, subscriptions, resource groups and resources.

azure az900 14

2.3.1. Azure subscription

  • A subscription provides you with authenticated and authorized access to Azure products and services. It also allows you to provision resources. An Azure subscription is a logical unit of Azure services that links to an Azure account, which is an identity in Azure Active Directory (Azure AD) or in a directory that Azure AD trusts.

  • An account can have one subscription or multiple subscriptions that have different billing models and to which you apply different access-management policies.

  • Azure applies access-management policies at the subscription level.

  • A subscription is a set of Azure services bundled together for tracking and billing purposes.

azure az900 15
Billing customization

2.3.2. Azure Management groups

  • Level of scope above subscriptions.

  • All subscriptions within a management group automatically inherit the conditions applied to the management group.

  • All subscriptions within a single management group must trust the same Azure AD tenant.

azure az900 16

Important facts about management groups:

  • 10 000 management groups can be supported in a single directory.

  • A management group tree can support up to 6 levels of depth. This limit doesn’t include the root level or the subscription level.

  • Each management group and subscription can support only one parent.

  • Each management group can have many children.

  • All subscriptions and management groups are within a single hierarchy in each directory.

2.3.3. Resource

A manageable item that’s available through Azure. Virtual machines (VMs), storage accounts, web apps, databases, and virtual networks are examples of resources.

2.3.4. Resource group

  • A resource group is a logical container for resources deployed on Azure.

  • All resources must be in a resource group, and a resource can only be a member of a single resource group.

  • Resource groups can’t be nested.

  • If you delete a resource group, all resources contained within it are also deleted.

  • Resource groups are also a scope for applying role-based access control (RBAC) permissions.
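How a role assignment made at a management group, subscription or resource group reaches the resources below it, written as an added example for these notes (it is not Microsoft code and does not call Azure; the scope ID formats are the real ARM ones, but every management group, subscription, resource group, principal and role assignment in it is constructed):

```python
"""Model of how Azure RBAC role assignments flow down the
management group > subscription > resource group > resource hierarchy.

Added illustration for these notes, not Microsoft code and not an SDK
call: the scope ID formats are the real ARM ones, but the management
groups, subscriptions, resource groups, principals and role assignments
below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

MG = "/providers/Microsoft.Management/managementGroups/"

# Constructed hierarchy, child scope -> parent scope. Management-group
# membership is a separate relationship in Azure (a subscription's ARM ID
# does not contain its management group), so it is stored explicitly.
PARENT = {
    MG + "mg-landing-zones": MG + "mg-root",
    MG + "mg-prod": MG + "mg-landing-zones",
    "/subscriptions/11111111-prod": MG + "mg-prod",
    "/subscriptions/22222222-sandbox": MG + "mg-root",
}


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str


# Constructed assignments: a tenant-wide Reader, a resource-group-scoped
# Contributor and an Owner on the landing-zone subtree only.
ASSIGNMENTS = [
    Assignment("alice", "Reader", MG + "mg-root"),
    Assignment("bob", "Contributor", "/subscriptions/11111111-prod/resourceGroups/rg-web"),
    Assignment("carol", "Owner", MG + "mg-landing-zones"),
]


def parent_scope(scope: str) -> Optional[str]:
    """Enclosing scope of `scope`, or None at the root management group.

    Azure compares scope IDs case-insensitively; this model simply keeps
    the casing used in PARENT and ASSIGNMENTS, so use it consistently.
    """
    if scope in PARENT:                                  # MG or subscription
        return PARENT[scope]
    if scope.startswith("/subscriptions/") and "/providers/" in scope:
        return scope.split("/providers/", 1)[0]          # resource -> RG
    if "/resourceGroups/" in scope:
        return scope.split("/resourceGroups/", 1)[0]     # RG -> subscription
    return None                                          # root (or unknown)


def scope_chain(scope: str) -> list:
    """`scope` followed by every ancestor up to the root management group."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = parent_scope(scope)
    return chain


def effective_roles(principal: str, scope: str, assignments=ASSIGNMENTS) -> list:
    """Roles `principal` holds at `scope`: every assignment made at that
    scope or at any ancestor applies (inheritance only flows downward)."""
    ancestors = set(scope_chain(scope))
    return sorted({a.role for a in assignments
                   if a.principal == principal and a.scope in ancestors})


def management_group_depth(mg_scope: str) -> int:
    """Number of management-group levels below the root (root = 0).
    Azure allows at most 6 such levels, not counting root or subscriptions."""
    depth = 0
    while (mg_scope := parent_scope(mg_scope)) is not None:
        depth += 1
    return depth


if __name__ == "__main__":
    vm = ("/subscriptions/11111111-prod/resourceGroups/rg-web"
          "/providers/Microsoft.Compute/virtualMachines/vm-web-01")
    for who in ("alice", "bob", "carol"):
        print(who, effective_roles(who, vm))
    print("depth of mg-prod:", management_group_depth(MG + "mg-prod"))
```

Running it shows alice's Reader role, assigned at the root management group, reaching a VM five levels down, while bob's Contributor assignment on rg-web does not reach the subscription above it and carol's Owner role never reaches the sandbox subscription that sits outside her subtree. The practical consequence for least privilege: a role granted at the root or at a high management group is granted on every current and future subscription underneath, so assign at the narrowest scope that does the job, and keep the 6-level depth limit in mind when designing the tree.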

2.3.5. Azure Resource Manager

  • Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account.

azure az900 17
When a user sends a request from any of the Azure tools, APIs, or SDKs, Resource Manager receives the request.

As benefits, it allows you to:

  • Manage your infrastructure through declarative templates rather than scripts. A Resource Manager template is a JSON file that defines what you want to deploy to Azure.

  • Apply access control to all services because role-based access control (RBAC) is natively integrated into the management platform.

  • Clarify your organization’s billing by viewing costs for a group of resources that share the same tag.

2.3.6. Azure regions

Resources are created in regions, which are different geographical locations around the globe that contain Azure datacenters.
A region is a geographical area on the planet that contains at least one but potentially multiple datacenters that are nearby and networked together with a low-latency network.

2 datacenter locations in France for Azure, Paris and Marseille (corresponding to 2 "regions", France Central and France South)
https://azure.microsoft.com/fr-fr/global-infrastructure/geographies/

A few examples of regions are West US, Canada Central, West Europe, Australia East, and Japan West. At the time of writing this, Azure is generally available in 60 regions and available in 140 countries.

azure az900 04

Per the Microsoft site, "Azure has more global regions than any other cloud provider"

2.3.7. Azure availability zones

Availability zones are physically separate datacenters within an Azure region. Each availability zone is made up of one or more datacenters equipped with independent power, cooling, and networking.
An availability zone is set up to be an isolation boundary. If one zone goes down, the other continues working. Availability zones are connected through high-speed, private fiber-optic networks.

  • Availability zones are offered as a service within Azure, and to ensure resiliency, there’s a minimum of three separate zones in all enabled regions.

  • Availability Zones are primarily for VMs, managed disks, load balancers, and SQL databases.

azure az900 18
AVTD - Availability zones

azure az900 AVTD part1 07

2.3.8. Azure region pairs

It’s possible that a large disaster could cause an outage big enough to affect even two datacenters. That’s why Azure also creates region pairs.

📎
Azure geographies

Azure divides the world into geographies that are defined by geopolitical boundaries or country borders. An Azure geography is a discrete market typically containing two or more regions that preserves data residency and compliance boundaries.

  • Each Azure region is always paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away.

  • Data continues to reside within the same geography as its pair (except for Brazil South) for tax and law enforcement jurisdiction purposes.

azure az900 19
AVTD - Region pairs

azure az900 AVTD part1 06

📎
In all cases (such as cross-region replication), the bandwidth is billed to the customer

3. Azure Fundamentals part 2: Describe core Azure services

3.1. Explore Azure database and analytics services

3.1.1. Explore Azure Cosmos DB

Azure Cosmos DB is a globally distributed, multi-model database service.
You can elastically and independently scale throughput and storage across any number of Azure regions worldwide.
You can take advantage of fast, single-digit-millisecond data access by using any one of several popular APIs.
Azure Cosmos DB provides comprehensive service level agreements for throughput, latency, availability, and consistency guarantees.

Azure Cosmos DB is flexible. At the lowest level, Azure Cosmos DB stores data in atom-record-sequence (ARS) format.
The data is then abstracted and projected as an API, which you specify when you’re creating your database.
Your choices include SQL, MongoDB, Cassandra, Tables, and Gremlin.
This level of flexibility means that as you migrate your company’s databases to Azure Cosmos DB, your developers can stick with the API that they’re the most comfortable with.

📎
atom-record-sequence (ARS) format
  • You can write data in SQL API and read it in Gremlin API as a graph. If it wasn’t for ARS, it would not be possible.
    The goal of Cosmos DB is to have all its APIs fully inter-operable like this and ARS is the foundational piece to make it happen.

  • This solution seems to work when you throw enough hardware at it.

Atoms consist of a small set of primitive types like string, bool, and number. Records are structs composed of these types. Sequences are arrays consisting of atoms, records, or sequences.
The database engine can efficiently translate and project different data models onto the ARS-based data model.
The core data model of Cosmos DB is natively accessible from dynamically typed programming languages and can be exposed as-is as JSON.

3.1.2. Explore Azure SQL Database

  • Azure SQL Database is a relational database based on the latest stable version of the Microsoft SQL Server database engine.

  • It is a platform as a service (PaaS) database engine.

    Yes, Azure SQL Database is indeed considered PaaS and not SaaS.
    A number of AZ-900 questions rely on this.

    The reason for PaaS rather than SaaS seems to be that Azure SQL Database offers more management / configuration options (High Availability, Disaster Recovery, etc.) than a SaaS solution would.
    More details on this topic can be found here.

  • It provides 99.99% availability ("four nines")

  • Microsoft explains that the newest capabilities of SQL Server are released first to SQL Database, and then to SQL Server itself.

  • You can migrate your existing SQL Server databases with minimal downtime by using the Azure Database Migration Service.

  • Per the trainer, this database service is globally distributed, unlike the Azure implementations of MySQL and PostgreSQL, which are tied to 1 region.

3.1.3. Explore Azure SQL Managed Instance

  • Like Azure SQL Database, Azure SQL Managed Instance is a platform as a service (PaaS) database engine.

  • 99.99% uptime service level agreement (SLA)

  • Azure SQL Managed Instance makes it easy to migrate your on-premises data on SQL Server to the cloud using the Azure Database Migration Service (DMS) or native backup and restore.

Azure SQL Database and Azure SQL Managed Instance offer many of the same features; however, Azure SQL Managed Instance provides several options that might not be available to Azure SQL Database.
For a detailed list of the differences between Azure SQL Database and Azure SQL Managed Instance, check https://docs.microsoft.com/en-us/azure/azure-sql/database/features-comparison.

Here are some examples of differences:

  • Change Data Capture is only possible with Azure SQL Managed Instance

  • Azure SQL Database uses only the default "SQL_Latin1_General_CP1_CI_AS" server collation and it cannot be changed, whereas Azure SQL Managed Instance lets you choose the server collation (a Cyrillic one, for example) when the instance is created. Database-level collation can still be chosen per database in both services.

📎
Change Data Capture
For complete details about Change Data Capture, check the SQL Server description of this feature

3.1.4. Explore Azure database for MySQL

  • Azure Database for MySQL is a relational database service in the cloud

  • Based on the MySQL Community Edition database engine, versions 5.6, 5.7, and 8.0

  • You have a 99.99 percent availability service level agreement from Azure

  • You can use point-in-time restore to recover a server to an earlier state, as far back as 35 days

  • You can migrate your existing MySQL databases with minimal downtime by using the Azure Database Migration Service

azure az900 20

3.1.5. Explore Azure database for PostgreSQL

  • Azure Database for PostgreSQL is a relational database service in the cloud.

  • Based on the community version of the open-source PostgreSQL database engine.

  • Adjustable automatic backups and point-in-time-restore for up to 35 days.

  • Enterprise-grade security and compliance to protect sensitive data at-rest and in-motion. This security covers data encryption on disk and SSL encryption between client and server communication.

  • Azure Database for PostgreSQL is available in two deployment options: Single Server and Hyperscale (Citus).

Single Server deployment:

  • Built-in high availability with no additional cost (99.99% SLA).

  • Ability to protect sensitive data at-rest and in-motion.

  • Automatic backups and point-in-time-restore for up to 35 days.

Hyperscale (Citus):

The Hyperscale (Citus) option horizontally scales queries across multiple machines by using sharding. Its query engine parallelizes incoming SQL queries across these servers for faster responses on large datasets. It serves applications that require greater scale and performance, generally workloads that are approaching, or already exceed, 100 GB of data.

The Hyperscale (Citus) deployment option supports multi-tenant applications, real-time operational analytics, and high throughput transactional workloads. Applications built for PostgreSQL can run distributed queries on Hyperscale (Citus) with standard connection libraries and minimal changes.

3.1.6. Explore big data and analytics

Microsoft Azure supports a broad range of technologies and services to provide big data and analytic solutions, including:

  • Azure Synapse Analytics (formerly Azure SQL Data Warehouse)

    • limitless analytics service that brings together data integration, enterprise data warehousing, and big data analytics.

    • gives you the freedom to query data on your terms, using either serverless or dedicated resources—at scale.

    • unified experience to ingest, explore, prepare, manage, and serve data for immediate BI and machine learning needs.

    • a good, logical, choice for analyzing large volumes of data

    • See Microsoft documentation: https://azure.microsoft.com/en-us/services/synapse-analytics/

  • Azure HDInsight ("Hadoop and Distributed Insight")

    • fully managed, open-source analytics service for enterprises

    • You can run popular open-source frameworks and create cluster types such as Apache Spark, Apache Hadoop, Apache Kafka, Apache HBase, Apache Storm, and Machine Learning Services.

    • supports a broad range of scenarios such as extraction, transformation, and loading (ETL), data warehousing, machine learning, and IoT.

  • Azure Databricks

    • set up your Apache Spark environment in minutes, and then autoscale and collaborate on shared projects in an interactive workspace.

    • supports Python, Scala, R, Java, and SQL, as well as data science frameworks and libraries including TensorFlow, PyTorch, and scikit-learn.

  • Azure Data Lake Analytics

    • on-demand analytics job service that simplifies big data.

    • Instead of deploying, configuring, and tuning hardware, you write queries to transform your data and extract valuable insights.

    • You only pay for your job when it’s running, making it more cost-effective.

  • Azure Event Grid

    • allows reliable event delivery at massive scale

    • Simplify your event-based apps with Event Grid, a single service for managing routing of all events from any source to any destination.
      Designed for high availability, consistent performance, and dynamic scale, Event Grid lets you focus on your app logic rather than infrastructure.

    • For example, use Event Grid to instantly trigger a serverless function to run image analysis each time a new photo is added to a blob storage container.

    • Event Grid can distribute events from different sources like Azure Blob Storage or Azure Media Services to different handlers like Azure Function (Event Grid trigger function) or Webhook.
      It is a pub-sub model (underlying concept of topics and subscriptions):

      azure az900 55

    • For additional resources, check Microsoft documentation: https://azure.microsoft.com/en-us/services/event-grid/ and this excellent article How To Build A Reactive Solution With Azure Event Grid

      • This last article also presents Azure Service Bus and explains the differences between Event Grid and Service Bus.
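The handshake and routing that an Event Grid webhook subscriber has to implement, as an added example for these notes (framework-agnostic Python; not code from the page or from Microsoft). The header and event field names (aeg-event-type, eventType, data.validationCode, data.contentType, data.url) are Event Grid's own; the shared token, the storage account, the blob URLs and the sample events are constructed:

```python
"""Webhook subscriber logic for Azure Event Grid: the subscription
validation handshake plus routing of delivered events by eventType.
Added example for these notes, not code from Microsoft or from the page;
the HTTP framework is left out, so the function takes the parsed request
parts and returns (status, json_body). Header and field names are Event
Grid's; the token, storage account, URLs and sample events are made up.
"""
import hmac
import json
from urllib.parse import parse_qs

VALIDATION_EVENT = "Microsoft.EventGrid.SubscriptionValidationEvent"
BLOB_CREATED = "Microsoft.Storage.BlobCreated"
IMAGE_TYPES = {"image/jpeg", "image/png"}


def handle_event_grid_request(headers, query_string, body, expected_token):
    """Process one HTTP POST from Event Grid; return (status, response)."""
    # A webhook URL is reachable by anyone who learns it, so check the
    # secret that was put in the subscription endpoint's query string
    # before trusting anything in the body (constant-time compare).
    token = parse_qs(query_string).get("token", [""])[0]
    if not hmac.compare_digest(token, expected_token):
        return 401, {"error": "missing or invalid token"}

    try:
        events = json.loads(body)
    except json.JSONDecodeError:
        return 400, {"error": "body is not JSON"}
    if not isinstance(events, list):
        return 400, {"error": "Event Grid posts a JSON array of events"}

    aeg_type = {k.lower(): v for k, v in headers.items()}.get("aeg-event-type")

    # Handshake: when the subscription is created, Event Grid POSTs one
    # validation event and delivers nothing until validationCode is echoed.
    if aeg_type == "SubscriptionValidation":
        for ev in events:
            if ev.get("eventType") == VALIDATION_EVENT:
                return 200, {"validationResponse": ev["data"]["validationCode"]}
        return 400, {"error": "validation request without a validation event"}

    # Normal delivery (aeg-event-type: Notification): keep the image blobs
    # for the "analyse each new photo" scenario, skip everything else.
    to_analyse, skipped = [], []
    for ev in events:
        data = ev.get("data") or {}
        if ev.get("eventType") == BLOB_CREATED and data.get("contentType") in IMAGE_TYPES:
            to_analyse.append(data["url"])
        else:
            skipped.append(ev.get("eventType"))
    return 200, {"analyse": to_analyse, "skipped": skipped}


# Constructed sample payloads in the Event Grid event schema.
SAMPLE_VALIDATION = json.dumps([{
    "id": "2d1781af-3a4c-4d7c-bd0c-e34b19da4e66",
    "topic": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"
             "/rg-web/providers/Microsoft.Storage/storageAccounts/examplestore",
    "subject": "",
    "eventType": VALIDATION_EVENT,
    "eventTime": "2021-06-01T10:00:00.000Z",
    "data": {"validationCode": "512d38b6-c7b8-40c8-89fe-f46f9e9622b6"},
    "dataVersion": "2",
    "metadataVersion": "1",
}])


def _blob_event(event_type, name, content_type):
    """Build one constructed storage event for the samples below."""
    return {
        "id": "evt-" + name,
        "eventType": event_type,
        "subject": "/blobServices/default/containers/photos/blobs/" + name,
        "eventTime": "2021-06-01T10:05:00Z",
        "data": {"contentType": content_type,
                 "url": "https://examplestore.blob.core.windows.net/photos/" + name},
        "dataVersion": "",
        "metadataVersion": "1",
    }


SAMPLE_NOTIFICATION = json.dumps([
    _blob_event(BLOB_CREATED, "cat.png", "image/png"),
    _blob_event(BLOB_CREATED, "notes.txt", "text/plain"),
    _blob_event("Microsoft.Storage.BlobDeleted", "old.jpg", "image/jpeg"),
])

if __name__ == "__main__":
    print(handle_event_grid_request({"aeg-event-type": "SubscriptionValidation"},
                                    "token=s3cret", SAMPLE_VALIDATION, "s3cret"))
    print(handle_event_grid_request({"aeg-event-type": "Notification"},
                                    "token=s3cret", SAMPLE_NOTIFICATION, "s3cret"))
```

Event Grid does not deliver a single notification until the endpoint has echoed the validationCode (or someone has opened the validationUrl it also sends), and deliveries that do not get a 2xx in time are retried and eventually dead-lettered or dropped. The token check matters because the webhook URL is reachable by anyone who knows it: Event Grid lets you include a secret as a query parameter of the endpoint URL when creating the subscription, and it sends it with every delivery; protecting the endpoint with Azure AD is the stronger option.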

3.2. Explore Azure compute services

Azure compute solutions are built on the following underlying services:

  • Virtual machines :
    Virtual Machines provides infrastructure as a service (IaaS) and can be used in different ways. When you need total control over an operating system and environment, VMs are an ideal choice.

  • Virtual machine scale sets :
    Virtual machine scale sets are an Azure compute resource that you can use to deploy and manage a set of identical VMs. With all VMs configured the same, virtual machine scale sets are designed to support true autoscale. No pre-provisioning of VMs is required. For this reason, it’s easier to build large-scale services targeting big compute, big data, and containerized workloads. As demand goes up, more VM instances can be added. As demand goes down, VM instances can be removed. The process can be manual, automated, or a combination of both.

  • Containers and Kubernetes

  • App Service :
    App Service is a platform as a service (PaaS) offering.

  • Functions (or serverless computing) :
    Functions are ideal when you’re concerned only about the code running your service and not the underlying platform or infrastructure. They’re commonly used when you need to perform work in response to an event (often via a REST request), timer, or message from another Azure service, and when that work can be completed quickly, within seconds or less.

3.2.1. When to use Azure Virtual Machines

  • Azure Batch enables large-scale parallel and high-performance computing (HPC) batch jobs with the ability to scale to tens, hundreds, or thousands of VMs.
    When you're ready to run a job, Batch does the following:

    • starts a pool of compute VMs for you

    • installs applications and staging data

    • runs jobs with as many tasks as you have

    • identifies failures

    • requeues work

    • scales down the pool as work completes

Azure Virtual Machines sizes and descriptions

azure az900 57

3.2.2. When to use Azure Container Instances or Azure Kubernetes Service

While virtual machines are an excellent way to reduce costs versus the investments that are necessary for physical hardware, they’re still limited to a single operating system per virtual machine. If you want to run multiple instances of an application on a single host machine, containers are an excellent choice.

  • it reminds us of a downside of VMs: 1 VM can only run 1 OS at a time

    • If multiple server apps require different runtime environments, they may also require multiple VMs to run properly

  • Also, "short" tasks (like starting an app) are pretty slow with VMs, because creating and starting a VM is slow: it boots a full guest operating system, whereas a container only starts a process on the host's kernel

Difference between VMs and Containers
VMs virtualize the hardware, while Containers virtualize the OS

As a conclusion, you choose a VM if you need high flexibility and complete control over the environment.
In all other cases, containers should be preferred.

There are two ways to manage both Docker and Microsoft-based containers in Azure: Azure Container Instances and Azure Kubernetes Service (AKS).

A very good, short video to present Kubernetes: https://www.microsoft.com/videoplayer/embed/RE2yEuX

📎
Reminder
A microservice can be scaled independently of others.

A microservice architecture is more appropriate when:

  • you have a large application that requires high release velocity

  • you have complex application that needs to be highly scalable

  • you have applications with rich domains or many subdomains

  • you have an organisation that consists of small development teams

3.2.3. When to use Azure App Service

App Service enables you to build and host web apps, background jobs, mobile back-ends, and RESTful APIs in the programming language of your choice without managing infrastructure.
It offers automatic scaling and high availability. App Service supports Windows and Linux and enables automated deployments from GitHub, Azure DevOps, or any Git repo to support a continuous deployment model.
This platform as a service (PaaS) environment allows you to focus on the website and API logic while Azure handles the infrastructure to run and scale your web applications.

API apps: Much like hosting a website, you can build REST-based web APIs by using your choice of language and framework. You get full Swagger support and the ability to package and publish your API in Azure Marketplace. The produced apps can be consumed from any HTTP or HTTPS-based client.

3.2.4. When to use Azure Functions

If your application spends a large amount of time waiting for a particular input before it performs any processing, then, to reduce costs, you may want to avoid paying for the time the application spends waiting. Functions (serverless computing) can be a good option in that case.

  • With serverless computing, you pay only for the time your code runs.

  • Scaling and performance are handled automatically. You’re billed only for the exact resources you use. There’s no need to even reserve capacity.

Serverless computing includes the abstraction of servers (no infrastructure management), an event-driven scale, and micro-billing

  • Event-driven scale: Serverless computing is an excellent fit for workloads that respond to incoming events

Azure has two implementations of serverless compute:

  • Azure Functions: Functions can execute code in almost any modern language.

  • Azure Logic Apps: Logic apps are designed in a web-based designer and can execute logic triggered by Azure services without writing any code.

    • For this reason, it’s ideal for a business analyst role.

Functions are commonly used when you need to perform work in response to an event (often via a REST request), timer, or message from another Azure service, and when that work can be completed quickly, within seconds or less.

Where functions execute code, logic apps execute workflows that are designed to automate business scenarios and are built from predefined logic blocks.

Functions and Logic Apps can both create complex orchestrations, which are collections of functions or steps that are executed to accomplish a complex task.

  • with Functions, you write code to complete each step.

  • with Logic Apps, you use a GUI to define the actions and how they relate to one another.

Functions are normally stateless, but Durable Functions provide state.
Logic Apps are always stateful.

3.2.5. When to use Windows Virtual Desktop

Windows Virtual Desktop on Azure is a desktop and application virtualization service that runs on the cloud. It enables your users to use a cloud-hosted version of Windows from any location. Windows Virtual Desktop works across devices like Windows, Mac, iOS, Android, and Linux.

Windows Virtual Desktop architecture

azure az900 21

Windows Virtual Desktop is a recent solution; its public preview was announced in 2019/03.

User sign-in to Windows Virtual Desktop is fast because user profiles are containerized by using FSLogix. At sign-in, the user profile container is dynamically attached to the computing environment. The user profile is immediately available and appears in the system exactly like a native user profile.

3.3. Explore Azure Storage services

Context

Suppose your company, Tailwind Traders, has a number of product brochures, datasheets, product images, and other files that are related to marketing, sales, and support. In the past, your company has been hosting these files on standalone web servers in your datacenter.

  • Azure Storage is a service that you can use to store files, messages, tables, and other types of information.

  • An Azure Storage account is required to store your data objects.

📎
Azure VMs use Azure Disk Storage to store virtual disks. However, you can’t use Azure Disk Storage to store a disk outside of a virtual machine.

3.3.1. Disk storage fundamentals

Disk Storage provides disks for Azure virtual machines, and allows data to be persistently stored and accessed from an attached virtual hard disk.

3.3.2. Azure Blob storage fundamentals

Azure Blob Storage is an object storage solution for the cloud. It can store massive amounts of data, such as text or binary data. Azure Blob Storage is unstructured, meaning that there are no restrictions on the kinds of data it can hold. Blob Storage can manage thousands of simultaneous uploads, massive amounts of video data, constantly growing log files, and can be reached from anywhere with an internet connection.

Blob Storage is ideal for:

  • Serving images or documents directly to a browser.

  • Storing files for distributed access.

  • Streaming video and audio.

  • Storing data for backup and restore, disaster recovery, and archiving.

  • Storing data for analysis by an on-premises or Azure-hosted service.

  • Storing up to 8 TB of data for virtual machines.

📎

Azure Blob Storage is your best option for storing disaster recovery files and archives.

For a comparison of Azure Blob storage vs Azure Data Lake, see :
https://blog.pragmaticworks.com/azure-data-lake-vs-azure-blob-storage-in-data-warehousing

3.3.3. Azure Files fundamentals

Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) and Network File System (NFS) (preview) protocols.

  • Azure Files ensures the data is encrypted at rest, and the SMB protocol ensures the data is encrypted in transit.

  • Data stored in Azure Files can be mounted concurrently by cloud and on-premises deployments, using the SMB and NFS protocols.

3.3.4. Understanding Blob access tiers

Azure provides several access tiers that you can use to balance storage costs against access needs, which vary with how frequently the data is accessed and how long it must be retained.

  • Hot access tier: Optimized for storing data that is accessed frequently (for example, images for your website).

  • Cool access tier: Optimized for data that is infrequently accessed and stored for at least 30 days (for example, invoices for your customers).

  • Archive access tier: Appropriate for data that is rarely accessed and stored for at least 180 days, with flexible latency requirements (for example, long-term backups).


  • Only the hot and cool access tiers can be set at the account level. The archive access tier isn’t available at the account level.

  • Hot, cool, and archive tiers can be set at the blob level, during upload or after upload.

  • Data in the cool access tier can tolerate slightly lower availability, but still requires high durability, retrieval latency, and throughput characteristics similar to hot data. For cool data, a slightly lower availability service-level agreement (SLA) and higher access costs compared to hot data are acceptable trade-offs for lower storage costs.

  • Archive storage stores data offline and offers the lowest storage costs, but also the highest costs to rehydrate and access data.

3.4. Explore Azure networking services

3.4.1. Azure Virtual Network fundamentals

Azure virtual networks (or Azure VNet) enable Azure resources, such as VMs, web apps, and databases, to communicate with each other, with users on the internet, and with your on-premises client computers.

Virtual Network allows you to create multiple isolated virtual networks. When you set up a virtual network, you define a private IP address space by using either public or private IP address ranges.

For name resolution, you can use the name resolution service that’s built in to Azure. You also can configure the virtual network to use either an internal or an external DNS server.

Communication between Azure resources can use one of the following 2 options:

  • Virtual networks

  • Service endpoints

Communication with on-premises resources can use one of the following mechanisms:

  • Point-to-site virtual private networks

    • the client computer initiates an encrypted VPN connection to Azure to connect that computer to the Azure virtual network.

  • Site-to-site virtual private networks

    • links your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network.

    • The connection is encrypted and works over the internet.

  • Azure ExpressRoute

    • For environments where you need greater bandwidth and even higher levels of security.

    • provides dedicated private connectivity to Azure that doesn’t travel over the internet.

    📎
    AVTD

    For traffic over a virtual private network, ICMP (Internet Control Message Protocol) must be enabled between the virtual machines.

    During his demo, the trainer enabled it via PowerShell:
    [Screenshot: ICMP enabled via PowerShell during the demo]

Route network traffic.
By default, Azure routes traffic between subnets on any connected virtual networks, on-premises networks, and the internet. You also can control routing and override those settings, as follows:

  • Route tables: A route table allows you to define rules about how traffic should be directed. You can create custom route tables that control how packets are routed between subnets.

  • Border Gateway Protocol: Border Gateway Protocol (BGP) works with Azure VPN gateways or ExpressRoute to propagate on-premises BGP routes to Azure virtual networks.

Azure virtual networks enable you to filter network traffic between subnets by using the following approaches:

  • Network security groups: A network security group is an Azure resource that can contain multiple inbound and outbound security rules.

  • Network virtual appliances: A network virtual appliance is a specialized VM that carries out a particular network function, such as running a firewall or performing wide area network (WAN) optimization.

Connect virtual networks

  • You can link virtual networks together by using virtual network peering.

  • UDR (user-defined routing) allows network admins to control the routing tables between subnets, within a subnet, as well as between VNets.

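How the first-match-by-priority evaluation of a network security group plays out, as an added example written for these notes (a simplified model, not Azure's implementation or any Microsoft sample). The rule sets, packet addresses and VNet address space are constructed; the three default inbound rules and the service tags VirtualNetwork, Internet and AzureLoadBalancer follow Azure's documented behaviour, with AzureLoadBalancer reduced to the health-probe address 168.63.129.16. It shows a common audit finding: a broad Allow at a lower priority number silently overrides a Deny placed after it.

```python
"""Model of how an Azure network security group (NSG) evaluates inbound traffic.

Added example for these notes; a simplified model, not Azure's implementation.
Rules are evaluated in ascending priority order and the first rule whose
direction, protocol, source and destination port all match decides the
outcome; evaluation then stops. The default inbound rules (priorities 65000,
65001, 65500) sit behind every custom rule. Rule sets, addresses and the VNet
address space below are constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")                      # constructed VNet address space
LOAD_BALANCER_PROBE = ip_network("168.63.129.16/32")  # Azure health-probe source address


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number = evaluated first (custom rules: 100-4096)
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, "*" or a service tag (VirtualNetwork, Internet, AzureLoadBalancer)
    dest_port: str     # "443", "1000-2000" or "*"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src_ip: str
    dst_port: int


def _source_matches(selector: str, src_ip: str) -> bool:
    addr = ip_address(src_ip)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return addr in VNET
    if selector == "Internet":          # anything outside the VNet, in this model
        return addr not in VNET
    if selector == "AzureLoadBalancer":
        return addr in LOAD_BALANCER_PROBE
    return addr in ip_network(selector)


def _port_matches(selector: str, port: int) -> bool:
    if selector == "*":
        return True
    low, _, high = selector.partition("-")
    return int(low) <= port <= int(high or low)


DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]


def evaluate(custom_rules, packet):
    """Return (access, rule_name) of the first rule, by priority, that matches the packet."""
    rules = [r for r in list(custom_rules) + DEFAULT_INBOUND if r.direction == packet.direction]
    for rule in sorted(rules, key=lambda r: r.priority):
        if ((rule.protocol == "*" or rule.protocol.lower() == packet.protocol.lower())
                and _source_matches(rule.source, packet.src_ip)
                and _port_matches(rule.dest_port, packet.dst_port)):
            return rule.access, rule.name
    return "Deny", "no-rule-matched"   # not reached for inbound: DenyAllInBound always matches


# A rule set that looks safe at a glance: SSH from the Internet is denied ...
WEAK_RULES = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "443"),
    Rule("AllowAnyForTroubleshooting", 200, "Inbound", "Allow", "*", "*", "*"),
    Rule("DenySshFromInternet", 300, "Inbound", "Deny", "Tcp", "Internet", "22"),
]

# ... but priority 200 matches first, and the deny at 300 is never consulted.
# Hardened: the deny comes first and the catch-all allow is gone.
HARDENED_RULES = [
    Rule("DenySshFromInternet", 100, "Inbound", "Deny", "Tcp", "Internet", "22"),
    Rule("AllowHttpsFromInternet", 110, "Inbound", "Allow", "Tcp", "Internet", "443"),
]


def audit_ssh_exposure(custom_rules, src_ip="203.0.113.5"):
    """True if TCP/22 from the given (constructed, documentation-range) Internet address is allowed."""
    access, _ = evaluate(custom_rules, Packet("Inbound", "Tcp", src_ip, 22))
    return access == "Allow"


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, "- SSH from Internet allowed:", audit_ssh_exposure(rules))
```

When reviewing a real NSG, sort its rules by priority and walk them exactly this way; the portal's rule list is not always displayed in evaluation order, and a permissive rule with a low priority number is the first thing to look for.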

3.4.2. Azure Virtual Network settings

Settings to configure for the creation of a basic virtual network:

  • Network name

  • Address space

  • Subscription

  • Resource group

  • Location

  • Subnet

  • DDoS protection

  • Service endpoints

Once created, you can then configure:

  • Network security group

  • Route table

3.4.3. Azure VPN Gateway fundamentals

A virtual private network (VPN) is a type of private interconnected network.
VPNs use an encrypted tunnel within another network. So traffic is encrypted while traveling over the untrusted network to prevent eavesdropping or other attacks.

A VPN gateway is a type of virtual network gateway. Azure VPN Gateway instances are deployed in Azure Virtual Network instances and enable the following connectivity:

  • Connect on-premises datacenters to virtual networks through a site-to-site connection.

  • Connect individual devices to virtual networks through a point-to-site connection.

  • Connect virtual networks to other virtual networks through a network-to-network connection.

📎
You can deploy only 1 VPN gateway in each virtual network.

A VPN gateway can be one of 2 types; the difference between them is how the traffic to be encrypted is specified.

  • policy-based:

    • Policy-based VPN gateways statically specify the IP addresses of packets that should be encrypted through each tunnel.
      This type of device evaluates every data packet against those sets of IP addresses to choose the tunnel that packet is sent through.

  • route-based:

    • If defining which IP addresses are behind each tunnel is too cumbersome, route-based gateways can be used.

    • With route-based gateways, IPSec tunnels are modeled as a network interface or virtual tunnel interface. IP routing (either static routes or dynamic routing protocols) decides which one of these tunnel interfaces to use when sending each packet.

    • Can use dynamic routing protocols, where routing/forwarding tables direct traffic to different IPSec tunnels
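The two selection mechanisms side by side, as an added illustration that is not code from these notes or from Azure: a policy-based gateway walks a static list of (local prefix, remote prefix) traffic selectors, one entry per pair, whereas a route-based gateway treats each tunnel as an interface and picks one by longest prefix match on the destination. All prefixes, sites and tunnel names are constructed.

```python
"""Two ways a VPN gateway decides which IPsec tunnel carries a packet.

Added illustration for these notes, not code from Azure. Policy-based
gateways match each packet against static (local, remote) prefix pairs
(traffic selectors) configured per tunnel; route-based gateways model each
tunnel as a virtual tunnel interface (VTI) and let the routing table pick it
by longest prefix match on the destination. Prefixes and names are constructed.
"""
from itertools import product
from ipaddress import ip_address, ip_network

# Policy-based: one (local, remote, tunnel) selector per tunnel, evaluated in order.
POLICY_SELECTORS = [
    ("10.0.0.0/16", "192.168.10.0/24", "tunnel-siteA"),
    ("10.0.0.0/16", "192.168.20.0/24", "tunnel-siteB"),
]


def policy_based_tunnel(src, dst, selectors=POLICY_SELECTORS):
    """Return the tunnel whose selector covers both source and destination, else None."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote, tunnel in selectors:
        if s in ip_network(local) and d in ip_network(remote):
            return tunnel
    return None  # no selector matched: the packet is not sent through any tunnel


def expand_policy_selectors(local_prefixes, remote_prefixes, tunnel):
    """Every local/remote pair must be listed explicitly; the list grows as |local| x |remote|."""
    return [(l, r, tunnel) for l, r in product(local_prefixes, remote_prefixes)]


# Route-based: an ordinary routing table whose next hops are tunnel interfaces.
ROUTES = [
    ("192.168.0.0/16", "vti-siteA"),    # aggregate route towards the main site
    ("192.168.20.0/24", "vti-siteB"),   # more specific: the branch office
    ("0.0.0.0/0", "local-internet"),    # default route, not a tunnel
]


def route_based_tunnel(dst, routes=ROUTES):
    """Longest prefix match: the most specific route decides the outgoing interface."""
    d = ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


if __name__ == "__main__":
    print("policy-based 10.0.1.4 -> 192.168.20.7:", policy_based_tunnel("10.0.1.4", "192.168.20.7"))
    print("route-based  -> 192.168.20.7:", route_based_tunnel("192.168.20.7"))
    print("selectors for 3 local x 4 remote prefixes:",
          len(expand_policy_selectors(["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"],
                                      ["192.168.1.0/24", "192.168.2.0/24",
                                       "192.168.3.0/24", "192.168.4.0/24"], "tunnel-x")))
```

The expand_policy_selectors helper makes the "too cumbersome" remark above concrete: with a route-based gateway, adding a subnet means adding one route, whereas a policy-based gateway needs a selector for every local/remote combination, and a forgotten pair simply sends that traffic outside the tunnel.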

📎
A Basic VPN gateway should only be used for Dev/Test workloads. In addition, it’s unsupported to migrate from Basic to the VpnGW1/2/3/Az SKUs at a later time without having to remove the gateway and redeploy.
[Figure: Required Azure resources to deploy an operational VPN Gateway]

High-availability scenarios
  • By default, VPN gateways are deployed as 2 instances in an active/standby configuration, even if you only see 1 VPN gateway resource in Azure.

  • But, with the introduction of BGP routing protocol, you can also deploy VPN gateways in an active/active configuration.

    • In this case, you assign a unique public IP address to each instance. You then create separate tunnels from the on-premises device to each IP address.

[Figure: VPN gateway active/standby configuration]

[Figure: VPN gateway active/active configuration]

  • Another high-availability option is to configure a VPN gateway as a secure failover path for ExpressRoute connections.

  • In regions that support availability zones, VPN gateways and ExpressRoute gateways can be deployed in a zone-redundant configuration.

3.4.4. Azure ExpressRoute fundamentals

ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider.

ExpressRoute connections don’t go over the public Internet.
ExpressRoute does provide private connectivity, BUT it is NOT encrypted.


Dynamic routing: ExpressRoute uses the Border Gateway Protocol (BGP) routing protocol. BGP is used to exchange routes between on-premises networks and resources running in Azure. This protocol enables dynamic routing between your on-premises network and services running in the Microsoft cloud.

ExpressRoute connectivity models

3 models available to connect your on-premises network to the Microsoft Cloud:

  • Colocation at a Cloud Exchange

    • For example, if your datacenter is colocated at a cloud exchange such as an ISP, you can request a virtual cross-connection to the Microsoft cloud.

  • Point-to-point Ethernet connection

  • Any-to-any networks

4. Azure Fundamentals part 3: Describe core solutions and management tools on Azure

4.1. Choose the best AI service for your needs

Artificial Intelligence (AI) is a category of computing that adapts and improves its decision-making ability over time based on its successes and failures.

4.1.1. Identify the product options

There are two basic approaches to AI:

  • deep learning system: modeled on the neural network of the human mind, enabling it to discover, learn, and grow through experience.

  • machine learning: a data science technique that uses existing data to train a model, test it, and then apply the model to new data to forecast future behaviors, outcomes, and trends.

3 primary product offerings from Microsoft:

  • Azure Machine Learning

    • It consists of tools and services that allow you to connect to data to train and test models to find one that will most accurately predict a future result. After you’ve run experiments to test the model, you can deploy and use it in real time via a web API endpoint.

    • Choose Azure Machine Learning when your data scientists need complete control over the design and training of an algorithm using your own data.

  • Azure Cognitive Services

    • provides prebuilt machine learning models that enable applications to see, hear, speak, understand, and even begin to reason.
      You can perform sentiment analysis with Azure Cognitive Services.
      You don’t need special machine learning or data science knowledge to use these services.

    • While Azure Machine Learning requires you to bring your own data and train models over that data, Azure Cognitive Services, for the most part, provides pretrained models so that you can bring in your live data to get predictions on.

    • Azure Cognitive Services can be divided into the following categories: language, speech, vision, decision

  • Azure Bot Service

    • Azure Bot Service and Bot Framework are platforms for creating virtual agents that understand and reply to questions just like a human.

4.1.2. Analyze the decision criteria

  • First, are you building a virtual agent that interfaces with humans via natural language?
    In this case you can use:

    • QnA Maker

    • Power Virtual Agents, Microsoft Power Platform, Power Automate

  • Second, do you need a service that can understand the content and meaning of images, video, or audio, or that can translate text into a different language?

    • Use Azure Cognitive Services when it comes to general purpose tasks, such as performing speech to text, integrating with search, or identifying the objects in an image.

  • Third, do you need to predict user behavior or provide users with personalized recommendations in your app?

    • The Azure Cognitive Services Personalizer service watches your users' actions within an application.
      You can use Personalizer to predict their behavior and provide relevant experiences as it identifies usage patterns.

  • Fourth, will your app predict future outcomes based on private historical data?

    • Choose Azure Machine Learning when you need to analyze data to predict future outcomes.

  • Finally, do you need to build a model by using your own data or perform a different task than those listed above?

    • Use Azure Machine Learning for maximum flexibility.

4.1.3. Use Machine Learning for decision support systems

A practical case is given to determine which MS products would be the best for the example needs.

4.1.4. Use Cognitive Services for data analysis

Another practical use case.

4.1.5. Use Bot Service for interactive chat experiences

Again, a practical use case.

Decision criteria for choosing the right AI product

The questions to ask oneself to determine the best AI services are always the same:

  • First, are you building a virtual agent that interfaces with humans via natural language?

    • If yes, Azure Bot is the best choice

  • Second, do you need a service that can understand the content and meaning of images, video, audio, or translate text into a different language?

    • If yes, consider Azure Cognitive Services

  • Third, do you need to predict user behavior or provide users with personalized recommendations?

    • if yes, consider Azure Cognitive Services Personalizer

  • Finally, will you need to predict future outcomes based on private historical data?

    • if yes, consider Azure Machine Learning

4.2. Choose the best tools to help organizations build better solutions

Here we talk about DevOps practices and develop solutions.

4.2.1. Understand your product options

📎
What is DevOps?

DevOps is a new approach that helps to align technical teams as they work toward common goals. To accomplish this alignment, organizations employ practices and processes that seek to automate the ongoing development, maintenance, and deployment of software systems. Their aim is to expedite the release of software changes, ensure the ongoing deployability of the system, and ensure that all changes meet a high quality bar.

Microsoft offers tools to enable source-code management, continuous integration and continuous delivery (CI/CD), and automating the creation of testing environments.

  • Azure DevOps Services (formerly Microsoft TFS, Team Foundation Server)
    Azure DevOps Services is a suite of services that address every stage of the software development lifecycle.

    • Azure Repos is a centralized source-code repository where software development, DevOps engineering, and documentation professionals can publish their code for review and collaboration.

    • Azure Boards is an agile project management suite that includes Kanban boards, reporting, and tracking ideas and work from high-level epics to work items and issues.

    • Azure Pipelines is a CI/CD pipeline automation tool.

    • Azure Artifacts is a repository for hosting artifacts, such as compiled source code, which can be fed into testing or deployment pipeline steps.

    • Azure Test Plans is an automated test tool that can be used in a CI/CD pipeline to ensure quality before a software release.

  • GitHub and GitHub Actions

    • GitHub Actions enables workflow automation with triggers for many lifecycle events. One such example would be automating a CI/CD toolchain.

📎
Differences between Azure DevOps and GitHub
  • GitHub is a lighter-weight tool than Azure DevOps, with a focus on individual developers contributing to the open-source code.

  • Azure DevOps is more focused on enterprise development, with heavier project-management and planning tools, and finer-grained access control.

  • Azure DevTest Labs

    • Azure DevTest Labs provides an automated means of managing the process of building, setting up, and tearing down virtual machines (VMs) that contain builds of your software projects.

    • Anything you can deploy in Azure via an ARM template can be provisioned through DevTest Labs.

    • Provisioning pre-created lab environments with their required configurations and tools already installed is a huge time saver for quality assurance professionals and developers.

      • Suppose you need to test a new feature on an old version of an operating system. Azure DevTest Labs can set up everything automatically upon request.

4.2.2. Analyze the decision criteria

  • First, do you need to automate and manage test-lab creation?

    • If your aim is to automate the creation and management of a test lab environment, Azure DevTest Labs is the only matching option.

  • Second, are you building open-source software?

    • GitHub has long been the preferred host for open-source software

  • Third, regarding source-code management and DevOps tools, what level of granularity do you need for permissions?

    • GitHub works on a simple model of read/write permissions to every feature. Meanwhile, Azure DevOps has a much more granular set of permissions that allow organizations to refine who is able to perform most operations across the entire toolset.

  • Fourth, regarding source-code management and DevOps tools, how sophisticated does your project management and reporting need to be?

    • Azure DevOps is more adapted to complex needs

  • Finally, regarding source-code management and DevOps tools, how tightly do you need to integrate with third-party tools?

    • No silver bullet: you have to check how those third-party vendors' tools integrate with Azure DevOps or GitHub (through hooks, APIs, etc.)

4.2.3. Use Azure DevOps to manage the application development lifecycle

Practical use case study, to know how to choose the best DevOps solutions (based on previous questions)

4.2.4. Use GitHub to contribute to open-source software

Likewise, practical use case.

4.2.5. Use Azure DevTest Labs to manage testing environments

4.3. Choose the best monitoring service for visibility, insight, and outage mitigation

4.3.1. Identify your product options

  • Azure Advisor: evaluates your Azure resources and makes recommendations to help improve reliability, security, and performance, achieve operational excellence, and reduce costs.

  • Azure Monitor: is a platform for collecting, analyzing, visualizing, and potentially taking action based on the metric and logging data from your entire Azure and on-premises environment.

  • Azure Service Health: provides a personalized view of the health of the Azure services, regions, and resources you rely on.
    The https://status.azure.com website, which displays only major issues that broadly affect Azure customers, doesn’t provide the full picture.
    Service Health helps you keep an eye on several event types:

    • Service issues: problems in Azure, such as outages

    • Planned maintenance

    • Health advisories are issues that require you to act to avoid service interruption, including service retirements and breaking changes

📎
Use Azure Service Health to set up alerts that are specific to Azure outages that affect all Azure customers. Use Azure Monitor to set up alerts for outages and other events that affect only your specific resources.

4.3.2. Analyze the decision criteria

  • Do you need to analyze how you’re using Azure to reduce costs? Improve resilience? Harden your security?

    • Choose Azure Advisor when you’re looking for an analysis of your deployed resources. Azure Advisor analyzes the configuration and usage of your resources and provides suggestions on how to optimize for reliability, security, performance, costs, and operations based on experts' best practices.

  • Do you want to monitor Azure services or your usage of Azure?

    • If you want to keep tabs on Azure itself, especially the services and regions you depend on, you want to choose Azure Service Health. You can view the current status of the Azure services you rely on, upcoming planned outages, and services that will be sunset. You can set up alerts that help you stay on top of incidents and upcoming downtime without having to visit the dashboard regularly.
      However, if you want to keep track of the performance or issues related to your specific VM or container instances, databases, your applications, and so on, you want to visit Azure Monitor and create reports and notifications to help you understand how your services are performing or diagnose issues related to your Azure usage.

  • Do you want to measure custom events alongside other usage metrics?

    • Choose Azure Monitor when you want to measure custom events alongside other collected telemetry data. Custom events, such as those added in the source code of your software applications, could help identify and diagnose why your application is behaving a certain way.

  • Do you need to set up alerts for outages or when autoscaling is about to deploy new instances?

    • Here again, you would use Azure Monitor to set up alerts for key events that are related to your specific resources.

4.3.3. Use Azure Advisor

A practical use case to know how to choose the best Azure monitoring service.

Use case

Tailwind Traders wants to optimize its cloud spend. Also, the organization is concerned about security breaches, because it stores customer data and historical purchase data in cloud-based databases. As the organization ramps up its cloud expertise, it wants to better understand its use of the cloud, better understand best practices, and pinpoint "easy wins" where it can tighten up its cloud spend and security practices.

Which service should you choose?

  • First, in this scenario, does Tailwind Traders need to analyze its Azure usage for the sake of optimization?

    • Yes. Tailwind Traders understands that it might be spending too much, is concerned about its security practices, and wants to have its cloud usage analyzed against industry best practices. Therefore, Azure Advisor is the perfect option for this scenario.
      Although you might have found the right product option, let’s continue evaluating the decision criteria for this scenario.

  • Second, in this scenario, does Tailwind Traders want to monitor the health of Azure services that affect all customers or the resources that are deployed on Azure?

    • This scenario isn’t concerned with operations. However, Azure Advisor does analyze and provide recommendations for achieving operational excellence.

  • Third, in this scenario, does Tailwind Traders want to measure custom events alongside other usage metrics?

    • No, measuring custom events isn’t mentioned as a requirement and isn’t a consideration in this scenario.

  • Fourth, in this scenario, does Tailwind Traders want to set up alerts for outages or when autoscaling is about to deploy new instances?

    • Again, this scenario isn’t concerned with operations. However, Azure Advisor does analyze and provide recommendations for achieving operational excellence.

4.4. Choose the best tools for managing and configuring your Azure environment

4.4.1. Identify the product options

2 categories of management tools:

  • visual tools

  • code-based tools, which allow infrastructure as code.
    There are also 2 approaches to infrastructure as code:

    • imperative code: imperative code details each individual step that should be performed to achieve a desired outcome

    • declarative code: declarative code details only a desired outcome, and it allows an interpreter to decide how to best achieve that outcome.
      This distinction is important because tools that are based on declarative code can provide a more robust approach to deploying dozens or hundreds of resources simultaneously and reliably.

Your product options:

  • Azure portal

  • Azure mobile app

  • Azure PowerShell: a shell with which developers, DevOps engineers, and IT professionals execute commands called cmdlets (pronounced command-lets).
    These commands call the Azure REST API to perform every possible management task in Azure. Cmdlets can be executed independently or combined into a script file and executed together to orchestrate:

    • The routine setup, teardown, and maintenance of a single resource or multiple connected resources.

    • The deployment of an entire infrastructure, which might contain dozens or hundreds of resources, from imperative code.
      Azure PowerShell can be accessed in a web browser via Azure Cloud Shell.

  • Azure CLI: nearly the same thing as Azure PowerShell BUT in Bash.

  • ARM templates: contrary to Azure PowerShell and CLI, which use imperative code, Azure Resource Manager templates can describe the resources you want to use in a declarative JSON format.

    • The benefit is that the entire ARM template is verified before any code is executed to ensure that the resources will be created and connected correctly.

    • The template then orchestrates the creation of those resources in parallel. That is, if you need 50 instances of the same resource, all 50 instances are created at the same time.

    • Ultimately, the developer, DevOps professional, or IT professional needs only to define the desired state and configuration of each resource in the ARM template, and the template does the rest.

    • Templates can even execute PowerShell and Bash scripts before or after the resource has been set up.

4.4.2. Analyze the decision criteria

  • Do you need to perform one-off management, administrative, or reporting actions?

    • Use either Azure PowerShell or the Azure CLI for certain operations that you perform occasionally (quickly obtain the IP address of a virtual machine (VM) you’ve deployed, reboot a VM, or scale an app). With them, you can keep custom scripts handy on your local hard drive for quick use.

    • By contrast, Azure Resource Manager templates (ARM templates) express the infrastructure requirements for your application for a repeatable deployment. ARM templates aren’t intended for one-off scenarios (even if they could do it).

    • You could perform most, if not all, management and administrative actions via the Azure portal. But for regular operations it is more efficient to avoid visual checking and clicking, so prefer Azure PowerShell or the Azure CLI.

    • The last option is the Azure mobile app, in case a desktop is not available, or for on-call presence (out of office) when you need to keep an eye on the health of the cloud environment.

  • Do you need a way to repeatedly set up one or more resources and ensure that all the dependencies are created in the proper order?

    • ARM templates express your application’s infrastructure requirements for a repeatable deployment. A validation step ensures that all resources can be created, so that resources are created in the proper order based on their dependencies, in parallel, and idempotently.

    • By contrast, it’s entirely possible to use either PowerShell or the Azure CLI to set up all the resources for a deployment. However, there’s no validation step in these tools. If a script encounters an error, the dependency resources can’t be rolled back easily, deployments happen serially, and only some operations are idempotent.

  • When you’re scripting, do you come from a Windows administration or Linux administration background?

    • If you have a Windows administration background, use Azure PowerShell; if you have a Linux administration background, prefer the Azure CLI.
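The validation-and-ordering step that sets ARM templates apart from an imperative script (dependencies resolved before anything is created, independent resources deployed in parallel, a broken reference or cycle rejected up front), as an added simplified model written for these notes. It is not Resource Manager's own code, and the template fragment is constructed; it uses the type/name form of dependsOn references rather than resourceId() expressions, and omits the apiVersion, location and properties a deployable template would carry.

```python
"""A simplified model of how ARM template deployment orders resources.

Added example for these notes; not Resource Manager's implementation. The
template below is a constructed fragment (type/name dependsOn references,
no apiVersion/location/properties). deployment_waves() resolves every
dependsOn entry before anything would be created, rejects unknown references
and cycles, and groups resources into waves: everything in one wave can be
created in parallel once the previous wave has completed.
"""
import json

TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    { "type": "Microsoft.Network/networkSecurityGroups", "name": "web-nsg", "dependsOn": [] },
    { "type": "Microsoft.Network/virtualNetworks", "name": "app-vnet",
      "dependsOn": ["Microsoft.Network/networkSecurityGroups/web-nsg"] },
    { "type": "Microsoft.Network/publicIPAddresses", "name": "web-pip", "dependsOn": [] },
    { "type": "Microsoft.Network/networkInterfaces", "name": "web-nic",
      "dependsOn": ["Microsoft.Network/virtualNetworks/app-vnet",
                    "Microsoft.Network/publicIPAddresses/web-pip"] },
    { "type": "Microsoft.Compute/virtualMachines", "name": "web-vm",
      "dependsOn": ["Microsoft.Network/networkInterfaces/web-nic"] }
  ]
}
""")


def resource_id(res):
    """type/name reference, the form used in dependsOn in this constructed template."""
    return f"{res['type']}/{res['name']}"


def deployment_waves(template):
    """Return a list of waves (sorted lists of resource ids); raise ValueError if invalid.

    This is the "validation before execution" property: with an imperative
    script the same mistakes would only surface part-way through creation.
    """
    resources = template["resources"]
    ids = {resource_id(r) for r in resources}
    deps = {}
    for r in resources:
        for d in r.get("dependsOn", []):
            if d not in ids:
                raise ValueError(f"{resource_id(r)} depends on unknown resource {d}")
        deps[resource_id(r)] = set(r.get("dependsOn", []))

    waves, done = [], set()
    while len(done) < len(deps):
        # a resource is ready once all of its dependencies are already deployed
        ready = sorted(rid for rid, d in deps.items() if rid not in done and d <= done)
        if not ready:
            pending = ", ".join(sorted(set(deps) - done))
            raise ValueError("dependency cycle detected among: " + pending)
        waves.append(ready)
        done.update(ready)
    return waves


if __name__ == "__main__":
    for i, wave in enumerate(deployment_waves(TEMPLATE), start=1):
        print(f"wave {i} (in parallel): {', '.join(wave)}")
```

Contrast this with the imperative alternative described above: a PowerShell or CLI script would issue the same five creates one after the other, and a typo in the NIC's subnet reference would only be discovered after the NSG, VNet and public IP already exist, leaving a half-built deployment to clean up by hand.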

4.5. Choose the best Azure serverless technology for your business scenario

4.5.1. Identify the product options

You create an instance of the service, and you add your code. No infrastructure configuration or maintenance is required, or even allowed.
You configure your serverless apps to respond to events. An event could be a REST endpoint, a periodic timer, or even a message received from another Azure service. The serverless app runs only when it’s triggered by an event.
Scaling and performance are handled automatically, and you’re billed only for the resources you use. You don’t even need to reserve resources.

Serverless computing is ordinarily used to handle back-end scenarios. In other words, serverless computing is responsible for sending messages from one system to another, or for processing messages that were sent from other systems. It’s not used for user-facing systems; rather, it works in the background.

  • Azure Functions

    • Azure Functions have an atomic nature, and can be written in many common programming languages

    • Azure Functions scales automatically, and charges accrue only when a function is triggered

    • An Azure function is a stateless environment. A function behaves as if it’s restarted every time it responds to an event. This feature is ideal for processing incoming data. And if state is required, the function can be connected to an Azure storage account.

    • Azure Functions can perform orchestration tasks by using an extension called Durable Functions, which allows developers to chain functions together while maintaining state.

    • The Azure Functions solution is ideal when you’re concerned only with the code that’s running your service and not the underlying platform or infrastructure. You use Functions most commonly when you need to perform work in response to an event. You do this often via a REST request, timer, or message from another Azure service, and when that work can be completed quickly, within seconds or less.

  • Azure Logic Apps

    • Logic Apps is a low-code/no-code development platform hosted as a cloud service

    • Logic Apps simplifies how you design and build scalable solutions, whether in the cloud, on-premises, or both. This solution covers app integration, data integration, system integration, enterprise application integration (EAI), and business-to-business (B2B) integration.

    • You build an app by linking triggers to actions with connectors.

      • A trigger is an event that causes an app to execute, such as a timer, a new message arriving in a queue, or an HTTP request.

      • An action is a task or step that can execute.

      • To build enterprise integration solutions with Azure Logic Apps, you can choose from a growing gallery of over 200 connectors. The gallery includes services such as Salesforce, SAP, Oracle DB, and file shares.

What are the differences between these services?
  • You can call Azure Functions from Azure Logic Apps, and vice versa.

  • The primary difference between the two services is their intent. Azure Functions is a serverless compute service, and Azure Logic Apps is intended to be a serverless orchestration service.
    Although you can use Azure Functions to orchestrate a long-running business process that involves various connections, this was not its primary use case when it was designed.


  • Additionally, the two services are priced differently.

    • Azure Functions pricing is based on the number of executions and the running time of each execution.

    • Logic Apps pricing is based on the number of executions and the type of connectors that it utilizes.

4.5.2. Analyze the decision criteria

  • Do you need to perform an orchestration across well-known APIs?

    • Azure Logic Apps was designed with orchestration in mind, and excels at connecting a large array of disparate services via their APIs to pass and process data through many steps in a workflow.

    • It’s possible to create the same workflow by using Azure Functions, but it might take a considerable amount of time to research which APIs to call and how to call them.

  • Do you need to execute custom algorithms or perform specialized data parsing and data lookups?

    • With Azure Functions, you can use the full expressiveness of a programming language in a compact form. This lets you concisely build complex algorithms, or data lookup and parsing operations. You would be responsible for maintaining the code, handling exceptions resiliently, and so on.

    • Although Azure Logic Apps can perform logic (loops, decisions, and so on), if you have a logic-intensive orchestration that requires a complex algorithm, implementing that algorithm might be more verbose and visually overwhelming.

  • Do you have existing automated tasks written in an imperative programming language?

    • It might then be easier to port your code into the body of an Azure Functions function app than to re-create it by using Azure Logic Apps.

  • Do you prefer a visual (declarative) workflow or writing (imperative) code?

    • Ultimately, your choice comes down to whether you prefer to work in a declarative environment or an imperative environment. Developers who have expertise in an imperative programming language might prefer to think about automation and orchestration from an imperative mindset. IT professionals and business analysts might prefer to work in a more visual low-code/no-code (declarative) environment.

4.6. Choose the best Azure IoT service for your application

IoT bridges the physical and digital worlds by enabling devices with sensors and an internet connection to communicate with cloud-based systems via the internet.

4.6.1. Identify the product options

IoT enables devices to gather and then relay information for data analysis. Smart devices are equipped with sensors that collect data.
By using Azure IoT services, devices that are equipped with these kinds of sensors and that can connect to the internet could send their sensor readings to a specific endpoint in Azure via a message. The message’s data is then collected and aggregated, and it can be converted into reports and alerts.
Alternatively, all devices can be updated with new firmware to fix issues or add new functionality by sending software updates from Azure IoT services to each device.

  • Azure IoT Hub

    • Azure IoT Hub is a managed service that’s hosted in the cloud and that acts as a central message hub for bi-directional communication between your IoT application and the devices it manages. You can use Azure IoT Hub to build IoT solutions with reliable and secure communications between millions of IoT devices and a cloud-hosted solution back end. You can connect virtually any device to your IoT hub.

    • The IoT Hub service supports communications both from the device to the cloud and from the cloud to the device. It also supports multiple messaging patterns, such as device-to-cloud telemetry, file upload from devices, and request-reply methods to control your devices from the cloud. After an IoT hub receives messages from a device, it can route that message to other Azure services.

    • From a cloud-to-device perspective, IoT Hub allows for "command and control". That is, you can have either manual or automated remote control of connected devices, so you can instruct the device to open valves, set target temperatures, restart stuck devices, and so on.

    • IoT Hub monitoring helps you maintain the health of your solution by tracking events such as device creation, device failures, and device connections.

  • Azure IoT Central

    • Azure IoT Central builds on top of IoT Hub by adding a dashboard that allows you to connect, monitor, and manage your IoT devices.
      The visual user interface (UI) makes it easy to quickly connect new devices and watch as they begin sending telemetry or error messages. You can watch the overall performance across all devices in aggregate, and you can set up alerts that send notifications when a specific device needs maintenance. Finally, you can push firmware updates to the device.

    • To help you get up and running quickly, IoT Central provides starter templates for common scenarios across various industries, such as retail, energy, healthcare, and government. You then customize the starter templates directly in the UI by choosing from existing themes or creating your own custom theme, setting the logo, and so on. With IoT Central, you can tailor the starter templates for the specific data that’s sent from your devices, the reports you want to see, and the alerts you want to send.

      Screenshot of the IoT Central graphical user interface displaying templates you can choose to create a new app.

      azure az900 30

    • You can use the UI to control your devices remotely. This feature allows you to push a software update or modify a property of the device. You can adjust the desired temperature for one or all of your refrigerated vending machines from directly inside of IoT Central.

    • A key part of IoT Central is the use of device templates. By using a device template, you can connect a device without any service-side coding. IoT Central uses the templates to construct the dashboards, alerts, and so on.
      Device developers still need to create code to run on the devices, and that code must match the device template specification.

  • Azure Sphere

    • Azure Sphere creates an end-to-end, highly secure IoT solution for customers that encompasses everything from the hardware and operating system on the device to the secure method of sending messages from the device to the message hub. Azure Sphere has built-in communication and security features for internet-connected devices.
      Azure Sphere comes in three parts:

      • The first part is the Azure Sphere micro-controller unit (MCU), which is responsible for processing the operating system and signals from attached sensors. The following image displays the Seeed Azure Sphere MT3620 Development Kit, one of several starter kits that are available for prototyping and developing Azure Sphere applications.
        azure az900 52

      • The second part is a customized Linux operating system (OS) that handles communication with the security service and can run the vendor’s software.

      • The third part is Azure Sphere Security Service, also known as AS3. Its job is to make sure that the device has not been maliciously compromised. When the device attempts to connect to Azure, it first must authenticate itself, per device, which it does by using certificate-based authentication. If it authenticates successfully, AS3 checks to ensure that the device hasn’t been tampered with. After it has established a secure channel of communication, AS3 pushes any OS or approved customer-developed software updates to the device.

    • After the Azure Sphere system has validated the authenticity of the device and authenticated it, the device can interact with other Azure IoT services by sending telemetry and error information.

AVTD - IoT Azure

azure az900 AVTD part1 09

4.6.2. Analyze the decision criteria

  • Is it critical to ensure that the device is not compromised?

    • When security is a critical consideration in your product’s design, the best product option is Azure Sphere, which provides a comprehensive end-to-end solution for IoT devices.
      As we mentioned in the previous unit, Azure Sphere ensures a secure channel of communication between the device and Azure by controlling everything from the hardware to the operating system and the authentication process. This ensures that the integrity of the device is uncompromised. After a secure channel is established, messages can be received from the device securely, and messages or software updates can be sent to the device remotely.

  • Do I need a dashboard for reporting and management?

    • Your next decision will be the level of services you require from your IoT solution. If you merely want to connect to your remote devices to receive telemetry and occasionally push updates, and you don’t need any reporting capabilities, you might prefer to implement Azure IoT Hub by itself. Your programmers can still create a customized set of management tools and reports by using the IoT Hub RESTful API.

    • However, if you want a pre-built customizable user interface with which you can view and control your devices remotely, you might prefer to start with IoT Central. With this solution, you can control a single device or all devices at once, and you can set up alerts for certain conditions, such as a device failure.
      IoT Central integrates with many different Azure products, including IoT Hub, to create a dashboard with reports and management features. The dashboard is based on starter templates for common industry and usage scenarios. You can use the dashboard that’s generated by the starter template as is or customize it to suit your needs. You can have multiple dashboards and target them at a variety of users.

5. Azure Fundamentals part 4: Describe general security and network security features

5.1. Protect against security threats on Azure

5.1.1. Protect against security threats by using Azure Security Center

  • What’s Azure Security Center?

    • Azure Security Center is a monitoring service that provides visibility of your security posture across all of your services, both on Azure and on-premises. The term security posture refers to cybersecurity policies and controls, as well as how well you can predict, prevent, and respond to security threats.

      Security Center can:

      • Monitor security settings across on-premises and cloud workloads.

      • Automatically apply required security settings to new resources as they come online.

      • Provide security recommendations that are based on your current configurations, resources, and networks.

      • Continuously monitor your resources and perform automatic security assessments to identify potential vulnerabilities before those vulnerabilities can be exploited.

      • Use machine learning to detect and block malware from being installed on your virtual machines (VMs) and other resources. You can also use adaptive application controls to define rules that list allowed applications to ensure that only applications you allow can run.

      • Detect and analyze potential inbound attacks and investigate threats and any post-breach activity that might have occurred.

      • Provide just-in-time access control for network ports. Doing so reduces your attack surface by ensuring that the network only allows traffic that you require at the time that you need it to.

Through Security Center, the company can view its overall regulatory compliance from a security perspective, all from one place: its resources are analysed against the security controls of any governance policies it has assigned, and the result is reported as a compliance score per standard.

azure az900 31
  • Protect against threats
    Security Center includes advanced cloud defense capabilities for virtual machines, network security, and file integrity. Let’s look at how some of these capabilities apply to Tailwind Traders.

    • Just-in-time VM access
      Tailwind Traders will configure just-in-time access to VMs. This access blocks traffic by default to specific network ports of virtual machines, but allows traffic for a specified time when an administrator requests and approves it.

    • Adaptive application controls
      Tailwind Traders can control which applications are allowed to run on its virtual machines. In the background, Security Center uses machine learning to look at the processes running on a virtual machine. It creates exception rules for each resource group that holds the virtual machines and provides recommendations. This process provides alerts that inform the company about unauthorized applications that are running on its VMs.

    • Adaptive network hardening
      Security Center can monitor the internet traffic patterns of the VMs and compare those patterns with the company’s current Network Security Group (NSG) settings. From there, Security Center can make recommendations on whether the NSGs should be locked down further and provide remediation steps.

    • File integrity monitoring
      Tailwind Traders can also configure the monitoring of changes to important files on both Windows and Linux, registry settings, applications, and other aspects that might indicate a security attack.

  • Respond to security alerts

    • Tailwind Traders can use Security Center to get a centralized view of all of its security alerts. From there, the company can dismiss false alerts, investigate them further, remediate alerts manually, or use an automated response with a workflow automation.

    • Workflow automation uses Azure Logic Apps and Security Center connectors. The logic app can be triggered by a threat detection alert or by a Security Center recommendation, filtered by name or by severity. You can then configure the logic app to run an action such as sending an email or posting a message to a Microsoft Teams channel.

AVTD - Azure Security Center: a monitoring service that provides threat protection across all of your datacenters, both in Azure and on-premises.
Azure Security Center gives you a security score (secure score).

azure az900 AVTD part2 10

5.1.2. Detect and respond to security threats by using Azure Sentinel

Security management on a large scale can benefit from a dedicated Security Information and Event Management (SIEM) system. A SIEM system aggregates security data from many different sources (as long as those sources support an open-standard logging format). It also provides capabilities for threat detection and response.

Azure Sentinel is Microsoft’s cloud-based SIEM system. It uses intelligent security analytics and threat analysis.

  • Azure Sentinel capabilities
    Azure Sentinel enables you to:

    • Collect cloud data at scale
      Collect data across all users, devices, applications, and infrastructure, both on-premises and from multiple clouds.

    • Detect previously undetected threats
      Minimize false positives by using Microsoft’s comprehensive analytics and threat intelligence.

    • Investigate threats with artificial intelligence
      Examine suspicious activities at scale, tapping into years of cybersecurity experience from Microsoft.

    • Respond to incidents rapidly
      Utilize built-in orchestration and automation of common tasks.

  • Connect your data sources
    Tailwind Traders decides to explore the capabilities of Azure Sentinel. First, the company identifies and connects its data sources.
    Azure Sentinel supports a number of data sources, which it can analyze for security events. These connections are handled by built-in connectors or industry-standard log formats and APIs.

  • Connect Microsoft solutions
    Connectors provide real-time integration for services like Microsoft Threat Protection solutions, Microsoft 365 sources (including Office 365), Azure Active Directory, and Windows Defender Firewall.

  • Connect other services and solutions
    Connectors are available for common non-Microsoft services and solutions, including AWS CloudTrail, Citrix Analytics (Security), Sophos XG Firewall, VMware Carbon Black Cloud, and Okta SSO.

  • Connect industry-standard data sources
    Azure Sentinel supports data from other sources that use the Common Event Format (CEF) messaging standard, Syslog, or REST API.

  • Detect threats
    Tailwind Traders needs to be notified when something suspicious occurs. It decides to use both built-in analytics and custom rules to detect threats.

    • Built-in analytics use templates designed by Microsoft’s team of security experts and analysts, based on known threats, common attack vectors, and escalation chains for suspicious activity. These templates can be customized, and they search across the environment for any activity that looks suspicious. Some templates use machine learning behavioral analytics that are based on Microsoft proprietary algorithms.

    • Custom analytics are rules that you create to search for specific criteria within your environment. You can preview the number of results that the query would generate (based on past log events) and set a schedule for the query to run. You can also set an alert threshold.

  • Investigate and respond
    When Azure Sentinel detects suspicious events, Tailwind Traders can investigate specific alerts or incidents (a group of related alerts). With the investigation graph, the company can review information from entities directly connected to the alert and see common exploration queries to help guide the investigation.

    Here’s an example that shows what an investigation graph looks like in Azure Sentinel

    azure az900 32

    • The company will also automate responses to threats. In Azure Sentinel such automated responses are playbooks, which are Azure Logic Apps workflows (the Microsoft Learn module calls them Azure Monitor Workbooks, but workbooks are Sentinel’s reporting and visualization feature and do not run actions). For example, it can set an alert that looks for malicious IP addresses that access the network and attach a playbook that does the following steps:

      1. When the alert is triggered, open a ticket in the IT ticketing system.

      2. Send a message to the security operations channel in Microsoft Teams or Slack to make sure the security analysts are aware of the incident.

      3. Send all of the information in the alert to the senior network admin and to the security admin. The email message includes two user option buttons: Block or Ignore.

    • When an admin chooses Block, the IP address is blocked in the firewall and the user is disabled in Azure Active Directory.

    • When an admin chooses Ignore, the alert is closed in Azure Sentinel and the incident is closed in the IT ticketing system.

    • The playbook continues to run after it receives a response from the admins.
      Playbooks can be run manually or automatically when a rule triggers an alert.
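The "custom analytics" rule described under "Detect threats" above is a scheduled query with a threshold, run over past events to preview how many results it would produce. The following is an added example, written for these notes and not code from the Microsoft Learn module or this repository, that implements such a rule offline in Python over constructed sign-in log lines (the log format, account names, IP addresses and the rule name are all made up for the example; Sentinel rules are written in KQL against Log Analytics tables, which this script only imitates):

```python
"""Added example, not code from the Microsoft Learn module or this repository:
a scheduled-query style custom analytics rule run offline over constructed
sign-in log lines.

Rule: at least `threshold` failed sign-ins from one source IP inside a sliding
window of `window_minutes`, followed by a successful sign-in from that same IP,
produce one incident. The incident carries the entities an analyst would pivot
on in the investigation graph (source IP, accounts targeted, the account that
finally signed in). Running the rule over past events is the "preview the
number of results" step mentioned in the text.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: "<timestamp> <account> <source IP> <result>".
SAMPLE_LOG = """\
2021-05-18T09:00:01Z alice   203.0.113.7   FAILURE
2021-05-18T09:00:03Z alice   203.0.113.7   FAILURE
2021-05-18T09:00:05Z bob     203.0.113.7   FAILURE
2021-05-18T09:00:06Z carol   203.0.113.7   FAILURE
2021-05-18T09:00:08Z dave    203.0.113.7   FAILURE
2021-05-18T09:00:09Z eve     203.0.113.7   FAILURE
2021-05-18T09:00:30Z alice   203.0.113.7   SUCCESS
2021-05-18T09:10:00Z frank   198.51.100.2  FAILURE
2021-05-18T09:12:00Z frank   198.51.100.2  SUCCESS
2021-05-18T08:00:00Z mallory 192.0.2.9     FAILURE
2021-05-18T08:03:00Z mallory 192.0.2.9     FAILURE
2021-05-18T08:06:00Z mallory 192.0.2.9     FAILURE
2021-05-18T08:09:00Z mallory 192.0.2.9     FAILURE
2021-05-18T08:12:00Z mallory 192.0.2.9     FAILURE
2021-05-18T08:13:00Z mallory 192.0.2.9     SUCCESS
"""


def parse_log(text):
    """Turn the raw lines into dicts, sorted by time (logs rarely arrive in order)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "ip": ip,
            "result": result,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_spray_then_success(events, threshold=5, window_minutes=5):
    """Per source IP, keep the failures seen inside the window; when a SUCCESS
    arrives with at least `threshold` recent failures behind it, raise one
    incident and reset that IP's state."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)  # ip -> [(time, account), ...] still inside the window
    incidents = []
    for e in events:
        ip, cutoff = e["ip"], e["time"] - window
        recent[ip] = [(t, a) for t, a in recent[ip] if t >= cutoff]  # slide the window
        if e["result"] == "FAILURE":
            recent[ip].append((e["time"], e["account"]))
        elif e["result"] == "SUCCESS" and len(recent[ip]) >= threshold:
            incidents.append({
                "rule": "Password spray followed by successful sign-in",
                "severity": "High",
                "source_ip": ip,
                "failed_attempts": len(recent[ip]),
                "targeted_accounts": sorted({a for _, a in recent[ip]}),
                "compromised_account": e["account"],
                "first_seen": recent[ip][0][0].isoformat(),
                "last_seen": e["time"].isoformat(),
            })
            recent[ip].clear()
    return incidents


if __name__ == "__main__":
    for incident in detect_spray_then_success(parse_log(SAMPLE_LOG)):
        print(incident)
```

With the defaults only 203.0.113.7 is flagged: 192.0.2.9 spreads its five failures over 12 minutes, so at most two fall inside any 5-minute window. Widening the window to 15 minutes flags it too, which is the kind of tuning the "preview results" step is for: the threshold and window decide the false-positive rate, not the query shape.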

AVTD - Azure Sentinel: a SIEM (security information and event management) and SOAR (security orchestration, automation and response) solution that provides security analytics on threats across the whole enterprise.

5.1.3. Differences between Azure Security Center vs Azure Sentinel

I found the differences between those 2 services a bit hard to clearly understand, and found this site that explains it very well:
https://medium.com/the-cloud-builders-guild/what-is-the-difference-between-azure-security-center-and-azure-sentinel-9d91eb801cd2

In a nutshell, it explains that:

  • Azure Security Center plays a vital role in the "Collect" and "Detect" roles

  • Azure Sentinel, in addition to those two roles, is also designed to perform the "Investigate" and "Respond" roles.

azure az900 54

Azure Sentinel performs more roles, including hunting, automated playbooks and incident response, as well as assistance with manual incident investigations.
On the other hand, Azure Security Center is a great source of recommendations, alerts and diagnostics that can be utilised by Azure Sentinel to provide even better analytics and incident alerts.
Therefore, both products have their place in a well-architected SOC (Security Operations Center). These products are highly complementary and can be easily enabled thanks to the great out-of-the-box integration.

5.1.4. Store and manage secrets by using Azure Key Vault

Azure Key Vault is a centralized cloud service for storing an application’s secrets in a single, central location. It provides secure access to sensitive information by providing access control and logging capabilities.

Azure Key Vault can help you:

  • Manage secrets
    You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.

  • Manage encryption keys
    You can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys that are used to encrypt your data.

  • Manage SSL/TLS certificates
    Key Vault enables you to provision, manage, and deploy your public and private Secure Sockets Layer / Transport Layer Security (SSL/TLS) certificates for both your Azure resources and your internal resources.

  • Store secrets backed by hardware security modules (HSMs)
    These secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.

The benefits of using Key Vault include:

  • Centralized application secrets
    Centralizing the storage for your application secrets enables you to control their distribution and reduces the chances that secrets are accidentally leaked.

  • Securely stored secrets and keys
    Azure uses industry-standard algorithms, key lengths, and HSMs. Access to Key Vault requires proper authentication and authorization.

  • Access monitoring and access control
    By using Key Vault, you can monitor and control access to your application secrets.

  • Simplified administration of application secrets
    Key Vault makes it easier to enroll and renew certificates from public certificate authorities (CAs). You can also scale up and replicate content within regions and use standard certificate management tools.

  • Integration with other Azure services
    You can integrate Key Vault with storage accounts, container registries, event hubs, and many more Azure services. These services can then securely reference the secrets stored in Key Vault.

Once created, the secret can be accessed through the Azure portal, with Azure CLI in Azure Cloud Shell, or with Azure PowerShell. Note that the az keyvault secret show call below prints the secret value in clear text to the console, so treat the terminal output (and any saved transcript of it) as sensitive.

Retrieve the secret with Azure CLI in Azure Cloud Shell
ardemius@Azure:~$ az keyvault list --query [0]
{
  "id": "/subscriptions/4db700a1-ce71-4523-b484-93f5d1306b32/resourceGroups/learn-8f554fa5-8dd4-4ada-ad60-062d819da102/providers/Microsoft.KeyVault/vaults/my-keyvault-tsc123",
  "location": "eastus",
  "name": "my-keyvault-tsc123",
  "resourceGroup": "learn-8f554fa5-8dd4-4ada-ad60-062d819da102",
  "tags": {},
  "type": "Microsoft.KeyVault/vaults"
}

ardemius@Azure:~$ az keyvault list --query [0].name --output tsv
my-keyvault-tsc123

ardemius@Azure:~$ az keyvault secret show \
>   --name MyPassword \
>   --vault-name $(az keyvault list --query [0].name --output tsv) \
>   --query value \
>   --output tsv
hVFkk96

5.1.5. Host your Azure virtual machines on dedicated physical servers by using Azure Dedicated Host

On Azure, virtual machines (VMs) run on shared hardware that Microsoft manages. Although the underlying hardware is shared, your VM workloads are isolated from workloads that other Azure customers run.

Some organizations must follow regulatory compliance that requires them to be the only customer using the physical machine that hosts their virtual machines.

Azure Dedicated Host provides dedicated physical servers to host your Azure VMs for Windows and Linux.

A dedicated host is mapped to a physical server in an Azure datacenter. A host group is a collection of dedicated hosts.

What are the benefits of Azure Dedicated Host?

  • Gives you visibility into, and control over, the server infrastructure that’s running your Azure VMs.

  • Helps address compliance requirements by deploying your workloads on an isolated server.

  • Lets you choose the number of processors, server capabilities, VM series, and VM sizes within the same host.

After a dedicated host is provisioned, Azure assigns it to the physical server in Microsoft’s cloud datacenter.
For high availability, you can provision multiple hosts in a host group and deploy your virtual machines across this group. VMs on dedicated hosts can also take advantage of maintenance control. This feature enables you to control when regular maintenance updates occur, within a 35-day rolling window.

Pricing considerations

  • You’re charged per dedicated host, independent of how many virtual machines you deploy to it. The host price is based on the VM family, type (hardware size), and region.

  • Software licensing, storage, and network usage are billed separately from the host and VMs. For more information see Azure Dedicated Host pricing.

5.2. Secure network connectivity on Azure

5.2.1. What is defense in depth?

The objective of defense in depth is to protect information and prevent it from being stolen by those who aren’t authorized to access it.
A defense-in-depth strategy uses a series of mechanisms to slow the advance of an attack that aims at acquiring unauthorized access to data.

Layers of defense in depth

You can visualize defense in depth as a set of layers, with the data to be secured at the center:

azure az900 33

Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure. This approach removes reliance on any single layer of protection. It slows down an attack and provides alert telemetry that security teams can act upon, either automatically or manually.

AVTD - Défense en profondeur, via différentes couches de protection

azure az900 AVTD part2 11

Here’s a brief overview of the role of each layer:

  • The physical security layer is the first line of defense to protect computing hardware in the datacenter.

  • The identity and access layer controls access to infrastructure and change control.

  • The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.

  • The network layer limits communication between resources through segmentation and access controls.

  • The compute layer secures access to virtual machines.

  • The application layer helps ensure that applications are secure and free of security vulnerabilities.

  • The data layer controls access to business and customer data that you need to protect.

Security posture

Your security posture is your organization’s ability to protect from and respond to security threats. The common principles used to define a security posture are confidentiality, integrity, and availability, known collectively as CIA.

  • Confidentiality
    The principle of least privilege means restricting access to information only to individuals explicitly granted access, at only the level that they need to perform their work. This information includes protection of user passwords, email content, and access levels to applications and underlying infrastructure.

  • Integrity
    Prevent unauthorized changes to information:

    • At rest: when it’s stored.

    • In transit: when it’s being transferred from one place to another, including from a local computer to the cloud.

      A common approach used in data transmission is for the sender to create a unique fingerprint of the data by using a one-way hashing algorithm. The hash is sent to the receiver along with the data. The receiver recalculates the data’s hash and compares it to the original to ensure that the data wasn’t lost or modified in transit.

  • Availability
    Ensure that services are functioning and can be accessed only by authorized users. Denial-of-service attacks are designed to degrade the availability of a system, affecting its users.
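The integrity-in-transit check described above (sender ships a one-way hash "fingerprint" with the data, receiver recomputes and compares), as an added example that is not part of these notes or the Microsoft Learn module, together with the caveat a practitioner needs: an unkeyed hash detects accidental corruption, but an attacker who can rewrite the data in transit can just as easily recompute the hash, so the check passes. A keyed MAC (HMAC-SHA256 with a secret shared by sender and receiver) is what protects integrity against tampering. The messages and the key are constructed for the example:

```python
"""Added example (not from this repository or the Microsoft Learn module):
the integrity-in-transit check described in the text, followed by the
caveat that an unkeyed hash is a corruption check, not a tamper check,
and that an HMAC with a shared secret closes that gap.
"""
import hashlib
import hmac

# Constructed shared secret; in a real system it would come from a key
# exchange or a secret store such as Key Vault, never be hard-coded.
KEY = b"constructed-shared-secret-for-the-example"


def fingerprint(data: bytes) -> str:
    """Unkeyed one-way hash: the 'fingerprint' the text describes."""
    return hashlib.sha256(data).hexdigest()


def verify_fingerprint(data: bytes, received_digest: str) -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(fingerprint(data), received_digest)


def mac(key: bytes, data: bytes) -> str:
    """Keyed fingerprint: only holders of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, received_tag: str) -> bool:
    return hmac.compare_digest(mac(key, data), received_tag)


def flip_bit(data: bytes, index: int = 0) -> bytes:
    """Accidental corruption in transit: one bit changes, checksum untouched."""
    corrupted = bytearray(data)
    corrupted[index] ^= 0x01
    return bytes(corrupted)


def attacker_rewrite(data: bytes) -> bytes:
    """Deliberate tampering: an on-path attacker changes the amount."""
    return data.replace(b"100.00", b"999.00")


def run_scenarios() -> dict:
    original = b"transfer 100.00 EUR to account 42"
    results = {}

    # 1. Unkeyed hash vs. accidental corruption: detected.
    digest = fingerprint(original)
    results["hash_catches_corruption"] = not verify_fingerprint(flip_bit(original), digest)

    # 2. Unkeyed hash vs. tampering: the attacker recomputes the hash over the
    #    modified data and the receiver accepts the forged message.
    tampered = attacker_rewrite(original)
    results["hash_catches_tampering"] = not verify_fingerprint(tampered, fingerprint(tampered))

    # 3. HMAC: the genuine message verifies; the tampered message fails whether
    #    the attacker replays the old tag or substitutes a plain hash, because
    #    neither was computed with KEY.
    tag = mac(KEY, original)
    results["hmac_accepts_genuine"] = verify_mac(KEY, original, tag)
    results["hmac_catches_tampering_replayed_tag"] = not verify_mac(KEY, tampered, tag)
    results["hmac_catches_tampering_forged_tag"] = not verify_mac(KEY, tampered, fingerprint(tampered))
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario}: {outcome}")
```

On Azure the transport-level form of this is TLS, which pairs encryption with a keyed integrity check on every record; the point of the example is that the bare hash, as the text describes it, only protects against loss or corruption, not against an adversary on the path.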

5.2.2. Protect virtual networks by using Azure Firewall

A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
You can create firewall rules that specify ranges of IP addresses. Only clients granted IP addresses from within those ranges are allowed to access the destination server. Firewall rules can also include specific network protocol and port information.

Azure Firewall is a managed, cloud-based network security service that helps protect resources in your Azure Virtual Networks.
A virtual network is similar to a traditional network that you’d operate in your own datacenter. It’s a fundamental building block for your private network that enables virtual machines and other compute resources to securely communicate with each other, the internet, and on-premises networks.

azure az900 34

Azure Firewall is a stateful firewall. A stateful firewall analyzes the complete context of a network connection, not just an individual packet of network traffic. Azure Firewall features high availability and unrestricted cloud scalability.

Azure Firewall provides a central location to create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static (unchanging) public IP address for your virtual network resources, which enables outside firewalls to identify traffic coming from your virtual network. The service is integrated with Azure Monitor to enable logging and analytics.

Azure Firewall provides many features, including:

  • Built-in high availability.

  • Unrestricted cloud scalability.

  • Inbound and outbound filtering rules.

  • Inbound Destination Network Address Translation (DNAT) support.

  • Azure Monitor logging.

You typically deploy Azure Firewall on a central virtual network to control general network access.

What can I configure with Azure Firewall?

  • Application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.

  • Network rules that define source address, protocol, destination port, and destination address.

  • Network Address Translation (NAT) rules that define destination IP addresses and ports to translate inbound requests.

Azure Application Gateway also provides a firewall that’s called the web application firewall (WAF). WAF provides centralized, inbound protection for your web applications against common exploits and vulnerabilities. Azure Front Door and Azure Content Delivery Network also provide WAF services.

5.2.3. Protect from DDoS attacks by using Azure DDoS Protection

A distributed denial of service (DDoS) attack attempts to overwhelm and exhaust an application’s resources, making the application slow or unresponsive to legitimate users. DDoS attacks can target any resource that’s publicly reachable through the internet, including websites.

  • Azure DDoS Protection identifies the attacker’s attempt to overwhelm the network and blocks further traffic from them, ensuring that traffic never reaches Azure resources. Legitimate traffic from customers still flows into Azure without any interruption of service.

  • DDoS Protection can also help you manage your cloud consumption. When you run on-premises, you have a fixed number of compute resources. But in the cloud, elastic computing means that you can automatically scale out your deployment to meet demand. A cleverly designed DDoS attack can cause you to increase your resource allocation, which incurs unneeded expense. DDoS Protection Standard helps ensure that the network load you process reflects customer usage. You can also receive credit for any costs accrued for scaled-out resources during a DDoS attack.

What service tiers are available to DDoS Protection?

  • Basic

    • automatically enabled for free as part of your Azure subscription

  • Standard

    • provides additional mitigation capabilities that are tuned specifically to Azure Virtual Network resources.
      Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms.
      Some of the features available for Standard customers:

      • Attack Mitigation Reports: Attack Mitigation Reports use aggregated network flow data to provide detailed information about attacks targeted at your resources.

      • Attack Mitigation Flow Logs: Attack Mitigation Flow Logs allow you to review the dropped traffic, forwarded traffic and other attack data in near real-time during an active DDoS attack.

      • DDoS Rapid Response: Standard customers have access to the DDoS Rapid Response (DRR) team during an active attack. DRR can help with attack investigation, custom mitigations during an attack and post-attack analysis.

In all cases, the Azure global network is used to distribute and mitigate attack traffic across Azure regions.

What kinds of attacks can DDoS Protection help prevent?

  • Volumetric attacks
    The goal of this attack is to flood the network layer with a substantial amount of seemingly legitimate traffic.

  • Protocol attacks
    These attacks render a target inaccessible by exploiting a weakness in the layer 3 (e.g. IP) and layer 4 (e.g. TCP) protocol stack.

  • Resource-layer (application-layer) attacks (only with web application firewall)
    These attacks target web application packets to disrupt the transmission of data between hosts. You need a web application firewall (WAF) to protect against L7 attacks. DDoS Protection Standard protects the WAF from volumetric and protocol attacks.

📎
Layer 3, layer 4 and L7 above refer to the layers of the OSI model.

5.2.4. Filter network traffic by using Network Security Groups (NSGs)

A network security group enables you to filter network traffic to and from Azure resources within an Azure virtual network. You can think of NSGs like an internal firewall. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.

A network security group can contain as many rules as you need, within Azure subscription limits. Each rule specifies these properties:

  • Name: A unique name for the NSG.

  • Priority: A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers.

  • Source or Destination: A single IP address or IP address range, service tag, or application security group.

  • Protocol: TCP, UDP, or Any.

  • Direction: Whether the rule applies to inbound or outbound traffic.

  • Port Range: A single port or range of ports.

  • Action: Allow or Deny.

When you create a network security group, Azure creates a series of default rules to provide a baseline level of security. You can’t remove the default rules, but you can override them by creating new rules with higher priorities.

💡

An NSG can be attached to a subnet, and from then on all the VMs in that subnet are protected.
It is advised to have one NSG per subnet.

5.2.5. Exercise - Configure network access to a VM by using a network security group

You start by creating a Linux VM and installing Nginx, a popular web server, on that VM. To make your web server accessible, you then create a network security group (NSG) rule that allows inbound access on port 80 (HTTP).

There are many ways to create and manage VMs, including their network settings. For example, you can use the Azure portal, the Azure CLI, Azure PowerShell, or an Azure Resource Manager (ARM) template.

Here, you use the Azure CLI. The Azure CLI enables you to connect to Azure and run administrative commands on Azure resources. As with other command-line interfaces, you can run commands directly from a terminal or you can add commands to a Bash script or a PowerShell script. The Azure CLI runs on Windows, macOS, or Linux.

Here, you access the Azure CLI from Azure Cloud Shell. Cloud Shell is a browser-based shell experience that you use to manage and develop Azure resources. Think of Cloud Shell as an interactive console that runs in the cloud.

Azure Cloud Shell
Requesting a Cloud Shell.Succeeded.
Connecting terminal...

Welcome to Azure Cloud Shell

Type "az" to use Azure CLI
Type "help" to learn about Cloud Shell

# First, let's create a Linux VM
ardemius@Azure:~$ az vm create \
>   --resource-group learn-f86915b8-0c40-4a12-9524-7fcff6b051b6 \
>   --name my-vm \
>   --image UbuntuLTS \
>   --admin-username azureuser \
>   --generate-ssh-keys
SSH key files '/home/ardemius/.ssh/id_rsa' and '/home/ardemius/.ssh/id_rsa.pub' have been generated under ~/.ssh to allow SSH access to the VM. If using machines without permanent storage, back up your keys to a safe location.
{- Finished ..
  "fqdns": "",
  "id": "/subscriptions/24f6044d-738b-4d20-8eba-a9307e45b4b4/resourceGroups/learn-f86915b8-0c40-4a12-9524-7fcff6b051b6/providers/Microsoft.Compute/virtualMachines/my-vm",
  "location": "westus",
  "macAddress": "00-0D-3A-32-97-2A",
  "powerState": "VM running",
  "privateIpAddress": "10.0.0.4",
  "publicIpAddress": "104.42.185.11",
  "resourceGroup": "learn-f86915b8-0c40-4a12-9524-7fcff6b051b6",
  "zones": ""
}

# then we configure Nginx on our VM using the Custom Script Extension
ardemius@Azure:~$ az vm extension set \
>   --resource-group learn-f86915b8-0c40-4a12-9524-7fcff6b051b6 \
>   --vm-name my-vm \
>   --name customScript \
>   --publisher Microsoft.Azure.Extensions \
>   --version 2.1 \
>   --settings '{"fileUris":["https://raw.githubusercontent.com/MicrosoftDocs/mslearn-welcome-to-azure/master/configure-nginx.sh"]}' \
>   --protected-settings '{"commandToExecute": "./configure-nginx.sh"}'
{- Finished ..
  "autoUpgradeMinorVersion": true,
  "enableAutomaticUpgrade": null,
  "forceUpdateTag": null,
  "id": "/subscriptions/24f6044d-738b-4d20-8eba-a9307e45b4b4/resourceGroups/learn-f86915b8-0c40-4a12-9524-7fcff6b051b6/providers/Microsoft.Compute/virtualMachines/my-vm/extensions/customScript",
  "instanceView": null,
  "location": "westus",
  "name": "customScript",
  "protectedSettings": null,
  "provisioningState": "Succeeded",
  "publisher": "Microsoft.Azure.Extensions",
  "resourceGroup": "learn-f86915b8-0c40-4a12-9524-7fcff6b051b6",
  "settings": {
    "fileUris": [
      "https://raw.githubusercontent.com/MicrosoftDocs/mslearn-welcome-to-azure/master/configure-nginx.sh"
    ]
  },
  "tags": null,
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "typeHandlerVersion": "2.1",
  "typePropertiesType": "customScript"
}

# get your VM's IP address and store the result as a Bash variable
ardemius@Azure:~$ IPADDRESS="$(az vm list-ip-addresses \
>   --resource-group learn-f86915b8-0c40-4a12-9524-7fcff6b051b6 \
>   --name my-vm \
>   --query "[].virtualMachine.network.publicIpAddresses[*].ipAddress" \
>   --output tsv)"
ardemius@Azure:~$ echo $IPADDRESS
104.42.185.11
# Open a new browser tab and go to your web server.
# After a few moments, you see that the connection isn't happening.
# If you wait for the browser to time out, you'll see something like this:
# "Hmmm... can't reach this page. 104.42.185.11 took too long to respond"

# Same thing when using curl to download the home page
ardemius@Azure:~$ curl --connect-timeout 5 http://$IPADDRESS

# After five seconds, you see an error message that states that the connection timed out.
# This message means that the VM was not accessible within the timeout period.
curl: (28) Connection timed out after 5000 milliseconds

# list the network security groups that are associated with your VM
ardemius@Azure:~$ az network nsg list \
>   --resource-group learn-f86915b8-0c40-4a12-9524-7fcff6b051b6 \
>   --query '[].name' \
>   --output tsv
my-vmNSG
# Every VM on Azure is associated with at least one network security group.
# In this case, Azure created an NSG for you called my-vmNSG.

# list the rules associated with the NSG named my-vmNSG
ardemius@Azure:~$ az network nsg rule list \
>   --resource-group learn-f86915b8-0c40-4a12-9524-7fcff6b051b6 \
>   --nsg-name my-vmNSG
[
  {
    "access": "Allow",
    "description": null,
    "destinationAddressPrefix": "*",
    "destinationAddressPrefixes": [],
    "destinationApplicationSecurityGroups": null,
    "destinationPortRange": "22",
    "destinationPortRanges": [],
    "direction": "Inbound",
    "etag": "W/\"2a5921d9-0138-40ae-90cf-d4b5fa837018\"",
    "id": "/subscriptions/24f6044d-738b-4d20-8eba-a9307e45b4b4/resourceGroups/learn-f86915b8-0c40-4a12-9524-7fcff6b051b6/providers/Microsoft.Network/networkSecurityGroups/my-vmNSG/securityRules/default-allow-ssh",
    "name": "default-allow-ssh",
    "priority": 1000,
    "protocol": "Tcp",
    "provisioningState": "Succeeded",
    "resourceGroup": "learn-f86915b8-0c40-4a12-9524-7fcff6b051b6",
    "sourceAddressPrefix": "*",
    "sourceAddressPrefixes": [],
    "sourceApplicationSecurityGroups": null,
    "sourcePortRange": "*",
    "sourcePortRanges": [],
    "type": "Microsoft.Network/networkSecurityGroups/securityRules"
  }
]

# Let's customize the output with the "--query" argument
ardemius@Azure:~$ az network nsg rule list \
>   --resource-group learn-f86915b8-0c40-4a12-9524-7fcff6b051b6 \
>   --nsg-name my-vmNSG \
>   --query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
>   --output table
Name               Priority    Port    Access
-----------------  ----------  ------  --------
default-allow-ssh  1000        22      Allow

# You see the default rule, default-allow-ssh.
# This rule allows inbound connections over port 22 (SSH).
# SSH (Secure Shell) is a protocol that's used on Linux to allow administrators to access the system remotely.
# By default, a Linux VM's NSG allows network access only on port 22.
# This enables administrators to access the system.
# You need to also allow inbound connections on port 80, which allows access over HTTP.

# create a rule called allow-http that allows inbound access on port 80
ardemius@Azure:~$ az network nsg rule create \
>   --resource-group learn-f86915b8-0c40-4a12-9524-7fcff6b051b6 \
>   --nsg-name my-vmNSG \
>   --name allow-http \
>   --protocol tcp \
>   --priority 100 \
>   --destination-port-range 80 \
>   --access Allow
{- Finished ..
  "access": "Allow",
  "description": null,
  "destinationAddressPrefix": "*",
  "destinationAddressPrefixes": [],
  "destinationApplicationSecurityGroups": null,
  "destinationPortRange": "80",
  "destinationPortRanges": [],
  "direction": "Inbound",
  "etag": "W/\"e5337a39-9e39-49fb-9606-a0e09241f1b4\"",
  "id": "/subscriptions/24f6044d-738b-4d20-8eba-a9307e45b4b4/resourceGroups/learn-f86915b8-0c40-4a12-9524-7fcff6b051b6/providers/Microsoft.Network/networkSecurityGroups/my-vmNSG/securityRules/allow-http",
  "name": "allow-http",
  "priority": 100,
  "protocol": "Tcp",
  "provisioningState": "Succeeded",
  "resourceGroup": "learn-f86915b8-0c40-4a12-9524-7fcff6b051b6",
  "sourceAddressPrefix": "*",
  "sourceAddressPrefixes": [],
  "sourceApplicationSecurityGroups": null,
  "sourcePortRange": "*",
  "sourcePortRanges": [],
  "type": "Microsoft.Network/networkSecurityGroups/securityRules"
}

# For learning purposes, here you set the priority to 100. In this case, the priority doesn't matter.
# You would need to consider the priority if you had overlapping port ranges.

# verify the configuration
ardemius@Azure:~$ az network nsg rule list \
>   --resource-group learn-f86915b8-0c40-4a12-9524-7fcff6b051b6 \
>   --nsg-name my-vmNSG \
>   --query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
>   --output table
Name               Priority    Port    Access
-----------------  ----------  ------  --------
default-allow-ssh  1000        22      Allow
allow-http         100         80      Allow

# Check the result
ardemius@Azure:~$ echo $IPADDRESS
104.42.185.11
ardemius@Azure:~$ curl --connect-timeout 10 http://$IPADDRESS
<html><body><h2>Welcome to Azure! My name is my-vm.</h2></body></html>

# That's good!
# The same result is visible in the browser: "Welcome to Azure! My name is my-vm."
Content of the configure-nginx.sh script referenced above (MicrosoftDocs/mslearn-welcome-to-azure/master/configure-nginx.sh):
#!/bin/bash

# Update apt cache.
sudo apt-get update

# Install Nginx.
sudo apt-get install -y nginx

# Set the home page.
echo "<html><body><h2>Welcome to Azure! My name is $(hostname).</h2></body></html>" | sudo tee -a /var/www/html/index.html
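To make the rule properties of 5.2.4 and the exercise's remark about priorities concrete, here is an added example (not code from these notes or from Azure) that models how an NSG walks its rule list in priority order. It replays my-vmNSG before and after the allow-http rule, shows why priority matters once port ranges overlap, and ends with a hardened variant of default-allow-ssh; the client IPs and the 198.51.100.0/24 admin range are constructed, and service tags are not modelled.

```python
"""How an Azure network security group (NSG) evaluates its rule list.

Added example, not code from the original notes or from Azure. It models the
rule properties listed in 5.2.4 and replays the exercise: my-vmNSG with
default-allow-ssh (priority 1000) before and after allow-http (priority 100).
Simplifications: "*" matches everything, prefixes are plain CIDRs (service
tags are not modelled) and only the DenyAll default rules (65500) are kept.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int               # user rules use 100..4096; lower is processed first
    direction: str              # "Inbound" or "Outbound"
    access: str                 # "Allow" or "Deny"
    protocol: str = "*"         # "Tcp", "Udp" or "*" (Any)
    source_prefix: str = "*"    # CIDR or "*"
    dest_prefix: str = "*"
    dest_port_range: str = "*"  # "80", "80-90" or "*"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


def _prefix_matches(prefix: str, ip: str) -> bool:
    return prefix == "*" or ip_address(ip) in ip_network(prefix, strict=False)


def _port_matches(port_range: str, port: int) -> bool:
    if port_range == "*":
        return True
    if "-" in port_range:
        low, high = (int(p) for p in port_range.split("-", 1))
        return low <= port <= high
    return port == int(port_range)


def rule_matches(rule: NsgRule, pkt: Packet) -> bool:
    return (
        rule.direction == pkt.direction
        and (rule.protocol == "*" or rule.protocol.lower() == pkt.protocol.lower())
        and _prefix_matches(rule.source_prefix, pkt.src_ip)
        and _prefix_matches(rule.dest_prefix, pkt.dst_ip)
        and _port_matches(rule.dest_port_range, pkt.dst_port)
    )


def evaluate(rules, pkt: Packet) -> tuple:
    """First matching rule in ascending priority order decides: (access, rule name)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.access, rule.name
    return "Deny", "implicit-deny"  # only if the DenyAll defaults were left out


# Default rules Azure adds to every NSG: not removable, only overridable by a lower number.
DEFAULT_RULES = [NsgRule("DenyAllInBound", 65500, "Inbound", "Deny"),
                 NsgRule("DenyAllOutBound", 65500, "Outbound", "Deny")]

# The two rules seen on my-vmNSG in the exercise.
DEFAULT_ALLOW_SSH = NsgRule("default-allow-ssh", 1000, "Inbound", "Allow", "Tcp", dest_port_range="22")
ALLOW_HTTP = NsgRule("allow-http", 100, "Inbound", "Allow", "Tcp", dest_port_range="80")

# Constructed traffic towards the VM's private address 10.0.0.4 from the exercise output.
HTTP_FROM_INTERNET = Packet("Inbound", "Tcp", "203.0.113.7", "10.0.0.4", 80)
SSH_FROM_INTERNET = Packet("Inbound", "Tcp", "203.0.113.7", "10.0.0.4", 22)
SSH_FROM_ADMIN_NET = Packet("Inbound", "Tcp", "198.51.100.9", "10.0.0.4", 22)


def exercise_before_and_after():
    """Port 80 hits DenyAllInBound (the curl timeout) until allow-http is created."""
    before = DEFAULT_RULES + [DEFAULT_ALLOW_SSH]
    after = before + [ALLOW_HTTP]
    return evaluate(before, HTTP_FROM_INTERNET), evaluate(after, HTTP_FROM_INTERNET)


def overlapping_ranges_demo():
    """The exercise's remark: priority only matters once port ranges overlap."""
    deny_web_range = NsgRule("deny-web-range", 200, "Inbound", "Deny", "Tcp", dest_port_range="80-90")
    allow_http_300 = NsgRule("allow-http", 300, "Inbound", "Allow", "Tcp", dest_port_range="80")
    allow_wins = DEFAULT_RULES + [deny_web_range, ALLOW_HTTP]    # 100 is processed before 200
    deny_wins = DEFAULT_RULES + [deny_web_range, allow_http_300]  # 200 is processed before 300
    return evaluate(allow_wins, HTTP_FROM_INTERNET), evaluate(deny_wins, HTTP_FROM_INTERNET)


def ssh_restricted_to_admin_range():
    """Hardened variant of default-allow-ssh: SSH only from a constructed admin CIDR."""
    allow_ssh_admins = NsgRule("allow-ssh-admins", 110, "Inbound", "Allow", "Tcp",
                               source_prefix="198.51.100.0/24", dest_port_range="22")
    rules = DEFAULT_RULES + [allow_ssh_admins, ALLOW_HTTP]
    return evaluate(rules, SSH_FROM_ADMIN_NET), evaluate(rules, SSH_FROM_INTERNET)
```

The last function is the "restrict inbound internet access" recommendation of 5.2.6 applied to SSH: the default rule opens port 22 to any source, which is rarely what you want on a VM with a public IP.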

5.2.6. Combine Azure Services to create a complete network security solution

Here are some recommendations on how to combine Azure services to create a complete network security solution:

  • Secure the perimeter layer.
    The perimeter layer is about protecting your organization’s resources from network-based attacks.
    Identifying these attacks, alerting the appropriate security teams, and eliminating their impact are important to keeping your network secure.
    To do this:

    • Use Azure DDoS Protection to filter large-scale attacks before they can cause a denial of service for users.

    • Use perimeter firewalls with Azure Firewall to identify and alert on malicious attacks against your network.

  • Secure the network layer
    The focus is on limiting network connectivity across all of your resources to allow only what’s required.
    Use Network Security Groups to create rules that define allowed inbound and outbound communication at this layer:

    • Limit communication between resources by segmenting your network and configuring access controls.

    • Deny by default.

    • Restrict inbound internet access and limit outbound where appropriate.

    • Implement secure connectivity to on-premises networks.

  • Combine services
    You can combine Azure networking and security services to manage your network security and provide increased layered protection. Here are two ways you can combine services:

    • Network security groups and Azure Firewall
      Azure Firewall complements the functionality of network security groups.

      • Network Security Groups provide distributed network-layer traffic filtering to limit traffic to resources within virtual networks in each subscription.

      • Azure Firewall is a fully stateful, centralized network firewall as a service.
        It provides network-level and application-level protection across different subscriptions and virtual networks.

    • Azure Application Gateway web application firewall (WAF) and Azure Firewall
      Web application firewall (WAF) is a feature of Azure Application Gateway that provides your web applications with centralized, inbound protection against common exploits and vulnerabilities.
      Azure Firewall provides:

      • Inbound protection for non-HTTP/S protocols (for example, RDP, SSH, and FTP).

      • Outbound network-level protection for all ports and protocols.

      • Application-level protection for outbound HTTP/S.

AVTD - sharing of security management between the customer and the cloud provider:

azure az900 AVTD part2 12
Security shared between the customer and the cloud provider
  • In general, user management (Access Management and RBAC) always remains on the customer side, even in SaaS, as does data governance.

  • Protection against DDoS attacks: all Azure services have DDoS protection by default (enabled by default).
    It is the same protection as the one used by Microsoft's own infrastructure.

Which network security solutions protect which layers?

azure az900 AVTD part2 13

6. Azure Fundamentals part 5: Describe identity, governance, privacy, and compliance features

6.1. Secure access to your applications by using Azure identity services

Learn how Azure Active Directory helps you manage and secure identities.
Also see how single sign-on, multifactor authentication (MFA), and Conditional Access enable your users to securely access resources and applications from your intranet and from public networks.

Learning objectives:

  • Explain the difference between authentication and authorization.

  • Describe how Azure Active Directory provides identity and access management (IAM).

  • Explain the role single sign-on (SSO), multifactor authentication, and Conditional Access play in managing user identity.

6.1.1. Compare authentication and authorization

One needs to ensure that employees can access only authorized applications.
For example, all employees can access inventory and pricing software, but only store managers can access payroll and certain accounting software.

  • What is authentication (AuthN)?

    • Authentication is the process of establishing the identity of a person or service that wants to access a resource.
      It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control. It establishes whether the user is who they say they are.

📎
Security Principal

A security principal is a user account, computer account, or group account.
Security principals are assigned security identifiers (SIDs) when they are created, which are used to control access to resources, and used by internal processes to identify security principals.

  • What is authorization (AuthZ)?

    • Authentication establishes the user’s identity, but authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they’re allowed to access and what they can do with it.

The identification card represents credentials that the user has to prove their identity (you’ll learn more about the types of credentials later in this module.) Once authenticated, authorization defines what kinds of applications, resources, and data that user can access.

azure az900 35


AVTD - Comparing authentication and authorization

azure az900 AVTD part2 14

6.1.2. What is Azure Active Directory?

Azure Active Directory (Azure AD) is a cloud-based identity and access management service (IAM). Azure AD enables an organization to control access to apps and resources based on its business requirements.

A classic question: how can an organization integrate its existing Active Directory instance with cloud identity services to create a seamless experience for its users?

  • How does Azure AD compare to Active Directory?

    • Microsoft introduced Active Directory in Windows 2000 to give organizations the ability to manage multiple on-premises infrastructure components and systems by using a single identity per user.

    • When you secure identities on-premises with Active Directory, Microsoft doesn’t monitor sign-in attempts. When you connect Active Directory with Azure AD, Microsoft can help protect you by detecting suspicious sign-in attempts at no extra cost. For example, Azure AD can detect sign-in attempts from unexpected locations or unknown devices.

  • Who uses Azure AD?

    • IT administrators: Administrators can use Azure AD to control access to applications and resources based on their business requirements.

    • App developers: Developers can use Azure AD to provide a standards-based approach for adding functionality to applications that they build, such as adding SSO functionality to an app or enabling an app to work with a user’s existing credentials.

    • Users: Users can manage their identities. For example, self-service password reset enables users to change or reset their password with no involvement from an IT administrator or help desk.

    • Online service subscribers: Microsoft 365, Microsoft Office 365, Azure, and Microsoft Dynamics CRM Online subscribers are already using Azure AD.

📎
A tenant is a representation of an organization. A tenant is typically separated from other tenants and has its own identity.

azure az900 36
Azure Portal view of an IT administrator working with Active Directory

  • What services does Azure AD provide?

    • Authentication
      This includes verifying identity to access applications and resources. It also includes providing functionality such as self-service password reset, multifactor authentication, a custom list of banned passwords, and smart lockout services.

    • Single sign-on
      SSO enables you to remember only one username and one password to access multiple applications. A single identity is tied to a user, which simplifies the security model. As users change roles or leave an organization, access modifications are tied to that identity, which greatly reduces the effort needed to change or disable accounts.

    • Application management
      You can manage your cloud and on-premises apps by using Azure AD. Features like Application Proxy, SaaS apps, the My Apps portal (also called the access panel), and single-sign on provide a better user experience.

    • Device management
      Along with accounts for individual people, Azure AD supports the registration of devices. Registration enables devices to be managed through tools like Microsoft Intune. It also allows for device-based conditional access policies to restrict access attempts to only those coming from known devices, regardless of the requesting user account.

  • What’s single sign-on?

    • Single sign-on enables a user to sign in one time and use that credential to access multiple resources and applications from different providers.

    • With SSO, you need to remember only one ID and one password. Access across applications is granted to a single identity that’s tied to the user, which simplifies the security model. As users change roles or leave an organization, access is tied to a single identity.

  • How can I connect Active Directory with Azure AD?

    • Connecting Active Directory with Azure AD enables you to provide a consistent identity experience to your users.

    • Azure AD Connect synchronizes user identities between on-premises Active Directory and Azure AD. Azure AD Connect synchronizes changes between both identity systems, so you can use features like SSO, multifactor authentication, and self-service password reset under both systems. Self-service password reset prevents users from using known compromised passwords.

azure az900 37
Azure AD Connect

6.1.3. What are multifactor authentication and Conditional Access?

  • What’s multifactor authentication? (MFA)

    • Multifactor authentication is a process where a user is prompted during the sign-in process for an additional form of identification. Examples include a code on their mobile phone or a fingerprint scan.

    • Multifactor authentication provides additional security for your identities by requiring two or more elements to fully authenticate.
      These elements fall into three categories:

      • Something the user knows: This might be an email address and password.

      • Something the user has: This might be a code that’s sent to the user’s mobile phone.

      • Something the user is: This is typically some sort of biometric property, such as a fingerprint or face scan that’s used on many mobile devices.

    • AVTD - Azure multi-factor authentication: provides additional security for your identities by requiring at least 2 factors for a complete authentication

      • MFA combines something you know with something you have or something you are.

      • MFA is recommended for admins

  • What’s Azure AD Multi-Factor Authentication?

    • Azure AD Multi-Factor Authentication is a Microsoft service that provides multifactor authentication capabilities.
      Azure AD Multi-Factor Authentication enables users to choose an additional form of authentication during sign-in, such as a phone call or mobile app notification.
      These services provide Azure AD Multi-Factor Authentication capabilities:

      • Azure Active Directory
        The Azure Active Directory free edition enables Azure AD Multi-Factor Authentication for administrators with the global admin level of access, via the Microsoft Authenticator app, phone call, or SMS code. You can also enforce Azure AD Multi-Factor Authentication for all users via the Microsoft Authenticator app only, by enabling security defaults in your Azure AD tenant.

        Azure Active Directory Premium (P1 or P2 licenses) allows for comprehensive and granular configuration of Azure AD Multi-Factor Authentication through Conditional Access policies (explained below).

      • Multifactor authentication for Office 365

  • What’s Conditional Access?

    • Conditional Access is a tool that Azure Active Directory uses to allow (or deny) access to resources based on identity signals. These signals include who the user is, where the user is, and what device the user is requesting access from.

    • Conditional Access also provides a more granular multifactor authentication experience for users. For example, a user might not be challenged for a second authentication factor if they’re at a known location. However, they might be challenged for a second authentication factor if their sign-in signals are unusual or they’re at an unexpected location.

    • During sign-in, Conditional Access collects signals from the user, makes decisions based on those signals, and then enforces that decision by allowing or denying the access request or challenging for a multifactor authentication response.
      So we have: signals → decisions → enforcement

    • Some example uses of Conditional Access:

      • You might want to allow users to access Office 365 services from a mobile device as long as they use approved client apps, like the Outlook mobile app.

      • You require users to access your application only from managed devices.
        A managed device being a device that meets your standards for security and compliance.

    • Conditional Access comes with a "What If" tool, which helps you plan and troubleshoot your Conditional Access policies. You can use this tool to model your proposed Conditional Access policies across recent sign-in attempts from your users to see what the impact would have been if those policies had been enabled. The What If tool enables you to test your proposed Conditional Access policies before you implement them.

    • AVTD - Conditional Access: tool used by AAD to gather signals, make decisions and enforce the organization's policies

      Conditional Access

      azure az900 AVTD part2 15

      • Conditional Access example: "if you come from the internal network, no need for MFA, but if you come from the Internet, MFA is mandatory"
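The signals → decisions → enforcement flow, the two example uses and the "What If" replay described above, as an added example (not code from these notes or from Azure AD). The policies encode the page's own cases: MFA only when the sign-in does not come from the internal network, approved client apps on mobile devices, and a sensitive app reachable only from managed devices; the named location 198.51.100.0/24, the app names and the recent sign-in records are constructed for the demo.

```python
"""The Conditional Access flow described above: signals -> decisions -> enforcement.

Added example, not the notes' own code and not Azure AD's implementation. The
policies follow the page's examples (no MFA from the internal network but MFA
from the Internet, approved client apps only on mobile, a sensitive app only
from managed devices); named location, app names and sign-in records are
constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORPORATE_NETWORK = ip_network("198.51.100.0/24")       # constructed named location
APPROVED_CLIENT_APPS = frozenset({"outlook-mobile", "teams-mobile"})  # constructed


@dataclass(frozen=True)
class SignIn:
    """Signals collected at sign-in time."""
    user: str
    groups: frozenset
    app: str
    ip: str
    device_compliant: bool   # managed device meeting the compliance standard
    platform: str            # "windows", "ios", "android", ...
    client_app: str          # "browser", "outlook-mobile", "native-mail", ...


@dataclass(frozen=True)
class Policy:
    """Assignments (who/what/where) plus grant controls (what is required)."""
    name: str
    apps: frozenset = frozenset({"*"})
    groups: frozenset = frozenset({"*"})
    platforms: frozenset = frozenset({"*"})
    only_outside_corp: bool = False      # skip when the sign-in comes from the corporate network
    require_mfa: bool = False
    require_compliant_device: bool = False
    require_approved_client: bool = False
    block: bool = False


def _selected(value: str, allowed: frozenset) -> bool:
    return "*" in allowed or value in allowed


def applies(policy: Policy, s: SignIn) -> bool:
    """Decision step 1: does the policy's assignment match the sign-in signals?"""
    if not _selected(s.app, policy.apps) or not _selected(s.platform, policy.platforms):
        return False
    if "*" not in policy.groups and policy.groups.isdisjoint(s.groups):
        return False
    if policy.only_outside_corp and ip_address(s.ip) in CORPORATE_NETWORK:
        return False
    return True


def decide(policies, s: SignIn, mfa_completed: bool = False) -> tuple:
    """Decision step 2: combine the controls of every applicable policy.

    Returns ("allow" | "block" | "mfa_required", [names of policies that applied]).
    A block from any policy wins; otherwise every required control must be met.
    """
    matched = [p for p in policies if applies(p, s)]
    names = [p.name for p in matched]
    if any(p.block for p in matched):
        return "block", names
    for p in matched:
        if p.require_compliant_device and not s.device_compliant:
            return "block", names
        if p.require_approved_client and s.client_app not in APPROVED_CLIENT_APPS:
            return "block", names
    if any(p.require_mfa for p in matched) and not mfa_completed:
        return "mfa_required", names   # enforcement: challenge for a second factor
    return "allow", names


POLICIES = [
    Policy("MFA from Internet", only_outside_corp=True, require_mfa=True),
    Policy("Mobile needs approved app", apps=frozenset({"office365"}),
           platforms=frozenset({"ios", "android"}), require_approved_client=True),
    Policy("Payroll on managed devices", apps=frozenset({"payroll"}),
           require_compliant_device=True),
]

# Constructed recent sign-ins, replayed the way the "What If" tool does.
RECENT_SIGNINS = [
    SignIn("alice", frozenset({"staff"}), "office365", "198.51.100.20", True, "windows", "browser"),
    SignIn("alice", frozenset({"staff"}), "office365", "203.0.113.9", True, "windows", "browser"),
    SignIn("bob", frozenset({"staff"}), "office365", "203.0.113.9", False, "ios", "native-mail"),
    SignIn("carol", frozenset({"managers"}), "payroll", "198.51.100.30", False, "windows", "browser"),
    SignIn("carol", frozenset({"managers"}), "payroll", "198.51.100.30", True, "windows", "browser"),
]


def what_if(policies, signins) -> list:
    """Outcome each past sign-in would have had under the proposed policies."""
    return [decide(policies, s)[0] for s in signins]
```

Running `what_if(POLICIES, RECENT_SIGNINS)` shows the second alice sign-in (same user, from the Internet) being challenged for MFA while the first one from the corporate network is not, which is exactly the AVTD example above.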

6.2. Build a cloud governance strategy on Azure

📎
The term governance describes the general process of establishing rules and policies and ensuring that those rules and policies are enforced.

When running in the cloud, a good governance strategy helps you maintain control over the applications and resources that you manage in the cloud. Maintaining control over your environment ensures that you stay compliant with:

  • Industry standards, like PCI DSS.

  • Corporate or organizational standards, such as ensuring that network data is encrypted.

An organization could enforce processes that prevent teams from directly creating or configuring resources on Azure, as in the traditional approach where central IT provisions all infrastructure. But such restrictions reduce team agility and the ability to innovate. How can we enable innovation while still maintaining control?

6.2.1. Accelerate your cloud adoption journey by using the Cloud Adoption Framework for Azure

The Cloud Adoption Framework consists of tools, documentation and proven practices, and includes these stages:

  1. Define your strategy.

  2. Make a plan.

  3. Ready your organization.

  4. Adopt the cloud.

  5. Govern and manage your cloud environments.

azure az900 38

1) Define your strategy

Here, you answer why you’re moving to the cloud and what you want to get out of cloud migration. Do you need to scale to meet demand or reach new markets? Will it reduce costs or increase business agility?

  1. Define and document your motivations: Meeting with stakeholders and leadership can help you answer why you’re moving to the cloud.

  2. Document business outcomes: Meet with leadership from your finance, marketing, sales, and human resource groups to help you document your goals.

  3. Develop a business case: Validate that moving to the cloud gives you the right return on investment (ROI) for your efforts.

  4. Choose the right first project: Choose a project that’s achievable but also shows progress toward your cloud migration goals.

2) Make a plan

Here, you build a plan that maps your aspirational goals to specific actions. A good plan helps ensure that your efforts map to the desired business outcomes.

  1. Digital estate: Create an inventory of the existing digital assets and workloads that you plan to migrate to the cloud.

  2. Initial organizational alignment: Ensure that the right people are involved in your migration efforts, both from a technical standpoint as well as from a cloud governance standpoint.

  3. Skills readiness plan: Build a plan that helps individuals build the skills they need to operate in the cloud.

  4. Cloud adoption plan: Build a comprehensive plan that brings together the development, operations, and business teams toward a shared cloud adoption goal.

3) Ready your organization

Here, you create a landing zone, or an environment in the cloud to begin hosting your workloads.

  1. Azure setup guide: Review the Azure setup guide to become familiar with the tools and approaches you need to use to create a landing zone.

  2. Azure landing zone: Begin to build out the Azure subscriptions that support each of the major areas of your business. A landing zone includes cloud infrastructure as well as governance, accounting, and security capabilities.

  3. Expand the landing zone: Refine your landing zone to ensure that it meets your operations, governance, and security needs.

  4. Best practices: Start with recommended and proven practices to help ensure that your cloud migration efforts are scalable and maintainable.

4) Adopt the cloud

Here, you begin to migrate your applications to the cloud. Along the way, you might find ways to modernize your applications and build innovative solutions that use cloud services.
The Cloud Adoption Framework breaks this stage into two parts: migrate and innovate.

  • Migrate

    1. Migrate your first workload: Use the Azure migration guide to deploy your first project to the cloud.

    2. Migration scenarios: Use additional in-depth guides to explore more complex migration scenarios.

    3. Best practices: Check in with the Azure cloud migration best practices checklist to verify that you’re following recommended practices.

    4. Process improvements: Identify ways to make the migration process scale while requiring less effort.

  • Innovate

    1. Business value consensus: Verify that investments in new innovations add value to the business and meet customer needs.

    2. Azure innovation guide: Use this guide to accelerate development and build a minimum viable product (MVP) for your idea.

    3. Best practices: Verify that your progress maps to recommended practices before you move forward.

    4. Feedback loops: Check in frequently with your customers to verify that you’re building what they need.

5) Govern and manage your cloud environments

Here, you begin to form your cloud governance and cloud management strategies. As the cloud estate changes over time, so do cloud governance processes and policies. You need to create resilient solutions that are constantly optimized.

  • Govern

    1. Methodology: Consider your end state solution. Then define a methodology that incrementally takes you from your first steps all the way to full cloud governance.

    2. Benchmark: Use the governance benchmark tool to assess your current state and future state to establish a vision for applying the framework.

    3. Initial governance foundation: Create an MVP that captures the first steps of your governance plan.

    4. Improve the initial governance foundation: Iteratively add governance controls that address tangible risks as you progress toward your end state solution.

  • Manage

    1. Establish a management baseline: Define your minimum commitment to operations management. A management baseline is the minimum set of tools and processes that should be applied to every asset in an environment.

    2. Define business commitments: Document supported workloads to establish operational commitments with the business and agree on cloud management investments for each workload.

    3. Expand the management baseline: Apply recommended best practices to iterate on your initial management baseline.

    4. Advanced operations and design principles: For workloads that require a higher level of business commitment, perform a deeper architecture review to deliver on your resiliency and reliability commitments.

AVTD - Cloud Adoption Framework:

  • Good for knowing where to start with the Cloud

  • Very strongly recommended when you are starting out with the Cloud

6.2.2. Create a subscription governance strategy

📎
Reminder about structure for Azure resources
The organizing structure for resources in Azure has four levels: management groups, subscriptions, resource groups, and resources.

At the beginning of any cloud governance implementation, you identify a cloud organization structure that meets your business needs. This step often involves forming a cloud center of excellence team (also called a cloud enablement team or a cloud custodian team). This team is empowered to implement governance practices from a centralized location for the entire organization.

Teams often start their Azure governance strategy at the subscription level. There are three main aspects to consider when you create and manage subscriptions: billing, access control, and subscription limits.

Billing

  • You can create one billing report per subscription. If you have multiple departments and need to do a "chargeback" of cloud costs, one possible solution is to organize subscriptions by department or by project.

Access control

  • A subscription is a deployment boundary for Azure resources. Every subscription is associated with an Azure Active Directory tenant. Each tenant provides administrators the ability to set granular access through defined roles by using Azure role-based access control.

  • When you design your subscription architecture, consider the deployment boundary factor. For example, do you need separate subscriptions for development and for production environments? With separate subscriptions, you can control access to each one separately and isolate their resources from one another.

Subscription limits

  • The maximum number of Azure ExpressRoute circuits per subscription is 10.
    If you need to exceed such limits, you might need to add more subscriptions. If you hit a hard limit maximum, there’s no flexibility to increase it.

6.2.3. Control access to cloud resources by using Azure role-based access control

Reminder: ONLY what is really needed!
It’s a good security practice to grant users only the rights they need to perform their job, and only to the relevant resources.

Instead of defining the detailed access requirements for each individual, and then updating access requirements when new resources are created, Azure enables you to control access through Azure role-based access control (Azure RBAC).

Azure provides built-in roles that describe common access rules for cloud resources. You can also define your own roles. Each role has an associated set of access permissions that relate to that role. When you assign individuals or groups to one or more roles, they receive all of the associated access permissions.

How is role-based access control applied to resources?

  • Role-based access control is applied to a scope, which is a resource or set of resources that this access applies to:
    management group, single subscription, resource group, single resource

  • When you grant access at a parent scope, those permissions are inherited by all child scopes

How is Azure RBAC enforced?

Azure RBAC is enforced on any action that’s initiated against an Azure resource that passes through Azure Resource Manager. Resource Manager is a management service that provides a way to organize and secure your cloud resources.

You typically access Resource Manager from the Azure portal, Azure Cloud Shell, Azure PowerShell, and the Azure CLI. Azure RBAC doesn’t enforce access permissions at the application or data level. Application security must be handled by your application.

RBAC uses an allow model. When you’re assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. If one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you have both read and write permissions on that resource group.

📎
Azure supports up to 2000 role assignments per subscription

Who does Azure RBAC apply to?

You can apply Azure RBAC to an individual person or to a group. You can also apply Azure RBAC to other special identity types, such as service principals and managed identities. These identity types are used by applications and services to automate access to Azure resources.

How do I manage Azure RBAC permissions?

You manage access permissions on the Access control (IAM) pane in the Azure portal. This pane shows who has access to what scope and what roles apply. You can also grant or remove access from this pane.

Ex: Alain Charon has been assigned the Backup Operator role for this resource group.


6.2.4. Prevent accidental changes by using resource locks

A resource lock (or Resource Manager lock) prevents resources from being accidentally deleted or changed.
Even with Azure role-based access control (Azure RBAC) policies in place, there’s still a risk that people with the right level of access could delete critical cloud resources. Think of a resource lock as a warning system that reminds you that a resource should not be deleted or changed.

You can manage resource locks from the Azure portal, PowerShell, the Azure CLI, or from an Azure Resource Manager template.
To view, add, or delete locks in the Azure portal, open the resource and go to Locks in the Settings section of its pane.

You can apply locks to a subscription, a resource group, or an individual resource. You can set the lock level to CanNotDelete or ReadOnly.
Applying the "ReadOnly" lock level is like restricting all authorized users to the permissions granted by the Reader role in Azure RBAC.

Resource locks apply regardless of RBAC permissions. Even if you’re an owner of the resource, you must still remove the lock before you can perform the blocked activity.

Combine resource locks with Azure Blueprints: To make the protection process more robust, you can combine resource locks with Azure Blueprints.
Azure Blueprints enables you to define the set of standard Azure resources that your organization requires. For example, you can define a blueprint that specifies that a certain resource lock must exist.
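Scope inheritance, the allow model of Azure RBAC and the way resource locks override it, modelled in plain Python as an added example for the two sections above (not Azure's implementation). The roles and their actions, the principals, the placeholder subscription ID and the scenario are constructed; only the rules the notes state are modelled.

```python
"""Azure RBAC scope inheritance, allow model and resource locks, as a
constructed model for these notes (not Azure's own implementation)."""
from dataclasses import dataclass

# Constructed role catalogue (name -> allowed actions). RBAC only ever
# grants, never denies, so the roles a principal holds combine by union.
ROLES = {
    "Reader": {"read"},
    "Contributor": {"read", "write", "delete"},
    "Backup Operator": {"read", "backup"},
}

@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user, group, service principal or managed identity
    role: str
    scope: str      # subscription, resource group or single resource ID

@dataclass(frozen=True)
class ResourceLock:
    scope: str
    level: str      # "CanNotDelete" or "ReadOnly"

def scope_chain(scope: str) -> list[str]:
    """The scope itself plus every parent scope, parents first.
    Resource IDs alternate type/name segments, so each parent is an even
    cut of the path. (Management groups are not modelled here.)"""
    parts = scope.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(2, len(parts) + 1, 2)]

def effective_actions(principal, assignments, scope):
    """Union of the actions from every assignment at the scope or a parent:
    access granted at a parent scope is inherited by all child scopes."""
    chain = set(scope_chain(scope))
    actions = set()
    for a in assignments:
        if a.principal == principal and a.scope in chain:
            actions |= ROLES[a.role]
    return actions

def is_allowed(principal, action, scope, assignments, locks):
    """RBAC decides first. A lock at the scope or any parent then blocks the
    action regardless of the role held, so even a Contributor/Owner must
    remove the lock before deleting (CanNotDelete) or changing (ReadOnly)."""
    if action not in effective_actions(principal, assignments, scope):
        return False, "denied: no role assignment grants this action"
    for lock in locks:
        if lock.scope not in scope_chain(scope):
            continue
        if lock.level == "CanNotDelete" and action == "delete":
            return False, f"blocked by CanNotDelete lock at {lock.scope}"
        if lock.level == "ReadOnly" and action != "read":
            return False, f"blocked by ReadOnly lock at {lock.scope}"
    return True, "allowed"

# Constructed scenario: Alain is Backup Operator on rg-prod (as in the notes)
# and Reader on the whole subscription; Bob is Contributor on the subscription.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
RG_PROD = SUB + "/resourceGroups/rg-prod"
VM1 = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm1"
ASSIGNMENTS = [
    RoleAssignment("alain", "Backup Operator", RG_PROD),
    RoleAssignment("alain", "Reader", SUB),
    RoleAssignment("bob", "Contributor", SUB),
]
LOCKS = [ResourceLock(RG_PROD, "CanNotDelete")]

if __name__ == "__main__":
    for who, action in (("alain", "backup"), ("alain", "write"),
                        ("bob", "write"), ("bob", "delete")):
        print(who, action, is_allowed(who, action, VM1, ASSIGNMENTS, LOCKS))
```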

6.2.5. Organize your Azure resources by using Azure Tags

One way to organize related resources is to place them in their own subscriptions.
You can also use resource groups to manage related resources.
Resource tags are another way to organize resources.

Azure Tags are used to logically organize Azure resources, using name-value pairs.

How do I manage resource tags?

You can add, modify, or delete resource tags through PowerShell, the Azure CLI, Azure Resource Manager templates, the REST API, or the Azure portal.

You can also manage tags by using Azure Policy. For example, you can apply tags to a resource group, but those tags are NOT automatically applied to the resources within that resource group. You can use Azure Policy to ensure that a resource inherits the same tags as its parent resource group.

Example of tags: AppName, CostCenter, Owner, Environment and Impact

  • AVTD - Tags: metadata, very useful for surfacing billing information (among other things).

6.2.6. Control and audit your resources by using Azure Policy

How do you ensure that your resources stay compliant? How can you be alerted if a resource’s configuration has changed?
Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources. These policies enforce different rules and effects over your resource configurations so that those configurations stay compliant with corporate standards.

How does Azure Policy define policies?

  • Azure Policy enables you to define both individual policies and groups of related policies (the latter are known as initiatives). Azure Policy evaluates your resources and highlights resources that aren’t compliant with the policies you’ve created. Azure Policy can also prevent noncompliant resources from being created.

  • Azure Policy comes with a number of built-in policy and initiative definitions that you can use, under categories such as Storage, Networking, Compute, Security Center, and Monitoring.
    For example, say you define a policy that allows only a certain stock-keeping unit (SKU) size of virtual machines (VMs) to be used in your environment. After you enable this policy, that policy is applied when you create new VMs or resize existing VMs. Azure Policy also evaluates any current VMs in your environment.

  • In some cases, Azure Policy can automatically remediate noncompliant resources and configurations to ensure the integrity of the state of the resources. For example, if all resources in a certain resource group should be tagged with the AppName tag and a value of "SpecialOrders," Azure Policy can automatically reapply that tag if it has been removed.

  • Azure Policy also integrates with Azure DevOps by applying any continuous integration and delivery pipeline policies that apply to the pre-deployment and post-deployment phases of your applications.

Azure Policy in action

Implementing a policy in Azure Policy involves these three steps:

  1. Create a policy definition.

  2. Assign the definition to resources.

  3. Review the evaluation results.

Create a policy definition

A policy definition expresses what to evaluate and what action to take.
Every policy definition has conditions under which it’s enforced. A policy definition also has an accompanying effect that takes place when the conditions are met.

Examples:

  • Allowed virtual machine SKUs: This policy enables you to specify a set of VM SKUs that your organization can deploy.

  • Allowed locations: This policy enables you to restrict the locations that your organization can specify when it deploys resources. Its effect is used to enforce your geographic compliance requirements.

  • MFA should be enabled on accounts with write permissions on your subscription: This policy requires that multifactor authentication (MFA) be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.

  • CORS should not allow every resource to access your web applications: Cross-origin resource sharing (CORS) is an HTTP feature that enables a web application running under one domain to access resources in another domain. For security reasons, modern web browsers restrict cross-site scripting by default. This policy allows only required domains to interact with your web app.

  • System updates should be installed on your machines: This policy enables Azure Security Center to recommend missing security system updates on your servers.

Assign the definition to resources

To implement your policy definitions, you assign definitions to resources. A policy assignment is a policy definition that takes place within a specific scope. This scope could be a management group (a collection of multiple subscriptions), a single subscription, or a resource group.

Policy assignments are inherited by all child resources within that scope. If a policy is applied to a resource group, that policy is applied to all resources within that resource group. You can exclude a subscope from the policy assignment if there are specific child resources you need to be exempt from the policy assignment.

Review the evaluation results

When a condition is evaluated against your existing resources, each resource is marked as compliant or noncompliant. You can review the noncompliant policy results and take any action that’s needed.

Policy evaluation happens about once per hour. If you make changes to your policy definition and create a policy assignment, that policy is evaluated over your resources within the hour.
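The three steps above carried through in code, as an added example for these notes (not Azure Policy's engine): two definitions in the real policyRule if/then JSON shape, an assignment at a subscription scope with an excluded resource group (Azure calls such exclusions notScopes), and a small evaluator that marks constructed resources compliant or noncompliant. The resource IDs, tag values and allowed locations are constructed, and the evaluator supports only the condition operators these two definitions use.

```python
"""Azure Policy definition, assignment and evaluation, simplified for these
notes. The evaluator is a constructed model, not Azure's engine."""
import json

ALLOWED_LOCATIONS_POLICY = json.loads("""{
  "properties": {
    "displayName": "Allowed locations",
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {
      "if": {"not": {"field": "location",
                     "in": "[parameters('listOfAllowedLocations')]"}},
      "then": {"effect": "deny"}}}}""")

REQUIRE_TAG_POLICY = json.loads("""{
  "properties": {
    "displayName": "AppName tag must be SpecialOrders",
    "policyRule": {
      "if": {"field": "tags['AppName']", "notEquals": "SpecialOrders"},
      "then": {"effect": "audit"}}}}""")

# Constructed assignment: scope, excluded subscopes (notScopes) and parameters.
ASSIGNMENT = {
    "scope": "/subscriptions/sub1",
    "notScopes": ["/subscriptions/sub1/resourceGroups/rg-sandbox"],
    "parameters": {"listOfAllowedLocations": ["westeurope", "northeurope"]},
}

def _rid(rg, resource_type, name):
    return f"/subscriptions/sub1/resourceGroups/{rg}/providers/{resource_type}/{name}"

# Constructed resources with the properties the two policies evaluate.
RESOURCES = [
    {"id": _rid("rg-prod", "Microsoft.Compute/virtualMachines", "vm1"),
     "location": "westeurope", "tags": {"AppName": "SpecialOrders"}},
    {"id": _rid("rg-prod", "Microsoft.Compute/virtualMachines", "vm2"),
     "location": "eastus", "tags": {"AppName": "SpecialOrders"}},
    {"id": _rid("rg-prod", "Microsoft.Storage/storageAccounts", "st1"),
     "location": "westeurope", "tags": {"CostCenter": "1234"}},
    {"id": _rid("rg-sandbox", "Microsoft.Compute/virtualMachines", "vm3"),
     "location": "eastus", "tags": {}},
]

def _in_scope(resource_id, scope):
    return resource_id == scope or resource_id.startswith(scope + "/")

def _resolve(value, params):
    """Expand the "[parameters('name')]" reference syntax of policyRule."""
    if isinstance(value, str) and value.startswith("[parameters('"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def _field(resource, name):
    """Resolve a policy field: a plain property or the tags['key'] alias."""
    if name.startswith("tags['") and name.endswith("']"):
        return resource.get("tags", {}).get(name[6:-2])
    return resource.get(name)

def _condition(cond, resource, params):
    """True when the 'if' condition matches, i.e. the effect would apply."""
    if "not" in cond:
        return not _condition(cond["not"], resource, params)
    value = _field(resource, cond["field"])
    if "in" in cond:
        return value in _resolve(cond["in"], params)
    if "notEquals" in cond:
        return value != _resolve(cond["notEquals"], params)
    raise ValueError(f"unsupported condition: {cond}")

def evaluate_assignment(policy, assignment, resources):
    """Map each resource id to Compliant / NonCompliant / NotApplicable.

    The assignment is inherited by every resource under its scope except
    those under an excluded subscope; for audit and deny effects a resource
    is noncompliant exactly when the 'if' condition holds."""
    rule = policy["properties"]["policyRule"]
    params = assignment.get("parameters", {})
    results = {}
    for r in resources:
        excluded = any(_in_scope(r["id"], ns) for ns in assignment.get("notScopes", []))
        if not _in_scope(r["id"], assignment["scope"]) or excluded:
            results[r["id"]] = "NotApplicable"
        elif _condition(rule["if"], r, params):
            results[r["id"]] = "NonCompliant"
        else:
            results[r["id"]] = "Compliant"
    return results

def noncompliant(policy, assignment=ASSIGNMENT, resources=RESOURCES):
    """Short names of the resources the policy flags (the review step)."""
    return sorted(rid.rsplit("/", 1)[-1] for rid, state in
                  evaluate_assignment(policy, assignment, resources).items()
                  if state == "NonCompliant")

if __name__ == "__main__":
    for policy in (ALLOWED_LOCATIONS_POLICY, REQUIRE_TAG_POLICY):
        print(policy["properties"]["displayName"], "->", noncompliant(policy))
```

vm3 sits in the excluded resource group, so neither policy evaluates it even though its location and tags would otherwise fail both rules.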

What are Azure Policy initiatives?

An Azure Policy initiative is a way of grouping related policies into one set. The initiative definition contains all of the policy definitions to help track your compliance state for a larger goal.

For example, Azure Policy includes an initiative named "Enable Monitoring in Azure Security Center". Its goal is to monitor all of the available security recommendations for all Azure resource types in Azure Security Center.
Under this initiative, the following policy definitions are included (among a total of over 100 policy definitions):

  • Monitor unencrypted SQL Database in Security Center: This policy monitors for unencrypted SQL databases and servers.

  • Monitor OS vulnerabilities in Security Center: This policy monitors servers that don’t satisfy the configured OS vulnerability baseline.

  • Monitor missing Endpoint Protection in Security Center: This policy monitors for servers that don’t have an installed endpoint protection agent.

Initiatives are defined by using the Azure portal or command-line tools.

  • AVTD - Azure Policy: helps you enforce organizational standards and assess compliance at scale. Ensures governance and resource consistency in terms of regulatory compliance, security, cost and management.

    • Ex: in this resource group, you can ONLY create databases, not VMs

    • Ex: for this subscription, you cannot create VMs at $5000 per month…​

6.2.7. Govern multiple subscriptions by using Azure Blueprints

What happens when your cloud environment starts to grow beyond just ONE subscription? How can you scale the configuration of these features, knowing they need to be enforced for resources in new subscriptions?

Instead of having to configure features like Azure Policy for each new subscription, with Azure Blueprints you can define a repeatable set of governance tools and standard Azure resources that your organization requires. In this way, development teams can rapidly build and deploy new environments with the knowledge that they’re building within organizational compliance with a set of built-in components that speed the development and deployment phases.

Azure Blueprints orchestrates the deployment of various resource templates and other artifacts, such as:

  • Role assignments

  • Policy assignments

  • Azure Resource Manager templates

  • Resource groups

When you form a cloud center of excellence team or a cloud custodian team, that team can use Azure Blueprints to scale their governance practices throughout the organization.
Implementing a blueprint in Azure Blueprints involves these three steps:

  • Create an Azure blueprint.

  • Assign the blueprint.

  • Track the blueprint assignments.

With Azure Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. In other words, Azure creates a record that associates a resource with the blueprint that defines it. This connection helps you track and audit your deployments.

Blueprints are also versioned. Versioning enables you to track and comment on changes to your blueprint.

What are blueprint artifacts?

Each component in the blueprint definition is known as an artifact.

  • Artifacts can have no parameters. An example is the "Deploy threat detection on SQL servers" policy, which requires no further configuration.

  • Artifacts can also contain one or more parameters that you can configure.

You can specify a parameter’s value when you create the blueprint definition or when you assign the blueprint definition to a scope. In this way, you can maintain one standard blueprint but have the flexibility to specify the relevant configuration parameters at each scope where the definition is assigned.

FYI, Azure Blueprints has several built-in blueprint definitions that relate to ISO 27001 (a standard that applies to the security of IT systems).
Here are the artifacts that are created when you run an ISO 27001 blueprint from a template:


You see that the blueprint template contains policy assignments, Resource Manager templates, and resource groups.
The blueprint deploys these artifacts to any existing subscriptions within the PROD-MG management group. The blueprint also deploys these artifacts to any new subscriptions as they’re created and added to the management group.

  • AVTD - Azure Blueprints: lets architects define what must be deployed, in a scripted way.

6.2.8. Summary

Cloud governance requires good analysis and requirement gathering. Luckily, the Cloud Adoption Framework for Azure can help you define and implement your governance strategy. There are several services and features in Azure to support these efforts:

  • Azure role-based access control (Azure RBAC) enables you to create roles that define access permissions.

  • Resource locks prevent resources from being accidentally deleted or changed.

  • Resource tags provide extra information, or metadata, about your resources.

  • Azure Policy is a service in Azure that enables you to create, assign, and manage policies that control or audit your resources.

  • Azure Blueprints enables you to define a repeatable set of governance tools and standard Azure resources that your organization requires.

6.3. Examine privacy, compliance, and data protection standards on Azure

In general, compliance means to adhere to a law, standard, or set of guidelines.
Regulatory compliance refers to the discipline and process of ensuring that a company follows the laws that governing bodies enforce.

6.3.1. Explore compliance terms and requirements

Some popular compliance offerings available on Azure


📎
Data transfer to the US from companies established in the US

For some information on data transfer for companies established in the US and the CLOUD Act, see:
https://gsell.tech/how-can-data-sovereignty-be-preserved-after-the-privacy-shield-has-been-invalidated/
(article from 2020/07)

As a reminder, the invalidation of the "Privacy Shield" by the Court of Justice of the EU dates from July 2020.
See the Wikipedia article: https://fr.wikipedia.org/wiki/Bouclier_de_protection_des_donn%C3%A9es_UE-%C3%89tats-Unis

A good, up-to-date (2021/02) article reviewing the state of the subject:
https://blog.cryptshare.com/en/legal-rift-eu-usa-data-handling-data-transfer-implications-for-enterprises

6.3.2. Access the Microsoft Privacy Statement, the Online Services Terms, and the Data Protection Addendum

Microsoft Privacy Statement, the Online Services Terms, and the Data Protection Addendum explain the personal data Microsoft collects, how Microsoft uses it, and for what purposes.
It is Microsoft’s responsibility to handle your data securely and in compliance with privacy and legal requirements.

What’s in the Microsoft Privacy Statement?

  • The Microsoft Privacy Statement explains what personal data Microsoft collects, how Microsoft uses it, and for what purposes.

  • It provides trust in how Microsoft collects, protects, and uses customer data.

What’s in the Online Services Terms?

  • The Online Services Terms (OST) is a legal agreement between Microsoft and the customer. The OST details the obligations by both parties with respect to the processing and security of customer data and personal data.

What is the Data Protection Addendum?

  • The Data Protection Addendum (DPA) further defines the data processing and security terms for online services. These terms include:

    • Compliance with laws.

    • Disclosure of processed data.

    • Data Security, which includes security practices and policies, data encryption, data access, customer responsibilities, and compliance with auditing.

    • Data transfer, retention, and deletion.

  • To access the DPA, go to Licensing Terms and Documentation, then, in the search bar, enter "DPA"

6.3.3. Explore the Trust Center

The Trust Center showcases Microsoft’s principles for maintaining data integrity in the cloud and how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services.
The Trust Center is an important part of the Microsoft Trusted Cloud Initiative and provides support and resources for the legal and compliance community.

The Trust Center provides you with documentation about compliance standards and how Azure can support your business.

6.3.4. Access Azure compliance documentation

The Azure compliance documentation gives you access to detailed information about legal and regulatory standards and compliance on Azure.

6.3.5. What is Azure Government?

Azure Government is a separate instance of the Microsoft Azure service. It addresses the security and compliance needs of US federal agencies, state and local governments, and their solution providers. Azure Government offers physical isolation from non-US government deployments and provides screened US personnel.

6.3.6. What is Azure China 21Vianet?

Azure China 21Vianet is operated by 21Vianet. It’s a physically separated instance of cloud services located in China. Azure China 21Vianet is independently operated and transacted by Shanghai Blue Cloud Technology Co., Ltd. ("21Vianet"), a wholly owned subsidiary of Beijing 21Vianet Broadband Data Center Co., Ltd.

According to the China Telecommunication Regulation, providers of cloud services, infrastructure as a service (IaaS) and platform as a service (PaaS), must have value-added telecom permits. Only locally registered companies with less than 50 percent foreign investment qualify for these permits. To comply with this regulation, the Azure service in China is operated by 21Vianet, based on the technologies licensed from Microsoft.

6.4. Microsoft 365 Compliance Center

AVTD - Compliance Manager: gives you a score, a rating of the level your solution has reached with respect to the requirements of a given regulation.

  • The Microsoft 365 Compliance Center is brand new: in GA (General Availability) since 2021/01.

  • To visit the Microsoft 365 compliance center, https://compliance.microsoft.com, you need to be a global administrator, compliance administrator, or compliance data administrator.

Compliance Manager helps simplify the way you manage compliance.
It calculates a risk-based score measuring your progress toward completing recommended actions that help reduce risks around data protection and regulatory standards.
It also provides workflow capabilities and built-in control mapping to help you efficiently carry out improvement actions.

Compliance Manager is based on 3 tools:

  • Continuous assessments: automatically detects and monitors your system settings

  • Recommended actions: helps you to reduce risks with step-by-step guidance

  • Control mapping: helps you take 1 action, and satisfy multiple regulatory requirements

For more details, check:

Compliance Manager default view


  • It shows your score for data protection baseline, based on requirements from ISO, NIST and GDPR.

    • ISO: International Organization for Standardization

    • NIST: National Institute of Standards and Technology, an agency of the United States Department of Commerce. Its purpose is to promote the economy by developing technologies, metrology and standards together with industry.

    • GDPR: General Data Protection Regulation

📎
Azure Service Trust Portal

The Service Trust Portal (STP) hosts the Compliance Manager service, and is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft’s cloud services.

By comparison, the Compliance Manager is a workflow-based risk assessment dashboard within the Trust Portal that enables you to track, assign, and verify your organization’s regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure.

7. Azure Fundamentals part 6: Describe Azure cost management and service level agreements

Module objectives:

  • Use the Total Cost of Ownership Calculator to compare your current datacenter costs to running the same workloads on Azure.

  • Describe the different ways you can purchase Azure products and services.

  • Use the Pricing calculator to estimate the monthly cost of running your cloud workloads.

  • Define some of the major factors that affect total cost, and apply recommended practices to minimize cost.

7.1. Plan and manage your Azure costs

7.1.1. Compare costs by using the Total Cost of Ownership Calculator

The TCO Calculator (Total Cost of Ownership calculator) helps you estimate the cost savings of operating your solution on Azure over time, instead of in your on-premises datacenter.

The term total cost of ownership is commonly used in finance. It can be hard to see all the hidden costs related to operating a technology capability on-premises. Software licenses and hardware are additional costs.

With the TCO Calculator, you enter the details of your on-premises workloads. Then you review the suggested industry average cost (which you can adjust) for related operational costs. These costs include electricity, network maintenance, and IT labor. You’re then presented with a side-by-side report. Using the report, you can compare those costs with the same workloads running on Azure.


Working with the TCO Calculator involves three steps:

  • Define your workloads
    Enter the specifications of your on-premises infrastructure, based on these 4 categories:

    • servers: This category includes operating systems, virtualization methods, CPU cores, and memory (RAM).

    • databases: This category includes database types, server hardware, and the Azure service you want to use, which includes the expected maximum concurrent user sign-ins.

    • storage: This category includes storage type and capacity, which includes any backup or archive storage.

    • networking: This category includes the amount of network bandwidth you currently consume in your on-premises environment.

📎
Backup vs archive
  • Backup: a backup is a copy of data that can be used to restore the original data if it is damaged or lost (accidental deletions, file corruption, technical problems, etc.). It generally concerns data that is still in use within the company.

  • Archive: an archive is one or more data records, specifically selected for retention over a shorter or longer period in case they need to be accessed later, most often for legal reasons. It generally concerns data that is no longer used within the company.

One of the fundamental differences to note is that a backup is always a copy, whereas an archive must be the original document, removed from its initial location and transferred elsewhere.
Moreover, unlike backup, archiving offers advanced indexing and search capabilities. The very content of the objects is indexed, and metadata specific to the archived objects can be stored in a database and used during searches (this is known as eDiscovery).

  • Adjust assumptions
    You specify whether your current on-premises licenses are enrolled for Software Assurance, which can save you money by reusing those licenses on Azure.
    You also specify whether you need to replicate your storage to another Azure region for greater redundancy.

    Then, you can see the key operating cost assumptions across several different areas, which vary among teams and organizations. These costs have been certified by Nucleus Research, an independent research company. For example, these costs include:

    • Electricity price per kilowatt hour (kWh).

    • Hourly pay rate for IT administration.

    • Network maintenance cost as a percentage of network hardware and software costs.

    📎
    Software Assurance coverage (Azure Hybrid Benefit offer)

    The Azure Hybrid Benefit offer lets you leverage your on-premises licenses and save up to 40% on virtual machines and up to 82% with Azure Reserved Virtual Machine Instances.

    Azure Hybrid Use Benefit (HUB) is a discount program for Microsoft Azure users that allows them to get more value from their Windows Server licenses by saving them up to 40 percent off the normal cost of running their virtual machines (VMs).

  • View the report
    Choose a time frame between one and five years. The TCO Calculator generates a report that’s based on the information you’ve entered.
    For each category (compute, datacenter, networking, storage, and IT labor), you can also view a side-by-side comparison of the cost breakdown of operating those workloads on-premises versus operating them on Azure.

7.1.2. Purchase Azure services

Questions to be addressed to prepare Cloud migration:

  • What types of Azure subscriptions are available?

  • How do we purchase Azure services?

  • Does location or network traffic affect cost?

  • What other factors affect the final cost?

  • How can we get a more detailed estimate of the cost to run on Azure?

What types of Azure subscriptions can I use?

Azure offers both free and paid subscription options to fit your needs and requirements. They are:

  • Free trial: A free trial subscription provides you with 12 months of popular free services, a credit to explore any Azure service for 30 days, and more than 25 services that are always free. Your Azure services are disabled when the trial ends or when your credit expires for paid products, unless you upgrade to a paid subscription.

  • Pay-as-you-go: A pay-as-you-go subscription enables you to pay for what you use by attaching a credit or debit card to your account. Organizations can apply for volume discounts and prepaid invoicing.

  • Member offers: Your existing membership to certain Microsoft products and services might provide you with credits for your Azure account and reduced rates on Azure services. For example, member offers are available to Visual Studio subscribers, Microsoft Partner Network members, Microsoft for Startups members, and Microsoft Imagine members.

How do I purchase Azure services?

  • Through an Enterprise Agreement: Larger customers, known as enterprise customers, can sign an Enterprise Agreement with Microsoft. This agreement commits them to spending a predetermined amount on Azure services over a period of three years. The service fee is typically paid annually. As an Enterprise Agreement customer, you’ll receive the best customized pricing based on the kinds and amounts of services you plan on using.

  • Directly from the web: Here, you purchase Azure services directly from the Azure portal website and pay standard prices. You’re billed monthly, as a credit card payment or through an invoice. This purchasing method is known as Web Direct.

  • Through a Cloud Solution Provider: A Cloud Solution Provider (CSP) is a Microsoft Partner who helps you build solutions on top of Azure. Your CSP bills you for your Azure usage at a price they determine. They also answer your support questions and escalate them to Microsoft, as needed.

Your account is billed according to Azure’s "pay for what you use" model.
At the end of each month, you’re billed for what you’ve used. At any time, you can check the cost management and billing page in the Azure portal to get a summary of your current usage and review invoices from prior months.

What factors affect cost?

The way you use resources, your subscription type, and pricing from third-party vendors are common factors. Let’s take a quick look at each:

  • Resource type: the rate depends on what you provision (blob storage, table storage, a VM, etc.)

  • Usage meters:
    When you provision a resource, Azure creates meters to track usage of that resource. Azure uses these meters to generate a usage record that’s later used to help calculate your bill.

    Think of usage meters similar to how you use electricity or water in your home. You might pay a base price each month for electricity or water service, but your final bill is based on the total amount that you consumed.

    Let’s look at a single VM as an example. The following kinds of meters are relevant to tracking its usage:

    • Overall CPU time.

    • Time spent with a public IP address.

    • Incoming (ingress) and outgoing (egress) network traffic in and out of the VM.

    • Disk size and amount of disk read and disk write operations.

    Each meter tracks a specific type of usage. For example, a meter might track bandwidth usage (volume of ingress or egress network traffic), number of operations, or size (storage capacity in bytes).

    The usage that a meter tracks correlates to a quantity of billable units. Those units are charged to your account for each billing period. The rate per billable unit depends on the resource type you’re using.

  • Resource usage
    In Azure, you’re always charged based on what you use. As an example, let’s look at how this billing applies to deallocating a VM.

    In Azure, you can delete or deallocate a VM. Deleting a VM means that you no longer need it: the VM is removed from your subscription, and the underlying capacity is released for another customer.
    Deallocating a VM means that the VM is no longer running, but its disks and data are kept in Azure. The VM isn’t assigned to a CPU or network in Azure’s datacenter, so it doesn’t generate compute-time charges, and a dynamic public IP address is released. Because the disks are still stored and the resource is still present in your subscription, you’re still billed for disk storage (and for a static public IP address, if the VM had one reserved).

    Deallocating a VM when you don’t plan on using it for some time is just one way to minimize costs. For example, you might deallocate the VMs you use for testing purposes on weekends when your testing team isn’t using them.

  • Azure subscription types
    Some Azure subscription types also include usage allowances, which affect costs.
    For example, an Azure free trial subscription provides access to a number of Azure products that are free for 12 months. It also includes credit to spend within your first 30 days of sign-up. And you get access to more than 25 products that are always free (based on resource and region availability).

  • Azure Marketplace
    You can also purchase Azure-based solutions and services from third-party vendors through Azure Marketplace. Examples include managed network firewall appliances or connectors to third-party backup services. Billing structures are set by the vendor.

Does location or network traffic (and bandwidth) affect cost?

Location is known as the Azure region.

Azure infrastructure is distributed globally, which enables you to deploy your services centrally or provision your services closest to where your customers use them.
Different regions can have different associated prices. Because geographic regions can impact where your network traffic flows, network traffic is a cost influence to consider as well.

Billing zones are a factor in determining the cost of some Azure services.
Bandwidth refers to data moving in and out of Azure datacenters. Some inbound data transfers (data going into Azure datacenters) are free. For outbound data transfers (data leaving Azure datacenters), data transfer pricing is based on zones.

7.1.3. Understand Azure support plans

Microsoft offers 4 paid Azure support plans and 1 free for customers who require technical and operational support.

azure az900 56
  • Basic: free support plan included for all Azure customers

  • DEVELOPER: For trial, testing and development.

    • If you’re using Azure in a nonproduction environment or just trying it out, choose the Developer plan to get an initial response to your Azure technical support requests within one business day.

    • The Azure Developer offering is appropriate for companies or individuals using Microsoft Azure in a non-production environment or for trial and evaluation.

    • → $29 / month

  • STANDARD: Production workloads

    • When you’re running a production workload on Azure, get Azure technical support initial response times between one hour and one business day, based on case severity, with the Standard plan.

    • The Azure Standard offering is a good choice for small or mid-size companies with minimal business critical dependence on Microsoft Azure.

    • → $100 / month

  • PROFESSIONAL DIRECT ("ProDirect"): Business-critical functions

    • If you need faster response times, advisory services, and high-severity incident escalation management from a collaborative management pool, choose Professional Direct (ProDirect) support.

    • The Azure ProDirect offering is most appropriate for mid-size to large companies with substantial business critical utilization of Microsoft Azure.

    • → $1000 / month

  • ENTERPRISE SUPPORT: Comprehensive Microsoft technology support

    • If you need company-wide support across Azure and other Microsoft technologies, consider enterprise support.

7.1.4. Azure Pricing Calculator

The Azure Pricing calculator helps you in the process of taking all factors into account to get an accurate cost estimate.
It lists Azure products by category; for each product you add to an estimate, you configure the options that drive its price: region, tier, billing options, support options, programs and offers, and Azure Dev/Test pricing.

Keep in mind that the Pricing calculator provides estimates and NOT actual price quotes. Actual prices can vary depending upon the date of purchase, the payment currency you’re using, and the type of Azure customer you are.

Exercise - Estimate workload cost by using the Pricing calculator

In the Azure Pricing calculator, in the "Example Scenarios" section, you can find templates for some reference architectures, or common cloud-based solutions that you can use as a starting point (like "Modern data warehouse")

7.1.5. Manage and minimize total cost on Azure

Calculate your projected costs by using the Pricing calculator and the Total Cost of Ownership (TCO) Calculator. Only add the products, services, and resources that you need for your solution.

Use Azure Advisor to monitor your usage

  • Azure Advisor identifies unused or underutilized resources and recommends shutting down or removing them. This information helps you right-size your resources to match your actual workload.
    azure az900 48

Use spending limits to restrict your spending

  • If you have a free trial or a credit-based Azure subscription, you can use spending limits to prevent accidental overrun.

  • If you have a credit-based subscription and you reach your configured spending limit, Azure suspends your subscription until a new billing period begins.

Use Azure Reservations to prepay

  • Azure Reservations offers discounted prices on certain Azure services. Azure Reservations can save you up to 72 percent as compared to pay-as-you-go prices. To receive a discount, you reserve services and resources by paying in advance.

  • For example, you can prepay for one year or three years of use of VMs, database compute capacity, database throughput, and other Azure resources.

Choose low-cost locations and regions

  • The cost of Azure products, services, and resources can vary across locations and regions. If possible, you should use them in those locations and regions where they cost less.

  • But remember, some resources are metered and billed according to how much outgoing (egress) network bandwidth they consume. You should provision connected resources that are metered by bandwidth in the same Azure region to reduce egress traffic between them.

Research available cost-saving offers

  • Keep up to date with the latest Azure customer and subscription offers, and switch to offers that provide the greatest cost-saving benefit.

Use Azure Cost Management + Billing to control spending

  • Azure Cost Management + Billing is a free service that helps you understand your Azure bill, manage your account and subscriptions, monitor and control Azure spending, and optimize resource use.

  • This service includes:

    • Reporting: Use historical data to generate reports and forecast future usage and expenditure.

    • Data enrichment: Improve accountability by categorizing resources with tags that correspond to real-world business and organizational units.

    • Budgets: Create and manage cost and usage budgets by monitoring resource demand trends, consumption rates, and cost patterns.

    • Alerting: Get alerts based on your cost and usage budgets.

    • Recommendations: Receive recommendations to eliminate idle resources and to optimize the Azure resources you provision.

Apply tags to identify cost owners

  • Tags help you manage costs associated with the different groups of Azure products and resources. You can apply tags to groups of Azure resources to organize billing data.

Resize underutilized virtual machines

  • Virtual machine costs are linear within a series: each size up doubles the price of the one below it. For example, if you reduce a VM from Standard_D4_v4 to Standard_D2_v4, the next size down, you halve its compute cost.

  • Keep in mind that resizing a VM requires it to be stopped, resized, and then restarted. This process might take a few minutes depending on how significant the size change is. Be sure to properly plan for an outage, or shift your traffic to another instance while you perform resize operations.

Deallocate virtual machines during off hours

  • Recall that to deallocate a VM means to no longer run the VM, but preserve the associated hard disks and data in Azure.

  • This approach is an excellent strategy for development and testing environments, where the VMs are needed only during business hours. Azure even provides a way to automatically start and stop your VMs on a schedule.
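The off-hours deallocation described above, as an added example that is not part of the original notes and not an Azure feature (Azure’s own auto-shutdown is configured per VM in the portal). The selection logic is pure Python so it can be exercised offline on the constructed inventory embedded below; applying the result shells out to the Azure CLI (`az vm list -d` to read each VM’s powerState, `az vm deallocate` to release its compute), which only happens when run with `--apply`. The tag names `env` and `autoshutdown` and the 08:00-19:00 weekday window are assumptions. Two practitioner caveats are built in: it never deletes anything (a deallocated VM keeps its disks, and a static public IP if it has one, so those meters keep running), and it uses `deallocate` rather than `az vm stop`, because a merely stopped VM stays allocated and keeps billing compute.

```python
"""Select opted-in dev VMs to deallocate outside business hours.

Added example, not part of the original AZ-900 notes. Tag names, the
business-hours window and the sample inventory are assumptions.
"""
from __future__ import annotations

import json
import subprocess
import sys
from datetime import datetime, time

BUSINESS_START = time(8, 0)      # assumed office hours, local time
BUSINESS_END = time(19, 0)
WORK_DAYS = {0, 1, 2, 3, 4}      # Monday..Friday (datetime.weekday())


def outside_business_hours(now: datetime) -> bool:
    """True on weekends and on weekdays before 08:00 or from 19:00 on."""
    if now.weekday() not in WORK_DAYS:
        return True
    return not (BUSINESS_START <= now.time() < BUSINESS_END)


def vms_to_deallocate(inventory: list[dict], now: datetime) -> list[tuple[str, str]]:
    """Return (resourceGroup, name) of VMs to deallocate right now.

    A VM is selected only if it is tagged env=dev (production is never
    touched), explicitly opted in with autoshutdown=true, and currently
    running. Deallocation stops the compute and dynamic-IP meters; disks
    (and any static public IP) are kept and keep billing, which is the
    intended trade-off for a VM you want back on Monday morning.
    """
    if not outside_business_hours(now):
        return []
    selected = []
    for vm in inventory:
        tags = vm.get("tags") or {}
        if tags.get("env") != "dev":
            continue
        if str(tags.get("autoshutdown", "")).lower() != "true":
            continue
        if vm.get("powerState") != "VM running":
            continue
        selected.append((vm["resourceGroup"], vm["name"]))
    return selected


def list_vms_with_az() -> list[dict]:
    """Inventory via the Azure CLI; -d (--show-details) adds powerState to each record."""
    result = subprocess.run(["az", "vm", "list", "-d", "-o", "json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def deallocate_with_az(resource_group: str, name: str) -> None:
    """Deallocate (not just stop) so the VM stops billing compute."""
    subprocess.run(["az", "vm", "deallocate", "--resource-group", resource_group,
                    "--name", name], check=True)


# Constructed sample inventory, shaped like `az vm list -d` output trimmed to the fields used.
SAMPLE_INVENTORY = [
    {"resourceGroup": "rg-dev", "name": "vm-dev-01", "powerState": "VM running",
     "tags": {"env": "dev", "autoshutdown": "true"}},
    {"resourceGroup": "rg-dev", "name": "vm-dev-02", "powerState": "VM deallocated",
     "tags": {"env": "dev", "autoshutdown": "true"}},          # already off
    {"resourceGroup": "rg-dev", "name": "vm-dev-03", "powerState": "VM running",
     "tags": {"env": "dev"}},                                  # not opted in
    {"resourceGroup": "rg-prod", "name": "vm-web-01", "powerState": "VM running",
     "tags": {"env": "prod", "autoshutdown": "true"}},         # production: never touched
]


if __name__ == "__main__":
    apply = "--apply" in sys.argv
    inventory = list_vms_with_az() if apply else SAMPLE_INVENTORY
    for rg, name in vms_to_deallocate(inventory, datetime.now()):
        print(f"deallocate {rg}/{name}")
        if apply:
            deallocate_with_az(rg, name)
```

Run without arguments to see which of the sample VMs would be deallocated at the current time; run with `--apply` from a shell that is already logged in with `az login` to act on a real subscription. Scheduling it (cron, an Azure Automation runbook, a pipeline) outside the business-hours window is left to the reader.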

Delete unused resources

  • It’s not uncommon to find nonproduction or proof-of-concept systems that are no longer needed following the completion of a project.

Migrate from IaaS to PaaS services

  • One way to reduce costs is to gradually move IaaS workloads to run on platform as a service (PaaS) services.

Save on licensing costs
You can do it by:

  • Choosing cost-effective operating systems

  • Using Azure Hybrid Benefit to repurpose software licenses on Azure

    • If you’ve purchased licenses for Windows Server or SQL Server, and your licenses are covered by Software Assurance, you might be able to repurpose those licenses on VMs on Azure.

AVTD - How to minimize costs on Azure?

6 factors that drive the cost of Azure services:

  • resource type

  • services

  • location: the same resources can cost differently depending on the region they are deployed in (running a datacenter is more expensive in Switzerland or Australia, for example)

  • bandwidth

  • reserved instances

  • Azure Hybrid Benefit: you bring your own licences, which are then reused in the Azure cloud.

Factors affecting costs

azure az900 AVTD part2 16 azure az900 AVTD part2 17

  • Azure Pricing calculator: careful, this calculator only gives an ESTIMATE.

    • Linux is generally cheaper than Windows, because no licence is attached to it

How to minimize costs on Azure?

azure az900 AVTD part2 18

7.1.6. Knowledge check

  • Which is the best first step the team should take to compare the cost of running these environments on Azure versus in their datacenter?

    • Run the Total Cost of Ownership Calculator.

  • What’s the best way to ensure that the development team doesn’t provision too many virtual machines at the same time?

    • Apply spending limits to the development team’s Azure subscription.

  • Which is the most efficient way for the testing team to save costs on virtual machines on weekends, when testers are not at work?

    • Deallocate virtual machines when they’re not in use.
      Indeed, usage meters track not only CPU time but also the public IP address, network traffic and the number of disk operations, so Azure bills you for more than the CPU time you use; deallocating stops the compute meters while keeping the disks.

  • Resources in the Dev and Test environments are each paid for by different departments. What’s the best way to categorize costs by department?

    • Apply a tag to each virtual machine that identifies the appropriate billing department.

To sum it up, to have a clear picture of the total cost of running in the cloud:

  1. Use the Total Cost of Ownership Calculator to estimate the cost savings of operating its solution on Azure instead of in its on-premises datacenter.

  2. Then use the Pricing calculator to get a more detailed estimate for running a typical workload on Azure each month.

  3. Create a checklist of cost-saving measures

7.2. Choose the right Azure services by examining the SLAs and service lifecycle

7.2.1. What are service-level agreements (SLAs)?

What is a SLA?

A service-level agreement (SLA) is a formal agreement between a service company and the customer.
An SLA describes how Microsoft responds when an Azure service fails to perform to its specification.

AVTD - An SLA describes Microsoft’s commitments in terms of uptime and connectivity.

Where can I access SLAs for Azure services?

  • You can access SLAs from Service Level Agreements

  • Each Azure service defines its own SLA.

  • SLA details: This section defines the specific guarantees for the service. Performance commitments are commonly measured as a percentage, which typically ranges from 99.9 percent ("three nines") to 99.99 percent ("four nines").

    The primary performance commitment typically focuses on uptime, or the percentage of time that a product or service is successfully operational. Some SLAs focus on other factors as well, including latency, or how fast the service must respond to a request.

How do percentages relate to total downtime?

  • Downtime refers to the time duration that the service is unavailable.

  • Here’s a table to give you a sense of how total downtime decreases as the SLA percentage increases from 99 percent to 99.999 percent:
    azure az900 49

What are service credits?

A service credit is the percentage of the fees you paid that is credited back to you according to the claim approval process.

  • Here’s how credits are applied for Azure Database for MySQL according to uptime:
    azure az900 50

⚠️

Free products typically don’t have an SLA.
Services like Azure Advisor are always free, and their SLA page accordingly states that they have no financially backed SLA.

How do I know when there’s an outage?

  • Azure status provides a global view of the health of Azure services and regions. If you suspect there’s an outage, this is often a good place to start your investigation.

  • From the Azure status page, you can also access Azure Service Health. This provides a personalized view of the health of the Azure services and regions that you’re using, directly from the Azure portal.

How can I request a service credit from Microsoft?

  • Typically, you need to file a claim with Microsoft to receive a service credit.

  • Each SLA specifies the timeline by which you must submit your claim and when Microsoft processes your claim. For many services, you must submit your claim by the end of the calendar month following the month in which the incident occurred.

7.2.2. Define your application SLA

An application SLA defines the SLA requirements for a specific application. This term typically refers to an application that you build on Azure.

Usage patterns define when and how users access your application.

One question to consider is whether the availability requirement differs between critical and non-critical time periods. For example, a tax-filing application can’t fail during a filing deadline.
For Tailwind Traders, retail stores aren’t open 24 hours a day, so if the application were down in the middle of the night, the impact would be minimal. However, because Tailwind Traders has retail locations all over the world, it will need to ensure that each location has access to the service during its retail hours.

7.2.3. Design your application to meet your SLA

A workload is a distinct capability or task that’s logically separated from other tasks, in terms of business logic and data storage requirements. Each workload defines a set of requirements for availability, scalability, data consistency, and disaster recovery.

The process of combining SLAs helps you compute the composite SLA for a set of services that must all be available for the application to work. To compute it, multiply the SLAs of the individual services (as fractions, e.g. 0.9999 for 99.99%); the result is always lower than the weakest individual SLA.
Example with an application that requires 2 VMs, 1 Azure SQL database and 1 Azure Load Balancer:

azure az900 51

Here the result is 99.78%, lower than any of the SLAs of the services taken separately.

⚠️
Be careful with composite SLA
Using multiple services adds an extra level of complexity and slightly increases the risk of failure.

To ensure high availability, you might plan for your application to have duplicate components across several regions, known as redundancy.
Conversely, to minimize costs during non-critical periods, you might run your application only in a single region.

Example for Tailwind Traders, its main website must be available as close to 100 percent of the time as possible. To accomplish that, Tailwind Traders might deploy extra instances of the same virtual machine across different availability zones in the same Azure region. Doing so helps ensure that if one zone is affected, virtual machine instances in the other zone can pick up the load.

⚠️
Consider how critical high availability is to your requirements before you add redundancy. There may be simpler ways to meet your application SLA.
📎
SLA above 99.99% (4 nines) is very difficult to achieve.

Performance targets above 99.99 percent are very difficult to achieve. An SLA of 99.99 percent means 1 minute of downtime per week. It’s difficult for humans to respond to failures quickly enough to meet SLA performance targets above 99.99 percent. Instead, your application must be able to self-diagnose and self-heal during an outage.
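The SLA arithmetic of this section, worked through in code: the downtime-per-period table, the multiplied composite SLA of 99.78%, and the roughly one-minute-per-week budget at four nines. This is an added example, not part of the original notes or of any Microsoft tool. The per-service figures it uses (99.9% for each VM, 99.99% for Azure SQL Database and for Azure Load Balancer) are assumptions chosen to reproduce the 99.78% quoted above; check the current SLA page of each service before relying on them. It also goes one step beyond the notes: `redundant_sla()` quantifies what the availability-zone redundancy discussed above buys, under the simplifying assumption that the replicas fail independently.

```python
"""SLA arithmetic: downtime budgets, serial (composite) SLAs and redundancy.

Added example, not part of the original AZ-900 notes. The per-service SLA
values used in the demo are assumptions; look them up on the official SLA pages.
"""
from __future__ import annotations

MINUTES_PER_WEEK = 7 * 24 * 60
MINUTES_PER_MONTH = 30 * 24 * 60   # 30-day month, as in most SLA downtime tables
MINUTES_PER_YEAR = 365 * 24 * 60


def downtime_minutes(sla_percent: float, period_minutes: int) -> float:
    """Maximum downtime the SLA allows over a period of the given length."""
    if not 0.0 <= sla_percent <= 100.0:
        raise ValueError("an SLA is a percentage between 0 and 100")
    return period_minutes * (1.0 - sla_percent / 100.0)


def downtime_table(sla_percent: float) -> dict[str, float]:
    """Downtime budget of one SLA level per week, month and year, in minutes."""
    return {
        "week": downtime_minutes(sla_percent, MINUTES_PER_WEEK),
        "month": downtime_minutes(sla_percent, MINUTES_PER_MONTH),
        "year": downtime_minutes(sla_percent, MINUTES_PER_YEAR),
    }


def composite_sla(sla_percents: list[float]) -> float:
    """SLA of a chain of services that must ALL be up for the app to work.

    Availabilities multiply, so the result is always below the weakest link.
    """
    availability = 1.0
    for p in sla_percents:
        if not 0.0 <= p <= 100.0:
            raise ValueError("an SLA is a percentage between 0 and 100")
        availability *= p / 100.0
    return availability * 100.0


def redundant_sla(sla_percent: float, instances: int) -> float:
    """SLA of a tier where ANY ONE of N identical instances being up is enough,
    e.g. VMs behind a load balancer spread across availability zones.

    The tier is down only if every instance is down at once. Assumes the
    instances fail independently: instances sharing a zone, rack or update
    window fail together, which is exactly why redundancy is spread across zones.
    """
    if instances < 1:
        raise ValueError("need at least one instance")
    p_fail_one = 1.0 - sla_percent / 100.0
    return (1.0 - p_fail_one ** instances) * 100.0


if __name__ == "__main__":
    for sla in (99.0, 99.9, 99.95, 99.99, 99.999):
        t = downtime_table(sla)
        print(f"{sla:>7}%  week {t['week']:8.2f} min  month {t['month']:8.2f} min"
              f"  year {t['year']:8.2f} min")

    # The notes' example: 2 VMs, 1 Azure SQL Database, 1 Azure Load Balancer,
    # every component required, so all four SLAs are multiplied.
    vm, sql, lb = 99.9, 99.99, 99.99          # assumed per-service SLAs
    print(f"composite (both VMs required): {composite_sla([vm, vm, sql, lb]):.2f}%")  # 99.78%

    # Same components, but the two VMs are interchangeable replicas behind the
    # load balancer: the VM tier becomes redundant and the composite improves.
    vm_tier = redundant_sla(vm, 2)
    print(f"VM tier with 2 replicas: {vm_tier:.4f}%")                      # 99.9999%
    print(f"composite (either VM suffices): {composite_sla([vm_tier, sql, lb]):.2f}%")  # 99.98%
```

The difference between the two composite figures is the whole argument for redundancy: the serial chain is dragged below the weakest component, while two replicas that can each serve alone push the VM tier to six nines, and the remaining weak links are then the shared services.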

📎
High availability through Azure Load Balancer

Azure Load Balancer supports inbound and outbound scenarios and allows you to scale applications and create high availability solutions.

7.2.4. Access preview services and preview features

What is the service lifecycle?

  • The service lifecycle defines how every Azure service is released for public use.

  • Every Azure service starts in the development phase. In this phase, the Azure team collects and defines its requirements, and begins to build the service.

  • Next, the service is released to the public preview phase. During this phase, the public can access and experiment with it so that it can provide feedback.

  • After a new Azure service is validated and tested, it’s released to all customers as a production-ready service. This is known as general availability (GA).

Each Azure preview defines its own terms and conditions. All preview-specific terms and conditions supplement your existing Azure service agreement.
Some previews aren’t covered by customer support. Therefore, previews are not recommended for business-critical workloads.

You can access preview services from the Azure portal.
Select "Create a resource", and search for "preview" in the search box.

💡
You can access preview features that are specific to the Azure portal itself from Microsoft Azure (Preview).
  • AVTD - Azure previews portal: lets customers report their needs to Microsoft, so that it can build the missing products / features.

    • Through these Azure previews, customers can beta-test new services / features.

    • No SLA for services in preview

8. OLD COURSE CONTENT, BEFORE 2020/11/09

⚠️
Some notions covered in this old content, such as Availability sets and the definition of fault tolerance, are NOT carried over into the new Microsoft Learn preparation course for the AZ-900 certification.

8.1. Explore Microsoft Azure cloud concepts (AZ-900)

  • "The exam is intended for candidates with non-technical backgrounds, such as candidates involved in selling or purchasing cloud-based solutions and services."

    • TODO: consider whether this exam could be included in the first steps of the learning path, and also be targeted at NON-IT people, such as sales staff

  • 4 modules in this course (and for the AZ-900 exam)

    • Explore Microsoft Azure cloud concepts

    • Distinguish Microsoft Azure core services

    • Examine Microsoft Azure security, privacy, compliance, and trust

    • Review Microsoft Azure pricing, Service Level Agreements, and lifecycles

8.1.1. Discuss why cloud services

Cloud Computing
Cloud Computing is the delivery of computing services—servers, storage, databases, networking, software, analytics, intelligence and more—over the internet (the cloud), enabling faster innovation, flexible resources, and economies of scale. You typically pay only for cloud services you use, helping lower your operating costs, run your infrastructure more efficiently, and scale as your business needs change.

Cloud providers offer a wide range of services, including:

  • Compute power - such as Linux servers or web applications.

  • Storage - such as files and databases.

  • Networking - such as secure connections between the cloud provider and your company.

  • Analytics - such as visualizing telemetry and performance data.

azure az900 01
Computing choices for Cloud: VMs, containers or serverless

Key Cloud Concepts :

  • High availability. The ability to keep services up and running for long periods of time, with very little downtime, depending on the service in question.

  • Scalability. The ability to increase or decrease resources for any given workload. You can add additional resources to service a workload (known as scaling out), or add additional capabilities to manage an increase in demand to the existing resource (known as scaling up). Scalability doesn’t have to be done automatically.

  • Elasticity. The ability to automatically or dynamically increase or decrease resources as needed. Elastic resources match the current needs, and resources are added or removed automatically to meet future needs when it’s needed (and from the most advantageous geographic location). A distinction between scalability and elasticity is that elasticity is done automatically.

  • Agility. The ability to react quickly. Cloud services can allocate and deallocate resources quickly. They are provided on-demand via self-service, so vast amounts of computing resources can be provisioned in minutes. There is no manual intervention in provisioning or deprovisioning services.
    Cloud agility is the ability to rapidly change an IT infrastructure to adapt to the evolving needs of the business.

  • Fault tolerance. The ability to remain up and running even in the event of a component (or service) no longer functioning. Typically, redundancy is built into cloud services architecture, so if one component fails, a backup component takes its place. This type of service is said to be tolerant of faults.

  • Disaster recovery. The ability to recover from an event which has taken down a cloud service. Cloud services disaster recovery can happen very quickly, with automation and services being readily available to use.

  • Global reach. The ability to reach audiences around the globe. Cloud services can have a presence in various regions across the globe, which you and your customer can access, giving you a presence in those regions even though you may not have any infrastructure in that region.

  • Customer latency capabilities. If customers are experiencing slowness with a particular cloud service, they are said to be experiencing latency. Even though modern fiber optics are fast, it still takes time for a service to react to customer actions if it is not located near the customer. Cloud services can deploy resources in datacenters around the globe, which helps keep the service close to its users and reduce latency.

  • Predictive cost considerations. The ability for users to predict the costs they will incur for a particular cloud service. Costs for individual services are made available, and tools are provided to allow you to predict the costs a service will incur. You can also perform analysis based on planned growth.

  • Technical skill requirements and considerations. Cloud services can provide and manage hardware and software for workloads. Getting a workload up and running with cloud services demands less technical resources than having IT teams build and maintain a physical infrastructure for handling the same workload. A user can be an expert in the application they want to run without requiring skills to build and maintain the underlying hardware and software infrastructure.

  • Increased productivity. On-site datacenters typically require a lot of hardware setup (otherwise known as racking and stacking), software patching, and other time-consuming IT management chores. Cloud computing eliminates the need for many of these tasks. This allows IT teams to spend time focusing on achieving more important business goals.

  • Security. Cloud providers offer a broad set of policies, technologies, controls, and expert technology skills that can provide better security than most organizations can otherwise achieve. The result is strengthened security, which helps to protect data, apps, and infrastructure from potential threats.

8.1.2. Distinguish types of cloud models

3 different cloud deployment models: Public Cloud, Private Cloud, and Hybrid Cloud.

An example of a hybrid cloud usage scenario would be hosting a website in the public cloud and linking it to a highly secure database hosted in a private cloud.
Hybrid cloud scenarios can be useful when organizations have some things that cannot be put in a public cloud, possibly for legal reasons. For example, you may have medical data that cannot be exposed publicly.
Another example is one or more applications that run on old hardware that can’t be updated. In this case, you can keep the old system running locally in your private cloud and connect it to the public cloud for authorization or storage.

  • Private cloud can be hosted on premises, OR managed by a cloud provider.

    • the fact that a private cloud can be hosted by a cloud provider is explained in the video, but the text explanations that follow seem to say the opposite…​ (?)

      • I confirm that the video does say "on premise OR managed by a Cloud provider"

Remember, the cloud deployment model you choose will depend on your budget, security, scalability, and maintenance needs. Azure provides all of the flexibility and capabilities to meet your specific needs.

8.1.3. Explore types of cloud services

Shared responsibility model

The shared responsibility model ensures cloud workloads are run securely and in a well-managed way. Depending on the service you are using, the cloud provider is responsible for some aspects of the workload management, and the customer or end user is responsible for other aspects of the workload management, and in some cases, both share a responsibility.

azure az900 02
azure az900 03
IaaS, PaaS and SaaS

Common examples of SaaS apps and software: email, calendars, office tools (such as Office 365)

IaaS, PaaS, and SaaS each contain different levels of managed services. You may easily use a combination of these types of infrastructure. You could use Microsoft 365 on your company’s computers (SaaS), and in Azure you could host your VMs (IaaS) and use Azure SQL Database (PaaS) to store your data. With the cloud’s flexibility, you can use any combination that provides you with the maximum result.

8.2. Distinguish Microsoft Azure Core Services (AZ-900)

8.2.1. Discuss core Azure architectural components

In this module, you will:

  • Explore the physical structure of Azure infrastructure

  • Understand the service level agreements provided by Azure

  • Learn how to provide your own service level agreements for your apps

Azure Regions

2 Azure datacenters in France, Paris and Marseille (corresponding to 2 "regions", France Central and France South)
https://azure.microsoft.com/fr-fr/global-infrastructure/geographies/

A few examples of regions are West US, Canada Central, West Europe, Australia East, and Japan West. At the time of writing this, Azure is generally available in 60 regions and available in 140 countries.

azure az900 04

See Microsoft’s site: "Azure has more global regions than any other cloud provider"

Each Azure region is paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away, which together make a region pair.

azure az900 05

Azure divides the world into geographies that are defined by geopolitical boundaries or country borders. An Azure geography is a discrete market typically containing two or more regions that preserves data residency and compliance boundaries.

Data residency

Data residency refers to the physical or geographic location of an organization’s data or information. It defines the legal or regulatory requirements imposed on data based on the country or region in which it resides and is an important consideration when planning out your application data storage.

Availability Options

azure az900 06

Availability Sets
azure az900 07
Availability Sets, Update domains and Fault domains

Availability sets are made up of Update domains (UD) and Fault domains (FD):

  • Update domains. When a maintenance event occurs (such as a performance update or critical security patch applied to the host), the update is sequenced through update domains. Sequencing updates using update domains ensures that the entire datacenter isn’t unavailable during platform updates and patching. Update domains are a logical section of the datacenter, and they are implemented with software and logic.

  • Fault domains. Fault domains provide for the physical separation of your workload across different hardware in the datacenter. This includes power, cooling, and network hardware that supports the physical servers located in server racks. In the event the hardware that supports a server rack becomes unavailable, only that rack of servers would be affected by the outage.
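A small model of the update-domain / fault-domain placement described above, added here as an example; it is not Azure’s placement code. Azure does not publish its assignment as a formula, so the round-robin spread is an assumption used to illustrate the idea; only the domain limits (managed availability sets allow 2 or 3 fault domains depending on the region, and up to 20 update domains, 5 by default) come from the Azure documentation. It goes one step beyond the notes by computing the worst-case share of VMs lost when a rack failure coincides with a platform update, which is what you should compare against the number of instances your application needs to stay healthy.

```python
"""Toy model of fault-domain (FD) / update-domain (UD) placement in an
availability set.

Added example, not Azure code: the round-robin assignment is an assumption;
only the domain limits come from the Azure documentation.
"""
from __future__ import annotations

MAX_FAULT_DOMAINS = 3      # managed availability sets: 2 or 3, depending on the region
MAX_UPDATE_DOMAINS = 20    # default 5, configurable up to 20


def place_vms(n_vms: int, fault_domains: int = 3, update_domains: int = 5) -> list[dict]:
    """Spread VMs round-robin over FDs (racks: shared power, cooling, network)
    and UDs (groups rebooted together during platform maintenance)."""
    if not 1 <= fault_domains <= MAX_FAULT_DOMAINS:
        raise ValueError("fault domains must be between 1 and 3")
    if not 1 <= update_domains <= MAX_UPDATE_DOMAINS:
        raise ValueError("update domains must be between 1 and 20")
    return [{"vm": f"vm-{i:02d}", "fd": i % fault_domains, "ud": i % update_domains}
            for i in range(n_vms)]


def survivors(placement: list[dict], failed_fd: int | None = None,
              updating_ud: int | None = None) -> list[str]:
    """VMs still up when one rack has failed and/or one update domain is being rebooted."""
    return [p["vm"] for p in placement
            if p["fd"] != failed_fd and p["ud"] != updating_ud]


def worst_case_loss(placement: list[dict], fault_domains: int, update_domains: int) -> float:
    """Largest fraction of VMs lost when any single rack failure coincides
    with any single patch wave: the number to compare with your capacity floor."""
    n = len(placement)
    lost_max = 0
    for fd in range(fault_domains):
        for ud in range(update_domains):
            lost_max = max(lost_max, n - len(survivors(placement, fd, ud)))
    return lost_max / n


if __name__ == "__main__":
    six = place_vms(6)                  # 6 VMs over 3 FDs x 5 UDs: vm-05 wraps onto UD0
    for p in six:
        print(p)
    print("rack FD1 down:", survivors(six, failed_fd=1))                 # 4 of 6 stay up
    print("rack FD1 down during UD0 patch:", survivors(six, 1, 0))       # 2 of 6 stay up
    print("worst case loss:", worst_case_loss(six, 3, 5))                # 4/6
    # Without an availability set everything shares one rack and one patch wave:
    print("single FD/UD, rack down:", survivors(place_vms(6, 1, 1), failed_fd=0))  # []
```

The wrap-around is the point to notice: with more VMs than update domains, one patch wave takes down more than one VM, and combined with a rack failure you can lose four of six instances even though the set "spreads" them. Size the set (and the UD count) so that the worst case still leaves enough instances to carry the load.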

Availability zones

Availability zones are physically separate locations within an Azure region, each with independent power, cooling, and networking. They protect against the loss of an entire datacenter, which an availability set (racks within a single datacenter) does not.

  • Availability zones are offered as a service within Azure, and to ensure resiliency, there’s a minimum of three separate zones in all enabled regions.

  • Availability Zones are primarily for VMs, managed disks, load balancers, and SQL databases.

Resource Group

A resource group is a unit of management for your resources in Azure. You can think of your resource group as a container that allows you to aggregate and manage all the resources required for your application in a single manageable unit. This allows you to manage the application collectively over its lifecycle, rather than manage components individually. Before any resource can be provisioned, you need a resource group for it to be placed in.

azure az900 08
If you delete a resource group, all resources contained within are also deleted.
💡
Consistent naming convention

Use an understandable naming convention.
An example could be msftlearn-core-infrastructure-rg.
We’ve given some indication of what it’s used for (msftlearn), the types of resources contained within (core-infrastructure), and the type of resource it is itself (rg).

Resource groups help to organize resources, with several possible strategies:

  • Organize based on authorization needs: resource groups are a scope for RBAC, and a role assigned at the resource group is inherited by every resource inside it, so you can organize resources by who needs to administer them

  • Organize for resource life cycle: Resource groups serve as the life cycle for the resources within it. If you delete a resource group, you delete all the resources in it.

  • Organize for usage in billing reports: placing resources in the same resource group is a way to group them for usage in billing reports

Azure Management Layer

Azure Resource Manager is a management layer in which resource groups and all the resources within it are created, configured, managed, and deleted.
It provides a consistent management layer that lets you automate the deployment and configuration of resources with different automation and scripting tools, such as Azure PowerShell, the Azure Command-Line Interface (Azure CLI), the Azure portal, the REST API, and client SDKs. All of these tools send their requests through the same Resource Manager API, which authenticates and authorizes each request before forwarding it to the service, so RBAC and policy are enforced the same way whichever tool is used.

With Azure Resource Manager, you can:

  • Deploy Application resources: Update, manage, and delete all the resources for your solution in a single, coordinated operation.

  • Organize resources: Manage your infrastructure through declarative templates rather than scripts. You can view which resources are linked by a dependency, and you can apply tags to resources to categorize them for management tasks, such as billing.

  • Control access and resources. You can control who in your organization can perform actions on the resources. You manage permissions by defining roles and adding users or groups to those roles, and you apply policies at management group, subscription, or resource group scope.
    Examples of elements you may wish to control: enforcing a naming convention on resources, limiting which types and instances of resources can be deployed, or limiting which regions can host a type of resource.

Resource Manager templates are JSON files that define the resources you need to deploy your solution.
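The following added example (written for these notes; it is not Microsoft code and not Azure Policy) shows what the `resources` section of such a JSON template looks like and runs the three controls listed above (naming convention, allowed resource types, allowed regions) plus a required-tags check over it before deployment. The template, the policy values and the tag names are constructed; in Azure itself these controls are enforced server-side by Azure Policy at deployment time.

```python
"""Pre-deployment checks over an ARM template. Added example: the
template and the policy below are constructed for illustration; Azure
Policy performs this kind of enforcement inside Resource Manager."""
import json
import re

# Constructed sample template: a VNet that follows the rules and a storage
# account that breaks several of them on purpose.
SAMPLE_TEMPLATE = json.loads(r'''
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": { "type": "string", "defaultValue": "westeurope" }
  },
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2020-11-01",
      "name": "msftlearn-core-infrastructure-vnet",
      "location": "[parameters('location')]",
      "tags": { "environment": "prod", "owner": "platform-team" },
      "properties": { "addressSpace": { "addressPrefixes": [ "10.0.0.0/16" ] } }
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-04-01",
      "name": "MyStorage01",
      "location": "eastus",
      "tags": { "environment": "prod" },
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "properties": {}
    }
  ]
}
''')

# Constructed policy. Storage account names cannot contain hyphens (3-24
# lowercase alphanumerics), so they get their own pattern; everything else
# follows the <purpose>-<workload>-<type> convention used above.
POLICY = {
    "name_rules": {
        "Microsoft.Storage/storageAccounts": re.compile(r"^[a-z0-9]{3,24}$"),
        "default": re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*-(?:rg|vnet|nsg|vm)$"),
    },
    "allowed_types": {"Microsoft.Network/virtualNetworks",
                      "Microsoft.Storage/storageAccounts"},
    "allowed_locations": {"westeurope", "northeurope"},
    "required_tags": {"environment", "owner"},
}


def resolve_location(resource, template):
    """Resolve a literal location or a [parameters('x')] reference
    to its default value (only that template function is handled)."""
    loc = resource.get("location", "")
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", loc)
    if m:
        return template.get("parameters", {}).get(m.group(1), {}).get("defaultValue", "")
    return loc


def check_template(template, policy=POLICY):
    """Return a list of (resource id, problem) tuples; empty means compliant."""
    violations = []
    for res in template.get("resources", []):
        rid = f"{res['type']}/{res['name']}"
        if res["type"] not in policy["allowed_types"]:
            violations.append((rid, "resource type not allowed"))
        pattern = policy["name_rules"].get(res["type"], policy["name_rules"]["default"])
        if not pattern.match(res["name"]):
            violations.append((rid, "name violates the naming convention"))
        location = resolve_location(res, template)
        if location not in policy["allowed_locations"]:
            violations.append((rid, f"location {location!r} not allowed"))
        missing = policy["required_tags"] - set(res.get("tags", {}))
        if missing:
            violations.append((rid, "missing required tags: " + ", ".join(sorted(missing))))
    return violations


if __name__ == "__main__":
    for rid, problem in check_template(SAMPLE_TEMPLATE):
        print(f"{rid}: {problem}")
```

Run against the sample, the VNet passes and the storage account is reported three times (mixed-case name, region outside Europe, missing `owner` tag). A check like this belongs in CI before `az deployment group create`; it does not replace Azure Policy, which also catches resources created through the portal or the CLI without a template.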

9. Resources

Other sites that help to prepare for the certification:

Mock exam sites and practice questions / answers:

10. Mock exams

Q1)
You have plans to deploy several Azure virtual machines. You are required to ensure that the services running on the virtual machines are available, even if a single data center fails.

Solution: You suggest deploying the virtual machines to two or more scale sets.

Does the suggested solution meet the desired goal?

 ✅ No, the solution does not meet the desired goal
 ❌ Yes, the solution meets the desired goal


Q2) Jacob is working in an organization. He has been asked to migrate its SQL Database to Azure while ensuring that other users in the organization do not accidentally delete or modify critical resources.
Which of the following Azure features should Jacob use to meet the requirement?

 ✅ Azure Resource Manager Locks
 Azure role-based access control
 Azure Policy
 Azure Active Directory


Q3)
Let us suppose you plan to deploy several Azure virtual machines. You are required to ensure that the services running on the virtual machines are available if a single data centre fails.

Solution: You suggest deploying the virtual machines to two or more availability zones.

Does the suggested solution meet the desired goal?

 ✅ Correct
 Incorrect


Q4) Peter is working in a company that plans to migrate its website to Azure. The website is accessed worldwide by users for video streaming services. Peter has been asked to suggest a solution that provides reduced load times and high transfer speeds.

Which of the following Azure services should Peter suggest to meet the requirement?

 ✅ Azure Content Delivery Network
 Load Balancers
 Blob Storage
 Network Security Groups


Q5) Which of the following Azure Service would you suggest when you are planning to create an application with an event-based architecture that has the feature to ingest events from Blob storage and create custom topics?

 ✅ Azure Event Grid
 Azure Logic Apps
 Azure Functions
 Azure Machine Learning Studio


Q6) A company plans to migrate all of its servers and data to Azure.
John has been asked to suggest a solution that uses only Software-as-a-Service (SaaS) Azure products to support the planned migration.
John suggests deploying Azure virtual machines and Azure SQL Database.

Does the solution suggested by John meet the requirement?

 Yes, it meets the requirement
 ✅ No, it does not meet the requirement


Q7)

Let us suppose you work for ABC Ltd. which has several business units. Each business unit requires 20 different Azure resources for daily operation. All the business units require the same type of Azure resources. Now, you are required to suggest a solution to automate the creation of Azure resources.

Which of the following options would you suggest in this case?

 Virtual machine scale sets
 The Azure API Management service
 Management groups
 ✅ Azure Resource Manager templates


Q8) Sam is working in an organization that plans to migrate its applications to Azure. He has been asked to suggest a solution that will maintain virtual machine connectivity to at least one instance with a guaranteed 99.95% uptime.
Sam suggested deploying one VM instance in one Availability Set.

Does the suggested solution meet the goal?

 No, it does not meet the goal
 ✅ Yes, it meets the goal

🔥 Check this answer against the SLA for Virtual Machines: the 99.95% figure applies to two or more instances deployed in the same availability set (99.99% across availability zones). A single instance is only covered at 99.9%, and only when all of its disks are Premium SSD or Ultra Disk. One VM alone in an availability set does not reach 99.95%. 🔥


Q9) An organization plans to migrate its Docker containers to Azure.
You have been asked to suggest a solution that offers a set of version control tools to help developers manage the application code.

Which amongst the following will you include in your recommendation?

 Azure Activity log
 Azure Pipelines
 ✅ Azure Repos
 Azure Monitor


Q10) ________________ is used to explain the personal data that Microsoft processes, how Microsoft processes it, and for what purposes.

 Microsoft Online Services Level Agreement
 Microsoft Online Subscription Agreement
 Microsoft Cloud Agreement (MCA)
 ✅ Microsoft Privacy Statement


Q1)
Let us suppose ABC Ltd. plans to migrate all its data and resources to Azure. The company’s migration plan states that only platform as a service (PaaS) solutions must be used in Azure. Now you are required to deploy an Azure environment which supports the planned migration.

Solution: In this case, you create an Azure App Service and Azure virtual machines that have Microsoft SQL Server installed.

Does the solution meet the desired goal?

 Yes, the solution meets the desired goal.
 ✅ No, the solution does not meet the desired goal.


Q2) Which of the given Azure services provides a DNS-based traffic load balancer?

 Azure Private Load Balancer
 Azure Network Interface
 ✅ Azure Traffic Manager
 Azure Public Load Balancer


Q3) Your organization is planning to build a customized solution for uploading weather data to Azure from several million sensors. Which of the given services should the company use to connect, monitor, and control the sensors without managing the infrastructure?

 Azure App Service
 Azure Virtual Machine
 ✅ Azure IoT Hub
 Azure Files


Q4) ________________ is used to explain the personal data that Microsoft processes, how Microsoft processes it, and for what purposes.

 Microsoft Online Services Level Agreement
 Microsoft Online Subscription Agreement
 Microsoft Cloud Agreement (MCA)
 ✅ Microsoft Privacy Statement


Q5) Let us suppose a company wants to try out some services that are being offered by Azure in Public Preview.

In this case, should the company deploy resources which are part of Public Preview in their production environment?

 ✅ No
 Yes


Q6) A company plans to migrate its application servers hosted on-premises to Azure.
Which of the following is the key advantage of using the public cloud for its servers?

 Public cloud is owned by the public and not a private organization or corporation.
 Public cloud is used exclusively by a single business or organization.
 Public cloud is a free shared entity that is crowdfunded by the public and is accessible by everyone.
 ✅ Public cloud is a shared entity operated by a third-party cloud service provider that various corporations can use.


Q7) An organization plans to migrate its application named QuickApp1 to Azure.
Based on the observed pattern, QuickApp1 has low usage during the second and fourth weeks and high usage during the first and third weeks of the month.
Which of the following benefits of Azure cloud services will support cost management for this kind of usage pattern?

 High availability
 Fault tolerance
 Load balancing
 ✅ Elasticity


Q8) Samuel is working in an organization that needs to secure its web applications against volumetric, protocol, and resource layer attacks. Samuel has been asked to suggest a solution that can automatically generate post-attack mitigation reports for compliance purposes.
Which of the following services should he use to satisfy this requirement?

 Azure Firewall
 Azure Security Center
 Azure Advanced Threat Protection
 ✅ Azure DDoS Protection Standard

🔥 Azure Advanced Threat Protection (Azure ATP) is the former name of Microsoft Defender for Identity. 🔥
A cloud-based security solution that uses your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

See Thomas Mitchell's mock exam: Azure Advanced Threat Protection is Microsoft's security solution that is used to identify, detect, and investigate advanced threats and compromised IDENTITIES.


Q9) ______________ offers real-time analytics and complex event-processing engine.

 Azure Event Hub
 Azure Data Lake
 Azure Logic Apps
 ✅ Azure Stream Analytics


Q10) Let us suppose a company needs to create around 50 customized virtual machines every week, of which 20 are Windows-based virtual machines and the remaining 30 are Ubuntu machines.

Which of the given options would help reduce the administrative effort needed to deploy the machines?

 Azure virtual machine scale sets
 ✅ Azure DevTest Labs
 Azure Reserved Virtual Machines (VM) Instances
 Microsoft Managed Desktop

🔥 I PERSONALLY DO NOT AGREE WITH THIS LAST ONE. 🔥
Azure DevTest Labs eases the management (building, setting up, tearing down) of VMs, focusing on a LAB environment, which is not specified in the question.

11. Glossary

ACU

Azure Compute Units. Dedicated compute resources used to run applications deployed in an App Service plan. Azure also uses the ACU as a relative performance benchmark across VM sizes (a Standard_A1 is rated at 100 ACU).

ARM

Azure Resource Manager. Azure Resource Manager templates are JSON (JavaScript Object Notation) files that define the infrastructure and configuration of your project.

BGP

Border Gateway Protocol. BGP is used to exchange routes between on-premises networks and resources running in Azure. This protocol enables dynamic routing between your on-premises network and services running in the Microsoft cloud.

BYOD

Bring Your Own Device

CapEx

Capital Expenditure. This is the up front spending of money on physical infrastructure, and then deducting that up front expense over time. The up front cost from CapEx has a value that reduces over time.

CCM

Cloud Controls Matrix

CDN

A content delivery network, or content distribution network (CDN), is a geographically distributed network of proxy servers and their data centers. The goal is to provide high availability and performance by distributing the service spatially relative to end users.

CORS

Cross-Origin Resource Sharing

CSA

Cloud Security Alliance

CSP

Cloud Solution Provider, a Microsoft Partner who helps you build solutions on top of Azure.

DLP

Data Loss Prevention

FedRAMP

Federal Risk and Authorization Management Program. Microsoft cloud services have undergone independent, third-party FedRAMP Moderate and High Baseline audits and are certified according to the FedRAMP standards.

FQDN

Fully Qualified Domain Names

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that regulates patient Protected Health Information (PHI).

Hosting provider

A synonym for "cloud services provider".

HUB

Azure Hybrid Use Benefit (now simply Azure Hybrid Benefit): lets you apply existing Windows Server and SQL Server licenses with Software Assurance to Azure VMs and Azure SQL to reduce their cost.

IAM

Identity and Access Management

IOPS

I/O operations per second

ISO

International Organization for Standardization, the world's largest standards body, which remains a non-governmental organization.

ISP

Internet Service Provider

MFA

Multi-Factor Authentication

MTCS

Multi-Tier Cloud Security

NFS

Network File System

NIST / CSF

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risks.

NSG

Network Security Group, enables you to filter network traffic to and from Azure resources within an Azure virtual network. You can think of an NSG as an internal, stateful Layer 3/4 firewall: rules are evaluated in priority order (lowest number first), the first matching rule decides, and the built-in default rules at the end deny all inbound traffic that nothing else allowed.
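The following added example (written for these notes, not Azure code) models the inbound evaluation of an NSG: custom rules and the built-in default rules are merged, sorted by priority, and the first match wins. It also shows the two things practitioners most often miss, that traffic from inside the VNet is allowed by the default `AllowVnetInBound` rule unless a custom rule denies it, and that a deny rule with a lower priority number silently shadows an allow rule placed after it. The rules, the VNet address space and the flows are constructed; only the Azure load balancer probe address (168.63.129.16) and the default rule names and priorities are real Azure values. Stateful return traffic is not modeled.

```python
"""Simplified NSG inbound rule evaluation. Added illustrative model:
rule set, VNet range and flows are constructed; default rule names,
priorities and the load balancer probe IP match Azure's documentation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for custom rules, 65000+ for defaults
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "*", or a service tag handled below
    dest_port: str     # "22", "80-443" or "*"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_port: int


VNET_PREFIXES = [ip_network("10.0.0.0/16")]       # constructed VNet address space
AZURE_LB_PROBE = ip_network("168.63.129.16/32")  # documented Azure LB probe source

# Built-in default inbound rules (cannot be deleted, only overridden by
# custom rules with a lower priority number).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

# Constructed custom rules: public HTTPS, SSH only from an admin range.
CUSTOM_RULES = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "*", "443"),
    Rule("AllowSshFromAdminRange", 110, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
]


def source_matches(rule_source, src_ip):
    """Match "*", the two service tags modeled here, or a CIDR prefix."""
    ip = ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return any(ip in net for net in VNET_PREFIXES)
    if rule_source == "AzureLoadBalancer":
        return ip in AZURE_LB_PROBE
    return ip in ip_network(rule_source, strict=False)


def port_matches(rule_port, port):
    if rule_port == "*":
        return True
    if "-" in rule_port:
        low, high = (int(p) for p in rule_port.split("-"))
        return low <= port <= high
    return port == int(rule_port)


def protocol_matches(rule_proto, proto):
    return rule_proto == "*" or rule_proto.lower() == proto.lower()


def evaluate(flow, custom_rules):
    """Return (access, rule name) of the first matching rule by priority."""
    candidates = sorted(
        (r for r in list(custom_rules) + DEFAULT_INBOUND if r.direction == flow.direction),
        key=lambda r: r.priority)
    for rule in candidates:
        if (protocol_matches(rule.protocol, flow.protocol)
                and source_matches(rule.source, flow.src_ip)
                and port_matches(rule.dest_port, flow.dst_port)):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every inbound flow")


if __name__ == "__main__":
    flows = [
        Flow("Inbound", "Tcp", "198.51.100.7", 443),  # Internet client, HTTPS
        Flow("Inbound", "Tcp", "198.51.100.7", 22),   # Internet client, SSH
        Flow("Inbound", "Tcp", "203.0.113.9", 22),    # admin range, SSH
        Flow("Inbound", "Tcp", "10.0.1.5", 22),       # another VM in the VNet
        Flow("Inbound", "Udp", "198.51.100.7", 443),  # wrong protocol
    ]
    for f in flows:
        print(f"{f.protocol} {f.src_ip} -> :{f.dst_port}: {evaluate(f, CUSTOM_RULES)}")
    # A deny at priority 105 shadows the admin allow at 110.
    shadowed = CUSTOM_RULES + [Rule("DenyAllSsh", 105, "Inbound", "Deny", "Tcp", "*", "22")]
    print("admin SSH with DenyAllSsh at 105:", evaluate(flows[2], shadowed))
```

The fourth flow is the one to notice: SSH from 10.0.1.5 is allowed by the default `AllowVnetInBound` rule even though no custom rule permits it, so lateral movement inside a VNet is open by default unless you add an explicit deny.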

OpEx

This is spending money on services or products now and being billed for them now. You can deduct this expense in the same year you spend it. There is no up front cost, as you pay for a service or product as you use it.

PCI / DSS

Payment Card Industry Data Security Standard (PCI DSS)

PHI

Protected Health Information

RBAC

Role-Based Access Control

RCA

Root Cause Analysis, published by Microsoft after Azure incidents

SIEM

Security Information and Event Management

SMB

Server Message Block

SOAR

Security Orchestration, Automation and Response

SOC

Security Operations Center

SKU

Stock-Keeping Unit (SKU) is a generic inventory term; in Azure it identifies the different shapes (size, tier, edition) a product comes in, for example the Standard_LRS SKU of a storage account.

TCO

Total Cost of Ownership. The Total Cost of Ownership (TCO) Calculator can help you compare the cost of running in the datacenter versus running on Azure.

UDR

User-Defined Routing, allows network admins to control the routing tables between subnets, within a subnet as well as between VNets.

VPN

Virtual Private Network

VXC

Virtual Cross-Connection. Virtual cross connects (VXC) are private, direct connections between a network and a cloud provider, content delivery network, or a carrier through an internet exchange point.

WAF

Web Application Firewall, a feature of Azure Application Gateway (also available with Azure Front Door) that provides your web applications with centralized, inbound protection against common exploits and vulnerabilities such as SQL injection and cross-site scripting, based on the OWASP core rule set.

About

Preparation repo for the AZ-900 "Azure Fundamentals" certification
