Azure basics

In the case of VMs, there is a guest OS that provides isolation at the OS level.

In containers, isolation is done for multiple apps within the SAME OS, if needed, through an abstracted container runtime. Docker is an example.

In the case of serverless, isolation is seen at the "function" level; the OS, containers, or VMs are irrelevant and can run in any fashion that is desired.

Microsoft cloud security certifications are listed here

Link to the Azure fundamentals learning path

West US, Canada Central, West Europe, Australia East, and Japan West

Regions are what you use to identify the location for your resources, but there are two other terms you should also be aware of: geographies and availability zones.

One or more Geographies
   One or more regions
       One or more Availability Zones

Each Availability Zone is made up of one or more datacenters equipped with independent power, cooling, and networking. It is set up to be an isolation boundary. If one zone goes down, the other continues working. Availability Zones are connected through high-speed, private fiber-optic networks.

Availability zones are documented here

You can pin your resources to a zone

Or have Azure automatically replicate

One or more Geographies
   One or more regions (paired when needed)
       One or more Availability Zones
          One or more data centers (connected through fiber optics)

For example, the SLA for the Azure Cosmos DB (Database) service offers 99.999 percent uptime, which includes low-latency commitments of less than 10 milliseconds on DB read operations as well as on DB write operations.

6 minutes of downtime a year

10 ms for reads and writes

When designing your architecture you need to design for resiliency, and you should perform a Failure Mode Analysis (FMA). The goal of an FMA is to identify possible points of failure and to define how the application will respond to those failures.

Regions that support Availability Zones include Central US, North Europe, and SouthEast Asia.

Access control and billing occur at the subscription level, not the account level.

One bill is generated for every Azure subscription on a monthly basis.

The payment is charged automatically to the associated account.

The line item would say MSFT Azure.

Subscriptions are billed independently, but the account owner is responsible for payment.

In the case of "Pay-as-you-go" subscriptions, the account credit card will be charged for all associated subscriptions.

You can analyze your bill in the Azure portal - this will provide access to all your invoices, as well as a cost analysis breakdown of what got charged each month.

Azure Active Directory is different from Windows Active Directory.

It is based on web authentication standards: OpenID and OAuth.

A tenant is a dedicated, isolated instance of the Azure Active Directory service, owned and managed by an organization.

Tenants can be owned by individuals, teams, companies, or any other group of people. Tenants are commonly associated with companies.

If you sign up for Azure with an email address that's not associated with an existing tenant, the sign-up process will walk you through creating a tenant, owned entirely by you.

Azure AD tenants and subscriptions have a many-to-one trust relationship: A tenant can be associated with multiple Azure subscriptions, but every subscription is associated with only one tenant.

This structure allows organizations to manage multiple subscriptions and set security rules across all the resources contained within them.

Azure support is documented here

Azure PowerShell

Azure CLI

Azure Cloud Shell

You can customize and name these dashboards

Links to Previews of Azure can be found here

New ones can be created

Drag and drop

JSON format

Shared and unshared

Need to understand Resource groups and locations

For example, if five containers are running on a server with a specific Linux kernel, all five containers and the apps within them share that same Linux kernel.

Azure App Service is a platform-as-a-service (PaaS) offering in Azure that is designed to host enterprise-grade web-oriented applications. You can meet rigorous performance, scalability, security, and compliance requirements while using a fully managed platform to perform infrastructure maintenance.

Virtual machines

Azure App Service

Serverless computing

How does the compute option Azure Batch work?

Fault domains

Update domains

Availability sets

Virtual Machine Scale Sets

Azure Batch

A fault domain represents a rack where the hardware and software reside that need to be upgraded or rebooted together, or that fail at the same time, because of shared dependencies.

For high availability, you need to place your VMs in different fault domains so they survive either planned or unplanned outages.

VMs can be further classified into update domains, groups of VMs that can be recycled simultaneously. This is a logical concept.

So unrelated VMs that don't depend on each other can be restarted at the same time even though they are on different racks.

An availability set is where machines for the same job are placed across multiple racks to provide redundancy.

This is a different need from scalability needs such as load balancing, which are handled through scale sets. Scale sets can be dynamic (unlike in enterprise data centers, where machines are added manually with a certain amount of downtime).

Secure and isolated

Can run on the same VM host

ACI - Azure Container Instances. One way to manage containers.

AKS - Azure Kubernetes Service, Kubernetes on Azure. Another way to manage containers.

Web Apps

API Apps

WebJobs

Mobile Apps

Azure Functions

Azure Logic Apps

Durable Functions

Azure Logic App workflows

Workflows

Built through the portal or Visual Studio

Persisted as JSON

200 different connectors

Custom connectors

Runs only in the cloud

Wow, Azure is maturing fast. The site is well organized. The superiority and consistency of their web development tools seem to give an edge to the sophistication of the Azure platform.

Compute options are compelling even now. There are the usual VMs, load balanced and such.

Then there are containers managed through Kubernetes to run any type of workload, giving it a PaaS-like capability rivaling OpenShift.

Then there is the PaaS that is specifically tailored for "web server" based sites, APIs, or post-processing, called "API apps".

Then there are serverless functions, like Lambda functions, for massively scaling mobile backends.

Then there is the workflow specialization of serverless functions called Logic Apps, which has over 200 connectors that can be composed right out of the portal, with custom connectors provisioned.

These offerings will mature further in the next year or so.

Add to this the serverless options for processing big data with Spark and such.

The opportunity now, be it AWS or Azure, is how to significantly and practically impact small and large IT so they get a tangible, touch-and-feel transformation into a seasoned organization that is efficient, meaningful, seriously innovative, and a great place to work for communities.

Data storage options for Azure are documented here

Azure Cosmos DB

Cosmos DB is a globally distributed NoSQL database.

Azure Blob Storage is unstructured, meaning that there are no restrictions on the kinds of data it can hold. Blobs are highly scalable and apps work with blobs in much the same way as they would work with files on a disk, such as reading and writing data. Blob Storage can manage thousands of simultaneous uploads, massive amounts of video data, constantly growing log files, and can be reached from anywhere with an internet connection.

Blobs aren't limited to common file formats. A blob could contain gigabytes of binary data streamed from a scientific instrument, an encrypted message for another application, or data in a custom format for an app you're developing.

Azure Blob storage lets you stream large video or audio files directly to the user's browser from anywhere in the world. Blob storage is also used to store data for backup, disaster recovery, and archiving. It has the ability to store up to 8 TB of data for virtual machines. The following illustration shows an example usage of Azure blob storage.

What is the difference between Azure Data lake storage and Blob storage?

SQL Server - you know what this is!

Cosmos DB - Azure Cosmos DB is Microsoft's globally distributed, multi-model database service. With a click of a button, Cosmos DB enables you to elastically and independently scale throughput and storage across any number of Azure regions worldwide. You can elastically scale throughput and storage, and take advantage of fast, single-digit-millisecond data access using your favorite API including SQL, MongoDB, Cassandra, Tables, or Gremlin. Cosmos DB provides comprehensive service level agreements (SLAs) for throughput, latency, availability, and consistency guarantees, something no other database service offers.

Blob Storage - Supposedly equivalent to S3 providing input to Big data analytics engines. It is their unstructured storage. Falls under file storage.

Azure Data lake storage - combines the scalability and cost benefits of object storage with the reliability and performance of the Big Data file system capabilities. I wonder if this is equivalent to S3 instead?

Azure Files - An SMB compatible mountable file system in the cloud.

Azure Queues - Azure Queue storage is a service for storing large numbers of messages that can be accessed from anywhere in the world.

Disk Storage - local disks for VMs

Hot Storage tier - to access frequently

Cool storage tier - 30 days

Archive storage tier - older data

Virtual networks can be segmented into one or more subnets. Subnets help you organize and secure your resources in discrete sections. The web, application, and data tiers each have a single VM. All three VMs are in the same virtual network but are in separate subnets.

Users interact with the web tier directly, so that VM has a public IP address along with a private IP address. Users don't interact with the application or data tiers, so these VMs each have a private IP address only.

You can also keep your service or data tiers in your on-premises network, placing your web tier into the cloud, but keeping tight control over other aspects of your application. A VPN gateway (or virtual network gateway), enables this scenario. It can provide a secure connection between an Azure Virtual Network and an on-premises location over the internet.

A network security group, or NSG, allows or denies inbound network traffic to your Azure resource or resources.

Think of a network security group as a cloud-level firewall for your network. Each VM above has its own security group (perhaps)

You can configure a network security group to accept traffic only from known sources, such as IP addresses that you trust.

Port 22 enables you to connect directly to Linux systems over SSH. Here we show port 22 open for learning purposes. In practice, you might configure VPN access to your virtual network to increase security.

Azure Network Security Group

Cookie affinity. Useful when you want to keep a user session on the same backend server.

SSL termination. Application Gateway can manage your SSL certificates and pass unencrypted traffic to the backend servers to avoid encryption/decryption overhead. It also supports full end-to-end encryption for applications that require that.

Web application firewall. Application gateway supports a sophisticated firewall (WAF) with detailed monitoring and logging to detect malicious attacks against your network infrastructure.

URL rule-based routes. Application Gateway allows you to route traffic based on URL patterns, source IP address and port to destination IP address and port. This is helpful when setting up a content delivery network.

Rewrite HTTP headers. You can add or remove information from the inbound and outbound HTTP headers of each request to enable important security scenarios, or scrub sensitive information such as server names.

Azure Traffic Manager to control distributed latency

Azure Event Hubs for ingesting telemetry data from drones and trucks, as well as a web app with an Azure Cosmos DB back end and its mobile apps, are all examples of PaaS.

Azure Event Hubs

Something you know: password

Something you possess: a text received from a phone that you own

Something you are: fingerprint, face scan

Using MFA increases security of your identity by limiting the impact of credential exposure. An attacker who has a user's password would also need to have possession of their phone or their face in order to fully authenticate. Authentication with only a single factor verified is insufficient, and the attacker would be unable to use those credentials to authenticate. The benefits this brings to security are huge, and we can't emphasize enough the importance of enabling MFA wherever possible.

On Managed identities for Azure services

You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

Service - your code or client that wants access to a resource (it is called a principal in the AD directory, just like any other user one may define).

Resource - A database, or a file that you want access to

A good article on

However, apps sometimes need access to resources within other AAD tenants, and in each of those other tenants the app needs a different service principal.

First of all, I am not an expert. So faults are par for the course below.

What is AD? Active Directory. It is a collection of identities, an identity provider in security speak. You can see it as a "user" collection: user IDs and their passwords. Now a user can get authenticated against this data and get access to such things as file systems, databases, websites, etc. So you log in once and get access to a number of resources, as long as they give permission to this user, either directly or via a role. So you don't have to have a password for each of the resources. So SSO!!! I suppose.

Now, when the entity that is trying to get access to a resource like a database is an application and NOT A USER, what do you do? Well, you register that application in AD like any other user, and perhaps give it a password, so that when the application wants to gain access to resources it can use that password to get a token and pass it around to get access to the authorized resources. This authorization is an additional step that the owner of that resource has to approve, mainly via a role, because a "role" can be flexible and catch future users.

When the service is one offered by Azure, like "serverless functions", a "VM" or a "web app", this registration process can be automated so that the application automatically registers as an entity in AD. This is what a Managed Service Identity is.

Then, of course, that MSI must be given access to the resources it wants to access by the owner of that resource. Or an admin can assign this MSI to a role which already has access to those resources.

Azure Disk Encryption is a capability that helps you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption leverages the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets (and you can use managed service identities for accessing Key Vault).

BitLocker

dm-crypt

Azure Key Vault

Centralized application secrets. Centralizing storage for application secrets allows you to control their distribution, and reduces the chances that secrets may be accidentally leaked.

Securely stored secrets and keys. Azure uses industry-standard algorithms, key lengths, and HSMs, and access requires proper authentication and authorization.

Monitor access and use. Using Key Vault, you can monitor and control access to company secrets.

Simplified administration of application secrets. Key Vault makes it easier to enroll and renew certificates from public Certificate Authorities (CAs). You can also scale up and replicate content within regions, and use standard certificate management tools.

Integrate with other Azure services. You can integrate Key Vault with storage accounts, container registries, event hubs and many more Azure services.

For communication between virtual machines, Network Security Groups (NSGs) are a critical piece to restrict unnecessary communication.

Network Security Groups allow you to filter network traffic to and from Azure resources in an Azure virtual network. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol. They provide a list of allowed and denied communication to and from network interfaces and subnets, and are fully customizable.
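As an added example (not from the original notes), this small simulator shows how NSG inbound rules are evaluated for the two cases the notes describe: SSH (port 22) open to the world "for learning purposes", and SSH restricted to a trusted source range. It assumes Azure's behaviour of matching rules in ascending priority order with the first match winning and the default DenyAllInBound rule at priority 65500; the rule names, the trusted range 203.0.113.0/24 and the probe addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first (100-4096 for custom rules)
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR prefix or "*" (service tags are not modelled here)
    dest_port: str  # single port, "low-high" range, or "*"


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-"))
        return low <= port <= high
    return int(spec) == port


def _source_matches(spec: str, src_ip: str) -> bool:
    return spec == "*" or ip_address(src_ip) in ip_network(spec, strict=False)


def evaluate_inbound(rules, src_ip, dest_port, protocol="Tcp"):
    """Return (access, rule_name) of the first rule that matches the flow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not _source_matches(rule.source, src_ip):
            continue
        if not _port_matches(rule.dest_port, dest_port):
            continue
        return rule.access, rule.name
    return "Deny", "ImplicitDeny"  # not reached once DenyAllInBound is present


# Azure's built-in catch-all default rule (priority 65500).
DEFAULT_DENY = Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*")

# Constructed: the "learning purposes" NSG from the notes, SSH open to any source.
OPEN_SSH = [Rule("AllowSSH", 300, "Allow", "Tcp", "*", "22"), DEFAULT_DENY]

# Constructed: hardened variant, SSH only from a trusted range (203.0.113.0/24).
TRUSTED_SSH = [
    Rule("AllowSSHFromTrusted", 300, "Allow", "Tcp", "203.0.113.0/24", "22"),
    DEFAULT_DENY,
]


def audit_world_open(rules, ports=(22, 3389)):
    """Management ports reachable from an arbitrary internet address (constructed probe IP)."""
    return [p for p in ports if evaluate_inbound(rules, "198.51.100.7", p)[0] == "Allow"]


if __name__ == "__main__":
    print(evaluate_inbound(OPEN_SSH, "198.51.100.7", 22))     # ('Allow', 'AllowSSH')
    print(evaluate_inbound(TRUSTED_SSH, "198.51.100.7", 22))  # ('Deny', 'DenyAllInBound')
    print(evaluate_inbound(TRUSTED_SSH, "203.0.113.9", 22))   # ('Allow', 'AllowSSHFromTrusted')
    print(audit_world_open(OPEN_SSH), audit_world_open(TRUSTED_SSH))  # [22] []
```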

Azure ExpressRoute

It is used to set up a VPN for on-premises to cloud communication.

One can think of these as "asserts" that must be true for infrastructure, services, resources etc.

These can be assigned at a number of granular levels. This is called policy assignment.

You can assign any of these policies through the Azure portal, PowerShell, or Azure CLI

A "policy initiative" is a collection of policies grouped together.

Individual subscriptions are grouped into Management Groups for easier management at scale.
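To make the "asserts" view of Azure Policy concrete, here is an added example (not from the original notes) that evaluates policy definitions written in the shape of the policyRule JSON (an "if" condition and a "then" effect), grouped into an initiative, against resource records. The two policies and the sample resources are constructed for illustration and are not Microsoft's built-in definitions; only the field/equals/notEquals/in/notIn/exists conditions and allOf/anyOf/not combinators are modelled.

```python
def _field(resource: dict, name: str):
    """Resolve a policy field: tags are addressed as tags['key'], the rest are top-level."""
    if name.startswith("tags['") and name.endswith("']"):
        return resource.get("tags", {}).get(name[6:-2])
    return resource.get(name)


def matches(cond: dict, resource: dict) -> bool:
    """True when the policy 'if' condition fires for the resource."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = _field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    if "exists" in cond:
        return (value is not None) == cond["exists"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_initiative(initiative: list, resource: dict) -> list:
    """Return (policy name, effect) for every policy in the initiative that fires."""
    return [(p["name"], p["policyRule"]["then"]["effect"])
            for p in initiative if matches(p["policyRule"]["if"], resource)]


# Constructed initiative: two common organizational "asserts".
INITIATIVE = [
    {"name": "allowed-locations",
     "policyRule": {"if": {"field": "location", "notIn": ["westus", "canadacentral"]},
                    "then": {"effect": "deny"}}},
    {"name": "require-owner-tag",
     "policyRule": {"if": {"allOf": [
                        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                        {"field": "tags['owner']", "exists": False}]},
                    "then": {"effect": "audit"}}},
]

# Constructed resource records, as a deployment request would present them.
COMPLIANT_VM = {"type": "Microsoft.Compute/virtualMachines", "location": "westus",
                "tags": {"owner": "dba-team"}}
STRAY_VM = {"type": "Microsoft.Compute/virtualMachines", "location": "japanwest",
            "tags": {}}

if __name__ == "__main__":
    print(evaluate_initiative(INITIATIVE, COMPLIANT_VM))  # []
    print(evaluate_initiative(INITIATIVE, STRAY_VM))
    # [('allowed-locations', 'deny'), ('require-owner-tag', 'audit')]
```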

Another scenario where you would use management groups is to provide user access to multi subscriptions. By moving many subscriptions under that management group, you can create one role-based access control (RBAC) assignment on the management group, which will inherit that access to all the subscriptions. One assignment on the management group can enable users to have access to everything they need instead of scripting RBAC rules over different subscriptions.

Azure Blueprints

Azure Resource Manager Templates

Microsoft Compliance Manager

Microsoft Privacy Statement

Microsoft Trust Center

Service Trust Portal

Azure Service Health

Azure Monitor

Azure Status

Use resource groups to organize Azure resources

Use tags to organize resources

Apply policies to enforce standards in your Azure environments

Use resource locks to protect critical Azure resources from accidental deletion

Azure portal

Azure PowerShell

Azure CLI

Azure SDKs (like .NET, Java)

Resource groups exist to manage resources in a uniform way:

To apply policies uniformly

To provide or deny access uniformly

etc.: a group operation

Resource groups are explained here

Microsoft Virtual Network (Resource) is documented here

When creating resources, you usually have the option to create a new resource group as an alternative to using an existing resource group. This simplifies the process a bit, but as you see in your new organization, can lead to resources spread across resource groups with little thought as to how to organize them.

Since resource groups are a scope of RBAC, you can organize resources by who needs to administer them. If your database administration team is responsible for managing all of your Azure SQL Database instances, putting them in the same resource group would simplify administration. You could give them the proper permissions at the resource group level to administer the databases within the resource group. Similarly, the database administration team could be denied access to the resource group with virtual networks, so they don't inadvertently make changes to resources outside the scope of their responsibility.

You can reach this by:
  choosing the resource group
    on the left blade (pane) you will see Access Control
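Both the management-group passage above (one RBAC assignment inherited by every subscription beneath it) and the resource-group passage (the DBA team scoped to the database resource group only) describe RBAC scope inheritance. Here is an added example (not from the original notes) that models it: the hierarchy, principal names and subscription IDs are constructed, the scope ID formats mirror Azure resource IDs, and "Reader" and "SQL DB Contributor" are built-in role names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    principal: str  # user or group, e.g. "dba-team"
    role: str       # built-in or custom role name
    scope: str      # the scope ID the assignment was created on


def scope_chain(resource_id: str, parents: dict) -> list:
    """Walk from a resource up to the root management group.
    `parents` maps each scope to its container (constructed here; in Azure the
    subscription -> management group link is set by moving the subscription)."""
    chain = [resource_id]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain


def effective_roles(principal: str, resource_id: str, assignments, parents) -> list:
    """Roles a principal holds on a resource: the union of assignments made on the
    resource itself and on every ancestor scope (role assignments are additive)."""
    chain = scope_chain(resource_id, parents)
    return sorted({a.role for a in assignments
                   if a.principal == principal and a.scope in chain})


# Constructed hierarchy: one management group, two subscriptions.
MG = "/providers/Microsoft.Management/managementGroups/corp-prod"
SUB_A = "/subscriptions/sub-a-placeholder"
SUB_B = "/subscriptions/sub-b-placeholder"
RG_DB = SUB_A + "/resourceGroups/rg-databases"
RG_NET = SUB_A + "/resourceGroups/rg-network"
RG_DB_B = SUB_B + "/resourceGroups/rg-databases"
SQL1 = RG_DB + "/providers/Microsoft.Sql/servers/sql1"
VNET1 = RG_NET + "/providers/Microsoft.Network/virtualNetworks/vnet1"
SQL_B = RG_DB_B + "/providers/Microsoft.Sql/servers/sqlb"

PARENTS = {SUB_A: MG, SUB_B: MG, RG_DB: SUB_A, RG_NET: SUB_A, RG_DB_B: SUB_B,
           SQL1: RG_DB, VNET1: RG_NET, SQL_B: RG_DB_B}

ASSIGNMENTS = [
    # One assignment at the management group reaches both subscriptions.
    Assignment("security-auditors", "Reader", MG),
    # The DBA team administers only the database resource group in sub-a.
    Assignment("dba-team", "SQL DB Contributor", RG_DB),
]

if __name__ == "__main__":
    print(effective_roles("security-auditors", SQL_B, ASSIGNMENTS, PARENTS))  # ['Reader']
    print(effective_roles("dba-team", SQL1, ASSIGNMENTS, PARENTS))   # ['SQL DB Contributor']
    print(effective_roles("dba-team", VNET1, ASSIGNMENTS, PARENTS))  # []
```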

Enterprise - Annual licenses for enterprises

Web Direct - Monthly billing for individuals and small companies

CSP - Cloud Solution Provider, partner companies that sublet Azure

If a resource is like a home, a meter is like the water or electricity meter. The same goes for memory, disk, network, etc.

De-allocating is different from deleting a VM

Azure marketplace may have billable services from other providers

Zones are a billing classification for a collection of geographical regions.

The first 5 GB/month of outbound data is free.

Inbound data is usually free

What are azure tiers?

Pricing calculator is pretty nice. It is here

Almost 100 dollars a month!!!

Access it on the public web

Choose the services that your solution needs (VMs, databases, gateways, networks, etc.) [Products tab, the first tab]

How many of each you need is set in the "Estimate" tab.

The "Samples" tab is nice, as it lays out useful configurations you may be using in Azure.

The "Estimate" tab then lists each service linearly, allows you to select sub-options for each service, and gives a tally at the end.

Nicely done.

Azure Advisor - Set of recommendations on how each service should be used for best utility (reduce costs, right size it, utility)

Azure Cost Management - See where the money is going (VM, Disk, Network etc)

Cloudyn - Tracks cloud usage including Google, Amazon

Azure TCO (Total Cost of Ownership) calculator is here

It projects total costs by taking into account purchase costs for on-premises and for cloud, including personnel and maintenance costs.

Notice the "datacenter" slice.

Go for reserved instances for 1 to 3 years for production web sites that need 24x7 availability.

Perhaps play with locations

Rightsize the VM based on Azure advisor and seeing how busy it is. Resizing a VM requires it to be stopped, resized, and then restarted. This may take a few minutes depending on how significant the size change is. Plan for an outage, or shift your traffic to another instance while you perform this task.

Consider whether going to Azure SQL Server will be any cheaper.

Move from dedicated VMs to a container-based PaaS solution.

Microsoft discusses licensing costs for key services here

Various pricing details are documented here

Sorry here is that link

How to convert a VM to an RI - Reserved instance

Windows virtual machine pricing is better elaborated here

Older generation VMs are documented here

I have one of these in my resource group. I don't see this in reservations as a VM option. It looks like I have to migrate to the new VM. I need to figure out how that happens.

Here are some struggles and hopefully answers on how to migrate an older VM to a reservable VM