DEV Community: Sudha Chandran B C

Azure Hands-on: Create Virtual Machine Scale Set and Install App

Sudha Chandran B C — Tue, 25 Aug 2020 04:30:53 +0000

In Azure, A virtual machine scale set allows to deploy and manage a set of auto-scaling virtual machines. We can scale the number of VMs in the scale set manually, or define rules to auto-scale based on resource usage like CPU, memory demand, or network traffic. An Azure load balancer then distributes traffic to the VM instances in the scale set.

Let’s create VM Scale set as below.

Step 1: Create VM Scale Set

1.Let’s add basic information like

Resource group “gl_project_rg”
VMSS name “glProjectVMSS”
Region “Central US”
Availability Zone “Zone 3”
Image “Windows Server 2016-Datacenter – Gen 1”
Size “Standard_DS1_V2 – 1 vcpu, 3.5 GiB memory”
Credentials

Create Load Balancers with backend pool.

Auto Scale setup to have one instance max and min. And Scale out rule to increase instance count by 1 when CPU threshold is greater than 80%. And Scale in to decrease instance count by 1 when CPU threshold is less than 30%.

Final Review page.

After clicking on Create, deployment will start.

Deployment complete:

VMSS will have one instance created: “glProjectVMSS_1”

Scaling rules created as below:

Operating System information.

Following inbound rules created by default.

Load Balancer created.

Step 2: Modify Network configuration.

We need to allow incoming traffic through port 80. So will create a new inbound rule “port_80”

Also we need to allow port 3389 to connect to virtual machine through RDP.

Step 3: Setup IIS and run default website.

Let’s connect to our VM through RDP through load balancers public ip address.

Go to instance glProjectVMSS_2 and click on connect through RDP. Download RDP file.

The RDP file downloaded asks for username and password.

Asks for certificate validation. Click on continue.

On connecting successfully, it will open Windows Server app automatically.

Next, Open the PowerShell app in the remote VM and add the following command to install IIS.

Install-WindowsFeature -name Web-Server -IncludeManagementTools

Installed successfully.

Next try to access Load balancers public IP address.

Now we are able to access IIS home page successfully through Load Balancer’s IP.

Finally we have created Virtual Machine Scale Set, Load Balancers, Scale rules.
Then we connected to Instance with RDP using Load Balancer's IP address.
Lastly we installed IIS and setup a default web server and accessed it from Load Balancer's IP address.

Thank you for Reading! 😊

AZ-900 Notes: Azure Policy and Monitoring.

Sudha Chandran B C — Fri, 07 Aug 2020 23:20:11 +0000

Azure Policy

Planning out a consistent cloud infrastructure starts with setting up policy. Your policies will enforce your rules for created resources, so your infrastructure stays compliant with your corporate standards, cost requirements, and any service-level agreements (SLAs) you have with your customers.

Azure Policy is an Azure service you use to create, assign and, manage policies. These policies enforce different rules and effects over your resources so that those resources stay compliant with your corporate standards and service level agreements.

To apply a policy, you will:

Create a policy definition:
Assign a definition to a scope of resources
View policy evaluation results

Policy Definition

A policy definition expresses what to evaluate and what action to take.
common policy definition can apply to Allowed Storage Account SKUs, Allowed Resource Type, Allowed Locations, Allowed Virtual Machine SKUs
The policy definition itself is represented as a JSON file.
To apply a policy, we can use the Azure portal, or one of the command-line tools such as Azure PowerShell by adding the Microsoft.PolicyInsights extension.
Once we have registered the provider, we can create a policy assignment.
A policy assignment is a policy definition that has been assigned to take place within a specific scope.
We can use the applied policy definition to identify resources that aren't compliant with the policy assignment through the Azure portal
Azure Policy can allow a resource to be created even if it doesn't pass validation. In these cases, you can have it trigger an audit event that can be viewed in the Azure Policy portal, or through command-line tools.
Finally, you can delete policy requirements through the portal, or through the PowerShell command Remove-AzPolicyAssignment as shown below.

Organize policy with initiatives

Managing a few policy definitions is easy, but once you have more than a few, you will want to organize them. That's where initiatives come in.
An initiative definition is a set or group of policy definitions to help track your compliance state for a larger goal.
an initiative assignment is an initiative definition assigned to a specific scope. Initiative assignments reduce the need to make several initiative definitions for each scope.

Manage access, policies, and compliance across multiple Azure subscriptions

Azure Management Groups are containers for managing access, policies, and compliance across multiple Azure subscriptions.
Management groups allow you to order your Azure resources hierarchically into collections, which provide a further level of classification that is above the level of subscriptions.
You can manage your Azure subscriptions more effectively by using Azure Policy and Azure role-based access controls (RBACs).

Root Management Group

Create your first management group by entering a management group ID and display name.
A root management group is created in the Azure Active Directory (Azure AD) organization. By default, the root management group's display name is Tenant root group. The ID is the Azure AD ID.
After this group is created, all existing subscriptions in the Azure AD organization are made children of the root management group.
Create additional management groups by selecting Add management group.

Important facts about management groups

Any Azure AD user in the organization can create a management group. The creator is given an Owner role assignment.
A single Azure AD organization can support 10,000 management groups.
A management group tree can support up to six levels of depth not including the Root level or subscription level.
Each management group can have many children.
When your organization creates subscriptions, they are automatically added to the root management group.

Azure Blueprints

For auditing, traceability, and compliance of your deployments, use Azure Blueprint artifacts and tools.
Just as a blueprint allows an engineer or an architect to sketch a project's design parameters, Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements.

Azure Blueprints is a declarative way to orchestrate the deployment of various resource templates and other artifacts, such as:

Role assignments
Policy assignments
Azure Resource Manager templates
Resource groups

The process of implementing Azure Blueprint consists of the following high-level steps:

Create an Azure Blueprint
Assign the blueprint
Track the blueprint assignments

With Azure Blueprint, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved deployment tracking and auditing.

The Azure Blueprints service is designed to help with environment setup. This setup often consists of a set of resource groups, policies, role assignments, and Resource Manager template deployments. A blueprint is a package to bring each of these artifact types together and allow you to compose and version that package—including through a CI/CD pipeline. Ultimately, each setup is assigned to a subscription in a single operation that can be audited and tracked.

Resource Manager template is a document that doesn't exist natively in Azure. Resource Manager templates are stored either locally or in source control.

Compliance Manager

You also have to understand how the provider manages the underlying resources you are building on.
Microsoft takes this management seriously and provides full transparency with four sources:

Microsoft Privacy Statement
Microsoft Trust Center
Service Trust Portal
Compliance Manager

Microsoft Privacy Statement
The Microsoft privacy statement explains what personal data Microsoft processes, how Microsoft processes it, and for what purposes.

Microsoft Trust Center
Trust Center is a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services.
It Provides:

In-depth information about security, privacy, compliance offerings, policies, features, and practices across Microsoft cloud products.
Recommended resources
Information specific to key organizational roles, including business managers, tenant admins or data security teams, risk assessment and privacy officers, and legal compliance teams.
Cross-company document search
Direct guidance and support

Service Trust Portal
The Service Trust Portal (STP) hosts the Compliance Manager service, and is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft's cloud services.

STP also includes information about how Microsoft online services can help your organization maintain and track compliance with standards, laws, and regulations, such as:

ISO
SOC
NIST
FedRAMP
GDPR

Compliance Manager

Compliance Manager is a workflow-based risk assessment dashboard within the Service Trust Portal that enables you to track, assign, and verify your organization's regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure.

Compliance Manager provides the following features:
Combines the following three items:

Detailed information provided by Microsoft to auditors and regulators, as part of various third-party audits of Microsoft 's cloud services against various standards (for example, ISO 27001, ISO 27018, and NIST).
Information that Microsoft compiles internally for its compliance with regulations (such as HIPAA and the EU GDPR).
An organization's self-assessment of their own compliance with these standards and regulations.

Enables you to assign, track, and record compliance and assessment-related activities, which can help your organization cross team barriers to achieve your organization's compliance goals.
Provides a Compliance Score to help you track your progress and prioritize auditing controls that will help reduce your organization's exposure to risk.
Provides a secure repository in which to upload and manage evidence and other artifacts related to compliance activities.
Produces richly detailed reports in Microsoft Excel that document the compliance activities performed by Microsoft and your organization, which can be provided to auditors, regulators, and other compliance stakeholders.

Azure Monitor

Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.
Azure Monitor can collect data from a variety of sources.

Application monitoring data
Guest OS monitoring data
Azure resource monitoring data
Azure subscription monitoring data
Azure tenant monitoring data

As soon as you create an Azure subscription and start adding resources such as virtual machines and web apps, Azure Monitor starts collecting data.
Activity Logs record when resources are created or modified and
Metrics tell you how the resource is performing and the resources that it's consuming.

Data monitoring:

Application Insights
Azure Monitor for containers
Azure Monitor for VMs

Alerts. Azure Monitor proactively notifies you of critical conditions using alerts
Autoscale. Azure Monitor uses Autoscale to ensure that you have the right amount of resources running to manage the load on your application effectively. Autoscale enables you to create rules that use metrics collected by Azure Monitor.
Visualizations, such as charts and tables, are effective tools for summarizing monitoring data and for presenting data to different audiences.

Azure Service Health

provide personalized guidance and support when issues with Azure services affect you.
It can notify you, help you understand the impact of issues, and keep you updated as the issue is resolved.

Azure Status provides a global view of the health state of Azure services.
Service Health provides you with a customizable dashboard that tracks the state of your Azure services
Resource Health helps you diagnose and obtain support when an Azure service issue affects your resources.

AZ-900 Notes: Security, responsibility, and trust in Azure

Sudha Chandran B C — Fri, 07 Aug 2020 07:22:47 +0000

In this note you'll understand:

Security responsibility is shared with Azure
Identity management provides protection, even outside your network
Encryption capabilities built into Azure can protect your data
To protect your network and virtual networks

Security is a shared responsibility

Infrastructure as a service (IaaS). With IaaS, you are leveraging the lowest-level service and asking Azure to create virtual machines (VMs) and virtual networks. It's still your responsibility to patch and secure your operating systems and software, as well as configure your network to be secure.

Platform as a service (PaaS) outsources several security concerns. Azure is taking care of the operating system and of most foundational software like database management systems. Everything is updated with the latest security patches and can be integrated with Azure Active Directory for access controls. ou can "point and click" within the Azure portal or run automated scripts to bring complex, secured systems up and down, and scale them as needed.

Software as a service (SaaS), you outsource almost everything.
SaaS is software that runs with an internet infrastructure. The code is controlled by the vendor but configured to be used by the customer.

For all cloud deployment types, you own your data and identities. You are responsible for helping secure your data and identities, your on-premises resources, and the cloud components you control (which vary by service type).

Regardless of the deployment type, you always retain responsibility for the following items:

Data
Endpoints
Accounts
Access management

A layered approach to security

In Defense in depth strategy, Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure.
Microsoft applies a layered approach to security, both in physical data centers and across Azure services.
Defense in depth can be visualized as a set of concentric rings, with the data to be secured at the center.
Each ring adds an additional layer of security around the data. - This approach removes reliance on any single layer of protection and acts to slow down an attack and provide alert telemetry that can be acted upon, either automatically or manually. Let's take a look at each of the layers.

Data

In almost all cases, attackers are after data:

Stored in a database
Stored on disk inside virtual machines
Stored on a SaaS application such as Office 365
Stored in cloud storage

It's the responsibility of those storing and controlling access to data to ensure that it's properly secured.

Application

Ensure applications are secure and free of vulnerabilities.
Store sensitive application secrets in a secure storage medium.
Make security a design requirement for all application development.

Integrating security into the application development life cycle will help reduce the number of vulnerabilities introduced in code.

Compute

Secure access to virtual machines.
Implement endpoint protection and keep systems patched and current.

Malware, unpatched systems, and improperly secured systems open your environment to attacks. Make sure your compute resources are secure with proper controls in place to minimize security issues.

Networking

Limit communication between resources.
Deny by default.
Restrict inbound internet access and limit outbound, where appropriate.
Implement secure connectivity to on-premises networks.

Limiting the network connectivity across all your resources to allow only what is required.

Perimeter

Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.
Use perimeter firewalls to identify and alert on malicious attacks against your network.

At the network perimeter, it's about protecting from network-based attacks against your resources.

Identity and access

Control access to infrastructure and change control.
Use single sign-on and multi-factor authentication. Audit events and changes.

It is all about ensuring identities are secure, access granted is only what is needed, and changes are logged.

Physical security

Physical building security and controlling access to computing hardware within the data center is the first line of defense.

The intent is to provide physical safeguards against access to assets. These safeguards ensure that other layers can't be bypassed, and loss or theft is handled appropriately.

Azure helps alleviate your security concerns. But security is still a shared responsibility.

Azure Security Center

Security Center is a monitoring service that provides threat protection across all of your services both in Azure, and on-premises. Security Center can:

Provide security recommendations
Monitor security settings
Continuously monitor all your services, and perform automatic security assessments to identify potential vulnerabilities before they can be exploited.
Use machine learning to detect and block malware
Analyze and identify potential inbound attacks, and help to investigate threats and any post-breach activity that might have occurred.
Provide just-in-time access control for ports

Available tiers

Azure Security Center is available in two tiers:

Free. Available as part of your Azure subscription, this tier is limited to assessments and recommendations of Azure resources only.
Standard. This tier provides a full suite of security-related services including continuous monitoring, threat detection, just-in-time access control for ports, and more.

Usage scenarios

Use Security Center for incident response: You can use Security Center during the detect, assess, and diagnose stages
Use Security Center recommendations like security policy, Security Center analysis to enhance security.

Identity and access

Network perimeters, firewalls, and physical access controls used to be the primary protection of any data.

Authentication and authorization

Two fundamental concepts:

Authentication is the process of establishing the identity of a person or service looking to access a resource, It involves the act of challenging a party for legitimate credentials.
Authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they're allowed to access and what they can do with it.

Azure Active Directory

Azure AD is a cloud-based identity service.

Azure AD provides services such as:

Authentication. Providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services.
Single-Sign-On (SSO). A single identity is tied to a user, simplifying the security model.
Application management. You can manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the
Business to business (B2B) identity services. Manage your guest users and external partners while maintaining control over your own corporate data.
Business-to-Customer (B2C) identity services. Customize and control how users sign up, sign in, and manage their profiles when using your apps with services.
Device Management. Manage how your cloud or on-premises devices access your corporate data.

Single sign-on

SSO enables users to remember only one ID and one password to access multiple applications.

Access across applications is granted to a single identity tied to a user, simplifying the security model.
By leveraging Azure AD for SSO you'll also have the ability to combine multiple data sources into an intelligent security graph. This security graph enables the ability to provide threat analysis and real-time identity protection to all accounts in Azure AD.

Multi-factor authentication

Multi-factor authentication (MFA) provides additional security for your identities by requiring two or more elements for full authentication.

Something you know would be a password or the answer to a security question.
Something you possess could be a mobile app that receives a notification or a token-generating device.
Something you are is typically some sort of biometric property, such as a fingerprint or face scan used on many mobile devices.

Providing identities to services

Service principals:
An identity is just a thing that can be authenticated.
A principal is an identity acting with certain roles or claims.
A service principal is an identity that is used by a service or application. And like other identities, it can be assigned roles.

Managed identities for Azure services
Managed identities for Azure services are much easier and will do most of the work for you to create Service principles.

Role-based access control

Roles are sets of permissions, like "Read-only" or "Contributor", that users can be granted to access an Azure service instance.

Identities are mapped to roles directly or through group membership
Roles can be granted at the individual service instance level,

Privileged Identity Management

Azure AD Privileged Identity Management (PIM) is an additional, paid-for offering that provides oversight of role assignments, self-service, and just-in-time role activation and Azure AD and Azure resource access reviews.

Identity allows us to maintain a security perimeter, even outside our physical control. With single sign-on and appropriate role-based access configuration, we can always be sure who has the ability to see and manipulate our data and infrastructure.

Encryption

Encryption is the process of making data unreadable and unusable to unauthorized viewers. To use or read the encrypted data, it must be decrypted, which requires the use of a secret key.
There are two top-level types of encryption: symmetric and asymmetric.
Symmetric encryption uses the same key to encrypt and decrypt the data.
Asymmetric encryption uses a public key and private key pair.

Encryption at rest

Data at rest is the data that has been stored on a physical medium. This data could be stored on the disk of a server, data stored in a database, or data stored in a storage account. Regardless of the storage mechanism, encryption of data at rest ensures that the stored data is unreadable without the keys and secrets needed to decrypt it.

Encryption in transit

Data in transit is the data actively moving from one location to another, such as across the internet or through a private network. Secure transfer can be handled by several different layers. It could be done by encrypting the data at the application layer prior to sending it over a network. HTTPS is an example of application layer in transit encryption.

Encryption on Azure

Encrypt raw storage

Azure Storage Service Encryption

With this feature, the Azure storage platform automatically encrypts your data before persisting it to Azure Managed Disks, Azure Blob storage, Azure Files, or Azure Queue storage, and decrypts the data before retrieval.
The handling of encryption, encryption at rest, decryption, and key management in Storage Service Encryption is transparent to applications using the services.

Encrypt virtual machine disks
Azure Disk Encryption is a capability that helps you encrypt your Windows and Linux IaaS virtual machine disks.
The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets (and you can use managed service identities for accessing Key Vault).

Encrypt databases
Transparent data encryption (TDE) helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity.

Encrypt secrets
In Azure, we can use Azure Key Vault to protect our secrets.
Azure Key Vault is a centralized cloud service for storing your application secrets.

It is useful for a variety of scenarios:

Secrets management.
Key management.
Certificate management.
Store secrets backed by hardware security modules (HSMs).

Benefits:

Centralized application secrets.
Securely stored secrets and keys.
Monitor access and use.
Simplified administration of application secrets.
Integrate with other Azure services. You can integrate Key Vault with storage accounts, container registries, event hubs, and many more Azure services.

Azure certificates

Transport Layer Security (TLS) is the basis for encryption of website data in transit. TLS uses certificates to encrypt and decrypt data.

Types of certificates

Service certificates are used for cloud services
Management certificates are used for authenticating with the management API

Service certificates

Service certificates are attached to cloud services and enable secure communication to and from the service.
You can upload service certificates to Azure either using the Azure portal or by using the classic deployment model.
Service certificates are associated with a specific cloud service.
They are assigned to a deployment in the service definition file.

Management certificates

Management certificates allow you to authenticate with the classic deployment model.
Many programs and tools (such as - Visual Studio or the Azure SDK) use these certificates to automate configuration and deployment of various Azure services.
However, these types of certificates are not related to cloud services.

Using Azure Key Vault with certificates

You can store your certificates in Azure Key Vault - much like any other secret.

However, Key Vault provides additional features above and beyond the typical certificate management.

You can create certificates in Key Vault, or import existing certificates
You can securely store and manage certificates without interaction with private key material.
You can create a policy that directs Key Vault to manage the life cycle of a certificate.
You can provide contact information for notification about life-cycle events of expiration and renewal of certificate.
You can automatically renew certificates with selected issuers - Key Vault partner x509 certificate providers / certificate authorities.

Network Security

Securing your network from attacks and unauthorized access is an important part of any architecture.

A layered approach to network security: A layered approach provides multiple levels of protection, so that if an attacker gets through one layer, there are further protections in place to limit further attack.

Internet protection

Azure Security Center will identify internet-facing resources that don't have network security groups associated with them, as well as resources that are not secured behind a firewall.

Firewal

A firewall is a service that grants server access based on the originating IP address of each request.
Firewall rules, generally speaking, also include specific network protocol and port information.

To provide inbound protection at the perimeter, you have several choices.

Azure Firewall is a managed, cloud-based, network security service that protects your Azure Virtual Network resources.
It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
Azure Firewall provides inbound protection for non-HTTP/S protocols.
Examples of non-HTTP/S protocols include: Remote Desktop Protocol (RDP), Secure Shell (SSH), and File Transfer Protocol (FTP). It also provides outbound, network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.
Azure Application Gateway is a load balancer that includes a Web Application Firewall (WAF) that provides protection from common, known vulnerabilities in websites. It is designed to protect HTTP traffic.
Network virtual appliances (NVAs) are ideal options for non-HTTP services or advanced configurations, and are similar to hardware firewall appliances.

Azure DDoS Protection

Distributed Denial of Service (DDoS) attacks: Any resource exposed on the internet is at risk of being attacked by a denial of service attack. These types of attacks attempt to overwhelm a network resource by sending so many requests that the resource becomes slow or unresponsive.
The Azure DDoS Protection service protects your Azure applications by monitoring traffic at the Azure network edge before it can impact your service's availability. Within a few minutes of attack detection, you are notified using Azure Monitor metrics.

Azure DDoS Protection provides the following service tiers:

Basic - The Basic service tier is automatically enabled as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks. Azure's global network is used to distribute and mitigate attack traffic across regions.
Standard - The Standard service tier provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources. DDoS standard protection can mitigate the following types of attacks:
Volumetric attacks. The attackers goal is to flood the network layer with a substantial amount of seemingly legitimate traffic.
Protocol attacks. These attacks render a target inaccessible, by exploiting a weakness in the layer 3 and layer 4 protocol stack.
Resource (application) layer attacks. These attacks target web application packets to disrupt the transmission of data between hosts.

Controlling the traffic

Virtual network security:
Network Security Groups allow you to filter network traffic to and from Azure resources in an Azure virtual network. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol
You can completely remove public internet access to your services by restricting access to service endpoints. With service endpoints, Azure service access can be limited to your virtual network.

Network integration
Virtual private network (VPN) connections are a common way of establishing secure communication channels between networks. Connections between Azure Virtual Network and an on-premises VPN device are a great way to provide secure communication between your network and your VNet on Azure.
ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider.

A layered approach to network security helps reduce your risk of exposure through network-based attacks.

Protect your shared documents

Microsoft Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps organizations classify and optionally protect documents and emails by applying labels.
Labels can be applied automatically based on rules and conditions. Labels can also be applied manually. You can also guide users to choose recommended labels with a combination of automatic and manual steps.

Azure Advanced Threat Protection

Azure Advanced Threat Protection (Azure ATP) is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Azure ATP consists of several components:

Azure ATP portal: In this you can monitor and respond to suspicious activity. The Azure ATP portal allows you to create your Azure ATP instance, and view the data received from Azure ATP sensors. You can also use the portal to monitor, manage, and investigate threats in your network environment.
Azure ATP sensor: Azure ATP sensors are installed directly on your domain controllers. The sensor monitors domain controller traffic without requiring a dedicated server or configuring port mirroring.
Azure ATP cloud service: Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the United States, Europe, and Asia. Azure ATP cloud service is connected to Microsoft's intelligent security graph.

Azure Advanced Threat Protection
Azure ATP is available as part of the Enterprise Mobility + Security E5 suite (EMS E5) and as a standalone license. You can acquire a license directly from the Enterprise Mobility + Security Pricing Options page or through the Cloud Solution Provider (CSP) licensing model. It is not available to purchase via the Azure portal.

Microsoft Security Development Lifecycle (SDL)

The Microsoft Security Development Lifecycle (SDL) introduces security and privacy considerations throughout all phases of the development process. It helps developers build highly secure software, address security compliance requirements, and reduce development costs.

It lets you:

Provide training
Define security requirements
Define metrics and compliance reporting
Perform threat modeling
Establish design requirements
Define and use cryptography standards
Manage security risks from using third-party components
Use approved tools
Perform Static Analysis Security Testing
Perform Dynamic Analysis Security Testing
Perform penetration testing
Establish a standard incident response process

Thank you for Reading 😊

AZ-900 Notes: Azure networking options

Sudha Chandran B C — Fri, 07 Aug 2020 04:53:49 +0000

Running your app or service in the cloud requires a fast and secure network.
Here are Azure networking basics we'll learn in this notes:

Learn how virtual networking helps you isolate network and compute resources
Learn how Azure Load Balancer helps improve resiliency, or the ability to recover when your service goes down
Learn how Traffic Manager can route traffic to different endpoints, including the endpoint with the lowest latency to the user

Using an N-tier architecture

An architectural pattern that can be used to build loosely coupled systems is N-tier.
Tiers help separate concerns and are ideally designed to be reusable.

Example: Three-tier refers to an n-tier application that has three tiers. Your e-commerce web application follows this three-tier architecture:

The web tier provides the web interface to your users through a browser.
The application tier runs business logic.
The data tier includes databases and other storage that hold product information and customer orders.

When the user clicks the button to place the order, the request is sent to the web tier, along with the user's address and payment information. The web tier passes this information to the application tier, which would validate payment information and check inventory. The application tier might then store the order in the data tier, to be picked up later for fulfillment.

Each tier can access services only from a lower tier. The VM running in the web tier has a public IP address because it receives traffic from the internet. The VMs in the lower tiers, the application and data tiers, each have private IP addresses because they don't communicate directly over the internet.

Virtual network

A virtual network is a logically isolated network on Azure
A virtual network allows Azure resources to securely communicate with each other, the internet, and on-premises networks.
A virtual network is scoped to a single region

A VPN gateway (or virtual network gateway) can provide a secure connection between an Azure Virtual Network and an on-premises location over the internet.

Network security group

A network security group, or NSG, allows or denies inbound network traffic to your Azure resources.

Azure Load Balancer

Availability

Availability refers to how long your service is up and running without interruption.
High availability, or highly available, refers to a service that's up and running for a long period of time.
"five nines availability." Five nines availability means that the service is guaranteed to be running 99.999 percent of the time.

Resiliency

Resiliency refers to a system's ability to stay operational during abnormal conditions like Natural disasters, System maintenance, Spikes in traffic to your site.

Load balancer

A load balancer distributes traffic evenly among each system in a pool. A load balancer can help you achieve both high availability and resiliency.
Load balancer to distribute traffic. The load balancer becomes the entry point to the user. The user doesn't know (or need to know) which system the load balancer chooses to receive the request.
Load Balancer supports inbound and outbound scenarios, provides low latency and high throughput, and scales up to millions of flows for all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) applications.
You can use Load Balancer with incoming internet traffic, internal traffic across Azure services, port forwarding for specific traffic, or outbound connectivity for VMs in your virtual network.

Azure Application Gateway

Application Gateway is a load balancer designed for web applications. It uses Azure Load Balancer at the transport level (TCP) and applies sophisticated URL-based routing rules to support several advanced scenarios.
This type of routing is known as application layer (OSI layer 7) load balancing since it understands the structure of the HTTP message.

Benefits of using Azure Application Gateway over a simple load balancer:

Cookie affinity. Useful when you want to keep a user session on the same backend server.
SSL termination. Application Gateway can manage your SSL certificates and pass unencrypted traffic to the backend servers to avoid encryption/decryption overhead. It also supports full end-to-end encryption for applications that require that.
Web application firewall. Application gateway supports a sophisticated firewall (WAF) with detailed monitoring and logging to detect malicious attacks against your network infrastructure.
URL rule-based routes. Application Gateway allows you to route traffic based on URL patterns, source IP address and port to destination IP address and port. This is helpful when setting up a content delivery network.
Rewrite HTTP headers. You can add or remove information from the inbound and outbound HTTP headers of each request to enable important security scenarios, or scrub sensitive information such as server names.

Content Delivery Network

A content delivery network (CDN) is a distributed network of servers that can efficiently deliver web content to users.
It is a way to get content to users in their local region to minimize latency.
CDN can be hosted in Azure or any other location. You can cache content at strategically placed physical nodes across the world and provide better performance to end users.

DNS:

DNS, or Domain Name System, is a way to map user-friendly names to their IP addresses. You can think of DNS as the phonebook of the internet.
You can bring your own DNS server or use Azure DNS, a hosting service for DNS domains that runs on Azure infrastructure.

Azure Traffic Manager

Latency refers to the time it takes for data to travel over the network. Latency is typically measured in milliseconds. One way to reduce latency is to provide exact copies of your service in more than one region.

How can you connect users to the service that's closest geographically, but under the contoso.com domain?
One answer is Azure Traffic Manager. Traffic Manager uses the DNS server that's closest to the user to direct user traffic to a globally distributed endpoint.
You can connect Traffic Manager to your own on-premises networks, enabling you to maintain your existing data center investments. Or you can move your application entirely to the cloud. The choice is yours.

Compare Load Balancer to Traffic Manager

Azure Load Balancer distributes traffic within the same region to make your services more highly available and resilient.
Traffic Manager works at the DNS level, and directs the client to a preferred endpoint. This endpoint can be to the region that's closest to your user.

Load Balancer and Traffic Manager both help make your services more resilient, but in slightly different ways. When Load Balancer detects an unresponsive VM, it directs traffic to other VMs in the pool.
Traffic Manager monitors the health of your endpoints. When Traffic Manager finds an unresponsive endpoint, it directs traffic to the next closest endpoint that is responsive.

You learned just a few ways Azure networking can help reduce latency and make your apps and services more highly available.

Thank you for Reading! 😊

AWS Data Exchange, Subscribe and create Database using Glue

Sudha Chandran B C — Thu, 06 Aug 2020 12:20:13 +0000

Here is how explored on how we can do Covid Data Analysis using AWS cloud services.

Today I'll write about part 1: Data Setup.

Solution overview

The following diagram illustrates the architecture of the solution.

The workflow is comprised of the following steps:

Subscribe to a data set from AWS Data Exchange and export to Amazon S3
Run an AWS Glue crawler to load product data
Perform queries with Amazon Athena
Visualize the queries and tables with Amazon QuickSight
Run an ETL job with AWS Glue
Create a time series forecast with Amazon Forecast
Visualize the forecasted data with Amazon QuickSight

Step 1. AWS Data Exchange: Subscribe

Go to AWS Data Exchange from AWS Console.
Browse the Catalog and Search for Covid. You'll see few data sets are already available.
I have selected "Enigma U.S. & Global COVID-19 Aggregation" which has global data.
Subscribe to it, and after few minutes you'll see it listed under "My Subscriptions".
On selecting it, you'll see Revisions and when it is updated.

Step 2: AWS Data Exchange: Export to S3

You can click on the Revision ID.
Select the data set you want and click on export it to S3.
You will see a new Job created and will be shown as Completed after export is done.

Step 3: Amazon S3: Verify the data

Step 4: AWS Glue

AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics.

Now that you have successfully exported the enigma covid data sets into an Amazon S3 bucket, you create and run an AWS Glue crawler to crawl your Amazon S3 bucket and populate the AWS Glue Data Catalog. Complete the following steps:

On the AWS Glue console, under Data Catalog, choose Crawlers.
Choose Add crawler.
For Crawler name, enter a name; for example, covid-data-exchange-crawler.
For Crawler source type, choose Data stores.
Choose Next.
For Choose a data store, choose S3.
For Crawl data in, select Specified path in my account.
The crawler points to the following path: s3:///.
Choose Next.
In the Choose an IAM role section, select Create an IAM role. This is the role that the AWS Glue crawler and AWS Glue jobs use to access the Amazon S3 bucket and its content.
For IAM role, enter the suffix demo-data-exchange.
Choose Next.
In the schedule section, leave the Frequency with the default Run on Demand.
Choose Next.
In the Output section, choose Add database.
Enter a name for the database; for example, covid-db.
Choose Next, then choose Finish.
This database contains the tables that the crawler discovers and populates. With these data sets separated into different tables, you join and relationalize the data.
In the Review all steps section, review the crawler settings and choose Finish.
Under Data Catalog, choose Crawlers.
Select the crawler you just created.
Choose Run crawler.
The AWS Glue crawler crawls the data sources and populates your AWS Glue Data Catalog. This process can take up to a few minutes. When the crawler is finished, you can one table added to your crawler details. See the following screenshot.
You can now view your new tables.
Under Databases, choose Tables.
Choose your database.
Choose View the tables. The table names correspond to the Amazon S3 folder directory you used to point your AWS Glue crawler. See the following screenshot.

Next Step: To Query data in Athena and Visualise in QuickSight!

Thank you for Reading 😊

AZ-900 Notes: Azure data storage options

Sudha Chandran B C — Wed, 05 Aug 2020 00:58:14 +0000

In this notes, we'll learn about:

Data storage options in Azure
Discover how Azure data storage can meet your business demands
Compare Azure data storage with on-premises storage

Benefits of using Azure to store data

Here are some of the important benefits of Azure data storage:

Automated backup and recovery: mitigates the risk of losing your data if there is any unforeseen failure or interruption.
Replication across the globe: copies your data to protect it against any planned or unplanned events, such as scheduled maintenance or hardware failures. You can choose to replicate your data at multiple locations across the globe.
Support for data analytics: supports performing analytics on your data consumption.
Encryption capabilities: data is encrypted to make it highly secure; you also have tight control over who can access the data.
Multiple data types: Azure can store almost any type of data you need. It can handle video files, text files, and even large binary files like virtual hard disks. It also has many options for your relational and NoSQL data.
Data storage in virtual disks: Azure also has the capability of storing up to 32 TB of data in its virtual disks. This capability is significant when you're storing heavy data such as videos and simulations.
Storage tiers: storage tiers to prioritize access to data based on frequently used versus rarely used information.

Types of data we can save:

Structured data.
Semi-structured data.
Unstructured data

Data Storage Options:

Azure SQL Database
Azure Cosmos DB
Azure Blob storage
Azure Data Lake Storage
Azure Files
Azure Queue
Disk Storage

Azure SQL Database

Azure SQL Database is a relational database as a service (DaaS)
SQL Database is a high-performance, reliable, fully managed and secure database.

Azure Cosmos DB

Azure Cosmos DB is a globally distributed database service.
It supports schema-less data that lets you build highly responsive and Always On applications to support constantly changing data.

Azure Blob storage

Azure Blob Storage is unstructured,
Blobs are highly scalable, can manage thousands of simultaneous uploads, massive amounts of video data, constantly growing log files
Azure Blob storage lets you stream large video or audio files directly to the user's browser from anywhere in the world.
It has the ability to store up to 8 TB of data for virtual machines.

Azure Data Lake Storage

Can perform analytics on your data usage and prepare reports.
stores both structured and unstructured data.
Azure Data Lake Storage combines the scalability and cost benefits of object storage with the reliability and performance of the Big Data file system capabilities.

Azure Files

offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol.
Azure file shares can be mounted concurrently by cloud or on-premises deployments of Windows, Linux, and macOS.
Share files anywhere in the world, diagnostic data, or application data sharing.

Azure Queue

service for storing large numbers of messages that can be accessed from anywhere in the world.
asynchronous message queueing for communication between application components, whether they are running in the cloud, on the desktop, on-premises, or on mobile devices.
You can use queue storage to:
Create a backlog of work and to pass messages between different Azure web servers.
Distribute load among different web servers/infrastructure and to manage bursts of traffic.
Build resilience against component failure when multiple users access your data at the same time.

Disk Storage

Provides disks for virtual machines, applications, and other services
Disk storage allows data to be persistently stored and accessed from an attached virtual hard disk.
Disks come in many different sizes and performance levels, from solid-state drives (SSDs) to traditional spinning hard disk drives (HDDs), with varying performance abilities.
When working with VMs, you can use standard SSD and HDD disks for less critical workloads, and premium SSD disks for mission-critical production applications.

Storage tiers

Storage tiers for blob object storage

Hot storage tier: optimized for storing data that is accessed frequently.
Cool storage tier: optimized for data that are infrequently accessed and stored for at least 30 days.
Archive storage tier: for data that are rarely accessed and stored for at least 180 days with flexible latency requirements.

Encryption and replication

Azure provides security and high availability to your data through encryption and replication features.
Encryption for storage services
The following encryption types are available for your resources:

Azure Storage Service Encryption (SSE): It encrypts the data before storing it and decrypts the data before returning it. The encryption and decryption are transparent to the user.
Client-side encryption is where the data is already encrypted by the client libraries. Azure stores the data in the encrypted state at rest, which is then decrypted during retrieval.

Replication for storage availability
The replication feature ensures that your data is durable and always available. Azure provides regional and geographic replications to protect your data against natural disasters and other local disasters like fire or flooding.

Advantages

Cost effectiveness:

on-premises storage has significant up-front expense (or capital cost). It may sit idle or be under-utilized in off-peak times
Azure data storage provides a pay-as-you-go pricing model, allowing you to scale up or scale out as demand dictates and scale back when demand is low.

Reliability

On-premises storage requires data backup, load balancing, and disaster recovery strategies. Which can be challenging and expensive
Azure data storage provides data backup, load balancing, disaster recovery, and data replication as services to ensure data safety and high availability.

Storage types

Sometimes multiple different storage types are required for a solution, such as file and database storage. An on-premises approach often requires numerous servers and administrative tools for each storage type.
Azure data storage provides a variety of different storage options including distributed access and tiered storage.

Agility

Requirements and technologies change. For an on-premises deployment, these changes may mean provisioning and deploying new servers and infrastructure pieces, which are a time consuming and expensive activity.
Azure data storage gives you the flexibility to create new services in minutes. This flexibility allows you to change storage back-ends quickly without needing a significant hardware investment.

**

omparison**

Summary

We explored the benefits of using Azure to store your data.

Azure provides the following features:

Storage of both structured and unstructured data
High security that supports global compliance standards
Load balancing, high availability, and redundancy capabilities
The ability to send large volumes of data directly to the browser using features such as Azure Blob storage

Thank you for Reading!😊

AZ-900 Notes: Azure Portal

Sudha Chandran B C — Wed, 05 Aug 2020 00:04:30 +0000

In this notes you'll:

Learn about Azure management options
Navigate the Azure portal
Customise the dashboard
Learn how to opt in to preview services and features

Azure management options

As a new user, the Azure portal is likely to be the primary way you will interact with Azure. The Azure portal lets you create and manage all your Azure resources.

Tools that are commonly used for day-to-day management and interaction include:

Azure portal for interacting with Azure via a Graphical User Interface (GUI)
Azure PowerShell and Azure Command-Line Interface (CLI) for command line and automation-based interactions with Azure
Azure Cloud Shell for a web-based command-line interface
Azure mobile app for monitoring and managing your resources from your mobile device

Azure portal

The Azure portal is a public website that you can access with any web browser. Once you sign in with your Azure account, you can create, manage, and monitor any available Azure services.
You can customize the dashboard by moving and resizing tiles, and displaying services you're interested in.

Azure PowerShell

Azure PowerShell is a module that you can install for Windows PowerShell or PowerShell Core, which is a cross-platform version of PowerShell that runs on Windows, Linux, or macOS.
Azure PowerShell enables you to connect to your Azure subscription and manage resources.

For example, Azure PowerShell provides the New-AzVM command that creates a virtual machine for you inside your Azure subscription.

Azure CLI

Azure CLI is a cross-platform command-line program that connects to Azure and executes administrative commands on Azure resources which can run on Windows, Linux, or macOS.

Example:

Azure Cloud Shell

Azure Cloud Shell is an interactive, authenticated, browser-accessible shell for managing Azure resources.
Cloud Shell has a suite of developer tools, text editors, and other tools available, including:

Developer Tools: .NET Core, Python, Java, Node.js, Go
Editors: code (Cloud Shell Editor), vim, nano, emacs
Other tools: git, maven, make, npm, and more....

Azure mobile app

The Microsoft Azure mobile app allows you to access, manage, and monitor all your Azure accounts and resources from your iOS or Android phone or tablet.
Once installed, you can:

Check the current status and important metrics of your services
Stay informed with notifications and alerts about important health issues
Quickly diagnose and fix issues anytime, anywhere
Review the latest Azure alerts
Start, stop, and restart virtual machines or web apps
Connect to your virtual machines
Manage permissions with role-based access control (RBAC)
Use the Azure Cloud Shell to run saved scripts or perform ad hoc administrative tasks

Other options

There are also Azure SDKs for a range of languages and frameworks, and REST APIs that you can use to manage and control Azure resources programmatically.

Azure Marketplace:

The Azure Marketplace is often where you start when creating new resources in Azure. The Marketplace allows customers to find, try, purchase, and provision applications and services from hundreds of leading service providers, all certified to run on Azure.
Using Azure Marketplace, you can provision end-to-end solutions quickly and reliably, hosted in your own Azure environment.

Navigate the Azure portal:

Resource panel: left-hand sidebar of the portal, which lists the main resource types.
Status bar: at the top-right of the screen contains
Cloud Shell: an interactive, browser-accessible shell for managing Azure resources.
Directory and subscription: you can change between subscriptions. or change to another directory.
Notifications: lists the last actions that have been carried out, along with their status.
Help pane: show the Help pane which can include: What's new, Azure roadmap, Launch guided tour,Keyboard shortcuts,Show diagnostics,Privacy statement.
Help and support options: opens the main help and support area for the Azure portal and includes documentation options for a variety of common questions.
Feedback pane: The smiley face icon opens the Send us feedback pane. Profile settings: Sign in with another account, or sign out entirely, View your account profile, where you can change your password. Settings: Select the gear icon to change the Azure portal settings. like
Inactivity sign out delay
Default view when you first sign in
Flyout or docked option for the portal menu
Color and contrast themes
Toast notifications (to a mobile device)
Language and regional format

Azure Advisor

Azure Advisor is a free service built into Azure that provides recommendations on high availability, security, performance, operational excellence, and cost. You can view recommendations in the portal or download them in PDF or CSV format.

With Azure Advisor, you can:

Get proactive, actionable, and personalized best practices recommendations.
Improve the performance, security, and high availability of your resources as you identify opportunities to reduce your overall Azure costs.
Get recommendations with proposed actions inline.

https://docs.microsoft.com/en-us/learn/modules/tour-azure-portal/media/5-help-icon.png

Azure Portal dashboards

A dashboard is a customizable collection of UI tiles displayed in the Azure portal. You add, remove, and position tiles to create the exact view you want, and then save that view as a dashboard.

Multiple dashboards are supported, and you can switch between them as needed.
You can even share your dashboards with other team members.
Dashboards are stored as JavaScript Object Notation (JSON) files.

The default web parts are

Dashboard controls
All resources tile
Quickstarts + tutorials tile
Service Health tile
Marketplace tile

At the top of the dashboard are the controls that enable you to create, upload, download, edit, and share a dashboard.

Also you can

Dashboard in edit mode:
You can Change tile sizes.
Change tile settings.
Edit a dashboard by changing the JSON file.
Reset a dashboard.
Share or unshare a dashboard.

You can even:

Switch to a shared dashboard
Display a dashboard as a full screen
Clone a dashboard
Delete a dashboard
Reset a dashboard

Access public and private preview features

With Azure Preview Features, you can test beta and other pre-release features, products, services, software, and regions.

Feature preview categories

There are two types of previews available:

Private Preview. An Azure feature marked "private preview" is available to specific Azure customers for evaluation purposes. This is typically by invite only and issued directly by the product team responsible for the feature or service.
Public Preview. An Azure feature marked "public preview" is available to all Azure customers for evaluation purposes. These previews can be turned on through the preview features page as detailed below.
You can find Azure preview features in the portal by selecting Create a resource in the - resource panel and searching preview.
You can Provide feedback on preview features
You can also Get notified about GA releases

AZ-900 Notes: Compute

Sudha Chandran B C — Tue, 04 Aug 2020 06:12:00 +0000

Core Compute products available in Azure

Azure compute is an on-demand computing service for running cloud-based applications.

There are four common techniques for performing compute in Azure:

1. Virtual machines

Virtual machines, or VMs, are software emulations of physical computers. They include a virtual processor, memory, storage, and networking resources. Azure Virtual Machines (VMs) let you create and use virtual machines in the cloud. They provide infrastructure as a service (IaaS)

Detailed Notes: Here

2. Containers

Containers are a virtualization environment for running applications. Just like virtual machines, containers run on top of a host operating system.

Detailed Notes: Here

3. Azure App Service:

Azure App Service is a platform-as-a-service (PaaS) offering in Azure that is designed to host enterprise-grade web-oriented applications.

Detailed Notes: Here

4. Serverless computing

Serverless computing is the abstraction of servers, infrastructure, and OSs.
Azure takes care of managing the server infrastructure and allocation/deallocation of resources based on demand.

Detailed Notes: Here

Azure Compute services.

Thank you for reading!

AZ-900 Notes: Serverless Computing

Sudha Chandran B C — Tue, 04 Aug 2020 05:54:01 +0000

Serverless computing is the abstraction of servers, infrastructure, and OSs.

Azure takes care of managing the server infrastructure and allocation/deallocation of resources based on demand.

Serverless computing implemented in 3 ways:

Abstraction of servers:

Serverless computing abstracts the servers you run on.
Deploy your code, which then runs with high availability.

Event-driven scale:

Serverless computing is an excellent fit for workloads that respond to incoming events.
Events include triggers by timers (for example, if a function needs to run every day at 10:00 AM UTC), HTTP (API and webhook scenarios), queues (for example, with order processing), and much more.
Instead of writing an entire application, the developer authors a function, which contains both code and metadata about its triggers and bindings.
The platform automatically schedules the function to run and scales the number of compute instances based on the rate of incoming events.
Triggers define how a function is invoked and bindings provide a declarative way to connect to services from within the code.

Micro-billing:

Pay only for the time their code runs.

Azure has two implementations of serverless compute:

Azure Functions, which can execute code in almost any modern language.
Azure Logic Apps, which are designed in a web-based designer and can execute logic triggered by Azure services without writing any code.

Azure Functions

They're commonly used when you need to perform work in response to an event, often via a REST request, timer, or message from another Azure service.
Azure Functions scale automatically based on demand
Azure Functions can be either stateless (the default), where they behave as if they're restarted every time they respond to an event, or stateful (called "Durable Functions"),

Azure Logic Apps

They are similar to Functions, both enable you to trigger logic based on an event.
Logic Apps execute workflows designed to automate business scenarios and built from predefined logic blocks.
You create Logic App workflows using a visual designer on the Azure portal or in Visual Studio. The workflows are persisted as a JSON file with a known workflow schema.

Differences between functions and logic apps.

AZ-900 Notes: Azure App Services

Sudha Chandran B C — Tue, 04 Aug 2020 05:03:45 +0000

Azure App Service enables:

To build and host web apps,
background jobs,
mobile backends,
RESTful APIs in the programming language of your choice without managing infrastructure.
It offers automatic scaling and high availability.
This platform as a service (PaaS) allows you to focus on the website and API logic while Azure handles the infrastructure to run and scale your web applications.

Costs

Pay for resources used by app based on App Service Plan.
free tier you can use to host small, low-traffic sites.

Types of app services

Web Apps: Includes full support for hosting web apps using ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python.
API Apps: you can build REST-based Web APIs using your choice of language and framework. You get full Swagger support, and the ability to package and publish your API in the Azure Marketplace.
WebJobs: WebJobs allows you to run a program (.exe, Java, PHP, Python, or Node.js) or script (.cmd, .bat, PowerShell, or Bash) in the same context as a web app, API app, or mobile app.
Mobile Apps: quickly build a back-end for iOS and Android apps. Store mobile app data in a cloud-based SQL database. Authenticate customers against common social providers such as MSA, Google, Twitter, and Facebook. Send push notifications. Execute custom back-end logic in C# or Node.js.

AZ-900 Notes: Containers in Azure

Sudha Chandran B C — Tue, 04 Aug 2020 05:00:35 +0000

A container is a modified runtime environment built on top of a host OS that executes your application.

Azure supports Docker containers (a standardized container model), and there are several ways to manage containers in Azure.

Azure Container Instances (ACI)
Azure Kubernetes Service (AKS)

Azure Container Instances

offers the fastest and simplest way to run a container in Azure
It is a PaaS offering that allows you to upload your containers and execute them directly with automatic elastic scale.

Azure Kubernetes Service

The task of automating, managing, and interacting with a large number of containers is known as orchestration.
AKS is a complete orchestration service for containers with distributed architectures with multiple containers.

Containers are often used to create solutions using a microservice architecture.
This architecture is where you break solutions into smaller, independent pieces.

What is Microservice?

Imagine you may split a website into
a container hosting your front end,
another hosting your back end,
and a third for storage.
This split allows you to separate portions of your app into logical sections that can be maintained, scaled, or updated independently.

Migrating apps to containers

You can move existing applications to containers and run them within AKS. You can control access via integration with Azure Active Directory (Azure AD) and access Service Level Agreement (SLA)–backed Azure services, such as Azure Database for MySQL for any data needs, via Open Service Broker for Azure (OSBA).

AZ-900 Notes: Azure Virtual Machines

Sudha Chandran B C — Tue, 04 Aug 2020 04:55:40 +0000

Azure Virtual Machines (VMs) let you create and use virtual machines in the cloud.
They provide infrastructure as a service (IaaS).

You can create and provision a VM in minutes when you select a pre-configured VM image.

An image is a template used to create a VM. These templates already include an OS and often other software, like development tools or web hosting environments.

When to use virtual machines?

During testing and development
When running applications in the cloud.
When extending your datacenter to the cloud.
During disaster recovery.

Scaling VMs in Azure

Availability sets
Virtual Machine Scale Sets
Azure Batch

Availability sets

VMs are put into different update domains. Update domains indicate groups of VMs and underlying physical hardware that can be rebooted at the same time. Update domains are a logical part of each data center and are implemented with software and logic.

The group of virtual machines that share common hardware are in the same fault domain. A fault domain is essentially a rack of servers. It provides the physical separation of your workload across different power, cooling, and network hardware that support the physical servers in the data center server racks. In the event the hardware that supports a server rack becomes unavailable, only that rack of servers is affected by the outage.

The group of virtual machines that share common hardware are in the same fault domain.

A planned maintenance event is when the underlying Azure fabric that hosts VMs is updated by Microsoft. A planned maintenance event is done to patch security vulnerabilities, improve performance, and add or update features.

Unplanned maintenance events involve a hardware failure in the data center, such as a power outage or disk failure. VMs that are part of an availability set automatically switch to a working physical server so the VM continues to run.

With an availability set, you get:

Up to three fault domains that each have a server rack with dedicated power and network resources
Five logical update domains which then can be increased to a maximum of 20

Virtual machine scale sets

Azure Virtual Machine Scale Sets let you create and manage a group of identical, load balanced VMs.
Scale sets allow you to centrally manage, configure, and update a large number of VMs in minutes to provide highly available applications.
The number of VM instances can automatically increase or decrease in response to demand or a defined schedule

Azure Batch

Azure Batch enables large-scale job scheduling and compute management with the ability to scale to tens, hundreds, or thousands of VMs.

When you're ready to run a job, Batch does the following:

Starts a pool of compute VMs for you
Installs applications and staging data
Runs jobs with as many tasks as you have
Identifies failures
Requeues work
Scales down the pool as work completes