Azure Fundamentals — Almost all you need to know

An Azure Fundamentals summary — a start to your Azure journey or for exam preparation

Amulya Rattan Bhatia
Aug 2 · 20 min read

Important: This article is a 20-minute read, but what should make it worth your while is that it introduces many important Azure and cloud concepts for beginners. I hope you enjoy it; let’s begin!

Overview

Let’s start with the reason why cloud is a cheaper option than running your own infrastructure: Economies of Scale. Economy of scale is the ability to reduce costs and gain efficiency when operating at a larger scale compared with operating at a smaller one. Cloud services offer high availability, fault tolerance, agility, scalability, elasticity, global reach, disaster recovery, security and lots more.

It involves moving away from CapEx (Capital Expenditure: upfront costs for servers, storage and networking) to OpEx (Operational Expenditure: a deductible expense for the cloud services actually used). The following diagram shows how with CapEx you are always playing catch-up and are either under-provisioned or over-provisioned most of the time, whereas with the OpEx model you rely on a cloud service to autoscale (up or down) and pay later for the services rendered, with no upfront costs.


Azure subscription

You need an Azure subscription to start using Azure. An Azure subscription is a logical unit of Azure services that links to an Azure account, which is an identity in Azure Active Directory (Azure AD, discussed later) or in a directory that an Azure AD trusts. An account can have one subscription or multiple subscriptions that have different billing models and to which you apply different access-management policies. You usually create separate subscriptions for different environments, departments or organizational structures, and billing models, and because of the inherent limits of a single subscription.


Regions

A region is a geographical area on the planet containing at least one, but potentially multiple datacenters that are nearby and networked together with a low-latency network. A region is where you deploy your workload. Azure has more global regions than any other cloud provider.

[Figure: Azure global regions as of Feb 2020]

Each Azure region is always paired with another region within the same geography (such as US, Europe, or Asia) at least 300 miles away. If a region in a pair were affected by a natural disaster, for instance, services would automatically fail over to the other region in its region pair. Planned Azure updates are rolled out to paired regions one region at a time to minimize downtime and the risk of application outage.


Special Azure regions

Azure has specialized regions that you might want to use when building out your applications for compliance or legal purposes. These include:

Regions are what you use to identify the location for your resources, but there are two other terms you should also be aware of: geographies and availability zones.

Geography

An Azure geography is a discrete market typically containing two or more regions that preserve data residency and compliance boundaries. Geographies are broken up into the following areas:

Availability Zones

Availability Zones are physically separate datacenters within an Azure region. Each Availability Zone is made up of one or more datacenters equipped with independent power, cooling, and networking. You can use Availability Zones to run mission-critical applications and build high-availability into your application architecture by co-locating your compute, storage, networking, and data resources within a zone and replicating in other zones.


Azure services that support Availability Zones fall into two categories:

Not every region has support for Availability Zones.

Note: Some services or virtual machine features are only available in certain regions, such as specific virtual machine sizes or storage types. There are also some global Azure services that do not require you to select a particular region, such as Microsoft Azure Active Directory, Microsoft Azure Traffic Manager, and Azure DNS.

Azure management options

Tools that are commonly used for day-to-day management and interaction include Azure PowerShell and the Azure CLI. In Azure PowerShell, after signing in with Connect-AzAccount, you can create a virtual machine with a command such as:

New-AzVM `
-ResourceGroupName "MyResourceGroup" `
-Name "TestVm" `
-Image "UbuntuLTS" `
...

In Azure CLI, you can sign in to Azure using the command az login, create a resource group, then create the VM with a similar command.


Azure Advisor

Azure Advisor is a free service built into Azure that provides recommendations on high availability, security, performance, operational excellence, and cost. Advisor analyzes your deployed services and looks for ways to improve your environment across those areas. You can view recommendations in the portal or download them in PDF or CSV format.


SLAs for Azure products and services

There are three key characteristics of SLAs (Service Level Agreement) for Azure products and services:


3. Service credits — SLAs also describe how Microsoft will respond if an Azure product or service fails to perform to its governing SLA’s specification. For example, customers may have a discount applied to their Azure bill as compensation for an under-performing Azure product or service: if the monthly uptime for Azure VMs goes below 95%, the customer is entitled to a 100% discount.

When combining SLAs across different service offerings, the resultant SLA is called a Composite SLA. Consider an App Service web app that writes to Azure SQL Database. These Azure services currently have the following SLAs:


The composite SLA value for this application is:

99.95 percent × 99.99 percent = 99.94 percent

This means the combined probability of failure is higher than the individual SLA values. You can improve the composite SLA by creating independent fallback paths. For example, if the SQL Database is unavailable, you can put transactions into a queue for processing at a later time.


If the expected percentage of time for a simultaneous failure of the Database and the Queue is 0.0001 × 0.001, the composite SLA for this combined path of a database or queue would be:

1.0 − (0.0001 × 0.001) = 99.99999 percent

Therefore, if we add the queue to our web app, the total composite SLA is:

99.95 percent × 99.99999 percent = ~99.95 percent

Important: You can use SLAs to evaluate how your Azure solutions meet business requirements and the needs of your clients and users. By creating your own SLAs, you can set performance targets to suit your specific Azure application. This approach is known as an Application SLA. When designing your architecture you need to design for resiliency, and you should perform a Failure Mode Analysis (FMA). The goal of an FMA is to identify possible points of failure and to define how the application will respond to those failures.

Services

[Figure: overview of Azure services (not all Azure services are depicted)]

Security

As computing environments move from customer-controlled datacenters to the cloud, the responsibility of security also shifts. Security of the operational environment is now a concern shared by both cloud providers and customers.


The shared responsibility is broken down into several aspects that are divided between the cloud provider (Microsoft) and the customer depending on the service model. Here IaaS stands for Infrastructure as a Service (Azure VM), PaaS for Platform as a Service (App Service) and SaaS for Software as a Service (Microsoft 365). Thus, the more SaaS offerings you use, the less responsibility you carry for the overall security posture of your system. Even with the adoption of cloud, however, you remain responsible for the security of your data, endpoints, access and account management.


Another concept to be aware of in security is Defense in Depth, which means that you employ security controls at each layer, from physical to logical. Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure.


To provide inbound protection at the perimeter, you have several choices.

A great place to start when examining the security of your Azure-based solutions is Azure Security Center. Security Center is a monitoring service that provides threat protection across all of your services both in Azure, and on-premises.

Azure provides services to manage both authentication and authorization through Azure Active Directory (Azure AD). Azure AD is a cloud-based identity service. It has built-in support for synchronizing with your existing on-premises Active Directory, or it can be used stand-alone. This means that all your applications, whether on-premises, in the cloud (including Office 365), or even mobile, can share the same credentials. It also provides SSO (Single Sign-On), B2B and B2C identity services.

Important: For authentication and authorization, there are certain key terms you need to be aware of: Identity, Principal and Service principal. An identity is just a thing that can be authenticated, which can be a user or even an application or a service. A principal is an identity acting with certain roles or claims. A service principal is an identity that is used by a service or application and like other identities, it can be assigned roles.

Roles are sets of permissions, like “Read-only” or “Contributor”, that users can be granted to access an Azure service instance. Identities are mapped to roles directly or through group membership. Roles can be granted at the individual service instance level, but they also flow down the Azure Resource Manager hierarchy. Roles assigned at a higher scope, like an entire subscription, are inherited by child scopes, like service instances. This process of performing access control based on roles is called Role-Based Access Control (RBAC).


Azure Storage Service Encryption and Azure Disk Encryption are used for encryption of data at rest for physical and virtual hard disks respectively. Transparent data encryption (TDE) helps protect Azure SQL Database and Azure Synapse Analytics against the threat of malicious activity. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.

Azure Key Vault is used to protect secrets, passwords, certificates and perform key management. Because Azure AD identities can be granted access to use Azure Key Vault secrets, applications with managed service identities enabled can automatically and seamlessly acquire the secrets they need.

Governance and Compliance

Azure Policy is the primary service used for IT compliance. It is used to create, assign and manage policies that enforce rules and effects over your resources, so that those resources stay compliant with your corporate standards and service level agreements. For example, you might have a policy that allows only virtual machines of a certain size in your environment.

Requests to create or update a resource through Azure Resource Manager are evaluated by Azure Policy first. Azure Policy can audit all the existing resources in our organization to ensure our policy is enforced. It can audit non-compliant resources, alter the resource properties, or stop the resource from being created.


RBAC vs. Azure Policy: As mentioned earlier, RBAC focuses on user actions at different scopes. You might be added to the contributor role for a resource group, allowing you to make changes to anything in that resource group. Azure Policy focuses on resource properties during deployment and for already-existing resources. Azure Policy controls properties such as the types or locations of resources. Unlike RBAC, Azure Policy is a default-allow-and-explicit-deny system.

Examples of common policy definitions:


Policy assignment — To apply a policy, we can use the Azure portal, Azure CLI or Azure PowerShell: first add the Microsoft.PolicyInsights extension, then assign the policy definition to a particular scope. This scope could range from a full subscription down to a resource group.

Policy assignments are inherited by all child resources. This inheritance means that if a policy is applied to a resource group, it is applied to all the resources within that resource group. However, you can exclude a subscope from the policy assignment. For example, we could enforce a policy for an entire subscription and then exclude a few select resource groups.

Each policy definition in Azure Policy has a single effect. That effect determines what happens when the associated policy rule is matched.
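A toy evaluator for the rules just described, added here as an example (it is neither the article’s code nor Microsoft’s policy engine): the definition below mirrors the policyRule/if/then shape of an Azure Policy definition that denies VM sizes outside an allowed list (the list is inlined rather than passed as a parameter), and the evaluator applies assignment inheritance, notScopes exclusions and the default-allow, explicit-deny behaviour. SKU names, resource group names and the subscription id are constructed placeholders.

```python
# Added example (not the article's code, not Microsoft's engine): a toy
# evaluator for the "allowed VM sizes" rule and the assignment inheritance /
# exclusion described above. The definition mirrors the real policyRule/if/then
# shape; SKU names, resource group names and the subscription id are constructed.
ALLOWED_VM_SIZES = {
    "name": "allowed-vm-sizes",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                     "in": ["Standard_B2s", "Standard_D2s_v3"]}},
        ]},
        "then": {"effect": "deny"},
    },
}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
# Assigned at subscription scope; the sandbox resource group is excluded.
ASSIGNMENTS = [{"definition": ALLOWED_VM_SIZES, "scope": SUB,
                "notScopes": [SUB + "/resourceGroups/rg-sandbox"]}]

def condition_matches(cond, resource):
    """Evaluate one policy condition node against a flat resource dict."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource)
    value = resource.get(cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    raise ValueError(f"unsupported condition: {cond}")

def within(scope, parent):
    """True when scope is parent itself or a child path beneath it."""
    return scope == parent or scope.startswith(parent + "/")

def assignment_applies(assignment, resource_scope):
    """Assignments flow down to every child scope unless the resource sits
    under one of the assignment's excluded sub-scopes (notScopes)."""
    return within(resource_scope, assignment["scope"]) and not any(
        within(resource_scope, ex) for ex in assignment.get("notScopes", []))

def evaluate(resource, resource_scope, assignments):
    """Default allow, explicit deny: a create/update request is blocked only
    when an applicable assignment's rule matches with effect 'deny'."""
    for a in assignments:
        rule = a["definition"]["policyRule"]
        if (assignment_applies(a, resource_scope)
                and condition_matches(rule["if"], resource)
                and rule["then"]["effect"] == "deny"):
            return "deny", a["definition"]["name"]
    return "allow", None

if __name__ == "__main__":
    vm = {"type": "Microsoft.Compute/virtualMachines",
          "Microsoft.Compute/virtualMachines/sku.name": "Standard_D16s_v3"}
    print(evaluate(vm, SUB + "/resourceGroups/rg-prod", ASSIGNMENTS))     # denied
    print(evaluate(vm, SUB + "/resourceGroups/rg-sandbox", ASSIGNMENTS))  # allowed
```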


Initiatives — Managing a few policy definitions is easy, but once you have more than a few, you will want to organize them. That’s where initiatives come in. An initiative definition is a set or group of policy definitions to help track your compliance state for a larger goal. Similar to a policy assignment, an initiative assignment is an initiative definition assigned to a specific scope.


Azure Management Groups — They are logical containers for managing access, policies, and compliance across multiple Azure subscriptions. Management groups allow you to order your Azure resources hierarchically into collections, which provide a further level of classification that is above the level of subscriptions. All subscriptions within a management group automatically inherit the conditions applied to the management group. For the first management group, a root management group is created in the Azure Active Directory (Azure AD) organization.


Any Azure AD user in the organization can create a management group. The creator is given an Owner role assignment. A single Azure AD organization can support 10,000 management groups.

Azure Blueprints — It enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements. Azure Blueprints is a declarative way to orchestrate the deployment of various resource templates and other artifacts, such as:

With Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing of deployments.

Compute

Compute services are often one of the primary reasons why companies move to the Azure platform.


Scaling VMs in Azure — Azure provides multiple features to meet your scaling needs.


Migrating apps to containers

You can move existing applications to containers and run them within AKS. You can control access via integration with Azure Active Directory (Azure AD) and access Service Level Agreement (SLA)–backed Azure services, such as Azure Database for MySQL for any data needs, via Open Service Broker for Azure (OSBA).


The preceding figure depicts this process as follows:

Networking

Networking functionality in Azure includes a range of options to connect the outside world to services and features in the global Microsoft Azure datacenters.


Load Balancer vs. Traffic Manager

Azure Load Balancer distributes traffic within the same region to make your services more highly available and resilient. Traffic Manager works at the DNS level, and directs the client to a preferred endpoint. This endpoint can be to the region that’s closest to your user.

Load Balancer and Traffic Manager both help make your services more resilient, but in slightly different ways. When Load Balancer detects an unresponsive VM, it directs traffic to other VMs in the pool. Traffic Manager monitors the health of your endpoints. When Traffic Manager finds an unresponsive endpoint, it directs traffic to the next closest endpoint that is responsive.

Storage

These services all share several common characteristics:


Database

Azure provides multiple database services to store a wide variety of data types and volumes.


Web

Azure includes first-class support to build and host web apps and HTTP-based web services.


IoT

There are a number of services that can assist and drive end-to-end solutions for IoT on Azure.


Big Data

Microsoft Azure supports a broad range of technologies and services to provide big data and analytic solutions.


AI

Cognitive Services are pre-built APIs that you can use in your applications to solve complex problems such as speech recognition.


There exists also the option to build your own models using the following products.


DevOps

Azure DevOps Services allows you to create build and release pipelines that provide continuous integration, delivery, and deployment for your applications.


Monitoring

Azure Monitor — It is a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. Azure Monitor can collect data from a variety of sources such as:


It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on. It includes various features such as:

Azure Service Health — provides personalized guidance and support when issues with Azure services affect you. Azure Service Health is composed of Azure Status (global view of the health state of Azure services), Service Health (customizable dashboard that tracks the state of your Azure services in the regions where you use them) and Resource Health (diagnose and obtain support when an Azure service issue affects your resources).

Billing

Depending on your needs, you can set up multiple invoices within the same billing account. To do this, create additional billing profiles. Each billing profile has its own monthly invoice and payment method.

The following diagram shows an overview of how billing is structured. If you’ve previously signed up for Azure or if your organization has an Enterprise Agreement, your billing might be set up differently.


Azure support plans

All Azure customers can access billing, quota, and subscription-management support. The availability of support for other issues depends on the support plan you have.


Azure community support


You gotta know!
