Azure Devops ppt by suraj

The document outlines Azure services for managing virtual machines (VMs) and scaling applications, emphasizing features like high availability, auto-scaling, and disaster recovery. It discusses various cloud service models (IaaS, PaaS, SaaS) and their responsibilities, along with the benefits of using containers and serverless architectures. Additionally, it covers Azure storage solutions, including redundancy options and types of storage available for different use cases.

Uploaded by

surajgaikwad0405

Azure Devops

Virtual Machine Scale Sets

How do you simplify creation and management of multiple VMs?

● Allow you to create and manage a group of Azure VMs
● Provides high availability to your applications
● Add a load balancer
● Distribute VM instances across multiple AZs (where available)
● Supports Manual Scaling and Auto Scaling
● Supports up to 1,000 VM instances
Azure Virtual Machines - More Features
Feature | Explanation
Static IP Address | Assign a fixed IP address to your VM. Public IP addresses are charged per IP per hour.
Azure Monitoring | Monitoring for your Azure VMs.
Dedicated Hosts | Physical servers dedicated to one customer
Azure Spot instances | Create cheaper, temporary instances for non-critical workloads
Reserved VM Instances (1 or 3 years) | Reserve compute instances ahead of time
Designing Good Solutions with VMs
Terminology | Description | Azure VMs
Availability | Is the application available when your users need it? | Availability Sets and Scale Sets
Scalability | Can we handle growth in users, traffic, or data size without any drop in performance? | VM Size, Scale Sets and Load Balancers
Resilience | Ability of the system to provide acceptable behavior even when one or more parts of the system fail | Scale Sets and Load Balancers
Geo-distribution | Distribute applications across regions and zones | Scale Sets and Load Balancers
Disaster Recovery | How to keep your systems running in the face of disasters | Site Recovery
Managing costs | You want to keep costs low | Auto Scaling (Elasticity), Reservation, Spot instances
Security | Secure your VMs | Dedicated Hosts (More to come..)


Vertical Scaling
(Diagram: an instance growing from Small to xlarge)
● Deploying application/database to a bigger instance:
➔ A larger hard drive
➔ A faster CPU
➔ More RAM, CPU, I/O, or networking capabilities
● In Azure: We can increase VM size
● There are limits to vertical scaling
Horizontal Scaling
● Deploying multiple instances of application/database
● (Typically but not always) Horizontal Scaling is preferred to Vertical Scaling
❏ Vertical scaling has limits
❏ Vertical scaling can be expensive
❏ Horizontal scaling increases availability
● (BUT) Horizontal Scaling needs additional infrastructure:
❏ Scale Sets, Load Balancers etc.
Azure Virtual Machines - Scenarios
Scenario | Solution
How can you automatically scale up and scale down VMs? | VM Scale Sets
How can you protect VMs from datacenter failure? | Deploy them to multiple AZs (Scale Sets)
How much availability do you get by deploying two or more VM instances in two or more AZs in the same region? | 99.99%
How can you perform disaster recovery for your VMs? | Site Recovery
How can you reduce costs for your VMs? | Auto Scaling (Elasticity), Reserved & Spot instances, Right Region - cost varies region to region
Will you be billed if you stop a VM? | Yes, for storage
Will two VMs of the same size always cost the same? | No. Price changes with time. Price is also different in different regions.
How can you know who performed a specific action on a VM? | Activity Logs (kept for 90 days)
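The last row above points at Activity Logs to answer "who did what to this VM". Here is an added example (not from the slides) that reads an exported Activity Log and lists the callers behind operations on one VM inside the 90-day retention window. The records are constructed samples and the subscription id is a placeholder; the field names (`caller`, `operationName.value`, `resourceId`, `eventTimestamp`, `status.value`) follow the Azure Activity Log event schema as assumed here, so check them against the current Azure documentation.

```python
"""Who performed which action on a VM, from an Azure Activity Log export.

Added example, not from the slides. The JSON below is a constructed sample
shaped like Activity Log events (field names assumed from the Activity Log
schema: caller, operationName.value, resourceId, eventTimestamp, status.value).
A real export would come from the portal or `az monitor activity-log list`.
"""
import json
from datetime import datetime, timedelta, timezone

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
VM = SUB + "/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/"

# Constructed sample events (deliberately not in time order).
SAMPLE_ACTIVITY_LOG = json.dumps([
    {"caller": "bob@contoso.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "resourceId": VM + "web-01",
     "eventTimestamp": "2024-04-28T08:00:00Z",
     "status": {"value": "Succeeded"}},
    {"caller": "alice@contoso.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/deallocate/action"},
     "resourceId": VM + "web-01",
     "eventTimestamp": "2024-05-02T10:15:00Z",
     "status": {"value": "Succeeded"}},
    {"caller": "svc-automation@contoso.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
     "resourceId": VM + "web-02",
     "eventTimestamp": "2024-05-03T09:00:00Z",
     "status": {"value": "Succeeded"}},
    {"caller": "mallory@contoso.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/delete"},
     "resourceId": VM + "web-01",
     "eventTimestamp": "2024-05-01T23:40:00Z",
     "status": {"value": "Failed"}},          # failed attempts are worth seeing too
    {"caller": "alice@contoso.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "resourceId": VM + "web-01",
     "eventTimestamp": "2024-01-10T12:00:00Z",
     "status": {"value": "Succeeded"}},       # older than the 90-day retention
])

RETENTION = timedelta(days=90)  # the slides: Activity Logs are kept for 90 days
DEMO_NOW = datetime(2024, 5, 5, tzinfo=timezone.utc)  # constructed "today"


def parse_events(raw_json):
    """Flatten the nested Activity Log records into simple dicts with a tz-aware time."""
    events = []
    for e in json.loads(raw_json):
        ts = e["eventTimestamp"].replace("Z", "+00:00")  # fromisoformat needs an offset
        events.append({
            "caller": e.get("caller", "<unknown>"),
            "operation": e["operationName"]["value"],
            "vm": e["resourceId"].rsplit("/", 1)[-1],
            "time": datetime.fromisoformat(ts),
            "status": e.get("status", {}).get("value", ""),
        })
    return events


def actions_on_vm(raw_json, vm_name, now, include_failed=False):
    """(caller, operation, status, iso time) for events on vm_name inside the
    retention window, newest first. Failed attempts are dropped unless asked for."""
    cutoff = now - RETENTION
    rows = []
    for e in parse_events(raw_json):
        if e["vm"] != vm_name or e["time"] < cutoff:
            continue
        if e["status"] != "Succeeded" and not include_failed:
            continue
        rows.append((e["caller"], e["operation"], e["status"], e["time"].isoformat()))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


def callers_for(raw_json, vm_name, now):
    """Distinct identities that successfully changed vm_name, sorted."""
    return sorted({r[0] for r in actions_on_vm(raw_json, vm_name, now)})


if __name__ == "__main__":
    for row in actions_on_vm(SAMPLE_ACTIVITY_LOG, "web-01", DEMO_NOW, include_failed=True):
        print(row)
```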
Managed Services

● Do you want to continue running applications in the cloud the same way you run them in your data center?
● OR are there OTHER approaches?
● You should understand some terminology used with cloud services:
❏ IaaS (Infrastructure as a Service)
❏ PaaS (Platform as a Service)
❏ SaaS (Software as a Service)
● Let's go on a quick journey through these!
IaaS (Infrastructure as a Service)
(Diagram: stack of Applications, Application Runtime, OS, Virtualization, Physical Hardware, Networking)
● Use only infrastructure from the cloud provider
● Example: Using a VM to deploy your application or databases
● You are responsible for:
❏ Application Code and Runtime
❏ Auto scaling
❏ OS upgrades and patches
❏ Availability
❏ etc.. (and a lot of things!)
PaaS (Platform as a Service)
(Diagram: stack of Applications, Application Runtime, OS, Virtualization, Physical Hardware, Networking)
● Use a platform provided by the cloud provider
● Cloud provider is responsible for:
★ OS (incl. upgrades and patches)
★ Application Runtime
★ Auto scaling, Availability & Load balancing etc..
● You are responsible for:
★ Configuration (of Application and Service)
★ Application code (if needed)
● Examples:
★ Azure App Services
★ Databases - Relational & NoSQL (Amazon RDS, Google, Azure SQL Database etc)
★ Queues, AI, ML, Operations etc!
Azure App Services
(Diagram: stack of Applications, Application Runtime, OS, Virtualization, Physical Hardware, Networking)
● Fully managed platform for building, deploying and scaling your web apps
❏ Also supports REST APIs and mobile back ends
● Natively supports .NET, .NET Core, Node.js, Java, Python and PHP
● Choose an App Service plan: defines a set of compute resources for a web app
● Features:
❏ Automated Deployment and management
❏ Auto Scaling
❏ Built-in Load Balancing
Microservices
(Diagram: MovieService, CustomerService, ReviewService, BookingService and FareCalculationService, each with its own database, DB1 to DB5)
● Enterprises are heading towards microservices architecture
❏ Build small microservices
❏ Flexibility to innovate and build applications in different programming languages (Go, Java, Python, etc..)
● But deployments become complex!
● How can we have one way of deploying Go, Java, Python or JavaScript microservices?
❏ Enter containers!
Container - Docker
(Diagram: Container1, Container2 and Container3 running on the Docker Engine, on the Host OS, on Cloud Infrastructure)
● Create Docker images for each microservice
● A Docker image has all the needs of a microservice:
❏ Application Runtime (JDK or Python or NodeJS)
❏ Application code and Dependencies
❏ VMs virtualize Hardware while containers virtualize OS
❏ Runs the same way on any infrastructure
➔ Your local machine
➔ Corporate data center
➔ Cloud
● Advantages
❏ Docker containers are lightweight
➔ Compared to virtual machines, as they do not have a Guest OS
❏ Docker provides isolation for containers
❏ Docker is cloud neutral
Azure Container Instances

● Manage and run simple container-based applications
● You DO NOT need to provision and manage VMs
● Start containers in seconds
● Azure App Service also supports deploying simple containers
Container Orchestration
(Diagram: Container Image(s) and Configuration are handed to the Container Orchestration, which runs them on a Cluster of Virtual Server1, Virtual Server2 and Virtual Server3)
● Requirement: I want 10 instances of Microservice A container, 15 instances of Microservice B container and …
● Typical features:
❏ Auto Scaling - Scale containers based on demand
❏ Service Discovery - Help microservices find one another
❏ Load Balancer - Distribute load among multiple instances of a microservice
❏ Self healing - Do health checks and replace failing instances
❏ Zero Downtime Deployment - Release new version without downtime
Container Orchestration - AKS and Service Fabric
(Diagram: Container Image(s) and Configuration, Container Orchestration, Cluster of Virtual Server1, Virtual Server2 and Virtual Server3)
● Using a Container Orchestrator:
❏ 1: Create a Cluster
❏ 2: Deploy & Orchestrate Microservices
● Azure Services:
❏ Azure Kubernetes Service: Managed Kubernetes Service
❏ Azure Service Fabric: Microsoft's container orchestrator
Serverless
● What do we think about when we develop an application?
❏ Where to deploy? What kind of server? What OS?
❏ How do we take care of scaling and availability of the application?
● What if you don't need to worry about servers and focus on your code?
❏ Enter Serverless
➔ Remember: Serverless does NOT mean "No Servers"
● Serverless for me:
❏ You don't worry about infrastructure (ZERO visibility into infrastructure)
➔ Flexible scaling and automated high availability
❏ Most Important: Pay for use
➔ Ideally ZERO REQUESTS => ZERO COST
● You focus on code and the cloud managed service takes care of all that is needed
to scale your code to serve millions of requests!
❏ And you pay for requests and NOT servers!
Azure Functions
● You don't worry about servers or scaling or availability
● You only worry about your code
● You pay for what you use
❏ Number of requests
❏ Duration of requests
❏ Memory consumed
● Supports C#, Python, JavaScript, TypeScript and Java
Logic Apps
● Serverless orchestration service:
❏ Recommended for orchestrating long-running processes and
workflows
❏ Low-code/no-code solution
➔ Provides web-based designer with easy to use GUI
● Link triggers to actions:
❏ Trigger: An event you want to react to:
➔ When there are more than x number of messages in the queue OR
➔ When you receive an Office 365 Outlook email OR
➔ At regular intervals (schedule)
❏ Action: What do you want to do?
➔ Send an email OR
➔ Send a message on the queue
SaaS (Software as a Service)
● Centrally hosted software (mostly on the cloud)
❏ Offered on a subscription basis (pay-as-you-go)
❏ Examples:
➔ Email, calendaring & office tools (such as Outlook 365, Microsoft Office 365,
Gmail, Google Docs)
➔ Customer relationship management (CRM), enterprise resource planning
(ERP) and document management tools
● Cloud provider is responsible for:
❏ OS (incl. upgrades and patches)
❏ Application Runtime
❏ Auto scaling, Availability & Load balancing etc..
❏ Application code and/or
❏ Application Configuration (How much memory? How many instances?..)
● Customer is responsible for:
❏ Configuring the software!
Shared responsibility model
(Diagram: for each responsibility, the table shows whether Microsoft or the Customer owns it under SaaS, PaaS, IaaS and On-prem)
Responsibility always retained by customer:
❏ Information and data
❏ Devices (Mobile and PCs)
❏ Accounts and identities
Responsibility varies by service type:
❏ Identity and directory infrastructure
❏ Application
❏ Network controls
❏ Operating system
Responsibility transfers to cloud provider:
❏ Physical hosts
❏ Physical network
❏ Physical datacenter
Azure Cloud Service Categories - Scenarios
Scenario | Solution
IaaS or PaaS or SaaS: Deploy Custom Application in Virtual Machines | IaaS
IaaS or PaaS or SaaS: Using Gmail | SaaS
IaaS or PaaS or SaaS: Using Azure App Service to deploy your app | PaaS
True or False: Customer is responsible for OS updates when using PaaS | False
True or False: Customer is responsible for Availability when using PaaS | False
True or False: In PaaS, customer has access to VM instances | False
True or False: In PaaS, customer can customize OS and install custom software | False
True or False: In PaaS, customer can configure auto scaling needs | True
True or False: In PaaS, customer can configure hardware needs (memory, cpu etc) | True
True or False: PaaS services only offer Compute services | False
Review - Azure Services for Compute
Azure Service Name | Description
Azure VMs | Windows or Linux VMs (IaaS). Use VMs when you need control over the OS OR you want to run custom software. You handle Availability, Scalability, Load Balancing, Software/OS Updates...
Azure App Service | PaaS. Deploy web apps, mobile back ends and RESTful APIs quickly. Built-in Auto Scaling, Load Balancing
Azure Container Instances | PaaS (CaaS). Run isolated containers, without orchestration. You DO NOT need to provision and manage VMs. Start containers in seconds.
Azure Kubernetes Service | PaaS (CaaS). Managed Kubernetes Service. Provides container orchestration.
Azure Service Fabric | PaaS (CaaS). Microsoft's container orchestrator. Package, deploy, and manage scalable and reliable microservices. Run anywhere: on premises and in the cloud
Azure Functions | Serverless (FaaS) compute for event-driven apps
Azure Compute Services - Scenarios
Scenario | Solution
You want to run a function in response to events | Azure Functions
You want to deploy a Python application using a Managed Service | Azure App Service
You want to quickly deploy a container | Azure Container Instances
You want to set up a complex microservices architecture in Azure | AKS or Service Fabric
Your application needs a customized OS and custom software installed | Azure VMs
Storage
Storage Types - Block, File, Objects,....
(Diagram: Virtual Server A and Virtual Server B on a Host Computer, attached to File Storage and Block Storage)
● What is the type of storage of your hard disk?
❏ Block Storage
● You've created a file share to share a set of files with your colleagues in an enterprise. What type of storage are you using?
❏ File Storage
● You want to be able to upload/download objects using a REST API without mounting them onto your VM. What type of storage are you using?
❏ Object Storage
Azure Storage
● Managed Cloud Storage Solution
❏ Highly available, durable and massively scalable (up to a few petabytes)
● Core Storage Services:
❏ Azure Disks: Block storage (hard disks) for Azure VMs
❏ Azure Files: File shares for cloud and on-premises
❏ Azure Blobs: Object store for text and binary data
❏ Azure Queues: Decouple applications using messaging
❏ Azure Tables: NoSQL store (Very Basic)
➔ Prefer Azure Cosmos DB for NoSQL
● (PRE-REQUISITE) A Storage Account is needed for Azure Files, Azure Blobs, Azure Queues and Azure Tables
Azure Storage - Data Redundancy
Option | Redundancy | Discussion
Locally redundant storage (LRS) | Three synchronous copies in the same data center | Least expensive and least availability
Zone-redundant storage (ZRS) | Three synchronous copies in three AZs in the primary region |
Geo-redundant storage (GRS) | LRS + Asynchronous copy to secondary region (three more copies using LRS) |
Geo-zone-redundant storage (GZRS) | ZRS + Asynchronous copy to secondary region (three more copies using LRS) | Most expensive and highest availability
Block Storage
(Diagram: Virtual Server A and Virtual Server B on a Host Computer, each attached to Block Storage)
● Use case: Hard-disks attached to your computers
● Typically, ONE Block Storage device can be connected to ONE virtual server
● HOWEVER, you can connect multiple different block storage devices to one virtual server
Azure Disks Storage
● Disk storage: Disks for Azure VMs
❏ Types:
➔ Standard HDD: Recommended for Backup, non-critical, infrequent access
➔ Standard SSD: Recommended for Web servers, lightly used enterprise
applications and dev/test environments
➔ Premium SSD disks: Recommended for production and performance sensitive
workloads
➔ Ultra disks (SSD): Recommended for IO-intensive workloads such as SAP HANA, top tier databases (for example, SQL, Oracle), and other transaction-heavy workloads
❏ Premium and Ultra provide very high availability
● Managed vs Unmanaged Disks:
❏ Managed Disks are easy to use:
➔ Azure handles storage
➔ High fault tolerance and availability
❏ Unmanaged Disks are old and tricky (Avoid them if you can)
➔ You need to manage storage and storage account
➔ Disks stored in Containers (NOT Docker containers. Completely unrelated.)
Azure Files
(Diagram: Virtual Server A and Virtual Server B on a Host Computer, sharing File Storage)
● Media workflows need huge shared storage for things like video editing
● Enterprise users need a quick way to share files in a secure & organized way
● Azure Files:
❏ Managed File Shares
❏ Connect from multiple devices concurrently:
➔ From cloud or on-premises
➔ From different OS: Windows, Linux, and macOS
❏ Supports Server Message Block (SMB) and Network File System (NFS) protocols
❏ Use case: Shared files between multiple VMs (example: configuration files)
Azure Blob Storage
● Azure Blob Storage: Object storage in Azure
● Structure: Storage Account > Container(s) > Blob(s)
● Store massive volumes of unstructured data
❏ Store all file types - text, binary, backup & archives:
➔ Media files and archives, Application packages and logs
➔ Backups of your databases or storage devices
● Three Types of Blobs
❏ Block Blobs: Store text or binary files (videos, archives etc)
❏ Append Blobs: Store log files (Ideal for append operations)
❏ Page Blobs: Foundation for Azure IaaS Disks (512-byte pages up to 8 TB)
● Azure Data Lake Storage Gen2: Azure Blob Storage Enhanced
❏ Designed for enterprise big data analytics (exabytes, hierarchical)
❏ Low-cost, tiered storage, with high availability/disaster recovery
Azure Blob Storage - Access Tiers
● Different kinds of data can be stored in Blob Storage
❏ Media files, website static content
❏ Backups of your databases or storage devices
❏ Long term archives
● Huge variations in access patterns
● Can I pay a cheaper price for objects I access less frequently?
❏ Access tiers
➔ Hot: Store frequently accessed data
➔ Cool: Infrequently accessed data stored for min. 30 days
➔ Archive: Rarely accessed data stored for min. 180 days
➢ Lowest storage cost BUT Highest access cost
➢ Access latency: In hours
➢ To access: Rehydrate (Change access tier to hot or cool) OR
★ Copy to another blob with access tier hot or cool
➔ You can change access tiers of an object at any point in time
Azure Queues and Tables
● Azure Queues: Decouple applications using messaging
● Azure Tables: NoSQL store (Very Basic)
❏ Prefer Azure Cosmos DB for NoSQL
Database Fundamentals
Database Primer
● Databases provide organized and persistent storage for your data
● To choose between different database types, we would need to understand:
❏ Availability
❏ Durability
❏ RTO
❏ RPO
❏ Consistency
❏ Transactions etc
● Let's get started on a simple journey to understand these
Database - Getting Started
● Imagine a database deployed in a data center in London
● Let's consider some challenges:
❏ Challenge 1: Your database will go down if the data center crashes or the server storage fails
❏ Challenge 2: You will lose data if the database crashes
Database Snapshots
● Let's automate taking copy of the database (take a
snapshot) every hour to another data center in
London
● Let's consider some challenges:
❏ Challenge 1: Your database will go down if the
data center crashes
❏ Challenge 2 (PARTIALLY SOLVED): You will
lose data if the database crashes
➔ You can setup database from latest snapshot. But
depending on when failure occurs you can lose up
to an hour of data
❏ Challenge 3(NEW): Database will be slow when
you take snapshots
Database - Transaction Logs
● Let's add transaction logs to database and create a
process to copy it over to the second data center
● Let's consider some challenges:
❏ Challenge 1: Your database will go down if the
data center crashes
❏ Challenge 2 (SOLVED): You will lose data if the
database crashes
➔ You can setup database from latest snapshot
and apply transaction logs
❏ Challenge 3: Database will be slow when you
take snapshots
Database - Add a Standby
● Let's add a standby database in the second data
center with replication
● Let's consider some challenges:
❏ Challenge 1 (SOLVED): Your database will go down if
the data center crashes
➔ You can switch to the standby database
❏ Challenge 2 (SOLVED): You will lose data if the
database crashes
❏ Challenge 3 (SOLVED): Database will be slow when
you take snapshots
➔ Take snapshots from standby.
➔ Applications connecting to master will get good
performance always
Availability and Durability
● Availability
❏ Will I be able to access my data now and when I need it?
❏ Percentage of time an application provides the operations expected of it
● Durability
❏ Will my data be available after 10 or 100 or 1000 years?
● Examples of measuring availability and durability:
❏ 4 9's - 99.99
❏ 11 9's - 99.999999999
● Typically, an availability of four 9's is considered very good
● Typically, a durability of eleven 9's is considered very good
Availability

Availability | Downtime (in a month) | Comment
99.95% | 22 minutes |
99.99% (4 9's) | 4 and 1/2 minutes | Typically online apps aim for 99.99% (4 9's) availability
99.999% (5 9's) | 26 seconds | Achieving 5 9's availability is tough
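An added example (not part of the deck) that turns the table above into code: it converts an availability percentage into a monthly downtime budget, counts the nines, and composes the availability of redundant (parallel) and chained (serial) components. The 30-day month is an assumption, and the parallel formula is an independence illustration of why two instances in two AZs beat one, not how Azure derives its published SLA figures.

```python
"""Availability arithmetic behind the table above. Added example, not from the deck.

Assumptions: a 30-day month, and independent failures when composing components.
"""
import math

MINUTES_PER_MONTH = 30 * 24 * 60  # assumption: 30-day month


def downtime_minutes(availability_pct, period_minutes=MINUTES_PER_MONTH):
    """Downtime budget in minutes for a given availability percentage over a period."""
    return (1 - availability_pct / 100) * period_minutes


def nines(availability_pct):
    """Number of leading nines: 99.99 -> 4, 99.999 -> 5, 99.95 -> 3."""
    unavailability = 1 - availability_pct / 100
    return int(-math.log10(unavailability) + 1e-9)  # epsilon absorbs float rounding


def parallel_availability(instance_pct, n):
    """Availability of n independent instances when the service is up if ANY one is up
    (the 'two VMs in two AZs' idea): all n must fail at once for an outage."""
    all_down = (1 - instance_pct / 100) ** n
    return (1 - all_down) * 100


def serial_availability(*component_pcts):
    """Availability of a chain where EVERY component must be up, e.g. LB -> VM -> DB."""
    up = 1.0
    for pct in component_pcts:
        up *= pct / 100
    return up * 100


def describe(availability_pct):
    """One-line summary used when running this file directly."""
    mins = downtime_minutes(availability_pct)
    return f"{availability_pct}% ({nines(availability_pct)} 9's): {mins:.2f} min/month"


if __name__ == "__main__":
    for a in (99.95, 99.99, 99.999):
        print(describe(a))
    # Two 99% instances in parallel reach 99.99%; chaining two 99.99% tiers drops to 99.98%.
    print(f"2 x 99% in parallel: {parallel_availability(99, 2):.4f}%")
    print(f"99.99% LB + 99.99% VM tier in series: {serial_availability(99.99, 99.99):.4f}%")
```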


Durability
● What does a durability of 11 9's mean?
❏ If you store one million files for ten million years, you would expect to lose one file
● Why should durability be high?
❏ Because we hate losing data
❏ Once we lose data, it is gone
Increasing Availability and Durability of Database
● Increasing Availability:
❏ Have multiple standbys available OR
distribute the database
➔ in multiple Zones
➔ in multiple Regions
● Increasing Durability:
❏ Multiple copies of data (standbys,
snapshots, transaction logs and
replicas)
➔ in multiple Zones
➔ in multiple Regions
● Replicating data comes with its own
challenges!
❏ We will talk about them a little later
Database Terminology : RTO and RPO
● Imagine a financial transaction being lost
● Imagine a trade being lost
● Imagine a stock exchange going down for an hour
● Typically businesses are fine with some downtime but they hate
losing data
● Availability and Durability are technical measures
● How do we measure how quickly we can recover from failure?
❏ RPO (Recovery Point Objective): Maximum acceptable period
of data loss
❏ RTO (Recovery Time Objective): Maximum acceptable
downtime
● Achieving minimum RTO and RPO is expensive
● Trade-off based on the criticality of the data
● You are running an application in VM instance storing its data on a persistent
data storage. You are taking snapshots every 48 hours. If the VM instance
crashes, you can manually bring it back up in 45 minutes from the snapshot.
What is your RTO and RPO?
❏ RTO - 45 minutes
❏ RPO - 48 hours
Achieving RTO and RPO - Failure Example
Scenario | Solution
Very small data loss (RPO - 1 minute). Very small downtime (RTO - 5 minutes) | Hot standby - Automatically synchronize data. Have a standby ready to pick up load. Use automatic failover from master to standby
Very small data loss (RPO - 1 minute) BUT I can tolerate some downtime (RTO - 15 minutes) | Warm standby - Automatically synchronize data. Have a standby with minimum infrastructure. Scale it up when a failure happens
Data is critical (RPO - 1 minute) but I can tolerate downtime of a few hours (RTO - few hours) | Create regular data snapshots and transaction logs. Create database from snapshots and transaction logs when a failure happens
Data can be lost without a problem (for example: cached data) | Failover to a completely new server
(New Scenario) Reporting and Analytics Application
● New reporting and analytics applications are being
launched using the same database
❏ These applications will ONLY read data
● Within a few days you see that the database
performance is impacted
● How can we fix the problem?
❏ Vertically scale the database - increase CPU and
memory
❏ Create a database cluster (Distribute the database)
- Typically database clusters are expensive to setup
❏ Create read replicas - Run read only applications
against read replicas
Consistency
● How do you ensure that data in multiple database instances (standbys and replicas) is updated simultaneously?
● Strong consistency - Synchronous replication to all replicas
❏ Will be slow if you have multiple replicas or standbys
● Eventual consistency - Asynchronous replication. A little lag - a few seconds - before the change is available in all replicas
❏ In the intermediate period, different replicas might return different values
❏ Used when scalability is more important than data integrity
❏ Examples: Social Media Posts - Facebook status messages, Twitter tweets, LinkedIn posts etc
● Read-after-Write consistency - Inserts are immediately available
❏ However, updates would have eventual consistency
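The three models on this slide differ only in what a replica returns right after a write. The toy store below is an added example (not from the deck) that makes that observable: strong replicates synchronously, eventual queues every write into a backlog that drains on `replicate()`, and read-after-write replicates inserts synchronously but updates asynchronously. The class, `probe()` and `lag_demo()` are my constructions, not any database's API.

```python
"""Toy replicated store showing the consistency models from the slide:
strong (synchronous), eventual (asynchronous, replicas lag) and read-after-write
(inserts synchronous, updates asynchronous). Added example, not from the deck;
replication lag is modelled as a backlog that only drains when replicate() runs.
"""
from collections import deque

MODES = ("strong", "eventual", "read-after-write")


class ReplicatedStore:
    def __init__(self, replicas=2, mode="strong"):
        if mode not in MODES:
            raise ValueError(f"mode must be one of {MODES}")
        self.mode = mode
        self.primary = {}
        self.replicas = [{} for _ in range(replicas)]
        self.backlog = deque()  # writes shipped asynchronously, not yet applied

    def _apply_everywhere(self, key, value):
        for r in self.replicas:
            r[key] = value

    def write(self, key, value):
        """Write to the primary; replicate sync or async depending on the mode."""
        is_insert = key not in self.primary
        self.primary[key] = value
        if self.mode == "strong" or (self.mode == "read-after-write" and is_insert):
            self._apply_everywhere(key, value)  # acknowledged only once every replica has it
        else:
            self.backlog.append((key, value))   # acknowledged now, replicas catch up later

    def replicate(self, max_writes=1):
        """Drain up to max_writes backlog entries: one tick of the asynchronous lag."""
        for _ in range(min(max_writes, len(self.backlog))):
            self._apply_everywhere(*self.backlog.popleft())

    def read(self, key, replica=None):
        """Read from the primary (replica=None) or from a given replica."""
        src = self.primary if replica is None else self.replicas[replica]
        return src.get(key)

    def replicas_agree(self, key):
        """True when the primary and every replica hold the same value for key."""
        return all(r.get(key) == self.primary.get(key) for r in self.replicas)


def probe(mode):
    """Insert, then update, reading a replica straight after each, then after the lag drains."""
    s = ReplicatedStore(replicas=2, mode=mode)
    s.write("status", "v1")                 # insert
    after_insert = s.read("status", replica=1)
    s.write("status", "v2")                 # update
    after_update = s.read("status", replica=1)
    from_primary = s.read("status")         # the primary always has the latest value
    s.replicate(max_writes=10)              # let asynchronous replication catch up
    settled = s.read("status", replica=1)
    return after_insert, after_update, from_primary, settled


def lag_demo():
    """Do three eventual replicas agree right after a write, and after one replication tick?"""
    s = ReplicatedStore(replicas=3, mode="eventual")
    s.write("k", 1)
    before = s.replicas_agree("k")
    s.replicate()
    return before, s.replicas_agree("k")


if __name__ == "__main__":
    for m in MODES:
        ins, upd, _, settled = probe(m)
        print(f"{m:17s} replica sees insert={ins!r} update={upd!r} settled={settled!r}")
```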
Database Categories
● There are several categories of databases:
❏ Relational (OLTP and OLAP), Document, Key Value, Graph,
In Memory among others
● Choosing type of database for your use case is not easy. A few
factors:
❏ Do you want a fixed schema?
➔ Do you want flexibility in defining and changing your schema?
(schemaless)
❏ What level of transaction properties do you need? (atomicity
and consistency)
❏ What kind of latency do you want? (seconds, milliseconds or
microseconds)
❏ How many transactions do you expect? (hundreds or
thousands or millions of transactions per second)
❏ How much data will be stored? (MBS or GBS or TBS or
Relational Databases
● This was the only option until a decade
back!
● Most popular (or unpopular) type of
databases
● Predefined schema with tables and
relationships
● Very strong transactional capabilities
● Used for
❏ OLTP (Online Transaction
Processing) use cases and
❏ OLAP (Online Analytics
Processing) usecases
Relational Database - OLTP
● Applications where a large number of users make a large number of small transactions
❏ small data reads, updates and deletes
● Use cases: Most traditional applications - ERP, CRM, e-commerce, banking
● Popular databases:
❏ MySQL, Oracle, SQL Server etc
● Recommended Azure Managed Services:
❏ Azure SQL Database: Managed Microsoft SQL Server
❏ Azure Database for MySQL: Managed MySQL
❏ Azure Database for PostgreSQL: Managed PostgreSQL
Azure SQL Database
● Fully Managed Service for Microsoft SQL Server
● 99.99% availability
● Built-in high availability, automatic updates and backups
● Flexible and responsive serverless compute
● Hyperscale (up to 100 TB) storage
Azure Database for MySQL
● Fully managed, scalable MySQL database
● Supports 5.6, 5.7 and 8.0 community editions of MySQL
● 99.99% availability
❏ Choose single zone or zone redundant high availability
● Automatic updates and backups
● Typically used as part of the LAMP (Linux, Apache, MySQL, PHP/Perl/Python) stack
Azure Database for PostgreSQL
● Fully managed, intelligent and scalable PostgreSQL
● 99.99% availability
❏ Choose single zone or zone redundant high availability
● Automatic updates and backups
● Single Server and Hyperscale Options
❏ Hyperscale: Scale to hundreds of nodes and execute queries across multiple nodes
Relational Database - OLAP (Online Analytics Processing)
● Applications allowing users to analyze petabytes of data
❏ Examples: Reporting applications, Data warehouses, Business intelligence applications, Analytics systems
❏ Sample application: Decide insurance premiums analyzing data from the last hundred years
❏ Data is consolidated from multiple (transactional) databases
● Recommended Azure Managed Service
❏ Azure Synapse Analytics: Petabyte-scale distributed data warehouse
➔ Provides a unified experience for developing end-to-end analytics solutions - Data integration + Enterprise data warehousing + Big data analytics
➔ Enables MPP (massively parallel processing)
➔ Run complex queries across petabytes of data
➔ Earlier called Azure SQL Data Warehouse
Relational Database OLAP vs OLTP
● OLAP and OLTP use similar data structures
● BUT very different approach in how data is
stored
● OLTP databases use row storage
❏ Each table row is stored together
❏ Efficient for processing small transactions
● OLAP databases use columnar storage
❏ Each table column is stored together
❏ High compression - store petabytes of
data efficiently
❏ Distribute data - one table in multiple
cluster nodes
❏ Execute a single query across multiple nodes
❏ Complex queries can be executed efficiently
NoSQL Databases
● New approach (actually NOT so new!) to building your databases
❏ NoSQL = not only SQL
❏ Flexible schema
➔ Structure data the way your application needs it
➔ Let the schema evolve with time
❏ Horizontally scale to petabytes of data with millions of TPS
● NOT a 100% accurate generalization but a great starting point:
❏ Typical NoSQL databases trade-off "Strong consistency and
SQL features" to achieve "scalability and high-performance"
● Azure Managed Service:
❏ Azure Cosmos DB
Azure Cosmos DB
● Fully managed NoSQL database service
● Global database: Automatically replicates data across multiple Azure regions
❏ Schemaless
❏ Single-digit millisecond response times
❏ 99.999-percent availability
❏ Automatic scaling (serverless)
● Supports APIs for MongoDB (document), Cassandra (key/value) and Gremlin (graph)
In-memory Databases
● Retrieving data from memory is much faster than retrieving data from disk
● In-memory databases like Redis deliver microsecond latency by storing persistent data in memory
● Recommended Azure Managed Service
❏ Azure Cache for Redis
● Use cases: Caching, session management, gaming leaderboards, geospatial applications
Databases - Summary
Database Type | Azure Services | Description
Relational OLTP databases | Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL etc. | Transactional use cases needing predefined schema and very strong transactional capabilities (Row storage)
Relational OLAP databases | Azure Synapse Analytics | Columnar storage with predefined schema. Data warehousing & Big Data workloads
NoSQL Databases | Azure Cosmos DB | Apps needing quickly evolving structure (schema-less). MongoDB (document), Cassandra (key/value) and Gremlin (graph)
In memory databases/caches | Azure Cache for Redis | Applications needing microsecond responses
Database Scenarios
Scenario | Solution
A start up with quickly evolving schema (table structure) | Cosmos DB
Single-digit millisecond response times for a global application with millions of users | Cosmos DB
Transactional local database processing thousands of transactions per second | Azure SQL Database OR Azure Database for MySQL OR Azure Database for PostgreSQL etc.
Cache data (from database) for a web application | Azure Cache for Redis
Database for analytics processing of petabytes of data | Azure Synapse Analytics
Networking
Need for Virtual Network
● In a corporate network or an on-premises data center:
❏ Can anyone on the internet see the data exchange between the application and the database?
➔ No
❏ Can anyone from the internet directly connect to your database?
➔ Typically NO.
➔ You need to connect to your corporate network and then access your applications or databases.
● A corporate network provides a secure internal network protecting your resources, data and communication from external users
● How do you create your own private network in the cloud?
❏ Enter Azure Virtual Network
Azure Virtual Network
● Your own isolated network in Azure
❏ Network traffic within a Virtual Network is isolated (not
visible) from all other Azure Virtual Networks
❏ Each Virtual Network is created in a Region
● You control all the traffic coming in and going outside a
Virtual Network
● (Best Practice) Create all your Azure resources (compute,
storage, databases etc) within a Virtual Network
❏ Secure resources from unauthorized access AND
❏ Enable secure communication between your cloud
resources
Need for Subnets
● Different resources are created on cloud
❏ Databases, Compute (VMs) etc
● Each type of resource has its own access needs
● Load Balancers are accessible from internet (public resources)
● Databases or VM instances should NOT be accessible from internet
❏ ONLY applications within your virtual network should be able to
access them (private resources)
● How do you separate public resources from private resources inside a
Virtual Network?
❏ (Solution) Create different subnets for public and private
resources
➔ Resources in a public subnet CAN be accessed from internet (public IP attached, NSG allows inbound from Internet)
➔ Resources in a private subnet CANNOT be accessed from internet (no public IP, NSG denies inbound from Internet)
➔ BUT resources in public subnet can talk to resources in private subnet
➔ (Caveat) Azure has no built-in "public" or "private" subnet type: the separation is enforced by what you attach (public IPs) and what your NSG rules allow
Things to Remember - virtual Network
● Every VM in a VNet is assigned a private IP address
❏ You can assign a public IP address and make it static as well!
● VMs in the same VNet can communicate using private IP
addresses
❏ Even if they are in different subnets
● Virtual Network peering can be used to connect resources in different Virtual Networks
❏ Peered Virtual Networks can be in different regions (global peering)
Azure network security
Azure DDoS
● DDoS (Distributed Denial of Service) attack: large-scale attack to bring your apps down
❏ Result: App goes down or becomes slow. Huge bill because of unlimited auto scaling.
● Two Azure DDoS offerings:
❏ DDOS Protection Basic: Protects against common network layer attacks
➔ Intelligently identifies and blocks DDoS attacks
➔ Enabled by default
➔ No extra cost
❏ DDOS Protection Standard:
➔ Mitigates 60 different DDoS attack types
➔ Provides attack analytics, metrics, alerting and reporting
➔ Get quick support from DDOS Protection Rapid Response (DRR) team
➔ Get a Cost guarantee (Receive service credit if DDoS attack results in
scale-out)
➔ Enable it on the Azure virtual network
➔ DDOS Protection Standard + Web Application Firewall Powerful
combination that protects at:
★ Network layer (Layer 3 and 4, Azure DDOS Protection Standard)
★ Application layer (Layer 7, WAF)
Azure Firewall
● Managed network security service to control traffic in and out of an Azure Virtual Network
❏ Stateful: Once a connection is allowed in one direction, the return traffic for that connection is allowed automatically (no separate rule needed)
❏ Centralized Configuration: With one Azure firewall, you can control
traffic to multiple virtual networks (having hundreds of resources)
across multiple subscriptions
➔ Example: If your enterprise has 10 virtual networks (across multiple
subscriptions) with 100 VMs, you can control traffic with one Azure
Firewall
❏ Integrates with Azure Monitor: Provides logging and analytics
● (REMEMBER) Web application firewall (WAF)
❏ Restrict traffic into web applications
➔ Protects against common web exploits (OWASP Top 10 categories such as SQL injection and cross-site scripting)
❏ Available on Azure Application Gateway, Azure Front Door and Azure Content Delivery Network
Network Security Group (NSG)
● Azure Firewall is a centralized, network-level firewall (deployed in its own subnet, usually in a hub Virtual Network) that traffic is routed through
❏ Network Security Group (NSG) is like an internal firewall inside your Virtual Network, right in front of your resources (a stateful packet filter on a subnet or a network interface)
● Multiple inbound and outbound security rules:
❏ Allow or block traffic based on source/destination IP address, protocol
and port
❏ Restrict traffic between resources such as virtual machines and subnets
❏ Attached with subnets and network interfaces
● Use cases: Allow access to web server only on port 80 and port 443 (HTTP/HTTPS)
❏ Restrict database access only to web servers. Do NOT allow direct access to database from outside world/other servers.
❏ Restrict outbound traffic from VMs to download software packages and system updates
● (REMEMBER) Rules are evaluated in priority order (lower number first) and the first match wins; the default rules (priority 65000 and above) allow all traffic inside the Virtual Network, so restricting a database to the web servers needs an explicit Deny rule as well as the Allow
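How NSG rules are actually evaluated, as an added example (Python; not code from these slides or from Azure): a small simulator of inbound rule processing for the web and database use cases above. The priority ordering, first-match semantics, service tags and the three default inbound rules follow Azure's documented behaviour; the VNet address space (10.0.0.0/16), the two subnets, the rule names and the test addresses are constructed for illustration, and the Internet tag is simplified to "any address outside the VNet".

```python
"""Simulated inbound NSG evaluation for the web/database use cases (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed example VNet: web tier in 10.0.1.0/24, database tier in 10.0.2.0/24.
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]
WEB_SUBNET = "10.0.1.0/24"


@dataclass(frozen=True)
class Rule:
    priority: int      # 100-4096 for custom rules; lower number is evaluated first
    name: str
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR/IP list, "*" or a service tag (VirtualNetwork, Internet, AzureLoadBalancer)
    dest: str
    dest_ports: str    # "80", "80,443", "1024-65535" or "*"


# Azure's built-in default inbound rules; they cannot be removed, only overridden by a lower priority.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule(65500, "DenyAllInBound", "Deny", "*", "*", "*", "*"),
]


def _addr_matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in p for p in VNET_PREFIXES)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":            # simplified: anything outside the VNet address space
        return not in_vnet
    if spec == "AzureLoadBalancer":   # the platform's health-probe source address
        return ip == "168.63.129.16"
    return any(addr in ipaddress.ip_network(p, strict=False) for p in spec.split(","))


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, src_ip: str, dst_ip: str, dst_port: int, protocol: str = "Tcp"):
    """Return (access, rule_name) of the first matching rule in priority order."""
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if (_addr_matches(r.source, src_ip) and _addr_matches(r.dest, dst_ip)
                and _port_matches(r.dest_ports, dst_port)):
            return r.access, r.name
    raise RuntimeError("DenyAllInBound always matches; unreachable")


# Web tier: only HTTP/HTTPS from the Internet; everything else falls through to DenyAllInBound.
WEB_NSG = [Rule(100, "AllowHttpHttpsFromInternet", "Allow", "Tcp", "Internet", "*", "80,443")]

# Naive database NSG: an Allow for the web subnet looks sufficient, but the default
# AllowVnetInBound rule (65000) still admits every other host in the VNet.
DB_NSG_NAIVE = [Rule(100, "AllowMySqlFromWeb", "Allow", "Tcp", WEB_SUBNET, "*", "3306")]

# Hardened database NSG: an explicit Deny that sorts before the default rules.
DB_NSG_HARDENED = DB_NSG_NAIVE + [Rule(110, "DenyAllOtherInbound", "Deny", "*", "*", "*", "*")]


if __name__ == "__main__":
    checks = [
        (WEB_NSG, "203.0.113.5", "10.0.1.4", 443),
        (WEB_NSG, "203.0.113.5", "10.0.1.4", 22),
        (DB_NSG_NAIVE, "10.0.3.7", "10.0.2.4", 3306),      # other VNet host gets in!
        (DB_NSG_HARDENED, "10.0.3.7", "10.0.2.4", 3306),   # now denied
    ]
    for nsg, src, dst, port in checks:
        print(f"{src} -> {dst}:{port} = {evaluate(nsg, src, dst, port)}")
```

The naive database NSG is the common mistake: a single Allow for the web subnet does nothing to stop a compromised jump box or any other VM in the same VNet, because AllowVnetInBound still matches. The hardened version adds a Deny at priority 110, which sorts before the defaults and turns the rule set into a real allow-list.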
Security Best Practice - Defense in depth
● "A chain is only as strong as its weakest link" - Secure at all levels:
❏ Physical security: Control access to physical infrastructure
(Responsibility of Microsoft)
❏ Perimeter: Azure DDoS Protection + Azure Firewall
❏ Network: Restrict internet access (inbound and outbound)
➔ Restrict communication between resources
❏ Compute: Secure access to virtual machines
➔ Implement endpoint protection
➔ Ensure that OS and software patches are applied
❏ Application: Think of security from day one!
➔ Implement security best practices depending on language and
framework
➔ Store secrets in Azure Key Vault
❏ Data: Encrypt data at rest and in transit
❏ Best Practice: Implement security at all levels!
Cloud Computing: Public vs Private vs Hybrid clouds
● Cloud Computing
❏ Public Cloud
➔ You host everything in the cloud (You DO NOT need a data center anymore)
➢ No Capital Expenditure required
➔ Hardware resources are owned by Azure (Microsoft)
➔ Hardware failures and security of the data center are managed by Azure
(Microsoft)
➔ Summary: Hardware owned by Azure and shared between multiple tenants
➢ Tenants: Customers who rent infrastructure (You, Me and other enterprises)
❏ Private Cloud
➔ You host everything in your own data center
➢ Needs Capital Expenditure
➢ Incur staffing and maintenance expenses for infrastructure
➔ Delivers higher level of security and privacy
❏ Hybrid Cloud:
➔ Combination of both (Public & Private)
➢ Use Public Cloud for some workloads and Private cloud for others
➢ Example: Connecting an on-premises app to Azure Cosmos DB
➔ Provides you with flexibility: Go on-premises or cloud based on specific
requirement
Hybrid Cloud: Connecting Azure with on-premises
● Options: VPN and Azure Express Route
❏ VPN: Encrypted connection from on-premises to Azure over the internet
➔ Needs VPN device or gateway on-premises
➔ Need Azure VPN gateway in the Azure Virtual
Network
➔ Encrypted communication over Internet
(public)
❏ Azure Express Route: Private connectivity to
Azure Virtual Network
➔ Provides very high bandwidth
➔ Very high security (private connection)
➔ Traffic does NOT go over internet
➔ Traffic is NOT encrypted by the connection itself (encrypt at the application layer, e.g. TLS, or run an IPsec VPN over ExpressRoute if you need encryption)
Organizing and Managing
Azure Resources
Azure Resource Hierarchy
● Hierarchy: Management Group(s) > Subscription (s)
> Resource Group (s) > Resources
❏ Resources: VMs, Storage, Databases
❏ Resource groups: Organize resources by
grouping them into Resource groups
❏ Subscriptions: Manage costs for resources
provisioned for different teams, different projects or different business units
❏ Management groups: Centralized management
for access, policy, and compliance across multiple
subscriptions
● Remember:
❏ No hierarchy in resource groups BUT
management groups can have a hierarchy
Resource Group
● Resource Group: Logical container for resources
❏ Associated with a single subscription
❏ Can have multiple resources
➔ (REMEMBER) A resource can be associated with
one and only one resource group
❏ Can have resources from multiple regions
❏ Deleting it deletes all resources under it
● Tags assigned to resource group are not
automatically applied to resources
❏ HOWEVER, Permissions/Roles assigned to user
at the resource group level are inherited by all
resources in the group
● Resource Groups (like Management Groups) are free
Subscriptions
● You need a Subscription to create resources in Azure
❏ Subscription links Azure Account to its resources
● An Azure Account can have multiple subscriptions and multiple
account administrators
● When do you create a new subscription?
❏ I want to manage different access-management policies for different
environments:
➔ Create different subscriptions for different environments
➔ Manage distinct Azure subscription policies for each environment
❏ I want to manage costs across different departments of an
organization:
➔ Create different subscriptions for different departments
➔ Create separate billing reports and invoices for each subscription (or
department) and manage costs
❏ I'm exceeding the limits available per subscription
➔ Example: VMs per subscription - 25,000 per region
Subscriptions - Remember
● Two Subscriptions CANNOT be merged into one
❏ HOWEVER, you can move resources from one to another (ex: VMs)
❏ You can also transfer ownership of a subscription (Needs owner
role)
● If Subscription expires:
❏ You will NOT be able to create new resources in the subscription
❏ BUT you can continue to access the data stored
● Each subscription is associated with quotas (service limits):
❏ You can raise a support request to increase some of the quotas
● You can convert a Free Trial to a Pay as you go subscription
● Spending limit: Prevents spending over your credit amount
❏ Azure free account (spending limit: $200) or credit subscription types
have default spending limits
❏ You can't change spending limit BUT you can remove it
Management Groups
● Allows you to manage access, policies, and compliance across multiple subscriptions
❏ Group subscriptions into Management
Groups
❏ All subscriptions & resources under a
Management Group inherit all constraints
applied to it
● (REMEMBER) You can create a hierarchy of
management groups
● (REMEMBER) All subscriptions in a management
group should be associated with the same Azure
AD tenant
Azure Security Features
Azure Security Center
● Security posture management & threat protection for hybrid cloud workloads
❏ Microsoft implements several types of controls to secure Azure
❏ HOWEVER, You need to take additional actions to secure your workloads
❏ How do you decide what actions to take?
● Two Main Goals:
❏ To help you understand your current security situation
➔ Centralized management of security policies
➔ Monitor your compliance against regulatory requirements (example:
Payment Card Industry's Data Security Standard (PCI DSS), ISO 27001)
★ Option to download regulatory compliance reports
➔ Provides an Azure Secure Score
★ To improve secure score, adhere to more security controls
❏ To help you efficiently and effectively improve your security
➔ Azure Security Center provides continuous assessment and security
recommendations
Azure Security Center - Continued
● Example Rules:
❏ Encrypt data in transit
❏ Enable auditing and logging
❏ Azure Backup should be enabled for virtual machines
● Basic Features (Continuous assessment and security
recommendations, Azure secure score) are free:
❏ ($$$) Enable Azure Defender for advanced features
➔ Just in time VM Access, Regulatory Compliance Dashboard,
Threat protection for VMs and PaaS services
➔ Provides 30-day free trial
● Just-in-time (JIT) VM access: Lock down inbound traffic to Azure VMs
❏ Management ports (RDP 3389, SSH 22, WinRM 5985/5986) stay blocked by NSG/Azure Firewall rules until an authorized user requests access
❏ Access is opened only for the requested source IP and for a limited time, then closed again
❏ Reduces exposure to attacks BUT provides easy access when needed
Azure Sentinel
● Intelligent security analytics for your entire enterprise
● Security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution
● Detect threats and respond fast using AI
❏ Behaviour analytics to stay ahead of evolving
threats
● Four phases:
❏ Collect
❏ Detect
❏ Investigate
❏ Respond
Azure Key Vault
● Securely store and access secrets
❏ Examples: API keys, passwords, certificates, or cryptographic keys
● Provides access monitoring and access control for secrets
● (Best Practice) Do NOT store secrets or passwords (example, database passwords) in your application code or configuration
❏ Use Azure Key Vault
❏ Give applications access to Key Vault with a managed identity, so you do not replace one stored credential with another
Core Azure identity service
Typical identity management in the cloud
● You have resources in the cloud (examples - a virtual
server, a database etc)
● You have identities (human and non-human) that need
to access those resources and perform actions
❏ For example: launch (stop, start or terminate) a
virtual server
● How do you identify users in the cloud?
● How do you configure resources they can access?
● How can you configure what actions to allow?
● In Azure, Azure Active Directory provides this service
Authentication vs authorization
● Authentication (is it the right user?) and
● Authorization (do they have the right access?)
● Each app and service needs to authenticate and authorize users:
❏ Would it be a good solution for each app and service to store their own
user details (including credentials)?
❏ What if we can store the user details (including credentials) in a
centralized way and use it across multiple apps and services?
❏ Enter "Centralized identity provider"
❏ Enter "SSO"
Active Directory
● Active Directory: Microsoft's widely used proprietary directory service
● Define users, credentials and their access rights
❏ Provides authentication and authorization
❏ Supports groups
● Active Directory Federation Services (AD FS): Single sign-on
service
❏ Enables you to login to multiple apps and services with the
same credentials!
● Used in on-premises environments
Azure Active Directory
● Azure Active Directory (Azure AD): Active Directory Service in Azure
❏ Control enterprise users and their access to applications and Azure resources
➔ Supports Azure and Microsoft 365
➔ 99.9% availability SLA (Premium edition)
❏ Build applications and enable them to use SSO
❏ Azure AD Connect: Synchronize on-premises Active Directory with Azure AD
➔ Synchronizes user details; for sign-in it syncs password hashes (password hash synchronization), not clear-text passwords (pass-through authentication and federation are the alternatives)
❏ Azure AD MFA: Authenticate users in multiple ways
➔ MFA - Multi Factor Authentication
★ Use 2 of 3 authentication methods:
➢ Something you know, typically a password.
➢ Something you have, trusted device
➢ Something you are, fingerprint or face scan
★ Recommended for Administrative accounts
➔ Risk-based MFA policies (sign-in risk, user risk) need Azure Active Directory Identity Protection (Premium P2)
❏ Azure AD self-service password reset: Global Administrators can enable the
feature to allow users to reset passwords by themselves
Conditional Access
● When a user tries to authenticate, there are three important signals:
❏ WHO is the user? (Administrator or Super User or User)
❏ WHERE is she? (Which location? Is that a normal location for that user?)
❏ WHAT device is she using? (Is this the device she usually logs in from?)
● Can we build intelligence based on this information?
❏ If the user is an administrator, mandate MFA
❏ If the user is logging in from unapproved devices, deny access
❏ If a user is logging in from a previously known location using a previously used
device, allow access without MFA
❏ If a user is logging in from an unknown or unexpected location (different
country, for example), mandate MFA or even deny access
● Conditional Access: granular MFA experience
● Only available with Azure AD Premium P1 or P2 licenses
Role-Based Access Control (RBAC)
● Configure Authorization: Which resources does a
user have access to and what can she do with them?
● Role assignment has 3 parts:
❏ Who? (principal)
❏ What Permissions? (role)
❏ What Scope? (resource OR resource group OR
subscription OR management group)
● Example: Apply the same permissions across multiple VMs
❏ Create the VMs in the same resource group and assign the role at the resource group; every VM in the group inherits it
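How the three parts of a role assignment combine at evaluation time, as an added example (Python; not code from the slides or from Azure). The Actions/NotActions wildcard semantics and the scope inheritance order (management group > subscription > resource group > resource) follow Azure RBAC; the role definitions are trimmed, assumed subsets of the built-in Reader, Contributor and Virtual Machine Contributor roles, and the management group, subscription, resource groups, principals and resource IDs are constructed.

```python
"""Azure RBAC authorization check with scope inheritance (added example)."""
import re
from fnmatch import fnmatchcase

# Trimmed, assumed subsets of the built-in roles. Actions grant operations (wildcards allowed);
# NotActions carve operations back out of the granted set.
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "Virtual Machine Contributor": {
        "Actions": ["Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Compute/disks/*",
                    "Microsoft.Network/networkInterfaces/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "NotActions": []},
}

# Constructed hierarchy: management group mg-corp > subscription sub-prod > resource groups.
MG_OF_SUBSCRIPTION = {
    "/subscriptions/sub-prod": "/providers/Microsoft.Management/managementGroups/mg-corp",
}

# Constructed role assignments: who (principal), what (role), where (scope).
ASSIGNMENTS = [
    {"principal": "alice", "role": "Virtual Machine Contributor",
     "scope": "/subscriptions/sub-prod/resourceGroups/rg-web"},
    {"principal": "bob", "role": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-corp"},
    {"principal": "carol", "role": "Contributor", "scope": "/subscriptions/sub-prod"},
]

VM_WEB = "/subscriptions/sub-prod/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/web01"
VM_DB = "/subscriptions/sub-prod/resourceGroups/rg-db/providers/Microsoft.Compute/virtualMachines/db01"
STORAGE_WEB = "/subscriptions/sub-prod/resourceGroups/rg-web/providers/Microsoft.Storage/storageAccounts/stweb"


def ancestors(scope: str):
    """The scope itself plus every scope it inherits assignments from, most specific first."""
    chain = [scope]
    sub = re.match(r"^(/subscriptions/[^/]+)", scope)
    if not sub:
        return chain                      # management-group scope: nothing above it here
    rg = re.match(r"^(/subscriptions/[^/]+/resourceGroups/[^/]+)", scope)
    if rg and rg.group(1) != scope:
        chain.append(rg.group(1))
    if sub.group(1) != scope:
        chain.append(sub.group(1))
    if sub.group(1) in MG_OF_SUBSCRIPTION:
        chain.append(MG_OF_SUBSCRIPTION[sub.group(1)])
    return chain


def role_permits(role_name: str, action: str) -> bool:
    """Azure matches operation names case-insensitively; '*' spans path segments."""
    role = ROLES[role_name]
    op = action.lower()
    granted = any(fnmatchcase(op, p.lower()) for p in role["Actions"])
    excluded = any(fnmatchcase(op, p.lower()) for p in role["NotActions"])
    return granted and not excluded


def is_authorized(principal: str, action: str, scope: str, assignments=ASSIGNMENTS) -> bool:
    """True if any assignment for the principal, at the scope or an ancestor, permits the action."""
    chain = ancestors(scope)
    return any(a["principal"] == principal and a["scope"] in chain and role_permits(a["role"], action)
               for a in assignments)


if __name__ == "__main__":
    for who, action, scope in [
        ("alice", "Microsoft.Compute/virtualMachines/start/action", VM_WEB),   # inherited from rg-web
        ("alice", "Microsoft.Compute/virtualMachines/start/action", VM_DB),    # other resource group
        ("bob", "Microsoft.Compute/virtualMachines/read", VM_DB),              # inherited from mg-corp
        ("carol", "Microsoft.Authorization/roleAssignments/write", VM_WEB),    # carved out by NotActions
    ]:
        print(f"{who:6} {action:48} -> {is_authorized(who, action, scope)}")
```

Two things worth noticing: Alice's assignment at rg-web covers web01 without any per-VM assignment, which is the slide's point, but does not reach db01 in another resource group; and Carol's Contributor at the subscription can delete VMs anywhere in it yet cannot write role assignments, because the built-in role's NotActions carve out Microsoft.Authorization writes. Real Azure adds deny assignments and ABAC conditions on top of this check.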
Azure Active Directory & Azure Subscription - Remember
● Subscription has a trust relationship with Azure Active
Directory (Azure AD)
❏ Trusts Azure AD to authenticate users, services, and
devices
❏ Multiple subscriptions can trust the same Azure AD
directory
❏ However, each subscription trusts only one directory
● You can transfer an Azure subscription to a different Azure AD
directory
● When an Azure subscription expires:
❏ Associated Azure AD tenant is not deleted. You can link it with a different subscription
Azure management tools
Azure Support Plans
● Plans: Basic, Developer, Standard, Professional Direct (ProDirect)
❏ Earlier plans - Premier, Professional Direct, Standard and Basic
● Features supported for ALL plans
❏ Billing and subscription management support
❏ Ability to submit as many support tickets as you need
❏ Azure Advisor (Automated Azure best practices)
❏ Azure health status and notifications
❏ 24/7 self-help resources:
➔ Documentation and community support (Forums - MSDN,
StackOverflow)
● Supported by Professional Direct ONLY
❏ Support API (Create support tickets programmatically)
❏ ProDirect delivery managers: Get proactive guidance. Request for
service reviews and advisory consultation.
❏ Webinars led by Azure engineers
Azure Support Plans - Comparison
Feature | Basic | Developer | Standard | Professional Direct
Price | FREE | $ | $$ | $$$$$$
Scope | All | Trial and non-production environments | Production environments | Business-critical applications
Email & Phone support | NOT APPLICABLE | During business hours by email only | 24 X 7 | 24 X 7
Response time SLA | NOT APPLICABLE | Sev C: 8 hours | Sev C: 8 hours, Sev B: 4 hours, Sev A: 1 hour | Sev C: 8 hours, Sev B: 4 hours, Sev A: 1 hour
Architecture Support | NA | General guidance | General guidance | Guidance from a pool of ProDirect delivery managers
Azure Advisor
● Automated recommendations to improve reliability, security & performance,
achieve operational excellence & reduce costs
❏ Take immediate actions or schedule or dismiss
❏ Supports notifications for new recommendations
❏ Filter recommendations by subscriptions, resource groups or service
❏ Step-by-step guidance and quick actions for fast remediation
❏ Gives you a total score: Score improves as you take remedial actions
❏ Example Recommendations:
➔ Reliability: Protect your VM data from accidental deletion (Identify VMs where backup
isn't enabled)
➔ Reliability: Create Azure Service Health alerts to be notified when Azure problems affect
you
➔ Cost optimization: Optimize VM spend by resizing or shutting down underutilized
instances
➔ Cost optimization: Optimize spend for MySQL, and PostgreSQL servers by right-sizing
➔ Cost optimization: Delete unassociated public IP addresses to save money
➔ Cost optimization: Use lifecycle management
Azure Monitor
● Gather, analyze and visualize logs and metrics:
❏ From Azure and on-premises resources
❏ Monitor resources across multiple subscriptions
❏ Proactively identify issues and trigger alerts/automated actions
❏ Things you can do with Azure Monitor:
➔ Application Insights: Detect & diagnose application issues
➔ VM insights: Monitor performance & health of your VMs and VM scale sets
➔ Container insights: Monitor performance of container workloads (AKS, ACI etc)
➔ Log Analytics: Troubleshoot issues by querying (KQL) the monitoring data extracted from logs
➔ Create smart alerts (SMS, emails etc) and attempt to automatically take corrective
action
★ Automatically send an alert if an Azure VM is stopped
★ Trigger alerts based on data in an Azure Log Analytics workspace
★ Auto scale based on thresholds
➔ Create visualizations with Azure dashboards
➔ Collect data from monitored resources using Azure Monitor Metrics
➔ Monitor Azure Active Directory logs
Azure Service Health
● Personalized alerts and guidance for Azure service issues
❏ Personalized based on your Azure usage - subscriptions, services and regions
❏ Notifies about Azure service incidents & planned maintenance
➔ Best place to know about outages, issues and planned maintenance
❏ Best Practice: Set up Service Health alerts
➔ Get notified about service issues
➔ Channels: email, SMS, push notification, webhook etc
● Hierarchy: Azure Status > Azure Service Health > Azure Resource Health
❏ Azure Status: Global view of the health of Azure services and regions
❏ Azure Service Health: Personalized dashboard based on your Azure usage
❏ Azure Resource Health: Provides information about the health of your individual cloud resources such as a specific virtual machine instance
● Azure service health can only inform (CANNOT prevent failure)
Azure Management Service - Scenarios
Scenario | Solution
Get details of upcoming planned outages for services you are making use of | Azure Service Health
Get details of services which will be decommissioned | Azure Service Health
Get alerts for new recommendations to improve reliability, security and performance, achieve operational excellence and reduce costs | Azure Advisor
Set up alerts for incidents & planned outages for services you are making use of | Azure Service Health
Set up alerts for issues specific to your resources - VM goes down or Database goes down or Autoscaling is triggered | Azure Monitor
Solve your application related issues | Azure Monitor (Application Insights)
Azure Management Service - Scenarios - 2
Scenario | Solution
Get suggestions on how to reduce costs of your Azure resources | Azure Advisor
Get suggestions on how to improve reliability of your Azure resources | Azure Advisor
Get suggestions on how to improve security of your Azure resources | Azure Advisor
You want to find out if you are adhering to recommended Azure best practices | Azure Advisor
Track performance of a specific database or a VM instance | Azure Monitor
Gather metrics that are tailored for your application | Azure Monitor (Application Insights)
Azure SLAs and Service
Lifecycle
Azure Service Level Agreement (SLA)
● Service Level Agreements (SLA): "Formal
agreement between service provider and the
service customer (or consumer)"
❏ SLAs for individual Azure services
➔ https://azure.microsoft.com/en-gb/support/legal/sla/
❏ (REMEMBER) Free Services do NOT have
an SLA
➔ ex: Azure Advisor
● Azure Status (https://status.azure.com/status): Generic health of Azure services & regions
● Azure Service Health: Health of Azure
services and regions you're using
Azure Service Level Agreement (SLA) - Remember
● If Azure is unable to meet an SLA, you can request a "service credit"
● Modern Lifecycle Policy: Covers products and services that are serviced and supported continuously
❏ Microsoft will provide a minimum of 12 months' notification prior to ending support if no successor product or service is offered (excluding free services or preview releases)
❏ For security updates: 30 days' notification is given if an action on the customer's part is required to prevent significant degradation
Identify actions that can impact an SLA
● You need to identify the right SLA for your app: 99.9% or 99.99% or..
❏ Enterprises can use Azure SLAs to calculate SLAs for their offerings:
➔ If you have a database and a VM with SLAs of 99% each, the combined SLA will be 0.99 * 0.99 = 0.9801 i.e. 98.01% (the more services you depend on in series, the lower the SLA)
● How can you improve the SLA of your app?
❏ Do NOT use free tier products as they do NOT offer an SLA
❏ Choose the right product features:
➔ 99.9% - Single Instance VM using Premium SSD or Ultra Disk
➔ 95% - Single Instance VM using Standard HDD Managed Disks
➔ https://azure.microsoft.com/en-us/support/legal/sla/virtual-machines/v1_9/
❏ Deploy to two or more Availability Zones:
➔ 99.99% - VM connectivity to at least one instance when you have two or more instances deployed across two or more Availability Zones in the same Azure region
❏ Increase Redundancy: deploy components across multiple regions
➔ Add redundancy at all layers
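The arithmetic behind the 0.99 * 0.99 example and the "add redundancy" advice, as an added example (Python; not from the slides). The series and parallel formulas are the standard availability calculations and assume the components fail independently; the 99.9% VM figure is the one quoted above, while the 99.99% database and routing-layer figures are assumed values for the example.

```python
"""Composite SLA calculations for an app built from several Azure services (added example)."""
from math import prod

HOURS_PER_YEAR = 365 * 24


def series_sla(*slas: float) -> float:
    """Every component must be up (the app depends on all of them): availabilities multiply."""
    return prod(slas)


def redundant_sla(*slas: float) -> float:
    """Any one of several independent copies must be up: 1 - product of the failure probabilities."""
    return 1 - prod(1 - s for s in slas)


def downtime_hours_per_year(sla: float) -> float:
    """Translate an availability percentage into the downtime it permits per year."""
    return (1 - sla) * HOURS_PER_YEAR


def multi_region_sla(region_sla: float, regions: int, routing_sla: float) -> float:
    """Regions are redundant with each other, but the global routing layer that fails over
    between them (Traffic Manager / Front Door) is back in series with all of them."""
    return series_sla(routing_sla, redundant_sla(*([region_sla] * regions)))


if __name__ == "__main__":
    # Slide example: a database and a VM at 99% each.
    print(f"two 99% services in series: {series_sla(0.99, 0.99):.4%}")
    # Single-region stack: one premium-disk VM (99.9%) plus a database (99.99%, assumed).
    single = series_sla(0.999, 0.9999)
    print(f"VM + DB in one region: {single:.4%} ({downtime_hours_per_year(single):.2f} h/yr)")
    # Same stack in two regions behind a routing service (99.99%, assumed).
    print(f"two regions + routing: {multi_region_sla(single, 2, 0.9999):.5%}")
```

Two practical consequences fall out of the numbers: a chain of dependencies can never be more available than its weakest link (series), and duplicating the whole stack across regions raises the figure only up to the SLA of whatever routes traffic between the copies, which now sits in series with everything else. Correlated failures (the same region outage taking both copies down) are not captured by the independence assumption.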
Service lifecycle in Azure
● New services (and features) are frequently released
● Releases follow a pre-determined service lifecycle :
❏ Private Preview (OPTIONAL): Released for evaluation to a subset of customers BUT WITH NO SLAs
❏ Public Preview: Available to all customers BUT WITH NO SLAs
➔ You can experiment with the services and provide feedback to
Microsoft
➔ NOT recommended for business-critical workloads
★ Use the services or features in production at your own risk!
➔ Azure portal preview features - https://preview.portal.azure.com/
➔ Explore preview services - Create a resource > Search for "preview"
❏ General Availability: Available to all customers with SLAs
➔ Recommended for production use
● Stay Updated with New Features and Services: https://azure.microsoft.com/en-us/updates/?status=inpreview
Azure governance features
Azure Policy
● How do you ensure that resources stay compliant with your policies?
❏ Create, assign, and manage policies
➔ Automatically ensure that resources stay compliant with defined standards
and SLAs
❏ Manage compliance of resources across multiple subscriptions
❏ Assigned to a management group, a single subscription, or a resource
group
● Initiatives: Group of policies
❏ Azure provides some predefined initiatives:
➔ Azure Security Benchmark, UK OFFICIAL and UK NHS, HIPAA etc
➔ View them under Policy> Authoring > Definitions
● Compliance dashboard: Aggregated view of the overall compliance with
options to drill down to specific resource/policy
● Use cases: Governance for resource consistency, regulatory compliance,
security, cost, and management
Azure Policy - Example and more..
● Examples:
❏ Only allow creation of VMs of specific sizes
❏ Only allow creation of resources in a specific region
❏ Automatically tag all resources in a resource group with the same tags as that
of the resource group
❏ MFA should be mandatory for certain types of accounts
● Existing non-compliant resources will be marked as non-compliant
❏ But they will continue to work as is (the deny effect only blocks new create/update requests)
● Policy evaluation is NOT immediate
❏ Resources are evaluated when they are created or updated, when a policy assignment changes, on demand, and in a full compliance scan roughly once every 24 hours
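What a policy definition looks like and how the compliance evaluation described above works, as an added example (Python; not code from the slides or from Azure Policy itself). The if/then rule grammar (field, equals, in, notIn, exists, allOf, anyOf, not, parameter references) follows the Azure Policy definition schema, and the three definitions mirror the first three examples listed above; the alias table, the parameter values and the sample resources are constructed, and the evaluator supports only this subset of the language.

```python
"""Minimal evaluator for Azure Policy definitions in policyRule if/then form (added example)."""
import re

# Assumed subset of the Azure Policy alias table: alias -> path into the resource JSON.
ALIASES = {
    "Microsoft.Compute/virtualMachines/sku.name": ("properties", "hardwareProfile", "vmSize"),
}
_PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")
_TAG_RE = re.compile(r"^tags\['(.+)'\]$")


def _resolve(value, params):
    """Replace a "[parameters('name')]" reference with the value set on the assignment."""
    if isinstance(value, str):
        m = _PARAM_RE.match(value)
        if m:
            return params[m.group(1)]
    return value


def _field(resource, name):
    """Look up a policy field: top-level property, tags['x'] or a known alias."""
    m = _TAG_RE.match(name)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    if name in ALIASES:
        node = resource
        for key in ALIASES[name]:
            if not isinstance(node, dict) or key not in node:
                return None
            node = node[key]
        return node
    return resource.get(name)


def _condition(cond, resource, params) -> bool:
    if "allOf" in cond:
        return all(_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_condition(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not _condition(cond["not"], resource, params)
    actual = _field(resource, cond["field"])
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params)
    if "in" in cond:
        return actual in _resolve(cond["in"], params)
    if "notIn" in cond:
        return actual not in _resolve(cond["notIn"], params)
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, params, resource):
    """Effect name ('deny', 'audit', ...) if the policy's 'if' matches, else None (compliant)."""
    rule = policy["policyRule"]
    return rule["then"]["effect"].lower() if _condition(rule["if"], resource, params) else None


# The slide examples as policy definitions.
ALLOWED_LOCATIONS = {
    "mode": "Indexed",
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {"if": {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
                   "then": {"effect": "deny"}},
}
ALLOWED_VM_SIZES = {
    "mode": "Indexed",
    "parameters": {"listOfAllowedSKUs": {"type": "Array"}},
    "policyRule": {"if": {"allOf": [
                       {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                       {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                                "in": "[parameters('listOfAllowedSKUs')]"}}]},
                   "then": {"effect": "deny"}},
}
REQUIRE_ENV_TAG = {
    "mode": "Indexed",
    "policyRule": {"if": {"field": "tags['Environment']", "exists": "false"},
                   "then": {"effect": "audit"}},
}

# Constructed assignments (definition + parameter values) and resources.
ASSIGNMENTS = [
    (ALLOWED_LOCATIONS, {"listOfAllowedLocations": ["westeurope", "northeurope"]}),
    (ALLOWED_VM_SIZES, {"listOfAllowedSKUs": ["Standard_B2s", "Standard_D2s_v3"]}),
    (REQUIRE_ENV_TAG, {}),
]
SAMPLE_RESOURCES = [
    {"name": "web01", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope",
     "tags": {"Environment": "prod"}, "properties": {"hardwareProfile": {"vmSize": "Standard_B2s"}}},
    {"name": "bigvm", "type": "Microsoft.Compute/virtualMachines", "location": "eastus",
     "tags": {}, "properties": {"hardwareProfile": {"vmSize": "Standard_M128s"}}},
    {"name": "stlogs", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope", "tags": {}},
]


def compliance_report(resources=SAMPLE_RESOURCES, assignments=ASSIGNMENTS):
    """Resource name -> effects triggered by the assigned policies (empty list = compliant).
    In a compliance scan a triggered 'deny' on an existing resource only marks it
    non-compliant; deny blocks requests at create/update time."""
    return {r["name"]: [e for e in (evaluate(p, prm, r) for p, prm in assignments) if e]
            for r in resources}


if __name__ == "__main__":
    for name, effects in compliance_report().items():
        print(f"{name:8} {'compliant' if not effects else ', '.join(effects)}")
```

The fourth slide example (copying resource group tags onto resources) uses the modify effect, which rewrites the request rather than accepting or rejecting it, and is deliberately left out of this evaluator. The audit policy shows the other half of the story: it never blocks anything, it only surfaces the missing tag in the compliance dashboard, which is why mandatory tags are usually enforced with deny or modify once teams have had time to catch up.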
Azure Blueprints
● Azure Blueprint = One or more of (Policy + Role + ARM template
+ Resource Group) configurations
❏ Different pre-built blueprints available
➔ Australian Government, UK OFFICIAL, Azure Security Benchmark,
Basic Networking, Common Policies (Set of popular policies to apply
to a subscription), FedRAMP, HIPAA etc
● Your architecture team can create blueprints adhering to your
organization's standards, patterns, and requirements
❏ And your teams use the blueprints to create Azure resources
➔ Blueprints can be assigned to individual subscriptions
➔ Blueprints can be used to set up resource groups within
subscriptions
❏ Helps teams to quickly set up environments adhering to
organizational standards
➔ You can even setup an automated CI/CD pipeline
Cloud Adoption Framework for Azure
Resource Locks
● Prevent accidental deletion/modification of resources:
❏ Applicable at multiple levels: subscription, resource group, or resource
➔ An Azure resource inherits locks from its resource group and subscription
❏ Locks apply to everyone regardless of role: a locked resource must be unlocked before the blocked operation succeeds (even for owners)
● Two lock levels:
❏ ReadOnly: Authorized users can read BUT they can't delete or update the resource
❏ CanNotDelete: Authorized users can read and modify BUT they can't delete the resource
● Example: If a Resource Group has a CanNotDelete lock, the administrator must first remove the lock before she can delete the resources
● You can have multiple locks at different levels (the most restrictive one wins)
Privacy and Compliance
Azure - Privacy & Information Protection
Service/Documentation | Description
Microsoft Privacy Statement | Explains the personal data Microsoft processes, how Microsoft processes it, and for what purposes.
Product Terms Site | Terms and conditions for software and online services products.
Data Protection Addendum | Your and Microsoft's obligations with respect to the processing and security of Customer Data and Personal Data in connection with Azure. Search for DPA at https://www.microsoftvolumelicensing.com/DocumentSearch.aspx. Covers Data transfer, Data retention, Data deletion and Data Security
Azure Information Protection | Classify and protect your documents and emails. Add labels indicating what kind of protection/encryption you want. Uses Azure Rights Management (Azure RMS) - integrates with Office 365, Azure Active Directory etc. Protection stays with the documents and emails independent of the location, networks, file servers, and applications
Compliance & Azure - Compliance Hub & more..
● What is Compliance?
❏ Depending on the domain of your enterprise, you need to adhere to several
industry and security standards (in addition to corporate and regulatory
policies)
● You are using services provided by Azure and storing data in Azure
● What standards & regulations does Azure services adhere to?
❏ Service Trust Portal: https://servicetrust.microsoft.com
● How does Azure help you with compliance?
❏ Azure Compliance Hub: https://docs.microsoft.com/en-us/azure/compliance/
➔ Azure Security and Compliance Blueprints - Easily create environments compliant with different standards - ISO/IEC 27001, PCI DSS etc
❏ Azure Compliance Manager: Part of Service Trust Portal
➔ Automates complete compliance lifecycle: Manage Risks, Implement
Controls, Check compliance against regulations and standards, Reporting to
Auditors
Compliance & Azure - Important Standard to Remember
● 90+ Azure compliance offerings can be grouped into four segments:
Global, US government, industry specific, and region/country specific
❏ 50+ compliance offerings specific to global regions and countries (the US,
the European Union, Germany, etc.)
❏ 35+ compliance offerings specific to the needs of key industries (health,
government, finance etc)
❏ Important Standards to Remember:
➔ International Organization for Standardization (ISO): ISO/IEC 27001 (information security management), ISO/IEC 27017 (security controls for cloud services), ISO/IEC 27701 (privacy information management), ISO/IEC 27018 (protection of personal data in the cloud)
➔ System and Organization Controls (SOC): SOC 1 (controls relevant to customers' financial reporting), SOC 2 (security, availability, processing integrity, confidentiality and privacy controls of the service provider)
➔ General Data Protection Regulation (GDPR): Strengthens personal data
protection in Europe
➔ Health Insurance Portability & Accountability Act (HIPAA): Data privacy &
security requirements for organizations handling PHI
➔ Payment Card Industry - Data Security Standards (PCI-DSS)
Azure & Compliance - A Quick Summary
Service | Description
Service Trust Portal | Independent audit reports for Microsoft's Cloud services. https://servicetrust.microsoft.com
Azure Compliance Hub | Compliance offerings in Azure. https://docs.microsoft.com/en-us/azure/compliance/ Offers blueprints to simplify your compliance implementations
Azure Compliance Manager | Manage your organization's compliance requirements. Part of Service Trust Portal
Azure Sovereign Regions
Service | Detail
Azure global | What we are using until now!
Azure Government | Cloud environment specifically built to meet compliance and security requirements for US government. Examples: FedRAMP (Federal Risk and Authorization Management Program), NIST (National Institute of Standards and Technology), ITAR (International Traffic in Arms Regulations), IRS 1075 (Internal Revenue Service), DoD (U.S. Department of Defense) L4, and CJIS (Criminal Justice Information Services). Uses physically isolated data centers and networks located in the US. Only US government entities and contractors are eligible to use Azure Government services
Azure China | Physically separated instance of cloud services located in China. Operated by 21Vianet. Complies with regulation in China (China Telecommunication Regulation)
Azure Germany | Physically isolated instance of Microsoft Azure in Germany. No longer accepting customers!
Azure cost management
planning and managing
costs
Consumption-based vs Fixed-price Pricing Models
● Consumption-based - You are billed for only what you use
❏ Example: Azure Functions (Consumption plan) - You pay per invocation and for the execution time used
● Fixed-price - You are billed for instances irrespective of whether they are used or not
❏ Example: You provision a VM instance
➔ You pay for its lifetime irrespective of whether you use it
or NOT
❏ Example: App Service - You choose App Service plan
(Basic, Standard or Premium plans)
➔ You are billed irrespective of whether you use it or not
Expenditure Models: CapEx vs OpEx
● Capital Expenditure (CapEx): Money spent to buy
infrastructure
❏ Additional cost to maintain infrastructure with time
❏ You might need a team to manage the infrastructure
❏ Example: Deploying your own data center with physical
servers
❏ Example: Purchasing Azure Reserved VM Instances
❏ Example: Leasing Software
● Operational Expenditure (OpEx): Money spent to use a service
or a product
❏ Zero upfront costs
❏ You Pay for services as you use them (Pay-as-you-go model)
❏ Example: Provisioning VMs as you need them
❏ Example: Using Azure Functions and paying for invocations
Total Cost of Ownership (TCO) calculator
● Estimate the cost savings you get by migrating your workloads to Azure
● 1: Define your workloads: Enter the details of your on-premises workloads
❏ Servers, Databases, Storage, Networking details
● 2:Adjust assumptions: Customize Electricity costs, Storage costs, IT labour
costs, Hardware costs, Software costs etc
● 3:View report: Side-by-side comparison of the cost breakdown
Pricing calculator
● Estimate the costs for Azure services
● Example Services that you can estimate costs for:
❏ Virtual Machines
❏ Storage Accounts
❏ Azure SQL Database
❏ App Service
❏ Azure Cosmos DB
❏ Azure Kubernetes Service (AKS)
❏ Azure Functions
● Ideal place to explore and learn important factors about
different Azure services
How is cost decided?
Factor | Details
Resource type and configuration | How much memory? How much CPU? Which access tier?
Usage meters | How long was your VM running for? How much ingress and how much egress? How many invocations of an Azure function?
Azure subscription type | Free trial vs Pay as you go vs Enterprise Agreement
Azure Marketplace | Vendors decide pricing on Azure Marketplace
Which Region? | Price varies from Region to Region
Data transfer | Ingress and Egress. Inbound data from on-premises to Azure is free. Outbound data from Azure to on-premises is NOT free. Data traffic between Azure services in the same region/AZ is free
Reserved or Not | Some services offer reservations ahead of time
Azure Cost Management
● Setup and manage your account
❏ Configure subscriptions, manage invoices and payment
methods
● Analyze and optimize cloud costs
❏ Break down and analyze costs to get a deeper understanding
of cost and usage patterns
● Control and optimize costs
❏ Setup Budget and Cost Alerts
Managing Costs - Best Practice
● Estimate costs before you deploy (Pricing Calculator)
❏ Calculate TCO
● Group resources based on cost ownership
❏ Subscriptions, Resource Groups, Tags
● Use Cost Management features
❏ Cost analysis
❏ Budgets and Cost alerts
❏ Advisor recommendations
● Stop Resources when you don't need them
❏ (Remember) You pay for active resources
➔ Shutting a VM down from inside the guest OS leaves it allocated, so compute is still billed. Stop it from Azure (portal, CLI or PowerShell) so it reaches the "Stopped (deallocated)" state.
➔ Even when a VM is deallocated, its disks and data are still stored. You still pay
for storage (and for any static public IP attached to it).
● Use Managed Services (PaaS >>> IaaS)
● Reserve VMs for 1 or 3 years (Azure Reservations)
More Azure
Tags
● Identify the applications, environments or business units that a specific
resource is associated with
❏ Report and track costs for a group of resources by assigning
them the same tag
❏ Group resources based on their SLA, security or compliance
requirements
● Best Practice: Identify mandatory tags that all resources should
have and enforce them using Azure Policy
❏ Example: Environment, BusinessUnit, Priority
● Tags on a resource are not inherited by default from its
resource group or subscription (an Azure Policy with the modify effect can copy them down)
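The "enforce mandatory tags with Azure Policy" point above is easier to see with the actual policy shape. The following is an added example, not code from the slides: it builds a deny policy in the real Azure Policy definition structure (policyRule with if/then, the tags['<name>'] field alias, the deny effect) and runs it through a small local evaluator over constructed resources. The tag names, resource names and the evaluator itself are assumptions for illustration; in Azure the evaluation happens inside Resource Manager, not in your code. The third sample resource shows the non-inheritance rule: its resource group is fully tagged, but the resource itself is still denied.

```python
"""Added example (not part of the original slides): a minimal evaluator for
an Azure Policy definition that denies resources missing mandatory tags.

The policy dict mirrors the real Azure Policy definition structure. Only the
evaluator and the sample resources are hypothetical.
"""
import json

# Mandatory tags this (hypothetical) organisation requires on every resource.
MANDATORY_TAGS = ["Environment", "BusinessUnit", "Priority"]


def build_require_tags_policy(tags):
    """Return an Azure Policy definition (as a dict) that denies any resource
    missing one of the given tags: the built-in 'Require a tag on resources'
    rule generalised to several tags via anyOf."""
    return {
        "mode": "Indexed",  # evaluate only resource types that support tags and location
        "policyRule": {
            "if": {"anyOf": [{"field": f"tags['{t}']", "exists": "false"} for t in tags]},
            "then": {"effect": "deny"},
        },
    }


def _field_value(resource, field):
    """Resolve a policy field alias against a resource. This toy evaluator
    understands the tags['x'] alias and plain top-level fields only."""
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    return resource.get(field)


def _matches(condition, resource):
    """Evaluate a policy condition: anyOf / allOf / not / exists / equals."""
    if "anyOf" in condition:
        return any(_matches(c, resource) for c in condition["anyOf"])
    if "allOf" in condition:
        return all(_matches(c, resource) for c in condition["allOf"])
    if "not" in condition:
        return not _matches(condition["not"], resource)
    value = _field_value(resource, condition["field"])
    if "exists" in condition:
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    if "equals" in condition:
        return value == condition["equals"]
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(policy, resource):
    """Return the policy effect ('deny') if the rule matches, else 'allow'."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if _matches(rule["if"], resource) else "allow"


# Constructed sample resources (hypothetical names). The third one sits in a
# tagged resource group, but tags are NOT inherited by the resource itself.
RESOURCE_GROUP_TAGS = {"Environment": "prod", "BusinessUnit": "payments", "Priority": "high"}
SAMPLE_RESOURCES = [
    {"name": "vm-pay-01", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"Environment": "prod", "BusinessUnit": "payments", "Priority": "high"}},
    {"name": "vm-scratch", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"Environment": "dev"}},
    {"name": "st-pay-01", "type": "Microsoft.Storage/storageAccounts",
     "resourceGroupTags": RESOURCE_GROUP_TAGS, "tags": {}},
]


def missing_tags(resource, tags=MANDATORY_TAGS):
    """List the mandatory tags the resource itself does not carry."""
    return [t for t in tags if t not in resource.get("tags", {})]


def audit(resources=SAMPLE_RESOURCES, tags=MANDATORY_TAGS):
    """Evaluate every resource; return {name: (effect, missing_tags)}."""
    policy = build_require_tags_policy(tags)
    return {r["name"]: (evaluate(policy, r), missing_tags(r, tags)) for r in resources}


if __name__ == "__main__":
    print(json.dumps(build_require_tags_policy(MANDATORY_TAGS), indent=2))
    for name, (effect, missing) in audit().items():
        print(f"{name:12s} {effect:6s} missing={missing}")
```

The printed policy dict is what you would put in the policyRule of a custom definition; assign it at subscription or management-group scope and Resource Manager rejects untagged create/update requests before they reach the resource provider.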
Windows Virtual Desktop (now Azure Virtual Desktop)
● Your enterprise has remote developers. How do you
provide desktops to them?
❏ One option to consider is "Windows Virtual Desktop"
● Connect with any device (Windows, Mac, iOS, Android, and
Linux) over the internet
● Centralized identity and security with Azure Active Directory (Azure AD)
● Option to Bring your own licenses (BYOL)
❏ Bring in an eligible Microsoft 365 license
Azure Marketplace
● Discover, try, and deploy the cloud software you want
https://azuremarketplace.microsoft.com
● Customized and certified solutions optimized for Azure, provided by
Microsoft partners and other software vendors
● Provision end-to-end solutions (applications and services)
● Solutions under a variety of categories
❏ Compute, Containers, Databases, Developer Tools, DevOps etc
● Run WordPress, RabbitMQ, CouchDB etc
● Flexible hourly billing
Core Azure Solutions
Getting started with Internet of Things (IoT)
● IoT devices: hardware with sensors to
❏ Capture temperature and humidity levels
❏ Detect smoke, gas etc
❏ Capture Geo-location and proximity
❏ Capture Device metrics
❏ etc...
● IoT devices are all around us:
❏ Smart Watches, Fitness Trackers, and other Wearables
❏ Health Monitoring
❏ Smart Homes (lighting, coffee maker, security devices)
❏ Autonomous and Connected Vehicles
● IoT devices generate huge volumes of time-series data
Managing IoT Devices and Communication
● Typical IoT use cases:
❏ Authenticate an IoT device
❏ Receive telemetry (data) from an IoT device
❏ Manage an IoT device from the cloud
● How do you manage and communicate with millions of IoT devices?
❏ Use cloud IoT services
● IoT in the Cloud - Typical Steps
❏ 0: Authenticate and register the IoT device (each device gets its own identity and credential; never share one key across a fleet)
❏ 1: Capture data
❏ 2: Relay data
➔ Cloud IoT services can relay data from sensors to your service end
points in the cloud
❏ 3: Analyze and get intelligence
➔ Using cloud AI services, you can
➢ Predict if a machine needs maintenance
➢ Predict equipment failure ahead of time (and replace) and .....
Internet of Things (IoT) in Azure - 3 Important Services
● Azure IoT Hub: Managed message hub for IoT devices
❏ Programmatic reporting and IoT device management
● Azure IoT Central: IoT Hub + Dashboard
❏ Reporting and management with a simple user interface
❏ Recommended when you want to manage IoT devices with a simple user
interface OR
➔ When you need to be able to generate and access reports
from the Azure portal
● Azure Sphere: End-to-end IoT solution with device tampering
detection
❏ Hardware (microcontroller unit) + Software + Communication +
End-to-end Security
❏ Recommended for high-security use cases: ATMs, Point of Sale
devices
Internet of Things (IoT) in Azure - Azure IoT Hub
● Managed message hub for IoT devices
❏ Enables bi-directional communication between IoT devices
and IoT cloud services
❏ Every device has its own identity in the hub; devices authenticate with a per-device key (SAS token) or an X.509 certificate
● Things you can do:
❏ Send regular telemetry from the IoT device to the cloud
❏ Upload files from IoT devices to the cloud (for example to Azure
Blob Storage and Azure Data Lake Storage Gen2)
❏ Manage your IoT device by sending messages (command and
control)
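The "authenticate an IoT device" step and the IoT Hub identity model above are concrete enough to show in code. The following is an added example, not code from the slides or from the Azure SDK: it builds a device SAS token using the documented IoT Hub rule (HMAC-SHA256 over the URL-encoded resource URI and the expiry, keyed with the base64-decoded device key) and then validates it the way a relying party must, with a constant-time comparison and an expiry check. The hub host name, device id and key are constructed placeholders, and the verifier is a local re-implementation of the hub-side check rather than IoT Hub's own code.

```python
"""Added example (not part of the original slides): IoT Hub device SAS token
generation plus the validation a receiving side must perform.

Token rule (from the IoT Hub documentation):
  string-to-sign = url-encoded(resourceUri) + "\n" + expiry-epoch-seconds
  signature      = base64(HMAC-SHA256(base64-decoded key, string-to-sign))
  token          = "SharedAccessSignature sr=<uri>&sig=<sig>&se=<expiry>[&skn=<policy>]"
"""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote_plus, urlencode

# Constructed values: not a real hub, device or key.
HUB_HOST = "contoso-hub.azure-devices.net"
DEVICE_ID = "thermostat-0042"
DEVICE_KEY = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()


def resource_uri(hub_host, device_id):
    """Per-device resource URI: a token is only valid for this one device."""
    return f"{hub_host}/devices/{device_id}"


def _signature(uri, expiry_epoch, key_b64):
    string_to_sign = f"{quote_plus(uri)}\n{expiry_epoch}".encode("utf-8")
    digest = hmac.new(base64.b64decode(key_b64), string_to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def generate_sas_token(uri, key_b64, expiry_epoch, policy_name=None):
    """Build a SAS token exactly as the IoT Hub docs specify."""
    fields = {"sr": uri, "sig": _signature(uri, expiry_epoch, key_b64), "se": str(expiry_epoch)}
    if policy_name:  # hub-level shared access policies carry skn; device tokens do not
        fields["skn"] = policy_name
    return "SharedAccessSignature " + urlencode(fields)


def verify_sas_token(token, expected_uri, key_b64, now_epoch):
    """Validate a token: parse, check the resource, recompute the HMAC,
    compare in constant time, then check expiry. Returns (ok, reason)."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False, "bad scheme"
    fields = {k: v[0] for k, v in parse_qs(token[len(prefix):], strict_parsing=True).items()}
    if not {"sr", "sig", "se"} <= fields.keys():
        return False, "missing field"
    if fields["sr"] != expected_uri:
        return False, "wrong resource"  # token issued for another device or hub
    try:
        expiry = int(fields["se"])
    except ValueError:
        return False, "bad expiry"
    # Constant-time comparison: a plain == leaks timing information about the signature.
    if not hmac.compare_digest(_signature(fields["sr"], expiry, key_b64), fields["sig"]):
        return False, "bad signature"
    if expiry <= now_epoch:
        return False, "expired"
    return True, "ok"


def demo(now_epoch=None):
    """Issue a one-hour token for DEVICE_ID and run it through the checks."""
    now_epoch = int(time.time()) if now_epoch is None else now_epoch
    uri = resource_uri(HUB_HOST, DEVICE_ID)
    token = generate_sas_token(uri, DEVICE_KEY, now_epoch + 3600)
    results = {
        "valid": verify_sas_token(token, uri, DEVICE_KEY, now_epoch),
        "other_device": verify_sas_token(token, resource_uri(HUB_HOST, "thermostat-0043"), DEVICE_KEY, now_epoch),
        "tampered": verify_sas_token(token.replace("&se=", "&se=9"), uri, DEVICE_KEY, now_epoch),
        "expired": verify_sas_token(token, uri, DEVICE_KEY, now_epoch + 3601),
    }
    return token, results


if __name__ == "__main__":
    token, results = demo()
    print(token)
    for case, outcome in results.items():
        print(f"{case:13s} -> {outcome}")
```

Note the two properties that make the per-device identity useful: the signed string binds the token to one device URI, so a leaked token from one thermostat cannot be replayed against another, and the short expiry bounds how long a leaked token is useful.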
Internet of Things (IoT) in Azure - Azure IoT Central
● IoT Hub + Dashboard (reporting and management)
● Connect, monitor, and manage your IoT devices using a simple
user interface
❏ Perform maintenance (push a software/firmware update) for
your IoT devices
❏ Adjust IoT device properties
● Provides starter templates for various IoT use cases
● IoT Hub: Control devices and generate reports via REST API
● IoT Central: Starter templates + visual dashboards (reporting,
management of IoT devices)
Internet of Things (IoT) in Azure - Azure Sphere
● End-to-end IoT solution
❏ IoT Device
➔ Hardware: certified microcontroller unit (MCU) with a built-in hardware root of trust
➔ Azure Sphere OS (Linux-based)
❏ Security
➔ Azure Sphere Security Service - AS3
➔ Ensures that the device has not been tampered with (boot and OS integrity are attested to AS3)
➔ Handles authentication (certificate-based device identity)
➔ Delivers OS and application updates over the air
❏ Communication (with IoT Hub)
➔ Telemetry & Errors
● Highly secure IoT devices
❏ For use in ATMs, Point of Sale devices etc
Modern Architecture in Azure
Azure Big Data - Synapse Analytics, HDInsight & Databricks
Service: Description
Azure Synapse Analytics: Provides a unified experience for developing end-to-end analytics solutions (data integration + enterprise data warehousing + big data analytics). Enables MPP (massively parallel processing). Run complex queries across petabytes of data. Earlier called Azure SQL Data Warehouse.
Azure HDInsight: Managed open-source analytics service based on Hadoop. Run open-source frameworks like Apache Hadoop, Spark, Hive, Kafka. Used for complex processing like ETL, data warehousing, machine learning.
Azure Databricks: Managed Apache Spark-based analytics service. Launch an Apache Spark environment in minutes. Build artificial intelligence (AI) solutions using Python, Scala, R, Java and SQL. Supports popular data science frameworks and libraries including TensorFlow, PyTorch and scikit-learn.
Machine Learning in Azure
Service: Discussion
Azure Cognitive Services: Pre-built machine learning models
❏ Language services: Process written text
❏ Speech services: Translation. Text to speech and vice-versa.
❏ Vision services: Intelligence around pictures and videos
❏ Decision services: Automatically moderate content. Identify anomalies.
Azure Bot Service: Talk with humans like a human. Virtual agents (intelligent, enterprise-grade bots) that enhance customer experience. Provides natural language understanding and automatic translation features. Use cases: Handling reservations.
Azure Machine Learning: Quickly build and deploy models programmatically & visually (end-to-end machine learning life cycle). Supports popular ML languages and frameworks - MLflow, Kubeflow, ONNX, PyTorch, TensorFlow, Python, R and Jupyter notebooks. Features: Drag-and-drop machine learning & automated machine learning.
Machine Learning Scenarios
Scenario: Solution
Virtual agent that talks with humans like a human: Azure Bot Service
Identify objects in a video: Azure Cognitive Services (Vision services)
Automate creation of custom ML models: Azure Machine Learning
Help data scientists and AI engineers create complex ML models: Azure Machine Learning
DevOps
DevOps
● Getting Better at "Three Elements of Great Software Teams"
❏ Communication - Get teams together
❏ Feedback - The earlier you find a problem, the easier it is to fix
❏ Automation - Automate testing, infrastructure provisioning, deployment, and
monitoring
DevOps - CI, CD
● Continuous Integration
❏ Every commit is built, tested and packaged automatically
● Continuous Delivery
❏ Every change that passes CI is deployed automatically to a test/staging
environment and kept release-ready; the push to production is a manual decision
● Continuous Deployment
❏ Every change that passes the pipeline is deployed to production
automatically, with no manual gate
Azure DevOps - CI, CD Tools
● Azure Repos - Private source control (Git)
❏ Alternative: GitHub - Public and Private Source Control
● Azure Pipelines - Orchestrate CI/CD pipelines
❏ Alternative: GitHub Actions
● Azure Boards - Scrum, Agile and Kanban boards
● Azure Artifacts - Artifact repository (package feeds) to store build outputs
● Azure Test Plans - Test management for manual, exploratory and automated test runs
❏ Track test results from your CI/CD pipelines
DevOps - IaC (Infrastructure as Code)
● Treat infrastructure the same way as application code
❏ Track your infrastructure changes over time (version control)
❏ Bring repeatability into your infrastructure
❏ 1: Infrastructure Provisioning
➔ Provisioning compute, database, storage and networking
➔ Open source, cloud neutral - Terraform
➔ Azure Service - Azure Resource Manager (ARM) templates and Bicep (can also use PowerShell
or Azure CLI automation)
❏ 2: Configuration Management
➔ Install the right software and tools on the provisioned resources
➔ Open Source Tools - Chef, Puppet, Ansible
Azure Resource Manager (ARM) templates - Introduction
● Let's consider an example:
❏ I want to create a new VNet with two subnets
❏ I want to provision a Load Balancer, a Scale Set with 5 VM
instances and an Azure Cosmos DB database in those subnets
❏ I want to set up the right network security groups
● AND I want to create 4 environments
❏ Dev, QA, Stage and Production!
● Azure Resource Manager (ARM) templates can help you do
all of this with a single (actually NOT so simple) template!
Azure Resource Manager (ARM) templates - Advantages
● Define resources in a JSON file - ARM template (or in Bicep, which compiles to the same JSON)
● Advantages:
❏ Avoid configuration drift
❏ Avoid mistakes with manual configuration
❏ Think of it as version control for your environments
● Declarative approach to Infrastructure as Code:
❏ Understands dependencies (dependsOn) and creates resources in the right order
❏ Parallelizes creation of resources when possible
❏ Can roll back to the last successful deployment if a deployment fails (rollback-on-error option; not automatic by default)
❏ Caveat: the default Incremental mode only adds or updates resources; Complete mode also deletes resources in the resource group that are not in the template, so review a what-if before using it
❏ PowerShell and Bash scripts can also be used for IaC
➔ But they need step by step instructions
➢ 1: Do this
➢ 2: Do that..
➔ And they don't handle failures very well
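The "understands dependencies, parallelizes when possible" claim is the core of the declarative approach, and it is worth seeing what a deployer actually has to compute from a template's dependsOn entries. The following is an added example, not code from the slides or from Azure Resource Manager: it takes a constructed template fragment modelled on the VNet + NSG + load balancer + scale set + Cosmos DB scenario above and groups the resources into deployment waves with a topological sort, rejecting unknown dependencies and cycles instead of deploying half a template. Resource names are illustrative, and dependsOn holds plain names rather than the resourceId() expressions a real template uses.

```python
"""Added example (not part of the original slides): turn an ARM template's
dependsOn graph into deployment waves. Resources in one wave are independent
and can be created in parallel; wave n+1 starts only after wave n finishes.
The planner is a textbook topological sort, not ARM's own implementation.
"""

# Constructed template fragment. Each entry is one ARM resource; dependsOn
# lists the resource names it must wait for (simplified from resourceId()).
TEMPLATE_RESOURCES = [
    {"name": "nsg-web",  "type": "Microsoft.Network/networkSecurityGroups",   "dependsOn": []},
    {"name": "nsg-data", "type": "Microsoft.Network/networkSecurityGroups",   "dependsOn": []},
    {"name": "vnet",     "type": "Microsoft.Network/virtualNetworks",         "dependsOn": ["nsg-web", "nsg-data"]},
    {"name": "lb",       "type": "Microsoft.Network/loadBalancers",           "dependsOn": ["vnet"]},
    {"name": "vmss",     "type": "Microsoft.Compute/virtualMachineScaleSets", "dependsOn": ["vnet", "lb"]},
    {"name": "cosmos",   "type": "Microsoft.DocumentDB/databaseAccounts",     "dependsOn": []},
]


def deployment_waves(resources):
    """Group resources into waves (lists of names, each sorted for stable output).
    Raises ValueError on unknown dependencies or on a dependency cycle."""
    names = {r["name"] for r in resources}
    deps = {r["name"]: set(r.get("dependsOn", [])) for r in resources}
    for name, ds in deps.items():
        unknown = ds - names
        if unknown:
            raise ValueError(f"{name} depends on unknown resource(s): {sorted(unknown)}")

    # Kahn's algorithm: repeatedly take everything whose dependencies are done.
    indegree = {n: len(ds) for n, ds in deps.items()}
    dependants = {n: set() for n in names}
    for n, ds in deps.items():
        for d in ds:
            dependants[d].add(n)

    waves = []
    ready = sorted(n for n, deg in indegree.items() if deg == 0)
    while ready:
        waves.append(ready)
        next_ready = []
        for n in ready:
            for m in dependants[n]:
                indegree[m] -= 1
                if indegree[m] == 0:
                    next_ready.append(m)
        ready = sorted(next_ready)

    if sum(len(w) for w in waves) != len(names):
        stuck = sorted(n for n, deg in indegree.items() if deg > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return waves


def plan(resources):
    """Return (waves, None) on success or (None, error message) on rejection."""
    try:
        return deployment_waves(resources), None
    except ValueError as e:
        return None, str(e)


def with_cycle(resources):
    """Copy of the template where nsg-web depends on vnet, which already
    depends on nsg-web: a mistake a declarative deployer must reject up front."""
    copy = [dict(r, dependsOn=list(r["dependsOn"])) for r in resources]
    next(r for r in copy if r["name"] == "nsg-web")["dependsOn"].append("vnet")
    return copy


if __name__ == "__main__":
    for i, wave in enumerate(deployment_waves(TEMPLATE_RESOURCES), 1):
        print(f"wave {i}: {', '.join(wave)}")
    waves, err = plan(with_cycle(TEMPLATE_RESOURCES))
    print("rejected:", err)
```

With the constructed fragment the planner puts the two NSGs and the Cosmos DB account in the first wave, then the VNet, then the load balancer, then the scale set; an imperative script would have to encode that ordering by hand, and would not notice the cycle until a deployment hung.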
Azure Resource Manager
● Deployment and management service for Azure
● All actions on any resource in Azure go through ARM
❏ Irrespective of where you are performing them from
➔ Azure portal OR PowerShell OR CLI OR ARM template or ….
❏ This is why RBAC, Azure Policy and resource locks apply uniformly: ARM checks them on every request before it reaches the resource provider
Azure Portal, PowerShell, CLI, Cloud Shell, & Mobile App
Tool: Details
Azure Portal: Web-based user interface. Great to get started BUT not scriptable (no automation). Runs in all modern desktop and tablet browsers.
Azure Mobile App: iOS and Android apps (subset of features). Convenience of managing from anywhere.
Azure PowerShell: Execute cmdlets (Az module) and create PowerShell scripts. Recommended for teams familiar with Windows administration. Cross-platform (Windows, Linux, and macOS).
Azure CLI: Similar to Azure PowerShell BUT uses a different syntax (az commands, typically driven from Bash scripts). Recommended for teams familiar with Linux administration. Cross-platform (Windows, Linux, and macOS).
Azure Cloud Shell: Browser-based interactive shell (access from the Azure Portal or shell.azure.com). Common Azure tools pre-installed and configured to use with your account. Supports both PowerShell and Bash (CLI). No charge for the shell itself, but it needs an Azure Files share for persistent storage, which is billed at normal storage rates. Runs in all modern desktop and tablet browsers.
Scenario - Azure Portal, PowerShell, CLI….
Scenario: Solution
Can you run PowerShell scripts using Azure CLI?: No. Use Azure Cloud Shell (PowerShell mode) or Azure PowerShell.
Which OS can Azure CLI, PowerShell, Cloud Shell and portal run on?: Windows, Linux and Mac
Where can Azure Cloud Shell be accessed from?: Browser-based shell - access from desktops (Windows, Mac, ChromeOS, Linux), mobile, tablet
Tool to analyze costs and run reports during a cost review meeting: Azure portal or Azure mobile app
Tool for one-time testing, management, and administrative actions (Ex: create a VM or create a group of resources): Azure PowerShell, Azure CLI, Azure portal or Azure mobile app
Repeatedly set up resources across multiple environments: ARM templates

DevTest Labs
● Quickly provision development and test environments
❏ Build Windows and Linux environments
❏ Uses ARM templates: can be used to deploy anything in Azure
➔ Compute - VMs etc
➔ Storage
➔ Databases...
● Can be integrated into your CI/CD pipelines
❏ Set automated shutdowns to minimise costs
● Usecases:
❏ Quickly test your application with an old version of software or OS
❏ Setup a quick load test environment for your app
❏ Quickly provision 100 VMs for testing a specific scenario
❏ Quickly provision environments for training and demos
Quick Review
Compute
Azure Service Name: Description
Azure VMs: Windows or Linux VMs (IaaS). Use VMs when you need control over the OS OR you want to run custom software
Azure VM Scale Sets: Scaling for Azure VMs
Azure Load Balancer: Balance load to multiple instances of an application or a service. Typically listed in the Networking category.
Azure App Service: PaaS. Deploy web apps, mobile back ends and RESTful APIs quickly.
Azure Container Instances: Run isolated containers, without orchestration. You DO NOT need to provision and manage VMs. Start containers in seconds.
Azure Kubernetes Service: Managed Kubernetes service. Provides container orchestration.
Azure Service Fabric: Microsoft's distributed systems platform and container orchestrator for cloud and on-premises. Package, deploy, and manage scalable and reliable microservices
Azure Functions: Serverless compute for event-driven apps
Networking
Azure Service Name: Description
Azure Virtual Network: Create your own private network in the cloud
Azure Firewall: Stateful firewall to protect resources in your Azure Virtual Network
Azure DDoS Protection: Protects Azure-hosted applications from DDoS attacks
Azure ExpressRoute: Dedicated private connection from Azure to on-premises (does not traverse the public Internet)
Azure VPN Gateway: Encrypted (IPsec/IKE) tunnel between a virtual network & on-premises. Traffic goes over the Internet (public)
Azure DNS: Manage your DNS records. Map domain name to IP address
Azure Content Delivery Network: Cache content on edge servers (POPs) located around the world. Minimize latency to global users
Storage
Service: Description
Azure Disk storage: Store disks attached to VMs.
Azure Blob storage: Store unstructured data - video files, database archives etc.
Azure File storage: Create file shares or file servers in the cloud
Azure Queue storage: Decouple applications using a queue (asynchronous communication)
Azure Table storage: Store structured data using a NoSQL approach (non-relational). Schemaless. Key/attribute store.
Databases
Service: Description
Azure Cosmos DB: NoSQL database. Globally distributed.
Azure SQL Database: Relational database
Azure Database for MySQL: Fully managed MySQL database
Azure Database for PostgreSQL: Fully managed PostgreSQL database
Azure Database Migration Service: Migrate databases to the cloud
Azure Cache for Redis: Managed service for Redis