Please enable JavaScript.

Coggle requires JavaScript to display documents.

Microsoft Azure Solution Architecture http://bit.ly/2hZC4w4…

- - - - AVAIL 1: Avoid any single point of failure
      - AVAIL 2: Decompose workload per different service-level agreement
      - AVAIL 3: Minimize and understand service dependencies
      - AVAIL 4: Design tasks and messages to be idempotent (safely repeatable) where possible
      - AVAIL 5: Use a message broker that implements high availability for critical transactions
      - AVAIL 6: Design applications to gracefully degrade
      - AVAIL 7: Gracefully handle rapid burst events
    - - AVAIL 8: Deploy multiple instances of roles for each service
      - AVAIL 9: Host applications in multiple datacenters
      - AVAIL 10:Automate and test deployment and maintenance tasks
      - AVAIL 11: Consider using staging and production features of the platform
      - AVAIL 12: Apply configuration changes without recycling
      - AVAIL 13: Use upgrade domains for zero downtime during updates
      - AVAIL 14: Configure availability sets for Azure virtual machines
    - - AVAIL 15: Geo-replicate data in Azure Storage
      - AVAIL 16: Geo-replicate databases
      - AVAIL 17: Use optimistic concurrency and eventual consistency
      - AVAIL 18: Use periodic backup and point-in-time restore
      - AVAIL 19: Enable the high availability option to maintain a secondary copy of an Azure Redis cache
    - - AVAIL 20: Introduce the concept of a timeout
      - AVAIL 21: Retry failed operations caused by transient faults
      - AVAIL 22: Stop sending requests to avoid cascading failures
      - AVAIL 23: Compose or fall back to multiple components
      - AVAIL 24: Fall back to a different service or workflow
    - - AVAIL 25: Provide rich instrumentation for likely failures and failure events
      - AVAIL 26: Monitor system health by implementing checking functions
      - AVAIL 27: Regularly test all failover and fallback systems
      - AVAIL 28: Test the monitoring systems
      - AVAIL 29: Track the progress of long-running workflows
      - AVAIL 30: Plan for disaster recovery
- - - - SEC 1: Use Role based access control (RBAC) to provide user-specific that used to assign permissions to users, groups, and applications at a certain scope.
    - - SEC 2: Use Management Plane Security to secure your Storage Account using Role-Based Access Control (RBAC).
      - SEC 3: Data Plane Security to Securing Access to your Data using Shared Access Signatures (SAS) and Stored Access Policies.
      - SEC 4: Use Transport-Level Encryption – Using HTTPS and the encryption used by SMB (Server message block protocols) 3.0 for Azure File Shares.
      - SEC 5: Use Client-side encryption to secure data that you send to storage accounts when you require sole control of encryption keys.
      - SEC 6: Use Storage Service Encryption (SSE) to automatically encrypt data in Azure Storage, and Azure Disk Encryption to encrypt virtual machine disk files for the OS and data disks.
      - SEC 7: Use Azure Storage Analytics to monitor authorization type; like with Blob Storage, you can see if users have used a Shared Access Signature or the storage account keys.
      - SEC 8: Use Cross-Origin Resource Sharing (CORS) to access storage resources from different domains.
    - - SEC 9: Use Azure Security Center to deploy endpoint solutions.
      - SEC 10: Add a web application firewall (WAF) to secure web applications.
      - SEC 11: Use a next generation firewall (NGFW) from a Microsoft partner to increase your security protections.
      - SEC 12: Apply security contact details for your Azure subscription; this the Microsoft Security Response Centre (MSRC) contacts you if it discovers that your customer data has been accessed by an unlawful or unauthorized party.
    - - SEC 13: Synchronize your on-premises directory with your cloud directory using Azure AD.
      - SEC 14: Use Single Sign-On to enable users to access their SaaS applications based on their organizational account in Azure AD.
      - SEC 15: Use the Password Reset Registration Activity report to monitor the users that are registering.
      - SEC 16: Enable multi-factor authentication (MFA) for users.
      - SEC 17: Developers to use secure identity capabilities for apps like Microsoft Security Development Lifecycle (SDL).
      - SEC 18: Actively monitor for suspicious activities by using Azure AD Premium anomaly reports and Azure AD identity protection capability.
    - - SEC 19: Use Malware Assessment Solution Log Analytics to report on the status of anti-malware protection in your infrastructure.
      - SEC 20: Use Update assessment to determine the overall exposure to potential security problems, and whether or how critical these updates are for your environment.
      - SEC 21: The Identity and Access provide you an overview of user
        
        user identity state,
        
        number of failed attempts to log on,
        
        the user’s account that were used during those attempts, accounts that were locked out
        
        accounts with changed or reset password
        
        Currently number of accounts that are logged in.
    - - SEC 22: Use detection capabilities, to identify active threats targeting your Microsoft Azure resources.
      - SEC 23: Use integrated threat intelligence that looks for known bad actors by leveraging global threat intelligence from Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC), and external feeds.
      - SEC 24: Use Behavioral analytics that applies known patterns to discover malicious behavior.
      - SEC 25: Use Anomaly detection that uses statistical profiling to build a historical baseline.
    - - SEC 26: Infrastructure as Code (IaC) is a practice, which enables the automation and validation of creation and teardown of networks and virtual machines to help with delivering secure, stable application hosting platforms.
      - SEC 27: Continuous Integration and Deployment drive the ongoing merging and testing of code, which leads to finding defects early.
      - SEC 28: Release Management - Manage automated deployments through each stage of your pipeline.
      - SEC 30: Using Load Testing & Auto-Scale we can find performance problems in our app to improve deployment quality and to make sure our app is always up or available to cater to the business needs.
      - SEC 29: App Performance Monitoring of running applications including production environments for application health as well as customer usage help organizations form a hypothesis and quickly validate or disprove strategies.
- - - - SCAL 1: Partition the workload
        Compute Partitioning Guidance
      - SCAL 2: Design for scaling
      - SCAL 3: Scale as a unit
      - SCAL 4: Avoid client affinity
      - SCAL 5: Take advantage of platform auto-scaling features
        Auto-scaling Guidance
      - SCAL 6: Offload intensive CPU/IO tasks as background tasks
        Background jobs Guidance
      - SCAL 7: Distribute the workload for background tasks
        Competing Consumers Pattern
      - SCAL 8: Consider moving towards a shared-nothing architecture
    - - SCAL 9: Use data partitioning
        Data partitioning Guidance
      - SCAL 10: Design for eventual consistency
        Data Consistency Primer
      - SCAL 11: Reduce chatty interactions between components and services
      - SCAL 12: Use queues to level the load for high velocity data writes
        Queue-based Load Leveling Pattern
      - SCAL 13: Minimize the load on the data store
      - SCAL 14: Minimize the volume of data retrieved
      - SCAL 15: Aggressively use caching
        Caching Guidance
      - SCAL 16: Handle data growth and retention
      - SCAL 17: Optimize Data Transfer Objects (DTOs) using an efficient binary format
      - SCAL 18: Set cache control
      - SCAL 19: Enable client side caching
      - SCAL 20: Use Azure blob storage and the Azure Content Delivery Network (CDN) to reduce the load on the application
        CDN Guidance
      - SCAL 21: Optimize and tune SQL queries and indexes
        Query Tuning
      - SCAL 22: Consider de-normalizing data
        Data partitioning Guidance
    - - SCAL 23: Use asynchronous calls
        Task-based Asynchronous Pattern
      - SCAL 24: Avoid locking resources, and use an optimistic approach instead
      - SCAL 25: Compress highly compressible data over high latency, low bandwidth networks
      - SCAL 26: Minimize the time that connections and resources are in use
      - SCAL 27: Minimize the number of connections required
      - SCAL 28: Send requests in batches to optimize network use
      - SCAL 29: Avoid a requirement to store server-side session state
      - SCAL 30: Optimize table storage schemas
      - SCAL 31: Use the Task Parallel Library (TPL) to perform asynchronous operations
      - SCAL 32: Create resource dependencies during deployment or at application startup
      - SCAL 33: Use lightweight frameworks
      - SCAL 34: Consider minimizing the number of service accounts
      - SCAL 35: Carry out performance profiling and load testing
- - - - RESL 1: Define your customer's availability requirements.
    - - RESL 2: Perform a failure mode analysis (FMA) for your application.
      - RESL 3: Deploy multiple instances of services.
      - RESL 4: Use autoscaling to respond to increases in load.
      - RESL 5: Use load balancing to distribute requests.
      - RESL 6: Configure Azure Application Gateways to use multiple instances.
      - RESL 7: Use Availability Sets for each application tier.
      - RESL 8: Consider deploying your application across multiple regions.
      - RESL 9: Use Azure Traffic Manager to route your application's traffic to different regions.
      - RESL 10: Configure and test health probes for your load balancers and traffic managers.
      - RESL 11: Monitor 3rd-party services.
      - RESL 12: Ensure that any third-party service you consume provides an SLA.
      - RESL 13: Implement resiliency patterns for remote operations where appropriate.
      - RESL 14: Implement asynchronous operations whenever possible.
    - - RESL 15: Understand the replication methods for your application's data sources.
      - RESL 16: Ensure that no single user account has access to both production and backup data.
      - RESL 17: Document your data source fail over and fail back process and test it.
      - RESL 18: Validate your data backups.
      - RESL 19: Consider using a storage account type that is geo-redundant.
    - - RESL 20: Implement application-level protection against distributed denial of service (DDoS) attacks.
      - RESL 21: Implement the principle of least privilege for access to the application's resources.
    - - RESL 22: Perform failover and failback testing for your application.
      - RESL 23: Perform fault-injection testing for your application.
      - RESL 24: Run tests in production using both synthetic and real user data.
    - - RESL 25: Document the release process for your application.
      - RESL 26: Automate your application's deployment process.
      - RESL 27: Design your release process to maximize application availability.
      - RESL 28: Log and audit your application's deployments.
      - RESL 29: Have a rollback plan for deployment.
    - - RESL 30: Implement best practices for monitoring and alerting in your application.
        Monitoring and Diagnostics guidance
      - RESL 31: Measure remote call statistics and make the information available to the application team.
      - RESL 32: Track the number of transient exceptions and retries over an appropriate timeframe.
        Retry service specific guidance
      - RESL 33: Implement an early warning system that alerts an operator.
      - RESL 34: Ensure that more than one person on the team is trained to monitor the application and perform any manual recovery steps.
      - RESL 35: Ensure that your application does not run up against Azure subscription limits.
      - RESL 36: Ensure that your application does not run up against per-service limits.
      - RESL 37: Design your application's storage requirements to fall within Azure storage scalability and performance targets.
      - RESL 38: Select the right VM size for your application.
        Sizes for virtual machines in Azure
      - RESL 39: Determine if your application's workload is stable or fluctuating over time.
      - RESL 40: Select the right service tier for Azure SQL Database.
      - RESL 41: Create a process for interacting with Azure support.
      - RESL 42: Ensure that your application doesn't use more than the maximum number of storage accounts per subscription.
        Azure subscription and service limits, quotas, and constraints
      - RESL 43: Ensure that your application doesn't exceed the scalability targets for virtual machine disks.
    - - RESL 44: Log telemetry data while the application is running in the production environment.
      - RESL 45: Implement logging using an asynchronous pattern.
      - RESL 46: Correlate log data across service boundaries.
    - - RESL 47: Use Azure Resource Manager templates to provision resources.
      - RESL 48: Give resources meaningful names.
        Naming conventions for Azure resources
      - RESL 49: Use role-based access control (RBAC).
      - RESL 50: Use resource locks for critical resources, such as VMs.
      - RESL 51: Choose regional pairs.
        Business continuity and Disaster Recovery (BCDR): Azure Paired Regions
      - RESL 52: Organize resource groups by function and life-cycle.
    - - App Service
        
        RESL 53: Use Standard or Premium tier.
        Azure App Service plans in-depth overview
        
        RESL 54: Avoid scaling up or down.
        
        RESL 55: Store configuration as app settings.
        Configure web apps in Azure App Service
        
        RESL 56: Create separate App Service plans for production and test.
        
        RESL 57: Separate web apps from web APIs.
        
        RESL 58: Avoid using the App Service backup feature to back up Azure SQL databases.
        
        RESL 59: Deploy to a staging slot.
        
        RESL 60: Create a deployment slot to hold the last-known-good (LKG) deployment.
        
        RESL 61: Enable diagnostics logging.
        
        RESL 62: Log to blob storage.
        
        RESL 63: Create a separate storage account for logs.
        
        RESL 64: Monitor performance.
      - Application
        Gateway
        
        RESL 65: Provision at least two instances.
      - Azure Search
        
        RESL 66: Provision more than one replica.
        
        RESL 67: Configure indexers for multi-region deployments.
        Azure Search performance and optimization considerations
      - Azure Storage
        
        RESL 68: For application data, use read-access geo-redundant storage (RA-GRS).
        Azure Storage Replication
        
        RESL 69: For VM disks, use Managed Disks.
        
        RESL 70: For Queue storage, create a backup queue in another region.
      - Cosmos DB
        
        RESL 71: Replicate the database across regions.
      - SQL Database (PaaS)
        
        RESL 72: Use Standard or Premium tier.
        SQL Database options and performance
        
        RESL 73: Enable SQL Database auditing.
        
        RESL 74: Use Active Geo-Replication.
        
        RESL 75: Use Sharding.
        Scaling out with Azure SQL Database
        
        RESL 76: Use point-in-time restore to recover from human error.
        Recover an Azure SQL database using automated database backups
        
        RESL 77: Use geo-restore to recover from a service outage.
      - SQL Server (IaaS)
        
        RESL 78: Replicate the database.
        
        RESL 79: Backup the database.
      - Traffic Manager
        
        RESL 80: Perform manual failback.
        
        RESL 81: Create a health probe endpoint.
        Traffic Manager endpoint monitoring and failover
      - Virtual Machines
        
        RESL 82: Avoid running a production workload on a single VM.
        
        RESL 83: Specify an availability set when you provision the VM.
        
        RESL 84: Put each application tier into a separate Availability Set.
        
        RESL 85: Choose the right VM size based on performance requirements.
        
        RESL 86: Use Managed Disks for VHDs.
        
        RESL 87: Install applications on a data disk, not the OS disk.
        
        RESL 88: Use Azure Backup to back up VMs.
        
        RESL 89: Enable diagnostic logs.
        
        RESL 90: Use the AzureLogCollector Extension.
      - Virtual Network
        
        RESL 91: To whitelist or block public IP addresses, add an NSG to the subnet.
        
        RESL 92: Create a custom health probe.
        Azure Load Balancer Overview
        
        RESL 93: Don't block the health probe.
        
        RESL 94: Enable Load Balancer logging.
        Log Analytics for Azure Load Balancer
- - - - MGMT 1: Ensure business alignment across organizations and teams
      - MGMT 2: Ensure the entire team understands the software lifecycle
      - MGMT 3: Reduce cycle time
      - MGMT 4: Review and improve processes
      - MGMT 5: Do proactive planning
      - MGMT 6: Learn from failures
      - MGMT 7: Optimize for speed and collect data
      - MGMT 8: Allow time for learning
      - MGMT 9: Document operations
      - MGMT 10: Share knowledge
    - - MGMT 11: Provide developers with production-like environments
      - MGMT 12: Ensure that all authorized team members can provision infrastructure and deploy the application
      - MGMT 13: Instrument the application for insight
      - MGMT 14: Track your technical debt
      - MGMT 15: Consider pushing updates directly to production
    - - MGMT 16: Automate testing
      - MGMT 17: Test for failures
      - MGMT 18: Test in production
      - MGMT 19: Automate performance testing to identify performance issues early
      - MGMT 20: Perform capacity testing
      - MGMT 21: Perform automated security penetration testing
      - MGMT 22: Perform automated business continuity testing
    - - MGMT 23: Automate deployments
      - MGMT 24: Use continuous integration
      - MGMT 25: Consider using continuous delivery
      - MGMT 26: Make small incremental changes
      - MGMT 27: Control exposure to changes
      - MGMT 28: Implement release management strategies to reduce deployment risk
      - MGMT 29: Document all changes
      - MGMT 30: Automate Deployments
      - MGMT 31: Consider making infrastructure immutable
    - - MGMT 32: Make systems observable
      - MGMT 33: Aggregate and correlate logs and metrics
      - MGMT 34: Implement automated alerts and notifications
      - MGMT 35: Monitor assets and resources for expirations
    - - MGMT 36: Automate operations tasks
      - MGMT 37: Take an infrastructure-as-code approach to provisioning
      - MGMT 38: Consider using containers
      - MGMT 39: Implement resiliency and self-healing
      - MGMT 40: Have an operations manual
      - MGMT 41: Document on-call procedures
      - MGMT 42: Document escalation procedures for third-party dependencies
      - MGMT 43: Use configuration management
      - MGMT 44: Get an Azure support plan and understand the process
      - MGMT 45: Follow least-privilege principles when granting access to resources
      - MGMT 46: Use role-based access control (RBAC)
      - MGMT 47: Use a bug tracking system to track issues
      - MGMT 48: Manage all resources in a change management system
      - MGMT 49: Use checklists