AZURE Architect - Coggle Diagram
COMPUTE
Virtual Machines
What do we pay for:
- CPU/RAM
- OS
- Disks
- IP addresses
- Backup or snapshots
- Egress traffic
Disks
- OS (managed)
- Temporary disk (size depends on the chosen instance size) - its data and the public IP are lost during maintenance or on stop/deallocate from the Portal level. A restart (or start/stop from within the VM) does not delete the data and the public IP remains the same.
- Managed - better availability assured by MS
- Unmanaged - on a Storage Account - must be Premium for VMs
- Ultradisk (SSD) - 160k IOPs
- Premium SSD (SSD) - 20k IOPs
- Standard SSD - 6k IOPs
- Standard HDD - 2k IOPs
SLA
- AvailabilitySet - 2 or more VMs - 99,95%
-- Update Domain - group of VMs on physical HW that might be rebooted during updates (Azure maintenance period). Only 1 Update Domain is rebooted at a time. Up to 20.
-- Fault Domain - group of VMs that share a single underlying hardware unit (host, power, network). Up to 3.
- AvailabilityZones - 2 or more VMs in different zones - 99,99%
Recommended: configure application tiers (app/web/db) as different AvailabilitySets: https://docs.microsoft.com/en-us/azure/virtual-machines/availability-set-overview
ScaleSets
- Horizontally (IN / OUT) - add more nodes
- Vertically (UP/DOWN) - add more resources to a single server
- Custom Script Extensions
- Create custom image
Dedicated Hosts
- HW isolation - no other VMs will be launched on the same physical host
- You control the timeframe of maintenance events
Azure Migrate Service
- for VMware/Hyper V or physical server migrations
- phases: 1) assessment (cost/sizes) 2) replication -> test -> final migration
- uses: SiteRecovery Provider for replication
- data is replicated into a storage account (test migration) and then VM is created from this image
Migrate Server Assessment
- check Azure readiness
- adjust size of VM
- Estimate costs
Supported systems
- Windows 2008 - 2019, Win7-10
- Linux RedHat/CentOS/Ubuntu/Debian/SUSE/Oracle
- OS disk - up to 2TB
- Data Disk - up to 8 TB (when replicating to managed disk) or up to 4 TB (when replicating to storage account)
- BitLocker must be disabled
Site Recovery Service
Continuous replication to a different region
- Site Recovery Vault is created in the DEST region
- SRC: Storage Account is created for the VMs' cache (delta changes and continuous replication)
- DEST: VNET + ResourceGroup for VMs + Storage Account for Unmanaged disks + Availability Zone/Set if configured
- crash-consistent snapshots (disk data only) | application-consistent snapshots (disk + RAM)
Replication Policy
- Retention - up to 24 hrs
- App-consistent snapshot - every 4 hours
NETWORKING
LOAD BALANCERS (Layer 4)
- 1) Create Scale Set / Availability Set
- 2) Create Public IP (FrontEnd IP)
- 3) Create LoadBalancer + Public IP
- 4) Create BackendPool from Scale/Availability Set
- 5) HealthProbe to VMs
- 7) Load Balancing Rule (route to VM ports)
Traffic Manager
(DNS-based Load Balancer)
- Endpoints can be in Azure or not (may be On-Premise).
- Endpoint must be internet facing service
Routing methods
- Priority (1,2,3) - use the next one if the highest-priority endpoint fails
- Weighted (20%, 20%, 60%) - distribute across endpoints by weight
- Performance (direct to the closest endpoint - lowest latency)
Others:
- Geographic - based on GEO location
- Multivalue - all healthy endpoints are sent to the client and the client decides which one is chosen
- Subnet - based on client source IP address
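The routing methods above, as an added illustration (not Azure code) of how each one picks an endpoint from the set that passes the health probe; endpoint names, priorities, weights and latencies are constructed:

```python
"""Endpoint selection for the Traffic Manager routing methods listed above
(priority, weighted, performance, multivalue). Added illustration, not Azure
code: endpoint names, weights, priorities and latencies are constructed."""
import random
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str
    healthy: bool            # result of the endpoint health probe
    priority: int = 1        # lower number = higher priority
    weight: int = 1          # relative share for the weighted method
    latency_ms: float = 0.0  # measured latency from the client's location


def healthy_only(endpoints):
    """Every method only ever hands out endpoints that pass the health probe."""
    return [e for e in endpoints if e.healthy]


def route_priority(endpoints):
    """Priority: highest-priority healthy endpoint; fall through if it is down."""
    alive = healthy_only(endpoints)
    return min(alive, key=lambda e: e.priority).name if alive else None


def route_weighted(endpoints, rng=random):
    """Weighted: choose among healthy endpoints in proportion to their weight."""
    alive = healthy_only(endpoints)
    if not alive:
        return None
    return rng.choices(alive, weights=[e.weight for e in alive], k=1)[0].name


def route_performance(endpoints):
    """Performance: the healthy endpoint with the lowest latency."""
    alive = healthy_only(endpoints)
    return min(alive, key=lambda e: e.latency_ms).name if alive else None


def route_multivalue(endpoints):
    """Multivalue: all healthy endpoints are returned and the client picks one."""
    return [e.name for e in healthy_only(endpoints)]


def weighted_share(endpoints, draws=4000, seed=1):
    """Count how a seeded sequence of DNS answers spreads across endpoints."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(draws):
        name = route_weighted(endpoints, rng)
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: the preferred endpoint (westeu) is failing its probe.
SAMPLE = [
    Endpoint("westeu", healthy=False, priority=1, weight=20, latency_ms=12),
    Endpoint("northeu", healthy=True, priority=2, weight=20, latency_ms=25),
    Endpoint("eastus", healthy=True, priority=3, weight=60, latency_ms=90),
]

if __name__ == "__main__":
    print("priority    ->", route_priority(SAMPLE))
    print("performance ->", route_performance(SAMPLE))
    print("multivalue  ->", route_multivalue(SAMPLE))
    print("weighted    ->", weighted_share(SAMPLE))
```

The sample deliberately marks the priority-1 endpoint unhealthy so that every method visibly skips it; with the failing endpoint removed, the remaining weights 20 and 60 give a 25/75 split.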
Backend Pool - can be:
- Availability Set
- Scale Set
Load Balancing Rules
- where to direct traffic in the BackendPool VMs (exact port number)
Basic LB - old one
- Single VM / Scale Set / AvailabilitySet as target
Standard LB
- multiple VMs / Scale set / Availability Set as target in the same VNet
- SLA 99,99%
Azure Application Gateway [REGIONAL] (Layer 7) for web applications
L7 LB for a backend pool consisting of different endpoints (VM, App Service, ScaleSets, On-Premise servers) - routing is based on rules (URL-based), like a URL map. There can be many backend pools for different purposes.
- supports SSL/TLS between clients and App Gateway
- App Gateway can scale up/down based on utilisation
- supports Session Affinity
- can be deployed across multiple zones
- resources attached to subnet
Supports Web Application Firewall (WAF)
- policies based on OWASP or custom
Listener - checks for incoming connection requests
- Basic - listens to a single domain site
- Multi-site - maps to multiple domain sites
Routing Rules
Routes traffic from listener to backend pool
- Basic - routes to the backend pool directly
- Path-based - routes based on URL in request
Azure Front Door [GLOBAL] - combination of Traffic Manager and Application Gateway
- Routes traffic based on performance of endpoints
- works at Layer 7 OSI
- routes client to the fastest and most available backend
- backend / endpoint must be internet facing in Azure or not
- SSL termination
- Web Application Firewall
- Multiple Site hosting
- Session affinity
- You can mix Front Door and have Application gateways behind it
Routing methods
- URL based (/images - to one servers /videos - other server)
NSG - Network Security Group (firewall)
- can be applied to VM NIC or to the subnet
- INCOMING: first SUBNET NSG then NIC NSG
- OUTGOING: first NIC NSG then SUBNET NSG
- If DENY -> it will NOT be checked by next level NSG
- If ALLOW incoming on SUBNET then DENY (default DenyAllInbound) on NIC -> it will be DENIED for that specific NIC.
- if ALLOW on SUBNET NSG -> must be allowed at NIC NSG as well.
- SUBNET NSG affects VM-VM connectivity in this subnet
Recommended: use SUBNET NSG or NIC NSG but not both
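The two-level evaluation described above (subnet NSG before NIC NSG inbound, the reverse outbound, Deny at the first level final), as an added illustration that is not Azure code; the rule sets, prefixes and IPs are constructed, and 10.0.0.0/8 stands in for the VirtualNetwork tag. Within one NSG the model applies the real behaviour of ascending-priority, first-match evaluation with the default rules at 65000 and above:

```python
"""Evaluation order of a subnet NSG and a NIC NSG as described above:
inbound = subnet NSG first, outbound = NIC NSG first, and a Deny at the
first level is final. Within one NSG, rules run in ascending priority and
the first match decides; the default rules sit at priority 65000 and above.
Added illustration, not Azure code: rule sets, prefixes and IPs are
constructed (10.0.0.0/8 stands in for the VirtualNetwork tag)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first
    action: str     # "Allow" or "Deny"
    source: str     # CIDR prefix or "*" (any)
    port: str       # destination port or "*" (any)


# Constructed stand-ins for the default inbound rules every NSG carries.
DEFAULT_INBOUND = [
    Rule(65000, "Allow", "10.0.0.0/8", "*"),  # AllowVnetInBound (VirtualNetwork tag)
    Rule(65500, "Deny", "*", "*"),            # DenyAllInBound
]


def matches(rule, address, port):
    if rule.port != "*" and rule.port != str(port):
        return False
    if rule.source == "*":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(rule.source)


def evaluate_nsg(rules, address, port):
    """First matching rule in ascending priority order decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, address, port):
            return rule.action
    return "Deny"  # unreachable once the default rules are present


def inbound_allowed(subnet_rules, nic_rules, src_ip, port):
    """Inbound: subnet NSG first; a Deny there is final, the NIC NSG is skipped."""
    if evaluate_nsg(subnet_rules, src_ip, port) == "Deny":
        return False
    return evaluate_nsg(nic_rules, src_ip, port) == "Allow"


def outbound_allowed(subnet_rules, nic_rules, dst_ip, port):
    """Outbound: NIC NSG first, then the subnet NSG."""
    if evaluate_nsg(nic_rules, dst_ip, port) == "Deny":
        return False
    return evaluate_nsg(subnet_rules, dst_ip, port) == "Allow"


# Constructed scenario: the subnet opens 443 to the world; one NIC keeps only
# the defaults (so DenyAllInBound wins), the other repeats the 443 allow.
SUBNET_NSG = DEFAULT_INBOUND + [Rule(100, "Allow", "*", "443")]
NIC_NSG_DEFAULT = list(DEFAULT_INBOUND)
NIC_NSG_WEB = DEFAULT_INBOUND + [Rule(100, "Allow", "*", "443")]

if __name__ == "__main__":
    print("443 from internet, NIC defaults only:",
          inbound_allowed(SUBNET_NSG, NIC_NSG_DEFAULT, "203.0.113.5", 443))
    print("443 from internet, NIC also allows  :",
          inbound_allowed(SUBNET_NSG, NIC_NSG_WEB, "203.0.113.5", 443))
    print("22 from inside the VNet             :",
          inbound_allowed(SUBNET_NSG, NIC_NSG_WEB, "10.0.1.4", 22))
```

The first printed case is the trap the notes warn about: an Allow on the subnet NSG is not enough when the NIC NSG still ends in DenyAllInbound, so a practitioner checking why a port is closed should read both levels (or, as recommended, use only one of them).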
ASG - Application Security Groups
- we assign a group of VMs to an ASG (like tags) to simplify ACLs
NSG Tags - Predefined, cannot be changed
- VirtualNetwork
- AzureCloud (can be even specific AzureCloud.WESTEU)
- AzureLoadBalancer
- Internet
Public IP
Basic SKU
- IP static or dynamic
- optional NSG (firewall)
- no support for Availability Zones
Standard SKU
- IP is static
- NSG by default
- Zone redundant by default
Managed BastionHost
Managed via the Bastion Host from the Azure Portal - we don't create the host VM ourselves.
Its dedicated subnet must be named: AzureBastionSubnet
Single BastionHost per VirtualNetwork, in a dedicated subnet
Service Endpoint
- Secure connection to managed services via internal Azure backbone
UDR - User Defined Routes
- Create route table
- Add routes (address prefixes) that affect the selected subnets
Peerings - to connect VNETs via internal AZ backbone
- can connect from the same or different regions
- ip cannot overlap
- can peer to other subscriptions
- a classic deployment cannot peer with another classic deployment (it can peer with a Resource Manager VNet)
VPN
Point-To-Site (Remote Access)
- create Gateway Subnet in Azure
- create Virtual Network Gateway (always 2:active-standby)
- export public cert for the Virtual Network Gateway
- export private certificate for the client
Site-To-Site
- create Gateway Subnet in Azure
- create Local Network Gateway - representation of on-premise network (public IP and subnet address)
- create Virtual Network Gateway (note: VPN gateways have different SKUs with different performance)
- add new connection (IPsec) in the Virtual Network Gateway (which uses the Local Network Gateway)
Scenario:
ONPremNet --ipsec-- Azure --(peering)--OtherVNET:
- on Azure peering: "allow gateway transit"
- on Test peering: "use remote gateways"
- add extra static route to TEST via ipsec
Azure Firewall - more advanced than NSG
- Managed Service
- Built-in High Availability - you can deploy instances across availability zones
- Filter against FQDNs
- Stateful
- Built-in Threat intelligence (malicious IP addresses / domains)
- Allows NAT
Configuration:
- Dedicated subnet called AzureFirewallSubnet (for infrastructure)
- Create Route Table to route via FW
- Associate Route with VMs Subnet
STORAGE
Azure Storage (objects in Storage Accounts) - GENERAL-PURPOSE V2
- BLOB (objects: images, videos) - VM .VHD disks
-- block blobs - binary and text data
-- append blobs - logging data
-- page blobs - .vhd VM files
- TABLE (table data)
- QUEUE (queues for sending/receiving messages)
- FILE (file shares)
BlockBlobStorage - premium performance for block blobs
FileStorage - premium performance for file storage
Use MS Azure Storage Explorer to access from a PC
Storage Accounts - REPLICATION
- LRS (Locally Redundant Storage) - 3 copies in the same datacenter location - default
- ZRS (Zone Redundant Storage) - synchronic copy in 3 zones in 1 region
- GRS (Geo Redundant Storage) - 3 copies in the same zone of a region (LRS) and then a copy in another region (LRS) (good for DR). We pay for storage in each location + transfers. Only the primary region is accessible at a time.
- RA-GRS - (Read Access GRS) - replica in another region is ReadOnly.
- GZRS (Geo-zone-redundant storage) - copy in 3 zones and then LRS replica in another region
- RA-GZRS (Read Access Geo-zone-redundant storage) - copy in 3 zones and then ReadOnly replica in other region
All GEOs: asynchronous replicas in other region
Change Storage Replication Type
- manual (change storage type and copy)
- live migration - ask MS team
Access Tiers (default for storage account level):
- HOT - frequent
- COOL - at least 30 days - infrequent access
- ARCHIVE - at least 180 days (only for BLOB level). It's not easily available. You need to rehydrate (change type to hot or cool) it in order to access it.
Early deletion fee - extra cost for changing tier before the default period (30 or 180 days)
Note:
- storage cost is highest for HOT
- access cost is highest for ARCHIVE
Lifecycle Management Rules
- Change tier
- Delete after period
APPS Access to storage
- Access Keys (access to whole storage account and all data within) - least secure
- Shared Access Signature (like SignedURL in GCP) - granular access
- Azure Active Directory
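Why a Shared Access Signature is the more granular option in the list above: the account key grants everything, while a SAS is a token the key holder signs over a resource path, a permission set and an expiry, which the service recomputes and checks before serving the request. The block below is an added illustration of that idea, not Azure's real SAS format (the actual string-to-sign carries more fields); the key, resource paths and timestamps are constructed.

```python
"""Illustrative model of account key vs Shared Access Signature: the key
signs a token naming resource, permissions (sp) and expiry (se); the service
re-computes the HMAC and rejects anything tampered, expired or out of scope.
Added example, not Azure's SAS format; key and paths are constructed."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Constructed account key (base64 like a real one, but not a real key).
ACCOUNT_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-azure-key").decode()


def _string_to_sign(resource, permissions, expiry):
    # Everything the token promises must be covered by the signature.
    return "\n".join([resource, permissions, str(int(expiry))])


def _sign(key, resource, permissions, expiry):
    raw = hmac.new(base64.b64decode(key),
                   _string_to_sign(resource, permissions, expiry).encode(),
                   hashlib.sha256).digest()
    return base64.b64encode(raw).decode()


def create_sas(resource, permissions, expiry, key=ACCOUNT_KEY):
    """Key holder issues a token: sp = permissions, se = expiry, sig = HMAC."""
    return urlencode({"sp": permissions, "se": int(expiry),
                      "sig": _sign(key, resource, permissions, expiry)})


def authorize(resource, sas, requested_permission, key=ACCOUNT_KEY, now=None):
    """Service side: signature valid, not expired, permission included."""
    now = time.time() if now is None else now
    q = parse_qs(sas)
    try:
        sp, se, sig = q["sp"][0], int(q["se"][0]), q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    # Recompute over the resource actually being accessed, so a token for
    # one blob cannot be replayed against another.
    if not hmac.compare_digest(_sign(key, resource, sp, se), sig):
        return False
    if now >= se:
        return False
    return requested_permission in sp


if __name__ == "__main__":
    token = create_sas("/reports/q1.pdf", "r", expiry=time.time() + 3600)
    print(token)
    print("read q1 :", authorize("/reports/q1.pdf", token, "r"))
    print("write q1:", authorize("/reports/q1.pdf", token, "w"))
    print("read q2 :", authorize("/reports/q2.pdf", token, "r"))
```

The point for the access model: leaking a token from `create_sas` exposes one path, one permission set and a bounded time window, whereas leaking `ACCOUNT_KEY` exposes the whole account, which is why the notes rank access keys as the least secure option.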
CONTAINERS
Container contains:
- package of OS (lightweight)
- application
- libraries
It is easily portable
DOCKER - platform to run containers
- rather for a single host
- Dockerfile: file with instructions how to build custom image
DOCKER commands:
- sudo docker ps (list running containers)
- sudo docker pull nginx:1.17.0
- sudo docker run --name sampleapp -p 80:80 -d nginx
- docker build -t dotnetapp .
- docker push (push repository to ACR)
Azure Container Instance
- allows to run container as a service with no infrastructure (on the fly)
Azure WEB app - Containers
- allows a web app to run a container from various sources
Kubernetes
Container Orchestration Software
- can provide DNS name to a container
- can load balance and distribute traffic across nodes
- can restart a container that fails
- can replace and kill containers
- manages security (passwords, OAuth tokens, keys)
Kubernetes Cluster
- Master + Nodes
- KubeCTL to manage cluster
- Deployment is application (set of PODs)
- POD - smallest cluster unit which runs 1 or more containers
- number of PODs is specified by the replica count
- Healing - if a POD fails, the master schedules a new one
Service Principal
- service-like identity used to authorize in other services (e.g. AKS to Container Registry)
DATABASES
NoSQL
- key/value pair patterns
- documents or graphs
- no relationships
COSMOS DB
- Scalable
- Fast response
- High performance
- Fully managed
Different APIs
- SQL API (well known syntax of queries)
- Cassandra
- Apache
- Table (key/value pairs)
SQL
Managed instance
- best for on-premise migration
- almost 100% compatible with on-prem SQL
- supports Agent jobs, AVGroups
- instance
- HA and automated backups
- system DBs
- native VNET (needs dedicated subnet)
- up to 8 TB storage
- up to 100 DBs per instance
- supports cross-database queries
- SQL logins or Azure AD
AutoFailover
- built on top of Active GeoReplication
- available at the server level
- Replicate and Failover groups of databases between servers
- manual or automatic
- supports SQL managed servers as well
- secondary server must be in a different region
- configure in SQL server settings - Failover Groups
Single
- single DB, no instance
- no system DBs
- up to 100 TB storage
- up to 500 DBs
- no cross-database queries
- scaling with interruptions
- DTU per database
Elastic Pool
- collection of single databases
- shared pool resources (for not very intensive load)
- varying workloads
- up to 100 TB storage
- up to 500 DBs
- no cross-database queries
- scaling based on load is automated
- scaling with no interruptions
- DTU for whole elastic pool (DB consumes DTU in elastic way) - min. 50 DTU
- moving DB into and out of elastic pool with interruptions
IaaS
- (VM + SQL server installation)
- full control over SQL
- easy to migrate from on-prem
- private IP
- you need to manage backups and HA
Azure SQL Server
- 99,99% SLA
- built in backup / patching / recovery
- some SQL feature not available
- no ip addressing - access managed via firewall
DTU (Database Transaction Units) - CPU / MEM / RW rates
- different tiers (basic | standard | premium)
vCore based
- scalable
- different tiers
- replicas for HA
- use existing licenses to get discount
SQL Databases (PaaS)
- built-in backups/recovery/patching
- latest stable DB engine (can set compatibility level down to 100)
- scale resources
- tuning available
- public resource (not connected to any VNET)
Active Geo-Replication
- creates READABLE secondary replica DB
- secondary may be on the same or different SQL server
- not supported for Azure SQL managed instances
- configuration in the GEO Replication section of DB settings (creates a new SQL server and a READ database in the destination region)
Failover
- Replica to DB on server in another REGION
- If primary REGION fails, failover is MANUAL
Elastic Transactions/ ServerSide Transactions
- support for transactions on a multiple databases on same server / different servers or managed SQL instances
SECURITY + IDENTITY
Encryption
- In transit
- At rest
- Azure KeyVault
RBAC
Role: JSON based definition
Scope: on which level permissions are applied (user /resource / resource group / subscription / management group)
Permission can define: Actions and DataActions
BuiltIn roles:
- Owner (all + manage access to resources)
- Contributor (all except manage access to resources)
- Reader (read only)
Azure Policy
- define constraints / limitations / enforcements (sizes of VMs, tagging, AntiMalware extensions installed)
- can be assigned on: Management Group | Subscription | Resource Group level
MANAGEMENT TOOLS
Azure CLI
- az login
- az storage account list
PowerShell
- Set-ExecutionPolicy RemoteSigned
- Install-Module AZ -AllowClobber -Scope AllUsers
- Import-Module AZ -verbose
- Connect-AZAccount
- Get-AZResourceGroup -Location XX
Azure BluePrints
Orchestrate deployment of artifacts to Azure:
- ARM Templates
- Azure policies
- Resource Groups
- RBAC
Defines processes that adhere to ORG standards and patterns (mandatory settings for new objects). You set predefined settings that apply to all new objects.
Assign only to:
- Management Group
- Subscription
Steps to implement:
- Define blueprint
- Publish
- Assign BluePrint
Blueprint resource locks - protect resources deployed via a Blueprint. Even the Owner is not able to remove the lock. Only unassignment of the Blueprint can remove the lock.
Azure Resource Manager JSON:
- names / variables in {}
- tables in [ ]
Azure Backup Service
- backups stored in Recovery Service Vault
- first backup full + incrementals
- backup policy - schedule + retention
- recovery points
- you can recover: file / disk / entire VM
Agent (on premise)
- extension must be installed in VM (agent?)
- agent accessing backup service needs storage credentials
- on client: 1) schedule backup 2) run backup
Snapshot types:
- Application consistent (memory and I/Os)
- Filesystem consistent - all file systems are backed up at once
- Crash consistent - happens when VM shuts down during backup process
Azure AD
- Tenant is a dedicated instance of Azure AD
- Each Tenant has at least 1 dedicated Azure AD Directory (users, groups, objects)
- Each subscription trusts (maps to) a single AD Directory (can assign access to resources from this directory)
- Free up to 500k objects
MFA
- SMS code
- Microsoft Authenticator APP
- Get a call via registered phone number
MFA Status:
- Disabled - default
- Enabled: user is enrolled and in MFA registration process
- Enforced: Completed Registration process
Azure AD vs ADDS vs Azure ADDS
Azure AD
- OAuth, SAML,cloud based, redundant
Active Directory Domain Services:
- on-premise, all legacy protocols like LDAP, Kerberos, NTLM, Group Policy support, schema, FSMO
Azure Active Directory Domain Services (managed)
- partially the same as ADDS on premise, readonly LDAP, GPO, cloud based, redundant, no schema extensions. For legacy systems and older protocols
Conditional Access
For Application (ex Office 365 OWA):
- allow/block/require MFA /etc if conditions are met
Azure Identity Protection
- detect anomalies in ID logons (location / behaviour) - sign-in risks - and apply policies (require MFA / change password / block access)
Access Reviews (Identity Governance -> Access Review)
- verify users' groups / roles / assignments to apps / access to resource groups
Dynamic Groups (require Premium AD license)
- assign computers or users dynamically to AD groups based on attributes
Solution for APPS
APP Service (PaaS)
Webapp must be linked to APP Service Plan (Free, Shared, Basic, Standard, Premium, Isolated...) with different limits
Integrations with
- Azure Front Door with WAF
- CDN
- Access Restrictions
- VNET integration
Azure Web Jobs
Runs in the background as part of an App Service
WebApp Diagnostics
- App logs - from application
- Webserver logs - raw HTTP request data
- Detailed error messages - exact http error sent to client browser
- Failed request tracing - failed requests
- Deployment logging
To enable: in the Monitoring section of the App. Access logs via SFTP.
AutoScaling
- manual in Basic service plan (up to 3 instances)
- automated (scale -in and out) - in Standard service plan and higher
Deployment Slots (versioning)
- each slot has its own DNS hostname
- you can easily swap between slots (staging -> prod)
- set in Webapp -> Deployment -> Slots
APP Insights
- monitor app
- detect anomalies
- diagnose issues
- app usage
- improve performance and usability
Azure Functions
- serverless
- small piece of code
- billing
- for run time code runs
- uses AppService Plan
- Premium Plan - more powerful, pre-warmed instances
- supports C#, Python, Java, JavaScript, PowerShell
- function features depend on chosen billing plan (like backup, scaling...)
Invoking:
- HTTP trigger
- Scheduler
- From other service (Blob storage / Queue Storage / Event Hubs)
Azure LOGIC Apps
- To schedule, automate, orchestrate tasks, business processes and workflows
- first design workflow
- each workflow starts with TRIGGER
- The trigger is fired by a specific event
- When trigger is fired, Logic App engine creates app instance that runs the workflow
Azure Service Bus
- Messaging system (like Google Pub/Sub)
- 2 services: QUEUE and TOPIC
- start with creating NameSpace
QUEUE
- FIFO message delivery
- PUBLISHER send message
- CONSUMER receives message from the queue
- single message for a single CONSUMER 1:1
- We can:
- PEEK the message - only to see it, without deleting it
- RECEIVE the message - to receive it and delete it from the queue
TOPIC
- PUBLISHER publishes
- SUBSCRIBERS listen to the TOPIC
- can have multiple subscribers
- requires at least Standard tier
- We can PEEK or RECEIVE the message
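The queue and topic semantics listed above, as an added illustration that is not the Azure SDK: a FIFO queue where peek leaves the message in place and receive removes it (one message reaches one consumer), and a topic that fans every published message out to each subscription. Queue, topic and message names are constructed.

```python
"""Model of the Service Bus semantics listed above: a FIFO queue where peek
leaves the message in place and receive removes it (one message reaches one
consumer), and a topic that fans every published message out to each
subscription. Added illustration, not the Azure SDK; names and bodies are
constructed."""
from collections import deque


class Queue:
    """FIFO queue: publishers send, a single consumer receives each message."""

    def __init__(self, name):
        self.name = name
        self._messages = deque()

    def send(self, body):
        self._messages.append(body)

    def peek(self):
        """Look at the head of the queue without removing it."""
        return self._messages[0] if self._messages else None

    def receive(self):
        """Take the head of the queue; it is gone for every other consumer."""
        return self._messages.popleft() if self._messages else None

    def __len__(self):
        return len(self._messages)


class Topic:
    """Topic: each subscription gets its own copy of every published message."""

    def __init__(self, name):
        self.name = name
        self._subscriptions = {}

    def subscribe(self, sub_name):
        sub = Queue(f"{self.name}/{sub_name}")
        self._subscriptions[sub_name] = sub
        return sub

    def publish(self, body):
        for sub in self._subscriptions.values():
            sub.send(body)
        return len(self._subscriptions)  # number of copies delivered


def queue_demo():
    """Queue: two consumers, three messages; each message reaches one of them."""
    q = Queue("orders")
    for body in ("order-1", "order-2", "order-3"):  # constructed messages
        q.send(body)
    peeked = q.peek()            # still in the queue afterwards
    consumer_a = q.receive()     # takes order-1
    consumer_b = q.receive()     # takes order-2, never sees order-1
    return {"peeked": peeked, "a": consumer_a, "b": consumer_b, "left": len(q)}


def topic_demo():
    """Topic: one publish, every subscription receives the same message."""
    t = Topic("events")
    billing, audit = t.subscribe("billing"), t.subscribe("audit")
    copies = t.publish("invoice-paid")
    return {"copies": copies, "billing": billing.receive(), "audit": audit.receive()}


if __name__ == "__main__":
    print(queue_demo())
    print(topic_demo())
```

Modelling each subscription as its own queue is also how to think about the tiering note above: the topic adds fan-out on top of queue semantics, so every subscription can peek or receive independently of the others.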