Please enable JavaScript.

Coggle requires JavaScript to display documents.

Azure Services - Coggle Diagram

- - - - Site-to-site
      - point-to-site
      - Azure network to azure network
      - Resource requires
        
        Virtual network
        1 VPN gatewway per VNet
        
        GatewaySubnet
        At least /27
        
        Public IP address
        basic SKU dynamic
        
        Local network gateway
        Define network and public IP on-premises
        
        Virtual network gateway
        route traffic between VNet and on-premises network
        
        Connection
        between VPN gateway and local network gateway
        Can create multiple connection
      - HA
        
        Active/standby
        
        By default
        
        Switch during maintanance or unplanned disruption
        
        Active/Active
        
        Use BGP
        
        Connect to each other
        
        Use as failover for Express route
        
        Zone redundant gateway
    - - Policy-based VPN
        
        IKEv1 only
        
        static routing
        
        Used on legacy VPN devices
        
        Define IP network behind tunnel
      - Route-based VPN
        
        Support IKEv2
        
        dynamic routing
        
        Point to site, multisite, between azure network
  - - - Layer 3 connection to Azure
      - Access Azure service
        
        MS 365
        
        MS Dynamic 365
        
        Azure compute service
        
        Azure cloud service
      - Use BGP
      - Support routing between DC
      - Models
        
        CloudExchange co-location
        
        Point to point
        
        Any to any
      - Architecture
  - - - Name
      - Priority
        Low then high
      - Source & Destination
        
        Any
        
        IP
        
        CIDR block
        
        Tag
        
        App security group
      - Protocol
      - Direction
        
        Inbound
        
        Outbound
      - Action
    - - Inbound
        
        Allow inbound coming from any VM to any VM within the subnet.
        
        Allow traffic from the default load balancer to any VM within the subnet.
        
        Deny traffic from any external source to any of the VMs.
      - Outbound
        
        Allow outbound going from any VM to any VM within the subnet.
        
        Allow outbound traffic going to the internet from any VM.
        
        Deny traffic from any internal VM to a system outside the virtual network.
  - - - Destination for application :!:
      - Azure endpoint :one:
        services hosted in Azure
      - External endpoint :two:
        IPv4/v6 outside Azure/On-premise/other providers
      - Nested endpoint :three:
        Combine Traffic Manager profile for flexible
        traffic-routing, complex deployment
    - - Weight
        
        Distrubute
        
        Distribute traffic across endpoint based on weight
      - Performance
        
        Routing based on performance. Like latency
      - Geographic
        
        User are directed to specific endpoints based on where DNS query originate
      - Multivalue
        
        :question:
      - Subnet
        
        :question:
      - Priority
        
        routing based order 1st, 2nd, 3rd...
  - - - 5 tuple hash
        Default :warning:
        
        Source Port
        
        Destination IP
        
        Destination port
        
        Protocol
        
        Source IP
      - 2/3 tuple hash (source IP affinity)
    - - Availability set
        
        99.95%
      - Availability Zone
        
        99.99%
    - - Basic LB
        
        Port forwarding
        
        Automatic reconfiguration
        
        Health probes
        
        Outbound connection source NAT
        
        Diagnostics through azure log analytic for public facing LB
        
        Can be used only with availability sets :warning:
      - Standard LB
        All basic +
        
        HTTPS probes
        
        Availability Zone
        
        Diagnostics through Azure monitor
        
        HA port
        
        Outbound rule
        
        SLA 99.99%
    - - Public load balancer
        
        Client :arrow_right: Web front end (Default)
      - Internal Load balancer
        
        Between internal service
  - - - Support Layer 7: HTTP(S),Websocket,HTTP/2
      - Use round-robin mechanism
        round-robin mechanism
    - - Path-based
        
        Based on path of URL
      - Multiple site
        
        Based on DNS names
      - Redirection
        
        Redirect to another site or HTTP(S)
      - Rewrite HTTP header
        
        Pass additional information with request or respond
      - Custom error pages
    - - Front-end IP
        
        Client access FE IP
        
        1 Public or private IP
      - Listeners
        
        Use to receive incoming request
        
        IP/Port/Host/IP
        
        Route to a backend pool
        
        Type
        
        Basic
        Based on URL
        
        Multiple site
        Based on hostname and URL
        
        SSL
      - Routingrules
        
        Protocol
        
        Session sticky
        
        Connection drain
        
        Request timeout
        
        Health probes
      - Back-end Pools
        
        Collection of web servers IP & Port
      - WAF
        
        Check incoming request before reach listener
      - Health probes
        
        Health check server
  - - - Internet
      - Virtual network
      - None
    - - Connect resource across regions/VNet
    - - VPN
    - - Expose resource via endpoint
    - - Route through network virtual appliance or firewall
      - Next hop
        
        Virtual appliance: firewall appliance or network inspection
        
        Virtual network gateway: Specify route for address to VPN.
        
        Virtual network: override the default system route
        
        Internet: use to route traffic to internet
        
        None: Drop traffic
    - - User defined routes :one:
      - BGP routes :two:
      - System route :three:
  - - - Monitoring
        
        Network Performance Monitor tool
        Track and alert on latency/packet drop
        
        Between branch and datacenter
        
        Connection between on-premise and cloud
        
        Azure ExpressRoute
        
        Between VNet
        
        Connection monitor tool
        Check connection between 2 Azure resource
        Latency, connection, FQDN
        
        Topology tool
        Generate a graphical Azure VNet,
        resources, interconnection and relationship
      - Diagnostic
        
        IP flow verify
        Check packets are denied or allowed
        Show name of NSG denied
        
        Next hop
        Check next hop of the VM when route to destination
        
        Effective security rule
        List all NSG applied to NIC
        
        Packet capture tool
        Capture all packets to/from VM
        Limit 100 packet capture sessions per region.
        Use Network watcher agent VM ext on VM
        
        Connection troubleshoot
        Test connection between VM by FQDN, URI or IP
        Result: Latency, number of packets, hop and failed reason
        
        VPN Troubleshoot
        diagnose problems with VNet gateway
      - Use case
        
        Check port open
        If denied by NSG
        
        Connection between 2 VM
        
        VPN connection
      - Usage and Quota
        All Services > Networking > Network Watcher ->Usage and quotas
      - Logging
        
        Flow log
        Show ingress & egress traffic on NSG
        Out put JSON : Src IP, Des IP, Src port, Des port, Protocol
        
        Diagnostic logs
        Enable on Azure resource: NSG, Public IP, LB & App Gateway
        
        Traffic analytics
        Investigate user and app activities
        Log analytic workspace must exist
      - Troubleshoot step
- - - - Resource must be in RG
      - Resource can only be member of 1 RG
      - Many resource can be moved between RG
      - Managed and organized
      - Container of resource
    - - Authorization (RBAC)
      - Naming convention
      - Life cycle
      - Organizing principles
        
        Kind of resource
        
        Environment
        
        Department
        
        Department mix Environment
      - Billing
  - - - Name/Value pair
      - Applied to resource and RG
      - Use cases
        
        Department
        
        Environment
        
        Cost
        
        Life cycle and automation
        
        Alert can view tag
        
        Security
        Public/private
        
        Impact
        
        Owner
      - Max 50 tags per resource
  - - - What is :question:
        
        Apply on resource/RG
        
        Create, assign & manage policies
      - Use case
        
        Enforce resource on specific region
        
        Specify type of resource to be created
        
        Enforce naming convention
        
        Enforce tag to resource when create
        
        Prevent noncompliant resource created or modified
        
        Integrate with Azure DevOps apply CI delivery policies apply pre-deployment and post-deployment
      - Policy initiative
        
        Group related policies into one set
    - - What is :question:
        
        Artifact contain 1 or more parameters
        
        Each component is artifact
      - Use case
    - - Billing
      - Access control
      - Subscription limits
  - - - Provide access management for resources
      - Allow granted user the right they need
      - Applied to a scope
      - Scope
        
        Management group :one:
        
        Single subscription :two:
        
        RG :three:
        
        Resource :four:
      - When grant access to parent scope
        Permissions are inherited by all child scope
    - - Allow user to manage VM in specific subscription
      - Allow DBA group to manage SQL database
      - Allow application access all resource in RG
    - - Grant specific actions at particular scope
      - Always grant users the lowest privilege level
      - Use resource locks to ensure critical resource are not modified or deleted
    - - Use allow model
        If 1 role has read permission other has write on resource
        Result: have both read & write
      - Apply on individual or group
      - Apply on special identity : service principals or managed identities
  - - - What is :question:
        
        Collecting metric
      - Alert
        
        Trigger
        
        Metric Alert
        
        Activity log
        
        Log
        
        Target resource
        
        Rule
        
        Resource
        
        Condition
        
        Static
        
        dynamic
        
        Action
        
        Alert detail
        
        Log
        
        Search rule
        
        Log query
        Query run
        
        Time period
        Time range
        
        Frequency
        
        Threshold
        
        Metric
        
        aggregate
        
        Group field
        
        Interval
        
        Threshold
        
        Attribute
        
        Category
        
        scope
        
        RG
        
        Resource type
        
        Operation name
        
        Level
        
        Status
        
        Event initiated by
        
        Action
        
        Email
        
        SMS
        
        Azure app push notification
        
        Voice call
        
        Azure Function
        
        Trigger logic app
        
        Send nofication to webhook
        
        Create ITSM ticket
        
        Runbook
        
        Smartgroup
        
        use ML to group alert
      - Service health
- - - - Support: VMWare, Hyper-V, baremetal
      - Discover, assesses & migrate on-premise to Azure
      - Agent for VM relationship (Windows & Linux)
      - Migrate VM to Azure
    - - Standard
        
        Offline only
      - Premium
        
        Offline and online
        
        No charge first 6 months
      - Method
        
        Offline
        Shutdown the server
        
        Online
        Continuous synchrnozation
      - Destination
        
        Azure SQL database instance
        
        Azure SQL database managed instance
        
        SQL server on Azure VM
        
        Azure Database for MySQL
        
        Azure database for PostgresSQL
        
        Azure Cosmos DB
- - - - Central MGT
        Replication can be set up and managed
        Failover and failback
      - On premises VM replication
        On-premise can be replicate to Azure or other on-premise DC
      - Azure VM replication
        Azure VM can be replicated from one region to another
      - App consistency
        Use recovery points and application-consistent snapshot
      - Flexible failover
        Run as test or trigger during actual disaster
      - Network integration
        Can manage network during replication and disaster recovery
    - - Networking :one:
      - Recovery service vault :two:
        A vault in your Azure subscription stores the migrated VMs when a failover is run
      - Credential :three:
        Virtual Machine Contributor and Site Recovery Contributor roles to allow permission to modify both the VM and the storage
      - Configuration server :four:
        An on-premises VMware server fulfills several roles during the failover and replication process
        
        Process server
        This server acts as a gateway for the replication traffic. It caches, compresses, and encrypts the traffic before sending it over the WAN to Azure.
        
        Master target server
        handles the replication process during a failback from Azure
    - - Infastructure
        
        Hyper-V
        
        Physical server
        
        VMWare
        
        Azure VM
      - Application
        
        SAP
        
        IIS
        
        CItrix XenAPP XenDesktop
        
        Dynamic AX
        
        Remote desktop service
        
        Exchange
        
        SQL server
        
        AD & DNS
    - - Failover
        Invoke the BCDR plan
      - Failback
        Switch back to original role
    - - Can only replicate back to your on-premises configuration server
      - Recovery point objective is 15 mins
      - Recovery point retention is 24 hours
      - App-consistent snapshots are every hour
  - - - Evaluate what kind of business impact
      - Consider automate the process as much as possible
      - Natural disaster, technical nature delete database
      - Document the process
    - - How much data loss is acceptable RPO
      - Maximum duration of acceptable downtime for your application RTO
    - - Uptime
      - recovery plan
      - Identify and inventory the service you depend on.
        Incorporate their recovery capabilities
    - - Region pairing
      - Availability sets
        
        Fault domain
        
        Update domain
      - Availability zone
    - - On-premise
        
        VPN site to site
        Replicate on-premises to Azure
        
        Traffic manager
        Forward and health check on-premises
      - Azure
        
        VNet peering
        
        Traffic manager
    - - Active-Active
      - Active-Passive
    - - SQL database
        
        Failover
        
        Backup
        
        Use GRS to store backup
        
        Encrypted by default
        
        Primary & secondary replication
      - Azure cosmost
        
        Containers are partitioned
        Partition
    - - SQL database
        
        Full backup
        
        Increamental
        
        Differental
        
        Transactional
        
        Retention tier
        
        Basic 7days
        
        Standard 35 days
        
        Premium 35 days
    - - App service
        
        OS
        
        Linux
        
        Windows
        
        Hardawre
        
        CPU
        
        Memory
        
        Disk
        
        Availability
        
        Backup & Restore
        
        Tier
        
        Free tier
        
        1G disk space
        
        Up to 10 apps
        
        1 single shared instance
        
        No SLA
        
        Testing purpose
        
        60 mins computing per day
        
        Shared tier
        
        Up to 100 apps
        
        240 mins computing per day
        
        No availability SAL
        
        Basic tier
        
        Unlimited apps
        
        Multiple disk space options
        
        Scale up to 3 dedicated instance
        
        SLA 99.95%
        
        Premium tier
        
        Up to 20 dedicated instances
        
        SLA 99.96%
        
        Multiple level of hardware
        
        Isolated tier
        
        Dedicated instances
        Isolate network and computing
        
        Up to 100 instances
        
        SLA 99.95%
        
        Scale up
      - VM scale set
        
        Limit 1000 VM on scale set
        
        Horizon scaling
        
        Vertical scaling
        
        Type
        
        Scheduled scaling
        Proactively schedule the scale set
        
        Autoscaling
        Scale based on metric threshold
        
        Low-priority scale set
        
        Save cost up to 80%
        
        Temporary
        
        Use Azure scheduled Event to react to the notification
        Clean up or gracefully exit code
        
        Remove
        
        Delete
        Everything is removed
        
        Deallocate
        VM is stopped, Disks are left intact and data is kept
        
        Define
        
        Maximum & minimum
        
        Scale rules
        
        Can contain many rules
        
        Default scale condition is alway active
- - - - Page blob
      - Append Blob
      - Block blob
  - - - location
      - performance
      - Replication
        
        Locally redundant storage LRS :one:
        
        3 copy same DC
        Different hardware
        
        Cheapest
        
        Geo redundant storage GRZ :three:
        
        Same as ZRS but have secondary region
        Secondary in inaccessible until primary fail
        3 copy in primary and secondary by LRS
        
        Zone redundant storage ZRS :two:
        
        2-3 copy same Region
        Different Availability Zone
        
        Geo Zone redundant storage GZRS :five:
        
        3 copy using ZRS in primary region
        3 copy using LRS in secondary region
        
        Read-access Geo redundant storage RA-GRS :four:
        
        Same as GRS but allow read access from secondary
        Have "-secondary"
        
        Read access Geo Zone redundant storage RA-GZRS :six:
        
        Same as GZRS but allow read access from secondary
        Have "-secondary"
      - Access tier
      - Secure transfer
      - Virtual network
      - subscription
    - - Data
      - Cost
      - Management
    - - Name
      - deployment model
        
        Resource manager :+1:
        
        classic
      - Account kind
        
        StorageV2
        
        Storage
        
        Blob :+1:
    - - Access key
        
        2 key
      - Rest API endpoint
      - Shared access signatures (SAS)
    - - HA
        
        lab
      - Security
        
        Network access rule
        
        Advanced threat protection
        
        Blob
        
        Azure files
        
        Azure data lake
  - - - Azure CLI
      - AzurePower Shell
      - Client libraries
      - Azure Portal
    - - Azure storage explorer
        
        Features
        
        Support
        
        Queue storage
        
        Files
        
        Data lake storage
        
        Multiple storage account in multiple sub
        
        table storage
        
        Blob storage
        
        Local emulator
        
        Azure storage emulator
        
        azurite
        
        Metric and logging
      - Azure portal
        
        Metric & logging
        
        Chart and graph
        
        Alert
      - AzCopy
- - - - Virtual disk
        
        Role
        
        OS disk
        
        Max 4Tb
        
        1 per VM
        Contain OS
        
        Data disk
        
        Max 32Tb
        
        1 to many per VM depend size
        
        Temporary disk
        
        Lost data after maintenance/reboot
        
        1 per VM
        
        Type
        
        Ephemeral OS disks
        
        Disk on local host
        
        Faster than managed disk
        
        Use for stateless workload
        
        Managed disks
        
        Scalability: 50000 managed disk
        
        High availability: 99.999%
        
        Replication: LRS, ZRS, GRS
        
        Support Azure backup
        
        Ganular access control: RBAC
        
        Support encryption: Azure storage Service Encryption
        Azure disk encryption
        
        Unmanaged disks
        
        Like managed disk except: availability, encryption
        
        Performance
        
        Ultra disks :one:
        
        4G - 64Tb
        
        Limit to VM in availability zone
        
        Data disk only
        
        Do no support snapshot, ADE,
        Azure backup or Azure site recovery
        
        Premium SSD :two:
        
        Dont have limitation like Ultra disk
        
        Limit to large VM size
        
        Depend on size
        
        Standard SSD :three:
        
        Up time 99%
        
        Standard hdd :four:
        
        Cheapest
    - - Fault Domain
      - Update Domain