Azure: Describe Azure Architecture and Services (35-40%), Describe Azure…
Azure
Identity Services
Microsoft Entra ID
- is Microsoft's cloud-based identity service, the cloud counterpart of Active Directory
Who uses it?
- IT Admins: control access to resources
- App Devs: get a standards-based approach for adding identity to their apps
- Users: manage their own identities
- Online Service Subscribers: Office 365 and Microsoft 365 subscriptions already use Entra ID
What does it do?
- Authentication
- SSO Single sign-on
- App Management
- Device Management: allow access only from devices that meet a condition (e.g. coming from a given network), managed with Microsoft Intune
Microsoft Entra Connect
- syncs user identities between on-premises Active Directory and Entra ID
Active Directory
- provides an identity and access management service
Microsoft Entra Domain Services
- provides managed domain services such as domain join, group policy, LDAP and Kerberos/NTLM authentication
- lets you run legacy apps in the cloud that can't use modern auth methods, or where you don't want directory lookups to always go back to an on-premises AD DS environment
- is configured to perform a one-way sync from Entra ID to Entra Domain Services
Auth Methods
SSO Single sign-on
- enables users to sign in one time and use that credential to access multiple resources and apps from different providers
- you need to remember only one ID and one password
- access across apps is granted to a single identity that is tied to the user
- reduces the effort needed to change or disable accounts
MFA Multifactor auth
- prompts the user for an extra form of identification during the sign-in process
Passwordless auth
- the password is removed and replaced with something you have plus something you are or something you know
- ex: biometrics, PIN, gestures
- ex: Authenticator App
FIDO Fast Identity Online
- promotes open auth standards and reduces the use of passwords
FIDO2 incorporates the WebAuthn standard.
- unphishable, standards-based passwordless auth
- ex: USB device, Bluetooth, NFC
Azure Conditional Access
- used to allow (or deny) access to resources based on identity signals
- these signals include who the user is, where the user is (location), and what device the user is requesting access from
Signal => Decision => Enforcement
RBAC Role-Based Access Control
- a role assignment is applied to a scope, which is a resource or set of resources (management group, subscription, resource group or single resource); it also applies to everything below that scope
Zero Trust model
- security model that assumes the worst-case scenario
- Verify explicitly
- Use least-privilege access: Just-In-Time and Just-Enough-Access
- Assume breach
- instead of assuming that a device is safe because it's within the corporate network, it requires everyone to authenticate
Security
Defence-in-depth
- uses a series of mechanisms to slow the advance of an attack that aims to acquire unauthorized access to data
Layers of Defense:
- Physical
- Identity & Access
- Perimeter
- Network
- Compute
- Application
- Data
Defender for Cloud
- monitoring tool for security posture management and threat protection
- Azure services are already protected by default
Helps you detect threats across:
- Azure PaaS services
- Azure Data Centers
- Networks
Defend Hybrid resources
- to extend protection to on-premises machines, deploy Azure Arc and enable Defender for Cloud's enhanced security features
Defend resources running on other clouds (AWS, GCP)
3 Vital Needs
- Assess: know your security posture. Identify and track vulnerabilities.
- Secure: harden resources against the Azure Security Benchmark
- Defend: Detect and resolve threats to resources.
Storage Services
Storage types
Data Lake
- Optimized for analytics workloads
- Built on top of Blob Storage
- Supports big data tools like HDInsight, Azure Synapse ...
Queue/Message Queue
- Messaging system for decoupling applications
- Enables async processing
- Ideal for background tasks and job pipelines
- Stores a large number of messages
Table storage NoSQL
- Key-Value
- Structured, non-relational data
- Fast and cheap
- Great for large-scale datasets, logging...
Blob
- Used to store massive amounts of unstructured data
- Ideal for: binary data, documents, streaming audio/video, big files
- Accessed through HTTP/HTTPS
Tiers:
- Hot: frequently accessed
- Cool: infrequently accessed, minimum 30 days
- Cold: rarely accessed, minimum 90 days
- Archive: rarely accessed, minimum 180 days; stored offline, so retrieval takes time
Data Redundancy
Redundancy in Primary Region
- Data is always replicated 3 times
LRS Locally redundant storage
PRO:
- Provides durability of 99.999999999% (11 nines) over a given year
- Protects data against server rack and drive failures
CONS:
- Doesn't protect against datacenter-level disasters (flooding, fire ...); in that case data can be lost or unrecoverable
ZRS Zone redundant storage
PRO:
- Replicates data synchronously across availability zones in the primary region
- Provides durability of 99.9999999999% (12 nines) over a given year
CONS:
- Higher cost
- Only available in regions that support Availability Zones
Redundancy in Secondary Region
- Secondary region that is hundreds of miles away from the primary region
GRS Geo-redundant storage
- Copies data using LRS in the primary region, then asynchronously copies it to the secondary region, where it is again stored using LRS
- Durability of 99.99999999999999% (16 nines) over a given year
GZRS Geo-zone-redundant storage
- Copied across 3 Availability Zones in the primary region (like ZRS) and also replicated asynchronously to the secondary region using LRS
- Durability of 99.99...(16)% over a given year
Data Migration Options
Azure Migrate
- migrate from an on-premises environment to the cloud
Azure Data Box
- physical migration service that helps transfer large amounts of data in a quick, inexpensive, and reliable way.
- For huge amounts of data (TB or PB)
File Movement
AzCopy
- Command-line utility that you can use to copy blobs or files to or from your storage account
Azure Storage Explorer
- Standalone app that provides a graphical interface to manage files and blobs in your Azure Storage account; uses AzCopy under the hood
File Sync
- Tool that lets you centralize your file shares in Azure Files while keeping the flexibility, performance, and compatibility of a Windows file server
- Local files automatically stay bi-directionally synced with your files in Azure