Azure Fundamentals

Part 1/4 – Concepts, Introduction to Azure, Architecture and SLAs, Accounts and Subscriptions

Material source:

Microsoft documentation

Concepts

Microsoft’s view on the benefits of cloud computing:

  • Cost-effective
  • Scalable
  • Elastic
  • Current
  • Reliable
  • Global
  • Secure

Azure is NIST CSF, ISO/IEC 27018, SOC 1/2/3, HIPAA and GDPR compliant.

Management responsibility across different types of cloud services

In Azure, one server in each rack of servers runs a special piece of software called a Fabric Controller. Fabric Controllers are connected to the Orchestrator. Orchestrators are responsible for everything that happens in Azure, including user requests. Users make requests using the Orchestrator’s web API.

Azure: the big picture

Azure services are divided into ten main categories.

Compute services

  • Virtual Machines: Windows or Linux VMs
  • Virtual Machine Scale Sets: Scaling for Windows or Linux VMs
  • Kubernetes Service: Enables management of a cluster of VMs that run containerised services
  • Service Fabric: Distributed systems platform. Runs in Azure or on-premises
  • Batch: Managed service for parallel and high-performance computing applications
  • Container Instances: Provides containers without requiring VM provision or higher services
  • Functions: An event-driven serverless compute service

Networking

  • Virtual Network: connects VMs to incoming VPN connections
  • Load Balancer: Balances inbound and outbound connections to applications or service endpoints
  • Application Gateway: optimises app server farm delivery while increasing application security
  • VPN Gateway: accesses Azure virtual networks through high-performance VPN gateways
  • DNS
  • Content Delivery Network
  • DDoS Protection
  • Traffic Manager: distributes network traffic across Azure regions worldwide
  • ExpressRoute: Connects to Azure over high-bandwidth dedicated secure connections
  • Network Watcher: monitors and diagnoses network issues using scenario-based analysis
  • Firewall
  • Virtual WAN: Creates a unified WAN, connecting local and remote sites

Storage services

  • Blob storage: storage service for very large objects, such as video files or bitmaps
  • File Storage: file shares that you can access and manage like a file server
  • Queue Storage: a data store for queuing and reliably delivering messages between applications
  • Table Storage: A NoSQL store that hosts unstructured data independent of any schema

DevOps

  • DevOps: provides development collaboration tools including high-performance pipelines, free private Git repositories, configurable Kanban boards, and extensive automated and cloud-based load testing
  • DevTest Labs: create on-demand Windows and Linux environments you can use to test or demo your applications directly from your deployment pipelines

Mobile

Enables developers to create mobile backend services for iOS, Android and Windows apps. Offers offline data synchronisation, connectivity to on-premises data, broadcasting of push notifications and autoscaling to match business needs.

Databases

  • Cosmos DB: Globally distributed database that supports NoSQL options
  • SQL Database: Fully managed relational database with auto-scale, integral intelligence, and robust security
  • Database for MySQL
  • Database for PostgreSQL
  • Database for MariaDB
  • SQL Server on VMs
  • SQL Data warehouse
  • Database migration service: Migrates your databases to the cloud with no application code changes
  • Cache for Redis: Caches frequently used and static data to reduce data and application latency

Web

  • App Service: Quickly create powerful cloud web-based apps
  • Notification hubs: Send push notifications to any platform from any back end
  • API Management: Publish APIs to developers, partners, and employees securely and at scale.
  • Search: Fully managed search as a service
  • Web Apps feature of Azure App Service: Create and deploy mission-critical web apps at scale
  • SignalR Service: Add real-time web functionalities easily

Internet of Things

  • IoT Central: Fully-managed global IoT software as a service (SaaS) solution that makes it easy to connect, monitor, and manage your IoT assets at scale
  • IoT Hub: Messaging hub that provides secure communications and monitoring between millions of IoT devices
  • IoT Edge: Push your data analysis onto your IoT devices instead of in the cloud allowing them to react more quickly to state changes

Big Data

  • SQL Data Warehouse: leverages massively parallel processing (MPP)
  • HDInsight: Process massive amounts of data with managed Hadoop clusters in the cloud
  • Data Lake Analytics: On-demand scalable analytics service that allows you to write queries to transform your data and extract valuable insights

Artificial Intelligence

  • Machine Learning Service: develop, train, test, deploy, manage, and track machine learning models. It can auto-generate a model and auto-tune it for you. It will let you start training on your local machine, and then scale out to the cloud
  • Machine Learning Studio: Collaborative, drag-and-drop visual workspace where you can build, test, and deploy machine learning solutions using pre-built machine learning algorithms and data-handling modules
  • Cognitive Services: pre-built APIs you can leverage in your applications to solve complex problems

Azure Cloud Shell: a browser-based command-line experience for managing and developing Azure resources. Think of Cloud Shell as an interactive console that you run in the cloud. Cloud Shell provides two experiences to choose from: Bash and PowerShell. Both include access to the Azure CLI, the command-line interface for Azure.

Azure Resource Group: Virtual machines and other cloud resources are grouped into logical containers called resource groups. Groups are typically used to organize sets of resources that are deployed together as part of an application or service. You refer to a resource group by its name.

Normally, the first thing we’d do is to create a resource group to hold all the things that we need to create. This allows us to administer all the VMs, disks, network interfaces, and other elements that make up our solution as a unit.

By default, Azure assigns a public IP address to your VM. You can configure a VM to be accessible from the Internet or only from the internal network.

Tools that are commonly used for day-to-day management and interaction include:

  • Azure portal for interacting with Azure via a Graphical User Interface (GUI)
  • Azure PowerShell and Azure Command-Line Interface (CLI) for command line and automation-based interactions with Azure
  • Azure Cloud Shell for a web-based command-line interface

Both the Azure CLI and Azure PowerShell can be leveraged to build automated scripts that work against Azure Resource Manager; such scripts are considered Infrastructure as Code (IaC).

ARM templates, Terraform, Ansible, Jenkins and cloud-init are some of the other tools available to deploy and manage your environment in Azure.

Custom Script Extension: An easy way to download and run scripts on your Azure VMs. You can store your scripts in Azure storage or in a public location such as GitHub.

Azure Advisor and Azure Cost Management are two services that help you optimize cloud spend. You can use these services to identify where you’re using more than you need, and then scale back to the capacity you’re actually using.

Azure architecture and service guarantees

A region is a geographical area on the planet containing at least one, but potentially multiple datacenters that are nearby and networked together with a low-latency network. Azure intelligently assigns and controls the resources within each region to ensure workloads are appropriately balanced. There are some global Azure services that do not require you to select a particular region, such as Microsoft Azure Active Directory, Microsoft Azure Traffic Manager, and Azure DNS.

Azure divides the world into geographies that are defined by geopolitical boundaries or country borders. An Azure geography is a discrete market typically containing two or more regions that preserve data residency and compliance boundaries. Geographies are fault-tolerant to withstand complete region failure through their connection to dedicated high-capacity networking infrastructure.

Geographies are broken up into the following areas:

  • Americas
  • Europe
  • Asia Pacific
  • Middle East and Africa
  • Brazil

Availability Zones are physically separate datacenters within an Azure region. Each Availability Zone is made up of one or more datacenters equipped with independent power, cooling, and networking. AZs are connected through high-speed, private fiber-optic networks.

Azure services that support Availability Zones fall into two categories:

  • Zonal services – you pin the resource to a specific zone (for example, virtual machines, managed disks, IP addresses)
  • Zone-redundant services – platform replicates automatically across zones (for example, zone-redundant storage, SQL Database).

Availability zones are created using two datacenters within a single region. However, it’s possible that a large enough disaster could cause an outage big enough to affect even two datacenters. That’s why Azure also creates region pairs.

Region Pairs: Each Azure region is always paired with another region within the same geography at least 300 miles away. This approach allows for the replication of resources (such as virtual machine storage) across a geography that helps reduce the likelihood of interruptions.

Additional advantages of region pairs include:

  • If there’s an extensive Azure outage, one region out of every pair is prioritized to help reduce the time it takes to restore them for applications.
  • Planned Azure updates are rolled out to paired regions one region at a time to minimize downtime and risk of application outage.
  • Data continues to reside within the same geography as its pair (except for Brazil South) for tax and law enforcement jurisdiction purposes.

There are three key characteristics of SLAs for Azure products and services:

  1. Performance Targets
  2. Uptime and Connectivity Guarantees
  3. Service credits

Service Credits: SLAs also describe how Microsoft will respond if an Azure product or service fails to perform to its governing SLA’s specification. For example, customers may have a discount applied to their Azure bill, as compensation for an under-performing Azure product or service.

When combining SLAs across different service offerings, the resultant SLA is called a composite SLA. The resulting composite SLA can provide higher or lower uptime values, depending on your application architecture.

By creating your own SLAs, you can set performance targets to suit your specific Azure application. This approach is known as an Application SLA.
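As an added worked example (not from the page or from Microsoft’s documentation), the composite-SLA arithmetic in Python: components a request must pass through in series multiply their availabilities, so the composite is lower, while a redundant fallback path only fails when every path fails, so the composite is higher. The SLA figures are assumed sample values, and the design is checked against a self-set Application SLA target.

```python
from functools import reduce
from typing import Iterable

# Assumed sample availability figures (not quoted from the page): a web tier and a
# database every request touches in series, plus a fallback queue for database outages.
WEB_TIER_SLA = 0.9995
DATABASE_SLA = 0.9999
FALLBACK_QUEUE_SLA = 0.999

MINUTES_PER_YEAR = 365 * 24 * 60


def serial_sla(slas: Iterable[float]) -> float:
    """Composite SLA when ALL components must be up (a request passes through each
    one in turn): availabilities multiply, so the result is below every single part."""
    return reduce(lambda acc, sla: acc * sla, slas, 1.0)


def redundant_sla(slas: Iterable[float]) -> float:
    """Composite SLA when ANY one component being up is enough (failover, a second
    zone or a paired region): only a simultaneous failure of every path is an outage."""
    all_fail = reduce(lambda acc, sla: acc * (1.0 - sla), slas, 1.0)
    return 1.0 - all_fail


def downtime_minutes_per_year(sla: float) -> float:
    """Turn an availability fraction into the unavailability it permits per year."""
    return (1.0 - sla) * MINUTES_PER_YEAR


def meets_application_sla(composite: float, target: float) -> bool:
    """An Application SLA is a target you set yourself; check the design against it."""
    return composite >= target


def worked_example(target: float = 0.9995) -> dict:
    """Compare the plain series design with the fallback-queue design against a target."""
    series = serial_sla([WEB_TIER_SLA, DATABASE_SLA])
    # With the queue, the data tier is "database OR queue", then in series with the web tier.
    data_tier = redundant_sla([DATABASE_SLA, FALLBACK_QUEUE_SLA])
    with_fallback = serial_sla([WEB_TIER_SLA, data_tier])
    return {
        "series": series,
        "series_downtime_min_per_year": downtime_minutes_per_year(series),
        "with_fallback": with_fallback,
        "series_meets_target": meets_application_sla(series, target),
        "fallback_meets_target": meets_application_sla(with_fallback, target),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

Note that no amount of redundancy in the data tier lifts the composite above the web tier’s own 99.95%, because a serial chain is bounded by its weakest term; that is why the 99.95% target still fails with the fallback queue in place.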

Azure accounts and subscriptions

An Azure account is what you use to sign in to the Azure website and administer or deploy services. Every Azure account is associated with one or more subscriptions and is a globally unique entity. Authentication for your account is performed using Azure Active Directory (Azure AD).

An Azure subscription is a logical container used to provision resources in Microsoft Azure. It holds the details of all your resources like virtual machines, databases, etc. You can create multiple subscriptions under a single Azure account. This is particularly useful for businesses because access control and billing occur at the subscription level, not the account level.

Subscriptions are also bound to some hard limits. For example, the maximum number of ExpressRoute circuits per subscription is 10. Those limits should be considered as you create subscriptions on your account.

Azure offers free and paid subscription options. The most commonly used subscriptions are:

  • Free: An Azure free subscription includes a $200 credit to spend on any service for the first 30 days, free access to the most popular Azure products for 12 months, and access to more than 25 products that are always free.
  • Pay-As-You-Go
  • Enterprise Agreement: provides flexibility to buy cloud services and software licenses under one agreement, with discounts for new licenses and Software Assurance.
  • Student: includes $100 in Azure credits to be used within the first 12 months plus select free services without requiring a credit card at sign-up.

Azure AD is partitioned into separate tenants. A tenant is a dedicated, isolated instance of the Azure Active Directory service, owned and managed by an organisation. When you sign up for a Microsoft cloud service subscription such as Microsoft Azure, Microsoft Intune, or Office 365, a dedicated instance of Azure AD is automatically created for your organisation. The email address you use to sign in to Azure can be associated with more than one tenant.

Azure AD tenants and subscriptions have a many-to-one trust relationship: A tenant can be associated with multiple Azure subscriptions, but every subscription is associated with only one tenant. This structure allows organisations to manage multiple subscriptions and set security rules across all the resources contained within them.

Notice that each Azure AD tenant has an account owner. This is the original Azure account that is responsible for billing. You can add additional users to the tenant, and even invite guests from other Azure AD tenants to access resources in subscriptions.

Microsoft offers four paid Azure support plans for customers who require technical and operational support:

  1. Developer
  2. Standard
  3. Professional Direct
  4. Premier (includes a dedicated Technical Account Manager, or TAM)