Shards
Elastic Clusters
Containers
SQL Database elastic pools are a simple, cost-effective solution for managing and scaling multiple databases that have varying and unpredictable usage demands. The databases in an elastic pool are on a single Azure SQL Database server and share a set number of resources (elastic Database Transaction Units (eDTUs)) at a set price. Elastic pools in Azure SQL Database enable SaaS developers to optimize the price performance for a group of databases within a prescribed budget while delivering performance elasticity for each database.
There are five categories of Azure VM Scale Set implementations. General purpose VM Scale Sets work well for implementations requiring small to medium databases and low to medium traffic Web servers.
In Access control (IAM), you can add permissions to resources. To assign a role to a user, select the desired role, choose to assign access to an Azure AD user, group, or application, select the user from the list, and click Save.
There are several factors to keep in mind here related to requirements for a VM restore through Azure Backup.
- The storage tier of the staging location determines the storage tier of the restored VM.
- The VM in question is premium, and the only storage tier that offers premium is Locally Redundant Storage (LRS).
- When your VM uses managed disks, the storage account acting as the staging location cannot have Azure Storage Service Encryption enabled at any time.
The Web Apps service in Azure App Service allows you to create deployment slots to have a separate staging environment for testing updates before they get rolled out to production. The deployment slot creates a new environment which can then be swapped with the production environment after all testing is complete.
Azure to Hyper-V site is not supported during a test failover.
One storage account for each virtual machine in a scale set.
One storage account for every two virtual machines in a scale set.
Two storage accounts for every virtual machine in a scale set.
Two storage accounts for every three virtual machines in a scale set.
If at all possible, Microsoft would like to see a one to one ratio and have a storage account for each virtual machine created in a scale set. If this is not possible, Microsoft recommends using no more than 20 VMs per storage account.
Provide the accountant with read-only access to the specific Azure Blob and File storage services with a service-level shared access signature token. Allow all read requests but limit write requests to LIST and GET. Specify the HTTPS protocol is required to accept requests.
Assign the accountant a guest role in Azure Active Directory with read-only access to the specific Azure Blob and File services in the Azure Storage account.
Assign the accountant a contributor role access to the entire storage account using Azure AD role-based access control (RBAC).
Provide the accountant with read-only access to the specific Azure Blob and File storage services with an account-level shared access signature token. Allow all read requests but limit write requests to LIST and GET. Specify the HTTPS protocol is required to accept requests.
In this case, an account-level SAS is required because the accountant needs access to two separate services in the account. You do not have the necessary information to create a guest or contributor account to control the accountant's access, but you can add controls that require requests to be sent over HTTPS, and you can also control the specific read/write actions.
Active-passive with a hot standby
Active-passive with a cold standby
When it comes to multi-region deployments, there are different options for how you might configure things depending on your availability requirements and your budget.
If you need an extremely high level of availability, then you can use an active/passive model with hot standby. With this approach, you have another version of your solution running in a second region, and it doesn't serve up any traffic unless there's a failure in the primary region.
A variation on that is the active/active model with geo-location based request routing. This is similar to the previous option, but the solution that's running in the second region is actively serving up requests to the users who are closer to that region than the primary.
Then there's the active/passive model with cold standby, which means that there's not a solution running in a second region. Instead, it's dynamically created when the first region is unavailable. This is a great option if you want to balance the cost versus the SLA. The switchover is not going to be immediate, but with a well-defined automation plan, this is a viable option.
Once the timeout has elapsed, the load balancer marks the VM as unhealthy and stops sending requests to it.
The types of failovers that are supported depend on your deployment scenario.
Azure to VMM site:
- Test failover: Unsupported
- Planned failover: Supported
- Unplanned failover: Unsupported
Connection Troubleshoot
IP Flow Verify
Connection Monitor
Traffic Analytics
The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint. For example, you might have a web server VM that communicates with a database server VM. Someone in your organization may, unknown to you, apply a custom route or network security rule to the web server or database server VM or subnet.
The App Service plan provides dedicated VM resources on which your function app will reside and execute. This plan works well for function apps that will execute continuously or at least very frequently, and/or in situations where you have existing, under-utilized App Service VMs on which you could deploy a new function app.
It is important to understand the pros and cons of the various available operating systems that can run on a VM. For Microsoft Windows VMs, the license is built-in and included as part of the cost of the VM saving money. For deployment, there are slight differences between Windows and Linux VMs primarily concerning how the connection to the VM itself is made. Also, Linux authentication is slightly different in that there are two options for the Authentication type, whereas Windows offers just one authentication method.
Network Performance Monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute.
When you have multiple forests, users in each forest can have the same attributes. The recommendation is to use Azure AD Connect and, when carrying out the synchronization, match users by email address so that their information is consolidated.
The Active Directory Federation Services agent shows alerts, monitoring, and usage analytics of AD Federation Service. An Azure Active Directory Domain Services agent shows all of the AD Domain Services forests and the Azure AD Connect Sync agent shows the Azure AD Connect servers that are being monitored.
Pricing Calculator
Total Cost of Ownership (TCO) Calculator
Azure Advisor
Azure Cost Management Tool
The Pricing Calculator tool is an excellent online tool to assist in estimating your Azure costs. This tool allows you to select and estimate the costs of deploying resources to Azure. Of course, to generate the best cost estimate, you’ll need to know exactly what resources you plan to deploy to Azure and their compute and storage requirements.
First and foremost, scale-out operations always have priority over scale-in operations. Anytime that multiple scale-out operations conflict with one another, the rule that takes precedence will be the one that initiates the largest increase in the number of instances. When it comes to scale-in conflicts, the rule that initiates the smallest decrease in the number of instances will take precedence.
A recovery service vault with Azure Backup
A vault with Azure Key Vault
An alarm in Azure Monitor
A resource policy with Azure Policy
If you use snapshots on blobs, monitor the snapshots and delete those which are outdated or no longer needed. An even better way to avoid the costs associated with snapshots is to implement a comprehensive backup solution by deploying an Azure Recovery Vault.
Azure Functions provides many types of triggers. Some examples include:
- EventHubTrigger: responds to events delivered to an Azure Event Hub. Particularly useful in application instrumentation, user experience or workflow processing, and Internet of Things (IoT) scenarios.
- HTTPTrigger: triggers the execution of your code by using an HTTP request.
- QueueTrigger: responds to messages as they arrive in an Azure Storage queue.
- BlobTrigger: processes Azure Storage blobs when they are added to containers. You might use this function for image resizing.
The Azure Cosmos DB SQL API database implementation differs from traditional relational database or SQL techniques. It is a NoSQL database, and NoSQL databases enable storing unstructured and heterogeneous data at scale, which is why they are often utilized in modern cloud applications.
Azure AD Connect Health allows you to monitor both Azure and on-premises resources by deploying specialized agents. MFA is responsible for ensuring secure user login. RBAC controls users' access to resources, and there is no such thing as Azure AD Health Monitor.
WebJobs is a feature of Azure App Service that enables you to run a program or script in the same context as a web app, API app, or mobile app, but as a separate process. And using App Services will minimize management, and web apps support deployment slots, allowing for deployment promotion.
Azure Site Recovery can replicate the data on the virtual machines to another environment to emulate a failover environment that can be switched to immediately. With Azure Backup, it can take time to restore the backup and get an available solution in case of a disaster.
Azure Status
Azure Service Health
Azure Resource Health
Azure Monitor
Azure Status is a global view of the health of all Azure services across all Azure regions. The status page is a good reference for incidents with widespread impact, but we strongly recommend that current Azure users leverage Azure Service Health to stay informed about Azure incidents and maintenance.
Provide the accountant with read-only access to the specific Azure Blob container with a service-level shared access signature token to expire at the end of the business day. Specify the HTTPS protocol is required to accept requests.
Assign the accountant a guest role in Azure Active Directory with read-only access to the specific Azure Blob storage service in the Azure Storage account.
Provide the accountant with read-only access to the specific Azure Blob container with a user-delegation shared access signature token to expire at the end of the business day. Allow all read requests but limit write requests to LIST and GET. Specify the HTTPS protocol is required to accept requests.
In this case, Azure Storage's Shared Access Signature (SAS) is the best tool to provide limited, authorized access to the necessary blob resources. Remember, SAS allows two levels of access: service-level, which limits access to one type of storage within the Azure storage account, such as Blob, Table, Queue or File storage, and account level, which provides access to all storage types in a single account. The service level also allows you to limit access to specific containers, or even specific blobs, and control the actions that can be performed on the blobs by selecting approved common permission types such as read, write, list, or process.
You cannot provide a user-delegated SAS in this case because you do not know if the accountant has Azure AD credentials, which are required for this type of SAS.
Availability zones are physically separate locations within a region. They are not available in all regions, but in regions where they are available, deploying VM replicas to separate availability zones will ensure your system remains available in the event a data center fails.
Recovery plans can be used to define groups of machines that fail over together and then start up together, model dependencies between machines, and run a failover.
Queries return multiple entities in PartitionKey and RowKey order. To avoid re-sorting entities, choose a RowKey that defines the most common sort order.
For premium storage accounts, the only replication option that is available is LRS. The significance of this is that you need to look for other means of replicating your data to protect against a site outage.
If you want to set up a routing policy so that different endpoints work as an active-passive failover scenario, then you can use the Priority based routing. Here you would define the US endpoint having a priority of 1 and the endpoint in Europe having a priority of 2.
Conditional Access allows you to restrict access to devices and applications based on predefined rules. RBAC only controls user access to resources. MFA deals with authenticating user sign-in, and Azure AD Connect is a tool for Synchronizing On-premises Identity with Azure AD and monitoring.
Identity Protection and Privileged Identity Management require Azure AD Premium P2 Edition. Azure AD Connect Health is an Azure AD Premium P1 feature, while group-based access management and provisioning is a feature enabled at the Basic tier.
Merge is not supported because encryption may have occurred with different keys. Simply merging the new properties will result in data loss.
Inbound Rule Source: 10.0.2.0/24 Source Port: 0-65535 Destination: 10.0.3.4 Destination Port: 0-65535 Protocol: ANY Priority: 4096 Action: Deny
Outbound Rule Source: 10.0.2.0/24 Source Port: 0-65535 Destination: 10.0.3.4 Destination Port: 0-65535 Protocol: ANY Priority: 20 Action: Deny
Inbound Rule Source: 10.0.1.0/16 Source Port: * Destination: 10.0.3.4 Destination Port: * Protocol: ANY Priority: 4096 Action: Deny
Outbound Rule Source: 0.0.0.0/0 Source Port: * Destination: 10.0.3.4 Destination Port: * Protocol: ANY Priority: 20 Action: Deny
The correct NSG rule configuration is:
- Inbound Rule
- Source: 0.0.0.0/0
- Source Port: *
- Destination: 10.0.3.4
- Destination Port: *
- Protocol: ANY
- Priority: 4096
- Action: Deny
Azure Status
Azure Service Health
Azure Resource Health
Azure Policy
Azure Service Health provides a personalized view of the health of the Azure services and regions you're using. This is the best place to look for service impacting communications about outages, planned maintenance activities, and other health advisories because the authenticated Azure Service Health experience knows which services and resources you currently use. The best way to use Service Health is to set up Service Health alerts to notify you via your preferred communication channels when service issues, planned maintenance, or other changes may affect the Azure services and regions you use.
Read-access geo-redundant storage replicates your data to a second geographic location and also provides read access to your data in the secondary location. It allows you to access your data from either the primary or the secondary location in the event that one location becomes unavailable. Read-access geo-redundant storage is the default replication option for your storage account when you create it.
Blob storage supports three types of blobs: block blobs, append blobs, and page blobs. Append blobs are optimized for append operations, in which data updates occur by adding a new block to the end. A log data entry is one such example.
The Activity Log provides insight into the operations that were performed on resources in your subscription using Resource Manager, for example, creating a virtual machine or deleting a logic app. The Activity Log is a subscription-level log. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself, for example, getting a secret from a Key Vault.
Azure Disk Encryption can be used to encrypt the data at rest for Windows and Linux based virtual machines. This service can be used along with Azure Key Vault, which maintains the keys used for encryption purposes.
With role-based access controls (RBAC), the permissions applied at a certain scope apply to all child resources within that scope. This means a subscription owner also has owner permissions for all resource groups and resources within the subscription.
As such, both Guy and Thomas could complete the task required in the question below.
Network security group (NSG) flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through an NSG.
Inbound Rule Source: 10.0.1.6 Source Port: * Destination: 10.0.2.5 Destination Port: 443 Protocol: TCP Priority: 100 Action: Allow
Inbound Rule Source: 10.0.2.5 Source Port: 80 Destination: 172.16.50.35 Destination Port: * Protocol: UDP Priority: 100 Action: Allow
Inbound Rule Source: 10.0.1.6 Source Port: * Destination: 10.0.3.4 Destination Port: 8080 Protocol: TCP Priority 5000 Action: Allow
Inbound Rule Source: 10.0.2.5 Source Port: * Destination: 10.0.3.4 Destination Port: 443 Protocol: HTTPS Priority: 9999 Action: Allow
The correct rule parameters are:
- Inbound Rule
- Source: 10.0.1.6
- Source Port: *
- Destination: 10.0.2.5
- Destination Port: 443
- Protocol: TCP
- Priority: 100
- Action: Allow
Each of these steps is required for a VNet-to-VNet connection via virtual network gateway except enabling "Allow VNet access," which is required for VNet peering configurations.
Notification Hub takes away most of that pain. It lets you broadcast to all platforms with a single interface. It can work both in the cloud or on-premises and includes security features like SAS, shared access secrets, and federated authentication. See the “How To” guide link for more details.
Code and test the functions locally
Testing can be tricky. The first place to go for function testing is of course the Azure portal itself. Functions that use manual or HTTP triggering are good candidates for ad hoc manual testing using the tools in the portal. If you prefer, for HTTP triggered functions you can also use external tools like Postman or Fiddler to send the HTTP request to your function URLs.
Azure Backup relies on a framework that can execute pre- and post-backup scripts, which ensures that the application is consistent during every backup.
If you find yourself in a situation where you need to run a WebJob on a single instance, instead of all instances, you can create a file called settings.job that contains the line you see on your screen.
{ "is_singleton": true }
After adding the line you see on your screen to the settings.job file, save the file to the root folder for the continuous WebJob. What this will do is get your WebJob running as a single instance despite being installed on multiple instances.
Azure Status
Azure Service Health
Azure Resource Health
Azure Security Center
Azure Resource Health helps you diagnose and get support when an Azure service problem affects your resources. It informs you about the current and past health of your resources. And it provides technical support to help you mitigate problems.
The Geographic Traffic Manager routing method allows users to be directed to specific endpoints (Azure, External or Nested) based on the geographic location from which their DNS query originates.
Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Traffic analytics analyzes Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud.
Allow or deny inbound and outbound traffic to or from specific IP addresses
Allow or deny inbound and outbound traffic to or from IP address ranges
Allow or deny inbound traffic to or from specific domain names
Control traffic in and out of an entire virtual network
Network security groups, or NSGs for short, are an Azure firewall technology that implements stateful packet inspection with some simple inbound and outbound rules to deny or allow connections, based on a few properties. These include the source IP address and port, the destination IP address and port, and the protocol, whether it's TCP or UDP. The source IPs and destination IPs can either be individual IPs, or they can be ranges of IPs. You can attach a network security group to a virtual network, or to a network interface card (NIC).
The advantage of using Azure Firewall is that it’s more feature-rich. For example, you can tell it to allow outbound traffic only to certain domain names. NSGs can’t do that. They only allow you to specify IP addresses, not entire domains. An Azure Firewall is centralized, so it works across virtual networks and even across subscriptions.
Low-priority VMs are cheaper, but can be terminated at any time by Azure. They are ideal for this type of use case, but not to support applications that must persist reliably and be highly available.
Use Azure AD Connect's password hash synchronization (PHS).
Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature provides your users a better experience - one less password to remember, and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature validates users' passwords directly against your on-premises Active Directory.
This feature is an alternative to Azure AD Password Hash Synchronization, which provides the same benefit of cloud authentication to organizations. However, certain organizations wanting to enforce their on-premises Active Directory security and password policies, can choose to use Pass-through Authentication instead.
- The OS disk should be basic, and not dynamic. The data disk can be dynamic.
- One can't replicate virtual machines with encrypted disks, or virtual machines with UEFI/EFI boot.
- Storage and network accounts must be in the same region as the vault.
- The host name should be 15 characters or less.
Azure AD Connect Health for sync can generate a report that will help identify the duplicates.
Azure App Service consists of several app types: Web Apps, Mobile Apps, API Apps and Logic Apps. If you need to automate business processes, select the Logic Apps type.
When fraud alerts are enabled in Azure MFA, Azure blocks access to any user accounts involved in any reported fraud alert. Administrators can unblock the account with a specific reason for the unblock request, but cannot unblock multiple accounts programmatically and then prevent accounts from being blocked in the future.
The designated approver role is related to role elevation requests within the scope of the Privileged Identity Management feature of Azure Active Directory, and would have no authorization to unblock accounts in the event of a fraud alert.
Azure Advisor
Azure Cost Management tool
Azure Price Calculator
Azure Resource Tags
Another way to track Azure costs is by using tags. Tags can be applied to Azure resources as a means of grouping them for things like cost tracking. Tags can be applied based on department, project, environment, or any other purpose.
Each tag is a name/value pair where the name defines the type, or category of tag, and the value identifies a specific instance of that type. For example, a tag name could be a department, and values could then be IT and Development.
$Query.SelectColumns = $Columns
$Query.FilterString = $Columns
$Query.FilterTable = $Columns
$Query.SelectColumns = $list
Using the SelectColumns query property is especially useful when dealing with large entities. If you don't require all of the entity data this can be a significant bandwidth savings. The PartitionKey, RowKey, and Timestamp are always returned, regardless of the selected columns.
Application rules
Network rules
Network Security Group rules
Application Security Group rules
Azure Firewall supports rules and rule collections. A rule collection is a set of rules that share the same order and priority. Rule collections are executed in order of their priority. Network rule collections are higher priority than application rule collections, and all rules are terminating.
There are three types of rule collections:
- Application rules: Configure fully qualified domain names (FQDNs) that can be accessed from a subnet.
- Network rules: Configure rules that contain source addresses, protocols, destination ports, and destination addresses.
- NAT rules: Configure DNAT rules to allow incoming connections.
The System Center Data Protection Manager helps in business continuity and disaster recovery. It can store backup data to:
- Disk: For short-term storage, Data Protection Manager backs up data to disk pools.
- Azure: For both short-term and long-term storage off-premises, Data Protection Manager data stored in disk pools can be backed up to the Microsoft Azure cloud using the Azure Backup service.
- Tape: For long-term storage, you can back up data to tape, which can then be stored offsite.
Single Region
Single Region with Availability Zones
Multi-region with a single-write region
Multi-region with multiple write regions
If your Cosmos DB database has a multi-region configuration with a single-write region, and that write region experiences a regional outage, enabling failover to a secondary region to then serve as the primary would minimize the damage. Enabling failover would not be possible in either single region configuration, and would not be necessary in a multi-region configuration with multiple write regions.
Reporting to help remove/reduce security risks
Automated detection of compromised user IDs
Enforce multi-factor authentication policy
Enable "just-in-time" role assignments
Identity Protection allows you to enforce MFA policy, automate detection of potentially compromised user credentials, and create reports to help you identify and remove or mitigate security risks. However, Identity Protection does not include 'just-in-time' role assignments. This is a feature of Privileged Identity Management, a separate service offered through Azure Active Directory.
System-assigned Managed Identity
User-Assigned Managed Identity
A user-assigned managed Identity is a managed identity type that is a standalone resource that can be used with multiple resources, and is independent of any resource lifecycle.
When you clone configuration from another deployment slot, the cloned configuration is editable. Furthermore, some configuration elements will follow the content across a swap (not slot specific) while other configuration elements will stay in the same slot after a swap (slot specific). The following list shows the configuration that will change when you swap slots:
- General settings - such as framework version, 32/64-bit, Web sockets
- App settings (can be configured to stick to a slot)
- Connection strings (can be configured to stick to a slot)
- Handler mappings
- Monitoring and diagnostic settings
- WebJobs content
This service makes it easy to provide APIs that can be used by both internal developers and external partners and customers. It acts as a gateway between clients and your backend microservices. Not only does it provide an easily accessible front-end to your application, but it also handles important management tasks, such as security, monitoring, analytics, and rate limiting.
It’s easy to add an existing API to the API Management service. You only need to supply a few details, such as its name and URL. Then you can secure it and manage it.
Inheritance factor
There are three types of factors used to authenticate a user request via multi-factor authentication (MFA):
- A knowledge factor - something the user knows.
- A possession factor - something the user owns, such as an email address or mobile device.
- An inheritance factor - something that confirms identity via a physical characteristic, such as a fingerprint or other biometric.
The correct order of execution is:
- Assign a resource group and location.
- Configure replication redundancy level.
- Configure the backup policy.
- Assign a backup policy to the VM.
- Manually initiate the first backup.
Table API
Graph API
SQL API
Mongo API
Both Mongo API and SQL API in Cosmos DB allow you to store JSON documents in a non-relational database. SQL API is a bit of a misnomer because it is a non-relational database. It is called SQL API because it allows you to query JSON documents in a SQL-like language.
#2
If you implement the model with virtual network gateways, all VNets must be in the same region. If you implement the model with VNet peering connections, the VNets can be within different regions.
Whether the connections are made with virtual network gateways or VNet peering connections, the VNets can be within different Azure subscriptions and associated with separate Azure AD tenants.
If you implement the model with virtual network gateways, all VNets can be in different regions. If you implement the model with VNet peering connections, the VNets must be within the same region.
If you implement the model with virtual network gateways, the VNets can be within different Azure subscriptions that are associated with the same Azure tenant. If you implement the VNets with VNet peering connections, the VNets can be within different Azure subscriptions and associated with separate Azure AD tenants.
You could accomplish this network topology using VNet peering or virtual network gateways (VNG), but each option has its requirements and limitations.
- Connecting via VNet peering would require a router to be deployed in the central hub VNet, but this is not required for VNG connections.
- VNet peering works both across separate tenants and subscriptions.
- Hostname resolution is not possible for VMs connecting from different VNets through a peering connection. Azure DNS is required for these VMs to connect. However, name resolution is possible through a VNG connection.
- This type of network topology cannot span regions. All VNets must be in the same region.
Encrypt the columns using a symmetric encryption key
Use row-level security (RLS)
Use dynamic data masking (DDM)
Use transparent data encryption
The Azure SQL Database option to obfuscate data is to use dynamic data masking (DDM). Symmetric encryption would not obfuscate the data for only some users; it would encrypt it for all. Row-level security determines which rows are shown, not which columns. Always Encrypted would encrypt the data throughout the system, and transparent data encryption (TDE) would encrypt data at rest but would deliver it in plain text to the end user.
The types of failover that are supported depend on your deployment scenario. For physical server to Azure:
- Test failover: unsupported.
- Planned failover: this scenario uses continuous replication, so there is no distinction between planned and unplanned failover; you simply select Failover.
- Unplanned failover: not applicable (see above).
Limiting access to a specific IP address or address range
Specifying when access via SAS token starts and ends
Limiting access to specific Azure storage containers or objects
Modifying existing SAS token permissions
Shared access signatures allow you to:
- Define the scope of access: account level (one token spanning several Azure Storage services such as Queue, Blob, Table, and File) or service level (limited to one service, and optionally to a single container or blob)
- Define allowed actions (read, write, and delete, for example)
- Specify start and expiration times
- Specify an approved IP address or address range that may use the URI
- Set approved protocols: HTTPS only, or HTTP and HTTPS
Stored access policies allow you to:
- Be set at the container level (or on a table, queue, or file share)
- Modify the start and expiration time after the SAS is issued
- Revoke a SAS after it is issued by deleting or modifying the policy (an ad hoc SAS can only be revoked by rotating the account key it was signed with)
- Modify existing SAS permissions
Identity Protection and Privileged Identity Management require Azure AD Premium P2. Azure AD Connect Health is an Azure AD Premium P1 feature, while group-based access management and provisioning is enabled at the Basic tier.
Conditional Access lets you restrict access to applications based on predefined conditions such as device state, location, and sign-in risk. RBAC only controls user access to Azure resources. MFA deals with authenticating the user's sign-in, and Azure AD Connect is the tool for synchronizing on-premises identities with Azure AD (with Azure AD Connect Health for monitoring).
Inbound Rule Source: 10.0.2.0/24 Source Port: 0-65535 Destination: 10.0.3.4 Destination Port: 0-65535 Protocol: ANY Priority: 4096 Action: Deny
Outbound Rule Source: 10.0.2.0/24 Source Port: 0-65535 Destination: 10.0.3.4 Destination Port: 0-65535 Protocol: ANY Priority: 20 Action: Deny
Inbound Rule Source: 10.0.1.0/16 Source Port: * Destination: 10.0.3.4 Destination Port: * Protocol: ANY Priority: 4096 Action: Deny
Outbound Rule Source: 0.0.0.0/0 Source Port: * Destination: 10.0.3.4 Destination Port: * Protocol: ANY Priority: 20 Action: Deny
The correct NSG rule configuration is the following. Priority 4096 is the lowest custom priority, so this deny is evaluated after any explicit allow rules you add to the NSG but before the default AllowVnetInBound rule (priority 65000), which would otherwise permit traffic from the rest of the virtual network to reach 10.0.3.4:
- Inbound Rule
- Source: 0.0.0.0/0
- Source Port: *
- Destination: 10.0.3.4
- Destination Port: *
- Protocol: ANY
- Priority: 4096
- Action: Deny
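To see how that rule interacts with higher-priority allow rules and with the default rules, here is an added example, not code from the original page or from Azure, that evaluates constructed NSG rules the way Azure does: rules are tried in ascending priority order and the first match decides. The VNet address space 10.0.0.0/16, the rule names and the sample traffic are assumptions; service tags are reduced to the three the default rules use, and stateful connection tracking is not modelled.

```python
# Added example (not from the original page): first-match evaluator that mirrors how
# Azure applies NSG rules (ascending priority, first hit wins, then the default rules).
# The VNet address space, rule names and sample traffic are constructed for the demo.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")                    # assumed VNet address space
AZURE_LB = ip_network("168.63.129.16/32")           # Azure load balancer / health probe source
TAGS = {"VirtualNetwork": [VNET], "AzureLoadBalancer": [AZURE_LB],
        "Internet": [ip_network("0.0.0.0/0")], "*": [ip_network("0.0.0.0/0")]}  # simplified tags


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # custom rules 100-4096; default rules 65000-65500
    direction: str       # "Inbound" or "Outbound"
    source: str          # CIDR, single address, service tag or "*"
    dest: str
    dest_port: str       # "*", "443" or "1024-65535"
    protocol: str        # "Any", "Tcp" or "Udp"
    action: str          # "Allow" or "Deny"


DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "VirtualNetwork", "VirtualNetwork", "*", "Any", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "AzureLoadBalancer", "*", "*", "Any", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "Any", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "VirtualNetwork", "VirtualNetwork", "*", "Any", "Allow"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "*", "Internet", "*", "Any", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", "*", "*", "*", "Any", "Deny"),
]


def _networks(spec):
    # strict parsing: "10.0.1.0/16" raises ValueError because it has host bits set
    return TAGS[spec] if spec in TAGS else [ip_network(spec)]


def prefix_is_valid(spec):
    try:
        _networks(spec)
        return True
    except ValueError:
        return False


def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def validate_rule(rule):
    if not 100 <= rule.priority <= 4096:
        raise ValueError("custom NSG rule priority must be between 100 and 4096")
    _networks(rule.source)
    _networks(rule.dest)
    return rule


def evaluate(custom_rules, direction, src, dst, dst_port, protocol):
    """Return (action, rule name) of the first matching rule in ascending priority order."""
    for r in sorted(list(custom_rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != direction or (r.protocol != "Any" and r.protocol != protocol):
            continue
        if any(ip_address(src) in n for n in _networks(r.source)) and \
           any(ip_address(dst) in n for n in _networks(r.dest)) and _port_match(r.dest_port, dst_port):
            return r.action, r.name
    raise RuntimeError("the default rules always match")


def demo():
    deny_all_to_host = validate_rule(Rule("DenyAllTo10.0.3.4", 4096, "Inbound", "0.0.0.0/0", "10.0.3.4", "*", "Any", "Deny"))
    allow_https = validate_rule(Rule("AllowHttpsFromApp", 100, "Inbound", "10.0.2.0/24", "10.0.3.4", "443", "Tcp", "Allow"))
    subnet_only_deny = validate_rule(Rule("DenyFrom10.0.2", 4096, "Inbound", "10.0.2.0/24", "10.0.3.4", "*", "Any", "Deny"))
    return {
        # with no custom rules, the default AllowVnetInBound lets any VNet peer reach the host
        "no_custom_rules": evaluate([], "Inbound", "10.0.1.7", "10.0.3.4", 22, "Tcp"),
        "deny_all_blocks_vnet_peer": evaluate([deny_all_to_host], "Inbound", "10.0.1.7", "10.0.3.4", 22, "Tcp"),
        # a higher-priority (lower number) allow is matched before the 4096 deny
        "explicit_allow_wins": evaluate([deny_all_to_host, allow_https], "Inbound", "10.0.2.9", "10.0.3.4", 443, "Tcp"),
        "explicit_allow_udp_blocked": evaluate([deny_all_to_host, allow_https], "Inbound", "10.0.2.9", "10.0.3.4", 443, "Udp"),
        # a deny scoped to 10.0.2.0/24 leaves other subnets able to reach the host
        "subnet_deny_misses_other_subnet": evaluate([subnet_only_deny], "Inbound", "10.0.1.7", "10.0.3.4", 22, "Tcp"),
        "other_host_unaffected": evaluate([deny_all_to_host], "Inbound", "10.0.1.7", "10.0.3.5", 22, "Tcp"),
    }
```

Two of the distractor options above fail for reasons the evaluator makes visible: a deny whose source is only 10.0.2.0/24 never sees traffic from 10.0.1.x, and a prefix such as 10.0.1.0/16 is not a valid network at all because it has host bits set, so `prefix_is_valid("10.0.1.0/16")` is False.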
For premium storage accounts the only replication option available is LRS (locally redundant storage). The significance of this is that LRS keeps every copy of your data within a single data center, so you need another means of replicating the data (Azure Backup or Azure Site Recovery, for example) to protect against a site outage.
/26
/24
/28
/22
Azure Firewall must provision more virtual machine instances as it scales, and it has to be deployed in a dedicated subnet named AzureFirewallSubnet. A /26 address space (64 addresses) ensures that the firewall has enough IP addresses available to accommodate the scaling.
Blob storage has three types of blobs: block blobs, append blobs, and page blobs. Block blobs are optimized for uploading and storing cloud objects such as documents, media files, and backups; append blobs are optimized for append operations such as logging; page blobs are optimized for random read and write access, which is why VM disks (VHDs) use them.
Active-passive with a hot standby
Active-passive with a cold standby
When it comes to multi-region deployments, there are different options for how you might configure things depending on your availability requirements and your budget.
If you need an extremely high level of availability, then you can use an active/passive model with hot standby. With this approach, you have another version of your solution running in a second region, and it doesn't serve up any traffic unless there's a failure in the primary region.
A variation on that is the active/active model with geo-location based request routing. This is similar to the previous option, but the solution that's running in the second region is actively serving up requests to the users who are closer to that region than the primary.
Then there's the active/passive model with cold standby, which means that there's not a solution running in a second region. Instead, it's dynamically created when the first region is unavailable. This is a great option if you want to balance the cost versus the SLA. The switchover is not going to be immediate, but with a well-defined automation plan, this is a viable option.
Tags can be used in templates to differentiate resources. For example, you can add a tag with a name of “Environment.” You can then assign values of “Production” to production-based instances and “Development” to development-based instances
Azure Status
Azure Service Health
Azure Resource Health
Azure Monitor
Azure Status is a global view of the health of all Azure services across all Azure regions. The status page is a good reference for incidents with widespread impact, but we strongly recommend that current Azure users leverage Azure Service Health to stay informed about Azure incidents and maintenance.
Provide the accountant with read-only access to the specific Azure Blob and File storage services with a service-level shared access signature token. Allow all read requests but limit write requests to LIST and GET. Specify the HTTPS protocol is required to accept requests.
Assign the accountant a guest role in Azure Active Directory with read-only access to the specific Azure Blob and File services in the Azure Storage account.
Assign the accountant a contributor role access to the entire storage account using Azure AD role-based access control (RBAC).
Provide the accountant with read-only access to the specific Azure Blob and File storage services with an account-level shared access signature token. Allow all read requests but limit write requests to LIST and GET. Specify the HTTPS protocol is required to accept requests.
In this case, an account-level SAS is required because the accountant needs access to two different services (Blob and Files) in the same storage account, and a service-level SAS is scoped to a single service. You do not have the information needed to give the accountant an Azure AD guest account or an RBAC role (and Contributor on the whole account would grant far more than read access), but an account SAS lets you require HTTPS and restrict the permitted operations and the validity period.
Enable Azure AD Identity Protection. Configure an Azure MFA registration policy requiring all users to register and enable MFA. Configure all office IP addresses as trusted IP addresses that can skip MFA.
With Azure Active Directory Identity Protection, you can set up an MFA registration policy that enforces registration for all directory users. You can also add the office IP address ranges as trusted IPs in the MFA service settings so that sign-ins from those ranges skip MFA; because the list is static, an administrator has to update it whenever the office IP addresses change.
The master target server is installed on-premises and handles replication data during failback from Azure. The configuration server (the management server you set up on-premises) includes a master target server by default; depending on the volume of failed-back traffic, you might need to create a separate master target server for failback.
The Trusted IP address feature only works when users sign in through an organization's company intranet. Users that sign in via the internet cannot bypass MFA through the Trusted IP address feature.
Azure Functions provides two pricing plans: App Service plan and Consumption plan. The Azure Functions consumption plan is billed based on resource consumption and executions. The Consumption plan is good if compute needs are intermittent or your job times tend to be very short as it allows you to only pay for compute resources when they are actually in use.
Geo-Restore allows you to restore a SQL database on any server in any Azure region from the most recent geo-replicated automated daily backup. Point-In-Time restore allows you to restore an existing database as a new database to an earlier point in time on the same logical server using SQL Database automated backups.
One storage account for each virtual machine in a scale set.
One storage account for every two virtual machines in a scale set.
Two storage accounts for every virtual machine in a scale set.
Two storage accounts for every three virtual machines in a scale set.
If at all possible, Microsoft would like to see a one-to-one ratio, with a storage account for each virtual machine created in a scale set. If this is not possible, Microsoft recommends no more than 20 VMs per storage account. This guidance applies only to scale sets that use unmanaged disks; with managed disks, Azure handles the underlying storage for you and the per-account limits no longer apply.
A recovery service vault with Azure Backup
A vault with Azure Key Vault
An alarm in Azure Monitor
A resource policy with Azure Policy
If you use snapshots on blobs, monitor the snapshots and delete those which are outdated or no longer needed. An even better way to avoid the costs associated with snapshots is to implement a comprehensive backup solution by deploying a Recovery Services vault with Azure Backup.
There are five categories of Azure VM Scale Set implementations. Memory optimized VM scale sets work well for implementations requiring high memory to core ratios such as those utilizing relational database servers, medium to large caches, and in-memory analytics.
Logic Apps provide a way to simplify and implement scalable integrations and workflows in the cloud. It provides a visual designer to model and automate your process as a series of steps known as a workflow. There are many connectors across the cloud and on-premises to quickly integrate across services and protocols. A logic app begins with a trigger (like 'When an account is added to Dynamics CRM') and after firing can begin many combinations of actions, conversions, and condition logic.
First and foremost, scale-out operations always have priority over scale-in operations. Anytime that multiple scale-out operations conflict with one another, the rule that takes precedence will be the one that initiates the largest increase in the number of instances. When it comes to scale-in conflicts, the rule that initiates the smallest decrease in the number of instances will take precedence.
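The precedence order above, applied in code as an added example (not code from the original page or from the Azure autoscale engine): each rule that fired is turned into a signed instance delta, scale-out wins over scale-in, and ties are broken by the largest increase or the smallest decrease. The rule names, the rounding used for percentage changes, and the minimum/maximum instance bounds are assumptions for the demo.

```python
# Added example (not from the original page): resolves conflicting autoscale rules in
# the order the text describes.  Rule names, bounds and rounding are constructed.
from math import ceil


def rule_delta(current, operation, value):
    """Translate an autoscale rule action into a signed change in instance count."""
    if operation == "IncreaseCount":
        return value
    if operation == "DecreaseCount":
        return -value
    if operation == "IncreasePercent":      # rounding up is an assumption for the demo
        return ceil(current * value / 100)
    if operation == "DecreasePercent":
        return -ceil(current * value / 100)
    if operation == "IncreaseCountTo":      # "scale to N" becomes a delta relative to now
        return max(0, value - current)
    if operation == "DecreaseCountTo":
        return min(0, value - current)
    raise ValueError(f"unknown operation {operation!r}")


def resolve(current, fired, minimum, maximum):
    """fired: list of (rule_name, operation, value) for rules whose condition is true.
    Scale-out beats scale-in; among scale-outs the largest increase wins; among
    scale-ins the smallest decrease wins.  Returns (new_count, winning_rule)."""
    deltas = [(name, rule_delta(current, op, v)) for name, op, v in fired]
    outs = [d for d in deltas if d[1] > 0]
    ins = [d for d in deltas if d[1] < 0]
    if outs:
        name, delta = max(outs, key=lambda d: d[1])
    elif ins:
        name, delta = max(ins, key=lambda d: d[1])   # -1 beats -3: closest to zero
    else:
        return current, None
    # the profile's instance limits always cap the result
    return min(maximum, max(minimum, current + delta)), name
```

With four instances running, a rule that adds 5 beats one that adds 2 even though a third rule wants to remove 1; with only scale-in rules firing, the smaller reduction is taken.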
Network Performance Monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute.
Availability zones are physically separate locations within a region. They are not available in all regions, but in regions where they are available, deploying VM replicas to separate zones ensures that your system remains available if a single data center fails.
The App Service plan provides dedicated VM resources on which your function app will reside and execute. This plan works well for function apps that will execute continuously or at least very frequently, and/or in situations where you have existing, under-utilized App Service VMs on which you could deploy a new function app.
Due to the fact that this client desires the highest level of availability, it is clear they need multi-regional deployment and not multi-zone. Then there is the issue of the customers on distant parts of the globe, which raises the issue of latency. The two best options in terms of minimal downtime are active/active and active/passive with hot standby, and since the client needs to serve two distinct locations, minimizing service latency is the reason to choose active/active with geo-location based request routing.
If you want to set up a routing policy so that different endpoints work as an active-passive failover scenario, then you can use the Priority based routing. Here you would define the US endpoint having a priority of 1 and the endpoint in Europe having a priority of 2.
Table Storage stores structured datasets. Table storage is a NoSQL key-attribute data store, which allows for rapid development and fast access to large quantities of data.
When creating a custom route for a route table, there are three main values to consider. The first is the destination CIDR block for the traffic, which all custom routes require. The second is the next hop type, which tells Azure where to send the traffic on its way to that destination. The third, the next hop IP address, is required only when the next hop type is a virtual appliance. The available next hop types are:
- Virtual network
- Virtual network gateway
- Internet
- Virtual appliance (the next hop IP address points at the appliance)
- None (traffic to the destination is dropped)
Provide the accountant with read-only access to the specific Azure Blob container with a service-level shared access signature token to expire at the end of the business day. Specify the HTTPS protocol is required to accept requests.
Assign the accountant a guest role in Azure Active Directory with read-only access to the specific Azure Blob storage service in the Azure Storage account.
Provide the accountant with read-only access to the specific Azure Blob container with a user-delegation shared access signature token to expire at the end of the business day. Allow all read requests but limit write requests to LIST and GET. Specify the HTTPS protocol is required to accept requests.
In this case, Azure Storage's shared access signature (SAS) is the best tool to provide limited, authorized access to the necessary blob resources. Remember, SAS supports two scopes: a service-level SAS, which limits access to one service within the storage account (Blob, Table, Queue, or File) and can be narrowed further to a specific container or even a specific blob, with the permitted actions chosen from permission types such as read, write, list, delete, or process; and an account-level SAS, which can span all services in a single account.
You cannot use a user delegation SAS in this case because it is signed with Azure AD credentials rather than the account key, and you do not know whether the accountant has an Azure AD identity in your tenant.
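The SAS mechanics discussed on this page (scope, permissions, expiry, IP range, required protocol, and the difference between an ad hoc SAS and one bound to a stored access policy that can be modified or revoked after issue) can be seen in the following offline simulation. This is an added example, not code from the original page or from Microsoft: it builds a blob-container service SAS using the documented 2018-11-09 string-to-sign layout, signs it with a constructed account key, and then checks requests the way the storage service would. The account name contosodemo, the container invoices, the policy name accountant-ro, the client addresses and the validate_request helper are all assumptions for the demo; real tokens must be minted with the SDK or Azure CLI against a real key.

```python
# Added example (not from the original page): offline simulation of an Azure Storage
# service SAS for a blob container, signed with and without a stored access policy.
# String-to-sign follows the documented 2018-11-09 layout; account, container, keys,
# policy store and the validator are constructed for the demo.
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2018-11-09"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed 64-byte keys, base64 encoded like real account keys (never embed a real one).
DEMO_KEY = base64.b64encode(bytes(range(64))).decode()
ROTATED_KEY = base64.b64encode(bytes(range(64, 128))).decode()


def _string_to_sign(account, container, p):
    """Service SAS string-to-sign for the blob service, version 2018-11-09."""
    fields = [p.get("sp", ""), p.get("st", ""), p.get("se", ""),
              f"/blob/{account}/{container}",          # canonicalized resource
              p.get("si", ""), p.get("sip", ""), p.get("spr", ""), SAS_VERSION,
              p.get("sr", ""), ""]                     # signedResource, snapshot time
    return "\n".join(fields + [""] * 5)                 # rscc, rscd, rsce, rscl, rsct


def _sign(key_b64, text):
    mac = hmac.new(base64.b64decode(key_b64), text.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_service_sas(account, container, key_b64, *, permissions=None, expiry=None,
                     policy_id=None, ip_range=None, https_only=True):
    """An ad hoc SAS carries sp/se in the token; a policy-bound SAS carries only si."""
    params = {"sv": SAS_VERSION, "sr": "c"}
    if policy_id:
        params["si"] = policy_id
    else:
        params["sp"], params["se"] = permissions, expiry.strftime(TIME_FMT)
    if ip_range:
        params["sip"] = ip_range
    if https_only:
        params["spr"] = "https"
    params["sig"] = _sign(key_b64, _string_to_sign(account, container, params))
    return urlencode(params)


def _ip_allowed(sip, client_ip):
    if not sip:
        return True
    lo, _, hi = sip.partition("-")
    return ip_address(lo) <= ip_address(client_ip) <= ip_address(hi or lo)


def validate_request(account, container, key_b64, policies, sas, *,
                     action, now, client_ip, scheme):
    """Simulated server-side check of one request; returns (allowed, reason)."""
    p = {k: v[0] for k, v in parse_qs(sas).items()}
    if not hmac.compare_digest(_sign(key_b64, _string_to_sign(account, container, p)), p.get("sig", "")):
        return False, "bad signature"            # tampered token or rotated key
    if "si" in p:                                # policy-bound: consult the live policy
        pol = policies.get(p["si"])
        if pol is None:
            return False, "policy revoked"
        perms, expiry = pol["permissions"], pol["expiry"]
    else:                                        # ad hoc: fields are baked into the token
        perms = p["sp"]
        expiry = datetime.strptime(p["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if now >= expiry:
        return False, "expired"
    if p.get("spr") == "https" and scheme != "https":
        return False, "https required"
    if not _ip_allowed(p.get("sip"), client_ip):
        return False, "ip not allowed"
    if action not in perms:
        return False, f"permission {action!r} not granted"
    return True, "ok"


def demo():
    acct, cont = "contosodemo", "invoices"      # constructed names
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    eod = now + timedelta(hours=8)
    policies = {"accountant-ro": {"permissions": "rl", "expiry": eod}}
    adhoc = make_service_sas(acct, cont, DEMO_KEY, permissions="rl", expiry=eod,
                             ip_range="203.0.113.10")
    bound = make_service_sas(acct, cont, DEMO_KEY, policy_id="accountant-ro")

    def check(sas, key=DEMO_KEY, **kw):
        args = dict(action="r", now=now, client_ip="203.0.113.10", scheme="https")
        args.update(kw)
        return validate_request(acct, cont, key, policies, sas, **args)[0]

    out = {
        "adhoc_read": check(adhoc),
        "adhoc_write": check(adhoc, action="w"),
        "adhoc_http": check(adhoc, scheme="http"),
        "adhoc_other_ip": check(adhoc, client_ip="198.51.100.7"),
        "adhoc_tampered": check(adhoc.replace("sp=rl", "sp=rlwd")),
        "adhoc_key_rotated": check(adhoc, key=ROTATED_KEY),
        "bound_read": check(bound),
    }
    del policies["accountant-ro"]               # revoke server-side: no token reissue needed
    out["bound_after_revoke"] = check(bound)
    out["adhoc_after_revoke"] = check(adhoc)    # unaffected until expiry or key rotation
    out["adhoc_after_expiry"] = check(adhoc, now=eod)
    return out
```

Deleting the stored access policy invalidates the policy-bound token immediately, while the ad hoc token stays valid until it expires or the account key it was signed with is rotated; that is why a stored access policy is the answer whenever the requirement is to modify or revoke a SAS after it has been issued.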
Single Region
Single Region with Availability Zones
Multi-region with a single-write region
Multi-region with multiple write regions
If your Cosmos DB database has a multi-region configuration with a single-write region, and that write region experiences a regional outage, enabling failover to a secondary region to then serve as the primary would minimize the damage. Enabling failover would not be possible in either single region configuration, and would not be necessary in a multi-region configuration with multiple write regions.
Azure Backup Agent is not application aware, meaning it stores no information related to the connected service's status or performance.
Application rules
Network rules
Application Security Group rules
Network Security Group Rules
Azure Firewall supports rules and rule collections. A rule collection is a set of rules that share the same order and priority. Rule collections are processed in order of their priority, and the first matching rule is applied; all rules are terminating. NAT rule collections are processed first, then network rule collections, and then application rule collections.
There are three types of rule collections:
- Application rules: configure fully qualified domain names (FQDNs) that can be accessed from a subnet over HTTP, HTTPS, or MSSQL.
- Network rules: configure rules that contain source addresses, protocols, destination ports, and destination addresses.
- NAT rules: configure DNAT rules that translate a firewall public IP address and port to a private address, to allow incoming connections.