Graduate Program KB

Cloud Concepts

Cloud Computing: Delivering computing services over the internet.

Shared Responsibility Model

Responsibility of the Provider: Physical security, power, cooling, physical network, physical host and network connectivity.
Responsibility of the Consumer: Data and information stored in the cloud, devices that are allowed to connect to the cloud, and the identities and accounts that are in your organisation.

  • Identity and directory infrastructure, applications, network controls, and the operating system all vary in who has responsibility depending on the cloud service type (IaaS, PaaS or SaaS).

Cloud Models

  • Private Cloud: Org has complete control over resources and security. Data is not collocated with other organisations' data. Hardware must be purchased for startup and maintenance. Organisations are responsible for hardware maintenance and updates.
  • Public Cloud: No capital expense to scale up. Applications can be quickly provisioned and deprovisioned. Organisations pay only for what they use. Organisations don't have complete control over resources and security.
  • Hybrid Cloud: Provides the most flexibility. Organisations determine where to run their applications. Organisations control security, compliance, or legal requirements.
  • Multi-cloud: Use multiple public cloud providers, or you may be migrating from one service provider to another. Either way, you deal with more than one cloud provider.
  • Azure Arc: A set of technologies that helps you manage your cloud environment, regardless of the model.
  • Azure VMware Solution: Lets you run your VMware workloads in Azure with seamless integration and scalability.

High Availability

  • Focuses on the resources being available whenever needed.
  • Ensuring maximum availability regardless of disruptions or events that may occur.

Scalability

  • The ability to adjust resources to meet demand.
  • Allows you to add and remove resources as traffic changes.
  • Can benefit majorly in terms of cost savings.
  • Vertical Scaling: Changing the capabilities of a resource.
  • Horizontal Scaling: Changing the number of resources.

Reliability

  • Ability for a system to recover from failures and continue to function.
  • The cloud, by the nature of its decentralised design, supports a reliable and resilient infrastructure.
  • You can design applications to shift to different regions on failure.

Predictability

  • Can focus on performance predictability or cost predictability.
  • Either way it lets you move forward with confidence.
  • Performance: focuses on predicting the resources needed to deliver a positive customer experience (auto scaling, load balancing, high availability, etc.).
  • Cost: focuses on forecasting the cost of the cloud spend (tracking resources in real time, monitoring resources to ensure efficiency).

Manageability

  • Management of the cloud: managing your resources in the cloud (scaling resources, deploying based off a template or config, monitoring and acting on the health of resources, and receiving alerts based on configured metrics).
  • Management in the cloud: how you're able to manage your cloud environment and resources (through a web portal, the CLI, APIs, or PowerShell).

IaaS

  • Most flexible cloud computing service.
  • The cloud provider is responsible for maintaining hardware, physical security, and connection to the internet. That's it.
  • Scenarios: Lift-and-shift migration, and testing and development.

PaaS

  • A middle ground between renting space in a data center (IaaS) and paying for a complete and deployed solution (SaaS).
  • The cloud provider maintains the physical infrastructure, physical security, connection to the internet, operating systems, middleware, development tools, and business intelligence services.
  • You don't have to worry about licensing or patching for operating systems and databases.
  • It is well suited to provide a complete development environment without the headache of maintaining all the development infrastructure.
  • Scenarios: Development framework, analytics or business intelligence.

SaaS

  • Is the most complete cloud service model from a product perspective.
  • You are essentially using a fully developed application.
  • It is less flexible but easier to get up and running.
  • Scenarios: Email, messaging, business productivity apps, or finance and expense tracking.

Management and Governance

Factors that Affect Cost

Impacting factors that influence operational costs:

  • Resource type.
  • Consumption.
  • Maintenance.
  • Geography.
  • Subscription type.
  • Azure Marketplace.

Cost Management

Calculators
  • Pricing Calculator: Gives an estimated cost for provisioning resources in Azure (prices are only estimates).
    • You can estimate the cost of any provisioned resources like compute, storage, and associated network costs.
  • TCO Calculator: Used to compare the cost of running your on-premises infrastructure to running it on the cloud.
Cost Analysis
  • Allows us to view total cost in the cloud by billing cycle, region, resource, and more.
  • You can view aggregate costs by organisation to understand where costs are coming from.
  • You can also view accumulated costs over time to estimate monthly, quarterly, and yearly cost trends against a budget.
Cost Alerts
  • Budget Alerts: Notify you when spending, based on usage or cost, reaches or exceeds the amount defined in the alert condition of the budget. (Budgets can be created using the Azure portal or Azure Consumption API.)
  • Credit Alerts: Notify you when your Azure credit monetary commitments are consumed. Monetary commitments are for organisations with Enterprise Agreements (EAs). Credit alerts are generated at 90% and 100% of your Azure credit balance.
  • Department spending quota alerts: Notify you when department spending reaches a fixed threshold of the quota. Spending quotas are configured in the EA portal.
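As an added example (not from the original notes), here is the budget alert described above written as a Bicep file deployed at subscription scope with `az deployment sub create --location <region> --template-file budget.bicep`. The budget name, amount, start date and contact address are assumed placeholder values.

```bicep
// Added example, not from the original notes: a monthly cost budget with
// two alert thresholds, deployed at subscription scope.
targetScope = 'subscription'

@description('Monthly spend cap in the billing currency (assumed value)')
param monthlyAmount int = 500

@description('First day of the budget period; must be the 1st of a month (assumed value)')
param startDate string = '2025-01-01'

@description('Recipients of the alerts (assumed placeholder address)')
param contactEmails array = [
  'cloud-costs@example.com'
]

resource monthlyBudget 'Microsoft.Consumption/budgets@2021-10-01' = {
  name: 'budget-monthly-subscription'
  properties: {
    category: 'Cost'          // a 'Usage' budget would track consumption quantity instead
    amount: monthlyAmount
    timeGrain: 'Monthly'
    timePeriod: {
      startDate: startDate    // no endDate: Azure defaults the budget to run for 10 years
    }
    notifications: {
      // Fires once actual spend reaches 80% of the amount.
      actual80: {
        enabled: true
        operator: 'GreaterThanOrEqualTo'
        threshold: 80
        thresholdType: 'Actual'
        contactEmails: contactEmails
      }
      // Fires early, as soon as Azure forecasts that the full amount will be exceeded.
      forecast100: {
        enabled: true
        operator: 'GreaterThanOrEqualTo'
        threshold: 100
        thresholdType: 'Forecasted'
        contactEmails: contactEmails
      }
    }
  }
}
```

The forecasted threshold is the more useful one operationally: it warns while there is still time to scale resources down, whereas the actual threshold only confirms that money has already been spent.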

Tags

  • Are a way to organise resources and provide metadata about them.
  • This metadata can be useful for resource management, cost management, operations management, security, compliance, and workload optimisations.
  • You can manage tags through PowerShell, Azure CLI, Azure Resource Manager Templates, the REST API, or the Azure portal (aka the console... gross).
  • We can enforce tagging rules via Azure Policy.

Governance

Microsoft Purview
  • Is a family of data governance, risk, and compliance solutions that help you get a view into your data.
  • Provides automated data discovery, sensitive data classification, and end-to-end data lineage.
  • The two main areas that this is targeted at are Risk and Compliance, and Unified Data Governance.
  • Purview's unified data governance helps organisations:
    • Create an up-to-date map of your entire data estate that includes data classification and end-to-end lineage.
    • Identify where sensitive data is stored in your estate.
    • Create a secure environment for data consumers to find valuable data.
    • Generate insights about how your data is stored and used.
    • Manage access to the data in your estate securely and at scale.
Azure Policy
  • A service that enables you to create, assign, and manage policies that control or audit your resources.
  • Enables you to define individual policies and groups of related policies called initiatives.
  • Will highlight policies that aren't compliant and can also prevent noncompliant resources from being created.
  • If you set a policy at a high level, all of that parent's children will inherit the policy.
  • Initiatives: A way of grouping related policies together.
Resource Locks
  • Prevent resources from being accidentally deleted or changed.
  • They can be applied to individual resources, resource groups, or entire subscriptions.
  • They are inherited.
  • There are 2 types: Delete, which prevents deletion, and ReadOnly, which prevents both deletion and change.
  • To view and manage locks in the portal, look in the "locks" section under any resource's settings.
  • You can still perform the locked activity; it just takes 2 steps: remove the lock, then perform the action.
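The tagging rule mentioned under Tags and the definition, initiative and assignment concepts above, as an added example that is not part of the original notes: a Bicep file, deployed at subscription scope with `az deployment sub create --location <region> --template-file governance.bicep`, that denies creation of any taggable resource missing a required tag. The tag name and all resource names are assumed.

```bicep
// Added example, not from the original notes: a custom policy definition that
// denies resources missing a required tag, grouped into an initiative and
// assigned to the subscription so every resource group and resource inherits it.
targetScope = 'subscription'

@description('Tag that every taggable resource must carry (assumed name)')
param requiredTagName string = 'owner'

// Definition: the rule itself. Mode 'Indexed' evaluates only resource types
// that support tags and location, so untaggable resources are not denied.
resource requireTag 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {
  name: 'require-tag-on-resources'
  properties: {
    policyType: 'Custom'
    mode: 'Indexed'
    displayName: 'Require a tag on resources'
    description: 'Denies creation or update of a resource that lacks the specified tag.'
    parameters: {
      tagName: {
        type: 'String'
        metadata: {
          displayName: 'Tag name'
        }
      }
    }
    policyRule: {
      if: {
        // Policy-language expression, stored literally: tags['<tagName>'] is absent on the request.
        field: '[concat(\'tags[\', parameters(\'tagName\'), \']\')]'
        exists: 'false'
      }
      then: {
        effect: 'deny'   // 'audit' would only flag non-compliance instead of blocking
      }
    }
  }
}

// Initiative: a group of related definitions that is assigned as one unit.
resource baselineInitiative 'Microsoft.Authorization/policySetDefinitions@2023-04-01' = {
  name: 'baseline-governance'
  properties: {
    policyType: 'Custom'
    displayName: 'Baseline governance'
    parameters: {
      tagName: {
        type: 'String'
      }
    }
    policyDefinitions: [
      {
        policyDefinitionId: requireTag.id
        policyDefinitionReferenceId: 'requireTag'
        parameters: {
          tagName: {
            value: '[parameters(\'tagName\')]'   // pass the initiative parameter through
          }
        }
      }
    ]
  }
}

// Assignment: binds the initiative to this subscription (the scope of the deployment).
resource baselineAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'baseline-governance'
  properties: {
    displayName: 'Baseline governance (subscription)'
    policyDefinitionId: baselineInitiative.id
    enforcementMode: 'Default'   // 'DoNotEnforce' reports compliance without denying anything
    parameters: {
      tagName: {
        value: requiredTagName
      }
    }
  }
}
```

Bicep escapes string literals that begin with `[` so that Resource Manager stores them verbatim instead of evaluating them at deployment time; that is what keeps the `concat(...)` expression intact for the policy engine. Roll a new deny rule out with `enforcementMode: 'DoNotEnforce'` first and review the compliance report before switching to `Default`, since a deny effect also blocks updates to existing non-compliant resources.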

Azure Arc

  • Used for managing multi-cloud setups.
  • It provides a centralised way to:
    • Manage entire environments together by projecting existing non-Azure resources into ARM.
    • Manage multi-cloud and hybrid VMs, Kubernetes clusters, and databases as if they were running in Azure.
    • Use Azure services and management tools regardless of where they live.
    • Continue using ITOps while introducing DevOps practices to support new cloud and native patterns in your environment.
    • Configure custom locations as an abstraction layer on top of Azure Arc-enabled Kubernetes clusters and cluster extensions.
  • Currently Azure Arc is capable of managing the following outside of Azure:
    • Servers.
    • Kubernetes clusters.
    • Azure data services.
    • SQL Server.
    • VMs.

Azure Resource Manager

  • Enables you to create, update and delete resources.
  • ARM receives any request to do with resources.
  • It authenticates and authorises the request, then sends it to the appropriate service.
  • With this service you can:
    • Manage infrastructure through JSON templates rather than scripts.
    • Deploy, manage, and monitor all the resources for your solution as a group.
    • Re-deploy your solution throughout the development life cycle with confidence that your resources will be consistent.
    • Define dependencies between resources.
    • Apply access control to all services because RBAC is natively integrated into the management platform.
    • Apply tags to resources to logically organize all the resources in your subscription.
    • Clarify billing by viewing costs for a group of resources that share a tag.
Infrastructure as Code
  • You manage your infrastructure as lines of code.
ARM Templates
  • Describe the resources you want in JSON format.
  • Benefits:
    • Declarative syntax.
    • Repeatable results.
    • Orchestration.
    • Modular files.
    • Extensibility.
Bicep
  • A domain-specific language that uses declarative syntax to deploy Azure resources.
  • Bicep files tend to be simpler and more concise than ARM templates.
  • Benefits:
    • Support for all resource types and API versions.
    • Simple syntax.
    • Repeatable results.
    • Orchestration.
    • Modularity.

Azure Advisor

  • Evaluates your Azure resources and makes recommendations to help improve reliability, security, performance, operational excellence, and reduce cost.
  • The recommendations that it provides are grouped into 5 categories: Reliability, Security, Performance, Operational Excellence, and Cost.

Azure Service Health

  • Helps you keep track of service health, both the general health of Azure services and the health of your specific resources.
  • It's able to do this by combining 3 services:
    • Azure Status: A global view of all Azure services and their health.
    • Service Health: A narrower view of Azure services and regions, with a focus on the ones that you are using. You can set up alerts to notify when service issues, planned maintenance, or any other changes may happen.
    • Resource Health: A tailored view of your actual resources.

Azure Monitor

  • Platform for collecting data on your resources, analysing that data, visualising the information, and acting on the results.
  • Can monitor your Azure resources, on-premise resources, and multi-cloud resources.
  • Azure Log Analytics: A tool where you can write and run log queries on the data gathered by Azure Monitor.
  • Azure Monitor Alerts: An automated way to stay informed when Azure Monitor detects a threshold being crossed (if configured to, they can also attempt corrective action.)

Architecture and Services

  • Resource Groups: Are simply groupings of resources (a resource is anything you create, provision or deploy within Azure).
    • A Resource can only be in one Resource Group and a Resource Group can have many Resources.
    • Resource Groups can't be nested.
    • A resource group is similar to a Stack in AWS.
  • Subscriptions: are a unit of management, billing, and scale that allow us to organise resource groups and facilitate billing.
    • An Azure subscription links to an Azure account which is an identity in Microsoft Entra ID or in a directory that Microsoft Entra ID trusts.
    • An account can have multiple subscriptions (it's required to have at least one).
    • Subscriptions can be used to set subscription boundaries:
      • Billing Boundary: This type determines how much an Azure account is billed for using Azure.
      • Access Control Boundary: This type applies access-management policies at the subscription level.
  • Management Groups: Used for effectively managing and organising subscriptions.
    • Allow you to apply governance conditions and everything within a management group inherits these conditions.
    • Management groups can be nested.
    • 10,000 management groups can be supported in a single directory.
    • A management group tree can support up to 6 levels of depth; this limit doesn't include the root level or the subscription level.
    • Each management group and subscription can support only one parent.

Virtual Machines

  • Provide IaaS and are an ideal choice if you need: total control over the OS, the ability to run custom software, to use custom hosting configurations.
  • You can run different VMs for testing, development, or minor tasks.
  • You can manage the grouping of VMs with features like scale sets and availability sets.
    • Scale sets let you create and manage a group of identical, load-balanced VMs. Saving a lot of manual work.
    • Availability sets are designed to ensure that VMs stagger updates and have varied power and network connectivity, preventing you from losing all your VMs with a single network or power failure.
      • Availability sets accomplish this by grouping VMs in 2 ways:
        • Update domain: groups VMs that can be rebooted at the same time, allowing you to apply updates while knowing that only one update domain grouping is offline at a time.
        • Fault domain: groups VMs by common power source and network switch; availability sets default to splitting your VMs across up to 3 fault domains.
  • VMs are an excellent choice when you move from a physical server to the cloud (lift and shift).
    • You can make an image of the physical server and host it within a VM.
    • You must maintain the VM just like you would with a physical server.
  • You need to pick the resources that are associated with the VM when provisioning one: size (number of processor cores and RAM), storage disks, networking (virtual network, public IP, port config).
  • To see your VMs: az vm list
  • Get VM IP addresses: az vm list-ip-addresses

Containers

  • Are a great choice if you want to run multiple instances of an application on a single host machine.
  • Containers are a virtualisation environment; you can run multiple containers on a single physical or virtual host.
  • Containers are a lighter and more agile way to manage this sort of infrastructure.
  • Azure Container Instances is a PaaS offering: you upload your containers and the service runs them for you.
  • Azure Container Apps lets you get up and running straight away; it removes the container management piece and is also a PaaS offering.
    • Container Apps have extra benefits such as the ability to incorporate load balancing and scaling.
  • Azure Kubernetes Service is a container orchestration service that manages the lifecycle of containers (handy when deploying a fleet of containers).

Azure Functions

  • Are an event-driven, serverless compute option that doesn't require maintaining VMs or containers.
  • You don't need anything running for these to work, they "wake up" when an event is fired.
  • No infrastructure management, can focus on developer concerns.
  • Very scalable when building serverless apps.
  • Only pay for what you use (each time function executes).

Azure App Service

  • Allows you to build and host web apps, background jobs, mobile back-ends, RESTful APIs in the language of your choice without managing infrastructure.
  • Offers automatic scaling and high availability.
  • Supports Windows and Linux.
  • Enables automatic deployments from GitHub, Azure DevOps, or any Git repo to support a continuous deployment model.
  • Is an HTTP-based service.
  • You can host (for example): Web apps, API apps, WebJobs, Mobile apps.

Azure Virtual Networking

  • Allows Azure resources to communicate with each other, with users on the internet, and with your on-premises client computers.
  • Azure virtual networks provide:
    • Isolation and segmentation.
    • Internet communications.
    • Communicate between Azure resources.
    • Communicate with on-premises resources.
    • Route network traffic.
    • Filter network traffic.
    • Connect virtual networks.
  • Public endpoints have a public IP address and can be accessed from anywhere in the world.
  • Private endpoints exist within a virtual network and have a private IP address from within the address space of that virtual network.
  • Communication between Azure resources can happen one of two ways:
    • Virtual networks can connect not only VMs but other Azure resources.
    • Service endpoints can connect to other Azure resource types, such as Azure SQL databases and storage accounts. This approach enables you to link multiple Azure resources to virtual networks to improve security and provide optimal routing between resources.
  • You can create a network that spans both your local and cloud environments; there are 3 mechanisms to achieve this:
    • Point-to-site virtual private network connections are from a computer outside your organisation back into your corporate network. In this case, the client computer initiates an encrypted VPN connection to connect to the Azure virtual network.
    • Site-to-site virtual private networks link your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. Essentially, the devices in Azure can appear as being on the local network.
    • Azure ExpressRoute provides a dedicated private connection to Azure that doesn't travel over the internet. ExpressRoute is useful for environments where you need greater bandwidth and high levels of security.
  • You can direct traffic with Route Tables.
  • Border Gateway Protocol (BGP) works with Azure VPN gateways, Azure Route Server, or Azure ExpressRoute to propagate on-premises BGP routes to Azure virtual networks.
  • Filter traffic with network security groups.
  • Network virtual appliances carry out a particular network function for you, like setting up a firewall.
  • You can connect virtual networks through peering; network traffic between peered networks is private and never enters the public internet.
  • User defined routes (UDR) allow you to control the routing tables between subnets within a virtual network or between virtual networks.
  • See current network security groups: az network nsg list.
  • To see the rules associated with a security group: az network nsg rule list --resource-group "[resource group name]" --nsg-name <name from previous command>.
  • We can use the --query flag with previous command to get specific items.
  • Create a rule with: az network nsg rule create, with appropriate flags.
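The network security group, route table (UDR) and network virtual appliance pieces described above, as an added example that is not from the original notes: a Bicep file for a resource group (`az deployment group create --resource-group <rg> --template-file network.bicep`) that builds a virtual network whose application subnet filters inbound traffic with an NSG and sends its outbound traffic through a firewall appliance. All names, address ranges and the appliance IP are assumed.

```bicep
// Added example, not from the original notes: vnet + NSG + UDR to an NVA.
param location string = resourceGroup().location

@description('Private IP of the firewall appliance in snet-nva (assumed address)')
param firewallPrivateIp string = '10.0.0.4'

@description('Subnet that management hosts (e.g. bastion) live in (assumed range)')
param managementPrefix string = '10.0.2.0/24'

// NSG rules are evaluated lowest priority number first; the first match wins.
resource appNsg 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
  name: 'nsg-app'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowHttpsInbound'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'        // service tag, not a literal range
          sourcePortRange: '*'
          destinationAddressPrefix: 'VirtualNetwork'
          destinationPortRange: '443'
        }
      }
      {
        name: 'AllowSshFromManagement'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: managementPrefix  // never 'Internet' for port 22
          sourcePortRange: '*'
          destinationAddressPrefix: 'VirtualNetwork'
          destinationPortRange: '22'
        }
      }
      {
        // Explicit catch-all so a later, broader Allow rule (priority > 4000)
        // cannot silently expose the subnet; the default DenyAllInbound sits at 65500.
        name: 'DenyInternetInbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// User-defined route: force all traffic that is not destined for the vnet
// through the appliance so it can be inspected and logged.
resource appRoutes 'Microsoft.Network/routeTables@2023-11-01' = {
  name: 'rt-app'
  location: location
  properties: {
    routes: [
      {
        name: 'default-via-nva'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
  name: 'vnet-app'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    subnets: [
      {
        name: 'snet-nva'   // the appliance itself must not be routed back through itself
        properties: {
          addressPrefix: '10.0.0.0/24'
        }
      }
      {
        name: 'snet-app'
        properties: {
          addressPrefix: '10.0.1.0/24'
          networkSecurityGroup: {
            id: appNsg.id
          }
          routeTable: {
            id: appRoutes.id
          }
        }
      }
    ]
  }
}
```

To review the result with the `--query` flag from the notes above, a JMESPath projection such as `az network nsg rule list --resource-group <rg> --nsg-name nsg-app --query "[].{name:name, priority:priority, access:access, port:destinationPortRange}" -o table` lists just the fields that matter for a rule audit.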

VPN

  • A virtual private network uses an encrypted tunnel within another network.
  • Traffic is encrypted whilst travelling over untrusted networks to prevent eavesdropping.
  • VPN Gateway: is a type of virtual network gateway that is deployed in a dedicated subnet of the virtual network and enables the following connectivity:
    • On-premises data-centers to virtual networks through a site-to-site connection.
    • Individual devices to virtual networks through a point-to-site connection.
    • Virtual networks to other virtual networks through a network-to-network connection.
  • You can only deploy one VPN gateway in each virtual network.
  • You can use a gateway to connect to multiple locations, which includes other virtual networks or on-premises data-centers.
  • A VPN gateway can either be policy-based or route-based.
    • Policy-based gateways specify statically the IP address of packets that should be encrypted through each tunnel.
    • Route-based gateways: IPsec tunnels are modelled as a network interface or virtual tunnel interface, and IP routing decides which of these tunnel interfaces to use when sending each packet. Route-based VPNs are preferred for on-premises connections as they're more resilient to topology changes, such as the creation of new subnets.
  • Use route-based if you need any of the following types of connectivity: connections between virtual networks, point-to-site connections, multisite connections, coexistence with an Azure ExpressRoute gateway.
  • To maximise the resiliency of your VPN gateway, gateways are deployed in an active/standby configuration by default; you can change to an active/active configuration, or configure the gateway as a secure failover path for ExpressRoute connections.
    • Active/standby: VPN gateways are deployed as 2 instances; the standby takes over connections when the active instance is undergoing maintenance or is disrupted.
    • Active/active: You assign a unique public IP address to each instance and then create tunnels from the on-premises device to each IP address.
    • ExpressRoute Failover: If you are using ExpressRoute, stuff can still go wrong, so you can set up a VPN gateway to deal with connections as a backup.
    • Zone-redundant gateways: In regions that support AZs, VPN gateways and ExpressRoute gateways can be deployed in a zone-redundant config. It involves deploying gateways in Azure availability zones which will physically and logically separate gateways within a region whilst protecting your on-premise network connectivity to Azure from zone-level failures.
  • ExpressRoute gives your on-premises network a private, dedicated connection to Microsoft services.

Storage

  • There are multiple redundancy options for your storage account: locally redundant storage (LRS), geo-redundant storage (GRS), read-access geo-redundant storage (RA-GRS), zone-redundant storage (ZRS), geo-zone-redundant storage (GZRS), and read-access geo-zone-redundant storage (RA-GZRS).
  • Storage account types:
    • Standard general-purpose v2 (LRS, GRS, RA-GRS, ZRS, GZRS, RA-GZRS): for blobs, file shares, queues, and tables. Recommended for most scenarios using Azure storage.
    • Premium block blobs (LRS, ZRS): for block blobs and append blobs. Recommended for scenarios with high transaction rates or that use smaller objects or require consistently low storage latency.
    • Premium file shares (LRS, ZRS): for file shares only. Recommended for enterprise or high-performance scale apps; use this account type if you want a storage account that supports both Server Message Block (SMB) and NFS file shares.
    • Premium page blobs (LRS): for page blobs only.
  • Having an Azure Storage account gives your data a unique namespace.
  • Endpoints formats:
    • Blob storage: https://<storage-account-name>.blob.core.windows.net
    • Data lake storage gen2: https://<storage-account-name>.dfs.core.windows.net
    • Azure files: https://<storage-account-name>.file.core.windows.net
    • Queue storage: https://<storage-account-name>.queue.core.windows.net
    • Table storage: https://<storage-account-name>.table.core.windows.net
  • Azure always stores multiple copies (3 copies) of your data so that it's protected from planned and unplanned events such as transient hardware failures, network or power outages, and natural disasters.
  • When picking a redundancy option you have to toss up between low cost and high availability; the factors to consider are:
    • How your data is replicated in the primary region.
    • Whether your data is replicated to a second region that is geographically distant to the primary region, to protect against regional disasters.
    • Whether your app requires read access to the replicated data in the secondary region if the primary region becomes unavailable.
  • Locally redundant storage: replicates your data 3 times within a single data center in the primary region, provides 99.999999999% durability of objects over a given year.
    • The lowest-cost redundancy option and offers the least durability when compared to the other options.
    • Protects data against server rack and drive failures; however, data can be lost if some physical event occurs at the data center.
  • Zone-redundant storage: replicates data synchronously across 3 availability zones in the primary region, provides 99.999999999999% durability of objects over a given year.
    • Data is still accessible for read and write operations even if a zone becomes unavailable, no remounting of Azure file shares from the connected clients is required.
    • If a zone becomes unavailable, Azure undertakes networking updates, such as DNS repointing. These updates only affect the app if you access data before the updates have completed.
    • It is recommended to use ZRS in the primary region for scenarios that require high availability and for restricting replication of data within a country or region to meet data governance requirements.
  • Redundancy in a second region involves having copies of your data in another region; the second region is determined by Azure through its region pairs and can't be changed. By default, data in the secondary region isn't available for read or write access unless there's a failover to the secondary region.
    • Because data is replicated to the secondary region asynchronously, a failure that affects the primary region may result in data loss if the primary region can't be recovered.
    • The interval between the most recent writes to the primary region and the last write to the secondary region is known as the recovery point objective (RPO).
    • The RPO indicates the point in time to which the data can be recovered.
    • Azure storage typically has an RPO of less than 15 minutes, although there's currently no SLA on how long it takes to replicate data to the secondary region.
  • Geo-redundant storage is essentially running LRS in both primary and secondary region.
  • Geo-zone-redundant storage is running ZRS in the primary region and LRS in the secondary region.
    • Is recommended for apps requiring maximum consistency, durability, and availability, excellent performance, and resilience for data recovery.
  • In the case of an outage where your data is replicated to your secondary region, the data will be available for reads only if the customer or Microsoft initiates a failover from the primary to the secondary. You can make the data always read-accessible in the secondary region by enabling read-access geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS).
  • Also keep in mind the data in the secondary region may not always be up to date due to RPO.
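The storage account types and redundancy options above, together with the Resource Locks notes under Governance, as an added example that is not from the original notes: a resource-group Bicep file (`az deployment group create --resource-group <rg> --template-file storage.bicep`) that creates a Standard general-purpose v2 account with geo-zone redundancy, hardened transport and access settings, tags, and a delete lock. The account name prefix, tag values and lock notes are assumed. Note that the portal's "Delete" lock is called `CanNotDelete` in the API.

```bicep
// Added example, not from the original notes: hardened GPv2 storage account with a delete lock.
param location string = resourceGroup().location

@minLength(3)
@maxLength(24)
@description('Globally unique, lowercase alphanumeric (assumed prefix + hash of the resource group)')
param storageAccountName string = 'stgradkb${uniqueString(resourceGroup().id)}'

// Each SKU maps to one of the redundancy options from the notes
// (LRS, ZRS, GRS, GZRS, RA-GRS, RA-GZRS).
@allowed([
  'Standard_LRS'
  'Standard_ZRS'
  'Standard_GRS'
  'Standard_GZRS'
  'Standard_RAGRS'
  'Standard_RAGZRS'
])
param redundancy string = 'Standard_GZRS'

resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'              // "Standard general-purpose v2"
  sku: {
    name: redundancy
  }
  tags: {                         // assumed tag values, the kind a tagging policy would require
    owner: 'platform-team'
    environment: 'dev'
  }
  properties: {
    accessTier: 'Hot'             // account-level default; individual blobs can be moved to Cool/Cold/Archive
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false  // no anonymous container/blob reads
    allowSharedKeyAccess: false   // callers must authenticate with Entra ID, not the account keys
    networkAcls: {
      defaultAction: 'Deny'       // only explicitly listed networks and trusted Azure services
      bypass: 'AzureServices'
    }
  }
}

// Extension resource scoped to the account: blocks deletion until the lock is removed.
resource noDelete 'Microsoft.Authorization/locks@2020-05-01' = {
  scope: sa
  name: 'no-delete'
  properties: {
    level: 'CanNotDelete'         // 'ReadOnly' would also block configuration changes
    notes: 'Remove this lock before deleting the account (assumed note text).'
  }
}

// Matches the endpoint format https://<storage-account-name>.blob.core.windows.net/
output blobEndpoint string = sa.properties.primaryEndpoints.blob
```

With `allowSharedKeyAccess` off, tools such as AzCopy and Storage Explorer need an Entra ID login rather than an account key, and with `defaultAction: 'Deny'` the portal's own data browsing will fail until your client network is added to the ACL; both are deliberate, and the deployment outputs the endpoint so the next step can be scripted.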
Services
  • Azure Blobs: A scalable object store for the text and binary data. Also includes support for big data analytics through Data Lake Storage Gen2.
    • There are no restrictions, meaning Blob storage can store anything.
    • Azure takes care of physical storage needs so the developer doesn't need to worry about disks.
    • Blob storage is ideal for:
      • Serving images or documents directly to a browser.
      • Storing files for distributed access.
      • Streaming video and audio.
      • Storing data for backup and restore, data recovery, and archiving.
      • Storing data for analysis by an on-premises or Azure-hosted service.
    • Blob Access Tiers:
      • Hot access tier: Optimised for storing data that is accessed frequently (eg. images for a website).
      • Cool access tier: Optimised for data that is infrequently accessed and stored for at least 30 days (eg. invoices).
      • Cold access tier: Optimised for storing data that is infrequently accessed and stored for at least 90 days.
      • Archive access tier: Appropriate for data that is rarely accessed and stored for at least 180 days, with flexible latency requirements (eg. long term backups).
      • The archive tier isn't available at the account level.
      • All tiers can be set at the blob level during or after upload.
      • Data in the cool and cold tiers can tolerate slightly lower availability, but still requires high durability, retrieval latency, and throughput characteristics similar to hot data. A lower availability service-level agreement (SLA) and higher access costs compared to hot data are acceptable trade-offs for lower storage costs.
      • Archive storage stores data offline and offers the lowest storage costs, but also highest costs to rehydrate and access data.
  • Azure Files: Managed file shares for cloud or on-premise deployments.
    • Fully managed file shares in the cloud that are accessible via industry standard Server Message Block (SMB) or Network File System (NFS) protocols.
    • SMB file shares are accessible from Windows, macOS, or Linux clients and can be cached on Windows Servers with Azure File Sync for fast access near where the data is being used.
    • NFS file shares are accessible from Linux or macOS clients.
    • Benefits: Shared access, fully managed, scripting, tooling, resiliency, and familiar programmability.
  • Azure Queues: A messaging store for reliable messaging between application components.
    • Each message can be up to 64KB in size.
    • Commonly used to create a backlog of work to process asynchronously.
    • Can be combined with compute functions like Azure functions to take an action when a message is received.
  • Azure Disks: Block-level storage volumes for Azure VMs.
    • Virtualised disks in the cloud.
    • Offers resiliency and availability.
    • All you need to do is provision the disk; Azure will do the rest.
  • Azure Tables: NoSQL table option for structured, non-relational data.
    • Accepts authenticated calls from inside and outside the Azure cloud.
    • Ideal for storing structured, non-relational data.
Migration
  • Azure Migrate: helps you migrate from an on-premises environment to the cloud.
    • Azure migrate functions as a hub to help you manage the assessment and migration of your on-premises datacenter to Azure.
    • It provides:
      • Unified Migration Platform: A single portal to start, run, and track your migration to Azure.
      • Range of tools: Including discovery and assessment, and server migration.
      • Assessment and migration: You can assess and migrate your on-premises infrastructure to Azure.
  • Integrated Tools:
    • Azure Migrate: Discovery and assessment. Discover and assess on-premises servers running on VMware, Hyper-V, and physical servers in preparation for migration to Azure.
    • Azure Migrate: Server Migration. Migrate VMware VMs, Hyper-V VMs, physical servers, other virtualized servers, and public cloud VMs to Azure.
    • Data Migration Assistant. Data Migration Assistant is a stand-alone tool to assess SQL Servers. It helps pinpoint potential problems blocking migration. It identifies unsupported features, new features that can benefit you after migration, and the right path for database migration.
    • Azure Database Migration Service. Migrate on-premises databases to Azure VMs running SQL Server, Azure SQL Database, or SQL Managed Instances.
    • Azure App Service migration assistant. Azure App Service migration assistant is a standalone tool to assess on-premises websites for migration to Azure App Service. Use Migration Assistant to migrate .NET and PHP web apps to Azure.
    • Azure Data Box. Use Azure Data Box products to move large amounts of offline data to Azure.
  • AzCopy is a one-direction synchronisation CLI tool for copying blobs or files to or from your storage account.
  • Azure Storage Explorer is a standalone app that provides a GUI to manage files and blobs in your Azure storage account. It uses AzCopy on the backend to perform all the management tasks on the blobs or files.
  • Azure File Sync is a tool that lets you centralise your file shares in Azure Files while keeping the flexibility, performance, and compatibility of a Windows file server.
    • Once you install Azure File Sync on your local Windows server, it automatically stays bi-directionally synced with your files in Azure.
    • With Azure File Sync you can:
      • Use any protocol that's available on Windows Server to access your data locally, including SMB, NFS, and FTPS.
      • Have as many caches as you need across the world.
      • Replace a failed local server by installing Azure File Sync on a new server in the same datacenter.
      • Configure cloud tiering so the most frequently accessed files are replicated locally, while infrequently accessed files are kept in the cloud until requested.

Directory Services

Microsoft Entra ID
  • Microsoft Entra ID is a directory service that enables you to sign in and access Microsoft cloud apps and cloud apps that you develop.
  • In other words Microsoft Entra ID is Microsoft's cloud-based identity and access management system.
  • It is for IT admins, app developers, users, and online service subscribers.
  • Provides services such as:
    • Authentication: Verifying identity for access, self-service password reset, MFA, a custom list of banned passwords, and smart lockout services.
    • Single sign-on: SSO enables you to remember only one username and one password to access multiple apps. A single identity is tied to a user, simplifying the security model.
    • Application management: Manage your apps with Entra with features like application proxy, SaaS apps, my apps portal, and SSO.
    • Device Management: You can register devices, enabling us to use tools like Microsoft Intune. It also enables device-based conditional access policies to restrict access attempts to only those coming from known devices, regardless of the account.
  • To connect an on-premises Active Directory with Microsoft Entra ID you can use Microsoft Entra Connect to synchronise user identities, allowing you to use features like SSO, MFA, and self-service password reset across both systems.
Microsoft Entra Domain Services
  • Provides managed domain services such as domain join, group policy, and Lightweight Directory Access Protocol (LDAP).
  • Integrates with existing Microsoft Entra tenant.
  • When you create one, you define a unique namespace; this is the domain name.
  • Two Windows Server domain controllers are then deployed into your selected Azure region. This deployment of DCs is known as a replica set.
External Identities
  • Capabilities that make up external identities:
    • Business to business (B2B) collaboration: Collaborate with external users by letting them use their preferred identity to sign in to your Microsoft applications or other enterprise apps. They are typically represented in your directory as guest users.
    • B2B direct connect: Establish a mutual, two-way trust with another Microsoft Entra org for seamless collaboration. B2B direct connect users aren't represented in your directory but are visible within the Teams shared channel and can be monitored in Teams admin center reports.
    • Microsoft Azure Active Directory business to customer (B2C): Publish modern SaaS apps or custom-developed apps to consumers and customers, while using Azure AD B2C for identity and access management.

Roles

  • Roles have scopes.
  • Scopes include: A management group, a single subscription, a resource group, or a single resource.
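Added here as an illustration, not part of the original notes: a small Python model of how a role assigned at one of the scopes above is inherited by everything beneath it, and of picking the narrowest scope that still covers a set of resources. All resource IDs are constructed sample values, and the helper handles subscription scopes and below (management-group membership is not encoded in a subscription's path).

```python
"""Azure RBAC scope inheritance, modelled for illustration (added example)."""
from dataclasses import dataclass

# Constructed sample identifiers; not real Azure resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-payroll"
VM1 = RG + "/providers/Microsoft.Compute/virtualMachines/vm-payroll-01"
VM2 = RG + "/providers/Microsoft.Compute/virtualMachines/vm-payroll-02"
HR_VM = SUB + "/resourceGroups/rg-hr/providers/Microsoft.Compute/virtualMachines/vm-hr-01"


def _parts(scope: str) -> list:
    # Azure scope strings are case-insensitive, so compare them lower-cased.
    return [p.lower() for p in scope.split("/") if p]


def covers(assignment_scope: str, target_scope: str) -> bool:
    """True if a role assigned at assignment_scope applies to target_scope.

    A scope covers itself and every descendant in the path:
    subscription > resource group > resource.
    """
    a, t = _parts(assignment_scope), _parts(target_scope)
    return t[: len(a)] == a


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str


def effective_roles(assignments, principal: str, target_scope: str) -> list:
    """Roles a principal holds on a target, including inherited ones."""
    return sorted({a.role for a in assignments
                   if a.principal == principal and covers(a.scope, target_scope)})


def narrowest_common_scope(resource_scopes) -> str:
    """Smallest single scope covering every listed resource (least privilege)."""
    paths = [_parts(s) for s in resource_scopes]
    common = []
    for column in zip(*paths):          # walk the paths while they agree
        if len(set(column)) != 1:
            break
        common.append(column[0])
    if all(p == common for p in paths):  # one resource (or duplicates of it)
        return resource_scopes[0]
    orig = [p for p in resource_scopes[0].split("/") if p]  # keep original case
    if len(common) >= 4 and common[2] == "resourcegroups":
        return "/" + "/".join(orig[:4])  # same resource group
    if len(common) >= 2 and common[0] == "subscriptions":
        return "/" + "/".join(orig[:2])  # same subscription
    raise ValueError("resources span subscriptions; assign at a management group")
```

In practice, prefer `narrowest_common_scope` over a habitual subscription-level grant: two VMs in one resource group only justify a resource-group assignment.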

Security

  • The layers that help us protect our apps are as follows:
    • The physical security layer is the first line of defence to protect computing hardware in the datacenter.
    • The identity and access layer controls access to infrastructure and change control.
    • The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
    • The network layer limits communication between resources through segmentation and access controls.
    • The compute layer secures access to virtual machines.
    • The application layer helps ensure that applications are secure and free of security vulnerabilities.
    • The data layer controls access to business and customer data that you need to protect.
  • Microsoft Defender is a monitoring tool for security posture management and threat protection.
    • It monitors your cloud, on-premises, hybrid, and multi-cloud environments.
    • It provides guidance and notifications aimed at strengthening your security posture.