Azure - kamialie/knowledge_corner GitHub Wiki

Overview

SKU - stock-keeping unit

Cloud Adoption Framework

Azure Stack allows running private and hybrid cloud models.

Concepts

Regions and Availability Zones

Geography is a discrete market containing one or more regions. Addresses data residency and compliance requirements: data kept within a geography does not leave it.

Region is a geographical area that contains at least one physical data center. Not all regions support availability zones; those that do have a minimum of 3 zones. Not all services store data in the selected region (more info on data residency). Currently 60+ regions in 10 geographies (December of 2021).

Special regions (require separate accounts for access):

  • US DoD Central, US Gov Virginia, US Gov Iowa, etc - physically and logically network-isolated regions for US government and agencies
  • China East, China North, etc - operated by 21Vianet under partnership; Microsoft does not directly maintain the data centers
  • German Central, German Northeast - Microsoft Cloud Germany, a data trustee model where data resides only in Germany under control of T-Systems (retired in 2021; the standard Germany West Central and Germany North regions replaced it)

Each region is paired with another region in the same geography, where possible at least 300 miles away. F.e. West US is paired with East US. Failover is not automatic across the board: geo-redundant storage replicates asynchronously to the pair, but most services must be deployed in both regions explicitly. Platform updates are rolled out to one region of a pair at a time, and in a broad outage recovery of at least one region in each pair is prioritized.

Availability Zone - physically separate data center(s) within a region that are set up to be an isolation boundary. Connected through high-speed, private fiber-optic networks.

  • zonal services - specify zone on launch (VMs, managed disks, standard public IPs, etc)
  • zone-redundant services - replication across zones done by the platform (ZRS storage, SQL database, etc)
  • non-regional services - not tied to any region (f.e. Azure DNS, Traffic Manager, Azure AD)

Resource group

Logical container for related resources that are combined to be managed and deployed as a unit. Can not be nested. All resources must be in a resource group; a single resource can be a member of only one group. Resources can communicate across resource groups, and can be deployed in different regions (even different than a region specified for a resource group). Deleting a resource group also deletes all resources within it. Authorization (RBAC) can be applied to a resource group.

Compute

Supports Linux, Windows Server, SQL Server, Oracle, IBM, and SAP.

Virtual Machines

Virtual Machine Scale Sets - resource to deploy and manage a set of identical, load-balanced VMs. Scaling can be done manually or automatically (based on demand or on schedule).

Batch - manage large-scale parallel and HPC batch jobs with ability to scale to tens, hundreds, or thousands of VMs. Starts pool of VMs, installs applications and data, queues jobs, identifies failures, scales down as jobs complete.

Dedicated Host runs VMs on physical hardware reserved for one customer (multiple VMs, up to the capacity of the host). Provides visibility into the server infrastructure and lets you choose the number of processors, server capabilities, and VM series and sizes within the same host. Host group is a collection of dedicated hosts. Maintenance control lets you decide when regular maintenance occurs within a 35-day rolling window. Charged per host, independent of the number of VMs on it.

Each VM has Resource Health Blade (monitoring).

Custom Script Extension

Availability set

VM costs

1 or 3 year Azure Reserved Virtual Machine Instances, paid up front or monthly. Up to 72% savings compared to pay-as-you-go pricing.

VM CLI

# Create VM (UbuntuLTS was the image alias at the time of writing;
# --generate-ssh-keys creates a key pair in ~/.ssh if none exists and the VM
# is created with SSH-key authentication, not a password)
$ az vm create \
	--resource-group <group_name> \
	--name <vm_name> \
	--image UbuntuLTS \
	--admin-username <username> \
	--generate-ssh-keys

# Install Nginx via the Custom Script Extension.
# --settings is stored in clear text in the VM model (visible via `az vm extension show`);
# --protected-settings is encrypted and decrypted only on the VM, so anything
# carrying credentials belongs there. The script below is pulled from a branch
# (master), not a pinned commit, so whoever controls that branch runs as root on
# the VM - pin a commit hash or host the script in storage you control.
$ az vm extension set \
	--resource-group <group_name> \
	--vm-name <vm_name> \
	--name customScript \
	--publisher Microsoft.Azure.Extensions \
	--version 2.1 \
	--settings '{"fileUris":["https://raw.githubusercontent.com/MicrosoftDocs/mslearn-welcome-to-azure/master/configure-nginx.sh"]}' \
	--protected-settings '{"commandToExecute": "./configure-nginx.sh"}'

Container Instances

Runs containers on demand without provisioning VMs or managing an orchestrator; billed for the seconds a container group runs.

Intended for simple, small web apps, dev setups, and small scale batch processing.

Kubernetes Service

Managed Kubernetes service.

Container Registry

Azure image repository.

App service

Deploy and manage web, mobile, API apps without infrastructure (PaaS).

Provides automatic scaling and HA. Supports Windows and Linux deployments from GitHub, Azure DevOps, or any other Git repo for continuous deployment.

App service styles:

  • Web - ASP.NET, ASP.NET Core, Java, Ruby, Node.js, PHP, or Python
  • API - any language or framework, Swagger support and the ability to package and publish in Azure Marketplace
  • WebJobs - run a program (.exe, Java, PHP, Python, or Node.js) or script (.cmd, .bat, PowerShell, or Bash) in the same context as Web, API, or mobile app. Can be scheduled or run by a trigger. Often used to run background tasks as part of application logic
  • Mobile - backend for iOS or Android. Storage, authentication (common providers MSA, Google, Facebook), push notifications, custom backend-logic in C# or Node.js. SDK support for iOS, Android, Xamarin, React
  • Containers - deploy a custom container image (Web App for Containers) instead of one of the built-in runtime stacks

App Service Plan defines the underlying infrastructure; no patching or maintenance is needed. Multiple App Services can run on a single App Service Plan. Plan type or pricing tier determines underlying VM properties and additional features such as auto-scaling, custom domain, etc. Payment is based on compute resources used based on chosen plan. Free tier is available for small, low-traffic sites.

Kudu (Development Tools -> Advanced Tools, served at <app>.scm.azurewebsites.net) is the SCM web site with easy access to environment variables, running processes, log files, console access, etc. It exposes app settings (including secrets) and a shell on the app host, so treat access to it like access to the app's credentials and restrict it (the SCM site can get its own access restrictions).

Functions

Event-driven serverless compute service.

Runs custom code triggered by an event: an HTTP request, a timer, or a message from another Azure service (queue, blob, Event Grid, etc). Supports .NET Core, Java, Node.js, Python, PowerShell and Custom Handlers.

Can be stateless (default) or stateful (Durable Functions). Can run locally or in the cloud.

Logic Apps

Low-code/no-code development platform (stateful). Works as web-based designer portal that provides triggers and actions with connectors. Mostly used as orchestration (or workflow) service.

Similar to Functions, but executes workflows built from predefined logic blocks. Workflows contain actions, which can include data conversions and flow controls (conditional statements, loops, etc). Actions are created and connected in GUI; resulting workflows are persisted as JSON files (workflow schema).

Connectors offer integrations with other services such as Salesforce, SAP, Oracle DB, etc. Custom connectors can also be added.

Pricing is based on number of executions and connector types being used.

Event Grid

Connects data sources with event handlers. Works in a subscription model. Functions and Logic Apps are among available handlers. Custom handler can be added as well. Data sources are various events inside Azure services.

Virtual Desktop

Desktop and application virtualization service. Session hosts open outbound connections to the service (reverse connect), so no inbound RDP port has to be exposed on the hosts. Client is supported on Windows, Mac, Android, HTML5 browser. The VM image can be chosen from Marketplace or uploaded as a custom image.

Session host VMs can be set up to run near apps and services that are being used. Personal desktops can be provided for persistent desktops.

Provides centralized security management through Azure AD. Can assign RBAC and MFA.

Users are load balanced to host pool, which is a collection of VMs with similar configurations.

  • breadth mode - users are allocated sequentially
  • depth mode - users are fully allocated on one VM before moving to the next

No extra license cost for users who already hold an eligible Microsoft 365 or Windows license; you pay only for the VMs, storage and networking consumed. VM reservations can be applied to session hosts.

Networking

A VM in Azure can reach the internet by default (default outbound access). To accept inbound connections, assign a public IP to its NIC or place it behind a public load balancer. Connect via SSH (Linux) or Remote Desktop Protocol (Windows), or through the CLI.

Virtual Network

Service Endpoints - extend a subnet's identity to supporting PaaS services (Storage, SQL, Key Vault, etc), so that traffic stays on the Microsoft backbone and the service can restrict access to that subnet. The service keeps its public IP; a Private Endpoint instead gives the service a private IP inside the VNet.

By default, traffic is routed between subnets on any connected virtual networks, on-prem networks, and internet. Can be managed with Route Tables, or Border Gateway Protocol (works with Azure VPN gateways or ExpressRoute to propagate on-prem BGP to virtual networks).

Network virtual appliances - specialized VM, running a firewall or performing wide area network optimizations.

VNets can be linked via VNet peering, even from different regions.

System routes are enabled by default and allow routing between subnets and to the internet. User-defined routes (UDR) override them to steer traffic - f.e. send all outbound traffic from every subnet to a network virtual appliance subnet for inspection. UDRs route, they do not filter; filtering is done by the NVA or by NSGs.

Network Security Group

Network security groups contain multiple inbound and outbound rules that allow or deny traffic based on source and destination IP, port and protocol. Can be associated with a subnet or a network interface, and one NSG can be associated with many subnets or NICs. Stateful: return traffic of an allowed flow is permitted without an explicit rule.

Rule properties:

  • name
  • priority - 100 to 4096; rules are evaluated in ascending order and the first match wins
  • source or destination - single IP, IP range, service tag or application security group
  • protocol
  • direction - inbound or outbound
  • port range - single or range
  • action - allow or deny

New NSG has a set of default rules (priorities 65000 and above) that can not be removed, but can be overridden by custom rules with a lower priority number.

An NSG is optional: a VM with a public IP and no NSG on its NIC or subnet is reachable from the internet on every port. With an NSG attached, the default DenyAllInBound rule drops any inbound traffic no other rule allows (implicit deny). When NSGs are attached to both the subnet and the NIC, inbound traffic must be allowed by both.
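Added example (not from the original wiki page): a small evaluator that applies inbound NSG rules the way the platform does, i.e. ascending priority, first match wins, the non-removable default rules at 65000+ evaluated last, and a rule whose source is omitted treated as `*`. The default-rule names and priorities are the documented ones; the service-tag address ranges, rule names and client prefixes are constructed for the example.

```python
import ipaddress

# Default inbound rules of every new NSG (priority 65000+, cannot be removed).
# Names and priorities are the documented defaults; the rest is constructed.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "source": "VirtualNetwork",
     "ports": "*", "protocol": "*", "access": "Allow"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001,
     "source": "AzureLoadBalancer", "ports": "*", "protocol": "*", "access": "Allow"},
    {"name": "DenyAllInBound", "priority": 65500, "source": "*",
     "ports": "*", "protocol": "*", "access": "Deny"},
]

# The platform resolves service tags to address ranges; these are stand-ins
# (the VirtualNetwork tag really expands to the VNet's own space and its peers).
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}


def source_matches(prefix: str, src_ip: str) -> bool:
    """'*' matches anything; a service tag expands to its ranges; else a CIDR or IP."""
    if prefix == "*":
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n, strict=False)
               for n in SERVICE_TAGS.get(prefix, [prefix]))


def port_matches(spec: str, port: int) -> bool:
    """spec is '*', a single port, a range 'lo-hi', or a comma-separated list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, src_ip: str, port: int, protocol: str = "Tcp"):
    """First matching rule in ascending priority order decides: (access, rule name)."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if r["protocol"] not in ("*", protocol):
            continue
        if source_matches(r["source"], src_ip) and port_matches(r["ports"], port):
            return r["access"], r["name"]
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


def audit_open_to_any(rules, risky_ports=(22, 3389)):
    """Flag Allow rules that expose management ports to any source ('*')."""
    return [(r["name"], p) for r in rules for p in risky_ports
            if r["access"] == "Allow" and r["source"] == "*" and port_matches(r["ports"], p)]


# What `az network nsg rule create` produces when --source-address-prefixes is
# omitted: source '*'. Rule names and the admin prefix are constructed.
weak_ssh = {"name": "allow-ssh", "priority": 100, "source": "*",
            "ports": "22", "protocol": "Tcp", "access": "Allow"}
scoped_ssh = {"name": "allow-ssh-admin", "priority": 100, "source": "203.0.113.0/24",
              "ports": "22", "protocol": "Tcp", "access": "Allow"}

if __name__ == "__main__":
    print(evaluate([weak_ssh], "198.51.100.7", 22))    # ('Allow', 'allow-ssh')
    print(evaluate([scoped_ssh], "198.51.100.7", 22))  # ('Deny', 'DenyAllInBound')
    print(audit_open_to_any([weak_ssh, scoped_ssh]))  # [('allow-ssh', 22)]
```

The same packet from an address outside the admin prefix falls through every custom rule and lands on DenyAllInBound, which is the behaviour to expect when a rule is scoped; the audit helper is the check worth running over `az network nsg rule list` output before an NSG goes live.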

Security Group CLI

# List security groups
$ az network nsg list \
	--resource-group <group_name> \
	--query '[].name' \
	--output tsv

# List rules in security group
$ az network nsg rule list \
	--resource-group <group_name> \
	--nsg-name <security_group_name>

# List rules in security group (pretty format)
$ az network nsg rule list \
	--resource-group <group_name> \
	--nsg-name <security_group_name> \
	--query '[].{Name:name, Priority:priority, Port:destinationPortRange, Access:access}' \
	--output table

# Add new rule to security group. Source and destination default to '*' and
# direction to Inbound, so as written this opens port 80 to the whole internet on
# every NIC/subnet the NSG is attached to; add --source-address-prefixes <cidr_or_service_tag>
# to scope it.
$ az network nsg rule create \
	--resource-group <group_name> \
	--nsg-name <security_group_name> \
	--name allow-http \
	--direction Inbound \
	--protocol tcp \
	--priority 100 \
	--destination-port-ranges 80 \
	--access Allow

Application Security Group

A group entity that can be used as a source or destination in NSG. Groups multiple resources into single entity allowing NSG to take effect on a group of resources instead of individual resources.

Load Balancer

Application Gateway

Web traffic load balancer (exposes public IP)

Features:

  • TLS (SSL) termination
  • Auto-scaling
  • Session affinity
  • HTTP header rewriting
  • Advanced routing (based on host headers, part of the URL path, etc)
  • WAF (Web Application Firewall)

VPN Gateway

Only one VPN gateway is allowed per VNet.

Connection types:

  • site-to-site - on-prem to VNet
  • point-to-site - individual device to VNet
  • VNet-to-VNet - VNet to VNet

IKE - Internet Key Exchange.

Types:

  • policy-based - statically specify IP address of packets that should be encrypted through each tunnel. Supports only IKEv1, uses static routing, where both source and destination networks are specified. Mostly used with legacy on-prem VPN devices.
  • route-based - IP routing (either static or dynamic routing protocols) decide which tunnel interface to use when sending packet. Supports IKEv2, uses any-to-any (wildcard) traffic selectors. Traffic is encrypted based on routing tables that are created dynamically using routing protocols such as BGP.

Basic gateway should only be used for dev/test: no BGP support, no resize or migration to the VpnGw1/2/3 (and -AZ) SKUs, maximum 10 tunnels. VpnGw1-3 support BGP, up to 30 tunnels, and aggregate throughput of 650 Mbps, 1 Gbps and 1.25 Gbps respectively.

Deployment requirements in Azure:

  • VNet with enough addresses for VPN gateway; VNet CIDR can not overlap with on-prem network
  • GatewaySubnet with at least /27 mask for future growth; the subnet must be named GatewaySubnet and may contain only the gateway - deploying other resources into it is not supported
  • public IP if using non-zone-aware gateway; address is dynamic, but won't change unless gateway is re-created
  • Local network gateway - represents the on-prem side: the public IP of the on-prem VPN device and the address prefixes routable behind it
  • Virtual network gateway - route traffic from VNet to on-prem or other VNets; can be VPN or ExpressRoute gateway
  • Connection resource, which is a logical connection between local and VPN gateways (associated public IPs); multiple connections can be created

On-prem requirements include VPN device that supports policy-based or route-based VPN gateways and public IP.

Active/standby configuration (two instances) is used by default. During planned maintenance and in the event of disruption active node connection fails over to standby. BGP allows configuring active/active setup by assigning unique IP to each VPN gateway instance and creating separate tunnels from on-prem device to each IP. Multiple on-prem devices can also extend HA. Can also be used as ExpressRoute failover.

Zone-redundant option can be deployed in regions that support AZs, and requires different SKU and Standard public IP (instead of Basic).

Front Door Service

Load balancer, CDN and firewall all-in-one.

DNS

Content Delivery Network

Typically static content (any file that does not change, such as PDF, video, etc). Dynamic data is cached using Dynamic Site Acceleration (DSA).

Origins:

  • App Service Web App
  • Blob Storage
  • Custom origin

Edge Server (also called Point-of-presence) is serving the content to users. Multiple POPs are grouped into CDN region.

CDN Endpoint is a URL - either custom or default provided by Azure *.azureedge.net. CDN Profile is a collection of CDN Endpoints. Pricing is done on profile level.

DSA optimizes content delivery by leveraging the following techniques:

  • Route optimization (fastest route to origin, health checks)
  • TCP optimization (avoid "TCP slow start", persistent connections)
  • Object prefetch (edge server parses HTML and serves embedded images and scripts at the same time)
  • Adaptive image compression (monitors network quality and uses JPEG compression to send smaller images when network speed is slower)

Traffic Manager

Traffic distribution across regions.

ExpressRoute

Dedicated, high-bandwidth private connection from on-prem to Microsoft's network (uses BGP for route exchange). Private does not mean encrypted: ExpressRoute itself does not encrypt traffic, so use IPsec (VPN over ExpressRoute) or MACsec on ExpressRoute Direct where encryption is required. DNS queries, certificate revocation list checks and Azure CDN requests are still performed over the public internet.

Bandwidth options from 50 Mbps to 10 Gbps through a connectivity provider; ExpressRoute Direct connects straight to Microsoft's edge at 10 or 100 Gbps.

Provides direct access in all regions:

  • Microsoft Office 365 (accessed securely and reliably over internet, thus, ExpressRoute option is for specific scenarios)
  • Microsoft Dynamics 365
  • Azure compute services
  • Azure cloud services

Connection options:

  • CloudExchange colocation - can request virtual cross-connection to Microsoft cloud
  • point-to-point Ethernet connection
  • any-to-any connection - integrate with WAN

Global Reach allows exchanging data between on-prem sites by connecting their ExpressRoute circuits.

Network Watcher

Scenario-based network monitoring and diagnoses.

Firewall

Managed stateful firewall service.

Features:

  • threat intelligence
  • outbound and inbound NAT support
  • Monitor integration
  • traffic filtering

Deployed in its own subnet (must be named AzureFirewallSubnet, /26 or larger). Outbound traffic is forced through it with user-defined routes pointing at the firewall's private IP; inbound traffic arrives on the firewall's public IP and is translated to internal hosts by DNAT rules.

Virtual WAN

Unified wide area network (connect on-prem with cloud).

Storage

Azure Storage account needs to be created first in order to use the storage services. Acts as a unique namespace for all resources within it. General Purpose v2 (gpv2) is the standard type; Azure Data Lake Storage Gen2 is not a separate cheaper type but a gpv2 account with the hierarchical namespace enabled. Cost depends on redundancy, access tier and operations.

Every storage account is replicated. Options (some can be combined, f.e. GZRS - Geo Zone Redundant Storage):

  • (default) LRS (Locally Redundant Storage) - 3 synchronous copies within one data center
  • ZRS (Zone Redundant Storage) - copies spread across 3 availability zones of the region
  • GRS (Geo Redundant Storage) - LRS in the primary region plus an asynchronous copy to the paired region; RA-GRS adds read access to the secondary

Data can be reached via HTTPS; each storage service (blob, file, table, queue) has its own endpoint - https://<storage_account_name>.<service>.core.windows.net.

Authorization options: RBAC in Azure AD (for identities in the tenant; the preferred option), storage account keys (two keys, each granting full control of the entire account; rotate them in turn), and Shared Access Signatures. A SAS is a signed token string that can be scoped to the whole account, one service, a container, or a single blob/file; it carries a validity window and a set of permissions such as read, write, list, delete, etc, and is appended to the resource URL as a query string. A SAS signed with an account key remains valid until it expires or that key is regenerated, so keep lifetimes short, require HTTPS, bind it to a client IP range where possible, and prefer a stored access policy (revocable) or a user delegation SAS (signed with Azure AD credentials) over an ad-hoc account-key SAS.
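Added example (not from the original wiki page): the review a SAS should get before it is handed out, written as a parser over the documented SAS query parameters (sv, ss, srt, sr, sp, st, se, spr, sip, si, sig). It flags mutating permissions, account-wide scope, plain HTTP, long or missing expiry and the absence of an IP restriction. The two tokens, the signature placeholders and the 24-hour lifetime threshold are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs


def parse_sas(token: str) -> dict:
    """Split a SAS query string (with or without a leading '?') into single values."""
    return {k: v[0] for k, v in
            parse_qs(token.lstrip("?"), keep_blank_values=True).items()}


def parse_sas_time(value: str) -> datetime:
    """SAS times are UTC ISO 8601: full timestamp, minute precision, or date only."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value}")


def audit_sas(token: str, now: datetime, max_lifetime=timedelta(hours=24)) -> list:
    """Return review findings; an empty list means nothing stood out."""
    f = parse_sas(token)
    findings = []
    if "sig" not in f:
        findings.append("no signature (sig): not a usable SAS")
    mutating = set(f.get("sp", "")) & set("wdac")      # write, delete, add, create
    if mutating:
        findings.append("grants mutating permissions: " + "".join(sorted(mutating)))
    if "s" in f.get("srt", ""):                         # account SAS resource types
        findings.append("account SAS allows service-level operations (srt has 's')")
    if len(f.get("ss", "")) > 1:                        # account SAS services
        findings.append("account SAS spans several services: " + f["ss"])
    if "http" in f.get("spr", "https,http").split(","):  # omitted spr permits both
        findings.append("plain HTTP permitted (spr)")
    if "se" in f:
        expiry = parse_sas_time(f["se"])
        if expiry <= now:
            findings.append("already expired")
        elif expiry - now > max_lifetime:
            findings.append(f"expiry more than {max_lifetime} away: {f['se']}")
    elif "si" not in f:                                 # no stored access policy either
        findings.append("no expiry (se) and no stored access policy (si)")
    if "sip" not in f:
        findings.append("not bound to a client IP range (sip)")
    return findings


NOW = datetime(2021, 12, 1, 12, 0, tzinfo=timezone.utc)   # constructed 'current' time
# Constructed tokens; the signatures are placeholders, not real HMACs.
OVERBROAD = ("?sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacup&se=2030-01-01T00:00:00Z"
             "&spr=https,http&sig=PLACEHOLDER")
TIGHT = ("?sv=2020-08-04&sr=b&sp=r&st=2021-12-01T11:55:00Z&se=2021-12-01T13:00:00Z"
         "&spr=https&sip=203.0.113.0-203.0.113.255&sig=PLACEHOLDER")

if __name__ == "__main__":
    for name, tok in (("overbroad", OVERBROAD), ("tight", TIGHT)):
        print(name, audit_sas(tok, NOW))
```

The "overbroad" token is the kind `az storage account generate-sas` happily produces when every service, resource type and permission is requested; the "tight" one is scoped to a single blob, read-only, one hour, HTTPS-only and pinned to a client range, which is what a practitioner should aim for when a SAS is unavoidable.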

Microsoft Azure Storage Explorer - free tool to access all storage services and individual data from local machine.

Disk

Provides disks for VMs. Can be accessed only through attached VM.

SSD and HDD options available.

Blob

Object storage solution. Can be used for storing images, video and audio streaming, distributed file access, backup storage, archiving.

Page blobs (up to 8 TiB each) are what back unmanaged VM disks.

Blobs are stored in containers (mainly for organizing data).

Blob types:

  • Block - text and binary data. Single blob is made of multiple blocks, which optimizes uploading
  • Append - similar to block type, but for appending only - ideal for logs
  • Page - random access files, 8TB max size, used for VM disks and databases, frequent random read/write apps

Access tiers:

  • hot - frequently accessed data
  • cool - infrequently accessed data; an early deletion charge applies if removed within 30 days
  • archive - rarely accessed, offline data that must be rehydrated before it can be read; an early deletion charge applies if removed within 180 days

Archive access tier isn't available at account level. Tier setting can be set at blob level during or after upload.

Other features:

  • snapshots
  • leases
  • soft delete (basically enabling recycle bin)
  • static website hosting
  • CDN, Search integrations

File

File share service (can be used as file server). Supports SMB and NFS protocols. Can be concurrently mounted by cloud VMs or on-prem.

Files can be accessed via URL. Shared Access Signatures (SAS) can be used to grant temporary access to private assets.

Cache can be set up on-prem using File Sync. Storage tiering can be used to cache frequently accessed data, while moving old data to Azure (leverages sync agent).

Queue

Data store for queuing and reliably delivering messages between applications.

Table

NoSQL data storage.

Databases

SQL Database

Relational database based on latest stable version of Microsoft SQL Server database engine.

Fully managed PaaS with built-in availability, backups, upgrades, patching and monitoring; a serverless compute tier (auto-scale and auto-pause) is available. Can be used for relational and non-relational data, such as graphs, JSON, spatial, and XML.

Pricing models:

  • vCore (provisioned or serverless)
  • DTU (Database Transaction Unit)

Deployment options include single isolated instance or elastic pool (collection of databases with shared resources). Elastic pool allows deploying multiple databases on shared resources for better utilization for unpredictable load.

SQL Managed Instance

Offers the same managed features as SQL Database (automatic provisioning, upgrades, scaling, HA and so on) plus near-complete compatibility with on-prem SQL Server: instance-scoped features such as SQL Agent, cross-database queries and instance collation, and native deployment into a VNet.

List of differences

MySQL

Point-in-time restore up to 35 days back.

Features:

  • HA
  • Dynamic scalability
  • Encryption
  • Automated patching and backup

PostgreSQL

Managed PostgreSQL; supports common extensions and, through Hyperscale, distributed clusters for large datasets.

Deployment options:

  • Single server
  • Flexible server (newer option with zone-redundant HA and more server configuration control)
  • Hyperscale (Citus)

Single server

Pricing tiers:

  • Basic
  • General Purpose
  • Memory Optimized

Hyperscale (Citus)

Scales queries horizontally using sharding. Generally used for workloads around or exceeding 100GB. Supports multi-tenancy, real-time operational analytics, high throughput transactional workloads.

Cosmos DB

Globally distributed database with NoSQL support.

Stores data in ARS (atom-record-sequence) format, which is then abstracted and exposed in a chosen API - SQL, MongoDB, Cassandra, Azure Table Storage, or Gremlin.

Throughput and storage can be elastically scaled in any number of regions. It is also possible to add or remove regions.

CORS can be enabled for application requests.

Primary and secondary keys exist for both read-write and read-only access, so one can be regenerated while clients use the other; Azure AD role-based access is available as a keyless alternative.

Database Migration Service

Offline migration means taking source database offline, while online migration means continuous synchronization.

Supported sources:

  • on-prem
  • Azure
  • AWS

Data Migration Assistant (DMA) is a tool that outlines compatibility issues and feature parity.

Cache for Redis

Data

Synapse Analytics

Data warehouse and analytics service (formerly SQL Data Warehouse).

Dedicated SQL pools (the former SQL Data Warehouse) provide provisioned data warehouse capacity; serverless SQL pools query files in the data lake on demand.

Brings together SQL technologies, Spark analytics, and orchestration pipelines. Provides serverless or provisioned options. Supports Spark languages and T-SQL.

HDInsights

Fully managed open-source analytics service that can run Spark, Hadoop, Kafka, HBase, Storm and machine learning services. Also supports ETL, data warehousing, machine learning and IoT.

Provides clusters of compute nodes with on-demand scalability and auto-scale.

Databricks

Hosted Databricks platform (Databricks is based on Spark).

Provides managed Spark clusters (also serverless option), workspace for data visualization (also interactive dashboards).

Used for Building artificial intelligence solutions. Supports Python, Scala, R, Java, and SQL, as well as TensorFlow, PyTorch, and scikit-learn.

Data Lake Analytics

On-demand analytics job service.

Write queries to transform data and extract insights, while infrastructure is fully managed.

IoT

IoT Hub

Platform service - central messaging hub for bi-directional communication between IoT application and devices. Also provides monitoring.

Supports multiple messaging patterns: device-to-cloud telemetry, file upload from device, request-reply methods. Received messages can be then routed to other Azure services. Provides manual or automatic remote control of connected devices. Supports automatic provisioning of connected devices.

Provides SDKs and API, authentication (X.509 certificates, SAS); can simulate devices for development.

IoT Central

Managed App Platform. Built on top of IoT Hub by adding dashboards that allow to connect, monitor, and manage IoT devices.

Provides alerts and notifications, and allows pushing firmware updates. Also provides industry-specific starter templates for common scenarios, and built-in device profiles.

Sphere

Application platform.

End-to-end solution that includes hardware, device OS and secure message delivery to message hub.

  • Micro-controller unit (MCU) - processes the OS and signals from attached sensors
  • Customized Linux OS - handles communications with security service and can run vendor's software
  • Security Service (AS3) - provides device authentication (certificate-based); ensures device has not been tampered or compromised

Artificial Intelligence

Machine Learning

Platform for building, training, and deploying models. Consists of tools and services for training and testing models to find the most accurate algorithm, which can then be deployed and used on real-time data via a web API.

Cognitive Services

Pre-built machine learning models that enable apps to see, hear, speak, understand and more.

  • language - Language Understanding API (LUIS, predict overall meaning and pull out relevant info from natural input, mostly used in chat bots), sentiment analysis, translator service
  • speech - speech-to-text/text-to-speech, speaker recognition
  • vision - process and catalog images, generate image captions, character recognition, Video indexer, Face API, Form Recognizer
  • decision - anomaly API (pattern analysis), content moderator, personalizer
  • web search - Bing APIs (image, news, video, etc)

Cognitive Services Personalizer

Bot Service

Bot Service and Bot Framework are platforms for creating virtual agents (natural language chatbot service). Used to interact with humans, and uses Cognitive Services behind the scenes. Bot Framework provides SDK and visual Composer (installable desktop app). Solution can be deployed to App Service or Function App.

QnA Maker - Cognitive Service that builds a question-and-answer knowledge base from FAQ pages and documents; typically used as the answer source behind a bot.

Management

Subscription groups together user accounts and the resources they create, and acts as a billing unit. Each subscription has limits and quotas on various services; separate subscriptions are used to separate billing and apply different access control. A subscription trusts exactly one Azure AD tenant. A new subscription is generally warranted when limits might be exceeded, when the existing subscription owners should not be trusted with the new workload, when a resource provider (each Azure service has its own) needs a separate scope, or when administration is to be delegated via RBAC. An account holds contact and billing information; every new subscription is associated with an account.

Management group is used to manage access, policy and compliance of multiple subscriptions. All subscriptions within a single management group must trust the same Azure AD tenant. Conditions applied to a group are inherited by all subscriptions. Management groups can be nested.

Single directory can support 10,000 management groups. Maximum 6 levels of depth, excluding root and subscription levels. Management group or subscription can only have one parent.

One billing report can be created per subscription. Subscription is a deployment boundary. Every subscription is associated with Azure AD tenant.

Resource lock prevents accidental deletion. Can be applied to individual resources or resource groups. Available types:

  • CanNotDelete - authorized users can view and modify resource, but can not delete it without first removing the lock
  • ReadOnly - authorized users can read the resource, but not modify or delete it; equivalent to giving every user the Reader role on it

Resource Manager

Deployment and management service. All client requests (Portal, CLI, SDK, etc) are made to Resource Manager, which then forwards them to corresponding service within Azure.

Receives any request related to resources from all sources, authenticates and authorizes the request, then sends it to Azure service to take action. Provides monitoring of deployed groups. Resources can be organized using tags.

Azure Resource Manager template (ARM template) - declarative JSON file that defines the resources to be created; deployments are idempotent. Can invoke deployment scripts (PowerShell or CLI). Saved templates are located in the Templates service (library).

New functionality presented through API is available in portal within 180 days.

Blueprints

Deployment orchestration of resource templates and artifacts. Maintains relationship with deployed resources (immediately takes effect when changes are applied). Acts as a subscription template with roles and policies already defined. Supports versioning.

Artifact - each component in blueprint definition; can have 0, 1 or more parameters (configurations).

  • role assignments
  • policy assignments
  • ARM templates
  • resource groups

Can be used to define a set of required resources in a subscription (f.e. certain resource lock must exist).

Policy

Policy management service (create, assign, manage).

A policy is a collection of rules; initiative is a group of policies. Policy or initiative is assigned to a specific scope (management group, single subscription or resource group), and is inherited by all children within that scope; specific subscope or even individual resources can be excluded.

A policy can highlight already existing resources as non-compliant and/or also prevent creating them. In some cases can automatically remediate non-compliant resources. Integrates with Azure DevOps.
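Added example (not from the original wiki page): an evaluator for a subset of the Azure Policy rule language (allOf / anyOf / not, and equals, notEquals, in, notIn, like, exists over `field`), applied to resource documents to produce the deny or audit effect a policy would report. The first policy has the shape of the built-in "Allowed locations" definition; the tag policy, the parameter values and the resources are constructed.

```python
from fnmatch import fnmatchcase


def get_field(resource: dict, path: str):
    """Resolve a policy 'field': 'tags[key]' or a dotted path such as 'properties.x'."""
    if path.startswith("tags[") and path.endswith("]"):
        return (resource.get("tags") or {}).get(path[5:-1])
    cur = resource
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def resolve(value, params: dict):
    """Expand \"[parameters('name')]\" to the assignment's parameter value."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def lower(v):
    return v.lower() if isinstance(v, str) else v


def condition_holds(cond: dict, resource: dict, params: dict) -> bool:
    """Subset of the policy rule language; string comparisons are case-insensitive."""
    if "allOf" in cond:
        return all(condition_holds(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource, params)
    value = lower(get_field(resource, cond["field"]))
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == lower(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return value != lower(resolve(cond["notEquals"], params))
    if "in" in cond:
        return value in [lower(x) for x in resolve(cond["in"], params)]
    if "notIn" in cond:
        return value not in [lower(x) for x in resolve(cond["notIn"], params)]
    if "like" in cond:
        return value is not None and fnmatchcase(value, lower(cond["like"]))
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy: dict, resource: dict, params: dict) -> str:
    """Effect the policy would apply to the resource, or 'compliant'."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if condition_holds(rule["if"], resource, params) else "compliant"


def sweep(policies, params, resources):
    """(resource, policy, effect) for every pair that is not compliant."""
    out = []
    for res in resources:
        for pol in policies:
            effect = evaluate(pol, res, params)
            if effect != "compliant":
                out.append((res["name"], pol["name"], effect))
    return out


# Same shape as the built-in "Allowed locations" rule; the rest is constructed.
ALLOWED_LOCATIONS = {
    "name": "allowed-locations",
    "policyRule": {
        "if": {"allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"},
        ]},
        "then": {"effect": "deny"},
    },
}
REQUIRE_ENV_TAG = {
    "name": "require-env-tag",
    "policyRule": {"if": {"field": "tags[env]", "exists": "false"},
                   "then": {"effect": "audit"}},
}
PARAMS = {"listOfAllowedLocations": ["westeurope", "northeurope"]}
RESOURCES = [
    {"name": "web01", "type": "Microsoft.Compute/virtualMachines",
     "location": "WestEurope", "tags": {"env": "prod"}},
    {"name": "db02", "type": "Microsoft.Sql/servers", "location": "eastus",
     "tags": {"env": "prod"}},
    {"name": "tm", "type": "Microsoft.Network/trafficManagerProfiles", "location": "global"},
    {"name": "stg", "type": "Microsoft.Storage/storageAccounts", "location": "northeurope"},
]

if __name__ == "__main__":
    for finding in sweep([ALLOWED_LOCATIONS, REQUIRE_ENV_TAG], PARAMS, RESOURCES):
        print(finding)
```

Two details worth noticing: the `notEquals: global` clause is what keeps non-regional resources like the Traffic Manager profile from being denied, and the case-insensitive comparison is why `WestEurope` passes; both are easy to get wrong when hand-rolling a compliance check against exported resource JSON.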

Azure portal

Home page

PowerShell

Available in Cloud Shell.

cmdlets (command-lets) - commands in PowerShell.

CLI

Available in Cloud Shell.

Cross-platform command-line tool with the same functionality as the PowerShell module; runs in Bash or any other shell.

# Opens browser session
$ az login

# Print in table format
$ az <command_with_parameters> --out table
# Specify desired columns
$ az resource list --resource-group <group_name> --out table --query "[].{name:name, Type:type}"

Active Directory

Licenses:

  • Azure Active Directory Free
  • "Pay as you go"
  • Premium P1
  • Premium P2

Features:

  • Authentication - identity verification and additional features, such as MFA, self-service password reset, smart lockout, custom banned password list, etc
  • SSO
  • Application management - Application Proxy, SaaS apps, My Apps portal
  • Device management - register devices to be managed by Intune
  • other features

Azure AD Connect can be used to link and synchronize identities between on-prem and Azure ADs.

Azure AD Multi-Factor Authentication is available for administrators in the Azure AD free edition. Enabling security defaults on the tenant requires every user to register for MFA with the Microsoft Authenticator app (the only method security defaults support), enforces it for administrative roles, and prompts other users when needed. Premium (P1 and P2) licences provide granular configuration of MFA through Conditional Access policies.

Conditional Access allows or denies access to resources based on identity signals (who the user is, where the user is, and what device the user is using). Certain attempts are, therefore, categorized as "routine", while the rest is viewed as "not normal".

  • IP location info
  • Risk analysis
  • Device info
  • Application being accessed

Privileged Identity Management

Separate service within Azure AD.

Replaces standing administrator assignments with just-in-time activation of privileged Azure AD and Azure roles: activations are time-bound and can require MFA and approval, are audited, and access reviews periodically re-confirm who still needs a role.

AD Domain Services

Provides more features from Active Directory Domain Services on-prem, such as NTLM and Kerberos support, group policies, trust relationships, etc.

Monitoring

Status of services globally

Advisor

Evaluates all resources and subscriptions and provides recommendations in the following areas:

  • reliability
  • security
  • performance
  • cost
  • operational excellence

Can set up notifications to alert on new recommendations.

Monitor

Platform for collecting, analyzing, visualizing, and taking actions based on metrics and logs. Works with Azure and on-prem resources.

Log Analytics workspace is a container that includes data and the configuration information required to collect logs and metrics.

Service Health

Personalized view of the health of Azure services, regions and resource that client uses.

After an outage, official incident reports with a root cause analysis (RCA) are issued.

Event types:

  • service issues - problems affecting services right now
  • planned maintenance - upcoming maintenance that may affect availability; in rare cases maintenance can be rescheduled
  • health advisories - service retirements, breaking changes; announced beforehand

Alerts can be created to inform on specified service issue, security or health advisory, maintenance event. Alerts are sent to action group, which among other things configures target - email, sms, push notification (Mobile App).

Security

IAM

Role-based Access Control

RBAC is applied to a scope (management group, subscription, resource group, resource). Role applied at a parent scope is inherited by all children scopes. Union of permissions is granted to the actor, when multiple roles are assigned.

Role is applied to a single user, group or special identity types used by serviced applications - service principal and managed identity.

Built-in roles (can grand access at subscription, resource group or individual resource level):

  • Owner - full control over resource
  • Contributor - everything except managing permissions
  • Reader - view everything, but can't make any changes
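As an added illustration of the two rules above (inheritance down the scope hierarchy and union of assigned roles), not code from this wiki or from Microsoft, here is a small Python resolver. The role definitions are abridged from the public built-in roles, and the subscription, resource group and VM identifiers are constructed.

```python
from fnmatch import fnmatchcase

# Abridged built-in role definitions (Actions / NotActions), taken from
# the public definitions; Contributor is "*" minus role management.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

def scope_covers(assigned_scope, target_scope):
    """An assignment at a parent scope is inherited by every child scope."""
    a = assigned_scope.lower().rstrip("/") + "/"
    t = target_scope.lower().rstrip("/") + "/"
    return t.startswith(a)  # trailing "/" stops prod-rg matching prod-rg2

def role_permits(role, action):
    """A role permits an action when an Actions pattern matches it and no
    NotActions pattern of the same role excludes it (NotActions is not a
    deny: another assigned role can still grant the action)."""
    d = ROLES[role]
    act = action.lower()
    allowed = any(fnmatchcase(act, p.lower()) for p in d["actions"])
    excluded = any(fnmatchcase(act, p.lower()) for p in d["not_actions"])
    return allowed and not excluded

def is_permitted(assignments, principal, scope, action):
    """Union of permissions over every assignment that covers the scope."""
    return any(role_permits(role, action)
               for p, role, s in assignments
               if p == principal and scope_covers(s, scope))

# Constructed sample hierarchy and assignments: (principal, role, scope).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/prod-rg"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"
ASSIGNMENTS = [
    ("alice", "Reader", SUB),      # inherited by every RG and resource below
    ("alice", "Contributor", RG),  # write rights inside prod-rg only
    ("bob", "Owner", VM),          # full control of one VM, nothing above it
]

if __name__ == "__main__":
    print(is_permitted(ASSIGNMENTS, "alice", VM, "Microsoft.Compute/virtualMachines/start/action"))  # True
    print(is_permitted(ASSIGNMENTS, "alice", VM, "Microsoft.Authorization/roleAssignments/write"))   # False
    print(is_permitted(ASSIGNMENTS, "bob", RG, "Microsoft.Compute/virtualMachines/read"))            # False
```

The second call shows why Contributor cannot hand out permissions: its NotActions exclude role assignment writes, while the Reader assignment inherited from the subscription only contributes read actions to the union.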

Security Center

Security monitoring service that provides visibility across all services, both on Azure and on-prem.

Features:

  • security settings monitoring and continuous assessment
  • automatic enforcement of required settings on new resources
  • machine learning used to detect malware; adaptive application controls define allowed applications
  • potential inbound attack detection and analysis
  • just-in-time network port access

Pricing tiers:

  • Free
  • Standard (all features)

PaaS products already include Security Center monitoring. For non-Azure services (including VMs) deploy the monitoring agent.

Workflow automation is an automatic response to a security alert or recommendation, built with Logic Apps and Security Center connectors.

Sentinel

SIEM (Security Information and Event Management) and SOAR (Security Orchestration Automated Response) system. Uses intelligent security analysis and threat analysis.

Capabilities:

  • collect data (logs) at scale - users, devices, apps, infrastructure
  • analyze and detect previously undetected threats - minimize false positives
  • run ad hoc query on logs
  • investigate threats with AI
  • orchestrate and automate common tasks

Microsoft and 3rd-party tools can be connected through the available connectors. Other sources that use the Common Event Format (CEF) messaging standard, syslog or a REST API are also supported.

Built-in analytics use templates designed by Microsoft, which can also be customized. Some templates use machine learning behaviour analytics.

Custom analytics are rules created by the client to search for specific criteria in the environment.

Advanced Threat Protection

Monitors and analyzes user activity to identify suspicious activity and events. Works with both cloud and on-prem. Detected attack phases:

  • Reconnaissance attacks
  • Compromised credentials
  • Lateral movements
  • Domain dominance

Monitor Workbooks

Can be used to automate responses to threats detected by Sentinel. Runs manually or automatically when a rule triggers an alert.

Key Vault

Centralized secrets, certificates and keys storage.

Capabilities:

  • manage various secrets such as tokens, passwords, certificates, API keys, etc
  • encryption key management - create and control keys
  • manage SSL/TLS certificates both for cloud and on-prem
  • store secrets backed by HSMs

Tiers:

  • Standard
  • Premium (includes support for HSM backed keys)

Firewall

Network security service that protects resources in VNets - traffic between VNets, to and from the internet, and to and from on-prem networks (stateful).

Integrates with Monitor to enable logging and analytics.

Typically deployed in a central VNet to control general network access. Must be attached to a subnet named AzureFirewallSubnet.

Configurations:

  • application rules that define FQDNs that can be accessed from a subnet
  • network rules that define source address, port and protocol and destination address
  • NAT rules that define destination addresses and ports to translate inbound traffic

DDoS Protection

DDoS mitigation for networks and apps. Always on.

Provides Basic and Standard tiers. The Basic tier is automatically enabled for free and provides always-on traffic monitoring and real-time mitigation of common network-level attacks. The Standard tier provides real-time metrics, post-attack reports, logging, alerting, telemetry and other additional capabilities for VNet resources - it comes with a monthly fee plus usage-based charges.

Standard tier can prevent the following types of attacks:

  • volumetric - flooding network layer with seemingly legitimate traffic
  • protocol - exploiting weaknesses in the layer 3 and layer 4 protocol stack
  • resource-layer (app layer) - works with WAF

Information Protection

Used to classify documents and emails. Applies labels to documents - can be done automatically, manually or be recommended to users.

Compliance

Azure Compliance Documentation provides detailed documentation about legal and regulatory standards and compliance on Azure across Global, US government, Financial services, Health, Media and manufacturing, and Regional categories.

Azure Government is a separate instance of Azure to be used by US government agencies and partners. Data centers and networks are physically isolated and located in US.

Azure China 21Vianet is a physically separated instance of cloud services in China, operated by 21Vianet.

Compliance Manager tracks client's own compliance with various standards and laws.

Microsoft Privacy Statement

What personal data Microsoft collects, how it is used and for what purposes. Covers all services offered by Microsoft, including devices.

Privacy home page.

Online Services Terms

Legal agreement between Microsoft and the customer. Outlines the obligations of both parties with respect to processing and security of customer data and personal data. Applies specifically to the subscription - Azure, 365, or Bing Maps.

Data Protection Addendum

Further defines data processing and security of online services, including:

  • compliance with laws
  • disclosure of processed data
  • data security - best practices, policies, data encryption, access, customer responsibilities, compliance with auditing
  • data transfer, retention, deletion

Trust Center

Home page.

Provides in-depth information about security, privacy, policies, features, and practices across Microsoft cloud products. Also contains links to blogs and upcoming events.

SLA

SLAs. Composite SLA for a set of services is calculated by multiplying SLA of each service.

Examples:

  • VMs in different AZs in the same region - 99.99%

Cost management

Azure subscription is a logical container for provisioning resources. Each resource created in an Azure account belongs to a subscription. Subscription is the first billing aggregation level. Multiple subscriptions can be used to organize multiple environments, follow organizational structure, etc. Subscriptions also have per-service limits (quotas).

  • free trial - 12 months of popular services for free, $200 for the first 30 days for other services, 25 services always free
  • pay-as-you-go - attach debit/credit card; apply volume discounts and prepaid invoicing
  • member offers - Visual Studio, Microsoft Partner Network, Microsoft for Startups, Microsoft Imagine members and subscribers could be eligible for credits and reduced rates on Azure
  • student - $100 to use in 12 months

Multiple subscriptions can be organized into invoice sections, which appear as line items in the final monthly invoice. Billing profiles can include multiple invoice sections, and each billing profile has its own payment method and monthly invoice.

Purchase options:

  • Enterprise agreement - predetermined amount on Azure over a period of 3 years (typically paid annually)
  • Web Direct (Azure Portal) - standard pricing, monthly payment
  • Cloud Solution Provider - helps build solutions on top of Azure, bills for Azure usage at the price they determine

Inbound data is always free, first 5 GB of outbound is free.

Spending limits.

Support plans:

  • Basic - available to all Azure accounts, free
  • Developer - non-critical workloads, 1 business day response time
  • Standard - production workloads, 1 hour response for critical cases
  • Professional Direct - business-critical workloads, 1 hour response + priority, proactive technical support
  • Premier - customer specific architectural support, TAM, Azure Event Management (for additional fee)

TCO Calculator

Pricing Calculator

Advisor provides personalized recommendations on how to optimize costs and performance.

Reservations offer discounts by providing prepay options over 1 or 3 years use of VMs, database compute, database throughput, and other services. Available for customers with Enterprise Agreement, Cloud Solutions Provider, and pay-as-you-go subscriptions.

Cost Management + Billing - free service to manage accounts and subscriptions, monitor and control spending, and optimize use of resources. A spending limit can be set to stop incurring costs above a certain level.
