Thursday, 24 March 2022

Azure Container Instances (ACI)

 

  • Run containers without managing servers.
  • For event-driven applications, quickly deploy from your container development pipelines, run data processing, and build jobs.
  • Azure Container Instances is a regional service.

Features

  • Containers have less overhead than VMs and can be deployed consistently.
  • All the dependencies for an application are included in the container image.
  • Applications running in containers can be deployed easily to multiple operating systems and hardware platforms.
  • Select an image source using Quickstart images, Azure Container Registry, and Docker Hub.
  • Create a container group only when you need it and process data on demand; the containers run, exit, and are billed only for the seconds they ran.
  • Restart policy: Always (restart the container regardless of how it exited), OnFailure (restart only on a non-zero exit code; the usual choice for run-once jobs), or Never (run once and leave the stopped container in place so its logs can still be inspected).
  • You can override the image's entrypoint with a custom command line that runs when the container starts.
  • Resources can be tagged with values that you define, to help you organize and identify them.
  • By default, Azure Container Instances are stateless.
  • You can’t pull an image directly from an on-premises registry into ACI; push it to Azure Container Registry, Docker Hub, or another registry reachable over the internet first.

Storage

  • You can mount Azure Files shares in your ACI container group for persistent storage (Linux containers only).
  • To mount an Azure file share as a volume you need the storage account name, the share name, and a storage account key. The key is a full-access credential for the whole storage account: keep it out of source control, pass it as a secure value at deployment time, and rotate it if the template or YAML that carried it leaks.

Networking

  • Choose between three networking options: Public (public IP and optional DNS label), Private (deployed into a subnet of your virtual network and reachable only from inside it), and None (no IP address at all).
  • Private IP (virtual network deployment) is not yet available for Windows containers.
  • A container group with no IP address has no network endpoint, but you can still read its logs and attach to it with the CLI (az container logs, az container attach).
  • DNS name label format: <dns-name-label>.<region>.azurecontainer.io, for example tutorialsdojo.eastus.azurecontainer.io

Security

  • Deploy Azure WAF (on Application Gateway or Front Door) in front of critical web applications hosted in ACI for additional inspection of incoming traffic.
  • Use Azure Key Vault to safeguard encryption keys and secrets for containerized applications; give the container group a managed identity so it can read them without a credential baked into the image, and pass any secret that must be an environment variable as a secure value so that it does not appear in the container's properties or logs.
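The credential-handling points above (plain versus secure environment values, the storage account key for an Azure Files volume, registry passwords, and public exposure) can be checked mechanically before a container group is deployed. The following is an added example, not code from the original page or an Azure tool: it walks the JSON/YAML shape that `az container create --file` accepts (properties.containers[].properties.environmentVariables, properties.volumes, properties.imageRegistryCredentials, properties.ipAddress). The two sample specifications are constructed, the secret-name pattern is a heuristic of this example, and the `identity` field on a registry credential is assumed to denote an identity-based pull.

```python
"""Audit an ACI container-group specification for credential handling.

Added example; not code from the original page or from Azure. The sample
specs below are constructed and the secret-name pattern is a heuristic."""
import re

# Environment variable names that usually carry a secret (assumption).
SECRET_NAME = re.compile(r"(secret|password|passwd|token|key|connectionstring)", re.I)


def audit_container_group(spec):
    """Return a list of (severity, location, message) findings for one
    container group specification given as a dict."""
    findings = []
    props = spec.get("properties", {})

    # 1. Secrets must use secureValue, which ACI never echoes back in the
    #    container properties or the portal; plain "value" is visible.
    for container in props.get("containers", []):
        cname = container.get("name", "?")
        for env in container.get("properties", {}).get("environmentVariables", []):
            if SECRET_NAME.search(env.get("name", "")) and "value" in env:
                findings.append(("high", f"containers/{cname}/env/{env['name']}",
                                 "secret passed as plain 'value'; use 'secureValue'"))

    # 2. An Azure Files mount carries a full-access storage account key.
    for vol in props.get("volumes", []):
        if vol.get("azureFile", {}).get("storageAccountKey"):
            findings.append(("medium", f"volumes/{vol.get('name', '?')}",
                             "storage account key embedded in the spec; keep the file "
                             "out of source control and rotate the key after use"))

    # 3. Registry passwords in the spec; identity-based pulls avoid them.
    for cred in props.get("imageRegistryCredentials", []):
        if cred.get("password") and not cred.get("identity"):
            findings.append(("medium", f"imageRegistryCredentials/{cred.get('server', '?')}",
                             "registry password embedded; prefer a managed identity"))

    # 4. A public IP exposes every listed port directly to the internet.
    ip = props.get("ipAddress", {})
    if ip.get("type") == "Public":
        ports = ",".join(str(p.get("port")) for p in ip.get("ports", []))
        findings.append(("info", "ipAddress",
                         f"public IP exposes ports {ports}; front web workloads with a WAF"))
    return findings


def severities(spec):
    """Sorted list of finding severities, convenient for comparing two specs."""
    return sorted(sev for sev, _, _ in audit_container_group(spec))


# Constructed sample: the weak spec and the hardened version of the same group.
WEAK_SPEC = {
    "name": "demo-group",
    "properties": {
        "containers": [{"name": "app", "properties": {
            "image": "myregistry.azurecr.io/app:1.0",
            "environmentVariables": [{"name": "DB_PASSWORD", "value": "hunter2-sample"}],
            "volumeMounts": [{"name": "data", "mountPath": "/mnt/data"}]}}],
        "imageRegistryCredentials": [{"server": "myregistry.azurecr.io",
                                      "username": "pull", "password": "sample"}],
        "volumes": [{"name": "data", "azureFile": {
            "shareName": "share1", "storageAccountName": "samplestorage",
            "storageAccountKey": "sample-key"}}],
        "ipAddress": {"type": "Public", "ports": [{"protocol": "TCP", "port": 80}]},
        "restartPolicy": "OnFailure", "osType": "Linux"}}

HARDENED_SPEC = {
    "name": "demo-group",
    "properties": {
        "containers": [{"name": "app", "properties": {
            "image": "myregistry.azurecr.io/app:1.0",
            "environmentVariables": [{"name": "DB_PASSWORD", "secureValue": "hunter2-sample"}],
            "volumeMounts": [{"name": "data", "mountPath": "/mnt/data"}]}}],
        "imageRegistryCredentials": [{"server": "myregistry.azurecr.io",
                                      "identity": "/subscriptions/sample/.../pull-identity"}],
        "volumes": [{"name": "data", "azureFile": {
            "shareName": "share1", "storageAccountName": "samplestorage",
            "storageAccountKey": "sample-key"}}],
        "ipAddress": {"type": "Private", "ports": [{"protocol": "TCP", "port": 80}]},
        "restartPolicy": "OnFailure", "osType": "Linux"}}

if __name__ == "__main__":
    for label, spec in (("weak", WEAK_SPEC), ("hardened", HARDENED_SPEC)):
        print(label)
        for sev, where, msg in audit_container_group(spec):
            print(f"  [{sev}] {where}: {msg}")
```

The hardened spec still produces one medium finding: an Azure Files mount cannot avoid carrying the storage account key, so the remaining control is to treat the deployment file itself as a secret and rotate the key.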

Pricing

  • You pay based on what you need and get billed by the second.
  • The assigned public IP addresses to your container group are billed.
  • You are billed for each GB and vCPU your container group consumes.

Azure App Service

 

  • A fully managed platform (PaaS) for building, deploying, and scaling your web apps.
  • Different types of App Services: Web Apps, Web Apps for Containers, and API Apps
  • Automatically patches and maintains the OS and language frameworks.
  • App Service can scale up or out manually or automatically.
  • App Service supports the following languages:
    • .NET
    • .NET Core
    • Java
    • Ruby
    • Node.js
    • PHP
    • Python

  • An App Service plan is a collection of compute resources needed for a web app to run.
  • Each App Service plan defines a region, an operating system (Windows or Linux), the number and size of VM instances, and a pricing tier.
  • App Service plan pricing tiers:
    • Shared compute – Free and Shared are the two base tiers. They run apps on VMs shared with other customers, allocate a CPU quota to each app, and cannot scale out.
    • Dedicated compute – Basic, Standard, Premium, PremiumV2 and PremiumV3 tiers run apps on dedicated VMs; the higher the tier, the more instances you can scale out to.
    • Isolated – runs apps on dedicated VMs inside a dedicated virtual network (App Service Environment) and provides the maximum scale-out capabilities.

App Services Types

  • Web Apps
    • Website and online applications hosted on Azure’s managed platform.
    • Build and deploy mission-critical web applications that scale with your business.
    • It supports auto-scaling and load balancing for resilience and high availability.
  • Web Apps for Containers
    • Deploy and run containerized applications in Azure.
    • All dependencies are shipped inside the container.
  • API Apps
    • Expose and connect your backend data.
    • Connect other applications programmatically.

Deployment

  • Deployment components in App Service:
    • Deployment Source – it is where the application code is stored.
    • Build Pipeline – reads the code from the deployment source and runs the steps (restore packages, compile, bundle) needed to turn it into a runnable application.
    • Deployment Mechanism – the action that places the built application into the app's /home/site/wwwroot directory. The supported mechanisms are the Kudu endpoints, FTP/FTPS, and WebDeploy.
  • Deployment Center lets you choose the location of your code, as well as build and deploy to the cloud. It also has built-in continuous delivery for containers.
  • Some runtime stacks run only on Windows or only on Linux, so the operating system you pick for the App Service plan constrains what you can deploy to it. For example, ASP.NET (Windows), Ruby (Linux), and Java (Windows and Linux).
  • Swap app content and configuration elements with deployment slots.
    • The deployment slots allow you to create a staging slot for your application.
    • When you perform the swap operation, the following settings are swapped: general settings (framework version, 32/64-bit, web sockets), app settings and connection strings (unless marked as slot settings), handler mappings, public certificates, and WebJobs content.
    • Settings that stay with the slot and are not swapped include publishing endpoints, custom domain names, non-public certificates and TLS settings, scale settings, WebJobs schedulers, IP restrictions, Always On, diagnostic log settings, CORS, and any app setting or connection string marked as a deployment slot setting. Review the slot settings before a swap so that a staging connection string or feature flag does not reach production.
  • App Service supports the continuous deployment of code and containers.
  • You can use local cache and deployment slots to reduce downtime during deployments.
  • App Service diagnostics will help you in troubleshooting your application.

Monitoring

  • Diagnostics logging helps you access the information logged by Azure.
    • Application logging 
      • The log messages generated by your application. The level you select determines which categories are captured:
        • Disabled: None
        • Error: Error, Critical
        • Warning: Warning, Error, Critical
        • Information: Info, Warning, Error, Critical
        • Verbose: Trace, Debug, Info, Warning, Error, Critical
      • You can also specify the disk quota (MB) and retention period (days) for the application logs.
      • The logs can be found on the App Service file system or Azure Storage blobs.
    • Web server logging
      • This log message contains an HTTP method, resource URI, client IP, client port, user agent, and response code.
      • You can set the retention period (days) for the web server logs.
      • The logs are stored in Azure Storage blobs or App Service file system.
    • Detailed Error Messages
      • A copy of the .htm error page. The page contains the information on why the server returns an error code (HTTP code 400 or greater).
      • The logs are stored in the App Service file system.
    • Failed request tracing
      • Detailed information on failed requests. The information you can find here helps you improve the site performance and isolate a specific HTTP error.
      • For each failed request, one folder is generated which contains the XML log file and XSL stylesheet.
      • The logs can be found on the App Service file system.
    • Deployment logging
      • This log is created when you publish content to your app.
      • You can also use this log to determine why the deployment failed. For example, if you use a custom deployment script and it fails, you can determine why the script is failing through deployment logs.
      • Like Detailed Error Messages and Failed request tracing, the logs are also stored in the App Service file system only.

Security

  • App Service protocols: HTTPS (the minimum TLS version is configurable as 1.0, 1.1 or 1.2; set it to 1.2) and FTPS. Plain FTP can be disabled in the app's configuration.
  • The default <app>.azurewebsites.net domain is already served over HTTPS; you can also secure a custom domain with your own or an App Service managed TLS/SSL certificate, and enable HTTPS Only so that HTTP requests are redirected.
  • Service endpoints let you restrict inbound access so that only traffic from selected subnets of a virtual network is accepted.
  • Access restriction rules are evaluated in priority order. As soon as you add the first rule, an implicit Deny all rule with priority 2147483647 applies to everything that no rule explicitly allows; with no rules configured, the app accepts traffic from everywhere.
  • Service-to-service authentication:
    • Service identity – the app uses its own (managed) identity to access the remote resource, so no credential is stored in configuration.
    • On-behalf-of (OBO) – the app accesses a remote service with a token delegated from the signed-in user.

VNet Integration

  • It allows your app to make outbound calls to resources in your virtual network (it does not grant inbound access to the app).
    • Regional VNet Integration
      • Requires a dedicated subnet in the same region, delegated to App Service; only App Service plans can use that subnet.
      • Network security groups on the integration subnet can block the app's outbound traffic.
      • A route table (user-defined routes) on the integration subnet decides where the app's outbound traffic is sent, for example through a firewall appliance.
    • Gateway-required VNet Integration
      • Uses a point-to-site VPN gateway to reach resources in the target virtual network, including networks in other regions.
      • Sync network refreshes the certificates and network information the app holds after the gateway configuration changes.
      • You can also add routes for the outbound traffic that should go through the gateway.

Hybrid Connections

  • Each hybrid connection is a host:port combination.
  • It gives your app outbound access to a single TCP endpoint in another network through Azure Relay, without opening inbound firewall ports on that network.
  • A single app can use hybrid connections to endpoints in multiple networks.
  • The endpoint is reached through the Hybrid Connection Manager (HCM), a relay agent installed on a machine inside the target network.
  • Run multiple HCMs on separate machines to achieve high availability.

Pricing

  • You are charged on a per-second basis in the App Service plan.
  • The App Service plan is billed even while its apps are stopped; to stop the charges, delete the plan or scale it down to the Free tier.
  • You are charged for data egress when using VNet Integration.
  • You are charged for each listener in a Hybrid Connection.

Azure Virtual Machines

 

  • Linux-based and Windows-based virtual machines

Features

  • Server environments are called virtual machines.
  • A packaged OS plus additional installations captured in a reusable template is called a VM image.
  • Supports various configurations of CPU, memory, storage, and networking capacity for your virtual machines, known as virtual machine series.
    • A, Bs, D, and DC-Series for general purpose
    • F-Series for compute optimized
    • E and M-Series for memory optimized
    • Ls-Series for storage optimized
    • G-series for memory and storage optimized
    • H-series for high-performance computing
    • N-series for GPU optimized
  • Contain the virtual machines using a resource group.
  • Secure login to your virtual machines with SSH key pairs (Linux) or a username and password; prefer key-based authentication and keep the private key off the VM.
  • Persistent storage volumes for your data using Azure Disk.
  • Multiple physical locations for deploying your resources, such as virtual machines and Azure disk, known as Regions and Availability Zones. 
  • You can spread VMs across Availability Zones or an Availability Set; zones protect against the loss of a whole data center, availability sets against hardware failures within one.
  • Azure VMs have one operating system disk and a temporary disk for short-term storage
  • Metadata, known as tags, that you can create and assign to your VM resources.
  • Virtual networks that you can create are logically isolated from the rest of the Azure environment and can optionally connect to your own network, known as Azure Virtual Network or VNet.
  • Custom data is a script or configuration (for example cloud-init on Linux) passed to the VM and run while it is being provisioned. It is readable by any process on the VM, so do not place secrets in it.
  • Network security groups act as a stateful firewall that lets you specify the protocols, ports, and source IP ranges that can reach your virtual machines.
  • You can create an automation runbook that automatically starts/stops virtual machines based on user-defined schedules for cost efficiency.

VM Status

  • Start – run your virtual machines. You are continuously billed while your VM is running.
  • Restart – some updates do require a reboot. In such cases, the VMs are shut down while Azure patches the infrastructure, and then the VMs are restarted.
  • Stop – shutting down from inside the guest OS leaves the VM allocated (status Stopped) and you keep paying for compute; stopping it from the portal, CLI or PowerShell deallocates it (status Stopped (deallocated)) and compute billing ends, but you are still charged for the storage of the operating system disk.
  • You can also directly delete the virtual machines/resources. Deleting the selected virtual machines is irreversible. 
  • You can redeploy a VM if you’re having difficulties connecting to your Linux/Windows server. When the redeployment is in progress, the VM will be unavailable because the status of the VM changes to Updating (as the VM prepares to redeploy).
  • If the VM is currently running, changing its size will cause it to be restarted and will result in system downtime.

Disks

  • Select an OS disk type from Standard HDD, Standard SSD, and Premium SSD (Ultra Disk can only be used as a data disk).
  • Every virtual machine has one attached operating system disk
  • The OS disk has a maximum capacity of 4,095 GiB.
  • Every VM contains a temporary disk that provides short-term storage only for page or swap files.
  • Data on the temporary disk may be lost during a maintenance event or when you redeploy a VM
  • You can enable ultra disk compatibility for high throughput, high IOPS, and consistent low latency disk storage
  • A VM with an enabled Ultra Disk capability will result in a reservation charge even without attaching an Ultra Disk
  • VMs deployed into an Availability Zone must use managed disks.
  • Ephemeral OS disks give lower read/write latency to the OS disk and faster reimaging of the VM, and incur no storage cost, because the disk lives on the local host storage; anything written to it is lost when the VM is deallocated, redeployed, or reimaged.

Dedicated Host

  • Provide physical servers that can host multiple virtual machines.
  • Allows you to achieve compliance and regulatory requirements that require you to be the only customer to use the physical server that will host your virtual machines.
  • You have control over Azure's scheduled maintenance events: with maintenance control you can opt in to defer platform updates and apply them in a window you choose.
  • Bring your existing Windows licenses with Software Assurance to reduce costs.
  • A Host group consists of one or more dedicated hosts.
  • When you create a host, it is automatically mapped to a physical server and placed in a host group. A host can run multiple virtual machines.

Pricing

  • Pay as you go – pay for the instances that you use by the second, with no long-term commitments or upfront payments.
  • Reserved – make a low, one-time up-front payment for an instance, reserve it for a one-or three-year term.
  • Spot – request unused compute capacity at up to 90 percent discount compared to pay-as-you-go prices. Azure can evict a spot VM when it needs the capacity back, so use it only for workloads that tolerate interruption.

Backup and Recovery

  • A snapshot is a read-only, point-in-time full copy of a virtual machine’s OS or data disk. Snapshots are useful for backup, disaster recovery, and troubleshooting.
  • To store the backups and recovery points, you need to create a Recovery Services vault.
  • With the enabled backup option, your VM will be backed up to Recovery Services vault with default backup policy, or your custom backup policy and will be charged as per backup pricing.
  • A backup policy allows you to create a backup schedule with a retention period of daily, weekly, monthly, and yearly backup points.
  • Azure Site Recovery allows organizations to meet their business continuity and disaster recovery (BCDR) requirements by having your virtual machines’ data replicated to a secondary region and failover in the event of a downtime.
  • You can set up disaster recovery of Azure VMs from a primary region to a secondary region using Azure Site Recovery.

Concepts

  • To protect your resources from an entire data center failure, spread the VMs across two or more Availability Zones (regions that support zones offer three); a VM in a single zone gets no such protection.
  • To protect from hardware failures within a data center, you can deploy the virtual machine to an availability set. Each VM in an availability set is assigned to an update domain and fault domain.
  • Update domains (planned maintenance)
    • A logical group of virtual machines that can undergo maintenance at the same time.
    • An availability set has five update domains by default; the count is configurable up to 20.
    • Only one update domain is rebooted at a time, and it is given 30 minutes to recover before maintenance starts on the next update domain.
  • Fault domains (unplanned maintenance)
    • A logical group of virtual machines that share a common power source and network switch.
    • By default, VMs within an availability set are separated up to three fault domains.
  • Quota counts the vCPUs of both running and deallocated VMs.
    • vCPU quotas tiers: 
      • Total Regional vCPUs
      • VM size family cores
    • You can’t deploy a VM if the quotas exceeded the limit for each region.
  • You can move a virtual machine to another resource group in the same subscription, or to another subscription.
  • When you move a virtual machine to a new resource group or subscription, the location of the VM will not change.
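The update-domain and fault-domain description above can be turned into a capacity check: how many VMs an availability set loses in one hardware failure or one maintenance round. The following is an added example, not code from the original page or from Azure. It assumes the documented sequential placement (the n-th VM lands in update domain n mod ud_count and fault domain n mod fd_count); the VM counts are sample inputs.

```python
"""Availability-set placement and worst-case loss per domain.

Added example; not from the original page. Sequential (round-robin)
placement across update domains (UDs) and fault domains (FDs) is the
modelling assumption."""
from collections import Counter


def place(vm_count, ud_count=5, fd_count=3):
    """Return [(ud, fd), ...] for each VM in creation order."""
    if not 1 <= ud_count <= 20:
        raise ValueError("an availability set has 1 to 20 update domains")
    if not 1 <= fd_count <= 3:
        raise ValueError("an availability set has 1 to 3 fault domains")
    return [(n % ud_count, n % fd_count) for n in range(vm_count)]


def worst_case_loss(placement):
    """Largest number of VMs sharing one UD (planned reboot) and one FD
    (power/switch failure)."""
    uds = Counter(ud for ud, _ in placement)
    fds = Counter(fd for _, fd in placement)
    return {"update_domain": max(uds.values(), default=0),
            "fault_domain": max(fds.values(), default=0)}


def capacity_after(vm_count, ud_count=5, fd_count=3):
    """Fraction of VMs still serving after losing the busiest UD or FD."""
    loss = worst_case_loss(place(vm_count, ud_count, fd_count))
    return {domain: (vm_count - lost) / vm_count for domain, lost in loss.items()}


if __name__ == "__main__":
    for n in (1, 2, 3, 6):
        print(n, "VMs:", place(n), "->", capacity_after(n))
```

A single VM in an availability set keeps 0% capacity through either event, which is why the set only helps (and the SLA only applies) with two or more instances; six VMs over three fault domains still lose a third of capacity in one fault-domain failure.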

Scale Sets

  • Create and manage a group of load-balanced VMs to provide high availability to your applications.
  • Automatically scale your application as demand changes.
  • Orchestration modes:
    • ScaleSetVM – virtual machines are implicitly created and added to the scale set.
    • VM – virtual machines are explicitly added to the scale set.
  • Support up to 1,000 VM instances. But if you create and upload your own custom VM images, the limit is 600.
  • You can use a custom script extension if you need to download and execute scripts on multiple virtual machines. The extension is used for post-deployment configuration, software installation, or any management tasks.
  • Use Azure Monitor to automate the collection of information from the VMs in your scale set.
  • No additional cost to scale sets. You only pay for the underlying computing services, such as virtual machines, load balancers, or managed disk storage.

  • Scenario: Add additional VM instances
    • Manual group of VMs: create, configure, and check compliance of each VM by hand.
    • Virtual Machine Scale Set: instances are created automatically from a central configuration.
  • Scenario: Traffic balancing and distribution
    • Manual group of VMs: create and configure the Load Balancer or Application Gateway yourself.
    • Virtual Machine Scale Set: the Load Balancer or Application Gateway is created and integrated automatically.
  • Scenario: High availability and redundancy
    • Manual group of VMs: create an Availability Set, or distribute and track virtual machines across Availability Zones manually.
    • Virtual Machine Scale Set: virtual machines are distributed across Availability Zones or Availability Sets automatically.
  • Scenario: Scaling of VMs
    • Manual group of VMs: manual monitoring and Azure Automation.
    • Virtual Machine Scale Set: autoscale based on metrics, Application Insights, or a schedule.

 

Monitoring

  • Azure Resource Health helps you diagnose problems that affect your resources
  • Capture serial console output and screenshots of the virtual machine with boot diagnostics
  • Enable OS guest diagnostics to get the metrics every minute
  • You can configure your virtual machine to automatically shutdown with enable auto-shutdown option
  • With Linux Diagnostic Extension, you can collect system performance metrics and log events.

Network

  • You can provision a virtual machine that has a static public IP address.

  • Enable accelerated networking for low latency and high throughput on the network interface
  • Distribute traffic among virtual machines using Load Balancer

Security

  • By default, the NSG rules allow inbound traffic only from the same virtual network and from the Azure load balancer; inbound traffic from the internet is denied unless you add a rule (the portal offers to add an RDP or SSH allow rule open to any source, so review it).
  • Control ports and inbound and outbound connectivity with network security group rules on the NIC or on the subnet.
  • With a system-assigned managed identity, the VM can authenticate to Azure services and the permissions it needs are granted through Azure role-based access control, with no credential stored on the disk.
  • Data at rest is encrypted with a platform-managed key or a customer-managed key that you hold in Key Vault.
  • By default, encryption at rest uses a platform-managed key.
  • Azure Disk Encryption (BitLocker or dm-crypt inside the guest) additionally encrypts the OS and data disks with keys you control in Key Vault.
  • The temporary disk is not covered by server-side encryption unless you enable encryption at host, which encrypts the temp disk and the disk caches on the host.
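Both the App Service access restrictions described earlier (rules in priority order with an implicit Deny all at priority 2147483647 once any rule exists) and the network security group rules above follow the same model: lowest priority number first, first match wins, and a catch-all deny at the bottom. The following is an added example, not code from the original page or from Azure, that models that evaluation so a rule set can be checked before it is applied. The rule tables, the virtual network range used to expand the VirtualNetwork tag, and the assumption that the AzureLoadBalancer tag only needs the 168.63.129.16 probe address are constructed for illustration.

```python
"""Priority-ordered IP filtering as used by App Service access restrictions
and VM network security groups (NSGs).

Added example; not code from the original page or from Azure. It models the
documented evaluation order (ascending priority, first match wins, then a
catch-all deny). Rule tables and address ranges are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    action: str                 # "Allow" or "Deny"
    source: str                 # CIDR or a service tag such as "VirtualNetwork"
    dest_port: str = "*"        # "*", "22" or a range such as "1000-2000"


def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def first_match(rules, src_ip, port, tags=None):
    """Walk rules in ascending priority and return (action, rule_name) of the
    first rule whose source (CIDR, or tag expanded via `tags`) and port match,
    or None if nothing matched."""
    tags = tags or {}
    ip = ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        nets = tags.get(rule.source, [rule.source])
        if _port_matches(rule.dest_port, port) and any(ip in ip_network(n) for n in nets):
            return rule.action, rule.name
    return None


# App Service: no rules means everything is allowed; as soon as one rule
# exists an implicit "Deny all" at the lowest possible priority applies.
APP_SERVICE_IMPLICIT_DENY = Rule("Deny all", 2147483647, "Deny", "0.0.0.0/0")


def app_service_decision(rules, src_ip, port=443):
    if not rules:
        return ("Allow", "no restrictions configured")
    return first_match(list(rules) + [APP_SERVICE_IMPLICIT_DENY], src_ip, port)


# NSG: custom rules use priorities 100-4096; Azure appends default inbound
# rules at 65000/65001/65500 that cannot be removed, only overridden by a
# numerically lower custom rule.
NSG_DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Deny", "0.0.0.0/0"),
]


def nsg_inbound_decision(rules, src_ip, port, vnet_cidrs):
    for r in rules:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: NSG custom rule priority must be 100-4096")
    # Tag expansion is an assumption of this model: the real VirtualNetwork
    # tag also covers peered networks and on-premises ranges.
    tags = {"VirtualNetwork": vnet_cidrs, "AzureLoadBalancer": ["168.63.129.16/32"]}
    return first_match(list(rules) + NSG_DEFAULT_INBOUND, src_ip, port, tags)


# Constructed sample rule sets.
APP_RULES = [
    Rule("deny-compromised-host", 50, "Deny", "203.0.113.77/32"),
    Rule("allow-office", 100, "Allow", "203.0.113.0/24"),
]
NSG_RULES = [Rule("allow-ssh-from-office", 300, "Allow", "203.0.113.0/24", "22")]
VNET = ["10.0.0.0/16"]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.77", "198.51.100.5"):
        print("app service", ip, app_service_decision(APP_RULES, ip))
    for ip, port in (("203.0.113.7", 22), ("203.0.113.7", 3389),
                     ("10.0.1.4", 3389), ("198.51.100.5", 22)):
        print("nsg", ip, port, nsg_inbound_decision(NSG_RULES, ip, port, VNET))
```

The two things worth noticing in the output: a more specific deny must carry a lower priority number than the broad allow it carves out of, and the NSG default AllowVnetInBound rule means RDP on 3389 from another VM in the same VNet is allowed even though the only custom rule is for SSH.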

Azure Pricing

 

  • Azure offers pay-as-you-go and reserved instances for pricing.
  • Azure Pricing Factors:
    • Resource size and resource type.
    • Different Azure locations have different prices for services.
    • The bandwidth of your services.
    • Any data transfer between two different billing zones is charged.
      • Ingress (data in) = free
      • Egress (data out) = charged based on data going out of Azure datacenters
  • Factors that can reduce costs:
    • By purchasing a reserved instance (one-year or three-year terms), you can significantly reduce costs up to 72 percent compared to pay-as-you-go pricing.
    • Reserved capacity is a commitment for a period of one or three years for SQL Database and SQL Managed Instance.
    • Hybrid Benefit allows you to use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure.
    • If you purchase an unused compute capacity, you can get deep discounts up to 90 percent compared to pay-as-you-go pricing. A spot virtual machine is for workloads that can tolerate interruptions.
  • All resources belong to a subscription.
    • An Azure account can have multiple subscriptions.
    • Organize your resources and subscriptions using Azure management groups.
  • Azure Cost Management gives you a detailed view of current and projected costs.
  • For new accounts, the Azure Free Tier is available.
    • Free Tier offers limited usage of Azure products at no charge for 12 months.
    • You also get $200 credit that you can spend during the first 30 days.
    • More details at https://azure.microsoft.com/en-us/free/
  • Estimate your expected monthly costs using Azure Pricing Calculator.
  • Total Cost of Ownership (TCO) Calculator
    • Estimate total savings over a period of time by using Azure.
    • Compares costs and savings against on-premises and co-location environments.

  • Azure Support Plans:
    • Basic – included for all Azure customers.
    • Developer – recommended for non-production environments. Limited access to technical support during business hours by email only.
    • Standard – appropriate for production workload environments. Has 24/7 access to Azure’s technical support engineers by phone or email.
    • Professional Direct – suitable for business-critical workloads. Has 24/7 access to Azure’s technical support engineers by phone or email. Provides access to Operations Support, ProDirect delivery managers, and Support APIs.

Service Level Agreement (SLA)

  • It is the commitment of Microsoft for the uptime and connectivity of a service.
  • You could obtain a service credit if the service level agreement is not met by Microsoft.
  • Composite SLAs include several resources (with different availability levels) to support an application.
  • SLAs for multi-region deployments distribute the application in more than one region for high availability and use Azure Traffic Manager for failover if one region fails.
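The two SLA patterns above, a composite of several services an application depends on and a multi-region deployment behind Traffic Manager, are simple arithmetic that is easy to get backwards. The following is an added example, not from the original page; the percentages are sample inputs chosen for illustration, so take the real figures from the current SLA documents.

```python
"""Composite and multi-region SLA arithmetic.

Added example; not from the original page. SLA values are sample inputs."""
from math import prod


def serial_sla(*slas):
    """Availability when every component must be up (dependencies in series):
    the product of the individual SLAs."""
    return prod(slas)


def parallel_sla(*slas):
    """Availability when at least one independent copy must be up:
    1 minus the product of the individual unavailabilities."""
    return 1 - prod(1 - s for s in slas)


def multi_region_sla(single_region, regions=2, front_door=1.0):
    """Independent regional deployments in parallel, fronted by a global
    load balancer (Traffic Manager) that is itself in series with them."""
    return serial_sla(front_door, parallel_sla(*([single_region] * regions)))


def downtime_minutes_per_month(sla, minutes_in_month=30 * 24 * 60):
    return (1 - sla) * minutes_in_month


if __name__ == "__main__":
    web, db = 0.9995, 0.9999           # sample SLAs for a web tier and a database
    single = serial_sla(web, db)
    print(f"single region: {single:.5%} "
          f"({downtime_minutes_per_month(single):.1f} min/month)")
    two = multi_region_sla(single, regions=2, front_door=0.9999)
    print(f"two regions + Traffic Manager: {two:.5%} "
          f"({downtime_minutes_per_month(two):.2f} min/month)")
```

The composite of two dependencies is always lower than either one, and the multi-region result is capped by the availability of the component that remains in series (here the Traffic Manager SLA), however many regions are added.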

Service Lifecycle

  • Private Preview is only available to a few customers for early access to new technologies and features.
  • Public Preview makes the service in the public phase and can be used by any customers to evaluate the new features but SLA does not apply.
  • General Availability is the release of service to the general public and is fully supported by SLAs.
  • Azure updates allow you to get the latest updates on any Azure products and features.

Azure Active Directory (AD) vs Role-Based Access Control (RBAC)

 


  • Description
    • Azure AD: an identity and access management service that authenticates users and lets them access internal and external resources.
    • Azure RBAC: an authorization system that manages what users can do with Azure resources and which resources they can reach.
  • Focus
    • Azure AD: roles grant permissions to manage Azure AD resources (users, groups, applications, licenses).
    • Azure RBAC: roles grant permissions to manage Azure resources (subscriptions, resource groups, VMs, storage, and so on).
  • Scope
    • Azure AD: tenant level.
    • Azure RBAC: assignable at multiple levels (management group, subscription, resource group, and resource); assignments are inherited by child scopes.
  • Roles
    • Important Azure AD built-in roles:
      1. Global Administrator – manage access to all the administrative features in Azure AD.
      2. User Administrator – create and manage users and groups in Azure AD.
      3. Billing Administrator – manage subscriptions and support tickets, make purchases, and monitor service health.
    • Azure AD supports custom roles with Premium P1 or P2 licenses.
    • Fundamental Azure RBAC built-in roles:
      1. Owner – full access to all resources, including the right to delegate access to others.
      2. Contributor – create and manage all types of Azure resources, but cannot grant access to others.
      3. Reader – view Azure resources only.
      4. User Access Administrator – manage user access to Azure resources.
    • Azure RBAC supports custom roles at no extra cost.
    • In both systems you can assign multiple roles to a user; the effective permissions are the union of all assigned roles.
  • Role information
    • Azure AD: Azure portal, Microsoft 365 admin center, Microsoft Graph, and Azure AD PowerShell.
    • Azure RBAC: Azure portal, Azure CLI, Azure PowerShell, Resource Manager templates, and the REST API.
  • Pricing
    • Azure AD has three editions: Free, Premium P1, and Premium P2. For the P1 and P2 licenses, you are charged per user on a monthly basis.
    • Azure RBAC is free and included in your Azure subscription.
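Because an Azure RBAC assignment applies to its scope and to everything beneath it, the roles a principal effectively holds on one resource come from assignments at the resource, its resource group, its subscription, and the management group above that. The following is an added example, not code from the original page or from Azure: it resolves that chain from the resource ID and flags privileged roles granted at subscription or management-group scope, which is the first thing to look for in a least-privilege review. The management-group mapping, the principals, and the assignments are constructed.

```python
"""Effective Azure RBAC roles through the scope hierarchy.

Added example; not code from the original page or from Azure. Models the
documented rules that assignments are inherited by child scopes and are
additive. The hierarchy map and the assignments are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str   # management group, subscription, resource group or resource ID


# Constructed hierarchy: which management group each subscription belongs to.
SUB_TO_MG = {"/subscriptions/sub-prod":
             "/providers/microsoft.management/managementgroups/corp"}


def scope_chain(resource_id):
    """Scopes at which an assignment would apply to resource_id, nearest
    first: resource, resource group, subscription, management group.
    Resource IDs are case-insensitive, so everything is lower-cased."""
    rid = resource_id.lower().rstrip("/")
    parts = rid.lstrip("/").split("/")
    if parts[0] != "subscriptions":
        return [rid]                        # a management-group scope itself
    sub = "/subscriptions/" + parts[1]
    chain = [sub]
    if len(parts) >= 4 and parts[2] == "resourcegroups":
        chain.insert(0, sub + "/resourcegroups/" + parts[3])
        if len(parts) > 4:
            chain.insert(0, rid)
    mg = SUB_TO_MG.get(sub)
    return chain + ([mg] if mg else [])


def effective_roles(assignments, principal, resource_id):
    """Union of roles the principal holds at the resource's scope or any
    ancestor scope."""
    scopes = set(scope_chain(resource_id))
    return sorted({a.role for a in assignments
                   if a.principal == principal and a.scope.lower() in scopes})


PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}


def broad_privileged(assignments):
    """Least-privilege review: privileged roles granted at subscription or
    management-group scope apply to every resource underneath."""
    return [a for a in assignments
            if a.role in PRIVILEGED and "/resourcegroups/" not in a.scope.lower()]


# Constructed sample assignments and resources.
ASSIGNMENTS = [
    Assignment("alice", "Reader", "/providers/Microsoft.Management/managementGroups/corp"),
    Assignment("alice", "Contributor", "/subscriptions/sub-prod/resourceGroups/rg-web"),
    Assignment("bob", "Owner", "/subscriptions/sub-prod"),
    Assignment("carol", "Virtual Machine Contributor",
               "/subscriptions/sub-prod/resourceGroups/rg-web/providers/"
               "Microsoft.Compute/virtualMachines/vm1"),
]
VM1 = "/subscriptions/sub-prod/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm1"
VM2 = "/subscriptions/sub-prod/resourceGroups/rg-db/providers/Microsoft.Compute/virtualMachines/vm2"

if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, "on vm1:", effective_roles(ASSIGNMENTS, who, VM1),
              "on vm2:", effective_roles(ASSIGNMENTS, who, VM2))
    print("broad privileged assignments:", broad_privileged(ASSIGNMENTS))
```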

Azure Policy vs Azure Role-Based Access Control (RBAC)

 


  • Description
    • Azure Policy: ensures resources are compliant with a set of rules (policy definitions, which can be grouped into initiatives).
    • RBAC: authorization system that provides fine-grained access control on Azure resources.
  • Focus
    • Azure Policy: the properties of resources (for example allowed locations, allowed SKUs, required tags).
    • RBAC: which resources users can access and what actions they can perform on them.
  • Implementation
    • Azure Policy: you assign a set of rules that audit or deny non-compliant deployments and configurations, for example to prevent over-provisioning of expensive SKUs.
    • RBAC: you grant permissions on what users can create, read, update, or delete.
  • Default access
    • Azure Policy: resources are allowed by default; a policy only restricts what it explicitly targets.
    • RBAC: all access is denied by default; a user needs a role assignment before they can do anything.
  • Scope
    • Azure Policy: assigned at management group, subscription, or resource group scope and inherited by everything underneath.
    • RBAC: grants access to users, groups, service principals, or managed identities at management group, subscription, resource group, or resource scope.
  • Integration
    • Both services work hand-in-hand to provide governance around your environment: RBAC controls who may act, Policy controls what the resulting resources may look like, and Policy is enforced even for a user with the Owner role.

Microsoft Defender for Cloud vs Microsoft Sentinel

 


  • Description
    • Microsoft Defender for Cloud: unified infrastructure security management system.
    • Microsoft Sentinel: cloud-native security analytics and threat intelligence service.
  • Category
    • Defender for Cloud: Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP).
    • Sentinel: Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR).
  • Function
    • Defender for Cloud: security alerts, secure score, vulnerability assessment, recommendations, and security posture management.
    • Sentinel: alert detection, threat visibility, proactive hunting, and threat response.
  • Features
    • Defender for Cloud:
      • Microsoft Defender for Endpoint (formerly Defender ATP) integration
      • Network map
      • Virtual machine behavioral analytics
      • Adaptive network hardening
      • Regulatory compliance dashboard and reports
      • Missing OS patches assessment
      • Security misconfigurations assessment
      • Endpoint protection assessment
      • Disk encryption assessment
      • Third-party vulnerability assessment
      • Network security assessment
    • Sentinel:
      • Custom analytics rules
      • Multiple workspace view
      • Azure Monitor Workbooks integration
      • Security playbooks (Logic Apps)
      • Investigation graph
      • Hunting search and query tools (KQL)
  • Provides security recommendations?
    • Defender for Cloud: yes
    • Sentinel: no
  • Threat response management
    • Defender for Cloud: mainly manual, by acting on recommendations and alerts
    • Sentinel: automated, through playbooks triggered by analytics rules
  • Integration
    • Connect Microsoft Defender for Cloud as a data source so that Microsoft Sentinel receives its alerts and has more information to identify, investigate, and remediate threats.