Thursday, 24 March 2022

Azure Content Delivery Network

  • A distributed network of servers that delivers web content from locations closer to users.
  • CDNs cache content on edge servers (points of presence) to minimize end-user latency and reduce load on the origin.


Features

  • Improves the performance of dynamic web pages using dynamic site acceleration.
  • You can set two types of caching rules in Azure CDN:
    • Global caching rule – one per endpoint; it applies to all requests to the endpoint and overrides any HTTP cache-directive headers sent by the origin.
    • Custom caching rule – matches specific paths and file extensions; custom rules take precedence over the global rule.
  • Types of origin:
    • Storage
    • Storage Static website
    • Cloud service
    • Web App
    • Custom Origin
  • Enable HTTPS on the endpoint and on any custom domain so content is encrypted in transit between clients and the edge; custom-domain HTTPS can use a CDN-managed certificate or your own certificate.
  • Export basic usage metrics from your CDN by using diagnostic logs.
  • With geo-filtering, you can set rules for different paths to allow or block content in selected countries/regions. The decision is based on the requester's source IP address, so treat it as a distribution control, not as access control for sensitive content.
  • CDN endpoint hostname: <tutorialsdojo>.azureedge.net

How Caching Works

  • A cache keeps a copy of content close to the requester so it can be served without a round trip to the origin server; the origin remains the source of truth.
  • If the file on the origin server has been updated, the cache must revalidate and fetch the new version of the resource.
  • Azure CDN HTTP cache-directive headers (sent by the origin; they say how long a cached copy stays fresh):
    • Cache-Control – directives such as max-age, no-cache, public and private that govern caching by browsers and intermediate caches; it takes precedence over Expires when both are present.
    • Expires – an absolute, date-based expiration time.
  • Azure CDN HTTP cache validators (let a cache ask the origin whether its copy is still current):
    • ETag – an opaque identifier for a specific version of a resource; the cache sends it back to the origin in an If-None-Match header.
    • Last-Modified – the date the resource last changed; the cache sends it back in an If-Modified-Since header and the origin compares it with the resource's current modification date.
      • Status code 200 = Modified; the origin returns the full, updated resource.
      • Status code 304 = Not Modified; the cache keeps serving its stored copy.
  • Default caching behavior:
    • Honor origin – honor the HTTP response cache-directive headers, if they exist.
    • CDN cache duration – how long a resource is cached on the Azure CDN when the origin sends no cache directives.
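The validator exchange above, worked through in Python as an added example (not code from the original notes): a minimal origin-side handler that emits ETag, Last-Modified, Cache-Control and Expires, answers conditional requests with 200 or 304, plus the edge-side freshness check a cache performs before deciding whether to revalidate. The stylesheet, its timestamps and the content-hash ETag scheme are constructed for this example; they are not how Azure CDN or any particular origin computes them.

```python
"""Added example: HTTP cache validators and freshness directives as exchanged
between a CDN edge and an origin.  Resource, timestamps and the content-hash
ETag scheme are constructed for illustration."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

def http_date(dt: datetime) -> str:
    """RFC 7231 date format used by Last-Modified, Expires and If-Modified-Since."""
    return format_datetime(dt, usegmt=True)

@dataclass
class Resource:
    body: bytes
    last_modified: datetime  # timezone-aware UTC, whole seconds

    @property
    def etag(self) -> str:
        # Strong validator derived from the content: any byte change yields a new tag.
        return '"' + hashlib.sha256(self.body).hexdigest()[:16] + '"'

def origin_get(resource: Resource, request_headers: dict, now: datetime,
               max_age: int = 300) -> tuple[int, dict, bytes]:
    """Origin's answer to a (possibly conditional) GET: (status, headers, body)."""
    headers = {
        "ETag": resource.etag,
        "Last-Modified": http_date(resource.last_modified),
        # Cache-Control is the primary freshness directive; Expires is the
        # date-based fallback for caches that do not understand max-age.
        "Cache-Control": f"public, max-age={max_age}",
        "Expires": http_date(now + timedelta(seconds=max_age)),
    }
    # If-None-Match takes precedence over If-Modified-Since when both are sent.
    inm = request_headers.get("If-None-Match")
    if inm is not None:
        tags = {t.strip() for t in inm.split(",")}
        if "*" in tags or resource.etag in tags:
            return 304, headers, b""        # Not Modified: the cache keeps its copy
        return 200, headers, resource.body  # Modified: full new body
    ims = request_headers.get("If-Modified-Since")
    if ims is not None:
        try:
            since = parsedate_to_datetime(ims)
        except (TypeError, ValueError):
            since = None  # malformed validator: ignore it, serve the full response
        if since is not None:
            if since.tzinfo is None:
                since = since.replace(tzinfo=timezone.utc)
            if resource.last_modified <= since:
                return 304, headers, b""
    return 200, headers, resource.body

def is_fresh(cached_headers: dict, fetched_at: datetime, now: datetime) -> bool:
    """Edge-side check: may the cached copy be served without revalidating?"""
    for directive in cached_headers.get("Cache-Control", "").split(","):
        d = directive.strip()
        if d in ("no-store", "no-cache"):
            return False
        if d.startswith("max-age="):
            return now - fetched_at < timedelta(seconds=int(d[len("max-age="):]))
    expires = cached_headers.get("Expires")
    if expires:
        return now < parsedate_to_datetime(expires)
    return False  # no freshness information: revalidate with the origin

# Constructed sample: a stylesheet last changed at T0 and fetched by the edge at T0,
# then updated at T0 + 1 minute.
T0 = datetime(2022, 3, 24, 12, 0, 0, tzinfo=timezone.utc)
T0_PLUS_1M = T0 + timedelta(minutes=1)
T0_PLUS_10M = T0 + timedelta(minutes=10)
CSS_V1 = Resource(b"body{margin:0}", last_modified=T0)
CSS_V2 = Resource(b"body{margin:0;padding:0}", last_modified=T0_PLUS_1M)

if __name__ == "__main__":
    status, hdrs, _ = origin_get(CSS_V1, {}, now=T0)
    print(status, hdrs["ETag"], hdrs["Cache-Control"])
    print(origin_get(CSS_V1, {"If-None-Match": hdrs["ETag"]}, now=T0_PLUS_1M)[0])  # unchanged: 304
    print(origin_get(CSS_V2, {"If-None-Match": hdrs["ETag"]}, now=T0_PLUS_1M)[0])  # updated: 200
    print(is_fresh(hdrs, fetched_at=T0, now=T0_PLUS_10M))  # max-age=300 elapsed: revalidate
```

Two details are worth noticing: If-None-Match wins over If-Modified-Since when a client sends both, and a malformed If-Modified-Since is ignored rather than rejected, so a cache never gets stuck on a bad validator.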

Pricing

  • You are charged based on the number of rules.
  • You are charged for outbound data transfers.

Limits

  • The limit for the following resources is 25:
    • CDN profiles
    • CDN endpoints per profile
    • Custom domains per endpoint

Azure Application Gateway

  • A web traffic load balancer that operates at the application layer (OSI layer 7).
  • It allows you to distribute incoming traffic based on HTTP request properties such as the URL path and host headers.
  • Application Gateway has four tiers: Standard, Standard v2, WAF, and WAF v2.
  • You can use the same application gateway for up to 100 websites with multi-site hosting.
  • With v2 autoscaling, set the minimum and maximum scale units based on your needs.
  • Azure Application Gateway vs Azure Load Balancer
    • An application gateway operates at layer 7.
    • A load balancer functions at layer 4.
  • You can use both public and private IP on the frontend.


Features

  • Secure your data with end-to-end TLS: the gateway terminates TLS at the frontend and can re-encrypt the connection to the backend servers.
  • Route traffic based on URL path or host header.
  • Protect your applications from common web vulnerabilities (such as SQL injection and cross-site scripting) using the Web Application Firewall (WAF) tiers, which are based on the OWASP Core Rule Set.
  • Scales automatically (v2 SKUs) based on your web application traffic load.
  • With gateway-managed cookies (cookie-based affinity), you can direct subsequent requests from a user session to the same backend server.

Pricing

  • v1 SKUs are charged per gateway-hour (by instance size) and per GB of data processed.
  • v2 SKUs are charged a fixed hourly price plus capacity units (computed hourly or partial hourly).

Azure VPN Gateway

  • Sends encrypted traffic between an Azure virtual network and on-premises locations (or between Azure VNets) over the public Internet, forming a secured hybrid cloud architecture.
  • A connection is composed of the gateway subnet (GatewaySubnet) in the VNet, the VPN tunnel, and the on-premises VPN device (represented in Azure by a local network gateway).
  • Protocols: Internet Protocol Security (IPsec) and Internet Key Exchange (IKE)
  • VPN gateway connections: VNet-to-VNet, Site-to-Site, and Point-to-Site
    • Create a secure connection from your on-premises network to an Azure virtual network with a site-to-site (S2S) VPN.
    • With a VNet-to-VNet connection, if you update the address space on one VNet, the other VNet automatically routes to the updated address space.
    • If you need to establish a connection to your virtual network from an individual client computer at a remote location, you can use a point-to-site (P2S) VPN.
  • You can also connect one VPN gateway to more than one on-premises network using a Multi-Site connection (this requires a route-based gateway).

Routing

  • Policy-based gateway
    • Implements a policy-based VPN.
    • Policy-based VPNs encrypt and direct packets through IPsec tunnels based on IPsec policies configured with the combinations of address prefixes between the on-premises network and the Azure VNet.
    • The policy or traffic selector is defined as an access list in the VPN device configuration.
    • Policy-based gateways are available only on the Basic SKU and support a single site-to-site tunnel; point-to-site is not supported.
    • You cannot change a policy-based VPN to a route-based VPN, and vice versa, without recreating the gateway.
  • Route-based gateway
    • Implements a route-based VPN.
    • Route-based VPNs use routes in the IP forwarding or routing table to direct packets to tunnel interfaces.
    • The tunnel interfaces then encrypt or decrypt the packets in and out of the tunnels.
    • The policy or traffic selector is configured as any-to-any (wildcards), although policy-based traffic selectors can be configured on an individual connection if your on-premises device requires them.

Connection Resiliency

  • In an active-active configuration, both gateway instances have their own public IP address and each establishes an S2S VPN tunnel to your on-premises VPN device; traffic is routed over both tunnels at the same time, so the loss of one instance does not interrupt connectivity.
  • In an active-passive configuration, one instance is active and the standby instance takes over (with a brief interruption while the tunnel is re-established) only if planned maintenance or an unplanned disruption affects the active instance.

Site-to-Site vs Point-to-Site

  • Supported services
    • Site-to-Site: Cloud Services and Virtual Machines
    • Point-to-Site: Cloud Services and Virtual Machines
  • Bandwidth
    • Site-to-Site: typically < 1 Gbps aggregate
    • Point-to-Site: based on the gateway SKU
  • Protocols
    • Site-to-Site: IPsec
    • Point-to-Site: Secure Socket Tunneling Protocol (SSTP), OpenVPN, and IKEv2 IPsec
  • Routing
    • Site-to-Site: PolicyBased (static routing) and RouteBased (dynamic routing VPN)
    • Point-to-Site: RouteBased (dynamic routing) only
  • Connection resiliency
    • Site-to-Site: active-passive or active-active
    • Point-to-Site: active-passive
  • Use case
    • Site-to-Site: dev/test/lab scenarios and small-scale production workloads for cloud services and virtual machines
    • Point-to-Site: prototyping and dev/test/lab scenarios for cloud services and virtual machines

Pricing

  • You are billed hourly for the compute costs of the virtual network gateway, according to its SKU.
  • You are charged for the egress data transfer from the virtual network gateway.
  • Inter-VNet data transfer through the VPN gateway is charged only when the two virtual networks are in different regions; this inter-region charge does not apply to Point-to-Site connections.

Azure Load Balancer

  • Distributes incoming network traffic across multiple backend targets, operating at the transport layer (OSI layer 4).
  • Allows you to route traffic based on source IP address and port to a destination IP address and port.

Features

  • The load balancer supports the TCP and UDP protocols only; it does not inspect or terminate TLS or HTTP.
  • Scales automatically as traffic increases.
  • The load-balancing decision is made with a hash of the five-tuple of each flow:
    • Source IP address and port
    • Destination IP address and port
    • Protocol
  • NAT rules let you control inbound and outbound network traffic.
    • Inbound NAT rules – forward traffic arriving on a frontend IP address and port to a specific virtual machine or instance in the backend pool.
    • Outbound rules – define how backend pool resources are source-NATed to the frontend public IP so they can reach the Internet.
  • Control the flow of traffic inside your private virtual network using an internal load balancer.
  • You can use a public load balancer to provide outbound connections for your virtual machines.
  • Azure Load Balancer supports IPv6.
  • Load balancer tiers: Basic and Standard

Concepts

  • A group of VMs or instances in a VM scale set serving the incoming requests is called the backend pool.
  • Determine the health status of backend pool instances with health probes.
    • Health probe down behavior – an instance that fails its health probe stops receiving new flows until it passes the probe again; what happens to its existing TCP connections differs between the Basic and Standard tiers.
  • Standard load balancer availability zones:
    • Zonal = the frontend is pinned to a single zone
    • Zone-redundant = a single frontend IP address is served from multiple zones
  • Use Azure Monitor to check the metrics, alerts, and resource health of Azure Load Balancer.
  • High Availability (HA) ports enable load balancing on all ports of the TCP and UDP protocols with a single rule (internal Standard load balancer), typically for network virtual appliances.
  • With multiple frontends, you can load balance services on multiple ports and multiple IP addresses.
  • The SLA (99.99% for the Standard tier) applies when the backend pool contains two or more healthy virtual machines.

Basic vs Standard Load Balancer

  • Backend pool size
    • Basic: supports up to 300 instances
    • Standard: supports up to 1,000 instances
  • Backend pool endpoints
    • Basic: VMs in a single availability set or a single VM scale set
    • Standard: any VMs or VM scale sets in a single virtual network
  • Health probes
    • Basic: TCP, HTTP
    • Standard: TCP, HTTP, HTTPS
  • Health probe down behavior
    • Basic: TCP connections stay alive when an instance's probe is down; all TCP connections terminate when all probes are down
    • Standard: TCP connections stay alive both when an instance's probe is down and when all probes are down
  • Availability Zones
    • Basic: not available
    • Standard: zone-redundant and zonal frontends for inbound and outbound traffic
  • Diagnostics
    • Basic: Azure Monitor logs
    • Standard: Azure Monitor multi-dimensional metrics
  • HA Ports
    • Basic: not available
    • Standard: available for the internal load balancer
  • Secure by default
    • Basic: open by default; network security group optional
    • Standard: closed to inbound flows unless allowed by a network security group (internal traffic from the VNet to an internal load balancer is allowed)
  • Outbound rules
    • Basic: not available
    • Standard: declarative outbound NAT configuration
  • TCP reset on idle
    • Basic: not available
    • Standard: available on any rule
  • Multiple frontends
    • Basic: inbound only
    • Standard: inbound and outbound
  • Management operations
    • Basic: 60-90+ seconds typical
    • Standard: most operations < 30 seconds
  • SLA
    • Basic: not available
    • Standard: 99.99%

  • Frontend IP configuration
    • Public load balancer = public IP address
    • Internal load balancer = private IP address
  • Backend pools
    • The resources in the backend pool must come from a single virtual network.
    • You can associate the backend pool with VMs or a VM scale set.
  • Load Balancing Rules
    • A load balancing rule maps a frontend IP address and port to the resources in the backend pool and distributes the incoming traffic among them.
    • Choose IPv4 or IPv6 as the IP version of the rule.
    • A rule is bound to a single frontend IP configuration, which has exactly one (public or private) IP address.
    • Select between the TCP and UDP protocols.
    • Health probes determine which VMs in the backend pool can receive the load-balanced traffic.
    • Session persistence (distribution mode) keeps traffic from a client on the same virtual machine:
      • None – five-tuple hash; any virtual machine can handle successive requests from the same client.
      • Client IP – two-tuple hash; the same virtual machine handles successive requests from the same client IP address.
      • Client IP and protocol – three-tuple hash; the same virtual machine handles successive requests from the same client IP address and protocol combination.
    • Idle timeout (4 minutes by default) keeps a TCP or HTTP connection open without depending on the clients to send keep-alive messages.
    • With TCP reset on idle enabled, the load balancer sends a bidirectional TCP RST when the idle timeout expires, so both endpoints learn that the flow is gone instead of waiting on a silently dropped connection.
    • Floating IP (Direct Server Return) keeps the load balancer's frontend IP as the destination address of the packet instead of rewriting it to the VM's IP; the VM must then have that frontend IP configured on a loopback interface (used, for example, by SQL Server Always On availability group listeners).
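To make the five-tuple hashing and the three session-persistence modes concrete, here is an added Python illustration (not Azure's code; Azure's hashing algorithm is proprietary, and the SHA-256-modulo used here only stands in for the idea). The backend addresses, probe states and client flows are constructed sample data.

```python
"""Added example: how a layer-4 load balancer's distribution mode decides which
backend a new flow lands on.  The hash is an illustration of the
five-/three-/two-tuple idea, not Azure's algorithm; all addresses are sample data."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from typing import Optional

# Which fields of a flow feed the hash under each session-persistence setting.
DISTRIBUTION_MODES = {
    "None": ("src_ip", "src_port", "dst_ip", "dst_port", "protocol"),  # 5-tuple
    "ClientIP": ("src_ip", "dst_ip"),                                  # 2-tuple
    "ClientIPAndProtocol": ("src_ip", "dst_ip", "protocol"),           # 3-tuple
}

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str  # "TCP" or "UDP": the only protocols a layer-4 LB handles

def pick_backend(flow: Flow, backends: list[str], healthy: dict[str, bool],
                 mode: str = "None") -> Optional[str]:
    """Backend that receives a NEW flow, or None when no health probe is passing."""
    candidates = [b for b in backends if healthy.get(b, False)]
    if not candidates:
        return None  # all probes down: no backend receives new flows
    key = "|".join(str(getattr(flow, field)) for field in DISTRIBUTION_MODES[mode])
    digest = hashlib.sha256(key.encode()).digest()
    return candidates[int.from_bytes(digest[:8], "big") % len(candidates)]

def spread(flows: list[Flow], backends: list[str], healthy: dict[str, bool],
           mode: str) -> dict[str, int]:
    """How many of the given flows land on each backend."""
    counts = {b: 0 for b in backends}
    for f in flows:
        chosen = pick_backend(f, backends, healthy, mode)
        if chosen is not None:
            counts[chosen] += 1
    return counts

# Constructed pool behind frontend 20.0.0.10:443: three VMs, one failing its probe.
BACKENDS = ["10.0.1.4", "10.0.1.5", "10.0.1.6"]
HEALTHY = {"10.0.1.4": True, "10.0.1.5": True, "10.0.1.6": False}
# One client opening 200 TCP connections from successive ephemeral ports.
CLIENT_FLOWS = [Flow("203.0.113.7", p, "20.0.0.10", 443, "TCP") for p in range(40000, 40200)]

if __name__ == "__main__":
    for mode in DISTRIBUTION_MODES:
        print(f"{mode:22s} {spread(CLIENT_FLOWS, BACKENDS, HEALTHY, mode)}")
```

With the default mode the same client's connections are spread over the healthy backends; with Client IP affinity they all land on one backend, which is what a stateful application without shared session storage needs. The unhealthy backend receives nothing in any mode.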

Pricing

  • You are charged based on the number of outbound rules.
  • You are billed for the first five rules of load balancing.
  • You are not charged for the NAT rules.

Azure Virtual Network (VNet)

  • You can create a virtual network in the cloud dedicated to your Azure subscription. It is the fundamental building block for your private network in Azure, where you launch Azure resources such as VMs.
  • Azure VNet is the networking layer of Azure VMs.
  • A VNet is scoped to a single region and subscription and spans all the Availability Zones in that region. Subnets are regional as well: they are not tied to a particular zone, so one subnet can hold VMs placed in different zones.

Key Concepts

  • A virtual network (VNet) allows you to specify an IP address range for the VNet, add subnets, associate network security groups, and configure route tables.
  • A subnet is a range of IP addresses in your VNet. You launch Azure resources into a specified subnet. Azure has no formal public or private subnet type: whether a resource is reachable from the Internet depends on whether it has a public IP address, what its network security groups allow, and how its routes are configured. In practice, a "public subnet" is one whose resources carry public IPs, and a "private subnet" one whose resources reach the Internet only through a NAT gateway or another outbound-only path.
  • To protect the Azure resources in each subnet, use network security groups.

VNet Use Case

  • VNet with a single public subnet.
  • VNet with public and private subnets (NAT).

Subnets

  • When you create a VNet, you must specify a range of IPv4 addresses for the VNet in the form of a CIDR block (example: 10.0.0.0/16).
  • Each subnet's CIDR block must fall within the VNet's address space and must not overlap with any other subnet in the VNet.
  • You can add multiple subnets to a VNet; because subnets are regional, you do not create one per Availability Zone.
  • Types of subnets:
    • Public subnet (resources with public IP addresses)
    • Private subnet (resources without public IP addresses)
    • Gateway subnet (named GatewaySubnet, reserved for the virtual network gateway)
  • The smallest supported IPv4 subnet is a /29 netmask (8 IP addresses, of which only 3 are usable).
  • Azure reserves 5 IP addresses in each subnet that cannot be assigned to any virtual machine: the network address, the default gateway (first usable address), two addresses for Azure DNS, and the broadcast address.
  • You can delegate a subnet to be used by a dedicated service.
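An added Python example (not from the original notes) that applies the subnet rules above with the standard library's ipaddress module: it lists the five addresses Azure reserves, computes usable capacity, rejects subnets smaller than /29 or outside the VNet, flags overlapping subnets, and, since the same check matters before VNet peering, flags overlapping address spaces between two VNets. The VNet and subnet ranges are constructed sample input.

```python
"""Added example: subnet planning checks for the rules above, using the
standard library's ipaddress module.  Azure's five reserved addresses per
subnet and the /29 minimum are real; the ranges are constructed sample input."""
from __future__ import annotations
import ipaddress
from itertools import combinations

RESERVED_PER_SUBNET = 5   # network, default gateway, two Azure DNS, broadcast
SMALLEST_PREFIX = 29      # /29 is the smallest IPv4 subnet Azure accepts

def net(cidr) -> ipaddress.IPv4Network:
    """Accept 'a.b.c.d/n' strings (or IPv4Network objects)."""
    return ipaddress.ip_network(cidr)

def azure_reserved(subnet) -> dict[str, str]:
    """The five addresses Azure keeps for itself in every subnet."""
    s = net(subnet)
    return {"network": str(s[0]), "default_gateway": str(s[1]),
            "azure_dns": f"{s[2]}, {s[3]}", "broadcast": str(s[-1])}

def usable_addresses(subnet) -> int:
    s = net(subnet)
    if s.prefixlen > SMALLEST_PREFIX:
        raise ValueError(f"{s}: Azure subnets must be /{SMALLEST_PREFIX} or larger")
    return s.num_addresses - RESERVED_PER_SUBNET

def first_assignable(subnet) -> str:
    """First address a NIC can actually receive (x.x.x.4 in a /24)."""
    return str(net(subnet)[RESERVED_PER_SUBNET - 1])

def plan_subnets(vnet_cidr: str, subnet_cidrs: list[str]) -> list[str]:
    """Problems with a proposed layout; an empty list means it is valid."""
    vnet, subnets = net(vnet_cidr), [net(c) for c in subnet_cidrs]
    problems = []
    for s in subnets:
        if not s.subnet_of(vnet):
            problems.append(f"{s} is outside the VNet address space {vnet}")
        if s.prefixlen > SMALLEST_PREFIX:
            problems.append(f"{s} is smaller than the /{SMALLEST_PREFIX} minimum")
    for a, b in combinations(subnets, 2):
        if a.overlaps(b):
            problems.append(f"{a} overlaps {b}")
    return problems

def peering_conflicts(vnet_a: list[str], vnet_b: list[str]) -> list[tuple[str, str]]:
    """Address-space pairs that would prevent peering (or a VPN link) between two VNets."""
    return [(a, b) for a in vnet_a for b in vnet_b if net(a).overlaps(net(b))]

if __name__ == "__main__":
    print(azure_reserved("10.0.1.0/24"), usable_addresses("10.0.1.0/24"), first_assignable("10.0.1.0/24"))
    print(plan_subnets("10.0.0.0/16", ["10.0.1.0/24", "10.0.1.128/25", "10.1.0.0/24", "10.0.2.0/30"]))
    print(peering_conflicts(["10.0.0.0/16"], ["10.0.5.0/24", "172.16.0.0/12"]))
```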

Security

  • Network Security Groups – control the inbound and outbound traffic of Azure resources.
    • Rules are processed in priority order from the lowest number to the highest, and processing stops at the first rule that matches the traffic.
    • You can set a priority between 100 and 4096; each priority must be unique within a direction.
    • Rules apply to either inbound or outbound traffic (each rule has a direction).
    • Each rule allows or denies traffic matching its source, destination, port and protocol.
    • When you create a network security group, Azure assigns default security rules (priorities 65000 to 65500) for inbound and outbound traffic: traffic within the VNet and from the Azure load balancer is allowed inbound, VNet and Internet-bound traffic is allowed outbound, and everything else is denied. Default rules cannot be removed, only overridden by custom rules with a lower priority number.
    • Can be associated with a subnet or a network interface. If both are used, inbound traffic is evaluated by the subnet NSG first and then by the NIC NSG, and outbound traffic in the reverse order; the traffic must be allowed by both. Unless you have a specific reason, associate an NSG with either the subnet or the network interface, not both.
  • You may use service tags (such as VirtualNetwork, Internet, AzureLoadBalancer or Storage) in network security rules to avoid the complexity of frequently updating IP address lists.
  • Augmented security rules allow you to create a single rule with multiple source and destination IP ranges and port ranges.
  • Application Security Groups allow you to group VMs and define network security rules based on those groups instead of explicit IP addresses.
  • You can use the IP flow verify capability of Azure Network Watcher to check which network security rule allows or denies a given flow to or from a VM.
  • With VNet service endpoint policies, you can filter the egress VNet traffic to Azure Storage so that only specific storage accounts are reachable over the service endpoint.

VNet Components

  • NAT Gateway
    • Gives your virtual network resources outbound-only connectivity to the Internet; no inbound connections are possible through it.
    • A NAT gateway resource can use up to 16 static public IP addresses or public IP prefixes.
    • A NAT gateway can be associated with multiple subnets in the same VNet, but a subnet can be associated with only one NAT gateway.
  • Route tables are used to determine where network traffic is directed.
    • A subnet can be associated with only one route table, but a route table can be associated with many subnets.
    • Routes are selected by longest prefix match. If multiple routes contain the same address prefix, Azure selects the route based on the following priority: user-defined route, BGP route, then system route.
  • You can connect VNets to each other using VNet peering.
  • If you need to connect privately to a service, you can use Azure Private Endpoint powered by Azure Private Link.
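Route selection from the rules above, as an added Python illustration (not Azure's code): longest prefix match first, then the user-defined > BGP > system tie-break. The effective route table is constructed sample data; the next-hop names mirror those Azure shows in a subnet's effective routes.

```python
"""Added example: route selection for a subnet's effective routes, following
the rules above (longest prefix match, then user-defined > BGP > system on a
tie).  The route table is constructed sample data."""
from __future__ import annotations
import ipaddress
from typing import Optional

# Tie-break order when several routes carry the same prefix (lower rank wins).
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}  # UDR, BGP, system

def select_route(routes: list[dict], dest_ip: str) -> Optional[dict]:
    dst = ipaddress.ip_address(dest_ip)
    matches = [r for r in routes if dst in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None  # cannot happen on Azure: a 0.0.0.0/0 system route always exists
    # Most specific prefix first; on equal prefix length the source rank decides.
    return max(matches, key=lambda r: (ipaddress.ip_network(r["prefix"]).prefixlen,
                                       -SOURCE_RANK[r["source"]]))

def next_hop(routes: list[dict], dest_ip: str) -> str:
    r = select_route(routes, dest_ip)
    return "None" if r is None else r["next_hop"]

# Constructed effective route table of a subnet: the system routes every VNet
# gets, a BGP route learned over a VPN gateway, and two user-defined routes.
ROUTES = [
    {"source": "Default", "prefix": "10.0.0.0/16", "next_hop": "VirtualNetwork"},
    {"source": "Default", "prefix": "0.0.0.0/0", "next_hop": "Internet"},
    {"source": "VirtualNetworkGateway", "prefix": "192.168.0.0/16", "next_hop": "VirtualNetworkGateway"},
    # Force all Internet-bound traffic through a firewall NVA (same prefix as the system route).
    {"source": "User", "prefix": "0.0.0.0/0", "next_hop": "VirtualAppliance 10.0.100.4"},
    # Black-hole one partner range that the VPN advertises but must stay unreachable.
    {"source": "User", "prefix": "192.168.50.0/24", "next_hop": "None"},
]

if __name__ == "__main__":
    for ip in ("10.0.1.5", "8.8.8.8", "192.168.1.1", "192.168.50.9"):
        print(ip, "->", next_hop(ROUTES, ip))
```

The two user-defined routes show the two common security uses: the 0.0.0.0/0 override wins over the system route of the same prefix and steers Internet traffic through an inspection appliance, while the more specific /24 beats the BGP-learned /16 and drops traffic to that range.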

VNet Peering

  • Allows you to connect two virtual networks seamlessly, so that the peered networks appear as one for connectivity purposes; traffic between them stays on the Microsoft backbone. You can:
    • Connect virtual networks in the same Azure region, known as virtual network peering.
    • Connect virtual networks across different Azure regions, known as global virtual network peering.
  • Peering is not transitive: if VNet A is peered with B and B with C, A cannot reach C through B unless you peer A and C directly (or route through a gateway or network virtual appliance in B).
  • Ensure that your VNet address ranges do not overlap with one another; overlapping networks cannot be peered, so plan accordingly before initiating the peering.

Pricing

  • You are charged for the public IP address and reserved IP address inside your VNet.
  • You are charged for the ingress and egress data of VNet Peering.
  • You are charged for the NAT gateway resource hours and data processed (per GB).

Azure Database for MySQL and PostgreSQL

  • PaaS relational database services built on the community editions of MySQL and PostgreSQL.
  • Mitigate database downtime with high availability, redundancy, and resiliency capabilities.
  • Enables you to scale compute and storage vertically when needed.
  • Receive alerts based on the metrics of your servers.
  • Protect sensitive data at rest (storage encryption) and in transit (TLS-enforced connections).
  • Automated backups, retained for up to 35 days.
  • PostgreSQL deployment options: Single Server and Hyperscale (Citus)
  • Single server pricing tiers: Basic, General Purpose, and Memory Optimized.
    • Basic – for workloads with light compute and I/O performance needs.
    • General Purpose – balanced compute and memory with scalable I/O throughput for most business workloads.
    • Memory Optimized – for high-performance database workloads requiring in-memory performance.


PostgreSQL – Hyperscale (Citus)

  • Sharding – scales horizontally across multiple machines.
  • Supports query parallelization for faster responses on large datasets.
  • Primarily used for multi-tenant applications, real-time operational analytics, and high throughput transactional workloads.


Azure Database Migration Service

  • Accelerates the migration of your data to Azure.
  • Enables seamless migrations from multiple database sources.
  • To perform an online (continuous-sync) migration, you need to create a DMS instance in the Premium pricing tier; the Standard tier supports offline migrations only.

Features

  • Migrates your database and server objects with minimal downtime.
  • Supports Microsoft SQL Server, MySQL, PostgreSQL, MongoDB, and Oracle migration to Azure from on-premises and other cloud providers.
  • You can use DMS for both operational database and data warehouse migrations.
  • Automate the migration of data with Azure PowerShell.
  • Use Azure Migrate to discover your on-premises data estate and assess migration readiness.
  • You can create up to 2 DMS services per subscription.

Pricing

  • Offline migrations of the DMS Standard tier are free to use.
  • DMS premium tier is billed at an hourly rate based on the provisioned compute capacity.