Microsoft Azure
Azure is a cloud computing platform from Microsoft that provides more than 100 different services. These include virtualised compute and networking resources, remote storage, and database hosting, along with identity and access management. There are also services centred around artificial intelligence (AI) and the Internet of Things (IoT).
These services are available on a pay-as-you-go basis, allowing customers to pay only for the resources that they use. Various options are also available to monitor the resources that are in use.
Cloud Computing and Microsoft Azure Glossary
Azure API Management is a service that allows APIs to be securely exposed to both internal and external customers. It includes a set of tools for creating, managing and publishing APIs, as well as features to secure, scale and monitor API usage.
Azure API Management integrates with a number of other Azure services, including Azure Functions, Azure Logic Apps, and Azure Virtual Machines, along with on-premises and third-party systems.
Azure App Service provides a means to host web apps, API apps, WebJobs and the back end for mobile apps, written in a language of your choosing, without having to manage any infrastructure. Both Windows and Linux environments are supported, and automatic scaling and high availability are also provided.
Web App
A type of App Service for hosting web applications built using any one of a variety of different technologies and hosted on either Windows- or Linux-based machines.
API App
A type of App Service for hosting REST-based APIs, written in a language of your choosing, which can be consumed from HTTP or HTTPS based clients. API apps can also be packaged and published in the Azure Marketplace.
WebJob
A type of App Service that can be used to run a program or script as a background task alongside the application logic, either on a schedule or triggered by a particular event.
Mobile App
A type of App Service that can be used to host the back end of a mobile app, such as a database for app data.
There are three different types of service in cloud computing, where the responsibilities are split in differing proportions between the cloud provider and the customer.
Infrastructure as a Service (IaaS)
Infrastructure as a Service provides the most flexibility from a customer perspective, but also the greatest responsibility. The cloud provider is responsible for maintaining the physical hardware and security, as well as network connectivity to the internet. Everything else is the responsibility of the customer.
Platform as a Service (PaaS)
With Platform as a Service, the cloud provider is responsible for the same things as Infrastructure as a Service, plus items such as the operating systems, databases, and development tools. Here, a complete development environment is provided without the need to maintain the infrastructure. The customer is still responsible for the information and data in the solution, as well as the devices and users that can connect to it. Items such as network controls, applications and the directory infrastructure may have shared responsibility between the cloud provider and the customer.
Software as a Service (SaaS)
Software as a Service places the least amount of responsibility on the customer. Here, whole applications are provided as a service, such as email and productivity tools, with the customer only being responsible for things such as the information and data within, as well as the devices and accounts that have access.
Cloud Shell
Azure Cloud Shell is a browser-based command line environment that allows for the creation, configuration, and management of Azure resources. It supports both Azure PowerShell and the Azure Command Line Interface (CLI), which utilises Bash commands. Both are functionally equivalent, so it is down to personal choice as to which language is preferred. In addition to being available through Cloud Shell, both Azure PowerShell and Azure CLI are installable on Windows, Linux, and Mac platforms.
Scripting
In addition to providing scripting capabilities with Azure PowerShell and Azure CLI, Azure also supports many other languages including but not limited to .NET, Java, Node.js, Python, PHP, Ruby and Go. Microsoft, for example, provides client libraries in these languages for Azure Storage.
Scripting Useful Links
- Azure developer documentation.
- Azure for .NET developers.
- Azure for Java developer documentation.
- Azure for JavaScript & Node.js developers.
- Azure for Python developers.
- Azure for Go developers.
Infrastructure-as-Code
Infrastructure-as-Code refers to the ability to manage infrastructure through lines of code. At its most basic level this can be achieved through Azure Cloud Shell with either Azure PowerShell or Azure CLI; however, entire deployments can also be managed through repeatable templates and configurations. Two options in Azure are Azure Resource Manager (ARM) templates and Bicep files. ARM templates use a declarative JSON format to describe resources, whilst Bicep files are said to use a simpler, more concise style. The latter is transpiled into an ARM template when used.
A container is a form of virtualisation that does not include its own operating system. Multiple containers can run on a single physical or virtual machine at the same time. Each container incorporates the necessary code and dependencies for an application or service to run in isolation.
Azure Container Instances
Azure container instances provide a means to run containers that are uploaded to the service. No management of virtual machines or other services is necessary on the user’s part.
Azure Container Apps
Azure container apps are similar to container instances but remove the need for container management from the user. They also provide the ability to include load balancing and scaling.
Azure Kubernetes Service
The Azure Kubernetes Service provides a means to manage the deployment of a fleet of containers.
The hierarchical management infrastructure within Azure consists of resources, resource groups, subscriptions, and management groups, which are outlined below.
Resources
All items that are created within Azure are referred to as a resource, whether that be a virtual machine, virtual network, database, web app, or any other item.
Resource Groups
When a resource is created, it must be placed into a resource group. Resource groups can be used to group related resources together, for example those used in the same project. Access to a resource can be assigned at the group level. A resource can only be in one resource group at any one time but can be moved between groups if desired.
Subscription
When an account is created in Azure, a subscription is automatically created for that account. Subscriptions provide a means of managing the resource groups within an account, as well as the billing. An account must contain at least one subscription, but can contain more, as a means to separate out the billing between departments, for example. When a resource is created, it must be assigned to a subscription, as well as a resource group within that subscription.
Management Group
If an account contains more than one subscription, then a management group can be used to manage those subscriptions. Conditions can be applied to a management group that are inherited by the subscriptions it contains. A management group can contain other management groups to further subdivide subscriptions and resource groups to form a hierarchy.
Azure Advisor
Azure Advisor evaluates your resources to make recommendations for improvement. These recommendations are split into five categories: reliability, security, performance, operational excellence, and cost.
Azure Service Health
Azure Service Health combines three different Azure services to help you keep track of the overall status of Azure, as well as the specific services that you utilise.
- Azure Status provides an overall status of Azure globally.
- Service Health narrows this status of Azure down to the regions and services that you utilise.
- Resource Health goes further still by tailoring the status information to the specific resources that you have.
If there are issues, links for support are provided.
Azure Monitor
Azure Monitor provides a platform for collecting data about your resources. It then analyses the data and provides a visual representation of it for you to view. It is also possible for Azure Monitor to act on the results that it finds. As well as doing this for Azure resources, it can also monitor both on-premises resources and those from other cloud providers.
Azure Log Analytics can be used to write and run log queries on the data collected by Azure Monitor.
Azure Monitor Alerts can be used to alert those responsible when certain pre-defined conditions are met. In some instances, these alerts can be configured to attempt corrective action.
Application Insights, which is part of Azure Monitor, can be used to monitor web applications running in Azure, on-premises and even in other cloud environments.
Azure ExpressRoute
Azure ExpressRoute allows an organisation to extend its on-premises network into the Microsoft cloud over a private connection. This is achieved with the help of a connectivity provider, creating a connection called an ExpressRoute Circuit. Connectivity can be from an any-to-any network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a colocation facility.
If an organisation has geographically separated offices, they can be connected via the Microsoft backbone network using ExpressRoute Global Reach, provided each of the offices has an ExpressRoute Circuit. This allows the offices to communicate and transfer data without going over the public internet.
Azure's physical infrastructure is made up of regions, availability zones, region pairs and sovereign regions.
Regions
A region in Azure is a geographical area that contains one or more datacentres, which are networked together using a low-latency network. When resources are deployed within a region, the workload is automatically balanced between the available datacentres. A number of the services available in Azure require a region to be selected, whilst others are global and therefore this is not necessary.
Availability Zones
Azure availability zones are physically separate datacentres, or groups of datacentres, within an Azure Region. Each datacentre within the zone is set up with independent power, cooling, and networking, meaning that if one zone goes down, others can continue operating. Availability zones within a region are connected via high-speed, private fibre networks. It should be noted that not all Azure regions are availability zone enabled. Where they are, there are a minimum of three availability zones to provide resiliency.
Region Pairs
The majority of Azure regions are paired up with another in the same geography to form a region pair; for example, West United States is paired with East United States. If a region is affected by a natural disaster, services within that region would fail over to the other region in the pair. It should be noted that not all services automatically replicate between region pairs. Where this is the case, it is down to the customer to set this up.
Sovereign Regions
Sovereign regions within Azure are instances of Azure that are isolated from the main publicly available occurrence of Azure. Examples of sovereign regions include a number of instances for the United States government, as well as China. For the Chinese sovereign regions, Microsoft partners with 21Vianet to maintain the datacentres, with Microsoft having no direct involvement in their maintenance.
Azure Role-Based Access Control (Azure RBAC)
Within Azure, built-in roles are provided that include common access rules for cloud resources. In addition, it is also possible to add user-defined roles. Each role has a set of permissions assigned. One or more roles can be assigned to individuals or groups in order to give them the related permissions.
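The following is an added example, not code from the original page: a Bicep file deployed at resource group scope that assigns the built-in Reader role to an Entra ID group, so the permission is inherited by every resource in that group and by nothing outside it. The parameter values are placeholders to be supplied at deployment time; the Reader role definition ID is the fixed built-in one.

```bicep
// Added example, not from the original page: grant a group read-only access
// to a whole resource group by assigning a built-in role at that scope.
targetScope = 'resourceGroup'

@description('Object ID of the Entra ID group (or user / service principal) to grant access to. Placeholder: supply at deployment time.')
param principalId string

@allowed([ 'Group', 'User', 'ServicePrincipal' ])
param principalType string = 'Group'

// Built-in "Reader" role. Built-in role definition IDs are the same in every tenant.
var readerRoleDefinitionId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')

resource readerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Assignment names must be GUIDs; deriving one from scope + principal + role
  // makes redeploying the same file idempotent instead of failing on a duplicate.
  name: guid(resourceGroup().id, principalId, readerRoleDefinitionId)
  // No explicit scope is set, so the assignment lands on the resource group
  // the file is deployed into and is inherited by every resource within it.
  properties: {
    roleDefinitionId: readerRoleDefinitionId
    principalId: principalId
    // Stating the principal type avoids lookup failures for newly created principals.
    principalType: principalType
  }
}

output assignmentId string = readerAssignment.id
```

Deploy it into an existing resource group with `az deployment group create --resource-group <rg-name> --template-file <file>.bicep --parameters principalId=<object-id>`; swapping the role GUID for a custom role's ID assigns a user-defined role in exactly the same way.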
Microsoft Defender for Cloud
Defender for Cloud is a monitoring tool for security posture management and threat protection. It can monitor Azure resources, on-premises, hybrid, and multi-cloud environments to provide guidance for the purposes of strengthening security posture.
Microsoft Entra ID
Entra ID is a cloud-based identity and access management service. It can be synchronised with an on-premises Active Directory using Microsoft Entra Connect. This allows for features such as SSO, MFA, and self-service password reset to be carried out under both systems. Entra ID can help protect an organisation by detecting suspicious sign-in attempts, which on-premises Active Directory is not able to do.
Rather than there being no servers involved in serverless computing, as the name might suggest, the term refers to services where the servers and other underlying infrastructure are abstracted away by the cloud provider.
Azure Functions
Azure Functions can be used to perform an action, such as running some code, in response to an event occurring. There is no continuous charge for resources, only for things like CPU time when the function runs. An Azure function can be either stateless, where each run of the function occurs in isolation, or stateful, where prior activity of the function is tracked.
Storage redundancy refers to the fact that Azure stores multiple copies of data to protect it from planned and unplanned events such as hardware failures, power outages, and natural disasters. Various levels of redundancy are available depending on the datacentre and resource in question.
Locally Redundant Storage (LRS)
A method of storage redundancy in which data is replicated synchronously three times within a single datacentre in the primary region. It provides 11 nines (99.999999999%) of durability of objects in a given year.
Zone Redundant Storage (ZRS)
A method of storage redundancy in Availability Zone enabled regions, where data is replicated synchronously across three Azure availability zones in the primary region. It provides 12 nines (99.9999999999%) of durability of objects in a given year.
Geo-Redundant Storage (GRS)
A method of storage redundancy in which data is replicated synchronously three times within a single datacentre in the primary region using Locally Redundant Storage (LRS). The data is then copied asynchronously to a single datacentre in the secondary region of the region pair, again using Locally Redundant Storage (LRS). It provides 16 nines (99.99999999999999%) of durability over a given year.
Geo-Zone Redundant Storage (GZRS)
A method of storage redundancy in Availability Zone enabled regions, where data is replicated synchronously across three Azure availability zones in the primary region. The data is then copied asynchronously to a single datacentre in the secondary region of the region pair using Locally Redundant Storage (LRS).
Read-Access Geo-Redundant Storage (RA-GRS)
A method of storage redundancy similar to Geo-Redundant Storage (GRS), but with read-only access to the copy of the data held in the secondary region.
Read-Access Geo-Zone Redundant Storage (RA-GZRS)
A method of storage redundancy similar to Geo-Zone Redundant Storage (GZRS), but with read-only access to the copy of the data held in the secondary region.
Azure provides a number of different storage solutions that are accessible over HTTP or HTTPS. Client libraries are also provided for numerous programming languages to enable easy interaction with the storage.
The storage services provided include Azure Blobs, Files, Queues, Disks and Tables.
Azure Blobs
Azure Blob storage provides a means of storing large amounts of unstructured text or binary data. It is ideally suited for storing files for distributed access and serving up those files, such as images and documents, directly through a browser. It can also be used for the streaming of video and audio, as well as facilitating the backing up and restoring of data for critical systems.
To help manage the cost of this storage, different access tiers are provided.
- Hot access tier - Ideal for the storage of data that is accessed most frequently, such as images for a website, or documents that are used on a daily basis. This is the most expensive storage option to facilitate the frequent access.
- Cool access tier - This tier is good for data that is accessed relatively infrequently and requires storing for at least 30 days.
- Cold access tier - The cold tier is most suited to data that is accessed very infrequently and is required to be stored for at least 90 days.
- Archive access tier - Suitable for the storage of data that is rarely accessed but is required to be stored for a period of time, for example, for regulatory compliance, for at least 180 days. This data is stored offline and, if needed, must be rehydrated into one of the other access tiers. This offers the lowest cost in terms of storage but incurs a relatively high cost to rehydrate.
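As an added example tying together the Infrastructure-as-Code, storage redundancy and access tier descriptions above (this is not code from the original page), the Bicep file below declares a storage account using Geo-Zone Redundant Storage with secure transport and access defaults, plus a lifecycle management policy that moves block blobs from Hot to Cool, Cold and Archive as they age. The account name, container prefix and API version are assumptions.

```bicep
// Added example, not from the original page: a GZRS storage account whose
// blobs are tiered down automatically as they age.
targetScope = 'resourceGroup'

@description('Storage account name: 3-24 lowercase letters and digits (assumed value).')
param storageAccountName string = 'stglossary${uniqueString(resourceGroup().id)}'

@description('Region of the enclosing resource group; GZRS needs an Availability Zone enabled region.')
param location string = resourceGroup().location

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    // Synchronous copies across three zones in the primary region, then an
    // asynchronous copy to the paired region (GZRS as described above).
    name: 'Standard_GZRS'
  }
  properties: {
    accessTier: 'Hot'                // new blobs start in the most expensive, fastest tier
    supportsHttpsTrafficOnly: true   // reject plain HTTP
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false     // no anonymous container or blob reads
    allowSharedKeyAccess: false      // require Entra ID / RBAC instead of account keys
  }
}

resource lifecycle 'Microsoft.Storage/storageAccounts/managementPolicies@2023-01-01' = {
  parent: storage
  name: 'default'   // the only name this child resource accepts
  properties: {
    policy: {
      rules: [
        {
          enabled: true
          name: 'tier-down-by-age'
          type: 'Lifecycle'
          definition: {
            filters: {
              blobTypes: [ 'blockBlob' ]
              prefixMatch: [ 'reports/' ]   // assumed container name; omit to apply to all blobs
            }
            actions: {
              baseBlob: {
                // Day thresholds follow the minimum storage periods of the tiers described above.
                tierToCool: { daysAfterModificationGreaterThan: 30 }
                tierToCold: { daysAfterModificationGreaterThan: 90 }
                tierToArchive: { daysAfterModificationGreaterThan: 180 }
              }
            }
          }
        }
      ]
    }
  }
}

output storageAccountId string = storage.id
```

Changing `Standard_GZRS` to `Standard_LRS`, `Standard_ZRS` or `Standard_GRS` selects the other redundancy options described above; a blob that has reached Archive must be rehydrated before it can be read again.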
Azure Files
Azure Files provides a means to create file shares in the cloud. These are accessible via Server Message Block (SMB), from Windows, Linux and macOS based devices, or Network File System (NFS), from Linux and macOS based systems. The shares are also accessible programmatically via the provided client libraries.
Azure Queues
Azure Queues allow for the storage of large numbers of messages, which are accessible via HTTP or HTTPS. Queues can be used, for example, to create a backlog of work that needs processing asynchronously, with each message having a maximum size of 64 KB.
Azure Disks
Azure Disks are virtualised storage volumes, that are managed by Azure, for use with Azure Virtual Machines.
Azure Tables
Azure Tables facilitate the storage of large amounts of structured data. They are a NoSQL datastore, ideal for storing structured, non-relational data, that can accept authentication calls from both within and outside of Azure. This makes them ideal for building hybrid and multi-cloud solutions.
Azure Virtual Desktop
An Azure virtual desktop provides a means of creating virtual desktops and applications in the cloud, using a cloud-hosted version of Windows. These are accessible using numerous different devices and platforms.
Azure Virtual Machines
Azure virtual machines allow for the creation of virtual servers in the cloud. These are useful where total control is required over the operating system, together with the software that runs on it. Virtual machines are a form of Infrastructure-as-a-Service (IaaS), where the user is responsible for keeping the operating system and all the software that runs on it, up to date.
Virtual Machine Scale Set
Where multiple identical virtual machines are required for the same purpose, virtual machine scale sets can be used for the creation and management of these. A number of virtual machines can be centrally managed, and set to scale automatically, up or down, either on demand or via a set schedule. Scale sets are also automatically load balanced to share out the workload.
Virtual Machine Availability Set
Availability sets of virtual machines help to provide both resilience and high availability. These sets group virtual machines in two ways, update domains and fault domains. Update domains group virtual machines together that can undergo maintenance at the same time, without taking a service completely offline. Each domain is given a 30-minute window for maintenance, before the next domain is updated. Fault domains group virtual machines by common power source and network switch. Availability sets split virtual machines across up to three fault domains to spread the risk of power or network failure.
Useful Links
- Official Microsoft Azure website.
- Azure documentation.
- Azure Portal.
- Azure free account.
- Azure for students.
- Microsoft datacentres.
- Azure cross-region replication.
- Shared responsibility in the cloud.
- Pricing calculator.
- Total Cost of Ownership (TCO) calculator.
- Service Trust Portal.
- Azure weekly update - YouTube playlist.