
Microsoft Azure

https://portal.azure.com/#home


Elasticity

Each resource belongs to a single resource group. Resource groups set boundaries for permissions and
reporting.

Within an Azure subscription, there are three key administrator roles available for
managing the subscription. These administrators have full access to the Azure
subscription:
- account administrator
- service administrator
- co-administrator

The account that was used to sign up for Azure originally is automatically
both the account administrator and the service administrator.

The account administrator:
- creates new subscriptions and cancels existing ones
- has access to the Azure Account Center
- manages all subscriptions in an Azure account
- can change the billing for a subscription

There is one service administrator per Azure subscription. The service
administrator manages services in the Azure Portal. The service
administrator is granted full access to the Azure Portal and has the same
access as a user who is assigned the Owner role. It can also open a support
ticket with Azure.

To change the account admin, sign in to the Azure Account Center as an
account admin. The Azure Account Center is located at
account.windowsazure.com/Subscriptions

Only an Owner can be added as a co-administrator.

Resources can also be tagged for billing grouping or scripting.

Either of the following tools can be used to work with the Azure platform:

- Windows PowerShell
- Azure CLI

$ brew update && brew install azure-cli

$ az login

Management groups: containers that help you manage access, policy, and
compliance for multiple subscriptions. All subscriptions in a management group automatically
inherit the conditions applied to the management group.

Subscriptions: a subscription associates user accounts with the resources that were created by those
user accounts. Each subscription has limits or quotas on the amount of resources you can create and
use. Organizations can use subscriptions to manage costs and the resources that are created by users,
teams, or projects. A subscription fuels the Azure resources in a customer tenant. Everything is
suspended or halted if the subscription carries zero credit, unless the subscription is a post-paid
pay-as-you-go subscription.

The Azure account is a globally unique entity that gets you access to Azure services and your
Azure subscriptions. You can create multiple subscriptions in your Azure account to create
separation, e.g. for billing or management purposes. In your subscription(s) you manage
resources in resource groups.

By analogy:
- AD account: the director of your holding company
- Directory: the sub-companies of your holding
- Subscriptions: each department at each directory/company
- Resource group: the shelves where each department keeps its documents

We can have multiple types of subscription within an account.

Every resource created requires a subscription (billing) and a resource group (logical grouping).

Resource: a manageable item that is available through Azure. Virtual machines, storage accounts,
web apps, databases, and virtual networks are examples of resources.

Resource group: a container that holds related resources for an Azure solution. The resource
group includes those resources that you want to manage as a group. Azure resource groups are
logical collections of virtual machines, storage accounts, virtual networks, web apps, databases,
and/or database servers: a logical group of resources belonging to the same application
environment and lifecycle. Permissions can be assigned to the group instead of at each resource
level, and an entire resource group can be deleted in one operation.

Although Azure requires the admin to specify a region when creating a resource
group, resources contained within that resource group can span across multiple regions.
The requirement of a resource group being deployed to a specific region comes from
the need to store the deployment metadata and definitions associated with that
resource group in a specific location.

Azure Policy

Azure Policy is a service in Azure which allows you to create policies that enforce and control the
properties of deployed resources. When these policies are used they enforce different rules and effects
over your resources, so those resources stay compliant with your IT governance standards.

Azure Policy helps to enforce organizational standards and to assess compliance at scale. Through its
compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment,
with the ability to drill down to per-resource, per-policy granularity.
Common use cases for Azure Policy include implementing governance for resource consistency,
regulatory compliance, security, cost, and management.

Azure Policy evaluates resources in Azure by comparing the properties of those resources to business
rules. These business rules, described in JSON format, are known as policy definitions.
To simplify management, several business rules can be grouped together to form a policy
initiative (sometimes called a policySet). Once your business rules have been formed, the policy
definition or initiative is assigned to any scope of resources that Azure supports, such as management
groups, subscriptions, resource groups, or individual resources. The assignment applies to all
resources within the scope of that assignment.
Sub-scopes can be excluded from an assignment if necessary.
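The following Python model, added here and not taken from these notes or from Microsoft, shows how a JSON policy definition with a parameter, an assignment at subscription scope and an excluded sub-scope interact; the evaluator itself, the subscription id and the resource-group names are assumptions made for the example, and real Azure Policy supports far more condition forms and effects.

```python
"""Added illustration of how an Azure Policy definition, its parameters,
an assignment scope and an excluded sub-scope fit together. This is a
deliberately simplified model, not the Azure Policy engine: only 'field'
conditions with 'equals' / 'notIn', parameter references and the 'deny' /
'audit' effects are understood, and scopes match by resource-id prefix."""
import json
import re

# A policy definition in the JSON shape Azure uses: an "if" condition over
# resource properties and a "then" effect (constructed for this example).
ALLOWED_LOCATIONS = json.loads("""{
  "properties": {
    "displayName": "Allowed locations",
    "parameters": {"allowedLocations": {"type": "Array"}},
    "policyRule": {
      "if": {"field": "location", "notIn": "[parameters('allowedLocations')]"},
      "then": {"effect": "deny"}
    }
  }
}""")

PARAM_REF = re.compile(r"^\[parameters\('(\w+)'\)\]$")

def resolve(value, params):
    """Replace a "[parameters('name')]" reference with the assigned value."""
    if isinstance(value, str):
        m = PARAM_REF.match(value)
        if m:
            return params[m.group(1)]
    return value

def condition_holds(cond, resource, params):
    """Evaluate one 'field' condition against a resource dict."""
    actual = resource.get(cond["field"])
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "notIn" in cond:
        return actual not in resolve(cond["notIn"], params)
    raise ValueError("unsupported condition: %r" % cond)

def evaluate(assignment, resource):
    """Return the effect the assignment produces for a resource, or None when
    the resource is outside the scope, in an excluded sub-scope, or compliant.
    assignment = {"definition", "scope", "notScopes", "parameters"}."""
    rid = resource["id"].lower()
    if not rid.startswith(assignment["scope"].lower()):
        return None                  # outside the assigned scope
    for excluded in assignment.get("notScopes", []):
        if rid.startswith(excluded.lower()):
            return None              # sub-scope excluded from the assignment
    rule = assignment["definition"]["properties"]["policyRule"]
    if condition_holds(rule["if"], resource, assignment.get("parameters", {})):
        return rule["then"]["effect"].lower()
    return None

# Assignment at subscription scope with one resource group excluded.
# The subscription id and resource-group names are constructed placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ASSIGNMENT = {
    "definition": ALLOWED_LOCATIONS,
    "scope": SUB,
    "notScopes": [SUB + "/resourceGroups/rg-sandbox"],
    "parameters": {"allowedLocations": ["westeurope", "northeurope"]},
}

def vm(rg, location):
    """Build a minimal resource record for a VM in the given resource group."""
    return {"id": f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/vm1",
            "type": "Microsoft.Compute/virtualMachines", "location": location}
```

Calling evaluate(ASSIGNMENT, vm("rg-prod", "eastus")) returns "deny", while the same VM in rg-sandbox returns None because that sub-scope is excluded.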

Resource Lock

moved from one resource group to another.

The source and destination subscriptions must exist within the
same Azure Active Directory tenant. The destination subscription must be
registered for the resource provider of the resource being moved.

Deleting the entire resource group. Doing so deletes all of the resources
contained within it. This makes it easy for me to keep my Azure
subscription clean of any unused resources.

Azure Cost Optimization

Pricing calculator: configure and estimate the costs for Azure products. There are two important tools
for analyzing current resource consumption:
- Billing Portal
- Cost Management Tool

Azure virtual machines use three primary resources: CPU cores, memory
and storage for the virtual hard drives. CPU core and memory costs are
managed by choosing the appropriate virtual machine size.

A better option is to choose a virtual machine size that provides the CPU
core and memory utilization needed for average demand,
and use virtual machine scale sets to add capacity on demand by starting
up an additional virtual machine.

You can define the number of instances or virtual machines in a scale set
and configure the scale set to automatically increase or decrease the
number of running virtual machines in the scale set based on demand or
even on a schedule.

It is recommended that you only use the auto-scale feature of scale sets
with the eviction policy set to Delete, to avoid the costs of the associated
disks and hitting your scale set instance quota limit. When using virtual
machine scale sets you can manage the auto-scale parameters by setting the
minimum and the maximum number of instances as well as the scale-out
and scale-in thresholds.

Using Azure Spot on scale sets, or low-priority scale sets, allows you to take
advantage of Azure's unused capacity at a significant cost saving. At any point in time
when Azure needs the capacity back, the Azure infrastructure will evict Spot
instances. Therefore, Spot instances are great for workloads that can handle
interruptions, like batch processing jobs, dev/test environments, large compute
workloads, and more.
When creating Spot scale sets, you can set the eviction policy
to Deallocate (default) or Delete.

The Deallocate policy moves your evicted instances to the stopped-deallocated state,
allowing you to redeploy evicted instances. The deallocated VMs will count against
your scale set instance quota and you will be charged for your underlying disks.

It is important to note the difference between the stopped and the stopped-
deallocated virtual machine states.

A virtual machine can be stopped by connecting to it over Remote Desktop
Protocol and shutting it down from within Windows. However, the resources, CPU and
memory, are still allocated to that virtual machine, so it is still billed.

To deallocate a virtual machine you must initiate the stop from the Azure
portal by clicking Stop in that virtual machine's blade. Verify that the status of the
virtual machine is listed as stopped (deallocated). An excellent tool for identifying
unused virtual machines is Azure Advisor.

Azure allows you to purchase and use virtual machines using their pay-as-
you-go method. This method is suitable for short-term virtual machine
deployments and for development and testing environments. 

Another great way to reduce IaaS virtual machine costs is by using Azure
Reserved VM Instances. Reserved VM Instances allow you to prepay for
your virtual machines, up front, for one- or three-year periods. The cost
savings can be significant. A one-year purchase saves about 18% on your
compute costs, while a three-year purchase can save as much as 32%.
You will need to have a current pay-as-you-go or Microsoft Azure
Enterprise subscription to create Reserved VM Instances.

In addition to using Azure App Services, you can realize cost savings by
leveraging Azure Functions. Azure Functions allow you to run pieces of code,
known as functions, without having to provision any compute resources
yourself. Functions can perform a variety of tasks, including
processing data or orders, performing file maintenance, or just about anything
that needs to run on demand.
The advantage of Azure Functions over hosting your own code on a virtual
machine is that you don't have to deploy, manage and pay for IaaS virtual
machines to host your functions, if you choose the consumption plan.

Azure networking costs are strictly limited to egress or outbound
bandwidth. All incoming data to Azure data centers is free, while the cost of
outgoing data begins after the first five gigabytes per month and is tiered
based on usage.

Region-to-region data transfer within Azure incurs charges.

Availability-zone-to-availability-zone transfer within a region also incurs charges.

Data transfers within the same availability zone incur no charges, nor do data
transfers between a VNet resource in an availability zone and a public address
in the same Azure region.

The key to reducing network costs then is to deploy all of your resources
within the same region whenever possible.

When resources must be deployed to multiple regions, network costs can
be reduced by ensuring that the collection of resources in each region
operates autonomously from the others. For example, when deploying a
web application, ensure that all the resources needed by that application,
such as databases, queues, storage, et cetera, all reside within the same
region.

It's important to realize that when a virtual machine is deleted, any disks that
were attached to that virtual machine are not deleted. You will still incur
charges for these orphan disks that remain in your storage account.
Moreover, disk charges are based on the allocated size of the disk and not
the amount used.  So you should delete the unattached/unused disks.

If you use snapshots on blobs, monitor the snapshots and delete those
which are outdated or no longer needed. An even better way to avoid the
costs associated with snapshots is to implement a comprehensive backup
solution by deploying an Azure Recovery Vault. With the proper retention
policy for your backups, you can effectively eliminate the need for
snapshots in most cases.

For blob storage in General Purpose v2 accounts there are four storage
tiers to choose from: Premium, Hot, Cold, and Archive.

The Premium tier stores data on high-performance solid-state drives that are
optimized for lower latency and higher transactional rates compared to
traditional hard drives. But it's only available for block blob storage.

The Hot tier has the highest cost for storage but the lowest cost for access.
This tier is ideal for frequently read and written data, or staged data that will
eventually be moved to Cold storage. 

The Cold storage tier has a lower storage cost but higher access cost
compared with the Hot tier. This tier is best for data that will remain in this
tier for at least 30 days, such as short term backups or any infrequently
accessed data.

The Archive tier has the lowest storage cost but the highest access cost of
the four tiers. It is best suited for long-term backup storage, compliance, or
archival data that is rarely accessed.

Azure Active Directory

Azure Active Directory is Microsoft's multi-tenant, cloud-based directory and identity management
service. For an organization, Azure AD lets employees sign up to multiple services and access them
anywhere over the cloud with a single set of login credentials.

Whenever an organization or individual creates an Azure account, an Azure AD
directory is created automatically along with it; it authenticates all the users/groups that access
resources in a subscription.

Azure Storage account

Azure Storage is the cloud storage solution for modern applications that rely on durability,
availability, and scalability to meet the needs of their customers.
The very first thing you need in order to use storage in Azure is a storage account.

To use any storage type in Azure, you first have to create a storage account. After creating an
account, you can transfer data to or from services in your storage account. A storage account can
store up to 500 TB of data in the cloud.

Cost is related to the storage capacity, egress, transactions.

A storage account can be of two types:

1. General Purpose
2. Blob Storage

A general-purpose storage account gives you access to blobs, queues, files
and tables, all of these services in a unified account. A general-purpose storage account can be used to
store object data, can be used as a NoSQL data store, can be used to define and use queues for
message processing, and can set up file shares in the cloud.

- Azure Blobs: a massively scalable object store for text and binary data. Also includes
support for big data analytics through Data Lake Storage Gen2. Azure Blob storage is a
service that stores unstructured data in the cloud as objects/blobs. Blob storage can store any
type of text or binary data, such as a document, media file, or application
installer. Blob storage is also referred to as object storage.

Blob storage accounts are specialized in storing blob data and can also be used to choose
an access tier, which allows you to specify how frequently data in the account is accessed.

All blobs must be placed inside a container (the Azure equivalent of a bucket).

- Azure Files: managed file shares for cloud or on-premises deployments. A File Storage share
is an SMB file share in Azure. All directories and files must be created in a parent share. An
account can contain an unlimited number of shares, and a share can store an unlimited
number of files, up to the 5 TB total capacity of the file share.

Azure Files offers fully managed file shares in the cloud that are accessible via the industry
standard Server Message Block (SMB) protocol. Azure file shares can be mounted
concurrently by cloud or on-premises deployments of Windows, Linux, and macOS.

- Azure Disks: block-level storage volumes for Azure VMs. Designed for 99.999%
availability. With managed disks, all you have to do is specify the disk size, the disk type, and
provision the disk. Once you provision the disk, Azure handles the rest.

The available types of disks are ultra-disks, premium solid-state drives (SSD), standard SSDs,
and standard hard disk drives (HDD).

- Azure Tables: a NoSQL store for schemaless storage of structured data. The Azure
Table storage service stores large amounts of structured data. The service is a NoSQL
datastore which accepts authenticated calls from inside and outside the Azure cloud. Azure
tables are ideal for storing structured, non-relational data.

- Azure Queues: a messaging store for reliable messaging between application components.
Azure Queue storage is a service for storing large numbers of messages that can be accessed
from anywhere in the world via authenticated calls using HTTP or HTTPS. A
single queue message can be up to 64 KB in size, and a queue can contain millions of
messages, up to the total capacity limit of a storage account.

Azure Storage Explorer

Free tool to easily manage your Azure cloud storage resources anywhere, from Windows, macOS, or
Linux.

Upload, download, and manage Azure blobs, files, queues, and tables, as well as Azure Cosmos DB
and Azure Data Lake Storage entities. Easily access virtual machine disks, and work with either
Azure Resource Manager or classic storage accounts. Manage and configure cross-origin resource
sharing rules.

Use access keys to authenticate your applications when making requests to this Azure storage
account.

Shared access signature (SAS)

A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage
resources. You can provide a shared access signature to clients who should not be trusted with your
storage account key but to whom you wish to delegate access to certain storage account resources.

A client who is in possession of the SAS can make a request against Azure Storage with just the SAS
URI, and the information contained in the SAS token is used to authorize the request.

This can be applied both at blob/file level and at account level.


When you create a storage account, primary and secondary access keys are
created. Both of these keys can grant administrative access to your account
and all of the resources within it.

By using an SAS (shared access signature), you can provide a way to grant
limited access to objects and data that are stored inside your storage
account to the clients that connect to it. Using an SAS, you don't have to
expose your access keys to the clients.

There is also a connection string provided for each key, which can be used by
client applications to access the storage account.

Shared access signature

A shared access signature (SAS) is a URI that grants restricted access rights to Azure
Storage resources. You can provide a shared access signature to clients who should
not be trusted with your storage account key but to whom you wish to delegate access
to certain storage account resources. By distributing a shared access signature URI to
these clients, you grant them access to a resource for a specified period of time.
I generate the key, or generate the token. So, I have a URI down here, if I
zoom in a little bit, you can see it a little bit more clearly. And this is the URI
that I'll hand out to any client application that I want to have access to, this
particular access to my storage account.

With a shared access signature for a blob/file, the user accesses it via an HTTPS link.

With a shared access signature for an account, the user has to use Storage Explorer.
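As an added example serving both SAS descriptions above (not code from these notes or from Microsoft), the Python below builds a service SAS for one blob with an HMAC-SHA256 signature over the string-to-sign and then checks it the way the service would; it assumes the 2018-11-09 string-to-sign layout, and the account name, key, container and blob are constructed placeholders.

```python
"""Added example (not code from these notes or from Microsoft) of how a service
SAS for one blob is built and checked: the account key signs a fixed string,
and the client only ever receives the resulting query string. Assumes the
2018-11-09 string-to-sign layout; account, key, container and blob names are
constructed placeholders."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2018-11-09"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def _string_to_sign(account, container, blob, p):
    """Fields joined by newlines in the order the service expects; the unused
    ones (signedIdentifier, signedIP, snapshot time, response headers) stay empty."""
    canonical = f"/blob/{account}/{container}/{blob}"
    return "\n".join([p.get("sp", ""), p.get("st", ""), p.get("se", ""), canonical,
                      "", "", p.get("spr", ""), p.get("sv", ""), p.get("sr", ""),
                      "", "", "", "", "", ""])

def _sign(key_b64, account, container, blob, p):
    msg = _string_to_sign(account, container, blob, p).encode()
    return hmac.new(base64.b64decode(key_b64), msg, hashlib.sha256).digest()

def make_blob_sas(account, key_b64, container, blob, permissions, start, expiry):
    """Issue the SAS query string (sv, sr, sp, st, se, spr, sig) for one blob."""
    p = {"sv": SAS_VERSION, "sr": "b", "sp": permissions, "st": start.strftime(TIME_FMT),
         "se": expiry.strftime(TIME_FMT), "spr": "https"}
    p["sig"] = base64.b64encode(_sign(key_b64, account, container, blob, p)).decode()
    return urlencode(p)

def verify_blob_sas(account, key_b64, container, blob, query, now, scheme="https"):
    """Service-side check: recompute the MAC from the claimed parameters and
    reject tampering, a non-HTTPS request or use outside the validity window.
    Returns the granted permission string, or None when access is refused."""
    p = {k: v[0] for k, v in parse_qs(query).items()}
    if p.get("sv") != SAS_VERSION or p.get("sr") != "b":
        return None
    expected = _sign(key_b64, account, container, blob, p)
    if not hmac.compare_digest(expected, base64.b64decode(p.get("sig", ""))):
        return None                  # any edited field invalidates the signature
    if p.get("spr") == "https" and scheme != "https":
        return None
    start = datetime.strptime(p["st"], TIME_FMT).replace(tzinfo=timezone.utc)
    end = datetime.strptime(p["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    return p["sp"] if start <= now < end else None

# Constructed demo values: a 64-byte key, base64-encoded like the portal shows it.
DEMO_KEY = base64.b64encode(b"\x11" * 64).decode()
ACCOUNT, CONTAINER, BLOB = "examplestorage", "reports", "q1.pdf"

def demo():
    """Issue a one-hour read-only SAS; show it verifies, a copy with the
    permission widened to 'rw' fails, it is refused after expiry, and a
    plain-HTTP request is refused because the token was issued HTTPS-only."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    sas = make_blob_sas(ACCOUNT, DEMO_KEY, CONTAINER, BLOB, "r", t0, t0 + timedelta(hours=1))
    ok = verify_blob_sas(ACCOUNT, DEMO_KEY, CONTAINER, BLOB, sas, t0 + timedelta(minutes=5))
    widened = verify_blob_sas(ACCOUNT, DEMO_KEY, CONTAINER, BLOB,
                              sas.replace("sp=r&", "sp=rw&"), t0 + timedelta(minutes=5))
    expired = verify_blob_sas(ACCOUNT, DEMO_KEY, CONTAINER, BLOB, sas, t0 + timedelta(hours=2))
    plain_http = verify_blob_sas(ACCOUNT, DEMO_KEY, CONTAINER, BLOB, sas, t0, scheme="http")
    return ok, widened, expired, plain_http
```

The client holding the query string can use the blob for the hour with read permission only; it cannot widen the permissions or extend the expiry without the account key, because either change breaks the signature.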

Exposing blobs using HTTP endpoints

SAS tokens are used to provide discrete, narrow access to blobs.
Blobs can also be exposed through HTTP endpoints.

By default, any blob that you add to blob storage is not publicly accessible;
you have to opt in to that behaviour, but you can turn it on. Doing so allows
the blob to be accessed directly, without any extra tokens or any
other authentication.

Public access is controlled through the access policy. You set this at the container level,
not at the individual blob level: you set it on the blob's parent container.
By default, the access type is private.

Azure storage queues

Azure queue storage is a message-oriented data store often used to connect software
applications in a producer-consumer relationship where one or more applications are
writing input data to the queue, while others are reading from the queue and
performing downstream work on each message.

Azure Queue Storage can store multiple messages that we can access via HTTP
or HTTPS.

There are two queue technologies:

Storage queues, which are part of the Azure storage infrastructure.

Service Bus queues, which are part of a broader Azure messaging infrastructure.

Both technologies support poison message handling, that is the ability to
detect a message that has repeatedly been read but unsuccessfully
processed.

Azure File service (NFS)

This service is built on top of other Azure storage services.

The Azure File Service allows applications that run in Azure to share files
between virtual machines by using standard file system APIs such as
WriteFile or ReadFile.

Azure File Service can be the central location in which applications leave
configuration files. This is helpful when applications spread across VMs
since they'll still be able to read settings files from just one source.

Ultimately it is a File Share, so the most, you know, kind of most obvious
thing you can do would be to mount it in a Virtual Machine, so that we could
navigate the File system, or the files in the Share that way. You can do this
from Windows or from Linux, either one works well.

As it relies on the SMB protocol, you need to open port 445 through your
firewall on your local network so that the file share in Azure can be reached
from on-premises. In Azure VMs it is open automatically.

Azure Storage Disk service

Azure disks are highly optimized for hosting VHD disk images and providing
random access of data stored as page blobs.

You can create multiple disks per Azure storage account and attach multiple
disks to a single VM, but a single disk can be attached to at most one VM at a
time.

Disk snapshots are also possible which makes it easy to duplicate a complex
virtual machine setup or do point-in-time recovery from failures.

All virtual machines have at least two disks: an operating system disk and a
temporary disk. Both the operating system disk and the image are virtual hard
disks (VHDs) stored in an Azure storage account. The VHDs used in Azure are
.vhd files stored as page blobs in a standard or premium storage account in
Azure.

Virtual machines can also have one or more data disks that are also stored
as VHDs.

These disks can be added to an existing VM as data disks in addition to the
OS disk. Once attached, they need to be mounted on the VM.
