Hybrid cloud
- need to deploy resources to public cloud
- need Interal network to work
- part of itself is public cloud
OpEx / CapEx
- Operational Expenditure
- need to be considered while migration
- Capital Expenditure
- building a datacenter
- electricity bill
PaaS
- Azure backup
- Azure storage account
- Can add services for itself
- Azure logic app only runs at cloud
Resource group
- can't create resource group into another resource group
- Tags are not inherited to own resources
- Deleting resource group also deletes resources inside
- Resource group can have multiple owner!
- Can't assign azure blueprint to resource group
- only for subscription
- Locks are inherited to resources inside
Network Security Group / NSG
- Allow or Deny access
Firewall
- Access Rules
- single firewall can restrict multiple VNet
- To connect to VNet via internet, need to set NAT on firewall
Web app
- Free/Shared : 1GB - No load balancing
- Basic : 10GB - No load balancing
- Standard : 50GB
- Premium : 250GB
- Isolated : 1TB
Redundancy
- To Achieve least redundancy, need to deploy system in more than 2 availability zone.
For migration to on premise to VM, need to think about Operational Expenditure
- Can be saved with Azure.
Azure policies
- Manage the compliance of azure resource
- JSON format
Azure support plan : basic > developer > standard > professional direct
- from developer, can get general guidance about assessment of azure environment
- Health report 24/7 billing info access, notification starting from basic plan
- Every tier can open new support request
- create azure support request from azure portal
- standard plan is minimum tier for 24/7 access to support engineer by phone
- Only professional direct can use architectural review
Web app
- Free/Shared : 1GB - Not support Load balancing
- Basic : 10GB - Not support Load balancing
- Standard : 50GB
- Premium : 250GB
- Isolated : 1TB
Elasticity is not Expenditure model!
Create a azure resources automatically via Azure resource manager ( ARM )
- with template!
Azure devtest lab - can create 50 vm and delete it autumatically
- Quickly provision development/test environment
- minimize policies
- set automated shutdown for low cost
Azure point to site (P2S) VPN can be used to connect user and VNet
!! Encryption solution >> Azure Key vault!
- Store configuration secret for server! ( not clients )
Azure government only available on USA
Azure AD Identify protection
- Anon IP address use
- Malware linked ip
- Encourage to change password
- ...
Storage
- Storage cost is separated from VM cost, it'll cost even if vm is turned off
- Azure containers are the backbone of VM storage / IaaS
- Azure cosmos DB can store JSON Document ( NOSQL )
- Azure storage account saves files in 3 different location, but it is not a backup plan.
- Storage account level can only be hot or cool
- cool tier is for infrequent access not long term backup
- Azure databrick is based on apache spark
- Azure data lake can handle millions of sensor datas
- SQL server can't avoid billing by turn off.
Public cloud
- Possibly extend capacity of internal network by using public cloud
- Physical server can't be deployed on public cloud
VNET
- for on premise vpn, need local network gateway
- Gateway connect on-premise and vm
- Outbound transfer fee is charged for connection between two azure regions.
Microsoft Intune is SaaS service
Region > Availability zone > Data center
Azure AD
- Azure AD tenant can have multiple subscription, Azure subscription can't have multiple admin
- If subscription is expired, Azure AD remains in azure
- Can be managed by another subscriptions.
- Azure AD synchronize on premise AD and azure AD
Subscription
- Can't merge multiple subscriptions into single
- subscription limit can be raised via creating new support request
- there is only one admin account for each subscription
- subscription must be created for first step of migration
IOT
- IOT hub : Bidirectional communication between azure and iot
- IOT central : SaaS Solution to connect, monitor, manage IOT device
- Azure Sphere : Solution provides communication / security feature to IOT device
can buy third party solution at azure marketplace
Azure monitor
- can monitor on-premise server
- can collect events from multiple resources.
Azure service health can set alert rule for failure of services
Help and Support include service health option which affects availability
Azure machine learning designer build/test/deploy ai learning module
Azure advisor
- Can't make list of vms without backup
- only recommend, not require
- does not give security advise for azure AD
- help to optimize cost for vm
- does not give how to config vm network
azure powershell can be run on any system
Access compliance manager from Microsoft Service Trust Portal
Regional requirements are in Trust Center
Use Azure Advanced Threat Protection for monitor threat by sensors
Just In Time VM in azure security center allow lock down inbound traffic
Security Information / Event Management > Azure sentinel
- Azure sentinel remediate(교정하다) incidents automatically
- Azure sentinel analyze security log files from vm
- Azure sentinel playbook automatically respond to threat
Azure security center
- display security score
- show company's regulatory compliance report
- trust center is not a part of it.
DDos Protection is on Perimeter layer
Azure monitor workbook automate responses to threat
Authorization - does user have role?
Authentication - do id and pw right?
Azure blueprint can include zero or more ARM templates
Azure china is not operated by Microsoft
- Is distinct separate instance
Passport number is not valid MFA solution
Azure information Protection encrypt document / email
Policy to not allow does not delete existing resource
Service in private preview can be viewed in azure portal
To generate several billing report, use Tags
if MS close resource service, will provide notification at least 12 month before
Can remove spending limit, but can't increase or decrease
Vnet doesnt cost, Account also does not cost
Azure hybrid benefit : 온-프레미스 코어 기반 Windows Server 및 SQL Server 라이선스를 Azure로 가져올 수 있는 라이선스 혜택
Azure free account has 5GB storage limit, 10 web limit
Anyone can calculate Total Cost of Ownership ( TCO )
1 Azure free account per 1 MS account
SLA
- 서비스 수준 협약이라고 하며, 고객이 공급업체로부터 기대하는 서비스 수준을 기술한 문서입니다.
- SLA of multiple resource can be calculated by multiple of them
- SLA is kind of Availability
- Free tier of Azure AD does not provide SLA
CAN SEE COMPANY REGULATORY COMPLIANCE FROM
- AZURE SECURITY CENTER
DELEGATE SAME PERMISSON TO VMs
- USE SAME RESOURCE GROUP
AZURE STORAGE CAN HOLD UPTO 2PB ~ 500TB
AZURE TCO CALCULATOR
- Calculate a cost saving if migrated to azure environment.
USERS IN AZURE AD
- not organized by resource group
WINDOWS VIRTIAL DESKTOP SESSION
- host can run any os
- 20 session does not mean maximum 20 user can use it
Traffic between same region is ALWAYS FREE!
Trust center can also be accessed by user without subscription
Size is not everything for cost of VMs
Azure sentinel does not collec event from Azure storage account
- remediate automatically
- collect firewall log
NSG Does not encrypt every internet connection
NSG와 Firewall
Azure Firewall은 방화벽 장비로 가상 네트워크에 진입하려는 경우 정책에 의해 필터링을 제공하며 NSG의 경우 가상 네트워크 내에서 정책에 의해 필터링을 제공합니다.
조금 더 설명하자면, Azure Firewall은 외부에서 가상 네트워크로, 혹은 가상 네트워크에서 가상 네트워크로, 혹은 VPN이나 전용선을 통해 On-premises에서 가상 네트워크로 네트워크 트래픽이 들어오거나 나가려는 경우 특정 정책에 의해 필터링하는 것을 의미합니다. 가상 네트워크 입장에서는 네트워크 경계면에서 특정 정책에 의한 트래픽 필터링이라 할 수 있습니다.
NSG의 경우 가상 네트워크 내 가상 머신과 가상 머신, 가상 머신과 부하 분산 장치간 등의 네트워크 트래픽을 정책에 의해 제어합니다. Azure Firewall 없이 NSG만 사용하는 경우, NSG가 Azure Firewall을 대체하는 것 처럼 보이지만, 실제로는 가상 머신까지 네트워크 트래픽이 오고 가며 정책에 의해 필터링 되는 것이 NSG 입니다.
만능 컴덕후 겸 번지 팬