Microsoft Azure Core Concepts

An interactive learning atlas by mindal.app

This foundational guide to Microsoft Azure is organized around the core concepts of identity with Microsoft Entra ID (formerly Azure AD), compute services like Virtual Machines and App Service, and the main storage solutions. It covers Azure's comprehensive platform for building, managing, and deploying applications globally, emphasizing how these services integrate and interoperate to form robust cloud solutions.

Key Facts:

  • Microsoft Entra ID (formerly Azure AD) is Microsoft's cloud-based enterprise identity and access management (IAM) solution, providing secure access and features like SSO, MFA, Conditional Access, and RBAC.
  • Azure Virtual Machines (VMs) are an Infrastructure-as-a-Service (IaaS) offering providing customizable, virtualized compute resources suitable for development/testing, application hosting, and 'lift-and-shift' migrations.
  • Azure App Service is a Platform-as-a-Service (PaaS) offering designed for deploying and scaling web applications, mobile backends, and APIs, supporting various programming languages and CI/CD integration.
  • Azure Storage solutions offer diverse services like Blob, File, Table (now part of Cosmos DB), Queue, and Disk Storage for highly available, secure, and scalable data storage.
  • These core services (identity, compute, storage) integrate, for example, through Managed Identities for secure authentication between compute resources and storage, or by leveraging Azure AD for application user authentication.

Azure App Service

Azure App Service is a Platform-as-a-Service (PaaS) offering designed to simplify the deployment, management, and scaling of web applications, mobile backends, and RESTful APIs. It allows developers to focus on writing code without managing the underlying infrastructure.

Key Facts:

  • Azure App Service is a Platform-as-a-Service (PaaS) offering.
  • It simplifies deployment, management, and scaling of web applications, mobile backends, and RESTful APIs.
  • It supports popular web stacks including .NET, Java, Node.js, Python, and PHP, and containerized applications.
  • Key features include automatic scaling, built-in security, CI/CD integration, and custom domain support.
  • App Service Environments (ASEs) offer isolated and dedicated environments for high-scale applications.

Azure App Service vs. Azure Kubernetes Service (AKS)

This comparison highlights the fundamental differences between Azure App Service and Azure Kubernetes Service (AKS), two distinct Azure offerings for application deployment. While App Service is a fully managed PaaS offering ideal for simplicity, AKS provides a managed Kubernetes environment, offering granular control for complex containerized workloads.

Key Facts:

  • Azure App Service is a fully managed PaaS offering, abstracting infrastructure management.
  • Azure Kubernetes Service (AKS) is a container orchestration platform providing a managed Kubernetes environment.
  • App Service is suitable for simple web applications, REST APIs, and microservices without complex deployment needs.
  • AKS is designed for complex microservices architectures requiring flexibility and fine-grained control over containerized workloads.
  • App Service has predictable, plan-based pricing, while AKS pricing is based on consumed resources (VMs, storage, networking).

Continuous Integration/Continuous Deployment (CI/CD)

Azure App Service facilitates seamless CI/CD integration, automating the process of building, testing, and deploying applications. It supports various source control providers and involves a pipeline that includes source control integration, build pipelines for artifact creation, and release pipelines for automated deployment, often utilizing deployment slots for zero-downtime updates.

Key Facts:

  • Azure App Service supports CI/CD integration for automating application deployment.
  • It integrates with source control providers like GitHub, Azure Repos, and Bitbucket.
  • A typical CI/CD pipeline involves source control integration, build pipelines, and release pipelines.
  • Build pipelines compile code, run tests, and produce deployable artifacts upon code changes.
  • Deployment slots enable zero-downtime deployments by allowing new versions to be tested in staging before swapping with production.

Custom Domain and SSL Configuration

Azure App Service allows users to configure custom domain names, replacing default URLs with branded addresses. This process involves DNS record creation and validation. To secure these domains, Azure App Service supports SSL/TLS certificates, offering options for users to bring their own or utilize Azure's free Managed Certificates to enable HTTPS.

Key Facts:

  • Azure App Service enables custom domain names to replace the default azurewebsites.net URL.
  • Configuration involves adding the custom domain in the Azure portal and creating necessary DNS records (A record or CNAME).
  • SSL/TLS certificates are supported for securing custom domains and enabling HTTPS.
  • Users can bring their own SSL certificates or use Azure's free App Service Managed Certificates.
  • Once obtained, certificates must be bound to the custom domain within App Service settings for secure communication.

Azure Blob Storage

Azure Blob Storage is a service designed for storing massive amounts of unstructured data, such as images, videos, audio files, logs, and backups. It is highly scalable and cost-effective for data that doesn't require frequent access, making it suitable for large datasets for analytics.

Key Facts:

  • Azure Blob Storage is designed for massive amounts of unstructured data.
  • It is highly scalable and cost-effective for data that doesn't require frequent access.
  • Typical use cases include storing images, videos, audio files, logs, and backups.
  • It is a component of Azure Storage Solutions, which offers high availability, durability, and scalability.
  • A storage account serves as a centralized container for managing Blob storage and other storage resources.

Azure Blob Storage Access Tiers

Azure Blob Storage Access Tiers are designed to optimize storage costs based on data access frequency, offering different pricing models and performance characteristics. These tiers allow users to match storage costs with the actual usage patterns of their data.

Key Facts:

  • Hot Tier is for frequently accessed data with the lowest latency and highest performance, but highest storage costs.
  • Cool Tier is for infrequently accessed data, offering lower storage costs than Hot but higher access costs, recommended for data stored for a minimum of 30 days.
  • Cold Tier is optimized for rarely accessed data requiring fast retrieval, with lower storage costs than Cool and higher access costs, recommended for data stored for a minimum of 90 days.
  • Archive Tier is the most cost-effective for rarely accessed data with flexible latency, requiring data rehydration for access and recommended for data stored for a minimum of 180 days.
  • Data in the Archive tier is offline and must be rehydrated to an online tier before it can be read or modified, a process that can take up to 15 hours.

Azure Blob Storage Lifecycle Management Policies

Azure Blob Storage Lifecycle Management Policies automate the movement of data between access tiers and its deletion, based on predefined rules. This mechanism ensures data resides in the most cost-effective tier according to its usage patterns, thereby optimizing storage costs.

Key Facts:

  • Policies automatically transition blobs to cooler storage tiers or delete them based on access/modification patterns and age.
  • A policy consists of rules with unique identifiers, status (enabled/disabled), conditions, filters, and actions (tiering or deletion).
  • Rules can be applied to an entire storage account, specific containers, or subsets of blobs using prefixes or index tags.
  • Lifecycle policies are evaluated by the system typically once a day, with changes taking up to 24 hours to become effective and actions up to 48 hours to complete.
  • Lifecycle management itself is free, though users are billed for standard 'Set Blob Tier API' operation costs; delete operations are free.
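The rule structure and evaluation order described above, as an added example that is not from the atlas: a constructed policy in the lifecycle management JSON shape (name, enabled flag, type, filters, baseBlob actions), a check that its tiering thresholds respect the minimum stays listed in the access-tier section, and a function that predicts which action the policy would take on a blob today (when several actions apply, the least expensive wins). Rule names, prefixes, thresholds and blob names are constructed.

```python
from datetime import datetime, timedelta, timezone

# Recommended minimum stay per tier (days), taken from the access-tier notes.
MIN_DAYS = {"tierToCool": 30, "tierToCold": 90, "tierToArchive": 180}

# Cheapest-first ranking: when several actions apply to one blob, lifecycle
# management applies the least expensive one (delete beats archive, and so on).
ACTION_RANK = {"delete": 0, "tierToArchive": 1, "tierToCold": 2, "tierToCool": 3}

# Constructed policy document in the lifecycle management JSON shape.
POLICY = {
    "rules": [
        {
            "enabled": True,
            "name": "age-out-logs",
            "type": "Lifecycle",
            "definition": {
                "filters": {"blobTypes": ["blockBlob"], "prefixMatch": ["logs/"]},
                "actions": {
                    "baseBlob": {
                        "tierToCool": {"daysAfterModificationGreaterThan": 30},
                        "tierToCold": {"daysAfterModificationGreaterThan": 90},
                        "tierToArchive": {"daysAfterModificationGreaterThan": 180},
                        "delete": {"daysAfterModificationGreaterThan": 365},
                    }
                },
            },
        },
        {
            # Deliberately below the 180-day archive minimum; validate_policy flags it.
            "enabled": True,
            "name": "archive-tmp-too-early",
            "type": "Lifecycle",
            "definition": {
                "filters": {"blobTypes": ["blockBlob"], "prefixMatch": ["tmp/"]},
                "actions": {"baseBlob": {"tierToArchive": {"daysAfterModificationGreaterThan": 7}}},
            },
        },
        {
            # Disabled rules are never evaluated, however aggressive their actions.
            "enabled": False,
            "name": "delete-everything",
            "type": "Lifecycle",
            "definition": {
                "filters": {"blobTypes": ["blockBlob"]},
                "actions": {"baseBlob": {"delete": {"daysAfterModificationGreaterThan": 1}}},
            },
        },
    ]
}


def validate_policy(policy):
    """Warn about enabled rules that move blobs to a tier sooner than the
    recommended minimum stay for that tier (early moves can cost more)."""
    warnings = []
    for rule in policy["rules"]:
        if not rule["enabled"]:
            continue
        base = rule["definition"]["actions"].get("baseBlob", {})
        for action, minimum in MIN_DAYS.items():
            days = base.get(action, {}).get("daysAfterModificationGreaterThan")
            if days is not None and days < minimum:
                warnings.append(
                    f"{rule['name']}: {action} after {days} days is below the {minimum}-day minimum"
                )
    return warnings


def plan_action(policy, blob_name, last_modified, now):
    """Return the action the policy would take on one blob, or None.

    Only enabled rules whose prefix filter matches are considered; of the
    actions whose age threshold is exceeded, the least expensive one wins.
    """
    age_days = (now - last_modified).days
    candidates = []
    for rule in policy["rules"]:
        if not rule["enabled"]:
            continue
        prefixes = rule["definition"].get("filters", {}).get("prefixMatch", [""])
        if not any(blob_name.startswith(p) for p in prefixes):
            continue
        for action, cond in rule["definition"]["actions"].get("baseBlob", {}).items():
            if age_days > cond["daysAfterModificationGreaterThan"]:
                candidates.append(action)
    return min(candidates, key=ACTION_RANK.__getitem__) if candidates else None


def demo(now=datetime(2024, 6, 1, tzinfo=timezone.utc)):
    """Evaluate the constructed policy against a few constructed blobs."""
    ages = {"logs/app.log": 45, "logs/old.log": 200, "tmp/scratch.bin": 10, "images/a.png": 400}
    return {name: plan_action(POLICY, name, now - timedelta(days=d), now) for name, d in ages.items()}


if __name__ == "__main__":
    print(validate_policy(POLICY))
    print(demo())
```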

Shared Access Signatures (SAS)

Shared Access Signatures (SAS) provide a secure and granular way to grant limited, time-restricted access to resources within an Azure storage account without exposing the account keys. SAS tokens are URI-based and specify permissions, validity periods, and accessible resources.

Key Facts:

  • SAS tokens offer granular control over actions (read, write, delete), access duration, and specific resources.
  • A SAS is a URI containing a signed portion that grants restricted access rights to Azure Storage resources.
  • Service SAS grants access to specific resources within a service (e.g., a blob), while Account SAS offers broader access across multiple services.
  • User Delegation SAS, secured with Microsoft Entra credentials, provides superior security and is recommended for Blob Storage.
  • Best practices include granting minimal permissions, using short-lived SAS tokens, leveraging stored access policies for revocation, and always delivering SAS over HTTPS.
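The checks behind those best practices, as an added example that is not from the atlas: an audit routine that parses a SAS URI's signed query parameters (sp, st, se, spr, si, skoid, ss/srt, sig) and flags permissions beyond an allow-list, lifetimes beyond a ceiling, tokens not restricted to HTTPS, and tokens signed with an account key rather than Entra credentials. The sample URIs, the contoso account name and the signature values are constructed; the permission allow-list and lifetime ceiling are this example's own policy, not Azure settings.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Meaning of the permission letters carried in the signed 'sp' parameter.
PERMISSIONS = {"r": "read", "a": "add", "c": "create", "w": "write",
               "d": "delete", "l": "list", "t": "tag"}

# Constructed sample tokens; the 'sig' values are placeholders, not real HMACs.
OVERLY_BROAD_SAS = (
    "https://contoso.blob.core.windows.net/backups/db.bak"
    "?sv=2022-11-02&sr=b&sp=rwd"
    "&st=2024-06-01T00:00:00Z&se=2025-06-01T00:00:00Z&sig=CONSTRUCTED"
)
LEAST_PRIVILEGE_SAS = (
    "https://contoso.blob.core.windows.net/backups/db.bak"
    "?sv=2022-11-02&sr=b&sp=r&spr=https"
    "&st=2024-06-01T00:00:00Z&se=2024-06-01T00:30:00Z"
    "&skoid=00000000-0000-0000-0000-000000000000&sig=CONSTRUCTED"
)
NOW = datetime(2024, 6, 1, 0, 5, tzinfo=timezone.utc)  # constructed "current time"


def parse_sas(uri):
    """Split a SAS URI into its resource URL parts and its signed parameters."""
    parts = urlsplit(uri)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts, params


def parse_sas_time(value):
    """SAS timestamps are UTC ISO 8601, with or without a time component."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%dZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value}")


def sas_kind(params):
    """User delegation SAS carries the delegation key object id (skoid);
    account SAS carries signed services/resource types (ss/srt); else service."""
    if "skoid" in params:
        return "user delegation"
    if "ss" in params or "srt" in params:
        return "account"
    return "service"


def audit_sas(uri, now=NOW, allowed_permissions="r", max_lifetime=timedelta(hours=1)):
    """Return a list of findings; an empty list means the token meets the policy."""
    parts, p = parse_sas(uri)
    if "sig" not in p:
        return ["no 'sig' parameter: not a SAS URI"]
    findings = []
    if parts.scheme != "https":
        findings.append("token delivered over plain HTTP")
    if p.get("spr") != "https":
        findings.append("spr does not restrict use to HTTPS only")
    excess = "".join(ch for ch in p.get("sp", "") if ch not in allowed_permissions)
    if excess:
        names = ", ".join(PERMISSIONS.get(ch, ch) for ch in excess)
        findings.append(f"permissions beyond least privilege: {names}")
    if "se" in p:
        expiry = parse_sas_time(p["se"])
        if expiry <= now:
            findings.append("token has expired")
        start = parse_sas_time(p["st"]) if "st" in p else now
        if expiry - start > max_lifetime:
            findings.append(f"lifetime {expiry - start} exceeds {max_lifetime}")
    elif "si" not in p:
        findings.append("no expiry (se) and no stored access policy (si) to revoke through")
    kind = sas_kind(p)
    if kind != "user delegation":
        findings.append(f"{kind} SAS is signed with an account key; prefer user delegation SAS")
    return findings


if __name__ == "__main__":
    for label, uri in (("overly broad", OVERLY_BROAD_SAS), ("least privilege", LEAST_PRIVILEGE_SAS)):
        print(label, audit_sas(uri) or ["ok"])
```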

Azure Disk Storage

Azure Disk Storage provides durable, high-performance, and highly available disk-based storage volumes specifically for Azure Virtual Machines. It includes various disk types such as Ultra Disks, Premium SSDs, Standard SSDs, and Standard HDDs, used for operating system disks, data disks, and databases.

Key Facts:

  • Azure Disk Storage provides durable, high-performance, and highly available disk volumes.
  • It is specifically designed for use with Azure Virtual Machines.
  • Disk types include Ultra Disks, Premium SSDs, Standard SSDs, and Standard HDDs.
  • It is used for operating system disks, data disks, and databases.
  • Managed disks simplify disk management for Azure VMs by handling storage accounts internally.

Azure Disk Types

Azure Disk Storage offers various disk types, including Ultra Disks, Premium SSD v2, Premium SSDs, Standard SSDs, and Standard HDDs, each tailored for different performance, latency, and cost requirements. These types are designed to support a wide range of workloads from high-performance databases to cost-effective archival storage.

Key Facts:

  • Ultra Disks offer the highest performance with up to 160,000 IOPS and 4,000 MB/s throughput, ideal for data-intensive workloads.
  • Premium SSDs provide excellent durability and high performance for mission-critical applications like production SQL Server.
  • Standard SSDs balance cost and performance for general-purpose tasks and development environments.
  • Standard HDDs are the most cost-effective option for latency-tolerant workloads and backups.
  • Ultra Disks allow capacity, IOPS, and throughput to be configured independently of one another.

Key Features and Benefits of Azure Disk Storage

Azure Disk Storage provides high-performance, durable, and highly available block storage volumes for Azure Virtual Machines, offering key benefits such as high availability, simplified management through managed disks, scalability, cost efficiency, and robust security features.

Key Facts:

  • Managed disks are designed for 99.999% availability with data persistence ensured by three replicas.
  • Azure Disk Storage simplifies management by abstracting storage account complexities, handling provisioning and maintenance.
  • It offers high scalability, supporting up to 50,000 VM disks per region per subscription.
  • Cost efficiency comes from scaling disks to match traffic and from snapshots being billed only for the data actually used, not the provisioned size.
  • Security features include encryption for data at rest and in transit, and Role-Based Access Control (RBAC).

Managed Disks vs. Unmanaged Disks

Azure Disk Storage offers both Managed Disks and Unmanaged Disks, with Managed Disks simplifying disk management by abstracting storage accounts and blobs, providing higher availability and easier scalability. Unmanaged Disks require users to manually manage the underlying storage accounts, leading to higher overhead.

Key Facts:

  • Managed disks simplify disk management by abstracting storage account complexities.
  • Managed disks provide 99.999% availability and handle provisioning, scaling, and maintenance.
  • Unmanaged disks require users to create and manage the storage accounts holding VHD files.
  • Microsoft recommends Managed Disks for new workloads due to simplicity, scalability, and enhanced features.
  • Managed Disks offer better reliability when used with Azure Availability Sets.

Optimizing Azure Disk Performance for SQL Server VMs

Optimizing Azure Disk performance for SQL Server VMs involves considering workload requirements, selecting appropriate disk types and caching strategies, implementing disk striping (RAID 0), and continuous monitoring and adjustment. This ensures efficient data processing and low latency for database operations.

Key Facts:

  • Workload requirements for IOPS and throughput must be understood for system binaries, database files, tempdb, and backup files.
  • Premium SSDs (P30, P40, P80) are recommended for production SQL Server data and log files due to performance and caching support.
  • Ultra Disks or Premium SSD v2 are suitable for very high IOPS (over 160,000) and low-latency SQL Server workloads.
  • Caching strategies include 'Read-Only' for data disks to improve latency and 'No caching' for write-heavy log files.
  • Disk striping (RAID 0) can increase IOPS and throughput by combining multiple disks, and continuous monitoring helps adjust performance tiers.

Use Cases for Azure Disk Storage

Azure Disk Storage is essential for a wide range of workloads, including relational and NoSQL databases, clustered applications requiring high availability, backup and disaster recovery solutions, containerized workloads on Kubernetes, and data-intensive applications on Azure VMware Solution.

Key Facts:

  • Supports relational and NoSQL databases like SAP HANA, SQL Server, Oracle, and MongoDB with consistent low latency.
  • Enables migration of on-premises high-availability clustered applications to Azure, including shared disks for Windows and Linux.
  • Facilitates backup and disaster recovery through point-in-time snapshots, reducing recovery times and costs.
  • Provides high-performance, low-latency block storage for mission-critical containerized workloads on Kubernetes.
  • Leveraged for data-intensive and transaction-heavy workloads within the Azure VMware Solution.

Azure File Storage

Azure File Storage provides managed cloud file shares accessible via the industry-standard Server Message Block (SMB) protocol. It is ideal for shared file storage for collaboration, 'lift-and-shift' applications requiring file shares, and can be mounted on Windows, macOS, and Linux clients.

Key Facts:

  • Azure File Storage provides managed cloud file shares.
  • It is accessible via the industry-standard Server Message Block (SMB) protocol.
  • It is ideal for shared file storage, collaboration, and 'lift-and-shift' applications.
  • File shares can be mounted on Windows, macOS, and Linux clients.
  • It offers high availability, durability, and scalability as part of Azure Storage Solutions.

Azure File Storage Capabilities and Use Cases

Azure File Storage provides managed cloud file shares accessible via SMB and NFS protocols, offering versatile solutions for various scenarios. It is ideal for modernizing applications, supporting shared storage for VMs, replacing on-premises file servers, and enabling hybrid cloud environments with Azure File Sync.

Key Facts:

  • Azure File Storage is accessible via industry-standard Server Message Block (SMB) and Network File System (NFS) protocols.
  • It supports 'lift-and-shift' applications, allowing migration to the cloud without significant code changes.
  • Azure File Storage can serve as shared storage for multiple virtual machines and replace on-premises file servers.
  • It provides centralized storage for configuration files, logs, metrics, and crash dumps.
  • Azure File Sync extends Azure File Storage to on-premises Windows Servers for hybrid cloud file sharing with cloud tiering.

Azure File Storage Data Redundancy

Azure File Storage offers multiple data redundancy options to ensure high availability and durability against various failures. These options range from localized replication within a datacenter to geo-replication across distant regions, protecting data from hardware failures, power outages, and regional disasters.

Key Facts:

  • Locally Redundant Storage (LRS) replicates data three times within a single datacenter for high durability.
  • Zone-Redundant Storage (ZRS) replicates data synchronously across three Azure availability zones within the primary region.
  • Geo-Redundant Storage (GRS) replicates data to a secondary, geographically distant region for disaster recovery.
  • Geo-Zone-Redundant Storage (GZRS) combines ZRS in the primary region with geo-replication to a secondary region.
  • Redundancy options are crucial for protecting data from various types of failures, including hardware issues and regional disasters.

Azure File Storage Performance Tiers

Azure File Storage offers Standard and Premium performance tiers to match diverse workload demands. The Standard tier uses HDDs for cost-effective general-purpose storage, while the Premium tier utilizes SSDs for high-performance, low-latency applications like databases and analytics.

Key Facts:

  • The Standard tier uses Hard Disk Drives (HDDs) and is cost-effective for general-purpose file sharing and backup.
  • The Premium tier utilizes Solid-State Drives (SSDs) for high-performance workloads requiring low latency.
  • Premium file shares are suitable for databases, analytics, and virtual desktops.
  • Premium shares support Locally Redundant Storage (LRS) and Zone-Redundant Storage (ZRS) but not Geo-Redundant Storage (GRS).
  • Standard shares support geo-redundancy options.

Azure File Storage Security

Security in Azure File Storage is comprehensive, encompassing encryption for data at rest and in transit, robust access controls, and methods for secure access. It leverages Microsoft Entra ID integration and Shared Access Signatures to manage permissions and secure data throughout its lifecycle.

Key Facts:

  • Data in Azure File Storage is automatically encrypted at rest, using Microsoft-managed or customer-managed keys.
  • Data in transit is encrypted using HTTPS and TLS protocols for secure transfer.
  • Access controls are managed through integration with Microsoft Entra ID and Role-Based Access Control (RBAC).
  • Shared Access Signatures (SAS) provide temporary, limited access to storage resources without exposing account keys.
  • Security measures ensure data confidentiality, integrity, and availability within Azure Files.

Mounting Azure File Share

Azure File Shares can be mounted on various operating systems, including Windows, macOS, and Linux, using SMB or NFS protocols. The Azure portal provides guided instructions and scripts, and persistent mounts on Linux can be configured via `/etc/fstab` for automatic access upon VM boot.

Key Facts:

  • Azure File Shares can be mounted on Windows, macOS, and Linux clients.
  • Mounting is supported via SMB and NFS protocols, depending on the client OS and share configuration.
  • The Azure portal offers step-by-step instructions and scripts to simplify the mounting process.
  • For persistent mounts on Linux VMs, entries can be added to the `/etc/fstab` file.
  • Successful mounting enables seamless file access from client machines as if the shares were local drives.

Azure Table Storage

Azure Table Storage is a NoSQL key-value store for structured, non-relational data, designed for scalability and cost-effectiveness. It is suitable for storing large volumes of data that do not require complex queries or relationships, such as user data for web applications, telemetry, and logging information. Azure Table Storage is now part of Azure Cosmos DB.

Key Facts:

  • Azure Table Storage is a NoSQL key-value store for structured, non-relational data.
  • It is highly scalable and cost-effective for large volumes of data.
  • It is suitable for data that does not require complex queries or relationships.
  • Examples of use include user data for web applications, telemetry data, and logging information.
  • Azure Table Storage is now part of Azure Cosmos DB.

Azure Table Storage Use Cases

Azure Table Storage is particularly well-suited for specific applications that involve storing large quantities of structured, non-relational data without complex query requirements. These applications commonly include user data for web applications, telemetry from IoT devices, logging information, and metadata storage for cloud applications.

Key Facts:

  • Ideal for user data in web applications (profiles, session data).
  • Suitable for telemetry and logging information, including IoT device data.
  • Used for catalog and shopping cart data in e-commerce.
  • Effective for storing metadata for cloud applications.
  • Best for datasets not requiring complex joins, foreign keys, or stored procedures.

Migration to Azure Cosmos DB Table API

Azure Table Storage has been integrated into Azure Cosmos DB, offering an upgrade path to the Azure Cosmos DB Table API for enhanced features. This migration provides benefits such as global distribution, guaranteed low latency, automatic indexing, and multiple consistency levels, often requiring only a connection string change due to the shared data model and operations.

Key Facts:

  • Azure Table Storage is now part of Azure Cosmos DB.
  • Migration to Azure Cosmos DB Table API offers enhanced features.
  • Benefits include global distribution and guaranteed low latency.
  • Automatic indexing on all properties is available in Cosmos DB Table API.
  • Migration can be straightforward, often only requiring a connection string change using tools like dt.exe.

NoSQL Key-Value Store

Azure Table Storage operates as a NoSQL key-value store, designed for structured, non-relational data, employing a schemaless design where tables can contain entities with diverse properties. Each entity within this structure is uniquely identified by a combination of a Partition Key and a Row Key.

Key Facts:

  • Azure Table Storage is a NoSQL key-value store.
  • It stores structured, non-relational data.
  • Data is organized in a schemaless design, allowing entities with different properties.
  • Each entity is uniquely identified by a Partition Key and a Row Key.
  • The data model is straightforward, facilitating efficient storage and retrieval.

Pricing Model and Redundancy Options

The pricing for Azure Table Storage is primarily determined by the amount of data stored and the number of transactions performed, offering a transparent cost structure. Users can also choose from various redundancy options like Locally Redundant Storage (LRS), Geo-Redundant Storage (GRS), and Read-Access Geo-Redundant Storage (RA-GRS) to meet different availability and disaster recovery needs, each with varying cost implications.

Key Facts:

  • Pricing is based on the amount of data stored in GB.
  • Pricing also accounts for the number of operations (transactions) performed.
  • Redundancy options include Locally Redundant Storage (LRS).
  • Geo-Redundant Storage (GRS) provides cross-region data replication.
  • Read-Access Geo-Redundant Storage (RA-GRS) allows read access to the secondary region.

Scalability and Cost-Effectiveness

Azure Table Storage is engineered for high scalability, capable of handling petabytes of structured data by scaling horizontally to accommodate growing data volumes and unpredictable workloads. This scalability is coupled with a cost-effective, pay-as-you-go pricing model, making it a budget-friendly option for storing massive datasets.

Key Facts:

  • Azure Table Storage is highly scalable for massive amounts of structured data.
  • It scales horizontally to manage growing data volumes and unpredictable workloads.
  • It can store petabytes of semi-structured data.
  • Pricing is based on a pay-as-you-go model.
  • It is considered a budget-friendly option for large data volumes.

Azure Virtual Machines

Azure Virtual Machines (VMs) are a core Infrastructure-as-a-Service (IaaS) offering within Microsoft Azure, providing customizable, virtualized compute resources. They emulate physical computers with virtual processors, memory, storage (disks), and networking components, giving users significant control over the operating system and software.

Key Facts:

  • Azure VMs are an Infrastructure-as-a-Service (IaaS) offering.
  • They provide virtualized computing instances with control over the operating system and software.
  • Use cases include development/testing environments, hosting applications, extending on-premises data centers, and disaster recovery.
  • Features include scalability via Virtual Machine Scale Sets and high availability using Availability Zones and Availability Sets.
  • They offer various disk storage options like Ultra Disks, Premium SSDs, Standard SSDs, and Standard HDDs.

Availability Sets

Availability Sets are a foundational Azure feature designed to ensure high availability for Virtual Machines by distributing them across different fault domains and update domains within a single Azure datacenter. This protects applications from single points of failure related to hardware issues or planned maintenance.

Key Facts:

  • Availability Sets logically group VMs within a single Azure datacenter.
  • They distribute VMs across different fault domains (physical racks) to protect against power, network, or server hardware failures.
  • VMs are also distributed across update domains to ensure they do not all reboot simultaneously during planned Azure maintenance.
  • Availability Sets provide a cost-effective way to achieve basic redundancy for applications within a datacenter.
  • They are suitable for workloads that can tolerate minor disruptions within a single datacenter, offering a 99.95% SLA for VMs.

Availability Zones

Availability Zones (AZs) represent a higher level of fault tolerance in Azure, comprising physically separate datacenters within an Azure region, each with independent power, cooling, and networking. Deploying VMs across AZs protects applications against datacenter-wide failures, making them ideal for mission-critical workloads requiring maximum resilience.

Key Facts:

  • Availability Zones provide fault tolerance by being physically isolated datacenters within an Azure region.
  • Each AZ has independent power, cooling, and networking, ensuring resilience against localized failures.
  • Deploying VMs across AZs protects against full datacenter outages, crucial for mission-critical applications.
  • While there are no direct charges for AZs, inter-zone network traffic may incur egress charges.
  • Availability Zones are designed to offer a 99.99% SLA for VMs when deployed correctly across multiple zones.

Azure IaaS Offering

Azure Virtual Machines (VMs) are a foundational Infrastructure-as-a-Service (IaaS) offering within Microsoft Azure, providing virtualized compute resources. This model gives users extensive control over the operating system and installed software, emulating physical computers in a cloud environment.

Key Facts:

  • Azure VMs are categorized as Infrastructure-as-a-Service (IaaS), meaning Microsoft manages the underlying infrastructure, while users manage operating systems, applications, and data.
  • They provide virtualized computing instances, offering a high degree of control over the software stack.
  • Azure VMs mimic physical computers, complete with virtual processors, memory, storage (disks), and networking components.
  • Use cases range from development/testing environments and application hosting to disaster recovery and extending on-premises data centers.
  • IaaS offerings like Azure VMs contrast with PaaS (Platform-as-a-Service) and SaaS (Software-as-a-Service) by providing more user control over the virtualized infrastructure.

Azure Virtual Machine Scale Sets (VMSS)

Azure Virtual Machine Scale Sets (VMSS) allow for the deployment and management of a group of identical, auto-scaling Virtual Machines. They are crucial for handling varying workloads by automatically adding or removing VM instances based on predefined metrics, schedules, or AI-driven predictions, ensuring optimal performance and resource utilization.

Key Facts:

  • VMSS enables the deployment and management of identical, load-balanced VMs as a single unit.
  • They provide automatic scaling capabilities, adjusting the number of VM instances based on demand.
  • Best practices include using zone-redundant deployments for geographical distribution and the Max Spreading algorithm for fault domain distribution.
  • Application health monitoring with automatic instance repair can be configured within VMSS.
  • Overprovisioning improves deployment success rates and reduces deployment time; it is supported primarily in Uniform Orchestration mode.

High Availability and Scalability

High Availability and Scalability are critical features for Azure Virtual Machines, ensuring applications remain operational and performant under varying loads. Azure achieves this through services like Virtual Machine Scale Sets, Availability Sets, and Availability Zones, each providing different levels of fault tolerance and resource management.

Key Facts:

  • Scalability ensures that VM instances can be automatically added or removed to match workload demands, maintaining performance and cost efficiency.
  • High availability mechanisms protect applications against various types of failures, from individual VM outages to entire datacenter disruptions.
  • Azure Virtual Machine Scale Sets (VMSS) enable deployment and management of identical, auto-scaling VM groups based on metrics or schedules.
  • Availability Sets distribute VMs across different fault and update domains within a single datacenter to protect against hardware failures and planned maintenance.
  • Availability Zones offer the highest level of fault tolerance by deploying VMs across physically separate datacenters within a region, protecting against datacenter-wide failures.

Migration of On-Premises Applications to Azure IaaS VMs

Migrating on-premises Virtual Machines and applications to Azure IaaS offers significant benefits, including enhanced scalability, robust security measures, and seamless integration with other Microsoft cloud services. This process typically involves a structured approach encompassing assessment, strategic planning, and the use of specialized Azure tools for execution.

Key Facts:

  • Migration to Azure IaaS VMs provides scalability, extensive security, and integration with other Microsoft tools.
  • The initial phase involves assessment and planning, identifying application dependencies and defining timelines.
  • Azure Migrate is a centralized hub for discovering, assessing, and migrating on-premises workloads.
  • Migration strategies include 'Rehost' (lift and shift) for minimal changes, 'Refactor' to take advantage of PaaS, and 'Rearchitect' to build on cloud-native services.
  • Azure Site Recovery (ASR) is a key tool for replicating VMs and enabling disaster recovery during the migration process.

Microsoft Entra ID

Microsoft Entra ID, formerly Azure Active Directory, is Microsoft's cloud-based enterprise identity and access management solution. It provides secure access to a wide range of resources including Microsoft 365, Azure services, Dynamics 365, Power Platform, and thousands of third-party SaaS applications.

Key Facts:

  • Microsoft Entra ID was formerly known as Azure Active Directory (Azure AD).
  • It is a cloud-based enterprise identity and access management (IAM) solution.
  • It provides secure access to Microsoft 365, Azure services, Dynamics 365, Power Platform, and third-party SaaS applications.
  • Key features include Single Sign-On (SSO), Multi-Factor Authentication (MFA), Conditional Access, and Role-Based Access Control (RBAC).
  • It integrates seamlessly with on-premises Active Directory environments.

Hybrid Identity Management

Hybrid Identity Management refers to the seamless integration of on-premises Active Directory with Microsoft Entra ID, creating a unified identity experience across both cloud and local environments. This approach is common for organizations transitioning to the cloud, utilizing tools like Microsoft Entra Connect for synchronization and various authentication methods.

Key Facts:

  • Hybrid identity unifies on-premises Active Directory and Microsoft Entra ID.
  • Microsoft Entra Connect is the primary tool for synchronizing identities between environments.
  • Authentication methods include Password Hash Synchronization (PHS) and Pass-through Authentication (PTA).
  • It provides a consistent sign-in experience for users accessing both cloud and on-premises resources.
  • Traditional Active Directory is designed for on-premises, while Microsoft Entra ID is cloud-native.

Identity and Access Management (IAM)

Identity and Access Management (IAM) is the security framework that enables the right individuals to access the right resources at the right times for the right reasons. Microsoft Entra ID serves as a cloud-based IAM solution, centralizing user authentication, access controls, and governance across various environments.

Key Facts:

  • IAM systems manage user authentication, authorization, and access controls.
  • Microsoft Entra ID is Microsoft's cloud-based IAM solution.
  • It provides secure access to Microsoft 365, Azure services, Dynamics 365, Power Platform, and third-party SaaS applications.
  • IAM is critical for enforcing security policies and ensuring compliance.
  • It encompasses processes like user provisioning, de-provisioning, and access review.

Key Features of Microsoft Entra ID

Microsoft Entra ID offers a suite of key features designed to enhance security, user experience, and administrative control over access to resources. These features include Single Sign-On (SSO), Multi-Factor Authentication (MFA), Conditional Access, and Role-Based Access Control (RBAC), which are fundamental for modern identity management.

Key Facts:

  • Single Sign-On (SSO) allows users to access multiple applications with one set of credentials.
  • Multi-Factor Authentication (MFA) requires more than one method of verification for user identity.
  • Conditional Access enables policy-based access decisions based on user, device, location, and risk level.
  • Role-Based Access Control (RBAC) grants permissions based on a user's organizational role, adhering to the principle of least privilege.
  • Identity Protection detects and remediates identity-based risks using machine learning.

Managed Identities for Azure Resources

Managed Identities for Azure Resources provide Azure services with an automatically managed identity in Microsoft Entra ID, eliminating the need for developers to manage credentials in code. This simplifies authentication for Azure services accessing other Microsoft Entra ID-protected resources, enhancing security and operational efficiency.

Key Facts:

  • Managed identities enable Azure services to authenticate to Microsoft Entra ID-protected resources without explicit credentials.
  • They eliminate the need to store and manage secrets, such as connection strings or certificates, in application code.
  • There are two types: system-assigned (tied to a single Azure resource's lifecycle) and user-assigned (standalone, shareable, and managed independently).
  • Managed identities are crucial for secure service-to-service communication within Azure.
  • They support the principle of least privilege by granting specific permissions to the identity.
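
As an added example (not part of the atlas), the Bicep template below ties identity, compute and storage together: an App Service web app with a system-assigned managed identity, a storage account with shared-key access disabled, and a role assignment that grants the identity only Storage Blob Data Reader on that account. The app setting carries the blob endpoint URL rather than a key or connection string; the resource names and location are assumptions, and the role ID is the built-in Storage Blob Data Reader definition.

```bicep
// Added example: web app reading blobs through its managed identity and RBAC,
// with no account key stored anywhere. Names below are placeholders.
param location string = resourceGroup().location
param appName string = 'contoso-web-example'      // assumed name
param storageName string = 'contosoblobexample'   // assumed name, 3-24 lowercase alphanumerics

// Built-in role: Storage Blob Data Reader (read-only data-plane access)
var blobDataReaderRoleId = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    allowSharedKeyAccess: false   // keys disabled: only Microsoft Entra ID tokens reach the data
    minimumTlsVersion: 'TLS1_2'
  }
}

resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: '${appName}-plan'
  location: location
  sku: { name: 'B1' }
}

resource web 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  identity: { type: 'SystemAssigned' }   // Entra ID issues and rotates the credential
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    siteConfig: {
      appSettings: [
        // Only the endpoint is configured; no connection string or key is stored.
        { name: 'BLOB_ENDPOINT', value: storage.properties.primaryEndpoints.blob }
      ]
    }
  }
}

// Least-privilege grant: the web app's identity can read blobs in this account and nothing else.
resource blobRead 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, web.id, blobDataReaderRoleId)
  scope: storage
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', blobDataReaderRoleId)
    principalId: web.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```

At runtime the application obtains a token for the storage endpoint from the managed identity (for example through the Azure Identity SDK's DefaultAzureCredential), so a leaked configuration file exposes no usable secret and the blast radius is bounded by the single read-only role assignment.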

Microsoft Entra External ID (B2B/B2C)

Microsoft Entra External ID, encompassing what was formerly Azure AD B2B and B2C, provides comprehensive solutions for managing external identities. It facilitates secure collaboration with partners, vendors, and guests (B2B) and offers robust customer identity and access management (CIAM) capabilities for consumer-facing applications (B2C).

Key Facts:

  • Microsoft Entra External ID manages external user identities for collaboration and consumer applications.
  • Business-to-Business (B2B) capabilities enable secure collaboration with external partners and guest users.
  • Business-to-Consumer (B2C) provides CIAM for consumer-facing applications, managing millions of customer identities.
  • It supports various identity providers for external users, including social accounts and enterprise identities.
  • External ID simplifies identity governance for non-employee access.