Microsoft Azure

From Colettapedia

Azure CLI

  • az configure
    • az config set core.output=table
    • az config set core.output=json - usually gives you a lot more detail
  • az login
  • az account show

storage

  • az storage account show --name StorageAccountName > /path/to/file
  • az storage blob download-batch --auth-mode login -d . -s container_name --account-name storage_account_name --pattern path/without/leading/slash/dir/*

Azure Storage Services

Blob storage

  • Any kind of file; Binary Large OBject, usually unstructured data (PNG, MOV, EXE, TXT)
  • Blobs are subdivided into containers

Access tier

  • Hot - frequently accessed data
  • Cool - lower availability, high durability - older versions and backups
  • Archive - long-term backup, rarely if ever accessed data, could take

Queue Storage

  • Storage for small pieces of data (messages)
  • designed for scalable asynchronous processing

Table Storage

  • semi-structured data
  • no schemas, like NoSQL
  • No need for foreign joins, foreign keys, relationships or strict schema
  • designed for fast access so it's scalable

File storage

  • Blob:File::Container:Share
  • Access shares via SMB protocol, i.e., Map Network Drive
  • Can also have REST protocol apparently

How to set up

  1. Create new resource
  2. Create new resource group name
  3. Provide storage account name
  4. Pick standard vs premium performance,

Access Control Model

Shared Key authorization

  • Grants access to user/application without requiring them to have an identity in Azure Active Directory

Shared access signature (SAS) authorization

  • Grants access to user/application without requiring them to have an identity in Azure Active Directory

Role-based access control (Azure RBAC)

  • Requires user/application to have an identity in Azure Active Directory
  • Coarse-grained access to storage account data, e.g., all data in the storage account.

Attribute-based access control (Azure ABAC)

  • Requires user/application to have an identity in Azure Active Directory
  • More fine-grained than RBAC, you can add conditions, e.g., read/write access to all data objects in storage account that have a specific tag.

Access control lists (ACLs)

  • Requires user/application to have an identity in Azure Active Directory
  • Finest-grained access, can unlock specific files and/or directories.

Authorize Access

General

  • Authorize access to data in Azure Storage
  • Each time you access data in your storage account, your client application makes a request over HTTP
  • Every resource is secured by default
  • Every request to a secure resource must be authorized

Access Vectors

  • Shared Key / storage account key (not recommended)
    • Client passes a header with every request that is signed using the storage account access key
  • Shared access signature
    • Provide limited delegated access to resources in a storage account via a signed URL
    • "A service SAS or account SAS is signed with the account key, while the user delegation SAS is signed with Azure AD credentials and applies to blobs only."
  • Azure Active Directory
  • On-premises Active Directory Domain Services
  • Anonymous public read access (not recommended)
  • Storage Local Users (used only with SFTP)
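An added example (not from this wiki page or any Microsoft tool) that audits a SAS URL from the reviewer's side: which key signed it, per the quote above, and whether the delegation is broader than it needs to be. The query parameter names are the real SAS keys; the hostnames, paths, the 7-day threshold, the placeholder skoid and the `EXAMPLE` signature value are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# SAS permission letters that allow changing or removing data (w write, d delete,
# a add, c create, u update, p process, y permanent delete, x delete version,
# i immutability, t tags, m move, o ownership); r read and l list are read-only.
MUTATING = set("wdacupyxitmo")

def _utc(stamp: str) -> datetime:
    """SAS times are UTC: 2030-01-01T00:00:00Z, or date-only 2030-01-01."""
    fmt = "%Y-%m-%dT%H:%M:%SZ" if "T" in stamp else "%Y-%m-%d"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)

def audit_sas(url: str, now: datetime, max_lifetime=timedelta(days=7)) -> dict:
    """Say how the token was signed and list settings a reviewer should flag."""
    p = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in p or "sv" not in p:
        return {"kind": "not-a-sas", "findings": ["missing sig or sv"]}
    # A user delegation SAS names its Azure AD signing key (skoid); service and
    # account SAS lack it because they are signed with the storage account key.
    kind = "user-delegation" if "skoid" in p else "account-key"
    findings = []
    writes = set(p.get("sp", "")) & MUTATING
    if writes:
        findings.append("write-class permissions: " + "".join(sorted(writes)))
    if "se" in p:
        left = _utc(p["se"]) - now
        if left <= timedelta(0):
            findings.append("already expired")
        elif left > max_lifetime:
            findings.append("long-lived: expires " + p["se"])
    elif "si" not in p:  # a stored access policy (si) may carry the expiry instead
        findings.append("no expiry (se) and no stored access policy (si)")
    if p.get("spr", "https,http") != "https":  # omitting spr permits plain HTTP
        findings.append("plain HTTP allowed (spr)")
    if "sip" not in p:
        findings.append("no source IP restriction (sip)")
    if "ss" in p and "srt" in p:  # account SAS: whole services and resource types
        findings.append(f"account-wide scope: services={p['ss']} types={p['srt']}")
    return {"kind": kind, "findings": findings}

# Constructed samples: host, paths, skoid and the signature value are placeholders.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
BROAD_SAS = ("https://example.blob.core.windows.net/?sv=2022-11-02&ss=bfqt&srt=sco"
             "&sp=rwdlacup&se=2035-01-01T00:00:00Z&spr=https,http&sig=EXAMPLE")
NARROW_SAS = ("https://example.blob.core.windows.net/reports/q1.csv?sv=2022-11-02"
              "&sr=b&sp=r&st=2024-06-01T00:00:00Z&se=2024-06-02T00:00:00Z&spr=https"
              "&sip=203.0.113.10&skoid=00000000-0000-0000-0000-000000000000&sig=EXAMPLE")
```

A token signed with the account key that also carries write-class permissions and a multi-year expiry behaves much like a leaked storage key, so those findings deserve the most attention.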

Access Control Lists

Azure Active Directory (Entra ID)

Identity fundamentals

  • Identity and access management (IAM) fundamental concepts
  • IAM ensures that the right people, machines and software components get access to the right resources at the right time
  • First the person, machine, or software component proves they're who or what they claim to be
  • They are then allowed or denied access to or use of certain resources
  • Identity: Three identity types, human, workload and device
  • Authentication: Proves the identity of the user. The process of challenging a person, software component or device for credentials in order to verify their identity
    • Often uses OpenID Connect (OIDC) (which is built on OAuth2.0 protocol) or SAML protocols
  • Authorization: Done after successful authentication. Grants or denies the user access. Validates that the user, machine or software component has been granted access to certain resources
    • Often uses OAuth2.0 protocol

Identity and access management

  1. Identity management
    • create, store and manage identity information
    • Identity providers - software that is used to track and manage user identities, as well as permissions and access levels associated with those identities
  2. Identity federation
    • You can allow users who already have passwords elsewhere to get access to your system
  3. Provisioning and deprovisioning of users
    • Create and manage user accounts
    • Specify which users have access to which resources
    • Assign permission and access levels
  4. Authentication of users
    • Can add MFA, or SSO to authenticate once at a single portal instead of at many different resources
  5. Authorization
    • Ensures a user is granted the exact level and type of access to a tool that they're entitled to
    • Users can also be partitioned into groups or roles so large cohorts of users can be granted the same privileges.
  6. Access control
    • The process of determining who or what has access to which resources
    • defining user roles and permissions
    • Setting up authentication and authorization mechanisms
    • Regulate access to systems and data
  7. Reports and monitoring
    • Generate reports after actions taken on the platform (sign-in time, systems accessed, type of authentication)
    • Ensure compliance and assess security risks
    • Gain insights into the security and usage patterns of your environment.

Day1, afternoon

  • Deploy solutions directly from the GitHub list
    • lots of templates "Resource management templates"
  • Infrastructure as a service
  • account.windowsazure.com

Portal

  • portal.azure.com
  • can't put v1 and v2 on same service network

Resource manager ("ARM")

  • New model for administration
  • portal.azure.com
  • "v2"
  • Used for: VMs VNets ("Virtual networks") and storage

Service Manager ("ASM")

  • classic portal
  • manage.windowsazure.com
  • "v1", or "classic"

Business/resource groups

  • Applications
  • Environments
  • Nested

Resource manager templates

  • declaration using JSON
  • define/deploy infrastructure through declarative syntax
  • run imperative commands to manage resources, e.g.,
    • set azure VM network

Azure IaaS v2 implementation guidelines

  • Naming conventions
  • Storage
  • virtual networks
  • virtual machines

Operations Management

  • OMS workspace
  • organization wide
  • collect logs
  • consolidated view
  • interest for public cloud vs. on premises

Azure access management

  • role-based access control (RBAC)

Module 3

  • Subscription
    • Virtual network - governing IP range, e.g. 10.0.0.0/16
      • Subnets - have an IP range that fits into the larger range, e.g., 10.0.0.0/24, 10.0.0.1/24
  • Network interface object (NIC) - obtains an IP address from the subnet, then connects to a virtual machine.
    • All it does is hold an IP address
    • VNet -> subnet -> NIC -> VM
  • If you use a custom domain name like chriscoletta.com, to connect DNS, have a DNS server on a VM which would provide resolution for whatever name zones; it needs to be able to resolve DNS naming on its own
  • Attach to network security groups that act as port and IP firewalls for that group
    • e.g., allow TCP/IP
    • Apply to individual components, or on a VNet level
  • Cross-premises network connectivity
  • VPN always attaches to a VNet on the Azure side
  • VNet features
    • Private addresses to a NIC
    • Public IP to a NIC or a load balancer
  • IP addressing in VNet
    • Azure will take away the first 3 and the last
    • 10.0.0.1 -> 10.0.0.254
      • Azure range goes from
  • CIDR notation
    • slash defines how many bits represent the network
    • 4 binary octets that make up the address
    • tells where the divider is between network and client bits
    • bigger number after slash leaves
    • how big is the subnet, and how many individual clients/servers
    • if it's outside my subnet then I need a route to it or I just don't worry about it.
    • e.g. 255.255.255.0 is another way of saying /24. Anything with a zero (in the mask) is client addressable.

NIC

  • The NIC, not the VM, is what holds the IP configuration; you can detach a VM from a NIC (which keeps its DNS name and IP configuration) and attach another one. This lets you treat them independently.
    • Could have a VM with multiple NICs, and treat the security of different security groups differently.
    • Number of NICs you can have is based on the VM SKU, D1-4, adding "multiple network cards"
    • e.g., eight NICs act as a load balancer, network failover or bandwidth aggregation.

Private IP address allocation

  • dynamic & static
  • "Rm" in cmdlets stands for "Resource Manager", i.e., v2 stuff

Load Balancer

  • internal load balancer
  • internet-facing load balancer
  • Application Gateway - layer 7 "they go right to HTTP1" SSL1
    • Primary design is to handle web traffic
    • redirecting traffic to a web server based on cookie information
  • traffic manager
    • allows you to direct traffic internally and externally,
  • primarily used to redirect based on network affinity; endpoints in India, East Asia, will direct to the appropriate endpoint for that application
  • Configure load balancer
    • Configure front-end IP
    • configure backend address pool, which consists of one or more subnets
    • configure load balancing rules
    • create health probe, so traffic isn't redirected to a node that's down/not present

Azure DNS

  • Create Azure DNS zone
  1. Select subscription
  2. Create new resource group
  3. Create a DNS Zone
  4. Retrieve SOA and NS records for the zone
  5. Create a resource record
  • have your own domain-based, e.g., extend ActiveDomain
  • Use this server to do DNS rather than the native DNS, most universal application

Planning for Azure virtual networks

  • Choose both private and public non-overlapping address space
    • Important if you have on-premises address space
  • Choose subnets
  • If we want to be sure we don't have overlapping, use static private IP addresses (optional)
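The CIDR notes above and this planning checklist, worked as an added example (not from the wiki page or any Azure tool): mask/prefix conversion, the usable host range of a subnet, the "outside my subnet means I need a route" test, and a check that planned subnets are well-formed, fit inside the VNet and overlap neither each other nor on-premises space. It uses only Python's standard ipaddress module; the VNet, subnet and on-premises ranges are constructed.

```python
import ipaddress

def prefix_to_mask(prefix: int) -> str:
    """/24 -> 255.255.255.0: one bits mark the network part, zero bits the hosts."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)

def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24 (the same divider written as a bit count)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen

def usable_range(cidr: str):
    """First and last host address, i.e. everything except network and broadcast."""
    n = ipaddress.IPv4Network(cidr)
    return str(n.network_address + 1), str(n.broadcast_address - 1)

def needs_route(my_subnet: str, dest: str) -> bool:
    """True when dest is outside my subnet, so a route (or gateway) is required."""
    return ipaddress.IPv4Address(dest) not in ipaddress.IPv4Network(my_subnet)

def plan_vnet(vnet: str, subnets: list, on_prem: list = ()) -> list:
    """Check that subnets are valid, fit the VNet and overlap neither each other
    nor any on-premises range. Returns a list of problems (empty when clean)."""
    v = ipaddress.IPv4Network(vnet)  # strict: raises if host bits are set
    problems = [f"VNet {vnet} overlaps on-premises range {o}"
                for o in on_prem if v.overlaps(ipaddress.IPv4Network(o))]
    accepted = []
    for s in subnets:
        try:
            n = ipaddress.IPv4Network(s)  # rejects e.g. 10.0.0.1/24 (host bits set)
        except ValueError as err:
            problems.append(f"subnet {s}: {err}")
            continue
        if not n.subnet_of(v):
            problems.append(f"subnet {s} does not fit inside VNet {vnet}")
        problems += [f"subnet {s} overlaps subnet {a}" for a in accepted if n.overlaps(a)]
        accepted.append(n)
    return problems

# Constructed sample plan: two good /24s, a /25 carved out of a subnet already
# taken, a CIDR with host bits set, and a subnet that lies outside the VNet.
VNET = "10.0.0.0/16"
SUBNETS = ["10.0.0.0/24", "10.0.1.0/24", "10.0.1.128/25", "10.0.0.1/24", "10.1.0.0/24"]
ON_PREM = ["192.168.0.0/16", "10.0.0.0/8"]  # the /8 clashes with the whole VNet
```

Run `plan_vnet(VNET, SUBNETS, ON_PREM)` before creating the VNet; an empty list is the goal, and an overlap with on-premises space is the finding that is hardest to fix after a VPN is attached.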